RBI’s new rules on customer liability in banking frauds raise a few questions

You can ignore a message from your spouse, your mother-in-law, your boy friend, but not that from your bank. The reason being the RBI’s new rules on customer liability and unauthorised electronic transactions. While these rules look good on paper they also raise many questions. Here are some of them. [caption id=“attachment_3783797” align=“alignleft” width=“380”]  Reuters[/caption] For one, according to the new rules, your bank must ask all customers to mandatorily register for SMS alerts and, if possible, for e-mail alerts on electronic banking transactions. Currently, a section of the banks (not all) charge for such SMS services. The key question here is when the RBI makes SMS alerts mandatory, who will bear the cost for these? Bank or the customer? The central bank has not answered this question. Secondly, the RBI has asked customers to inform their bank of any unauthorised transfer within three days of it taking place. To facilitate this, banks must provide customers with 24x7 access through multiple channels, like website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline. There’s nothing new about this part of the guideline, most banks have some of the channels active currently. A dedicated toll-free helpline is a good idea though, but how long the customer will actually spend holding your phone line before you speak to a human voice is anyone’ guess. Thirdly, the RBI has told banks to allow customers to instantly respond by replying to the SMS and e-mail alerts. The idea is to spare the customers of the pain of searching for the website or another e-mail address to inform the bank about the transaction. In these days when phishing attacks are on the rise, one wonders whether the instant reply option will turn out to be one that facilitates frauds. Phishing happens when an attacker, masquerading as a trusted entity (your bank), dupes a victim into opening an email, instant message, or text message, asking for sensitive data. There are chances that a customer, who gets an alert about a fraudulent transaction, may panic and simply reply to a phishing SMS. Rather than allowing an instant reply, it will be better of for banks to provide multiple channels for customers to get in touch with them. Fourthly, the RBI has told banks to not offer electronic transaction facilities, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the bank. Does this mean withdrawing cash from ATMs is all safe? This after India witnessed one of the biggest ATM security breaches just last year. The central bank should brought ATM transactions under this ambit as well. Fifthly, at the outset, the rules may seem like the RBI has put the onus of checking fraudulent transactions on the banks. But read between the lines and you will see, it’s not so. The responsibility rests on the customer. The liability on the customer is zero only if your bank goofs up despite you alerting it of the fraud or not. If there’s a third-party goof up, and the deficiency lies neither with the bank nor you, but lies elsewhere in the system, and you inform the bank within three working days of the fraud, then also you have zero liability. But, there are other conditions where you have limited liability. In case you goofed up, and there’s a loss due to your negligence, such as you gave your payment credentials, you will bear the entire loss, until you report the unauthorised transaction to the bank. Thankfully, any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank. Now if neither you nor the bank is responsible for a loss due to an unauthorised transaction but the issue lies elsewhere in the system, then you have three days to inform the bank without any penalty. If you are alerting the bank in four to seven working days after receiving the communication on the unauthorised transaction, you will have to pay a per truncation liability amount (see table).   If the delay in reporting is beyond seven working days, the bank will decide how much you will need to pay, which will be as per the bank’s policy So what is RBI really saying here? If the bank goofed you, you need not pay, whether you alter the bank about the fraud or not. If a third party breaches, and it’s neither your fault nor the bank’s fault and you inform the bank within three days, you don’t pay a penalty. If you goofed up – like gave your credentials – the customer will bear the entire loss until he reports the unauthorised transaction to the bank. So can the bank simply wash their hands off, even if the details were inadvertently given? No clarity on this is given by the apex bank. Thankfully, any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank. If a third party goofs up, and it’s neither your nor your bank’s fault, you will have to face some liability if you inform after four days. Here again there is a question. Why should the customer take the liability at all just because he did not alert the bank in three days? There are chances that he was in a hospital, or out of coverage area, or any such. In the US, customer liability is limited regardless of the amount defrauded if reported within 60 days of receiving the bank/card statement. Why is the customer in India not given an option to redress if he or she detects the fraud in the statement? No where has the RBI circular used the words “bank statement”. With these rules one thing is clear - as noted at the beginning, you may ignore a message from your spouse, your mother in law or your boyfriend, but not that of your bank.