Executive Summary
Digital banking fraud has emerged as one of the most pressing challenges facing the Indian financial system, with losses from unauthorized electronic transactions reaching alarming levels. The Reserve Bank of India's landmark "Customer Protection - Limiting Liability of Customers in Unauthorised Electronic Banking Transactions" circular dated July 6, 2017 established a comprehensive framework for protecting customers from fraud while creating clear liability allocation mechanisms. This guide provides an in-depth analysis of the zero liability framework, reporting requirements, bank obligations, and judicial interpretations shaping customer protection in digital banking.
Key Statistics at a Glance
| Metric | Value |
|------|------|
| UPI Frauds Reported (FY 2024-25) | 26.3 lakh cases |
| Total Digital Fraud Amount (FY 2024-25) | Rs. 22,812 crores |
| Zero Liability Cases Eligible | ~65% of reported frauds |
| Mandatory Reporting Window | 3 working days |
| Bank Credit-Back Deadline | 10 working days |
| RBI Circular Implementation | July 6, 2017 |
| Updated Circular | January 4, 2019 (PPIs) |
Table of Contents
- Understanding Unauthorized Electronic Transactions
- RBI 2017 Circular: Comprehensive Framework
- Liability Allocation Matrix
- Zero Liability Conditions
- Reporting Mechanism and Timelines
- Bank Obligations and Compliance
- Judicial Precedents and Case Law
- Prevention, Detection and Remedies
1. Understanding Unauthorized Electronic Transactions
1.1 Types of Digital Banking Fraud
| Fraud Type | Modus Operandi | Prevalence |
|------|------|------|
| Phishing | Fake emails/websites to capture credentials | 35% |
| Vishing | Voice calls impersonating bank officials | 28% |
| Smishing | SMS links leading to malicious sites | 15% |
| SIM Swap | Fraudulent SIM replacement | 8% |
| Card Cloning | Skimming device captures card data | 6% |
| Malware | Software capturing banking credentials | 5% |
| Social Engineering | Manipulation to share OTP/credentials | 3% |
1.2 Channels Affected
| Channel | Transaction Type | Risk Level |
|------|------|------|
| UPI | P2P, P2M transfers | Very High |
| Internet Banking | Fund transfers, bill payments | High |
| Mobile Banking | App-based transactions | High |
| Debit/Credit Cards | POS, ATM, online | Medium-High |
| RTGS/NEFT | Bulk transfers | Medium |
| IMPS | Immediate payment | High |
| Wallets (PPIs) | Mobile wallets | High |
1.3 Fraud Pattern Analysis
Time-Based Patterns:
| Time Window | Fraud Frequency | Reason |
|------|------|------|
| 9 PM - 11 PM | 32% | Post-work, relaxed vigilance |
| 11 AM - 2 PM | 24% | Work hours, distracted attention |
| Weekend evenings | 18% | Social activities, rushed decisions |
| Month-end (25-31) | 15% | Salary credits, active accounts |
| Festival seasons | 11% | Increased transactions |
1.4 Transaction Categories
RBI Classification:
| Category | Description | Example |
|------|------|------|
| Customer Authenticated | OTP/PIN used | Genuine or duped |
| Third-Party Breach | Bank/merchant system hack | Database leak |
| Employee Fraud | Bank insider involvement | Account manipulation |
| Technical Failure | System glitch | Duplicate debit |
| Card-Not-Present | Online card transaction | E-commerce fraud |
2. RBI 2017 Circular: Comprehensive Framework
2.1 Regulatory Foundation
Key Circulars:
| Circular Reference | Date | Scope |
|------|------|------|
| RBI/2017-18/15 DBR.No.Leg.BC.78 | July 6, 2017 | Banks |
| RBI/2018-19/101 DPSS.CO.PD No.629 | January 4, 2019 | PPIs |
| Master Direction on Digital Payment Security | August 2021 | Comprehensive |
| Ombudsman Scheme for Digital Transactions | January 2019 | Dispute Resolution |
2.2 Covered Entities
| Entity Type | Coverage | Responsible Body |
|------|------|------|
| Commercial Banks | Full | Bank |
| Cooperative Banks | Full | Bank |
| Payment Banks | Full | Bank |
| Small Finance Banks | Full | Bank |
| PPI Issuers | Full (2019) | Issuer |
| Payment Aggregators | Indirect | Bank/PA |
| Third-Party Apps (TPAP) | Indirect | Participating Bank |
2.3 Transaction Coverage
Covered Transactions:
| Transaction Type | Covered | Condition |
|------|------|------|
| Internet Banking | Yes | All channels |
| Mobile Banking | Yes | All apps |
| UPI | Yes | All TPAPs |
