Mumbai (ABC Live): The Reserve Bank of India has issued final directions that change how banks must handle fraudulent electronic banking transactions.

The RBI digital fraud customer protection rules 2026 will take effect on January 1, 2027. Moreover, they will apply to eligible electronic banking transactions undertaken on or after that date.

According to the RBI press release issued on June 24, 2026, the framework applies to:

  • commercial banks;
  • small finance banks;
  • payments banks;
  • local area banks;
  • regional rural banks;
  • urban co-operative banks; and
  • rural co-operative banks.

Earlier, the framework mainly focused on payments that customers had not authorised. Therefore, banks often asked whether the customer entered an OTP, used a PIN or approved a Unified Payments Interface transaction.

However, modern fraud often works differently. Instead of hacking an account, criminals frequently manipulate customers into approving payments themselves.

Consequently, the RBI has widened the framework. It now covers several transactions that appear authorised in the banking system but result from deception, impersonation, coercion, duress or stolen credentials.

Why Can an Approved Payment Still Be Fraudulent?

A customer may approve a transaction without understanding its true purpose or the real identity of the recipient.

For example, a fraudster may pose as:

  • a police officer;
  • a bank employee;
  • a government official;
  • an investment adviser;
  • a courier company;
  • a buyer or seller;
  • a relative; or
  • a customer-service executive.

As a result, the victim may enter an OTP or approve a UPI transfer because the fraudster creates fear, trust or urgency.

A digital-arrest scam illustrates this problem. For instance, the customer may transfer money because the fraudster threatens arrest, account freezing or legal action.

Similarly, a person may send money after receiving a fake investment offer or false bank warning.

Therefore, technical approval does not always prove free and informed consent.

ABC Live examined this regulatory gap when the RBI released its draft directions. Readers may therefore refer to Explained: RBI’s New Digital Fraud Liability Rules for the earlier background.

What Is the Main Consumer Benefit?

The new framework creates three main forms of protection.

First, customers will continue to receive zero liability where bank negligence or deficiency causes the fraud.

Second, customers may receive zero liability in certain third-party breaches if they report the transaction within the prescribed period.

Third, eligible victims of small-value fraud may receive compensation equal to:

85% of the net loss or ?25,000, whichever is lower.

However, the compensation mechanism carries strict conditions. In particular, the gross loss must not exceed ?50,000.

Moreover, the customer may receive this special benefit only once during their lifetime.

Therefore, the directions do not guarantee a full refund in every fraud case. Nevertheless, they create a wider safety net than the earlier framework.

Key Points

  • The directions take effect on January 1, 2027.
  • Moreover, they cover unauthorised and certain fraud-induced transactions.
  • Bank negligence can result in zero customer liability.
  • Similarly, timely reporting can protect customers in third-party breaches.
  • Small-value fraud compensation can reach ?25,000.
  • However, compensation equals 85% of net loss or ?25,000, whichever is lower.
  • The gross loss must not exceed ?50,000.
  • In addition, the benefit is available only once in a customer’s lifetime.
  • Individuals and sole proprietors may qualify.
  • Customers must report eligible fraud within five calendar days.
  • Banks must decide domestic cases within 45 calendar days.
  • Meanwhile, cross-border cases may take up to 60 calendar days.
  • Credit-card fraud complaints require shadow reversal within five days.
  • Finally, banks must send instant SMS alerts for transactions above ?500.

Why Is This Explainer Needed?

India’s digital-payment system has grown rapidly. However, fraud methods have also changed.

Earlier fraud often involved a stolen card, cloned card or hacked account. By contrast, many present scams rely on social engineering.

In social-engineering fraud, the criminal does not always break the bank’s security system. Instead, the criminal manipulates the customer into completing the transfer.

Consequently, an OTP-based system may confirm who operated the account. Nevertheless, it may not confirm whether that person acted after deception or coercion.

ABC Live’s Critical Analysis of RBI’s Fraud Safeguards Paper explains why authorised push-payment fraud has become a major policy concern.

