By Shivanand Pandit
India’s digital payments landscape has grown rapidly over the past decade. With millions of people relying on mobile banking, UPI, and online payments every day, safeguarding customers has become increasingly important. In response to this development, the Reserve Bank of India has issued the draft Third Amendment Directions, 2026, as part of its Responsible Business Conduct framework.
These proposed measures aim to provide stronger protection for customers who may face fraud while using electronic banking services. The guidelines seek to enhance the safety of digital banking for users making transactions through UPI, internet banking, mobile banking, debit and credit cards, and ATM withdrawals. The RBI has indicated that the new rules will apply to transactions carried out from July 1, 2026. However, the directions will apply only to commercial banks and will not extend to small finance banks, payments banks, regional rural banks, or local area banks. The draft amendment updates the earlier guidelines that determine a customer’s responsibility when an unauthorised transaction occurs in their bank account. As per the draft issued on March 6, 2026, electronic banking transactions cover payments made through internet banking, mobile banking, debit or credit cards, and other digital channels that are classified as electronic fund transfers under the Payment and Settlement Systems Act, 2007.
Since the initial regulations were introduced, India’s digital payments landscape has expanded rapidly. Facilities like internet banking, mobile banking, and instant payment services have made transactions faster and easier for users. At the same time, this expansion has also brought a rise in cyber fraud, phishing attempts, and unauthorized electronic transactions. Following a review of the current guidelines, the Reserve Bank of India concluded that certain aspects needed to be updated. Consequently, the central bank has proposed revisions aimed at improving customer protection and ensuring that banks address complaints about fraudulent transactions more promptly.
Fraud in digital payments has been an ongoing issue. Data from the RBI’s Report on Trend and Progress of Banking in India shows that banks reported 13,469 fraud cases involving cards and internet transactions in 2024–25, compared with 27,663 cases in 2023–24. These figures include fraud cases where the amount involved was ₹1 lakh or more. This data shows that although digital payments are growing quickly in India, they also come with risks. As a result, the RBI is considering stricter rules to protect customers and ensure proper compensation for individuals who lose money due to online fraud.
Key Amendments
The central bank has proposed clearer guidelines to differentiate between authorised and fraudulent electronic banking transactions. Transactions performed by customers using recognised authentication methods such as OTP, PIN, passwords, or card credentials will generally be regarded as authorised. Payments executed through previously approved standing instructions or mandates registered with the bank are also treated as authorised transactions. However, the draft clarifies that certain situations may still be classified as fraudulent electronic transactions. For instance, a transaction carried out by a third party using customer credentials obtained through deceit would fall into this category. Similarly, a transaction approved by a customer due to coercion, intimidation, or manipulation by a fraudster may also be treated as fraudulent. Another example includes cases where customers are misled into transferring money to individuals falsely claiming to be legitimate recipients. The proposed amendments, therefore, recognise that even transactions that appear technically authorised may still qualify as fraudulent if they arise from deception, coercion, or misuse of customer credentials.
The RBI has clarified the circumstances under which banks and customers may be considered negligent in cases of fraudulent electronic transactions. Bank negligence may arise when a bank fails to maintain secure systems or does not follow required safeguards for digital transactions. It can also occur if the bank does not send timely transaction alerts or fails to provide proper channels for customers to report fraud or the loss of payment instruments. A bank may also be held responsible if it does not act promptly after a customer reports suspicious activity, or if unauthorised transactions occur due to system failures, security breaches, or internal misconduct. Customer negligence, on the other hand, refers to situations where individuals fail to protect their banking credentials. This may include sharing passwords, PINs, or OTPs with others, ignoring fraud warnings issued by banks, or not reporting suspicious transactions quickly. Customers may also be considered negligent if they store sensitive information carelessly, such as writing a PIN with the debit card, or installing malicious applications that compromise their accounts. The RBI draft directions also recognise that fraud can originate from outside the bank–customer relationship. In some cases, the problem may arise from other participants in the digital payment ecosystem. These include third-party application providers, payment gateways, payment aggregators, or telecom service providers. In such situations, neither the bank nor the customer may be directly responsible for the breach.
The central bank has asked customers to quickly report any fraudulent transactions. Anyone who has been affected should inform their bank right away and also file a complaint via the National Cyber Crime Reporting Portal or call the National Cyber Crime Helpline at 1930 as soon as they can. To help those affected by small frauds, the RBI has introduced a compensation plan. If someone suffers a real loss of up to ₹50,000 due to fraud, they might get compensation of 85% of their actual loss, or ₹25,000, whichever is smaller. This benefit is only available once in a person’s lifetime. To receive this compensation, the customer needs to report the fraud to both their bank and the cybercrime portal or helpline within five days of the incident. Usually, the RBI will cover most of the compensation, while the customer’s bank and the bank that received the payment will contribute smaller amounts. If any of the lost money is later recovered, the compensation amount will be adjusted based on that.
