RBI widens digital fraud protection framework; customers to get compensation of up to ₹25,000

The Reserve Bank of India (RBI) on Wednesday issued revised customer protection norms for digital banking transactions, widening the scope of existing rules to cover a broader range of fraudulent electronic transactions and introducing a compensation mechanism for victims of small-value digital frauds. The new framework will come into effect from January 1, 2027.

The central bank said the revised directions stem from its review of the existing framework on limiting customer liability in unauthorised electronic banking transactions and incorporate feedback received from stakeholders after draft norms were released in March this year.

Wider definition of digital fraud

One of the most important changes is the expansion of the framework beyond unauthorised transactions to include a broader category of "fraudulent electronic banking transactions" (EBTs).

Under the revised rules, fraudulent transactions include cases where fraudsters obtain customer credentials through deceptive means, transactions carried out under coercion or duress, as well as unauthorised transactions resulting from bank negligence or third-party system failures. The norms also explicitly cover both card-present and card-not-present transactions.

"The draft Amendment Directions inter alia proposed to enhance the scope of existing instructions on limiting liability of customers in unauthorised electronic banking transactions to cover other categories of fraudulent electronic banking transactions," the RBI said in a statement.

Compensation for victims

In a relief for customers, the RBI has introduced a compensation mechanism for small-value frauds.

Under the framework, individual customers, including sole proprietors, who suffer losses of up to ₹50,000 due to fraudulent electronic transactions may receive compensation amounting to 85% of the net loss or ₹25,000, whichever is lower. To qualify, customers must report the fraud both to their bank and through the National Cyber Crime Reporting Portal or Cyber Crime Helpline 1930 within five calendar days of the incident.

The RBI will bear the largest share of the compensation burden, while customer banks and beneficiary banks will contribute the remaining amount under a predefined formula.

Faster reversals, stronger accountability

The central bank has also tightened obligations on banks and payment institutions.

Banks will be required to send instant SMS alerts for all electronic banking transactions above ₹500 and email alerts wherever email addresses are available. They must also provide customers with round-the-clock channels for reporting fraudulent transactions, including dedicated helplines, email addresses, SMS facilities and app-based reporting options.

Importantly, the burden of proving customer liability in fraud complaints will rest with banks. Customers will be entitled to zero liability where fraud arises due to bank negligence, irrespective of when the transaction is reported. Similarly, customers will not be held liable for losses arising from third-party breaches if the incident is reported within five calendar days.

The RBI has also directed banks to complete investigations and communicate outcomes within 45 days for domestic fraud complaints and 60 days for cross-border cases. In the case of fraudulent credit-card transactions, banks must provide a "shadow reversal" of the disputed amount within five days of receiving a complaint.

Applicable across banking system

The revised directions have been issued for commercial banks, small finance banks, payments banks, local area banks, regional rural banks and co-operative banks, ensuring a uniform customer-protection framework across the banking system.

The move comes amid rising digital payment volumes and growing concerns over online frauds, phishing attacks and unauthorised transactions, with the RBI seeking to strengthen consumer confidence in India's rapidly expanding digital payments ecosystem.