Do you use mobile wallets such as PayTM or PhonePe or Amazon Pay? If you do, then do you know the steps you should take if you figure out that there has been a fraudulent transaction using your wallet? What are your rights? What is your liability? Let’s find out.
We had discussed about customer liability in case of credit / debit card or online banking frauds in an earlier post. At the time, these were only draft guidelines. However, the same guidelines were later notified in July 2017. You can read the notified guidelines on RBI website.
Recently, RBI, in its circular dated January 4, 2019, released guidelines about limiting customer liability in case of fraud / unauthorized electronic transactions in case of Prepaid payment instruments or electronic wallets issued by non-banks. Therefore, if you use PayTM, Amazon Pay, PhonePe or Mobikwik, you will find these guidelines useful.
How Much Is Your Liability if There Is a Fraud Using Your Mobile Wallet?
Your liability depends on two aspects.
- Who is responsible for the unauthorized transaction
- The delay in reporting the transaction
Let’s see how this works.
- You are at fault: If you have acted irresponsibly or have shared OTP without using discretion, you will have to bear the entire loss till such time you report the transaction to the wallet / prepaid instrument issuer
- The PPI or wallet issuer is at fault: You have no liability
- Third party breach: Depends on when you report
- Within 3 days: You have Nil liability
- Within 4 to 7 days: Transaction value or Rs 10,000 per transaction, whichever is lower
- Beyond 7 days: As per Board approved policy of the issuer
For counting the number of days, the number of days shall be counted excluding the date of receiving communication (SMS / e-mail) about the transaction (transaction alert) from the issuer. Here is the snapshot from RBI circular.
By the way, the liability is almost the same as for fraud with credit/debit cards or net banking. No reason why this should be much different.
Who Decides Who Is Responsible?
Clearly, this is a very subjective aspect. The issuer would want to put the onus on you. As per the RBI circular, the burden of proving customer liability (or fault) lies with the issuer.
How Long Does It Take for the Amount to Reverse?
Once the customer notifies the fraudulent transaction, the issuer shall credit the amount to the wallet within 10 days. As I understand, this shall merely be notional credit. You may not be allowed to use the amount till such time the complaint is finally resolved. Further, the issuer has 90 days to resolve the issue and establish customer liability, if any. If customer liability is established, the customer will take a hit as discussed earlier (depending on who is responsible and the delay in reporting).
Responsibility of the Wallet (Prepaid Payment Instrument) Issuer
- The issuer must ensure that the customer mandatorily register for SMS alerts.
- The issuer must send SMS (transaction alert) for any payment transaction in the wallet. If the e-mail id is registered, an e-mail must be sent too.
- The transaction alert must have a contact number or e-mail id on which the user can report unauthorized transaction.
- The issuer must provide 24X7 access via website / SMS / e-mail / dedicated toll-free helpline to report such fraudulent transactions.
- The issuer shall provide a direct link for lodging complaints (with an option to report fraudulent transactions) on the home page of the website and the mobile app.
- If you register a complaint using any of the mode specified above, you must get an acknowledgement of the complaint along with the complaint number.
Points to Note
Users do not typically keep a lot of money in their prepaid wallets. Therefore, the amount-at-risk is unlikely to be very high. However, you load your wallet using credit card, debit card, net banking or UPI. Now, some of these wallets may also have auto-load features. i.e., your wallet can automatically reload once the balance drops below a certain level. Therefore, if your wallet account is compromised, your losses can run very high. Depending on the type of prepaid instrument, there are restrictions on the amount you can load in the wallet every month, the amount you can transfer to another account holder and the amount you can hold in your wallet at any point in time. These restrictions will limit the loss in case of a fraud.
What Should You Do?
First, you must take steps to prevent any unauthorized usage in your electronic wallet. Keep your mobile secure and act responsibly (do not share OTPs with anyone). Do note you can’t shrug off the responsibility if you shared OTP with someone and a fraud takes place thereafter. You will have to bear the entire loss.
Mobile wallets pose an interesting problem. Once the wallet is installed on your mobile, you do not have to login every time you use the wallet. So, if you lose your mobile, the person with malintent can easily access your wallet. Moreover, even if he is required to enter the password for any reason, he can easily generate one. You get a SMS with a link to change password. That’s my experience with PayTM. Mobile banking apps have additional steps (grid PIN etc) to create password. So, you need to keep your mobile secure.
Second, if you detect a fraud/unauthorized usage, report it to the issuer at the earliest. As discussed above, the delay in reporting will only increase your liability.