Issuing Authority: Reserve Bank of India | Date of Issue: June 24, 2026 | Effective From: January 1, 2027
Background
India's existing customer-liability framework for digital banking — first built around the concept of "unauthorised" electronic banking transactions — was designed for an earlier generation of fraud: stolen passwords, cloned cards, phishing that resulted in transactions the customer never approved. It was never built for the scam-call era, where a customer is talked into approving a payment themselves, often under pressure or deception. That gap is exactly what RBI has now moved to close.
RBI flagged its intent to review this framework in the Statement on Developmental and Regulatory Policies dated February 6, 2026, then released the draft Reserve Bank of India (Responsible Business Conduct) Third Amendment Directions, 2026 on March 6, 2026 for public comment. After examining stakeholder feedback, RBI has now finalised the changes — not as one document, but as seven entity-specific Amendment Directions covering every category of deposit-taking bank regulated by it.
The core shift is conceptual: the trigger for customer protection moves from "unauthorised" transactions to the much broader "Fraudulent Electronic Banking Transaction" (Fraudulent EBT) — and, for the first time, RBI is backing that protection with an actual compensation fund for small-value cases, not just a liability-allocation rule.
RBI's New Fraudulent EBT Framework — Key Changes for Banks and Customers
1. New Definitions: Fraudulent EBT Now Covers More Than "Unauthorised"
Fraudulent EBT is now defined to include (a) a transaction executed by a third party using credentials obtained from the customer through fraud, (b) a transaction executed by the customer themselves after being coerced or pressured by a third party, and/or (c) an Unauthorised EBT. Unauthorised EBT, in turn, is narrowed to mean a transaction not authorised by the customer at all, arising from bank negligence and/or a third-party breach. In effect, "unauthorised" is now a sub-category inside the much wider "fraudulent" umbrella — which is precisely the scope expansion the original draft proposed.
Other new definitions inserted across all seven Directions: Card Not Present (CNP) and Card Present (CP) transactions (cross-referenced to the RBI Authentication Mechanisms for Digital Payment Transactions Directions, 2025); Electronic Banking Transaction (EBT), aligned to the definition of "electronic funds transfer" under Section 2(c) of the Payment and Settlement Systems Act, 2007; Third-party breach, covering deficiencies by intermediaries such as Third-Party Application Providers, Payment Aggregators, Payment Gateways, or Telecom Service Providers; and Shadow reversal (in six of the seven directions — not applicable to Payments Banks), the temporary provisional credit a bank provides to a customer on receiving notification of fraud, before completing its investigation. The customer cannot use or withdraw this amount but will not bear any interest or charges on it;
2. Detailed Negligence Tests — for Both Banks and Customers
The Directions spell out, for the first time in this level of detail, what counts as negligence on each side:
- Not implementing mandated security systems
- Not sending mandatory transaction alerts
- No 24x7 fraud-reporting channel
- Not acting promptly on a customer's fraud notification
- System malfunctions / security breaches / internal fraud
- Not exercising reasonable care with PIN/OTP/password
- Delayed notification of fraud or card loss
- Ignoring specific, clear scam warnings from the bank
- Downloading malicious apps
- Not updating registered mobile number / email
3. Liability Allocation — Who Pays, and When
Applies whenever the fraud arises from bank negligence — regardless of whether the customer reported it. It also applies to third-party breach cases, but only if the customer reports the fraud within 5 calendar days of its occurrence; reported later, liability is governed by the bank's own policy.
Where the fraud results from the customer's own negligence, the customer bears the loss — but only up to the point they report it. Any loss occurring after reporting is borne entirely by the bank. The portion of customer-negligence loss not covered is also where the new small-value compensation mechanism (below) can apply.
Banks retain discretion to waive customer liability entirely in any case. Where a bank must reverse a fraudulent transaction, the reversal must be value-dated back to the original transaction date so the customer loses no interest, and for credit-card fraud specifically, the bank must provide a shadow reversal within 5 calendar days of notification.
4. Faster Complaint Resolution — the 45/60-Day Cap
Banks set their own complaint-resolution timeline in policy, but it must not exceed 45 calendar days for domestic fraudulent EBTs and 60 calendar days for cross-border fraudulent EBTs, measured from the date the bank receives the complaint. This is the "reduced time taken by banks to process complaints" flagged in RBI's press release — now codified as a firm outer limit rather than left to bank discretion.
5. New: Compensation for Small-Value Fraudulent EBTs
An individual (including a sole proprietor) who has suffered a customer-negligence fraud loss of up to ₹50,000 can claim compensation of 85% of the net loss, or ₹25,000 — whichever is less — once in their lifetime. To qualify, the victim must have reported the fraud to the National Cyber Crime Reporting Portal (or Helpline 1930) and to the bank within 5 calendar days of the fraud occurring. For joint accounts, only one holder may claim, and that choice is permanent.
Worked example from the Direction: Reported loss ₹40,000, with ₹15,000 recovered and returned to the customer before compensation is paid. Net loss = ₹25,000. Compensation payable (85% of net loss) = ₹21,250 — funded as RBI ₹16,250 and ₹2,500 each from the customer's bank and beneficiary bank.
6. How the Claim and Reimbursement Process Works
- Bank examines the complaint within the 45/60-day window and determines it is a bona fide customer-negligence case.
- Bank issues the customer an application form to formally claim compensation — Annex II(1) for Commercial Banks, SFBs, RRBs, UCBs and RCBs; Annex I(1) for Payments Banks; and Annex AAI for Local Area Banks.