Similarly, ABC Live’s Critical Analysis of RBI’s Payments Vision 2028 shows that India’s next payment challenge is not merely expansion. Instead, it is the protection of trust, safety and accountability.

What Transactions Do the Rules Cover?

The new rules cover fraudulent electronic banking transactions.

These may involve:

  • internet banking;
  • mobile banking;
  • UPI transfers;
  • debit cards;
  • credit cards;
  • ATM transactions; and
  • other covered electronic banking channels.

However, the exact result will depend on how the transaction occurred, who caused the failure and how quickly the customer reported it.

Unauthorised Transactions

An unauthorised transaction occurs without the customer’s approval.

For example, a criminal may hack an account, clone a card, steal a mobile device or misuse compromised credentials.

The earlier framework already covered such cases. Therefore, this protection continues under the amended directions.

Credentials Obtained Through Fraud

A criminal may obtain an OTP, PIN, password or card information by impersonating a trusted person.

Although the transaction may pass through normal authentication, the criminal obtained the credentials through deception.

Consequently, the bank must examine how the fraudster obtained and used them.

Transactions Approved Under Coercion

A customer may approve a transaction because a fraudster threatens arrest, legal action, account closure or another serious consequence.

Therefore, the approval may not reflect a free decision.

Moreover, the new framework expressly recognises transactions completed under coercion or duress as part of the wider fraud problem.

Payments to Fake Recipients

A fraudster may pose as a legitimate recipient and persuade the customer to transfer money.

For example, the fraudster may pretend to represent a bank, employer, investment platform or government department.

Although the customer initiates the payment, the recipient’s claimed identity is false. Therefore, the transaction may qualify as fraud-induced.

What Was the Earlier RBI Framework?

The RBI issued its earlier customer-liability framework on July 6, 2017.

The 2017 RBI customer-protection circular mainly governed unauthorised electronic banking transactions.

Under that framework, customers received zero liability where bank negligence caused the transaction.

In addition, customers received zero liability for certain third-party breaches if they informed the bank within three working days of receiving the transaction communication.

However, where customer negligence caused the loss, the customer generally bore the amount lost before reporting the fraud.

Furthermore, complaints reported after seven working days were governed by the bank’s Board-approved policy.

Although the 2017 framework created important safeguards, it did not adequately address cases where a customer approved a transaction after manipulation.

Therefore, the 2026 reform expands the framework from unauthorised transactions to a wider class of fraudulent transactions.

How Did the New Framework Develop?

The RBI announced a review in its Statement on Developmental and Regulatory Policies dated February 6, 2026.

Thereafter, the RBI issued its draft amendment directions on March 6, 2026.

The draft proposed three main changes:

  1. wider coverage of digital fraud;
  2. faster processing of fraud complaints; and
  3. compensation for small-value fraud.

The RBI then invited stakeholder comments until April 6, 2026.

After examining the feedback, the RBI issued the final directions on June 24, 2026. Moreover, it published a statement on the feedback and final changes.

However, the RBI postponed implementation from the proposed July 2026 date to January 1, 2027.

Consequently, banks received additional time to change their systems, procedures and customer-liability policies.

RBI Digital Fraud Rules Timeline

Date Development
July 6, 2017 Earlier customer-liability circular issued
February 6, 2026 RBI announces review
March 6, 2026 Draft directions released
April 6, 2026 Consultation period closes
June 24, 2026 Final directions issued
January 1, 2027 New framework begins

Who Can Receive Zero Liability?

Zero liability means that the customer should not bear the disputed amount.

However, zero liability does not apply automatically to every scam. Instead, the cause of the fraud and the reporting period determine the outcome.

The operative provisions appear in the RBI Commercial Banks Responsible Business Conduct Third Amendment Directions, 2026.

Moreover, the RBI has issued parallel directions for the other covered categories of banks.

Fraud Caused by Bank Negligence

A customer will receive zero liability where negligence, deficiency or a security failure attributable to the bank causes the fraudulent transaction.

Importantly, this protection applies regardless of whether the customer reported the transaction immediately.

