December 14, 2017
The Chief Executive Officer
Madam / Dear Sir,
Customer Protection – Limiting Liability of Customers of Co-operative Banks in Unauthorised Electronic Banking Transactions
Please refer to our circular UBD.BSD.I/PCB/No.45/12.05.00/2001-02 dated May 30, 2002 and para 13 of circular RPCD.CO.RCB.BC.No.36/07.51.010/2014-15 dated October 22, 2014 regarding reversal of erroneous debits arising from fraudulent or other transactions.
2. With the increased thrust on IT enabled financial inclusion and related customer protection issues, and considering the recent surge in customer grievances relating to unauthorised transactions resulting in debits to their accounts/cards, the criteria for determining the customer liability in these circumstances have been reviewed. The revised directions in this regard are set out below.
Strengthening of systems and procedures
3. Broadly, the electronic banking transactions can be divided into two categories:
4. The systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place:
Reporting of unauthorised transactions by customers to banks
5. Banks must ask their customers to mandatorily register for SMS alerts and, wherever available, register for e-mail alerts, for electronic banking transactions. The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered. The customers must be advised to notify their bank of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction, and informed that the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/customer. To facilitate this, banks providing e-banking services must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting unauthorised transactions that have taken place and/or loss or theft of payment instrument such as card, etc. Banks shall also enable customers to instantly respond by "Reply" to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any. Further, a direct link for lodging the complaints, with specific option to report unauthorised electronic transactions shall be provided by banks on home page of their website. The loss/fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them. This shall be important in determining the extent of a customer’s liability. The banks may not offer facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the bank. 
On receipt of report of an unauthorised transaction from the customer, banks must take immediate steps to prevent further unauthorized transactions in the account.
Limited Liability of a Customer
(a) Zero Liability of a Customer
6. A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:
(b) Limited Liability of a Customer
7. A customer shall be liable for the loss occurring due to unauthorised transactions in the following cases:
Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board approved policy. Banks shall provide the details of their policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.
8. Overall liability of the customer in third party breaches, as detailed in paragraph 6 (ii) and paragraph 7 (ii) above, where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, is summarised in Table 2:
The number of working days mentioned in Table 2 shall be counted as per the working schedule of the home branch of the customer excluding the date of receiving the communication.
Reversal Timeline for Zero Liability/Limited Liability of customer
9. On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). The credit shall be value dated to be as of the date of the unauthorised transaction. Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.
10. Further, banks shall ensure that:
Board Approved Policy for Customer Protection
11. Banks shall formulate / revise their customer relations policy with approval of their Boards, which should clearly define the rights and obligations of customers in case of unauthorized transactions in specified scenarios i.e. debits to customer accounts owing to customer negligence / bank negligence / banking system frauds / third party breaches etc. The policy should also include mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions, and customer liability in case of unauthorized electronic banking transactions, procedure for reporting unauthorized electronic banking transactions and acknowledgement of complaints. It should also provide for a robust grievance redressal structure as per extant instructions, escalation matrix, clear timelines for resolution of customer complaints, and compensation keeping in view the instructions contained in paragraph 10 above. The instructions contained in this circular shall be incorporated in the policy, and the policy should be prominently displayed at branches.
Burden of Proof
12. The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.
Reporting and Monitoring Requirements
13. The banks shall put in place a suitable mechanism and structure for the reporting of cases of unauthorized electronic banking transactions to the Board or one of its Committees. The reporting shall, inter alia, include volume/number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Board in each bank shall periodically review the unauthorised electronic banking transactions reported by customers or otherwise, as also the action taken thereon, the functioning of the grievance redressal mechanism and take appropriate measures to improve the systems and procedures. All such transactions shall be reviewed by the bank’s internal auditors.
14. The instructions contained in this circular supersede some of the instructions contained in our circular DCBR.CO.BPD.(SCB).No.1/13.05.000/2014-15 dated April 30, 2015 on Issue of Credit Cards by Scheduled Urban Co-operative Banks, circular UBD(PCB)Cir.No.6/09.18.300/2007-08 dated July 13, 2007 on Guidelines for issue of ATM-cum-Debit cards by UCBs, circular DCBR.BPD.(PCB/RCB)Cir.No.6/19.51.026/ 2015-16 dated November 05, 2015 on Internet Banking Facility for Customers of Co-operative Banks, as detailed in Annex.
Instructions in circulars on Credit cards, ATM-cum-debit cards and other electronic banking products which stand revised in respect of Co-operative Banks:
Source: RBI Notification