The Reserve Bank of India (RBI) has issued new draft guidelines for customer protection in electronic banking transactions, including online and card-based payments. The proposed rules are part of the Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026.
The revised rules will apply to electronic banking transactions carried out by customers from July 1, 2026.
These are some of the salient features of the Draft Rules.
Compensation for small-value online frauds
The Draft Rules say an individual who has filed a complaint alleging a gross loss of up to Rs 50,000 due to fraudulent electronic banking transactions covered by paragraphs 76M and 76N will receive 85% of the net loss amount (calculated after deducting recoveries made from the gross loss amount, whether before or after paying the compensation), or Rs 25,000, whichever is less, once during his or her lifetime, subject to the following:a) the loss is proven to be genuine in accordance with the internal procedures outlined in the bank’s policy, and
b) the fraud must be reported within five days to both the bank and the National Cyber Crime Reporting Portal or Cyber Crime Helpline (1930).
Example: For a complaint related to fraudulent electronic banking transaction(s) involving a loss amount of less than Rs 29,412, where a compensation of 85% is paid, 65% shall be borne by the Reserve Bank of India, 10% by the customer’s bank and the remaining 10% by the beneficiary bank.
Zero liability in certain cases
A customer will be entitled to zero liability and reversal of the transaction in cases where the fraudulent electronic banking transaction occurs due to negligence/deficiency on the part of the bank (irrespective of whether the transaction is reported by the customer or not) and in cases of third-party breach where customer reports the unauthorised fraudulent electronic banking transaction to the bank within five calendar days from the date of its occurrence.Banks must send alerts and improve security
- A bank should ask its customer to mandatorily provide his / her mobile number and wherever available, email address, to the bank for availing the facility of electronic banking transactions (other than ATM cash withdrawals).
- Banks should send email alerts for all electronic banking transactions, wherever the email address is provided by the customer.
- SMS and email alerts as above shall be in addition to any other form of alerts, e.g., in-app / push notifications, etc., which the bank may send as per its internal policy.
- A bank shall mandatorily send instant SMS alerts to the customers for all electronic banking transactions of value more than Rs 500. For electronic banking transactions of value up to Rs 500, a bank may decide to send instant SMS as per its internal policy.
What actions are considered customer negligence in online banking transactions?
Negligence by a customer includes the following actions by the customer:
(i) providing credentials such as PIN, password, OTP or other details for carrying out transactions to another person, whether intentionally or otherwise; or
(ii) not notifying the bank immediately after finding out about a fraudulent electronic banking transaction, or the loss of a payment instrument; or
(iii) not paying attention to specific, directed and clear warnings from the bank that a prospective transaction is likely a scam; or
(iv) failing to exercise reasonable care in usage of credentials, e.g., writing down and storing the PIN with an ATM / credit card; or
(v) downloading malicious apps.