Bank negligence may include:

  • failure to maintain required security controls;
  • failure to send mandatory transaction alerts;
  • failure to provide 24-hour reporting channels;
  • failure to act after receiving a complaint;
  • system malfunction;
  • internal fraud; or
  • a security breach within the bank.

Therefore, a bank cannot transfer the cost of its own failure to the customer.

Third-Party Breach Reported in Time

Zero liability may also arise where the weakness lies neither with the customer nor the bank.

Instead, the breach may occur elsewhere in the payment system.

For example, it may involve:

  • a payment gateway;
  • a telecom service;
  • a third-party application;
  • a payment aggregator; or
  • another payment-system participant.

However, the customer must report the unauthorised fraudulent transaction to the bank within five calendar days from its occurrence.

Loss After Reporting the Fraud

Once the customer reports the fraud, the bank must act promptly to prevent further unauthorised transactions.

Consequently, the bank must bear the loss from any unauthorised transaction that occurs after the customer reports the incident.

Thus, the rule gives banks a direct incentive to block the compromised channel without delay.

When Can the Customer Remain Liable?

A customer may remain liable where their negligence contributed to the loss.

For example, negligence may include:

  • knowingly sharing an OTP or PIN;
  • disclosing a banking password;
  • downloading a malicious application;
  • granting remote control of a mobile device;
  • ignoring a specific fraud warning; or
  • delaying the report after discovering the fraud.

However, customer negligence does not necessarily mean that the customer receives no protection.

Instead, the customer may still qualify for limited compensation if the transaction meets the small-value fraud conditions.

Therefore, a bank must distinguish between zero-liability cases, compensation cases and cases where the customer must bear the loss.

Customer Liability Dashboard

Situation Likely result
Bank negligence Zero liability
Timely third-party breach report Zero liability
Loss after fraud report Bank bears later loss
Customer negligence Liability may remain
Eligible small fraud Capped compensation
Report after five days Bank policy may apply
Fraud above ?50,000 No special small-fraud compensation

How Much Compensation Can a Victim Receive?

A bona fide victim may receive:

85% of the net loss or ?25,000, whichever is lower.

However, the complaint must involve a gross loss of up to ?50,000.

Moreover, the compensation can be claimed only once during the customer’s lifetime.

In addition, the mechanism covers eligible individuals and sole proprietors. Therefore, it can protect both personal account holders and certain small-business account holders.

The net loss means the amount remaining after adjusting any money already recovered or returned.

Consequently, the compensation depends on the actual outstanding loss rather than only the original transaction amount.

Compensation Examples

Net loss Eligible amount
?5,000 ?4,250
?10,000 ?8,500
?20,000 ?17,000
?25,000 ?21,250
?29,000 ?24,650
?30,000 ?25,000
?40,000 ?25,000
?50,000 ?25,000

Therefore, the 85% formula applies until the compensation reaches ?25,000.

After that point, however, the ?25,000 ceiling controls the payment.

Why Does ?29,412 Matter?

Eighty-five per cent of approximately ?29,412 equals ?25,000.

Therefore, this figure marks the point at which the compensation cap starts affecting the calculation.

For example, a victim with a net loss of ?20,000 may receive ?17,000.

By contrast, a victim with a net loss of ?40,000 will not receive ?34,000. Instead, the maximum payment will remain ?25,000.

Net-loss band Compensation rule
Below ?29,412 85% of net loss
?29,412 to ?50,000 Maximum ?25,000
Gross loss above ?50,000 Special mechanism unavailable

What Conditions Apply to Compensation?

Compensation will not arise automatically after every digital-fraud complaint.

Instead, the customer must meet the required conditions.

The customer must:

  1. be an eligible individual or sole proprietor;
  2. suffer a gross loss of no more than ?50,000;
  3. report the fraud to the bank;
  4. report it through Helpline 1930 or the cybercrime portal;
  5. complete both reports within five calendar days;
  6. provide complaint references and transaction details; and
  7. establish a bona fide fraud claim.

Moreover, the once-in-a-lifetime condition applies across eligible claims.

