📜 RBI Circular on Customer Liability (2017)
The RBI Circular dated July 6, 2017 on "Limiting Liability of Customers in Unauthorized Electronic Banking Transactions" is crucial for consumer complaints:
Liability Framework
| Scenario | Customer Liability |
|---|---|
| Bank's negligence/fraud (irrespective of whether reported) | ZERO |
| Third-party breach (not bank or customer's fault) + reported within 3 days | ZERO |
| Third-party breach + reported within 4-7 days | Transaction value or ₹10,000 (whichever is lower) for savings/basic; ₹25,000 for others |
| Third-party breach + reported after 7 days | As per bank's Board-approved policy |
| Customer negligence (shared OTP, PIN, password) | FULL until reported; zero after reporting |
🛡️ Zero Liability — When Customer Gets Full Refund
- Bank's fault: Contributory fraud/negligence/deficiency on the part of the bank, irrespective of whether the customer reports it
- Third-party breach + timely reporting: Where the breach is neither the customer's nor the bank's fault, and the customer reports within 3 working days
🏦 Bank Obligations Under RBI Guidelines
Security Obligations
- Implement Two-Factor Authentication (2FA)
- Detect unusual login activities from different IP addresses
- Send SMS/email alerts for all transactions
- Send alerts when a new beneficiary is added
- Provide a 24x7 mechanism for reporting fraud
Post-Fraud Obligations
- Shadow Reversal: Credit disputed amount within 10 days of complaint
- Chargeback: Initiate inter-bank chargeback to recover funds
- Freeze Recipient Account: Request freeze on beneficiary account
- Report: Register complaint with Cyber Cell
- Resolution: Complete investigation within 90 days
📋 Types of Banking Cyber Frauds
| Fraud Type | Description | Bank Deficiency If... |
|---|---|---|
| Phishing | Fake emails/SMS seeking credentials | Bank didn't warn customers; security systems failed |
| Vishing | Phone calls impersonating bank | No call verification system; no awareness campaigns |
| SIM Swap | Fraudster gets duplicate SIM | OTP sent to new SIM without verification |
| Card Skimming | ATM device copies card data | No anti-skimming devices; no CCTV monitoring |
| Malware/RAT | Remote access to device | App security breach; no unusual activity detection |
| UPI Fraud | Fraudulent UPI requests | No request validation; no beneficiary verification |
⚖️ Consumer Forum vs Banking Ombudsman
| Aspect | Consumer Commission | Banking Ombudsman |
|---|---|---|
| Authority | CPA 2019 | RBI Ombudsman Scheme 2021 |
| Jurisdiction | Based on consideration value | Up to ₹50 Lakhs |
| Compensation | Unlimited (as per facts) | Capped at ₹20 Lakhs |
| Punitive Damages | Available | Not available |
| Timeline | 3-6 months to years | 30 days resolution target |
| Pre-condition | None | Must complain to bank first; wait 30 days |
| Appeal | State/National Commission | Appellate Authority under RBI |
📱 FinTech Deficiency
FinTech companies (Paytm, PhonePe, Google Pay, lending apps) are also covered:
Common FinTech Issues
- Payment Failures: Money debited but not credited
- Loan Recovery Harassment: Aggressive collection tactics
- Hidden Charges: Undisclosed fees and interest
- Data Misuse: Sharing customer data without consent
- KYC Issues: Account freeze without notice
✅ Remedies Available
- Refund: Return of fraudulently transferred amount
- Interest: At the rate the bank would have charged the consumer
- Compensation: For mental agony, harassment, litigation costs
- Punitive Damages: For gross negligence by bank
- Costs: Legal fees, documentation charges
📝 Part 9.4 Quiz
Q1: RBI Circular on Customer Liability was issued on:
Q2: Customer has ZERO liability when:
Q3: In Hare Ram Singh v. SBI (2024), 2FA breach was held as:
Q4: Bank must complete fraud investigation within:
Q5: Shadow reversal by bank means:
Q6: Banking Ombudsman can award compensation up to:
Q7: Before approaching Banking Ombudsman, customer must:
Q8: SIM swap fraud occurs when:
Q9: Consumer Commission can award punitive damages unlike:
Q10: In Jaiprakash Kulkarni case, court held: