RBI Issues Amendment Directions on ‘Review of Framework of Limiting Customer Liability in Digital Transactions’
What Happened
- The Reserve Bank of India issued final Amendment Directions to its existing customer liability framework for digital transactions, effective January 1, 2027.
- The amendment expands the scope of protection beyond "unauthorised" transactions (where the customer did not initiate the transaction) to also cover "fraudulent" transactions — including cases where customers were deceived into authorising transfers themselves through phishing, social engineering, or impersonation.
- A new compensation mechanism is introduced specifically for small-value fraudulent electronic banking transactions involving losses up to ₹50,000 — providing 85% of net loss or ₹25,000, whichever is lower, on a once-in-a-lifetime basis.
- Banks are required to dramatically compress complaint resolution timelines: complaints must now be resolved within 30 calendar days (down from 90 working days under the original 2017 framework) and compensation disbursed within 5 calendar days of application.
- The framework applies to all seven categories of regulated banking institutions: Commercial Banks, Small Finance Banks, Payments Banks, Local Area Banks, Regional Rural Banks (RRBs), Urban Co-operative Banks, and Rural Co-operative Banks.
- Draft directions were released for public comment from March 6, 2026 to June 24, 2026; the final directions reflect incorporated stakeholder feedback.
Static Topic Bridges
Original RBI Framework on Customer Liability (2017)
The foundational circular — "Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions" (RBI/2017-18/15, dated July 6, 2017) — established India's first structured framework for zero-liability and limited-liability protection in digital banking fraud. It introduced tiered liability caps (₹5,000 to ₹25,000 depending on account type and reporting speed) and required banks to resolve disputes within 90 working days. The 2017 framework covered only "unauthorised" transactions — those initiated without the customer's knowledge or consent. Social-engineering frauds where victims authorised transfers under false pretences fell outside its scope.
- Original circular date: July 6, 2017
- Reference: RBI/2017-18/15, DBR.No.Leg.BC.78/09.07.005/2017-18
- Original liability caps: ₹5,000–₹25,000 (tiered by account type and reporting speed)
- Original resolution timeline: 90 working days
- Gap addressed by 2027 amendment: Fraudulent (socially engineered) transactions not covered in 2017
Connection to this news: The 2027 amendment directly builds on and supersedes key provisions of the 2017 circular, extending protections to the fastest-growing category of digital fraud in India.
Scope of New Protection: Unauthorised vs. Fraudulent Transactions
A critical conceptual distinction in digital banking fraud law: an "unauthorised" transaction is one the customer did not initiate at all (card skimming, SIM swap, hacking). A "fraudulent" transaction is one the customer was deceived into authorising — paying a fake seller, responding to a phishing call, downloading malware. Previous Indian law largely left victims of the second category without structured redress. The 2027 framework closes this gap by explicitly covering fraudulent electronic banking transactions (EBTs) regardless of whether the customer technically "authorised" the transfer.
- Fraudulent EBT definition: Transactions induced through deception — phishing, vishing, smishing, fake support calls, social engineering
- Burden of proof shift: Banks must prove customer negligence; customer no longer required to prove innocence
- Zero liability: Applies when bank is negligent (irrespective of customer reporting timeline)
- Limited liability / compensation: Applies to third-party fraud reported within 5 calendar days
Connection to this news: Extending the framework from "unauthorised" to "fraudulent" is the most significant policy shift in the amendment — it addresses the dominant form of digital financial crime in India today.
New Compensation Mechanism (Pilot: July 1, 2026–June 30, 2027)
For the first time, the RBI directly contributes to a consumer fraud compensation pool rather than leaving the full burden on banks. For small-value fraudulent EBTs (gross loss ≤ ₹50,000) reported by an individual to both the bank and the National Cyber Crime Reporting Portal within 5 calendar days: compensation equals 85% of net loss or ₹25,000, whichever is lower. The cost is shared: RBI bears 65%, the customer's bank 10%, the beneficiary bank 10%. The benefit applies once in a lifetime per individual. For losses below ₹29,412, this formula pays out the maximum ₹25,000 cap.