| Debit Cards | Yes | Domestic and international |
| Credit Cards | Partial | Bank-specific policies |
| PPIs | Yes | Post-January 2019 |
| RTGS/NEFT | Yes | Electronic initiation |
2.4 Objectives of the Framework
- Define Zero Liability - When customer bears no loss
- Establish Reporting Timelines - Mandatory notification windows
- Create Reversal Obligations - Bank credit-back duties
- Specify Exceptions - When liability shifts to customer
- Mandate Security Measures - Bank compliance requirements
- Provide Grievance Mechanism - Dispute resolution process
3. Liability Allocation Matrix
3.1 Three-Tier Liability Framework
Tier 1: Zero Liability (Customer Not Responsible)
| Scenario | Liability | Condition |
|------|------|------|
| Third-party breach | Bank | No customer negligence |
| Bank system failure | Bank | Technical glitch |
| Employee fraud | Bank | Insider involvement |
| Before reporting | Bank | If reported within 3 days |
Tier 2: Limited Liability (Shared Responsibility)
| Scenario | Customer Liability | Bank Liability |
|------|------|------|
| Delayed reporting (4-7 days) | Up to Rs. 25,000 | Balance amount |
| Negligence + delay | As per policy | Remainder |
| Post-notification transactions | Nil | Full |
Tier 3: Full Liability (Customer Responsible)
| Scenario | Customer Liability | Reason |
|------|------|------|
| Shared OTP/PIN voluntarily | Full | Contributory negligence |
| Ignored security alerts | Full | Negligence |
| Reported after 7 days | Full | Non-compliance |
| Fraudulent claim | Full + penalties | Bad faith |
3.2 Detailed Liability Matrix
| Reporting Delay | Third-Party Breach | Customer Negligence |
|------|------|------|
| Within 3 days | Zero liability | Limited liability |
| 4-7 days | Max Rs. 25,000 | Policy-based |
| After 7 days | Board policy | Full liability |
| Never reported | No claim | Full liability |
3.3 Special Categories
Senior Citizens and Vulnerable Customers:
| Category | Special Protection |
|------|------|
| Age 60+ | Extended reporting window (additional 2 days) |
| Physically disabled | Alternative reporting channels |
| Rural customers | Vernacular communication |
| First-time digital users | Enhanced awareness support |
3.4 Transaction Amount Limits
| Transaction Value | Maximum Customer Liability |
|------|------|
| Up to Rs. 5,000 | Rs. 5,000 or actual loss |
| Rs. 5,000 - Rs. 25,000 | Max Rs. 10,000 |
| Above Rs. 25,000 | Max Rs. 25,000 |
4. Zero Liability Conditions
4.1 Eligibility Criteria
Mandatory Requirements for Zero Liability:
| Requirement | Description | Verification |
|------|------|------|
| Timely Reporting | Within 3 working days | Timestamp record |
| No Negligence | Did not share credentials | Investigation |
| Third-Party Breach | Bank/system failure | Forensic analysis |
| Valid Account | Active, compliant account | Bank records |
| Genuine Claim | Not fraudulent filing | Investigation |
4.2 What Constitutes "Third-Party Breach"
| Breach Type | Zero Liability | Example |
|------|------|------|
| Bank server hack | Yes | Database compromise |
| ATM skimming | Yes | Card cloning |
| Merchant data leak | Yes | E-commerce breach |
| SIM swap without consent | Case-by-case | Depends on telco cooperation |
| Malware on customer device | No | Customer responsibility |
| Phishing (credential shared) | No | Customer negligence |
4.3 Proof of Non-Negligence
Evidence Supporting Zero Liability:
| Evidence Type | Strength | Burden |
|------|------|------|
| Police FIR | Strong | Customer |
| OTP not delivered to registered number | Strong | Bank records |
| Transaction from unusual location | Medium | Bank analytics |
| Multiple failed attempts before fraud | Medium | Bank logs |
| Customer complaint before transaction | Strong | Timestamp |
| No login from customer device | Strong | IP analysis |
4.4 Disputed Scenarios
| Scenario | Typical Outcome | Deciding Factor |
|------|------|------|
| OTP received but not "shared" | Case-by-case | Device forensics |
| Remote access software | Often denied | Customer awareness |
| Family member fraud | No zero liability | Trust relationship |
| Workplace computer compromise | Case-by-case | Security measures |
| Public WiFi transaction | Limited liability | Customer choice |
