The Reserve Bank of India (RBI), through the Reserve Bank of India (Payments Banks – Responsible Business Conduct) Second Amendment Directions, 2026, has substantially strengthened the customer protection framework for fraudulent electronic banking transactions undertaken through Payments Banks, with effect from January 1, 2027. The revised Directions introduce comprehensive definitions of fraudulent electronic banking transactions, customer and bank negligence, third-party breaches, and unauthorised transactions. Payments Banks are required to establish robust fraud prevention systems, provide mandatory transaction alerts, maintain 24×7 reporting channels, and implement transparent grievance redressal policies. Customers are entitled to zero liability where fraud results from bank negligence or timely reported third-party breaches, while a compensation mechanism has been introduced for eligible victims of small-value frauds involving customer negligence. The Directions also prescribe strict timelines for complaint resolution, value-dated transaction reversals, reimbursement procedures, Board-level monitoring, and enhanced customer awareness to improve trust, accountability, and security in digital banking.

Reserve Bank of India

RBI/2026-27/169
DOR.MCS.REC.No.132/01-01-034/2026-27 | Dated: June 24, 2026

Reserve Bank of India (Payments Banks – Responsible Business Conduct) Second Amendment Directions, 2026

Instructions on ‘Limiting Liability of Customers in Unauthorised Electronic Banking Transactions’ for Payments Banks (hereinafter referred to collectively as “PBs” and individually as a “PB”) have been consolidated in the Reserve Bank of India (Payments Banks – Responsible Business Conduct) Directions, 2025. On a review, it has been decided to issue revised instructions on the subject.

2. In exercise of the powers conferred by Section 35A of the Banking Regulation Act, 1949, the Reserve Bank, being satisfied that it is necessary and expedient in public interest so to do, hereby issues the Amendment Directions hereinafter specified.

3. Short Title and Commencement

1. These Directions shall be called the Reserve Bank of India (Payments Banks – Responsible Business Conduct) Second Amendment Directions, 2026.

2. These Directions shall apply in cases of electronic banking transactions undertaken by customers of a bank on or after January 1, 2027.

4. These Amendment Directions shall modify the Reserve Bank of India (Payments Banks – Responsible Business Conduct) Directions, 2025 as under:

1. In paragraph 4, the following definitions shall be inserted after sub-paragraph 4(4), namely:

“4(4.1A) Card Not Present transaction shall have the same meaning as given in the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025.

4(4.1B) Card Present transaction shall have the same meaning as given in the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025.

2. In paragraph 4, the following definition shall be inserted after sub-paragraph 4(7C), namely:

“4(7D) Electronic banking transaction (EBT) shall have the same meaning as ‘electronic funds transfer’ given in Section 2(c) of the Payment and Settlement Systems Act, 2007 and inter alia include both Card Not Present and Card Present transactions.”.

3. In paragraph 4, the following definition shall be inserted after sub-paragraph 4(9), namely:

“4(9A) Fraudulent electronic banking transaction (Fraudulent EBT) means an EBT executed by a third-party using the credentials obtained from the customer through fraudulent means or executed by the customer by granting approval under coercion or duress from the third-party, and / or an unauthorised EBT as defined at paragraph 4(13B) below.”.

4. In paragraph 4, the following definitions shall be inserted after sub-paragraph 4(10A), namely:

“4(10B) Negligence by a customer inter alia includes the following actions by the customer:

i. failing to exercise reasonable care in usage of credentials such as PIN, password, OTP or other details (e.g., providing credentials for carrying out transactions to another person, whether intentionally or otherwise, writing down and storing the PIN with a debit card, etc.); or

ii. not notifying the PB promptly after finding out about a fraudulent EBT, or loss of a debit card; or

iii. not paying attention to specific, directed and clear warnings from the PB that a prospective transaction is likely a scam; or

iv. downloading malicious apps; or

v. failing to update her / his registered mobile number / email address with the PB in case of change.”.

4(10C) Negligence by a PB inter alia includes the following actions by the PB:

i. not putting in place the mandated systems and procedures to ensure safety and security of EBTs; or

ii. not sending mandatory alerts for EBTs; or

iii. not providing 24×7 channels for reporting of fraudulent EBTs or loss of debit card; or

iv. not acting diligently upon a customer notification regarding unauthorised EBT(s) or loss of debit card; or

v. system malfunctions / security breaches / internal frauds leading to unauthorised EBTs.”.