- Bank pays the customer within 5 calendar days of receiving the completed application.
- Bank claims reimbursement from RBI and any beneficiary bank(s) on a quarterly basis — via Annex II(2) for Commercial Banks, SFBs, RRBs, UCBs and RCBs; Annex I(2) for Payments Banks; and Annex ABI for Local Area Banks — signed by a Senior Executive, sent to [email protected] within 30 calendar days of quarter-end.
- RBI settles claims on a net basis, deducting amounts the bank owes as a beneficiary bank elsewhere.
- If money is later recovered, the bank recalculates and adjusts the compensation, refunding any excess to the contributing parties.
The compensation mechanism only covers fraudulent EBTs occurring within one year of the January 1, 2027 effective date — i.e., broadly through end-2027. Banks must retain related records for two years after the mechanism closes.
7. Alerts, Reporting Channels and Monitoring
Banks must collect a verified mobile number (and email, where available) from every EBT customer, send mandatory SMS alerts for all EBTs above ₹500 (free of charge), and email alerts wherever an email address is on file. They must provide 24x7 reporting channels — phone banking, SMS, IVR, dedicated helpline, in-app, or branch — and must acknowledge every fraud report immediately with a complaint number. SMS charges cannot be levied for regulatory-compliance or awareness messages, though banks retain discretion on other categories of SMS. Boards (or a designated Committee) must receive periodic reporting on fraud volumes, values, and the functioning of the grievance and compensation mechanism.
8. How the Seven Instruments Differ
While the substantive framework is near-identical, the legal mechanics differ by entity category:
- Commercial Banks, SFBs, RRBs, UCBs, RCBs: the existing liability-limiting section is deleted in full and substituted with the new Fraudulent-EBT section.
- Payments Banks: similarly substituted, but with narrower provisions reflecting PBs' product set (e.g., no credit-card shadow-reversal clause, since PBs do not issue credit cards), and using Annex I rather than Annex II for the claim/reimbursement forms.
- Local Area Banks: this is a wholly new insertion — LABs' Responsible Business Conduct Directions, 2025 previously had no dedicated section on this subject at all.
Earlier Framework vs. New Requirement
Compliance Checklist
☑ Identify the specific Amendment Direction applicable to your entity category and update internal policy documents to reference "Fraudulent EBT" rather than only "Unauthorised EBT"
☑ Rebuild complaint-handling SOPs to guarantee resolution within 45 calendar days (domestic) / 60 calendar days (cross-border)
☑ Design and roll out the small-value fraud compensation claim form (Annex II(1) / Annex I(1)) and internal approval workflow
☑ Build the quarterly RBI/beneficiary-bank reimbursement process (Annex II(2) / Annex I(2)) and the [email protected] submission workflow, signed by an identified Senior Executive
☑ Update fraud-classification logic to capture bank negligence, customer negligence, and third-party breach as distinct categories with the correct liability outcome for each
☑ Confirm SMS/email alerting systems trigger correctly above the ₹500 threshold and record delivery/response timestamps
☑ Ensure 24x7 fraud-reporting channels (phone, SMS, IVR, app, helpline) are live and produce immediate complaint acknowledgements with complaint numbers
☑ Brief the Board or relevant Committee on the new periodic monitoring/reporting requirement for fraudulent EBTs
☑ Update customer-facing policy disclosures on the website to reflect the new framework, grievance process, and compensation mechanism
☑ Track the one-year sunset window for compensation eligibility and plan record retention for two years after the mechanism closes
CorpLawUpdates Analysis
The single most consequential change here is definitional, not procedural: by making "Fraudulent EBT" the operative concept and folding "Unauthorised EBT" inside it as a sub-category, RBI has closed the most exploited gap in the old framework — the social-engineering scam where a customer technically "authorises" a payment after being deceived or coerced. Under the old regime, such cases sat in a grey zone; under the new DA/CA/EA/AA sections, they are squarely within scope, with the same negligence-based liability tests applied to determine who bears the cost.
The compensation mechanism is the bigger operational lift for REs. This is the first time RBI has attached an actual funded payout — not just a liability-shifting rule — to retail digital fraud, complete with a DEA-Fund-style quarterly reimbursement cycle between banks and the central bank. Banks will need new claim-intake, approval, and inter-bank settlement workflows essentially from scratch, and the precision of the cost-sharing math (down to the rupee, e.g., ₹19,118 and ₹2,941 splits) suggests RBI expects banks to automate this rather than process it manually.
Practitioners should watch two things closely: first, how banks operationalise the "bona fide" determination for customer-negligence claims, since that judgment call decides who gets compensated; and second, how beneficiary-bank cost recovery plays out in practice, since it requires cooperation between banks that may have no other relationship with each other. The one-year sunset on the compensation mechanism is also notable — RBI may be treating this as a pilot before deciding whether to make it permanent or recalibrate the thresholds.
With six months between issuance and the January 1, 2027 effective date, compliance, fraud-risk, and customer-service teams across all seven RE categories have a fairly tight runway to rebuild policy documents, retrain frontline and grievance-redressal staff, and stand up the compensation claims process — particularly for Local Area Banks, which are implementing this entire framework for the first time rather than amending an existing one.
This article is for informational and educational purposes only and does not constitute legal or regulatory advice. Verify with primary regulatory sources before acting.
