Bank customers won’t have to bear loss for data breach, fraudulent transactions: RBI
The Reserve Bank of India on Thursday said bank customers who are victims of fraudulent or unauthorised electronic transactions will not bear any loss if the transaction is due to a fault in the bank’s security system, or a third-party breach.
However, the zero liability is conditional on the customer reporting the unauthorised transaction due to a third-party fault within three days of receiving the alert from the bank, according to the revised norms on “customer protection—limiting liability of customers in unauthorised electronic banking transactions”.
The draft norms were issued in August 2016.
The RBI has mandated banks to pay the amount involved in a transaction within 10 days of reporting by the customer.
Last year, after a malware injection in the systems of Hitachi Payment Services Pvt Ltd, about 3.2 million debit cards were compromised; similarly, hackers had infected the servers of the Union Bank of India with malware.
Digital transactions rose 2.36% to ₹113.73 lakh crore in June, from ₹111.11 lakh crore in May, provisional data released on Wednesday by RBI said.
According to the latest norms, the maximum liability of the customer—in case the transaction was because of the customer’s negligence or if the customer did not adhere to reporting timelines, is set at ₹5,000-25,000. The draft norms had set it at ₹5,000.
To be sure, the current maximum liability of the customer will be as per the nature of the transaction and hinges on the seven-day reporting deadline.
If the customer misses the three-day deadline but reports the unauthorised transaction caused due to a third-party breach within seven days, the customer will have to share some liability.
In such a loss the customer’s liability is a maximum of ₹5,000 in case of basic savings bank deposits.
For other savings bank accounts, pre-paid instruments, gift cards or credit cards with up to ₹5 lakh limit, current and overdraft accounts with annual average balance of ₹25 lakh, the customer liability is at ₹10,000.
The maximum liability of ₹25,000 is for credit cards with a limit above ₹5 lakh and other current and overdraft accounts. The liability will be lower than the transaction value for the aforementioned amounts.
Banks, which have the burden of proving customer liability, will determine the amount the customer has to shell out as per the board policy, if the customer misses the seven-day deadline. The central bank said the bank must resolve the complaint and establish customer liability, if any, as per its board policy but the timeline must not exceed 90 days.
According to the central bank, while banks must ask customers to mandatorily register for SMS and e-mail alerts, for electronic banking transactions, the banks must also provide 24x7 access through multiple channels like website, phone banking, SMS, etc for reporting.