Digital payments have become the backbone of everyday financial activity in India. UPI transfers, mobile banking, card payments and internet banking now handle millions of transactions daily. While this shift has made payments faster and more convenient, it has also increased the exposure of individuals and businesses to digital fraud.
Recognising this risk, the Reserve Bank of India (RBI) has proposed a new set of draft directions aimed at strengthening customer protection in electronic banking transactions. The proposed rules are expected to apply to transactions carried out from July 1, 2026, once finalised.
For individuals and businesses using digital banking channels, the draft framework clarifies how fraud will be classified and how compensation may work in certain situations.
Why RBI Is Revising Digital Fraud Rules
Over the past few years, digital banking has experienced rapid expansion across India.
Transactions through UPI, mobile banking apps, internet banking platforms, debit and credit cards, and ATMs have grown significantly.
Along with this growth, fraudsters have adopted new methods, including phishing links, fake payment requests, malicious apps, and impersonation scams.
The RBI’s draft amendment under its Responsible Business Conduct framework attempts to bring clearer rules on three important issues:
• What counts as an authorised transaction
• What qualifies as a fraudulent or unauthorised transaction
• When banks or customers may be held responsible
The objective is to create a clearer structure for handling digital banking disputes.
What Will Be Treated as an Authorised Transaction
Under the draft directions, a transaction will generally be considered authorised when the customer uses normal authentication methods such as:
• OTP verification
• PIN authentication
• Card details, including CVV or expiry date
• Password or other bank-provided authentication tools
If the customer completes a transaction using these authentication methods, the bank may treat the payment as authorised.
However, the RBI has also recognised that fraud often occurs even when authentication appears valid.
When a Transaction May Be Treated as Fraudulent
The draft rules acknowledge several situations where a payment may still be classified as fraudulent even if authentication was used.
Examples include cases where:
• A fraudster obtains the customer’s credentials through deception
• A customer is tricked into transferring money to someone pretending to be a legitimate recipient
• A customer approves a payment under pressure, threats or coercion
In such situations, the transaction may fall under the category of fraudulent electronic banking transactions, even though authentication was technically completed.
This distinction is important because it affects how liability and compensation are assessed.
RBI Clarifies Bank and Customer Responsibilities
The draft directions also attempt to define what may be considered negligence by banks or customers.
A bank may be seen as negligent if it fails to maintain secure systems, does not send timely transaction alerts or does not provide clear channels for reporting fraud.
Customer negligence, on the other hand, could include actions such as:
• Sharing OTPs, passwords or card details with others
• Ignoring fraud alerts issued by the bank
• Downloading suspicious applications that compromise security
The final assessment of liability in a fraud case may depend on the circumstances and behaviour of both parties.
Third-Party Breaches in Digital Payments
Digital payments often involve multiple intermediaries such as payment gateways, telecom networks and third-party applications.
The RBI draft directions recognise that sometimes the problem may arise from these intermediaries rather than from the bank or the customer.
In such cases, the incident may be treated as a third-party breach, where the deficiency lies elsewhere in the payment ecosystem.
This distinction becomes relevant when determining responsibility and handling customer complaints.
Proposed Compensation for Small Digital Fraud Losses
One of the notable features of the draft framework is a proposed compensation mechanism for smaller fraud cases.
If an individual customer suffers a genuine fraudulent loss of up to ₹50,000, the draft directions propose compensation of:
• 85% of the net loss, or
• ₹25,000, whichever is lower
This compensation may be available once in a customer’s lifetime.
To qualify, the fraud must be reported within five days to both:
• the concerned bank, and
• the National Cyber Crime Reporting Portal or the 1930 cyber crime helpline
For smaller fraud cases, most of the compensation may be funded by the RBI, with the remaining contribution coming from the customer’s bank and the beneficiary bank involved in the transaction.
If any funds are later recovered during investigation, the compensation amount may be adjusted accordingly.
Why Prompt Fraud Reporting Is Critical
The draft rules place strong emphasis on early reporting of fraud.
Customers who notice a suspicious transaction are advised to immediately inform their bank and register a complaint through the National Cyber Crime portal or helpline 1930.
Quick reporting improves the chances of blocking the transaction, freezing accounts involved in the fraud and possibly recovering funds.
Delayed reporting, on the other hand, can significantly reduce the chances of recovery.
What These Rules Mean for Digital Banking Users
If implemented, the new framework will bring more clarity to how digital banking fraud cases are treated in India.
Customers will have a better understanding of:
• what constitutes authorised and fraudulent transactions
• how responsibility may be assessed
• when compensation may apply
At the same time, the draft rules also reinforce the importance of safe digital practices such as protecting login credentials and avoiding suspicious links or applications.
Bottom Line
India’s rapid shift toward digital payments has created enormous convenience but also new risks. The RBI’s proposed amendments aim to address these risks by clearly defining fraud categories, responsibilities and limited compensation mechanisms.
For individuals and businesses using digital banking channels, the message remains straightforward: digital transactions are efficient, but they require careful handling of credentials and immediate reporting of suspicious activity.