
RBI mulls introducing up to INR 25,000 compensation for victims of fraudulent electronic banking transactions – Our take on this development

Published March 25, 2026

Access our Submission to the Reserve Bank of India

In this post, we share our feedback to the RBI on the Draft Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026.

We commend the RBI for taking strong measures to protect consumer interests in online payment services, as laid out in the Draft Reserve Bank of India (Commercial Banks - Responsible Business Conduct) Third Amendment Directions, 2026[1] (referred to hereafter as Draft Compensation Directions).

In this post, we share our responses to the new Draft Compensation Directions. In doing so, we refer back to an earlier report titled Curbing Scams in UPI: A White Paper on Facilitating Real-Time Reporting and Management, a white paper jointly authored by Dvara Research and the Data Security Council of India, a subsidiary of NASSCOM, in 2024 (referred to hereafter as the white paper). The authors of that report are Beni Chugh, Anubhutie Singh, Lakshay Narang and Deepti George. Table 1 below discusses select aspects of the Draft Compensation Directions against select recommendations of the white paper and includes specific feedback to the RBI on each aspect.

Table 1: A Discussion on select aspects of the Draft Compensation Directions against the recommendations of the White Paper
Recommendations in the white paper | Feedback / Comments on the Draft Compensation Direction

Cover transactions that were authorized but were not intended

Transactions authorized by a customer when under duress or to unintended recipients were not covered under the limited liability framework of RBI for unauthorized transactions. Our recommendation was to include such transactions as a separate category of Authorized-But-Unintentional Transactions (AbU)[2], while also acknowledging that there would be another category of Authorized-And-Intentional Transactions (AaI)[3] that could get implicated erroneously as AbU transactions.

RBI explicitly includes transactions authorized by the account holder under the compensation framework. These are noted as transactions -

“(a) executed by a third-party using the credentials obtained from the customer through fraudulent means; or

(b) executed by the customer by granting approval under coercion or duress from the third-party; or

(c) executed by the customer when he / she is tricked into willingly sending money to a scammer who is posing as a legitimate recipient.”

Further, in addition to the requirement to comply with extant regulations, it places explicit responsibility on banks to put in place:

“b) robust and dynamic fraud detection and prevention mechanism

c) mechanism to assess the risks (for example, gaps in the bank’s existing systems)

d) appropriate measures to mitigate the risks and protect themselves against the liabilities arising

e) a system of continually and repeatedly making the customers aware about evolving electronic banking and payments related frauds and the ways to protect themselves from such frauds.”

Fraud liability & compensation framework

The white paper recommended a fraud liability and compensation framework with the following features:

  • Automatic identification & categorisation of AbU transactions
  • Clearly stating three ‘Caution Standards’ and requiring customers to demonstrate they adhered to them (specific carve-outs for those belonging to vulnerable user[4] groups)
  • Responsibility on banks to ensure customers can meet the ‘Caution Standards’
  • Automatic eligibility of vulnerable users for compensation
  • Popularising cyber-scam insurance policies
  • Pre-set cap for compensations

We are very happy to see that the RBI’s conceptualization of the compensation framework has incorporated many of these features:

  • Acceptance of AbU transactions under the compensation framework
  • Very clear language that lays down A) negligence by banks, and B) negligence by customer (See Annex B)

The language on ‘negligence’, we believe, closely mirrors the ‘Caution Standards’ approach of the white paper.

Burden of Proof

The burden of proof to establish where the liability lies must be on banks.

The RBI has clarified that the burden of proof in establishing customer liability is on banks:

“76K. The burden of proving customer liability in complaints involving fraudulent electronic banking transactions shall lie on the bank.”

Apportioning of liability for compensation between banks

The white paper recommended apportioning of liability between the issuer bank, the acquirer bank and the TPAPs involved.

The RBI has suggested that it wishes to bear 65% of the liability while 10% each is to be borne by the issuer bank and the acquirer bank (totaling 85%). The RBI hence excludes TPAPs from the liability but is silent on whether the banks have the freedom to pass on the whole or part of their liability to the TPAP / TSP / LSP / third party involved or implicated in the transaction (with whom they have a service relationship). This has implications for the development of the TSP / LSP sectors and is worth understanding further.

The decision on absorbing 65% of the liability on the RBI’s own balance sheet[5] sends a strong signal to the digital payments ecosystem that:

 a) It takes its development function (for the adoption of digital payments across the country) very seriously,

 b) It is willing to backstop losses to lower-income and under-served and/or digitally unsavvy or ‘new-to-digital’ citizens, and

 c) It takes responsibility for preventing and managing the scourge of digital fraud affecting retail citizens.

