
Customers to have zero liability in case of lender negligence: RBI’s draft guidelines on digital fraud


What Happened

  • The Reserve Bank of India (RBI) released draft guidelines — the "Draft Reserve Bank of India (Commercial Banks — Responsible Business Conduct) Third Amendment Directions, 2026" — proposing a comprehensive framework for customer compensation in digital banking fraud cases.
  • The draft proposes zero liability for customers when fraud occurs due to negligence or a security deficiency on the part of the bank or lender, irrespective of whether the customer reported the fraud or not.
  • For third-party fraud (not the bank's fault), zero liability applies if the customer reports the fraud within five calendar days.
  • A compensation mechanism is proposed for small-value digital fraud: up to 85% of the lost amount or a maximum of ₹25,000, whichever is lower — even in cases where the fraud occurred partly due to the customer's own negligence.
  • The draft shifts the burden of proof to banks — banks must demonstrate customer liability rather than the customer having to prove innocence.
  • Proposed effective date: July 1, 2026. Feedback from stakeholders invited until April 6, 2026.

Static Topic Bridges

RBI's Existing Customer Liability Framework — 2017 Notification

The current RBI framework for customer liability in unauthorised electronic banking transactions was introduced through a circular in July 2017 (updated from an earlier 2014 circular). It established a tiered liability structure: if fraud occurs due to bank negligence — zero liability on the customer; if due to third-party breach and reported within 3 working days — zero liability; if reported in 4–7 days — limited liability (₹5,000–₹25,000 depending on account type); beyond 7 days — as per bank's board-approved policy.

  • Existing framework: RBI Circular (July 2017) on "Limiting Liability of Customers in Unauthorised Electronic Banking Transactions"
  • Current reporting window for zero liability (third-party breach): 3 working days
  • Proposed 2026 update: Extended to 5 calendar days for third-party breach zero liability
  • New addition: Compensation for small-value frauds (up to ₹25,000 or 85% of loss)
  • Burden of proof: Proposed to shift to banks (currently ambiguous in practice)
  • Shadow reversal on complaint: Banks currently must credit disputed amount within 10 working days

Connection to this news: The 2026 draft represents a significant upgrade to the 2017 framework — broadening protections, introducing a formal compensation cap, extending the reporting window, and explicitly defining bank negligence.


RBI's Definition of Bank Negligence in the 2026 Draft

The draft guidelines define "bank negligence" broadly to include: failing to implement mandated security systems and procedures; failing to send mandatory transaction alerts; failing to act diligently on customer fraud notifications; and any system malfunction or security breach on the bank's infrastructure. This definition shifts the accountability culture — previously, banks often invoked customer negligence (sharing OTP, phishing) to deny liability. The new framework forces banks to first demonstrate they met all mandated security standards before claiming customer fault.

  • Bank negligence = Failure of mandated systems, alert failures, inadequate response to complaints, security breaches
  • Proposed framework applies to: All commercial banks (excludes small finance banks, payments banks, RRBs, local area banks)
  • Compensation proposed: 85% of loss (max ₹25,000) for small-value frauds, even if customer partly at fault
  • Burden of proof: Banks must prove customer was liable
  • Fraud reporting mechanism: Must be acknowledged by banks promptly; no delay in shadow reversal

Connection to this news: The explicit definition of bank negligence is the most significant shift — it creates a legal standard against which banks' cybersecurity and fraud response systems will be measured, incentivising proactive investment in fraud prevention.


Digital Banking Fraud — Scale and RBI's Regulatory Mandate

India's digital payments ecosystem has grown dramatically — UPI processes 15+ billion transactions monthly (2025 data). With scale comes fraud: the RBI Annual Report 2024-25 reported significant increases in digital fraud cases, particularly through phishing, SIM-swap fraud, and social engineering. RBI, as the banking regulator, has a mandate to ensure the safety and soundness of the financial system. Its Responsible Business Conduct framework extends this mandate to customer protection in day-to-day banking transactions.

  • UPI transactions (2025): 15+ billion/month (NPCI data)
  • India's digital payments: Second-largest real-time payments market globally
  • Common fraud types: Phishing, SIM-swap, vishing, social engineering, OTP theft
  • RBI regulatory tools: Master Directions, Circulars, Draft Guidelines (consultation process)
  • Stakeholder feedback window (this draft): Until April 6, 2026
  • Effective date proposed: July 1, 2026
  • Applicable to: Commercial banks (excludes SFBs, Payments Banks, RRBs)

Connection to this news: The proposed framework is a direct regulatory response to India's digital fraud epidemic — as payment volumes grow, the asymmetry between customer vulnerability and bank accountability has created consumer trust deficits that the RBI is now addressing legislatively.


Consumer Protection in Financial Services — Regulatory Architecture

Customer protection in India's financial sector is enforced through multiple channels: RBI (banking), SEBI (securities), IRDAI (insurance), and PFRDA (pension). RBI's Integrated Ombudsman Scheme (2021) consolidated multiple ombudsman schemes for banking, NBFCs, and digital payments under one window. The Responsible Business Conduct framework builds on this — requiring banks to proactively meet consumer protection standards rather than merely respond to complaints.

  • RBI Integrated Ombudsman Scheme: 2021; one portal, one email, one address for banking complaints
  • Ombudsman jurisdiction: Awards up to ₹20 lakh in compensation
  • Consumer protection laws: Consumer Protection Act, 2019 also applies to banking services (financial institutions as "service providers")
  • RBI's Responsible Business Conduct directions: Being developed progressively through amendment rounds
  • This draft: Third Amendment to Responsible Business Conduct Directions

Connection to this news: The 2026 draft guidelines, once finalised, will complement the Integrated Ombudsman by creating clear, pre-defined liability standards — reducing the need for customers to escalate to ombudsman for resolution of straightforward digital fraud disputes.


Key Facts & Data

  • Zero liability applies: Bank negligence (any case) OR third-party fraud reported within 5 calendar days
  • Compensation for small frauds: Up to 85% of loss, maximum ₹25,000
  • Burden of proof: Shifts to banks to prove customer liability
  • Applicable to: Commercial banks only (excludes SFBs, payments banks, RRBs, local area banks)
  • Proposed effective date: July 1, 2026
  • Stakeholder feedback deadline: April 6, 2026
  • RBI defines bank negligence: Failure of mandated systems, missing alerts, inadequate fraud response, security breaches
  • Existing framework: RBI Circular 2017 (3-day window, tiered liability); draft upgrades this significantly