In its annual report for 2017-18 released on Wednesday, the Reserve Bank of India reiterated the framework on limiting customers’ liability in unauthorised electronic banking transactions. The norms include ‘zero liability’ and ‘limited liability’ for customers. A customer need not bear any loss if the deficiency is on the part of the bank, and in cases where the fault lies neither with the bank nor with the customer but lies elsewhere in the system. For this, the customer needs to notify the bank within three working days of receiving the communication about the unauthorised transaction.
In cases where the fault lies neither with the customer nor with the bank but lies elsewhere in the system, and the customer reports the unauthorised transaction with a delay of four to seven working days after receiving the communication about the transaction, the maximum liability of the customer ranges from Rs 5,000 to Rs 25,000, depending on the type of account and instrument.
These guidelines, which were introduced last year, made banks liable for unauthorised electronic banking transactions unless banks can conclusively prove that the customer is at fault. But experts say that the regulator needs to implement these guidelines strictly and introduce penalties if banks don’t adhere to them.
However, experts say that banks are yet to fall in line. “We have umpteen number of cases where banks have delayed the reversal of unauthorised transactions giving one excuse or the other,” says Pavan Duggal, a Supreme Court lawyer and a cyber law expert. Customers are usually told that the fraud is under investigation and closure will take time. After constant follow-ups, the customer gives up if the amount involved is not significant.
The regulator has even mandated guidelines for banks to conclude unauthorised transactions and pay the money back to the customer. Banks need to credit the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of notification by the customer. If a bank is investigating a transaction, it is supposed to resolve the complaint and establish the liability of the customer, if any, within 90 days of receipt of the complaint.
Banks are, however, not adhering to the guidelines as there are no deterrents. “RBI has provided timelines, but there are no penalties if banks don’t follow them. If the RBI says there will be Rs 500,000 penalty for missing the deadlines, then banks will be more proactive,” says Duggal.
Following the guidelines, banks have become proactive in compensating customers only in case of large-scale frauds. Recently, fraudsters skimmed, cloned and siphoned off funds from over several accounts of different banks in Kolkata. The culprits were nabbed, and the funds were credited back to customers’ bank account within a few days. But cases involving a single customer still take time, and the victim has to fight hard to reverse the transaction.
According to the guidelines, the customer will have to bear liability if the loss is due to negligence on his part, for instance, if he shares his payment credentials. He will have to bear the entire loss until he reports the unauthorised transaction to the bank. Any unauthorised transaction that takes place after he has reported to the bank will be borne by the latter. If the delay is beyond seven working days, then the customer’s liability will depend on the policy approved by the bank’s board.