On July 6, 2017, RBI released the “Customer Protection-Limiting Liability of Customers in Unauthorized Electronic Banking Transactions”.
The circular indicated that a customer is entitled to “Zero Liability” in case of loss arising out of frauds in E banking in which
a) There is a contributory fraud or negligence or deficiency on the part of the Bank irrespective of whether or not the transaction is reported by the customer
b) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and the customer notifies the Bank within three working days of receiving the communication from the Bank regarding the unauthorized transaction
Further the Customer would have a “Limited Liability” of Rs 5000 or 10000 or 25000/- (depending on the nature of the customer) in cases where the responsibility for the unauthorized electronic banking transaction lies neither with the Bank nor the customer and when there is a delay (of four to seven working days) in notifying the Bank.
If the delay in reporting the transaction where the fault lies with neither the Bank nor the customer, the Bank’s boards were expected to come up with their policies on how much of liability they would bear.
However, even after nearly five months, we donot see any such policy from any of the Banks being announced at least on their websites. (If any Bank disagrees, they are requested to keep us informed so that we can correct this statement). This shows that RBI has not been able to impose its regulation so far on the Banks.
The circular of July 6, 2017 was applicable to all Scheduled Commercial Banks including RRBs, All Small Finance Banks and Payment Banks.
Now, on 14th December, RBI issued a follow up circular extending the applicability of the Circular also to the Primary (Urban) Cooperative Banks, State Cooperative Banks and District Central Cooperative Banks.
While it was natural that all Banks which were in the E-Banking activity had to come under one regulation as regards protecting the Consumers and it was more important in the case of the rural banks such as the Cooperative sector Banks, RBI needs to ensure that the Banks take it’s regulations seriously.
Recently, we came across a fraud in which a well known journalist reported that a supplementary credit card had been issued in her name and an outstanding debit in the card was claimed from her by none other than HDFC Bank. She also reported that the Bank refused to accept her complaint and insisted that the amount was payable by her.
In many instances the frauds happen because of “Phishing”. In some cases the customers do give out their Passwords or OTP without being aware of the possibility of the fraud. It is in such cases that Banks and Customers need to resolve who has to bear the liability. In most cases there would be no doubt that the customer would be a victim but the Bank tries to claim that it also is a victim and hence if the customer is negligent in giving away his credentials then he should bear the loss himself and not the Bank.
However, we need to ask the Bankers whether they are pitting their information security capabilities and knowledge with the awareness of the customer and claiming that the customer has to be more intelligent than the Bank. RBI has clearly advised these banks to adopt “Adaptive Authentication” and a robust Cyber Security Framework which should identify fraudulent transactions before they occur and take measures to prevent a fraud before it occurs. In some cases the money would have been debited to one account but the payment would not have been irrevocably paid out to the fraudster and it may lie in the system with another Banker. In such cases if the paying bank moves the collecting bank immediately and stops the withdrawal, the fraud could be prevented. But the Banks are so arrogant and fraudster friendly that they will raise 100 questions to the customer that he should file a police complaint, give complaint in writing, accept that he has given away the password etc, besides saying my Manager is not available etc… and delay action.
Many banks make their Call center access difficult and not provide specific fraud reporting mechanism directly on the SMS which they must send. If the customer says that they have not received SMS, Banks often refuse to accept.
All these hurdles need to be addressed by RBI by conducting the audit of Banks on the implementation of the July 6th Circular at branch level without which the intentions of RBI will not be implemented in practice.
RBI has also since June 2001, mandated that Customers should be protected by picking up the legal risk themselves and using the Cyber Insurance cover. But none of the Banks have so far sent one SMS to their customers about Cyber Insurance cover they have taken for them though they might have sent scores of messages for not linking Aadhaar.
The Chair persons of the Banks need to be pulled up by RBI for ignoring the RBI guidelines and apart from imposing some fine or the other, they must make an example of some Banks and suspend the Chair person. Banks like Axis Bank which were considered as the habitual offenders during the demonetization days continue to carry on business without paying for their guilt.
The definition of “negligence” in the limited liability circular on the part of the Bank will have to be evaluated in this context of “Not correcting past mistakes” and even in case of Phishing where there is negligence on the part of the customer, “Contributory negligence” on the part of the Bank should be recognized.
It is some time back that ICICI Bank was pulled up by the Adjudicator of Tamil Nadu and made to pay for their negligence in the S.Umashankar case. Perhaps many have forgotten the case and there is a need for other similar judicial interventions holding the Banks liable for Banking frauds before we ensure security in the Banking scenario.
Some of these Banks are even challenging the RBI by adopting to use of Bitcoins and also use of Block chain against the Banking laws. RBI unfortunately is unable to take corrective action and letting the public continue to take risks which they should not take,
Will RBI now wake up and take necessary corrective action so that the Customers feel safe?