If the recent circular of RBI on limited liability for Customers in E Banking frauds becomes a reality, it would simultaneously open the doors for the Cyber Insurance Industry to offer products for Cyber Insurance to individual Bank customers.
The reason Insurance Companies were reluctant to insure individuals against E Banking frauds was their fear of unknown risks and the possibility of a sudden, huge loss arising out of Phishing at the individual customer’s level, or at a system level in Banks or their critical service providers.
While Insurers manage their risks by having a limited liability clause in their policies, with sub-limits for various causes, the RBI guidelines now bring down the overall liability of the customer itself significantly.
When a loss occurs on account of an E Banking Fraud, the fraud would be classified as
A: Zero Liability Incident
B: Limited Liability Incident
The “Zero Liability Incident” is one in which the Customer shall not be liable and the Banks should reverse the amount lost within 10 days.
This is applicable when the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer in the following cases:
a) Fraud or Negligence on the part of the Bank
-irrespective of whether the loss was reported by the customer or not
b) Third party breach
-where the fault lies neither with the Bank nor with the customer and
-the customer notifies the Bank within three working days of receiving communication from the bank regarding the unauthorized transaction
c) Negligence of the customer
-such as sharing of payment credentials
-where the loss occurs after the customer reports the unauthorized transaction to the Bank
The “Limited Liability Incident” is one where the customer has to bear the loss to a limited extent, and would cover the following cases.
a) In cases where the responsibility for the unauthorized electronic banking transaction lies neither with the Bank nor with the Customer, and
-the customer notifies the Bank of the unauthorized nature of the transaction between 4 and 7 days
-the liability of the customer is limited to the transaction value or Rs 5000/-, whichever is lower
-where the customer notifies the Bank after 7 days, the liability will be determined as per the Bank’s approved policy.
It is reasonable to expect that the liability will still be limited and cannot be 100% of the transaction value.
In the residual category, where the fraud involves negligence of the customer (such as sharing of payment credentials) and the loss occurs before the customer reports the unauthorized transaction to the Bank, the loss may have to be borne by the customer.
From the perspective of an Insurer, therefore, it is critical that the customer notifies the Bank, within 3 days, that a transaction reported to him through the Bank’s SMS or e-mail alert is “Unauthorized”.
The Bank will then check whether the unauthorized transaction is due to the “Negligence” of the Customer, which will be a matter of dispute to be resolved in the next 90 days.
The Customer will not have any liability unless the Bank is able to provide evidence that the negligence of the customer was the cause of the loss, or that the customer himself committed the fraud, with an accomplice or otherwise.
In the meantime, the Bank will have to provide a shadow credit within 10 days, which should also compensate any interest loss that may be involved, especially in credit card transactions.
Since the customer is not suffering any loss in these transactions, the Insurer need not take any liability on the individual’s cyber insurance policy.
Even in other cases, the liability will be limited to Rs 5000/-, except where “Negligence” is proved. What constitutes negligence in these cases is a matter that will be debated, and the Insurance industry will be required to put its weight behind the customer in ensuring that excessive responsibility is not expected of the Customer in identifying a fraud such as “Phishing” or “Vishing”, particularly when malware is used to extract the credentials of the customer without his knowledge.
Insurers will also be required to recognize the concept of “Proximate Cause” of loss: where the Bank had an opportunity to prevent the loss even after the negligent act of the customer but failed to do so because of its own inadequacies, the loss is due to the failure of the Bank and not of the customer.
Though some of these intricate points will be disputed and resolved over a period of time, it is clear that the Cyber Crime Insurance Risk of the insurers for E Banking frauds, in policies issued or to be issued to individuals, has come down from the clouds to the ground level.
After this circular, therefore, Insurance companies have no excuse for not issuing such policies for individuals.
I hope Tata AIG, HDFC Ergo, ICICI Lombard, Bajaj Allianz, etc. will now start structuring their individual Cyber liability policies.
We look forward to developments in this regard in the next few months, and request IRDA to also advise all its members, through a circular, to construct such policies.
In particular, I request the attention of Mr Rajesh Aggarwal, the dynamic ex-Adjudicator of Maharashtra who is now heading a public sector Insurance Company, and urge him to make the first move. Let one of our public sector Insurance companies be the first to introduce a Cyber Insurance Policy for Individuals as a part of the 70th Independence Day celebrations.