- Compensation quantum: 85% of net loss OR ₹25,000 — whichever is lower
- Loss ceiling for eligibility: ₹50,000 (gross loss per incident)
- Reporting requirement: Within 5 calendar days — to bank AND National Cyber Crime Reporting Portal (cybercrime.gov.in)
- Cost-sharing: RBI 65% + Customer's bank 10% + Beneficiary bank 10%
- Eligibility: Individual persons only (not corporate entities)
- Lifetime limit: One claim per individual (once-in-a-lifetime benefit)
- Pilot period: July 1, 2026 to June 30, 2027
- Notable: First time RBI directly funds a customer fraud compensation mechanism
Connection to this news: This mechanism represents a structural shift in how banking regulation approaches consumer protection — from passive standards to active financial participation in remediation.
Seven Categories of Regulated Banking Institutions
The Reserve Bank of India, under the Reserve Bank of India Act, 1934 and the Banking Regulation Act, 1949, regulates multiple categories of banks. The 2027 framework applies uniformly to all of them.
- Commercial Banks: Scheduled and non-scheduled, including public sector, private sector, and foreign banks
- Small Finance Banks (SFBs): Licensed to serve underserved segments; minimum 75% of adjusted net bank credit to priority sector
- Payments Banks: Limited-purpose banks; accept deposits up to ₹2 lakh per customer; cannot lend
- Local Area Banks (LABs): Small private sector banks operating in limited geographic areas
- Regional Rural Banks (RRBs): Joint venture between Central Government, State Government, and sponsor bank; serve rural areas
- Urban Co-operative Banks (UCBs): Regulated jointly by RBI and Registrar of Co-operative Societies
- Rural Co-operative Banks: Include State Co-operative Banks and District Central Co-operative Banks
Connection to this news: Uniform applicability across all seven categories ensures that customers of cooperative banks and RRBs — segments most vulnerable to digital fraud — receive the same protections as customers of large commercial banks.
Bank Obligations Under the New Framework
Banks must now provide: 24/7 multi-channel fraud reporting (phone, SMS, email, IVR, toll-free); instant SMS alerts for all electronic banking transactions exceeding ₹500; email alerts for all e-banking transactions; board-level transparent customer protection policies; immediate account or card freezing upon complaint; value-dated reversals (backdated to the original transaction date so customers do not lose interest); and detailed rejection notices with supporting logs (OTP records, SMS trails, transaction timestamps) when claims are denied.
- SMS alert threshold: ₹500 (mandatory instant alert for transactions above this value)
- Shadow reversal: Credit card fraud reversals must be value-dated to original transaction date
- Resolution timeline: 30 calendar days (from 90 working days)
- Compensation payout: Within 5 calendar days of application approval
Connection to this news: Operational mandates on banks are as significant as the compensation quantum — they create enforceable standards for fraud response infrastructure.
Key Facts & Data
- Framework: Amendment to RBI's Customer Liability Directions for Digital/Electronic Banking Transactions
- Effective date: January 1, 2027
- Original framework date: July 6, 2017 (RBI/2017-18/15)
- Draft for public comment: March 6 – June 24, 2026
- Pilot compensation scheme period: July 1, 2026 – June 30, 2027
- Banks covered: 7 categories — Commercial, Small Finance, Payments, Local Area, RRBs, Urban Co-operative, Rural Co-operative
- Key expansion: Now covers fraudulent EBTs (social engineering, phishing) — not just unauthorised transactions
- Compensation for losses up to ₹50,000: 85% of net loss or ₹25,000 (whichever is lower)
- Cost-sharing: RBI 65% + Customer's bank 10% + Beneficiary bank 10%
- Reporting deadline for compensation eligibility: 5 calendar days to both bank and National Cyber Crime Reporting Portal
- Burden of proof: Shifted to bank (must prove customer negligence)
- Complaint resolution deadline: 30 calendar days (was 90 working days)
- Compensation disbursement: Within 5 calendar days of application
- Once-in-a-lifetime benefit: Per individual; corporate entities excluded
- SMS alert mandate: Mandatory for all EBTs above ₹500
- Remaining gap: Frauds above ₹50,000 remain outside structured compensation, a key limitation