Therefore, customers should preserve every acknowledgement and communication related to the fraud.

Who Will Pay the Compensation?

The compensation burden will be shared between the RBI and the banks concerned.

For eligible domestic fraud below ?29,412, the distribution broadly works as follows:

Contributor Share of loss
RBI 65%
Customer’s bank 10%
Beneficiary bank 10%
Customer’s uncovered loss 15%

For eligible domestic losses of ?29,412 or more, but not exceeding ?50,000, the compensation remains capped at ?25,000.

Accordingly, the prescribed contribution at that level is:

Contributor Amount
RBI ?19,118
Customer’s bank ?2,941
Beneficiary bank ?2,941
Total compensation ?25,000

However, cross-border fraud uses a different sharing arrangement because an overseas beneficiary bank may fall outside the RBI’s direct regulatory structure.

Why Must the Beneficiary Bank Contribute?

The beneficiary bank maintains the account that receives the fraudulent funds.

Therefore, the fraud problem does not end with the victim’s bank. Instead, it also involves the institution that opened and monitored the receiving account.

Fraud networks frequently use mule accounts to receive and rapidly move stolen money.

Consequently, beneficiary banks must improve their ability to detect:

  • sudden transaction spikes;
  • several unrelated incoming credits;
  • rapid outward transfers;
  • unusual cash withdrawals;
  • activity inconsistent with the account profile; and
  • accounts linked to repeated fraud complaints.

The contribution requirement therefore creates a financial incentive for beneficiary banks to strengthen account-opening and transaction-monitoring controls.

However, their contribution remains relatively limited. Therefore, supervisory enforcement will still matter.

Is the Compensation Mechanism Permanent?

The compensation mechanism is initially linked to a one-year implementation period.

Therefore, it will apply to eligible fraudulent electronic banking transactions occurring during the prescribed first year after the directions take effect.

The RBI intends to review the arrangement after gaining practical experience.

Moreover, the earlier draft indicated that the RBI could later increase the share paid by banks and reduce or remove its own contribution.

Consequently, the funding formula may change after the initial review.

Customers should therefore check the rules that apply on the date of the fraudulent transaction.

What Should a Fraud Victim Do Immediately?

Speed matters because fraudsters may move money through several accounts within minutes.

Therefore, the customer should not wait for a branch visit or a detailed investigation before reporting the transaction.

Inform the Bank

First, the customer should immediately contact the bank through its official fraud-reporting channel.

They should also:

  • block the affected card or account channel;
  • change compromised credentials;
  • request a complaint number; and
  • record the time of the report.

Call Helpline 1930

Second, the customer should call the National Cyber Crime Helpline at 1930.

Early reporting may help banks and authorities freeze the beneficiary account before the fraudsters withdraw or transfer the money.

File an Online Cybercrime Complaint

Third, the customer should complete the complaint through the National Cyber Crime Reporting Portal.

Moreover, the customer should preserve the portal acknowledgement number.

Save the Evidence

Finally, the customer should retain:

  • screenshots;
  • SMS alerts;
  • transaction references;
  • phone numbers;
  • email messages;
  • chat records;
  • website addresses;
  • beneficiary details; and
  • complaint acknowledgements.

Five-Day Reporting Checklist

Required step Status
Report to bank Essential
Call 1930 Essential
Use cybercrime portal Recommended and may be required
Save complaint number Essential
Block compromised channel Immediate
Preserve evidence Essential
Submit bank documents As requested

What Must Banks Do After a Complaint?

Banks must provide round-the-clock channels for reporting fraudulent transactions.

These channels may include:

  • telephone banking;
  • SMS;
  • email;
  • Interactive Voice Response;
  • a toll-free helpline;
  • mobile banking;
  • internet banking;
  • the bank’s website; and
  • branch reporting.

Moreover, the bank must acknowledge the complaint and record when it received the report.

Thereafter, it must promptly prevent further unauthorised use of the account or payment instrument.

The bank must also examine the complaint and determine who bears liability.

Importantly, the burden of proving customer liability lies on the bank.