5. In paragraph 4, the following definition shall be inserted after sub-paragraph 4(13), namely:

“4(13.1A) Third-party breach refers to a situation where the deficiency lies neither with the PB nor with the customer but lies elsewhere in the system and includes deficiency on the part of an intermediary such as a Third-Party Application Provider (TPAP), Payment Aggregator (PA), Payment Gateway (PG), Telecom Service Provider (TSP), etc.”.

6. In paragraph 4, the following definition shall be inserted after sub-paragraph 4(13A), namely:

“4(13B) Unauthorised electronic banking transaction (Unauthorised EBT) means an EBT which is not authorised by a customer and inter alia includes an EBT occurring on account of negligence by a bank and / or a third-party breach.”.

7. In Chapter III on ‘Customer Guidance and Protection’, the section Limiting Liability of Customers in Unauthorised Electronic Banking Transactions and paragraphs 21 to 33 thereunder shall be deleted and substituted with the following section and paragraphs, namely:

“CA. Customer Protection in Fraudulent Electronic Banking Transactions

CA.1 Policy

33A. A PB, keeping in view the instructions contained in these Directions, shall formulate a policy to cover aspects of customer protection in EBTs, such as:

(1) channels for alerting customers about occurrence of EBTs and reporting of fraudulent EBTs;

(2) define the rights and obligations of customers in case of EBTs, including fraudulent EBTs, after taking into account the risks to customers arising out of customer negligence / PB negligence / banking system frauds / third-party breaches in specified scenarios;

(3) timeline for resolution of complaints and disclosure to customer; and

(4) mechanism for creating customer awareness on their rights and obligations involved in EBTs along with the risks involved.

The policy must be transparent, non-discriminatory and shall be displayed on the PB’s website along with the details of grievance handling / escalation procedure.

33B. A PB shall design its systems and procedures to make customers feel safe about carrying out EBTs. To achieve this, the PB shall put in place:

1. appropriate systems and procedures to ensure safety and security of EBTs carried out by customers, including those mandated under the Master Direction on Digital Payment Security Controls, Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, and other relevant instructions issued by the Reserve Bank on related matters, as amended from time to time;

2. robust and dynamic fraud detection and prevention mechanism;

3. mechanism to assess the risks (for example, gaps in the PB’s existing systems) arising from fraudulent EBTs and measure the liabilities arising out of such events;

4. appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom; and

5. a system of continually and repeatedly making the customers aware about evolving electronic banking and payments related frauds and the ways to protect themselves from such frauds.

CA.2 Alerts for EBTs

33C. A PB shall ask its customer, availing the facility of EBTs (other than ATM cash withdrawals), to mandatorily provide her / his mobile number and wherever available, email address. The PB shall verify the mobile number and email address provided by the customer at the time of onboarding and subsequently at pre-defined intervals prescribed in its policy.

33D. A PB shall mandatorily send instant SMS alerts to its customers for all EBTs of value more than ₹500. For EBTs of value up to ₹500, a PB may decide to send instant SMS as per its internal policy but without any charge to the customer.

33E. A PB shall send email alerts for all EBTs, wherever email address is provided by the customer.

33F. SMS and email alerts as above shall be in addition to any other form of alerts, e.g. in-app / push notifications, instant messaging, etc., which the PB may send as per its internal policy. Further, such transaction alerts shall contain relevant details pertaining to the EBT such as account / card number, amount, date, time, transaction channel, beneficiary / point of transaction, etc.

CA.3 Reporting of fraudulent EBTs by customers to PBs

33G. A PB shall, from time to time, advise its customers to report any fraudulent EBT to the PB and also lodge a complaint through National Cyber Crime Reporting Portal or National Cyber Crime Helpline (1930) at the earliest. The PB shall also inform its customers that the longer the time taken to notify the PB, the higher will be the risk of loss to customer and also to the PB. To facilitate the same, the PB shall:

1. provide customers with 24×7 access through channels such as phone banking, SMS, instant messaging, dedicated email address, IVR, a dedicated toll-free helpline, reporting to home branch, etc., for reporting fraudulent EBTs that have taken place and / or loss or theft of debit card, etc.;

2. provide a number in the transaction alert SMS itself, to which the customer can immediately send an SMS to notify her/his objection, if any; and

3. provide a direct link on the home page of its website and mobile application, if available, for reporting fraudulent EBTs.

33H. The PB’s communication systems, deployed for sending alerts and receiving the responses thereto, shall record the date and time of delivery of the message and receipt of customer’s response, if any.

33I. A PB shall ensure that its system registers the reporting of any fraudulent EBT as a complaint and sends an immediate acknowledgement to the customer, along with the complaint number and the date and time of receipt of the complaint, through any means such as message to the registered mobile number, email to the registered email address, in-app notification (if the complaint is registered through app), etc.

