Bank customers in India are facing many cyber problems while dealing with their respective banks. These include inadequate cyber security, illegal fund transfers due to phishing and cyber crimes, unreasonable delay in settlement of customers’ dues, etc. The problem regarding cyber security is the worst. Realising the gravity of the situation, the Reserve Bank of India (RBI) finally prescribed the cyber security framework for banks in India, but it has failed to inspire the banks in India so far. Although the RBI has given the Indian banks a deadline of September 30, 2016 to implement a techno legal cyber security policy, there are no signs that banks in India have actually started even considering this cyber security policy. This is just like the other policies that RBI has prescribed from time to time with no actual and practical implementation by the banks.
We at Perry4Law Organisation (P4LO) believe that this is not the fault of the banks in India, as it is the RBI and the Indian government that have failed to enforce these policies against Indian banks. When even basic cyber security breach disclosure norms are missing in India, banks have no incentive or motivation to either ensure cyber security or report any possible cyber breach. It is high time for the RBI and the Indian government to ensure that banks in India comply with techno legal cyber law due diligence (pdf) and cyber security compliances as per the prescribed standards and rules. This is very much required for the successful implementation of the Digital India project that the current government is pushing very hard.
RBI has now released the draft circular titled Customer Protection–Limiting Liability of Customers in Unauthorised Electronic Banking Transactions for public comments. These comments can be sent to RBI on or before August 31, 2016 through post or e-mail. The draft circular has focused on reversal of erroneous debits made to customers’ accounts arising from fraudulent and other transactions. The paper has reiterated the increased thrust on financial inclusion and customer protection as the two crucial pillars of financial stability. The paper has also taken into account the tremendous increase in customer grievances relating to unauthorised transactions resulting in erroneous debits to their accounts/cards while reviewing the criteria for determining the customer liability in these circumstances.
RBI has proposed the following revised directions in this regard:
(1) Strengthening of systems and procedures: Broadly, the electronic banking transactions can be divided into two categories: (i) Remote/ Online payment transactions (transactions that do not require physical payment instruments to be present at the point of transactions e.g. internet banking, mobile banking, card not present (CNP) transactions) and (ii) Face-to-face/ proximity payment transactions (transactions which require the physical payment instrument such as a card or mobile phone to be present at the point of transaction e.g. ATM, POS, etc.). The systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place:
(a) Appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers;
(b) Robust and dynamic fraud detection and prevention mechanism;
(c) Mechanism to assess the risks (for example, gaps in the banks’ existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events; and
(d) Appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom.
(2) Reporting of unauthorised transactions by customers to banks: Banks must ask their customers to mandatorily register for alerts for electronic banking transactions. The alerts shall be sent to the customers through different channels (email or SMS) offered by the banks. The customers must be advised to notify the bank concerned of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction. The longer the time taken to notify the bank, the higher will be the risk of loss to the bank/customer. To facilitate this, banks must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting fraudulent transactions that have taken place and/or loss or theft of payment instrument such as card, etc. The loss/fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them. This shall be important in determining the extent of the customer’s liability.
(3) Liability of a Customer: The liability of the customer shall be as following:
(i) Zero Liability of a Customer: A customer’s entitlement to zero liability shall arise where the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer in the following events:
(a) Fraud/ negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)
(b) Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorised transaction.
(ii) Limited Liability of a Customer: A customer shall be liable for the loss occurring due to fraudulent transactions in the following cases:
(a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
(b) In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction, the customer liability shall be limited to the transaction value or ₹ 5000/-, whichever is lower. Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per bank’s Board approved policy. Banks shall provide the details of the bank’s policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.
(iii) Overall liability of the customer in third party breaches, as detailed above, where the fault lies neither with the bank nor the customer but lies elsewhere in the system and the customer has notified as per the prescribed time framework and manner, is summarised as follows:
(a) Within 3 working days: Zero liability,
(b) Within 4-7 working days of receiving the communication: The transaction value or ₹ 5000/-, whichever is lower,
(c) Beyond 7 working days of receiving the communication: As per bank’s Board approved policy.
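The liability rules in (3) above, expressed as decision logic that a bank's dispute-handling system could apply. This is an added illustration, not code from the RBI circular or from P4LO; it assumes the ₹5000 cap applies per disputed debit and that the reporting delay is supplied in working days already counted from the bank's alert (the "Board-approved policy" outcome is returned as None because the page does not define it).

```python
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal
from enum import Enum
from typing import Optional

class Fault(Enum):
    BANK = "bank fraud/negligence"        # (3)(i)(a): zero liability regardless of reporting
    THIRD_PARTY = "third-party breach"    # (3)(i)(b) and (3)(ii)(b): depends on reporting delay
    CUSTOMER = "customer negligence"      # (3)(ii)(a): customer bears loss until reported

LIMITED_LIABILITY_CAP = Decimal(5000)    # rupees, per (3)(ii)(b)

@dataclass(frozen=True)
class Debit:
    amount: Decimal
    posted_at: datetime   # when the unauthorised debit hit the account

def third_party_liability(amount, delay_working_days: int) -> Optional[Decimal]:
    """Customer share for one disputed debit in a third-party breach. The delay is the
    number of working days between the bank's alert and the customer's report.
    None means 'as per the bank's Board-approved policy' (beyond 7 working days)."""
    amount = Decimal(amount)
    if delay_working_days < 0 or amount < 0:
        raise ValueError("delay and amount must be non-negative")
    if delay_working_days <= 3:
        return Decimal(0)
    if delay_working_days <= 7:
        return min(amount, LIMITED_LIABILITY_CAP)   # assumption: cap applied per debit
    return None

def customer_share(fault: Fault, debits, reported_at: datetime, delay_working_days: int):
    """Total amount the customer bears across the disputed debits (None = Board policy)."""
    if fault is Fault.BANK:
        return Decimal(0)
    if fault is Fault.CUSTOMER:
        # Everything posted before the report is the customer's; later debits are the bank's.
        return sum((d.amount for d in debits if d.posted_at < reported_at), Decimal(0))
    shares = [third_party_liability(d.amount, delay_working_days) for d in debits]
    return None if None in shares else sum(shares, Decimal(0))

def sample_case():
    """Constructed example: three debits, the customer reports after the first two."""
    t = datetime(2016, 8, 1, 10, 0)
    debits = [Debit(Decimal(3000), t), Debit(Decimal(9000), t.replace(hour=11)),
              Debit(Decimal(2000), t.replace(hour=15))]
    reported = t.replace(hour=12)
    return {"bank_fault": customer_share(Fault.BANK, debits, reported, 0),
            "negligence": customer_share(Fault.CUSTOMER, debits, reported, 0),
            "third_party_day2": customer_share(Fault.THIRD_PARTY, debits, reported, 2),
            "third_party_day5": customer_share(Fault.THIRD_PARTY, debits, reported, 5),
            "third_party_day9": customer_share(Fault.THIRD_PARTY, debits, reported, 9)}
```

In the sample, negligence leaves the customer with the ₹12,000 posted before the 12:00 report, while the same debits in a third-party breach reported on day 5 cost the customer ₹10,000 once the ₹5000 cap trims the ₹9000 debit.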
(4) Reversal Timeline for Zero Liability/ Limited Liability: On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer. Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.
Further, banks shall ensure that:
(i) A complaint is resolved within 90 days from the date of reporting; and
(ii) In case of debit card/bank account the customer does not lose out on interest, and in case of credit card the customer does not bear any additional burden of interest.
(5) Board approved Policy for Customer Protection Policy: Taking into account the risks arising out of unauthorised debits to customer accounts owing to customer negligence/ banking system frauds/ third party breaches, banks need to clearly define the rights and obligations of customers in case of unauthorised transactions in specified scenarios. Banks shall formulate/ revise their customer relations policy, with approval of their Board, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions and customer liability in such cases of unauthorised electronic banking transactions. The policy must be transparent, non-discriminatory and should stipulate the mechanism of compensating the customers for the unauthorised electronic banking transactions and also prescribe the timelines for effecting such compensation, based on the circumstances of each case. The policy shall be displayed on the bank’s website along with the details of grievance handling/ escalation procedure. The instructions contained in this circular shall be incorporated in the policy.
(6) Burden of Proof: The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank. The bank’s above policy shall also specify the maximum time period for establishing customer liability after which the bank shall compensate the customer.
(7) Reporting and Monitoring Requirements: The banks shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or its Committee. The reporting shall, inter alia, include volume/number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Standing Committee on Customer Service in each bank shall review, on a monthly basis, the unauthorised electronic banking transactions reported by customers or otherwise, as also the action taken thereupon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures.
Perry4Law Organisation (P4LO) strongly recommends that banks in India must now pay more attention to techno legal compliance requirements as the regulatory regime in India is fast changing.