On 23rd May, addressing a public meeting, SS Mundhra, deputy governor of the Reserve Bank of India (RBI), said that the increase in online transactions had led to a manifold surge in customer complaints. These relate to electronic transactions, unauthorised fund transfers, fraudulent ATM withdrawals using duplicate cards, phishing, vishing, etc. He told banks that the problem is so widespread that they cannot wash their hands of it by saying that customers failed to exercise the necessary safeguards or compromised their password. Banks were also told that it was incumbent on them to educate customers and put in place a robust fraud prevention mechanism.
In the same hard-hitting speech, Mr Mundhra said that RBI was examining whether to issue regulatory directions to limit customer liability in fraudulent transactions arising out of electronic banking or credit/debit card transactions. Three months later, RBI has issued ‘draft regulations’ seeking public feedback by 31st August. This is interesting for two reasons. The last time RBI had issued a notification to protect customers was in April 2002. It was titled ‘Reversal of Erroneous Debits Arising on Fraudulent or Other Transactions’ but did not mention electronic fraud. Instead, it referred to “unscrupulous persons opening accounts mainly to use them as conduit for fraudulently encashing payment instruments.” The notification merely asked banks to ‘compensate customers without demur’ when the customer is not at fault. If neither the bank nor the customer was at fault, it asked that the customer be compensated, only ‘(up to a limit)’.
RBI’s concern at the ‘surge’ in complaints indicates that banks were not applying the 2002 notification to electronic fraud cases. Worse, they were also ignoring a more explicit commitment made under the BCSBI (Banking Codes and Standards Board of India) fair practices code. The BCSBI code categorically states that a customer is not liable for losses once a fraudulent transaction, or lost card, stolen password or PIN is notified to the bank. It also limits customer liability to Rs10,000 for any loss that occurred before the bank was notified, except when the customer had contributed to the unauthorised transaction.
Since RBI provides no details about the number of fraudulent transactions being reported, we can only draw conclusions from the tenor of Mr Mundhra’s speech and his concern about the misuse of Jan Dhan accounts and the use of dormant accounts for ‘money muling’. The draft regulations issued in August are, indeed, a huge step forward; but one cannot help wondering at the need for a draft instead of a formal notification of rules. After all, RBI is lagging behind many countries when it comes to consumer protection.
The draft notification proposes that an innocent victim of electronic fraud will have zero liability and will not be given the run-around by banks. To ensure this, the burden of proving customer liability in unauthorised transactions is unambiguously cast on the bank. There is a clear time-frame in which the matter has to be dealt with and money re-credited to the customer’s account. It is 10 working days after the fraud is notified to the bank, if the customer is not at fault. The bank has 90 days in which to resolve the complaint. Banks are also asked to ensure no loss of interest in case of debit-card fraud and no unfair interest burden on the customer in case of a credit-card fraud.
Another positive provision is that banks must insist on mandatory registration for alerts through email or SMS and that banks must facilitate 24x7 access through multiple channels for reporting fraudulent transactions to minimise the time in which issues can be notified. Further, complaints must be acknowledged with a time-stamped communication and a complaint number.
Transaction alerts and texts from banks to registered phones and emails are unidirectional. Since a mobile phone is the most widely used device today, I believe that RBI must ensure that such alerts include a complaint/toll-free helpline number or link to the bank’s website where customers can instantly call, text, WhatsApp or email, to notify fraudulent transactions. After all, speedy notification is crucial to minimise losses.
Other key details of the policy are:
Zero liability if the fraud is not due to customer negligence and is reported to the bank within three working days.
A customer who falls for a fraud, phishing or entrapment call (fake lottery, escrow accounts, job schemes, insurance, or income-tax refund) will also bear the loss only until it is reported to the bank. Any transaction after such a report will be the bank’s liability.
If neither the bank nor the customer is responsible for the fraud but there is a 4-7-day delay in reporting the transaction, the customer liability will be limited to the transaction value, or Rs5,000, whichever is lower. In case of a reporting delay beyond seven days, the customer’s liability will be based on the bank's board-approved policy.
These customer protection rules are welcome and must be notified immediately with clarity on just a couple of issues. It is not clear whether the same rules will apply to transactions from electronic-wallets and mobile-based transactions that are being aggressively marketed to less financially savvy customers. The thrust on financial inclusion, especially via JAM (Jan Dhan accounts-Aadhaar-Mobile), demands a huge emphasis on financial literacy, especially in rural India. It is also unclear how these rules will apply to transactions conducted through banking correspondents, especially if they defraud newly-included customers by winning their trust. Let us also not forget the lack of any serious discussion on the repeated failure of Aadhaar-based authentication even for savvy, urban customers. We have no idea what is happening in rural India, which is apparently the primary target of the huge Aadhaar infrastructure.
Mr Mundhra, in his speech, had said that banks have some ‘alert and exception transaction reporting mechanism’ at present; but it is ‘mostly primitive and generally ineffective’. The draft notification aims to correct this by asking banks ‘to clearly define the rights and obligations of customers in case of unauthorised transactions in specified scenarios’. They must also formulate a board-approved customer protection policy and a mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions, customer liability and a compensation mechanism for unauthorised transactions with timelines for paying compensation based on the circumstances of each case. The last bit is strange, because the policy has already said that grievance resolution must happen in a maximum of 90 days when the customer is not at fault and there is no liability otherwise.
Banks will have to submit details of customer liability cases including volume, number of cases, aggregate value involved and distribution across product categories (Internet banking, mobile banking, ATM transactions, card transactions with card present/not present, etc) to their standing committee on customer services. The committee will then be responsible for reviewing complaints and grievance redress.
This may sound good in a notification, except that customer services committee meetings are largely perfunctory and not even held with any regularity. This means that a bunch of meaningless statistics will be pushed before the committee and ratified whenever the banks care to hold meetings. If RBI is serious about monitoring electronic fraud, it may be far better to create a centralised reporting system which will also help issue warnings to all customers when new types of scams or frauds are detected.
Interestingly, this long and detailed notification makes no mention of RBI’s much-touted consumer charter that each bank was supposed to frame by end-July 2016. These rules would surely fit into the detailed charter to be framed by each bank.
Mr Mundhra refused to respond to our query about the charter which appears to have been buried before it was born, during Dr Raghuram Rajan’s tenure itself.