33J. On receipt of a complaint regarding any fraudulent EBT from a customer, a PB shall take prompt steps to prevent further unauthorised EBTs in the customer’s account(s) under advice to him / her. Further, the PB shall also advise the customer to lodge a complaint on National Cyber Crime Reporting Portal or National Cyber Crime Helpline (1930) at the earliest.

CA.4 Processing of complaints and establishing liability in fraudulent EBTs

33K. The burden of proving customer liability in complaints involving fraudulent EBTs shall lie on the PB. Accordingly, it shall examine and classify each complaint under the relevant categories of EBTs as defined in these Directions.

33L. A customer shall be entitled to zero liability and reversal of the transaction in cases where the fraudulent EBT occurs due to negligence / deficiency on the part of the PB, irrespective of whether the transaction is reported by the customer or not.

33M. A customer shall be entitled to zero liability and reversal of the transaction in cases of third-party breach where the customer reports the unauthorised fraudulent EBT to the bank within five calendar days from the date of its occurrence. In cases of third-party breach reported to the bank after five calendar days, the customer’s liability shall be determined as per the PB’s policy.

33N. In cases where the fraudulent EBT occurs due to negligence by the customer, he / she shall be liable for the loss incurred by him / her, to the extent of loss not eligible for compensation as per the mechanism detailed at paragraph 33T below, until he / she reports the fraudulent EBT to the PB.

33O. Loss arising from any unauthorised transaction occurring after the reporting of the fraudulent EBT by a customer to a PB shall be borne by the PB.

33P. A PB may also, at its discretion, decide to waive off any customer liability in case of fraudulent EBTs.

33Q. A PB shall ensure that a complaint arising out of fraudulent EBTs is examined, liability therein is established and response, as applicable, is issued to the customer within such time as may be specified in the PB’s policy. However, this timeline shall not exceed 45 calendar days from the date of receipt of the complaint by the PB in case of a complaint arising out of domestic fraudulent EBT(s) and 60 calendar days from the date of receipt of the complaint by the PB in case of a complaint arising out of cross-border fraudulent EBT(s). In cases where the customer is entitled to zero liability as provided at paragraphs 33L and 33M above, the response to the customer shall also include details of reversal of the transaction(s) concerned. In cases falling under paragraph 33N above, the response, in eligible cases, shall include details regarding the compensation mechanism prescribed at paragraph 33T below.

33R. In cases where the PB is required to reverse a fraudulent EBT, it shall ensure that the reversal is value dated to its original date of occurrence and the customer does not suffer loss of interest or bear any additional burden of interest / charges, as applicable.

33S. In case of rejected complaints, i.e., in cases where customer liability is established, a PB shall disclose the reason for such rejection and with the supporting details, if any, to the customer.

CA.5 Compensation for small value fraudulent EBTs

33T. (1) A bona fide victim, being an individual person, including a sole proprietor, and having lodged a complaint involving gross loss of an amount up to ₹50,000 on account of fraudulent EBT(s) covered under paragraph 33N above, shall be compensated 85 per cent of the net loss amount (calculated after reducing recoveries made, whether before or after paying the compensation, from the gross loss amount), or ₹25,000, whichever is less, once during her / his lifetime, subject to the following:

a. loss is established to be bona fide, as per the internal processes covered in the PB’s policy, and

b. the victim has reported the fraudulent EBT(s) on the National Cyber Crime Reporting Portal or National Cyber Crime Helpline (1930) and to the bank within five calendar days from its occurrence.

Explanation: In case of joint account(s), only one of the account holders may submit a claim for compensation. The customer availing compensation as a joint account holder shall not be eligible for claiming compensation in her / his capacity as a single account holder in future and vice versa.

(2) (a) For a complaint related to fraudulent EBT(s) involving a loss amount of less than ₹29,412, where a compensation of 85 per cent is paid, 65 per cent shall be borne by the Reserve Bank, 10 per cent by the customer’s bank and the remaining 10 per cent by the beneficiary bank in case of a complaint arising out of domestic fraudulent EBT(s), whereas in case of a complaint arising out of cross-border fraudulent EBT(s), 65 per cent shall be borne by the Reserve Bank and the remaining 20 per cent by the customer’s bank.

