With the rapid growth of digital payments, cases of unauthorised transactions through internet banking, UPI, and card payments have also increased. Many users are often unsure about their rights, liability, and whether they can recover their money in case of fraud.
To address these concerns and strengthen customer protection, the Reserve Bank of India (RBI) has issued clear guidelines defining customer liability, reporting timelines, and refund rules in case of unauthorised electronic banking transactions.
These guidelines are based on RBI’s 2017 circular on customer protection in unauthorised electronic banking transactions.
Before understanding these rules, it is important to first know what qualifies as an unauthorised transaction and the types of transactions covered under these guidelines.
Table of Contents
What is an Unauthorised Transaction?
An unauthorised transaction refers to any payment made from your bank account without your knowledge, consent, or approval.
These may occur through:
- UPI frauds
- Debit/Credit card misuse
- Internet banking breaches
- Phishing or fake links
Types of Transactions Covered
RBI classifies electronic transactions into:
Remote / Online Transactions
(Internet banking, mobile banking, UPI, card-not-present transactions)
Face-to-Face Transactions
(ATM withdrawals, POS machine payments)
These guidelines apply to both categories.
Common Types of Digital Fraud
Some common fraud scenarios include:
- Phishing Attacks – Fake emails/SMS asking for banking details
- OTP Fraud – Scammers trick users into sharing OTPs
- SIM Swap Fraud – Duplicate SIM used to access accounts
- Fake Apps/Links – Malicious apps that steal credentials
Key RBI Guidelines for Customer Protection
RBI mandates banks to:
- Implement robust fraud detection systems
- Send mandatory SMS alerts for transactions
- Provide 24×7 reporting channels (call, SMS, email, website)
- Enable instant complaint registration
- Educate customers about fraud prevention
These guidelines continue to remain applicable, with the Reserve Bank of India and banks further strengthening fraud prevention systems and customer protection measures over time.
Customer Liability in Unauthorised Transactions
Customer liability in unauthorised electronic transactions depends on two key factors:
- Who is responsible for the fraud
- How quickly the transaction is reported to the bank
1. Zero Liability of Customer
You will have zero liability in the following cases:
- If the fraud occurs due to bank negligence, deficiency, or system failure
- If it is a third-party breach (neither bank nor customer at fault) and you report it within 3 working days
In these cases, you bear no financial loss
2. Full Liability of Customer
You will bear the entire loss if:
The fraud occurs due to your negligence, such as:
- Sharing OTP, PIN, or passwords
- Falling for phishing or scam calls
In such cases
- You bear the loss until you report the fraud
- Any loss after reporting will be borne by the bank
3. Limited Liability (Third-Party Breach Cases Only)
This applies only when the deficiency lies neither with the bank nor with the customer.
If you delay reporting:
- Reported within 4 to 7 working days → Liability is limited
- Reported after 7 working days → Liability as per bank’s policy
👉 In the 4–7 day case, your liability will be:
Lower of:
- Transaction amount, OR
- RBI-prescribed cap
📊 Maximum Liability Limits (4–7 Days Delay)
| Account Type | Maximum Liability |
| Basic Savings Account (BSBDA) | ₹5,000 |
| Savings / PPI / MSME Accounts | ₹10,000 |
| Current / CC / OD Accounts | ₹25,000 |
| Credit Cards (limit ≤ ₹5 lakh) | ₹10,000 |
| Credit Cards (limit > ₹5 lakh) | ₹25,000 |
⚠️ Important Note
- The 3-day / 7-day rule applies only in third-party breach cases
- In cases of customer negligence, full liability applies until reporting
- The bank must prove customer negligence in all cases
Burden of Proof
As per RBI guidelines:
The responsibility to prove customer liability lies with the bank.
This means the bank must establish whether the fraud occurred due to customer negligence.
How to Report an Unauthorised Transaction
If you notice a fraudulent transaction, act immediately:
- Inform your bank via customer care, app, or branch
- Block your card or freeze your account
- Register a complaint and note the reference number
- File a complaint on RBI CMS portal (if required)
👉 Faster reporting = lower liability
Timeline for Refund (As per RBI)
- Within 10 working days: Bank must credit the disputed amount (shadow reversal)
- Value Date Rule: Credit must be applied from the date of the unauthorised transaction
- Within 90 days: Complaint must be fully resolved
During this period:
- No interest or penalty should be charged
- Customer should not suffer financial loss
Bank Policy & Customer Awareness
Banks are required to:
- Have a Board-approved policy on customer liability
- Share this policy at the time of account opening
- Display it publicly on their website
- Inform customers about risks and responsibilities
Tips to Stay Safe from Digital Fraud
- Never share OTP, PIN, or passwords
- Avoid clicking on unknown links
- Use only trusted apps and websites
- Enable SMS/email alerts
- Regularly monitor bank statements
Key Takeaways
- Report fraud within 3 days → Zero liability
- Delay of 4–7 days → Limited liability (capped)
- Beyond 7 days → As per bank policy
- Bank must credit amount within 10 days
- Bank bears burden of proof
- Quick action is the best protection
Conclusion
Digital payments offer convenience but also come with risks. RBI has established a clear framework to protect customers from unauthorised transactions. However, timely reporting and responsible usage are critical.
Being aware of your rights, understanding liability rules, and acting quickly can help you recover your money and avoid financial losses.
Staying vigilant and reporting fraud immediately is the most effective way to minimise financial loss.
