Who Pays When A Digital Fraud Takes Place? RBI Shifts Burden Of Proof To Banks

The Reserve Bank of India (RBI) has revised its framework on customer liability in digital fraud cases, expanding protection beyond unauthorised transactions and placing the burden of proving customer liability on banks.

The amended directions, issued on June 24, will come into effect from January 1, 2027. These apply to commercial banks, small finance banks, payments banks, regional rural banks, local area banks and co-operative banks.

The move follows a review of the existing framework on limiting customer liability in unauthorised digital banking transactions. The RBI had released draft directions in March 2026 and finalised the framework after examining feedback from stakeholders.

More Coverage For Fraud Cases

A key change is the expansion of the framework beyond unauthorised online transactions to cover other types of fraud transactions, carried out digitally.

The revised rules will apply to a broader range of digital fraud cases, including situations where customers are induced into carrying out transactions through fraudulent means.

Banks To Determine Liability

Once implemented, banks will have 30 calendar days to investigate the complaints and determine liability.

The directions place the burden of proving customer liability on banks. Where a claim is rejected, banks will have to provide the customer with reasons for the decision and supporting evidence, including transaction records and authentication logs.

Banks must also take immediate steps to prevent further fraudulent transactions once a complaint is reported. Any fraudulent transaction that occurs after the reporting of the incident will have to be borne by the bank.

Zero Liability And Compensation

The RBI has retained zero customer liability in cases where the fraud arises due to negligence by the bank.

Zero liability will also apply in third-party breach cases if the customer reports the fraudulent transaction within five calendar days of receiving communication from the bank.

The revised framework also introduces a compensation mechanism for certain small-value fraudulent electronic banking transactions. Eligible customers may receive compensation of 85 per cent of the net loss or Rs 25,000, whichever is lower, provided the fraud amount does not exceed Rs 50,000, and the incident is reported to both the bank and the National Cyber Crime Reporting Portal or helpline 1930 within five calendar days.

The amended directions will take effect from January 1, 2027.