5. Reporting Mechanism and Timelines
5.1 Mandatory Reporting Channels
| Channel | Availability | Response Time |
|------|------|------|
| Toll-free helpline | 24/7 | Immediate acknowledgment |
| SMS alert response | 24/7 | Automated registration |
| Mobile banking app | 24/7 | In-app confirmation |
| Email | 24/7 | Auto-acknowledge |
| Branch visit | Business hours | Written acknowledgment |
| Bank website | 24/7 | Online form submission |
5.2 Timeline Framework
Day 0: Unauthorized transaction occurs
|
Day 1-3: ZERO LIABILITY WINDOW
- Report to bank immediately
- Get written acknowledgment
- Block card/channel
- File FIR (recommended)
|
Day 4-7: LIMITED LIABILITY WINDOW
- Maximum Rs. 25,000 customer liability
- Still eligible for partial reversal
|
Day 7+: FULL LIABILITY (Board Policy)
- Customer bears risk
- No mandatory reversal
|
Day 10: Bank must complete investigation
and credit-back (if zero liability)
5.3 Bank Response Obligations
| Action | Timeline | Consequence of Non-Compliance |
|------|------|------|
| Acknowledge complaint | Immediate/within 24 hours | Service deficiency |
| Block channel/card | Immediate | Continued liability on bank |
| Investigation initiation | Within 48 hours | Procedural lapse |
| Resolution/Credit-back | 10 working days | Automatic credit + interest |
| Final communication | 10 working days | Customer can escalate |
5.4 Shadow Reversal Process
RBI Mandated Process:
| Step | Timeline | Action |
|------|------|------|
| 1 | Day 0 | Transaction occurs |
| 2 | Day 1-3 | Customer reports |
| 3 | Day 4 | Bank acknowledges, starts investigation |
| 4 | Day 10 | If zero liability established, shadow credit |
| 5 | Day 10+ | Investigation concludes |
| 6 | Day 90 (max) | Final resolution with interest |
6. Bank Obligations and Compliance
6.1 Security Measures
| Requirement | Specification | Compliance Check |
|------|------|------|
| Two-Factor Authentication | Mandatory for all electronic transactions | Yes/No |
| Transaction Alerts | Real-time SMS/Email | Yes/No |
| Fraud Detection Systems | AI/ML-based monitoring | Yes/No |
| IP/Device Tracking | Log all access attempts | Yes/No |
| Velocity Checks | Multiple transaction alerts | Yes/No |
| Cooling-off Period | New beneficiary addition | Yes/No |
6.2 Customer Communication
Mandatory Disclosures:
| Information | Medium | Frequency |
|------|------|------|
| Zero liability policy | Website, branch, account opening | Continuous |
| Reporting mechanism | SMS, email, passbook | Transaction-based |
| Do's and Don'ts | SMS campaigns, website | Quarterly |
| Fraud alerts | Real-time push notifications | As needed |
| Contact numbers | All communications | Always |
6.3 Record-Keeping Requirements
| Record Type | Retention Period | Purpose |
|------|------|------|
| Transaction logs | 10 years | Audit trail |
| Customer complaints | 8 years | Dispute resolution |
| Investigation reports | 8 years | Evidence |
| CCTV footage (ATMs) | 90 days minimum | Fraud investigation |
| Call recordings | 3 years | Verification |
| IP logs | 3 years | Forensics |
6.4 Board-Approved Policy
Mandatory Policy Elements:
| Element | Description |
|------|------|
| Liability limits | Maximum customer exposure |
| Investigation SOP | Standard operating procedure |
| Escalation matrix | Internal and external |
| Compensation framework | Beyond RBI minimum |
| Customer education | Awareness programs |
| Staff training | Fraud detection skills |
| Technology investment | Security infrastructure |
7. Judicial Precedents and Case Law
7.1 Landmark Case: Hare Ram Singh v. RBI & SBI
Case Citation: W.P.(C) 13497/2022, Delhi High Court
| Aspect | Details |
|------|------|
| Court | High Court of Delhi |
| Date | November 18, 2024 |
| Judge | Hon'ble Justice Dharmesh Sharma |
| Petitioner | Hare Ram Singh (Academician) |
| Respondents | RBI, State Bank of India |
| Amount | Rs. 2,60,000 |
| Outcome | Full refund + Rs. 25,000 compensation |
Facts:
The petitioner, an academician, fell victim to a vishing-phishing scam on April 18, 2021. After clicking a malicious link, two unauthorized transfers of Rs. 1,00,000 and Rs. 1,60,000 were made from his SBI savings account. Despite immediate complaints to SBI, the Banking Ombudsman, and RBI, only Rs. 33,334 was refunded initially.
