The Reserve Bank of India (RBI) has issued draft Third Amendment Directions, 2026, under its Responsible Business Conduct framework, proposing stronger safeguards for customers facing fraud in electronic banking transactions.
It primarily protects bank customers from fraud in digital banking transactions, including UPI payments, internet banking, mobile banking, debit/credit card transactions, and ATM transactions.
The draft directions will apply to transactions carried out on or after July 1, 2026, and cover commercial banks excluding small finance banks, payments banks, regional rural banks and local area banks.
The proposal revises earlier rules on limiting customer liability for unauthorised electronic banking transactions.
According to the draft directions issued on March 6, 2026, electronic banking transactions include payments made through internet banking, mobile banking, cards, or other digital channels that fall under the definition of electronic funds transfer in the Payment and Settlement Systems Act, 2007.
The central bank has also introduced clearer definitions for authorised and unauthorised transactions. The draft states that transactions carried out by customers using authentication methods such as OTP, PIN, card details or passwords will be considered authorised.
However, transactions carried out using credentials obtained through fraud, or where customers are tricked or coerced into sending money to scammers posing as legitimate recipients, will fall under fraudulent electronic banking transactions.
The circular stated, "Authorised electronic banking transaction includes: a transaction carried out by a customer or a previously authorised third-party registered with the bank by granting approval through a standing instruction/mandate or any form of additional authentication such as a static
password or dynamic password (e.g. OTP), answering challenge questions, card details (CVV / Expiry date / PIN) or any other mode of electronic authentication option provided by the bank; or
(ii) a transaction which is (a) executed by a third-party using the credentials obtained from the
customer through fraudulent means; or (b) executed by the customer by granting approval under coercion or duress from the third-party; or (c) executed by the customer when he/she is tricked into willingly sending money to a scammer who is posing as a legitimate recipient.”
The RBI has also clarified what constitutes negligence on the part of banks and customers. Negligence by a bank may include failing to maintain secure systems, not sending transaction alerts, or failing to provide channels for reporting fraud. On the other hand, customer negligence could include sharing passwords or OTPs, ignoring bank fraud warnings, or downloading malicious applications.
The draft directions also define third-party breaches, where the problem arises from intermediaries such as payment gateways, telecom service providers or third-party application providers rather than the bank or the customer.
"Third-party breach refers to a situation where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and includes deficiency on the part of an intermediary such as a Third-Party Application Provider (TPAP), Payment Aggregator (PA), Payment Gateway (PG), Telecom Service Provider (TSP), etc.," per the circular.
A bank shall advise its customers that on occurrence of any fraudulent electronic banking transaction, they should notify the bank and also lodge a complaint through National Cyber Crime Reporting Portal or National Cyber Crime Helpline (1930) at the earliest, per the circular.
The draft RBI directions also propose a compensation mechanism for small digital banking frauds. If an individual customer loses up to Rs 50,000 in a genuine fraudulent electronic transaction, they may receive 85 percent of the net loss or up to Rs 25,000, whichever is lower, once in their lifetime. To qualify, the fraud must be reported to both the bank and the National Cyber Crime portal or helpline (1930) within five days. For smaller losses, most of the compensation will be paid by the Reserve Bank, with smaller contributions from the customer’s bank and the beneficiary bank. If money is later recovered, compensation will be recalculated accordingly, per the RBI circular.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