Therefore, the bank should not reject a complaint merely by stating that an OTP or PIN authenticated the transaction.

What Evidence Should a Bank Examine?

Banks control most of the technical evidence connected with a digital transaction.

Therefore, they should examine:

  • transaction logs;
  • device details;
  • IP and location records;
  • authentication records;
  • alert-delivery records;
  • beneficiary-account history;
  • transaction velocity;
  • unusual account behaviour; and
  • the timing of the customer’s complaint.

In addition, the bank should examine the nature of the fraud.

For example, it should consider whether the fraudster used impersonation, threats, remote-access software or stolen credentials.

Consequently, complaint decisions should rest on evidence rather than standardised rejection messages.

How Long Can a Bank Take?

The final directions prescribe separate timelines for domestic and cross-border complaints.

Complaint Maximum period
Domestic fraud 45 calendar days
Cross-border fraud 60 calendar days

Within this period, the bank must examine the complaint and establish customer liability.

Moreover, the bank must communicate the result to the customer.

If the bank exceeds the prescribed period, it should explain the reason for the delay.

The final timelines differ from the draft proposal, which contemplated a shorter general period.

However, the final framework remains significantly faster than the earlier outer limit of 90 days.

What Is Shadow Reversal?

Shadow reversal means provisional credit of the disputed amount while the complaint remains under examination.

For a fraudulent credit-card transaction, the bank must provide a shadow reversal within five calendar days after receiving the customer’s notification.

Consequently, the disputed amount should not continue to increase the customer’s payable credit-card balance during the investigation.

Furthermore, where the transaction is finally reversed, the reversal must carry the original transaction date.

Therefore, the customer should not suffer avoidable interest, charges or penalties because of the disputed fraud.

ABC Live’s Explainer on RBI’s E-Mandate Framework 2026 provides wider context on customer control over electronic payments.

Will Banks Send Transaction Alerts?

Banks must send instant SMS alerts for electronic banking transactions above ?500.

For transactions up to ?500, however, the bank may decide whether to send an SMS under its internal policy.

Nevertheless, it cannot charge the customer for such an alert.

Moreover, banks must send email alerts where customers have registered email addresses.

The communication system must record the delivery time and any customer response.

Therefore, the alert record may become important when the bank determines liability.

Draft Rules Versus Final Rules

Issue Draft position Final position
Start date July 2026 proposed January 1, 2027
Domestic decision period Shorter general proposal 45 calendar days
Cross-border cases No clear separate period 60 calendar days
Credit-card shadow reversal Requested during consultation Five calendar days
Wider fraud coverage Proposed Retained
Compensation cap ?25,000 proposed Retained
SMS alert threshold Above ?500 Retained

Therefore, the final framework keeps the central consumer-protection design.

However, it gives banks more time to investigate. In addition, it adds a specific credit-card safeguard.

Does Entering an OTP Defeat the Claim?

No, not automatically.

Entering an OTP shows that the banking system authenticated the transaction.

However, it does not always prove that the customer acted after receiving truthful information.

For example, a fraudster may obtain the OTP by posing as a bank official.

Similarly, a victim may approve a payment after receiving threats.

Therefore, the bank must examine:

  • how the fraudster contacted the customer;
  • what representation the fraudster made;
  • whether coercion occurred;
  • whether the bank gave a clear warning;
  • whether the customer ignored the warning; and
  • how quickly the customer reported the fraud.

Nevertheless, sharing an OTP may still amount to customer negligence.

Consequently, the customer may qualify for capped compensation rather than zero liability.

Does the RBI Guarantee a Full Refund?

No. The new rules do not guarantee a complete refund for every digital scam.

Full reversal generally depends on factors such as:

  • bank negligence;
  • deficiency in the banking system;
  • a qualifying third-party breach; and
  • timely reporting.

By contrast, the special small-value mechanism offers only 85% of the net loss or ?25,000, whichever is lower.

Therefore, a victim who loses ?50,000 may receive only ?25,000 through the special compensation mechanism.