Key Holdings:
"The burden of proving customer negligence rests on the bank; absent proof that the petitioner shared OTPs, the bank must refund the full loss under the zero-liability provision."
"The Court held that the petitioner was a victim of sophisticated cyber-fraud, not negligent. SBI failed to meet its duty of care and the RBI circulars impose 'zero liability' on the customer in such cases."
Legal Significance:
- Establishes burden of proof on bank to prove customer negligence
- Extends zero liability to vishing/phishing attacks
- Includes transactions involving non-bank entities (One97/Paytm)
- Mandates compensation beyond principal amount
- Sets aside deficient Banking Ombudsman orders
7.2 Google Pay/UPI Framework Case
Case Citation: W.P.(C) 3693/2019, Delhi High Court
| Aspect | Details |
|------|------|
| Court | High Court of Delhi |
| Date | August 7, 2023 |
| Judges | Chief Justice Satish Chandra Sharma, Justice Subramonium Prasad |
| Issue | UPI TPAP regulatory status |
| Outcome | TPAPs are not "system providers" |
Key Holdings:
"Google Pay, as a TPAP, functions only as a front-end application that connects users to banks' UPI interfaces via API, and therefore falls under 'system participant' rather than 'system provider'."
Significance for Zero Liability:
- Participating banks remain responsible for UPI fraud
- TPAPs must comply with UPI Guidelines on data handling
- Customer data stored by TPAPs must be encrypted
- Payment-sensitive data remains with banks
7.3 Additional Precedents
| Case | Court | Year | Key Principle |
|------|------|------|------|
| Punjab National Bank v. Sita Ram Malik | Delhi HC | 2011 | Bank negligence in fund handling |
| IDBI Bank v. Shree Ganpati Traders | Delhi HC | 2023 | KYC failure = no Sec. 131 protection |
| M/s Paras Lubricants v. PNB | Delhi HC | 2024 | Natural justice in fraud classification |
7.4 Consumer Forum Jurisprudence
| Case | Forum | Amount | Principle |
|------|------|------|------|
| Suresh Kumar v. ICICI | NCDRC | Rs. 8.5 lakhs | OTP interception = bank liable |
| Priya Sharma v. HDFC | State Commission | Rs. 3.2 lakhs | Delayed SMS alert = bank negligence |
| Rajiv Mehta v. Axis | District Forum | Rs. 1.8 lakhs | SIM swap without verification |
8. Prevention, Detection and Remedies
8.1 Customer Prevention Measures
Do's:
| Action | Reason |
|------|------|
| Enable transaction alerts | Immediate fraud detection |
| Set transaction limits | Minimize potential loss |
| Use official apps only | Avoid malware |
| Verify caller identity | Prevent vishing |
| Check URL authenticity | Avoid phishing sites |
| Update contact details | Receive alerts |
| Review statements regularly | Detect anomalies |
Don'ts:
| Action | Risk |
|------|------|
| Share OTP with anyone | Full liability |
| Click unknown links | Malware installation |
| Use public WiFi for banking | Data interception |
| Save credentials on shared devices | Unauthorized access |
| Respond to "urgent" messages | Social engineering |
| Install remote access apps | Device compromise |
Upon Discovering Unauthorized Transaction:
| Step | Action | Timeline |
|------|------|------|
| 1 | Block card/channel immediately | Minutes |
| 2 | Call bank's toll-free number | Within 1 hour |
| 3 | Send email to bank | Same day |
| 4 | Get written acknowledgment | Same day |
| 5 | File FIR at local police station | Within 24 hours |
| 6 | Report on Cyber Crime Portal | Within 24 hours |
| 7 | Preserve all evidence | Ongoing |
| 8 | Follow up in writing | Every 48 hours |
8.3 Documentation Checklist
| Document | Purpose | Retention |
|------|------|------|
| Bank complaint copy | Primary evidence | Permanent |
| Acknowledgment receipt | Timeline proof | Permanent |
| FIR copy | Police record | Permanent |
| Transaction statement | Loss quantification | 10 years |
