In October 2012, Goa-based designer Smita Singh, now 38, realised that a little more than 50 lakh was missing from a savings account she used. She lived in Delhi back then, and it was just after financial details were submitted to take a home loan and the loan amount was transferred to the account. “What they had done was block the SIM card of the registered phone, taken a new SIM on which they got PIN details, and then within just 3-4 days, they used online transactions to take away most of the money,” she said. The bank restored the money “because they realised that it wasn’t our fault. We were unaware that this was happening; it wasn’t our responsibility. It took about a month-and-a-half to get the money back”. The incident left such a mark on Singh that “for very long I did not do any online transaction. It’s only recently that I have restarted,” she said. While the money was restored, the bank did not explain what had really transpired.

Many of our money transactions are now done online because of the speed and convenience of the medium. But it also increases the exposure to fraud. Yes, you get an SMS every time there is any movement in your bank accounts or when your credit or debit card is used. But what if someone has blocked your SIM card, and given the bank a new one? All our transactions—swiping a credit card, or sending someone money online—are exposed to fraud.

According to a report on fraudulent activities by Experian Credit Information Co. of India Pvt. Ltd, identity theft or fictitious identity frauds account for three-fourths of the overall fraud incidents. Credit cards are the second most targeted product by fraudsters after consumer loans.

Taking cognisance of the fact that cases of unauthorised electronic transfers are increasing, the Reserve Bank of India (RBI) released a draft circular on 11 August stating what would be the liabilities of a customer and her bank in such cases. (Read it here: http://bit.ly/2bZdWGM).

Areas of responsibility

To start with, RBI has told banks to ask all customers to mandatorily register for alerts (via SMS or email) for electronic banking transactions. To facilitate this, banks have to provide customers with 24x7 access through multiple channels. The loss or fraud reporting system has to be such that there is immediate response (including auto response). The complaint has to be acknowledged and a registered complaint number has to be given. Time and date of delivery of alerts and responses received from customers have to be recorded. This will help in determining how much time passed since the fraud took place or was reported, and the extent of the customer’s liability.

Here’s a look at how the central bank has defined the customer’s liability.

Zero liability: In its notification, the central bank says the customer is not at fault if the bank’s security systems that are used for electronic banking transactions are faulty, and the fraud or negligence is on the part of the bank (even if it is the customer who reports the incident).

The customer is also not at fault if there is a third-party breach, where the fault was neither the bank’s nor the customer’s but elsewhere, and the customer informs the bank within 3 working days of getting such communication from the bank regarding an unauthorised transaction.

“If you incur a direct loss that is due to a security breach of our internet banking system as a result of our failure to take reasonable care and is not caused or contributed to by you, we will reimburse or compensate you for that loss,” said A.C. Mahajan, chairman, Banking Codes and Standards Board of India (BCSBI). But there are conditions under which the customer may have to bear the liability.

Limited liability of a customer: The customer will bear the burden of the loss if she has been careless and shared her details such as PIN or secret questions or any other payment credential with someone else.

In such a case, the customer bears the entire loss but only till the point she reports the case to the bank. After that point, it becomes the bank’s liability.

If it is not the customer’s or the bank’s fault and the chink lies elsewhere in the system, but the customer takes time informing the bank (4-7 working days), then the liability is the customer’s, but only to a limit. That limit is the lower of the transaction value or 5,000. So, if a fraudulent transaction of 10,000 is detected, your liability is 5,000 only. Now if you tell the bank after 7 working days, things may or may not swing in your favour because the central bank has said that in such cases, the customer’s liability shall be determined according to the bank’s Board-approved policy.

What banks need to do

Depending on circumstances, the bank has to return your money. According to the RBI circular, once you inform the bank about the fraudulent transaction, it has to credit the amount into your account within 10 working days from the day the fraud was reported.

If the case involved a debit card or a bank account, you continue to earn interest on the ‘lost’ money. If it’s a credit card, you don’t bear any additional interest. Banks also have the right to waive off your liability, even if the unauthorised online banking transaction happened because of your negligence.

Also, banks have to ensure that a complaint is resolved within 90 days from the date of reporting. Apart from case-specific resolution, banks need to define the rights and obligations of customers in case of unauthorised transactions in specified scenarios. These details have to be available on the bank’s website. If there is any customer liability, the bank has to prove this. Plus, customer liability cases have to be reported to the bank’s Board, along with details such as number of cases, aggregate value involved, and types of cases: card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, and others.

Keeping it safe

As the modus operandi evolves, banks too have to install suitable systems. “Device authentication is the way forward. And this has to be done by the banks; it doesn’t require more involvement from the customer in terms of having to provide further authentication. The bank has to find a way to ensure that the device from which the instructions are coming actually belongs to the correct person,” said Mohan Jayaraman, managing director, Experian. If this happens, there will be two layers of authentication—one of the user, and the other of the device, where the registered device verifies that the user is connecting from an authorised endpoint.

“Transactions in India are among the safer ones globally because of two-factor authentication,” Jayaraman added, but simple safety measures should never be ignored.

If you notice something fishy, report it to the bank immediately. All banks have facilities for reporting loss of card and card cancellation on their IVR menu. Make use of them; don’t wait till the next day to go to the branch and then inform someone. Check your accounts regularly. Be sure to sign up for SMS and email alerts. Don’t share your PIN with anyone. Try to change it at regular intervals.
