With the recent rise in credit card frauds it is but natural to wonder who is liable – you or the bank? Does the cardholder bear the brunt of the fraud or should the banks absorb the expenses? To end this suspense, the Reserve Bank of India (RBI) recently revised the draft guidelines on Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions. Let us understand how these guidelines safeguard your interest before, during and after an unauthorized transaction.
What should you do when a fraudulent transaction is conducted on your account?
The moment you realize a fraudulent transaction is being carried out on your account, you will have to act swiftly:
- Inform your bank of the unauthorized transaction as soon as possible, maximum within 3 days of occurrence. You can do this by contacting them via phone banking facility, SMS, email, toll-free number or by visiting a bank branch.
- Banks’ loss and fraud reporting system will immediately acknowledge your complaint and share the registered complaint number.
When are you liable for a fraudulent transaction and when not
Scenarios when you are not liable
There are two scenarios when customers are not liable:
- When the transaction occurs due to fraud or negligence or lack of appropriate checks on the part of bank, even if the customer fails to report it to the bank. For example, malware attacks, or large-scale account hacks.
- When the fraud occurs due to your negligence but you report the incident within 3 working days. For example, loss of credit card or sharing account/card details with strangers.
Scenarios when you are liable
You are liable when you delay reporting the fraudulent transaction to the bank by more than 3 working days.
- Delay in reporting by 4 – 7 working days: You will have to pay an amount equal to the transaction value or as per the bank’s Board’s policy, whichever is lower. Refer Table 1 for more details. But even in such a scenario, you are liable only for the loss occurring till the time you report the incident to the bank. So, even if unauthorized transactions continue (which is unlikely as banks block the card or account when informed of breach or loss), you won’t have to bear the losses.
- Delay in reporting beyond 7 working days: In this case, you will be liable as per the bank Board’s approved policy. The maximum liability will vary according to the account that has been breached. For instance, in the case of savings account, your maximum liability is Rs 5000, whereas for credit cards (with limit > Rs 5 lakhs) the maximum liability is Rs 25,000. Refer Table 2 for details.
Another crucial aspect the RBI has touched upon is making it banks’ responsibility to prove customer liability in the case of unauthorized electronic banking transactions. As a result, banks will have to prove whether the fraud occurred due to customers’ negligence. Instances of customer negligence include disclosing your card details to someone or losing your credit or debit card.
Table 1: Customer Liability during Fraudulent Transactions
| Time taken to report the fraudulent transaction | Customer’s liability |
|---|---|
| Within 3 working days | Zero liability |
| Within 4 to 7 working days | Transaction amount or the amount mentioned in Table 2, whichever is lower |
| Beyond 7 working days | As per bank’s Board-approved policy |
When you delay reporting the incident by more than 7 days, you will be liable to pay as per the bank’s Board-approved policy (refer Table 2 for details).
Table 2: Details of Customer Liability in case of Fraudulent Transactions (By Account Type)
| Type of Account | Maximum liability |
|---|---|
| Basic savings bank account | Rs 5,000 |
What happens after you report a fraudulent transaction
The moment you notify the bank about the unauthorized transaction, the bank representatives will immediately block your account or card, whichever is under threat. If at all any more transactions are carried out on this account or card, you will not be held liable. However, if the initial unauthorized transaction happened due to your negligence and you reported the incident after 3 working days, the bank will have to decide on your liability according to RBI guidelines (refer tables 1 and 2 above).
If the bank happens to dispute the transaction you have reported, the burden of proof will fall on the bank. It will have to prove that either you acted fraudulently or shared sensitive information and were complicit in the fraud. In such a scenario, if the bank dismisses your complaint or responds in an unsatisfactory manner, you can approach the banking ombudsman. After a proper investigation, the ombudsman will announce its ruling. If you are not happy with this ruling, you can reach out to the appellate authority, headed by the deputy governor of RBI, within 30 days of the said ruling. Post this, the only option is to approach the High Court.
When will the fraudulent transaction be reversed?
If you notify the bank within 3 days of the unauthorized transaction, your liability is zero. So, the bank will have to credit the amount within 10 working days from the date of notification. However, if there is a delay in reporting the fraud, the bank may follow the liability rules as laid out in the above tables or might waive off your liability.
RBI Guidelines for Banks on How to Protect Customers Against Unauthorized Transactions
The Reserve Bank of India has come up with a two-part approach to dealing with such frauds. Part One includes advisory and awareness campaigns. Herein banks will have to constantly advise customers on how to protect themselves from electronic banking and payments related fraud. This information can be shared via emails, SMSes and interactive voice response (IVR). Part Two will include setting up of processes and mechanisms by banks to prevent and detect frauds. Banks will have to set up:
- systems and procedures to ensure safe and secure electronic banking transactions, including transactions conducted at or via ATMs, POS, banks’ mobile app and net banking
- robust fraud detection and prevention mechanisms so that banks become aware of malware attacks or hacking at the earliest and are able to take swift action
- processes to assess the risks that can arise from unauthorized transactions and the liabilities resulting from such events
- measures to reduce risks and protect themselves (i.e., banks) against potential liabilities
- a grievance redressal platform where customers can file complaints regarding unauthorized account breaches or transactions.
How do banks ensure secure transactions?
