My comments on RBI’s Draft Circular on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions

On Aug 11th, 2016, the Reserve Bank of India (RBI) released a draft circular on protecting bank customers and limiting their liability in unauthorised electronic banking transactions, and requested feedback. Here are my comments on the circular, which I have sent to RBI:

4. The systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions.
  • It is the duty of RBI to audit the IT infrastructure and security mechanisms of banks, and the software that banks provide to their customers for banking. It cannot escape its responsibility and blame banks alone when things go wrong.
5. Banks must ask their customers to mandatorily register for alerts for electronic banking transactions. The alerts shall be sent to the customers through different channels (email or SMS) offered by the banks.
  • The charges for this service have to be standardised by RBI. Instead of saying “different channels”, clearly define all the channels that banks may use to inform customers and vice versa. Make notification by e-mail a free and mandatory service that banks have to provide by default.
5. The longer the time taken to notify the bank, the higher will be the risk of loss to the bank/customer. To facilitate this, banks must provide customers with 24x7 access through multiple channels (at a minimum, via website, phone banking, SMS, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting fraudulent transactions that have taken place and/or loss or theft of payment instruments such as card, etc.
  • If the risk of loss is to both the bank and the customer, does that mean the bank also informs the customer proactively in case it discovers the fraud before the customer does?
  • What would be the liability of the customer or the bank if the bank informs the customer even before the customer informs the bank?
  • Multiple channels are fine, but how can a customer prove in a court of law that he reported to the bank immediately if the bank denies it? Standardise this process so that it produces legally valid evidence.
The loss/fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them. This shall be important in determining the extent of the customer’s liability.
  • When complaining to a bank by e-mail, let customers also send a copy to a dedicated e-mail address at RBI. The purpose of this e-mail account is to send acknowledgements immediately, so that the time at which the complaint was received is recorded. In case the bank acts smart, this e-mail acknowledgement can be used as evidence by the customer. Ensure that such evidence is honoured by banking ombudsmen, consumer courts and regular courts.
  • Ensure that banks do not tamper with e-mail headers and modify the sending time in order to escape the liability to pay back customers.
  • Ask banks not to delete any part of earlier e-mail content and to keep all communication details intact while replying to customer e-mails.
  • Clearly specify whether to top-post or bottom-post when responding to e-mails, for both banks and customers.
(i) Zero Liability of a Customer
6. A customer’s entitlement to zero liability shall arise where the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer in the following events:
(a) Fraud / negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)
(b) Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.
  • Who decides whether the fraud/negligence is on the part of the bank or the customer, or whether it is a third-party breach, and which procedure is to be followed to do so?
  • What if the bank doesn’t communicate a fraudulent transaction to the customer within a week despite noticing it? Will it be penalised? How can a customer prove this easily?
  • How are these three working days calculated in case of a bank strike, a general strike, a technical failure in the bank, or a natural calamity due to which the bank couldn’t function?
  • Let’s say I create a beautiful phishing page in the name of a cyclone relief fund and send it to my friend. My friend, who is my partner in crime, sends money to me by paying online through this page, and immediately reports to his bank (under third-party breach) that he is the victim of a phishing attack. Since my friend reported it immediately to his bank, as per this draft policy, his bank has to return his ‘lost’ money! In the end, my friend hasn’t lost any money and I have gained the money that the bank lost. What options are available to a bank to avoid losing money this way if it cannot establish customer liability in this fraud within the stipulated time?
(ii) Limited Liability of a Customer
7. A customer shall be liable for the loss occurring due to fraudulent transactions in the following cases:
(a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
  • This clause can comfortably be used by banks to escape their liability. What constitutes customer negligence, and who decides that the customer was indeed negligent?
  • This clause can also comfortably be used by customers who want to take banks for a ride. Let’s say a customer gives his credit card to someone and asks them to make a Rs.100 transaction. He then reports to his bank by e-mail that a fraudulent transaction has taken place, and immediately asks the other person to make a Rs.100000 transaction. The second transaction goes through even before the bank blocks his credit card. Is the bank liable in such cases?
7 (b) In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction, the customer liability shall be limited to the transaction value or Rs.5000/-, whichever is lower. Further if the delay in reporting is beyond seven working days, the customer liability shall be determined as per bank’s Board approved policy. Banks shall provide the details of the bank’s policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.
  • By “elsewhere in the system”, which system are we talking about here?
  • How was the amount of Rs.5000/- arrived at?
  • Ensure that the bank’s “board approved policy” does not become another tool to harass customers or charge them exorbitant amounts when they report beyond 7 working days.
  • For which accounts do banks have to provide their board approved policy to new and existing customers? When and how will existing customers be informed? Who ensures that banks follow this strictly, and what is the punishment if they don’t? Mention these details clearly.
Reversal Timeline for Zero Liability / Limited Liability
9. On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer. Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.
  • 10 days is a long time when we are talking about electronic banking.
  • Don’t give banks any leeway by saying they may waive off at their discretion, etc. Keep the policy clear and simple for all banks so that customers are not confused.
Further, banks shall ensure that:
(i) a complaint is resolved within 90 days from the date of reporting; and
(ii) in case of debit card/bank account the customer does not lose out interest, and in case of credit card the customer does not bear any additional burden of interest.
  • Again, 90 days is a long time. When banks want to make money quickly, why should customers wait three months for their complaint to be resolved?
Board approved Policy for Customer Protection Policy
10. ….. banks need to clearly define the rights and obligations of customers in case of unauthorised transactions in specified scenarios. …. The policy must be transparent, non-discriminatory and should stipulate the mechanism of compensating the customers for the unauthorised electronic banking transactions and also prescribe the timelines for effecting such compensation, based on the circumstances of each case. ….
  • “Board approved policy” must be a joke by RBI on bank customers. Instead, RBI needs to clearly stipulate the terms in place of a board approved policy. Otherwise, it is creating another mess in the name of solving one. RBI expects banks, which do not follow RBI guidelines and the BCSBI Code much of the time, to define the rights and obligations of customers? LMAO. Please get rid of this section 10 altogether.

Lastly:

a) Improve and make this a part of RBI’s Consumer Charter and start working on that seriously.

b) Clearly spell out the penalties for banks that violate this process, and for customers who try to abuse this process.

c) Explain the difference between “clearly established” and “not clearly established” regarding liability.

d) Ensure that farmers, labourers and other uneducated and e-illiterate people can also use this mechanism without much difficulty.

e) Take the help of CERT-In for regular alerts about online scams.

f) For this to work effectively, RBI has to ensure that banking ombudsmen and judiciary work without any bias towards banks.