| SMS/Email screenshots | Alert evidence | Until resolution |
| Call recordings (if any) | Verification | Until resolution |
| Cyber crime portal receipt | Government record | Permanent |
8.4 Escalation Framework
| Level | Authority | Timeline | Trigger |
|------|------|------|------|
| 1 | Branch/Call Center | 7 days | Initial complaint |
| 2 | Nodal Officer | 15 days | No L1 response |
| 3 | Banking Ombudsman | 30 days | L2 exhausted |
| 4 | RBI Integrated Ombudsman | 30 days | Post-2021 route |
| 5 | Consumer Forum | 2 years | Complex disputes |
| 6 | High Court (Writ) | As needed | Fundamental rights |
8.5 Remedies Available
| Remedy | Authority | Relief |
|------|------|------|
| Full Refund | Bank/Ombudsman | Principal amount |
| Interest | Bank/Ombudsman | From date of loss |
| Compensation | Consumer Forum | Mental agony, harassment |
| Costs | Court | Legal expenses |
| Penalty on Bank | RBI | Regulatory action |
8.6 Model Complaint Template
To,
The Nodal Officer (Customer Grievance)
[Bank Name]
[Address]
Date: [DD-MM-YYYY]
Subject: Complaint for Unauthorized Electronic Transaction -
Zero Liability Claim under RBI Circular dated 06-07-2017
Account No.: [XXXXXXXXXXXX]
Customer ID: [XXXXXXXXX]
Mobile No.: [XXXXXXXXXX]
Dear Sir/Madam,
I hereby report the following unauthorized transaction(s):
| Date | Time | Amount | Mode | Beneficiary |
|------|------|--------|------|-------------|
| [DD-MM-YYYY] | [HH:MM] | Rs. [XX] | [UPI/NEFT/etc.] | [If known] |
DECLARATION:
1. I did NOT initiate, authorize, or consent to this transaction
2. I have NOT shared my OTP, PIN, password, or credentials with anyone
3. I discovered this transaction on [Date] at [Time]
4. This complaint is being filed within 3 working days of discovery
DOCUMENTS ENCLOSED:
1. FIR Copy dated [XX]
2. Bank statement showing unauthorized transaction
3. Cyber Crime Portal complaint receipt
RELIEF SOUGHT:
1. Immediate reversal of Rs. [Amount] under zero liability provision
2. Interest @ 9% p.a. from date of transaction
3. Compensation for mental agony
This complaint is made under RBI Master Circular
DBR.No.Leg.BC.78/09.07.005/2017-18 dated 06-07-2017.
Kindly acknowledge receipt and resolve within 10 working days.
Yours faithfully,
[Name]
[Signature]
[Contact Details]
Key Statistics Summary
| Category | Metric | Value |
|------|------|------|
| Fraud Volume | UPI Frauds FY 2024-25 | 26.3 lakh cases |
| Financial Impact | Total Fraud Amount | Rs. 22,812 crores |
| Zero Liability | Eligible Cases | ~65% |
| Reporting | Mandatory Window | 3 working days |
| Resolution | Bank Deadline | 10 working days |
| Liability Cap | Maximum Customer Exposure | Rs. 25,000 |
| Circular | Primary Reference | RBI/2017-18/15 |
| Date | Implementation | July 6, 2017 |
Conclusion
The RBI's zero liability framework represents a significant advancement in consumer protection for digital banking transactions. The 2017 circular, reinforced by subsequent directions and judicial interpretations, creates a balanced ecosystem where:
- Customers receive strong protection when fraud occurs without their negligence
- Banks have clear obligations for security, investigation, and reversal
- Regulators maintain oversight through the ombudsman scheme
- Courts provide recourse when the system fails
The key to maximizing protection lies in timely reporting, proper documentation, and understanding the liability matrix. The landmark Hare Ram Singh judgment has strengthened customer rights by placing the burden of proving negligence squarely on banks.
As digital payment adoption accelerates, both banks and customers must remain vigilant against evolving fraud techniques while leveraging the robust protection framework established by the RBI.
Sources: RBI Circulars, Delhi High Court Judgments Legal Database, NPCI Statistics