(b) For a complaint related to fraudulent EBT(s) involving a loss amount of ₹29,412 or more but up to ₹50,000, where a compensation of ₹25,000 is paid, the Reserve Bank, the customer’s bank and the beneficiary bank shall contribute ₹19,118, ₹2,941 and ₹2,941 respectively towards the compensation in case of a complaint arising out of domestic fraudulent EBT(s), whereas in case of a complaint arising out of cross-border fraudulent EBT(s), the Reserve Bank and the customer’s bank shall contribute ₹19,118 and ₹5,882 respectively towards the compensation.

Explanation: Beneficiary bank refers to the bank holding the account where the fraudulently debited amount is first credited. In cases where there is more than one beneficiary bank, the applicable compensation to be borne by each bank shall be in the proportion of the amount credited to their respective account(s).

(3) In case any recovery is made in relation with a complaint involving fraudulent EBT(s) after the compensation is paid, the customer’s bank shall recalculate the compensation payable on the net loss amount and accordingly make additional payment from the recovered amount after factoring in the excess amount of compensation, if any, paid before the recovery.

Illustration 1: Amount reported lost under the complaint arising out of domestic fraudulent EBT(s) — Rs. 40,000

Recovery made & credited to customer before compensating – ₹15,000

Net loss faced by the customer – Rs. 25,000

Compensation to be paid to the customer (85% of net loss) – ₹21,250

Contribution of Reserve Bank – Rs. 16,250

Contribution of customer’s bank and beneficiary bank – Rs. 2,500 each

Illustration 2: Amount reported lost under the complaint arising out of domestic fraudulent EBT(s) — Rs. 40,000

Compensation paid to the customer — Rs. 25,000

Contribution of Reserve Bank – Rs. 19,118

Contribution of customer’s bank and beneficiary bank – Rs. 2,941 each

Recovery made – Rs. 40,000

Apportionment of recovery shall be as under:

To customer — Rs. 15,000

To Reserve Bank – Rs. 19,118

To customer’s bank and beneficiary bank — Rs. 2,941 each

Illustration 3: Amount reported lost under the complaint arising out of domestic fraudulent EBT(s) — Rs. 40,000

Compensation paid to the customer – Rs. 25,000

Contribution of Reserve Bank – Rs. 19,118

Contribution of customer’s bank and beneficiary bank – Rs. 2,941 each

Recovery made after compensation is paid – Rs. 15,000

Net loss – Rs. 25,000

Compensation payable — Rs. 21,250

Additional amount payable – Rs. 15,000 + Rs. 21,250 – Rs. 25,000 = Rs. 11,250

Apportionment of recovery shall be as under:

To customer — Rs. 11,250

To Reserve Bank – Rs. 19,118 – Rs. 16,250 = Rs. 2,868

To customer’s bank and beneficiary bank – Rs. 2,941 – Rs. 2,500 = Rs. 441 each

(4) Based on its examination carried out in accordance with paragraph 33Q, where the customer’s bank is satisfied that the complaint is bona fide, it shall provide the customer an application form as per the format provided at Annex 1(1) to claim compensation for the loss suffered by her / him.

(5) The customer’s bank shall, within five calendar days of receipt of the application from a customer, compensate the customer as given above.

(6) The customer’s bank shall seek reimbursement of the amount receivable from the Reserve Bank and the beneficiary bank(s) on a quarterly basis by submitting an application to the Reserve Bank as per the format provided at Annex 1(2). The application for reimbursement, duly signed by a Senior Executive identified by the Top Management of the PB, shall be submitted through email to dea.fund@rbi.org.in within 30 calendar days from the end of the respective quarter. The Reserve Bank shall settle the claims from banks on a net basis i.e., the reimbursable amount to a bank shall be determined by deducting the amount owed by the bank (as beneficiary bank) to other banks from the amount claimed by it for reimbursement.

(7) The claims made by a PB to the Reserve Bank shall be subjected to internal audit / inspection, as per the bank’s internal guidelines.

33U. The compensation shall be payable for losses incurred on fraudulent EBTs occurring up to one year from the effective date of these Directions. A PB shall retain the records, related to the compensation paid and amount claimed by it for reimbursement under the mechanism for audit, supervision and review purposes, for two years from the date of closure of the compensation mechanism.

CA.6 Monitoring mechanism

33V. A PB shall put in place a suitable mechanism and structure for periodic reporting of complaints involving fraudulent EBTs to the Board or one of its Committees identified for the purpose. The reporting shall, inter alia, include volume / number of cases and the aggregate value involved and distribution across various categories of cases, viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Board or its Committee shall periodically review the fraudulent EBTs reported by customers, the action taken thereon, functioning of the grievance redressal and compensation mechanism, etc., and take appropriate measures to improve the systems and procedures.”.

