After waiting for more than 10 months and repeated reminders at all levels including the Finance Minister and the Prime Minister, RBI finally came out with its circular of 6th July 2017 titled “Customer Protection-Limited Liability in Unauthorized Electronic Banking Transactions” as a follow up of its August 11, 2016 draft circular.
Between the draft circular received for public comments on August 11, 2016 and the final circular of yesterday, there is not much of a difference except that the liability for notifying the Bank after a delay of 3 days has been increased from Rs 5000/- to Rs 10000/- except for the BSBD accounts (Basic Savings Bank Accounts) and to Rs 25000/- for larger accounts.
Zero Liability of a Customer
A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:
- Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
- Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.
A customer shall be liable for the loss occurring due to unauthorised transactions in the following cases:
- In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table below, whichever is lower.
Maximum Liability of a customer (Report between 4-7 days)
|BSBD Accounts:||Rs 5000|
|All other SB accounts, and Pre-paid Payment Instruments and Gift Cards, Current/ Cash Credit/ Overdraft Accounts of MSMEs,Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud)/ limit up to Rs.25 lakh and Credit cards with limit up to Rs.5 lakh||Rs 10000|
|All other Current/ Cash Credit/ Overdraft Accounts, Credit cards with limit above Rs.5 lakh||Rs 25000/-|
Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board approved policy. Banks shall provide the details of their policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.
It is also stated that the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any).
Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.
The credit shall be value dated to be as of the date of the unauthorised transaction.
Further the complaint shall be resolved by the Bank within 90 days failing which the Band should reimburse the amount to the customer ensuring that there is no interst loss to the customer.
Burden of Proof
Most importantly, the burden of proving customer liability in case of unauthorised electronic banking transactions will lie on the bank.
Security Procedures to be adopted
The circular goes on to also mandate that the systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place:
- appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers;
- robust and dynamic fraud detection and prevention mechanism;
- mechanism to assess the risks (for example, gaps in the bank’s existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events;
- appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom; and
a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.
Precautions to be taken by the Customer
In order to protect themselves from the frauds arising out of “Unauthorised transactions”, Customers should ensure the following.
It is the Bank’s responsibility to ensure that a mobile alert is provided for “All Debits”. When an alert comes in, the customer needs to check and if the transaction is not authorized, he should immediately report to the Bank for which Bank should publish contact information and provide for a “Reply” to the message.
Customer can ensure that the mobile is registered with the Bank. However we know that many times we may not be able to check the messages as and when it comes in and some times it may come in the night or when say you are on a flight. Most frauds occur in a single transaction or multiple transactions all of which occurs in quick succession. It is unlikely that the customer would be able to respond in time to stop the fraudulent withdrawals before the account is cleaned out.
If the customer is missing any alert, he should record it by informing the Bank and keeping record of such reports. If the customer is going abroad where he may miss the alert, he should ensure that the account is suitably locked or alternate arrangements are made by limiting the transaction limits.
Whenever the Bank receives any instruction from the customer, the banks should match the location of the transaction with the known location of the customer (eg: he is abroad or he is in the village when the transaction is reported from elsewhere etc).
Even the OTP is answered from a mobile whose location is easily available to the Bank and if they are not having systems to monitor these, it should be considered as “Inadequate security” and challenged.
We suggest that Banks introduce a system by which the transactions should have a mandatory gap of at least 5 minutes between two successive transactions to avoid such frauds besides an option to the customer to switch off the transactions any time he wants. Customers should be able to switch on the transactions at will and switch it off immediately after the transaction. For this purpose the alert should have an automatic option to switch off for a stated period like we put our WhatsApp on “mute” from time to time.
There would be occasions when there is a dispute between the Bank and the Customer regarding whether a notice was sent or not etc. The customer may then be at a disadvantage. hence customer should create an evidence that he had reported the unauthorized transaction (one can use the Cyber notice service of ceac.in for this purpose) and hold the acknowledgement for future reference.
It goes without saying that when a customer receives a phishing call or an e-mail, he should not respond. If any such call comes in, then he should report it to the Bank also stating that he has not responded and the Banks should take action to block the mobile number used or the e-mail used like shutting down Phishing websites, as a part of its security due diligence. Since this could also be a point of dispute later , customers are suggested to use the Cyber-notice service (Refer www.ceac.in or cyber-notice.com websites, links to which are available from this site.)
We anticipate that in cases where a “Receipt of a phishing call is received” by a customer, Bank may allege that he has responded to it even if the customer swears otherwise. Though the circular clearly says that the burden to prove such disclosure is on the Bank and not the customer, it is possible that Banks would bully the customer and just like in a Police interrogation an accused admits to an offence he might not have committed, the customer may be forced to say some thing to the effect “I don’t know or I don’t remember” etc which the Bank may latch on to and claim that the customer has admitted. Remember that the Banks will record the call center conversations and they should be asked to produce evidence through recordings if they claim that the customer has admitted the disclosure of credentials.
Banks also need to have a good adaptive authentication systems and at present none of the Banks have proper systems in place and hence customers should be able to prove “Lack of Due Diligence” on the part of the Bank most of the time.
We should also remember that as long as Banks continue to use Undigitally signed instructions or OTP for authentication, they are not following law and hence they are vulnerable to be held negligent when challenged in a Court of law. Banking law never recognizes a “Forgery” as valid and hence any electronic transaction where the customer’s signature is forged is a nullity even if the Bank may claim difficulty in recognizing the forgery.
The circular itself refers to “Insurance” which we have always held as mandatory for banks and they need to cover their losses through insurance and not think of burdening the customer with the loss.
There could be several more precautions that the customer can take such as using only Prepaid cards, keeping FD accounts not attached to the account, refusing increase of credit card limits if he does not need it, etc.
Banks should refrain from indiscriminately issuing cards to people who donot understand the implications of secure usage and avoid situations where the customer may be negligent.
Some of the common mistakes that people do such as “Writing the Pin on the back of the card”, “Answering the Phishing call etc” should be pointed out to the customer at the time of the issue of the card and a specific acknowledgement that the” safety precautions were read out to the customer and he has understood it before accepting the card” should be obtained under third party witness (introducer) and the declaration should be held with the account opening form as a part of the routine procedure. Bank auditors should ensure that such records are kept properly.
RBI has informed Banks that they should undertake customer education through various means and this has to be implemented and audited.
Banks should quickly come up with their policy regarding how they handle the implementation of the above circular and modify their SMS alert systems within the next one week and report it to the RBI as part of the month end compliance report.
The banks which are presently not having the 24X7 call centers which actually are responsive (operator should pick up the call within the first three rings at least for the separate number designated for these complaints) should ensure that the call centers become operational immediately.
Any customer who finds that his Banks does not have necessary measures envisaged in this circular (such as SMS alerts not sent etc) may kindly report it to Naavi.org (Special cell for monitoring Implementation of Limited Liability Circular) through an e-mail available on the website. (check contact page). We will try to maintain a record of such complaints as part of our public service so that they will come in handy when proving the negligence of the banks on a later date.
We will provide supplementary instructions from time to time on this site as and when necessary. Please do keep writing to us. More services from Ceac.in and Cyber-notice.com along with special service charges applicable to such services would be indicated at the earliest.
Kindly note that this circular has not indicated any prospective effect and hence in all cases including the present pending cases where disputes exist, customers should approach their Banks and seek remedy under this circular. Since this is now part of the Bank’s service, even the Banking Ombudsman has to take up complaints related to these instances without brushing it aside.