RBI rules on e-transaction frauds: Onus on customers to prove they were not careless


Customers will not suffer any loss if an unauthorised electronic banking transaction is reported within three working days, and the amount involved will be credited back to the account concerned within 10 working days. This is the highlight of the revised directions the Reserve Bank of India (RBI) issued on 6th July 2017 under the title ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions’.

But the devil is in the details, and in law the details are contained in the numerous provisos and exceptions in which the draftsman revels. The following paraphrased proviso would virtually seal the fate of short-changed customers in the vast majority of cases.

However, in cases where the loss is due to negligence by the account holder (such as sharing of payment credentials), the customer will bear the entire loss until the unauthorised transaction is reported to the bank.

Let us say Rita handles her busy husband’s finances, including his cards. And let us say the card details are stolen. Will the bank wash its hands of the resultant loss to Rita’s husband on the ground that he “shared” his credentials? This is exactly the kind of escape route banks will latch onto. The Reserve Bank should make it clear that the account holder must have been negligent in allowing a fraudster to access the payment credentials before the bank is absolved of liability. After all, Rita was neither committing the fraud nor complicit in it.

And there is a bloomer in the RBI’s revised directions too. If the fraud is reported after three working days but within seven, the customer’s liability is capped at a flat amount that depends on the type of account: Rs 5,000 for basic savings accounts, Rs 10,000 for other savings accounts, prepaid instruments, most individual current accounts and credit cards with limits up to Rs 5 lakh, and Rs 25,000 for other current accounts and credit cards with limits above Rs 5 lakh. This is hilarious. Suppose a current-account holder loses Rs 15 lakh to an electronic payment fraud and reports it after five working days: he gets back Rs 14.75 lakh. Whereas if Rita in the above example had lost Rs 25,000 and the bank pinned “sharing of credentials” on her, she and her husband would stand to lose the entire Rs 25,000. Surely there must be a sense of proportion.

What follows is worse. Should the fraud be reported after seven working days, there is no cap at all: the customer’s liability is whatever the bank’s own Board-approved policy says it is, and a bank may well say the entire amount. Greater negligence, greater penalty is a fair norm, but here the size of the penalty is left to the very party that stands to collect it.

But all this matters only if the bank is unable to pin the blame on the customer. In all likelihood, every bank would first try to wriggle out of its liability by pinning the blame on the customer. If she had done the transaction from a cyber café, the bank would say, perhaps with justification, that cyber cafés are the least secure places for carrying out electronic payment transactions. Electronic crooks also know how to exploit traffic on open or poorly secured Wi-Fi. Who knows, a wily bank may turn the tables on a hapless customer by saying: you were banking over a Wi-Fi network that gave away your credentials to a peeping Tom in the neighbourhood.

It is good that the RBI has made registration of a mobile number mandatory for those who carry out electronic card transactions. A one-time password (OTP) is a good additional safeguard to nip the mischief in the bud, because the fraudster must now compromise two separate things: the card details including the password, and the channel on which the OTP is delivered, whether by hijacking the victim’s SIM so the OTP lands on the trickster’s phone or by planting malware on the handset. Neither is impossible, and SIM-swap frauds do happen, which is why the OTP is an additional layer rather than a substitute for protecting the card credentials themselves.

The RBI would do well to staunch a gaping hole in the system: ATM withdrawals, which are as much a part of the electronic payment system as anything else. There is no reason why it cannot mandate an OTP for ATM withdrawals too. If a bank can inform a customer by SMS after a withdrawal, it can as well seek his approval by OTP before the withdrawal. There is no point in closing the stable door after the horse has bolted.

Published Date: Jul 07, 2017 03:17 pm | Updated Date: Jul 07, 2017 03:17 pm