India’s digital payment ecosystem has grown exponentially. Such massive scale inevitably invites fraudsters, and many gullible customers have fallen victim to their tricks.
The Reserve Bank of India has earlier issued master directions specifying customer liability in the event of a digital/online fraud. The RBI has gone further and proposed amendments to the Master Directions that further expand on the scope and provide greater comfort to the customers.
In this post, let’s look at the major amendment proposals.
Note: There are just draft amendments and will become rules once RBI notifies the amendments.
| Area | Master Directions 2025 | Proposed in Draft Amendment 2026 |
| Definition of Fraud | No formal definition of ‘fraudulent’ transactions. No distinction between deception-induced authorizations and genuinely unauthorized transactions. Customers tricked into authorizing a transfer/transaction had little recourse since the transaction was deemed authorized. | In addition to unauthorized transactions, transactions where the customer shared OTP/UPI PIN/ credentials under deception, coercion, and scammer impersonation will be considered fraudulent. Hence, even in cases where the customer is tricked into authorizing a fraudulent transaction, he/she may be eligible for compensation. Crisp Definitions for
|
| Burden of Proof | While not written explicitly, the customers had to demonstrate that they were not negligent. Banks could simply reject claims citing customer negligence and without detailed justification. Customers had to prove innocence. | The burden of proving customer liability now rests entirely on the bank. The customer is innocent until proven guilty by the bank.
The bank must disclose the reason for claim rejection with supporting details such as OTP logs, SMS logs, and transaction records. |
| Customer liability in case of fraud to bank negligence | Zero liability in case of fraud because of bank negligence/deficiency. | Zero liability in case of fraud because of bank negligence/deficiency.
|
| Customer liability in case of fraud due to third party breach | Zero liability in case of third- party breach if reported to the bank within 3 working days. Limited liability for cases reported with 4 to 7 working days of fraudulent transaction. Beyond 7 working days, customer liability to be decided as per the bank approved policy. No structured compensation | Zero liability in case of third- party breach if reported to the bank within 5 calendar days
Structured compensation: For transactions reported after 5 calendar days, the customer shall be compensated for the loss. Up to Rs 25,000 or 85% of the net loss, whichever is lower. Subject to conditions.
Adverse move: Maximum liability of the customer seems to have been removed. |
| Customer Liability in case of fraud due to customer negligence | The customer bears the loss until the transaction is reported to the bank. For any loss arising after the fraudulent transaction is reported, the customer has zero liability. The bank must bear such a loss. | The customer bears the loss until the transaction is reported to the bank. Structured compensation: The customer shall be compensated for the loss. Up to Rs 25,000 or 85% of the net loss, whichever is lower. Subject to conditions. For any loss arising after the fraudulent transaction is reported, the customer has zero liability. The bank must bear such a loss. |
| Resolution Timeline | Banks must resolve complaints and communicate the outcome within 90 days. | Banks must resolve complaints and communicate the outcome within 30 calendar days. |
How will the Small Value compensation be calculated?
This is applicable only in the following cases:
- Fraudulent transactions due to customer negligence OR due to third party breach (reported after 5 days). AND
- The transaction(s) involves a loss not exceeding Rs 50,000 AND
- The victim has reported the fraudulent transaction on the National Cyber Crime Reporting Portal or National Cyber Crime Helpline (1930) AND to the bank within 5 calendar days.
As you can see, timely reporting is important.
Note: There are no fraudulent transactions that are both authorized and due to third party breach. A third-party breach transaction is, by definition, always unauthorized. If authorized, it falls into the customer negligence bucket.
Small value compensation does not apply to loss due to bank negligence or due to third party (but was reported within 5 days) because the bank must pay the customer in full.
How much compensation is available and who bears the burden?
85% of net loss (up to ₹25,000) for losses under ₹50,000.
This 85% shall be funded by RBI (65%), the customer’s bank (10%) and the beneficiary bank (10%).
This limit of Rs 25,000 is a lifetime limit for a customer. Hence, you can’t keep repeating the mistakes and hope for compensation.
The draft also explains using various scenarios.
Illustration 1
Amount reported lost under the complaint: Rs. 40,000
Recovery made & credited to customer before compensating: Rs. 15,000
Net loss faced by the customer = Rs. 25,000
Compensation to be paid to the customer = Min (85% of Rs 25,000, 25,000) = Rs 25,000 X 85% = Rs 21, 250
Contribution of Reserve Bank = 21, 250 X 65/85 = Rs 16,250
Contribution of customer’s bank and beneficiary bank = Rs 21,250 X 10/85 = Rs 2,500 each
Illustration 2
Amount reported lost under the complaint: Rs 40,000
Compensation paid to the customer: Min (85% of 40,000, 25,000) = Rs. 25,000
Contribution of Reserve Bank = 25,000 X 65/85 = Rs 19,118
Contribution of customer’s bank and beneficiary bank: Rs. 2,941 each
Recovery made = ₹40,000
Since the entire amount has been recovered, each party must be made full.
The customer gets Rs. 15,000 out of recovered amount of Rs 40,000. This is in addition to Rs 25,000 that he/she had received earlier.
RBI gets back Rs. 19,118 that it had paid as part of compensation.
The customer’s bank and beneficiary bank get Rs. 2,941 each, the portion they had paid.
Illustration 3
Amount reported lost under the complaint: Rs 40,000
Compensation paid to the customer: Min (85% of 40,000, 25,000) = Rs. 25,000
Contribution of Reserve Bank = 25,000 X 65/85 = Rs 19,118
Contribution of customer’s bank and beneficiary bank: Rs. 2,941 each
Recovery made = Rs. 15,000
Net loss = Rs 40,000 – Rs 15,000 = Rs. 25,000
Compensation payable = Min (85% of Rs 25,000, 25,000) = Rs 25,000 X 85% = Rs 21, 250
Hence, the customer must get Rs 15,000 (the recovered amount) + Rs 21,250 (compensation) = Rs 36,250. He/she has already been Rs 25,000. Hence, the customer will be Rs 11,250.
We still Rs 15,000 – Rs 11,250 = Rs 3,750 left. This will be shared between RBI and the banks.
RBI gets back 3,750 X 65/85 = Rs 2,868. Net amount paid by RBI = Rs 19,118 – Rs 2,868 = Rs 16,250
The two banks get Rs 3,750 X 10/85 = Rs 441 each. Net amount paid by each bank = Rs 2,941 – Rs 441 = Rs 2,500.
What should you do?
- Know the rules and your rights.
- You do not incur any loss if the fraud happens because of negligence by bank or due to third party breach (if reported on time).
- You incur loss only if the fraud happens because of your negligence (OTP/credential sharing). The burden of proving your negligence lies with the bank. The bank must also provide supporting details.
- The banks must resolve the complaint and establish liability with 30 calendar days.
- Know your responsibilities too.
- Try your best not to become victim of online fraud.
- Be alert. Fraudsters will keep figuring out new ways to deceive people.
- Follow safe online practices.
- The timely reporting of fraudulent transactions can limit your losses. Report at the earliest. Report both to the bank and the National Cyber Crime Reporting portal.
Note: This is still a draft circular and is not yet final.