Who is liable for money lost when fraud occurs in a customer’s bank account or card through illegal access/use of ATM or any of the Digital Channels (Internet Banking, Mobile Banking, Payments, E-wallets, etc.)?
The answer depends on the country where the account is being operated.
While the customer is responsible for the safe keeping of his/her ATM Card, Pin, Internet Banking and Mobile Banking credentials, different countries have different regulations on ‘limited liability’ of the customer.
When a customer discovers and reports fraud in her account through the use of ATM, Internet Banking or Mobile Banking, she is not liable for the full funds lost.
In the US, the Federal “Regulation E” Consumer Protection Act ensures that customer’s liability is capped at $50 if she contacts the financial institution within 2 days of discovering loss, theft or theft of the access device. The bank is liable for the rest of the money lost.
Many banks take account protection a step further with their banking guarantee and even waive the $50 liability given the fiercely competitive market.
As a result, banks take the entire responsibility for the loss. The UK too has similar consumer protection clauses for electronic banking transactions.
India’s central banking institution, the Reserve Bank of India (RBI) has been working on beefing up customer protection aspects of banking supervision for the past few years.
RBI’s recent communication to Indian banks on limited customer liability is laudable for its bold steps towards better customer service and protection in the Indian banking ecosystem.
It mandates banks to adopt better systems and processes to ensure safety and security of electronic transactions including the robust fraud detection and prevention mechanisms.
Some of the highlights in the communication:
Mandatory By Banks For All Digital Transactions
- Registration of customers for text alerts and email wherever available, for electronic transactions.
- Text alerts to customers for all electronic transactions and email alerts to customer registered email.
- Ability for customer to report unauthorised transactions 24X7 through multiple channels (including website, phone banking, SMS, email, IVR, toll-free helpline, home branch).
- Enable customers to instantly respond by Reply to text alert for unauthorised transactions.
Zero Liability of Customer
The customer has zero liability for the loss where unauthorised transaction occurs in case of:
- Contributory fraud/negligence/deficiency on part of bank irrespective of whether the transaction is reported by the customer.
- Third party breach, where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and the customer notifies the bank within 3 working days of receiving the communication from the bank regarding the transaction.
Limited Liability of Customer
The customer has limited liability for the lost funds due to unauthorised transactions in the following cases:
- Where loss is due to negligence of the customer, such as sharing payment credentials, the customer will bear the entire loss until customer reports the unauthroised transaction to the bank. Any loss occuring after customer reports unauthorised transaction should be borne by the bank.
- Where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of 4 to 7 working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the range of INR 5000 to INR 25,000 based on the type of the accounts and the average balance/credit limit.
- Where the delay in reporting is beyond 7 working days, the customer liability shall be determined as per the bank’s Board approved policy.
Customer Liability – Summary
|Time Taken To Report Fraudulent Transaction From Date Of Receiving The Communication||Customer’s Liability (in INR)|
Within 3 working days
Within 4 to 7 working days
|The transaction value or the amount mentioned in Table 1, whichever is lower|
Beyond 7 working days
|As per the bank’s Board approved policy|
Moreover, the bank should credit the amount involved in unauthorised transactions to the customer’s account within 10 working days from the date of reporting by the customer.
These measures will certainly take digital adoption to the next level for the Indian banking sector and the overall economy.
While banks must invest in the enabling technology and processes, the benefits of increased customer confidence in digital adoption far outweigh the enablement costs.