Moreover, the framework does not provide special compensation where the gross loss exceeds ?50,000.

However, other zero-liability or legal remedies may still apply, depending on the cause of the transaction.

Are Commercial Disputes Covered?

A commercial dispute is not automatically a fraudulent electronic banking transaction.

For example, a disagreement about the quality of goods, late delivery or contractual performance may remain a consumer or civil dispute.

Similarly, an ordinary investment loss does not become bank fraud merely because the investment performed badly.

However, where a fake seller or false investment platform obtained the payment through deception, the underlying transfer may qualify as fraud-induced.

Therefore, the bank and authorities must examine the facts rather than rely only on the label used by the customer.

Are Failed Transactions Covered?

Failed transactions generally fall under separate RBI rules governing reversal and customer compensation.

Therefore, a failed ATM withdrawal, unsuccessful UPI transfer or delayed credit may not fall under the digital-fraud liability framework unless fraud also occurred.

Customers should therefore distinguish between:

  • a failed transaction;
  • an unauthorised transaction;
  • a fraud-induced transaction; and
  • a commercial dispute.

This distinction will help the bank apply the correct regulatory framework.

What If the Bank Rejects the Complaint?

The customer should first seek a written and reasoned decision from the bank.

Thereafter, the customer may escalate the matter through:

  1. the bank’s grievance officer;
  2. the bank’s principal nodal officer;
  3. the bank’s Internal Ombudsman process; and
  4. the RBI Complaint Management System, where eligible.

Customers can access the RBI Complaint Management System for complaints covered by the Reserve Bank–Integrated Ombudsman Scheme.

Moreover, ABC Live’s Critical Analysis of RBI’s Internal Ombudsman Directions 2026 explains how rejected and partly rejected complaints should undergo internal review.

However, customers should preserve the original bank complaint, response and all supporting evidence before escalating the matter.

What Do the Rules Mean for Banks?

Banks will need stronger fraud-detection and complaint-management systems.

In particular, they will need to:

  • identify fraud-induced payments;
  • preserve technical evidence;
  • record transaction-alert delivery;
  • provide simple reporting channels;
  • coordinate with beneficiary banks;
  • detect mule accounts;
  • provide credit-card shadow reversal;
  • explain rejection decisions; and
  • report fraud patterns to their Boards.

Consequently, banks cannot treat digital fraud as an ordinary customer-service issue.

Instead, they will require trained investigation teams, stronger beneficiary-account monitoring and clear escalation systems.

What Do the Rules Mean for Customers?

Customers receive wider protection. However, they also carry important responsibilities.

They must:

  • protect their banking credentials;
  • respond quickly to transaction alerts;
  • report fraud immediately;
  • preserve evidence;
  • use official reporting channels; and
  • cooperate with the investigation.

Therefore, the framework balances customer protection with responsible digital behaviour.

Nevertheless, a person should not avoid reporting fraud merely because they entered an OTP.

Instead, the bank must examine whether deception, coercion or credential theft influenced the transaction.

ABC Live Analysis: What Is the Real Reform?

The most important change is not the ?25,000 compensation cap.

Instead, the deeper reform lies in recognising that authentication and genuine consent are not always the same.

A transaction can pass through every technical security stage and still result from fraud.

For example, the customer may enter the correct OTP. However, the fraudster may have created a false emergency or used a fake identity.

Therefore, the final directions move regulation closer to the real structure of social-engineering fraud.

Moreover, placing the burden of proving customer liability on the bank improves procedural fairness.

Banks hold the technical records. Consequently, they should explain why those records establish customer negligence or liability.

What Does the Framework Get Right?

The framework makes several important improvements.

First, it widens fraud recognition beyond classic account hacking.

Second, it protects customers where bank negligence causes the loss.

Third, it introduces financial responsibility for beneficiary banks.

Fourth, it requires faster decisions in domestic and cross-border cases.

Fifth, it provides provisional relief for credit-card fraud.

Finally, it recognises that small-value victims need some relief even where customer negligence may have contributed to the fraud.

