Customer Protection Policy: – Limiting Liability of Customers in Unauthorised Electronic Banking Transaction
1. In terms of RBI circular DCBR.(PCB/RCB)CIR.No.06/12.05.001/2017-18 dated 14.12.2017 issued regarding customer Protection in unauthorized Electronic Banking Transactions, we have formulated and approved Bank’s ‘Customer Protection Policy’ as described here under.
2. As advised in the RBI circular, the electronic banking transactions can be divided into two categories:
Remote/ online payment transactions (transactions that do not require physical payment instruments to be presented at the point of transactions e.g. internet banking, mobile banking, card not present (CNP) transactions), Pre-paid Payment Instruments (PPI),
Face-to-face/ proximity payment transactions (transactions which require the physical payment instrument such as card or mobile phone to be present at the point of transaction e.g. ATM, POS, etc.)
3. Further, as per the guidelines issued by RBI, the systems and procedures in Banks must be designed to make customers feel safe about carrying out electronic banking transactions.
To achieve this, our Bank has put in place:
(i) Appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers;
(ii) Robust and dynamic fraud detection and prevention mechanism;
(iii) Mechanism to assess the risks (for example, gaps in the bank’s existing Systems) resulting from unauthorized transactions and measure the liabilities arising out of such events;
(iv) Appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom; and
(v) A system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.
Reporting of unauthorized transactions by customers to the Bank :
4. For this purpose, we have asked our all customers to mandatorily register for SMS alerts and, wherever available, register for e-mail alerts, for electronic banking transactions. The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered.
The Bank will advise its customers to notify the Bank of any unauthorized electronic banking transaction at the earliest after the occurrence of such transaction, and informed that the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/customer.
To facilitate this, Bank will provide its customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting unauthorized transactions that have taken place and/or loss or theft of payment instrument such as card, etc. Banks shall also enable customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any.
Further, a direct link for lodging the complaints, with specific option to report unauthorized electronic transactions shall be provided by the Bank on home page of our Bank’s website. The loss/fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by the Bank to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them.
This shall be important in determining the extent of a customer’s liability.
The bank will not offer facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the Bank. On receipt of report of an unauthorized transaction from the customer, the Bank will take immediate steps to prevent further unauthorized transactions in the account.
Reporting of unauthorized transactions to RBI by the Bank:
For the purpose of protection of customer’s data, the Bank will formulate its ‘Cyber Security Policy’ and also implement basic Cyber Security Controls as required in terms of RBI circular DCBS.CO.PCB.Cir.No.1/18.01.000/2018-19 dated 19.10.2018. It will also follow the CERT-IN Security advisory and implements the guidelines issued by RBI in this regard.
Further, the Bank will report all unusual cyber security incidents immediately by email to DCBS, CO at ‘email@example.com’ and also submit a ‘NIL’ report at the end of the each quarter, by email to the same email address..
Limited Liability of a Customer:
(A) Zero Liability of a Customer:
5. In case of the unauthorized transactions occurs in following events, a customer’s entitlement to zero liability shall arise :
(i) Contributory fraud/ negligence/deficiency on the part of the Bank (irrespective of whether or not the transaction is reported by the customer).
(ii) Third party breach where the deficiency lies neither with the Bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.
(B) Limited Liability of a Customer:
6. A customer shall be liable for the loss occurring due to unauthorized transactions in the following cases:
- In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the Bank. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the Bank.
- In cases where the responsibility for the unauthorized electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and the customer notifies the bank of such a transaction within four to seven working days of receiving a communication of the transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower.
Table 1 :
Maximum Liability of a Customer under paragraph 6 (ii) :
Type of Account
|• All other SB accounts
• Pre-paid Payment Instruments and Gift Cards
• Current/Cash Credit/Overdraft Accounts of MSMEs
• Current Accounts/Cash Credit/Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud)/ limit up to Rs.25 lakh
• Credit cards with limit up to Rs. 5 lakh
|• All other Current/Cash Credit/Overdraft Accounts
Further, if the delay in reporting is beyond seven working days, the customer shall be liable for the entire value of the transaction(s) involved as per the bank’s Board approved policy.
The Bank shall provide the details of its policy formulated in regard to customers’ liability to the account holder, at the time of opening the accounts.
Further, the Bank shall also display its approved policy in public domain for wider dissemination.
The Bank will also individually inform, about the bank’s policy, to its all the existing customers.
7. Overall liability of the customer in third party breaches, as detailed in paragraph 5(ii) and 6(ii) above, where the deficiency lies neither with the Bank nor with the Customer but lies elsewhere in the System, is summarized in the Table 2 :
: Table – 2 :
Summary of Customer’s Liability :
|Time taken to report the fraudulent transaction from the date of receiving the communication
|Customer’s liability (Rs.)
|Within 3 working days
|Within 4 to 7 working days
|The transaction value or the amount mentioned in Table 1, whichever is lower
|Beyond 7 working days
|The customer liability to the extent of the value of the transaction(s).
The number of working days mentioned in Table 2 shall be counted as per the working schedule of the Bank excluding the date of receiving the communication.
Reversal Timeline for Zero Liability/Limited Liability of customer :
8. On being notified by the customer, the Bank shall credit (shadow reversal) the amount involved in the unauthorized electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). The credit shall be value dated to be as of the date of the unauthorized transaction.
The Bank may also consider, at its discretion, to waive off any customer’s liability in case of unauthorized electronic banking transactions even in cases of customer negligence.
9. Further, banks will ensure that:
(i) a complaint is resolved and liability of the customer, if any, established and the customer is compensated as per provisions of paragraphs 5 to 8 above, within such time as may be specified in the Bank’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint;
(ii) where it is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the compensation as prescribed in paragraphs 5 to 8 will be paid immediately to the customer; and
(iii) In case of debit card/Bank account, the customer does not suffer loss of interest, and in case of credit card, the customer does not bear any additional burden of interest.
The Bank will strictly follow its ‘Customer Protection Policy’ keeping in view instructions / guidelines issued by RBI from time to time in this regard. It is decided to review the Customer Protection Policy on yearly basis.