Who will bear liability in cyber fraud cases — banks or customers?

The digitization of the financial sector is having unintended but unavoidable consequences: cyber fraud and ransomware attacks. To assuage the fears of depositors, the Reserve Bank of India (RBI), in its annual report for 2017-18, highlighted the framework for containing the spread of unauthorized transactions and limiting the liability of customers.

The prevailing norms divide customers' exposure to fraud into two categories: zero liability and fixed liability. Customers can rest assured if the fault is on the part of the bank. Even if the breach is traced to deficiencies in the system rather than to the bank, customers will not have to bear a loss.

To claim immunity from liability, customers will have to notify their bank within three working days of the breach. In the case of unauthorized transactions attributed to systemic flaws, customers are expected to report the incident within four to seven days of its occurrence. Depending on the type of account and the circumstances in which the fraud took place, the liability to be borne by customers can range from Rs 5,000 to Rs 25,000.

The central bank's norms restricting the liability of customers place the ball in the court of banks. Cash-strapped lenders will have to compensate depositors who have been defrauded in online scams unless they can provide conclusive proof that the fault lies with the victim. Experts are of the opinion that banks should be slapped with penalties for not adhering to norms laid down by the RBI.

However, many banks continue to disregard the existing guidelines. In the case of small amounts, the length of the investigation can be a deterrent for customers seeking a refund. After following up with banks in the immediate aftermath of the fraud, customer interest may recede if the pendency in settlement is long, and the money in question is relatively small.

According to the RBI's liability norms, the amount of the unauthorized transaction has to be credited to the customer's account within 10 working days from the date of notification. Investigations undertaken by the bank's board must establish liability within 90 days of the breach being flagged.

Time taken to report fraud      Customer's liability
Less than 3 working days        Zero
Between 4-7 working days        Transaction value or between Rs 5,000 and Rs 25,000, whichever is lower
Over 7 working days             Dependent on policy of bank's board

The central bank has not provided a timeline for the implementation of its norms. However, since the guidelines were released, banks have been more responsive in acting on complaints of cyber fraud.