The RBI has invited public feedback on the draft guidelines until April 6, 2026. Once these guidelines are finalised, they will apply to all regulated banks concerning the Responsible Business Conduct Directions. Under the proposed framework, banks are required to develop a formal policy on customer protection for electronic banking transactions. This policy should clearly define the rights and responsibilities of customers in cases of fraudulent activity. Banks will also have to set specific timelines for resolving complaints and provide detailed information about their processes for handling grievances and escalating issues. In addition, these policies must be published on the banks’ websites, and banks should organise awareness programs to inform customers about new types of digital payment fraud and safe banking practices. The RBI has also instructed banks to enhance their internal systems for managing fraud. This includes using effective tools for detecting and preventing fraud, regularly assessing risks related to electronic transactions, and implementing measures that help reduce financial losses and liabilities. The systems and procedures must meet digital payment security standards and ensure customers feel secure during online transactions.
The draft guidelines introduce stricter rules on transaction alerts. Banks must collect customers’ mobile numbers when offering electronic banking services and, where feasible, also gather their email addresses. Instant SMS alerts must be sent for all transactions exceeding ₹500, and email notifications should be provided where possible. Banks may also use other forms of communication, such as in-app or push notifications. Customers must be given multiple options to report fraudulent transactions or the loss of payment instruments. These reporting channels must be available 24/7 and may include phone banking, SMS, email, interactive voice response systems, dedicated toll-free helplines, and reporting through the home branch. Banks must include a contact number in transaction alert messages to enable immediate reporting of objections. They must also provide a direct link on their website homepages for reporting fraud. Upon receiving a complaint, the bank must promptly register it, assign a complaint number and timestamp, and take immediate action to stop any further unauthorised transactions. Each complaint must be thoroughly investigated, and the bank must determine liability based on the facts. The bank must respond within the timelines outlined in its policy, and in any case, within 30 days. Importantly, in disputes involving fraudulent electronic transactions, the bank will be responsible for proving that the customer was negligent. The draft guidelines classify fraud situations into three main categories: bank negligence, customer negligence, and failures elsewhere in the digital payment system. Finally, banks must establish internal monitoring systems to track complaints related to fraudulent electronic banking transactions. They will also be required to periodically report the number and value of such cases to their Board of Directors or a designated committee. This body must review the handling of complaints, grievance redressal processes, and compensation mechanisms, and suggest ways to improve the bank’s systems and procedures.
Execution will prove its success
The draft framework outlines a structured approach to compensate victims of digital banking fraud, but its coverage remains limited. For example, the scheme applies only to smaller fraud incidents. Larger fraud cases, where customers lose significant amounts of money, are not covered under this framework. These cases will likely rely on bank investigations or recovery actions taken by law enforcement agencies. In addition, the eligibility criteria may limit the number of victims who can receive compensation. Customers must report fraudulent transactions to their bank and also to the National Cyber Crime Reporting Portal or helpline within five days of the incident. The framework also allows only a single compensation payment per customer. This means that if a person is a victim of fraud again in the future, they may not be eligible for another claim.
The proposed contribution mechanism might face practical challenges. According to the draft, the RBI, the customer’s bank, and the beneficiary bank will share the compensation costs. However, if fraudsters transfer stolen funds to crypto wallets or other non-bank payment channels, the receiving institution may not be a bank. In such situations, applying the cost-sharing mechanism could become complex. It is also important to note that the draft addresses only fraud within the banking system and does not cover crypto-related scams, which are outside the scope of the RBI’s regulatory framework.
Compensation alone cannot address the root causes of digital fraud. Many incidents occur due to low digital awareness and a lack of understanding of cyber risks. First-time users, elderly individuals, and small business owners are often more susceptible to scams such as fake payment links or impersonation calls. At the same time, poor coordination among banks, telecom companies, and law-enforcement agencies can delay the freezing of fraudulent accounts and the recovery of stolen funds. Therefore, the success of this framework will also depend on how effectively banks implement real-time fraud detection systems and improve their cybersecurity measures.
A coordinated effort from the entire ecosystem is necessary. Banks need to invest in systems that can quickly identify suspicious transactions. Measures such as real-time alerts, restrictions on high-risk transactions, and stronger authentication processes can help prevent fraud. Public awareness campaigns led by banks, regulators, and the National Cyber Crime Reporting Portal are also essential to educate people about common scam tactics. Ideally, the goal should be to prevent such frauds altogether. While prevention may take time, the RBI’s proposed framework can still play a key role in enhancing customer trust. The fact that the RBI, the customer’s bank, and the beneficiary bank are jointly contributing to compensation shows that the central bank is committed to addressing this issue. Allowing compensation for small-value frauds, even when there is some customer negligence, is a positive step. However, the real challenge will be in the effective implementation of the framework. Despite ongoing awareness campaigns, digital fraud cases continue to increase, and fraudsters are becoming more skilled in using social engineering tactics. Regulators are therefore trying to strike a balance between protecting customers and encouraging them to be cautious when using digital banking services.