Therefore, the framework represents a meaningful step toward stronger digital-payment protection.

Where Does the Framework Remain Weak?

Several concerns remain.

First, once-in-a-lifetime compensation appears excessively restrictive.

A person may use digital banking for several decades. Moreover, the same person may become a genuine victim more than once.

Second, the ?25,000 cap offers limited help against digital-arrest and investment scams involving larger losses.

Third, customers may receive different outcomes where banks apply different Board-approved policies after delayed reporting.

Fourth, people facing illness, travel, limited connectivity or psychological pressure may struggle to report within five days.

Finally, the RBI initially bears the largest share of compensation.

Therefore, banks may not face a sufficiently strong financial incentive to prevent fraud.

ABC Live Consumer-Protection Scorecard

Area Assessment
Wider fraud recognition Strong
Bank accountability Improved
Small-loss relief Moderate
Large-loss protection Weak
Complaint timelines Improved
Credit-card protection Strong
Vulnerable-customer support Needs work
Uniform bank outcomes Uncertain
Mule-account accountability Improved

Frequently Asked Questions

When Do the New Rules Start?

The directions take effect on January 1, 2027.

Therefore, the special compensation mechanism does not automatically apply to earlier transactions.

What Is the Maximum Compensation?

The maximum compensation is ?25,000.

However, the actual payment will be 85% of the net loss or ?25,000, whichever is lower.

Can a Customer Receive Compensation Twice?

No. The special compensation benefit is available only once during a customer’s lifetime.

What Is the Maximum Eligible Loss?

The complaint must involve a gross loss of no more than ?50,000.

How Quickly Must the Fraud Be Reported?

The customer should report the fraud immediately.

Moreover, for the special compensation mechanism, the customer must report it to both the bank and the cybercrime system within five calendar days.

What Number Should the Victim Call?

The victim should call the National Cyber Crime Helpline at 1930.

In addition, they should inform their bank immediately.

Can a Sole Proprietor Claim Compensation?

Yes, an eligible sole proprietor may receive protection under the compensation mechanism.

However, all other conditions still apply.

What Happens If the Bank Caused the Fraud?

The customer receives zero liability where bank negligence or deficiency caused the transaction.

Can the Bank Reject a Claim Because an OTP Was Used?

The bank may consider OTP sharing while assessing negligence.

However, OTP use alone does not prove that deception or coercion did not occur.

How Long Can the Bank Take?

The bank must decide domestic fraud complaints within 45 calendar days.

Meanwhile, cross-border cases may take up to 60 calendar days.

What Happens in Credit-Card Fraud?

The bank must provide shadow reversal of the disputed amount within five calendar days after receiving the complaint.

What Customers Should Remember

The rules improve customer protection. However, prevention remains essential.

Therefore, customers should never disclose:

  • an OTP;
  • a card PIN;
  • an internet-banking password;
  • a UPI PIN; or
  • remote-control access to their device.

Moreover, no genuine police officer, court, bank or government agency should demand a secret payment to avoid arrest.

At the same time, victims should not remain silent because they approved the payment.

Instead, they should report the fraud immediately and allow the bank to assess the complete circumstances.

How We Verified This Explainer

ABC Live examined:

Moreover, ABC Live compared the final framework with the 2017 rules and the March 2026 draft.

Therefore, this explainer distinguishes the proposed provisions from the final regulatory position.

Sources and Resources

Official RBI Sources

  1. RBI Issues Final Amendment Directions on Customer Liability in Digital Transactions
  2. RBI Commercial Banks Responsible Business Conduct Third Amendment Directions, 2026
  3. RBI Statement on Stakeholder Feedback and Final Changes
  4. RBI Draft Amendment Directions Issued on March 6, 2026
  5. RBI Developmental and Regulatory Policies Statement of February 6, 2026
  6. RBI Customer Protection Circular of July 6, 2017

Complaint and Reporting Resources

  1. National Cyber Crime Reporting Portal
  2. RBI Complaint Management System

Related ABC Live Reports

ABC Live — Making Complex Public Issues Simple.