(8) In Chapter III on ‘Customer Guidance and Protection’, paragraph 42 shall be substituted by the following, namely:

“A PB shall not levy any charges on its customers for SMS sent in compliance to extant regulations or those sent for promotional / marketing / customer awareness purposes. In case of SMS sent for other purposes, the PB may levy or waive charges as per its internal policy”.

(9) In Annexures, the following Annexures shall be inserted after Annex I, namely:

“Annex 1(1) – Application Form for Compensation for Small Value Fraudulent Electronic Banking Transactions

The Branch Manager,

Date:_______________

_____________________ Bank

_____________________ Branch

Madam/ Dear Sir,

Application for Compensation for Small Value Fraudulent Electronic Banking Transactions

Please refer to my complaint lodged with National Cyber Crime Reporting Portal (https://cybercrime.gov.in/Default.aspx) / National Cyber Crime Helpline (1930) with reference / complaint no._________________ (copy enclosed) regarding the fraudulent electronic banking transaction(s) in my bank account no.

2. I understand that compensation for small value fraudulent electronic banking transactions is available to an individual only once and declare that I have not previously availed such a compensation from any bank.

3. As per the advice dated____________ received from the bank, an amount of ₹________ (Rupees______________ only) may please be credited to my aforesaid bank account.

4. I understand that in case of my claim being established as ‘false’ or ‘repeated claims’ in future, I will be liable to refund the compensation received.

5. I authorise the bank to debit the additional amount received by me over and above the amount lost in the fraudulent electronic banking transaction(s) if any subsequent recovery is credited to my account.

Signature of the applicant:

Name of applicant:________________

Unique Customer Identification Code:______________

Address: _________________

Contact No.:________________

Email Address:______________

FOR OFFICE USE

(may be modified by the PB as per its own requirement)

Annex 1(2) – Compensation for Small Value Fraudulent Electronic Banking Transactions – Claim Form for Banks

Name of the Bank:

DEA Fund Code:

Claim for the Quarter Ended: Mar’ 27/ Jun’ 27/ Sep’ 27/ Dec’ 27 (Put ✓)

Bank’s Current Account No. Maintained with RBI / Sponsor Bank:

IFSC:

I. Details of compensation paid by the bank to customers during the quarter:

| Category of cases (A) | No. of customers compensated (B) | Total amount involved in the complaints (in ₹) (C) | Amount of compensation paid (in ₹) (D) | Amount receivable from RBI (in ₹) (E = 76.48% of (D)) | Amount receivable from beneficiary banks (in ₹) (F = 11.76% of (D)) | Details of amount receivable from beneficiary banks at (F) – Bank-wise (Name of Bank / DEA Fund Code¹ / Amount Receivable (in ₹)) |
|---|---|---|---|---|---|---|
| Domestic Fraudulent EBTs | | | | | | |
| Cross-Border Fraudulent EBTs | | | | | | Not Applicable |
| Total | | | | | | |

(G) Total amount receivable by the bank ((E)+(F)) (in ₹) =

II. Details of recovery received by the bank during the quarter after compensation was paid to the customer:

| Category of cases (H) | No. of cases where recovery was received by the bank (I) | Total amount recovered (in ₹) (J) | Net recovered amount available with the bank after paying the customer (in ₹) (K) | Recovered amount refundable to RBI (in ₹) (L = 76.48% of (K)) | Recovered amount refundable to beneficiary banks (in ₹) (M = 11.76% of (K)) | Details of amount refundable to beneficiary banks at (M) – Bank-wise (Name of Bank / DEA Fund Code / Amount Refundable (in ₹)) |
|---|---|---|---|---|---|---|
| Domestic Fraudulent EBTs | | | | | | |
| Cross-Border Fraudulent EBTs | | | | | | Not Applicable |
| Total | | | | | | |

(N) Total amount to be refunded by the bank ((L)+(M)) (in ₹) =

The claim for reimbursement for the quarter ended ___________________ , 2027 is Rs.______ (Rupees __________________only) ((G) – (N)).

i. I certify that the above details have been subjected to internal audit/inspection as per the bank’s internal guidelines and are verified and found to be correct.

ii. I confirm that no duplication of claims has been made in the submission.

(Signature) (To be signed and stamped by the Identified Executive)

(Name & Designation)
Date:
Seal:

(Veena Srivastava)
Chief General Manager

Note:

1 Please refer to The Depositor Education and Awareness Fund Scheme, 2014 for DEA Fund Code.