Mandatory Registering for SMS Alerts: The only way to ensure authorized transactions are carried out is to notify customers every time there is a transaction on their account, whether savings account or credit card. Banks will have to make it compulsory for customers to register for SMS alerts and even e-mail alerts (wherever necessary) for electronic banking transactions. So, whenever a transaction happens in your account, you will immediately get an SMS on your registered mobile number and an email on the mail id shared.
If, however, customers do not wish to share their mobile numbers, RBI has directed banks to not offer the facility of electronic transactions, except ATM cash withdrawals, to these customers.
What are unauthorized or fraudulent transactions?
Unauthorized transactions can occur via numerous methods, such as phishing, hacking, and skimming. Let’s take a look at some of the most common ways unauthorized transactions are carried out:
- Cards intercepted during transit: This happens when you open a new account or get a new credit card. Suppose you opened a new savings account on 10th July and received your welcome kit (i.e. cheque book, debit card, IPin) on 15th July. Now, if during this time you notice any activity happening in your account, it will be the bank’s liability, not yours.
- Skimming: This happens when the information in your card’s magnetic strip is copied by inserting it in an electronic device. This data is used to create a counterfeit card using your card’s details to make purchases.
- Phishing: These are email traps, where you receive mails from people supposedly working at banks or government agencies and asking for confidential details pertaining to your account or credit card. Most of these emails direct you to bogus sites and prompt you to share account-related information.
- Account Takeover: This happens when you unknowingly share your personal information, such as address, date of birth, account number, card number and expiry date, with a stranger, who can use it to make online purchases.
- Loss of debit or credit card: If you happen to lose your card, chances are it may land up in the hands of a fraudster who can use it to conduct transactions till the time you report it lost and get it blocked.
- Card-not-present (CNP) fraud: Here, the fraudster would use your card number and expiry date to conduct a transaction over phone or mail. In such cases, the card need not be present physically and card verification code (CVV) may not be required, making it easy for the fraudster.
Tips to Conduct Online Transactions Safely
Given the amount of time we spend in front of a computer screen, it’s important to follow some simple steps to ensure all our financial transactions, such as netbanking and online bookings and purchases, are secure. Take a look:
- Anti-virus software: Always use a licensed and latest version of anti-virus software to ensure complete protection against malware, phishing and Trojans.
- Auto-update all software: Web browser companies regularly update their software by periodically releasing patches or version updates. It can be difficult to keep up with these updates manually, so it’s better to activate the auto-update option for all software installed in your computer.
- Use different passwords: Don’t keep a common password for all your bank accounts, credit cards, emails and social logins. Ensure you have a different password for each account and never share it with anyone.
- Avoid using public computers: When conducting financial transactions, avoid using public computers, such as those present in internet cafes. Most of these systems do not have requisite anti-virus software, thus compromising your account security.
- Conduct online purchases with reputed companies or merchants: When making purchases online, it is important to ensure that the merchant’s website is secure. One of the ways to check this is to see whether the site’s address begins with “https” and whether there is a lock symbol before the site’s name in the address bar. A lot of small merchants do not implement tough security mechanisms, making customers vulnerable to data breach.
Tips to Conduct Mobile Transactions Safely
With the advent of banks’ mobile apps and wallets, such as PayTM and Freecharge, it has become all the more important to ensure that you follow “safe” mobile banking habits. Here are a few ways that can help you have a safe mobile banking experience without compromising on your financial security:
- Be cautious: Don’t store your account details, such as PINs and account number, on your mobile phone. And, if you happen to use a banking app or a mobile wallet, don’t activate the automatic login feature. By following these habits, your accounts will be safe even if you lose your mobile.
- Avoid making transactions on public networks: While free Wi-Fi hotspots are a big hit, they aren’t the safest platforms for conducting transactions. Always use your mobile service provider’s connection or a Wi-Fi connection that is password protected.
- Use official apps: With the internet teeming with banking apps and wallets, it’s important that you download only the official versions of these apps. Using unofficial apps makes you susceptible to data breach or mobile hacking as these apps’ data security features may be too lax or already compromised.
- Avoid spam mails and messages: If you happen to check your mails on the go, it’s best to avoid spam mails as they contain malicious links. Note that secure weblinks start with “https”, not “http”. Similarly, in the case of SMSes and WhatsApp messages, don’t follow a link shared in the form of a text.
- Use social media wisely: While a lot of people voluntarily share every detail about their life on social media, it is better to exercise restraint when it comes to financial information. Also, avoid clicking on suspicious posts that may lead you to third-party sites and solicit confidential personal information.
- Be careful when answering calls from unknown numbers: Nowadays, a lot of scammers call up people and ask for account or card details on the pretext that your account has been blocked or deactivated and that these callers will help recover it. Do not divulge your account information as this is just another way of getting their hands on your sensitive financial information.
To sum up, here’s what you should do to avoid incurring losses caused by an unauthorized transaction:
- Register your mobile number and email id with your bank for notifications
- Inform the bank immediately in case of loss of card or account hacking or any fraudulent transaction
- Get your account or card blocked to prevent any further loss
- Keep a record of all your correspondence with the bank officials, whether telephonic or via mail
- Follow up with the bank with respect to action or steps taken after your notification
- Monitor your account to check whether any more transactions are being conducted
- Contact banking ombudsman if you are not satisfied with the bank’s resolution