RBI To Compensate Digital Fraud Victims Even With OTP Share, Limit Capped At Rs 25,000

The Reserve Bank of India (RBI) has announced a change in its approach to digital fraud compensation, allowing payouts even in cases where customers have shared a one-time password (OTP) with the scammer. The proposal was announced by the RBI Governor Sanjay Malhotra during the Monetary Policy Committee (MPC) meeting decisions on February 6, 2026.

Under the proposed framework, victims of small-value digital frauds will qualify for compensation even if the fraud took place after sharing an OTP, provided that the loss was not carried out intentionally. Earlier, sharing an OTP was often treated with customer negligence, and therefore denied any compensation.

How The New Compensation Framework Works

The proposal applies to fraudulent digital transactions involving amounts up to Rs 50,000. According to RBI, close to 65 per cent of reported digital fraud cases fall within the range.

Under the framework, a customer will be eligible to receive 85 per cent of the loss amount or Rs 25,000, whichever is lower. For instance, a loss of Rs 20,000 would result in a payout of Rs 17,000. 

If the loss amount is Rs 50,000, the compensation will be capped at Rs 25,000. The payout will be shared among multiple entities. RBI will bear 70 per cent of the compensation, while the remaining amount will be shared between the bank and the customer. The exact split between the bank and the customer has not been specified yet.

Source Of Compensation Funds

RBI has said that the compensation will be paid from the Deposit Education and Awareness Fund (DEAF), which is funded through unclaimed deposits and surplus income accumulated over time. The central bank also indicated that the fund has sufficient surplus to support the proposed payouts.

A discussion paper outlining the framework will be issued for public consultation before the rules are finalised.

Once-In-A-Lifetime Compensation

The compensation can be availed only once in a customer's lifetime. RBI has clarified that the measure is intended to provide relief in cases of unintended loss due to digital fraud and will not apply repeatedly for the same individual.

Subsequent fraud cases, in which customers have been careless, will continue to be dealt with in accordance with the existing framework of liability.

Existing RBI Rules On Digital Fraud

The new proposal will function in parallel with RBI's digital fraud guidelines issued in 2017, which defines the customer liability on the basis of cause of the fraud and the reporting timeline.

If a fraud occurs due to a bank's error, the customer has nil liability and must be fully compensated. If a third party is responsible and the fraud is reported within 3 working days, the customer also has nil liability. If the reporting delay is between 4 and 7 working days, customer liability is capped at Rs 25,000.

Under the earlier framework, customers who shared an OTP were generally held fully liable for the loss until the fraud was reported.

Banks' Responsibilities And Timeline

Banks are supposed to issue a shadow credit of the disputed sum to the customer's account within 10 working days from the fraud being reported. This ensures the temporary relief during the investigation of the case.

The bank will have 90 days to resolve the complaint. Banks are also required to offer several 24x7 channels to report frauds. This could be through a toll-free number, SMS alerts and email-based reporting systems.