Both these design features of the draft compensation directions are very prudent and we welcome them wholeheartedly.

Risk-based apportionment of liability

The white paper called for applying a specific logic to apportioning such liability, that can help to drive specific market level outcomes and institutional conduct behaviors. It suggested that to effectively apportion liability, several factors might be considered, such as:

  1. Weak execution of KYC norms: The entity with a questionable track record of due diligence in terms of KYC, and the one allowing users with suspicious KYC credentials to utilize payments infrastructure could bear a higher portion of the liability.
  2. Non-compliance with upholding the 3 Caution Standards (elaborated in Annex A): The non-compliant entity could bear a higher portion of the liability.
  3. Non-flagging of reported accounts: The entity failing to flag reported accounts based on complaints received, even after intelligence red flags, could bear a higher portion of the liability.
  4. Risk supervisory scores from the RBI

Such an approach helps avoid a ‘cross-subsidy’ situation between two banks involved in a transaction where one bank with robust systems unduly compensates for vulnerabilities in another with weaker systems.

The RBI currently envisages a 1:1 apportionment of liability between the issuer bank and the acquirer bank. However, in reality, not all banks have equally robust systems in place for preventing ‘negligence’ and for upholding all the requirements stipulated in the Draft Compensation Directions.

We believe that it is indeed possible to build a sophisticated system for determining how liability can be apportioned fairly based on the suggestions made in the white paper. Perhaps, the RBI can consider such an approach once the learnings from operationalizing the compensation mechanism are obtained over the course of the year.

Additional Comments:

  1. While the RBI is well-intentioned in placing primary responsibilities on banks on several aspects, there are limits to the extent that individual banks can prevent authorized but fraudulent transactions from going through. Banks have been asked to have robust and dynamic fraud detection and prevention mechanisms, but this cannot be done in isolation – system-wide readiness requires concerted efforts. Hence, it may be useful for the RBI to explicitly require regulated entities to engage in data sharing and exchanges via various cross-stakeholder systems such as under the Indian Cyber Crime Coordination Centre (I4C) of the Ministry of Home Affairs, and the Digital Intelligence Platform (DIP) of the Department of Telecommunications. While many banks, TPAPs, NBFCs and other payment system entities are already onboarded on the DIP and contribute to the formulation of, and benefit from, the financial fraud risk indicator for classifying / flagging high-risk cases, not all of them are taking the problem as seriously as it needs to be taken. Such platforms conduct robust and expansive analysis of the data put into them, and are expected to generate system-level actionable and dynamic / real-time insights for stakeholders. For this system to work at peak performance, it is imperative to have all banks and TPAPs on it, contributing to and benefitting from the collective intelligence of the system. The RBI could thus indicate how banks are expected to participate in this systemic intelligence-building exercise.
  2. The draft compensation directions state that “76U. The compensation shall be payable for losses incurred on fraudulent electronic banking transactions occurring up to one year from the effective date of these directions.” – implying that the RBI wishes to run this mechanism for a year and review its performance before taking any decisions on its future. We believe this may be too short a period for - a) banks to build systems and processes needed to meet all the requirements of the Draft Compensation Directions, and b) customers to avail themselves of the compensation mechanism. In addition to the initial operational challenges that are to be expected, many new learnings will surface through the process of executing the compensation mechanism. Hence, we request that the mechanism run for 2 years during which regular assessments of the mechanism can be undertaken to glean its impact and effectiveness.

Annex A

The White Paper lays out 3 Caution Standards for Customers to follow responsibly, and Requirements on Banks and TPAPs to ensure it is possible for customers to do so

(Users belonging to ‘vulnerable user’[6] categories were envisaged to be automatically eligible for compensation without having to establish they upheld these Caution Standards)

Demonstrating caution | Measures required of banks and TPAPs to ensure applicability of the Caution Standards for UPI users

Caution Standard 1: Users should heed specific warnings and cautions issued by banks and other UPI service providers related to transactions and potential scams

  • Familiarise new users and new features via tutorials & sandboxes
  • Demonstrate use of insights from external systems (NPCI, I4C, DIP) and internal systems for preemptive interventions before transaction execution (e.g., graded response)

Caution Standard 2: Users should promptly report any fraudulent incidents to banks or relevant stakeholders, adhering to the timelines similar to those outlined in the RBI’s limited liability framework

  • Update scam awareness campaigns to include steps to take once a scam happens
  • Have facilities operating 24*7, for users to seamlessly notify incidents even outside business hours

Caution Standard 3: Users should respond appropriately and reasonably to information requests from banks, TPAPs, and law enforcement agencies to aid in compensation and investigation processes

  • Must be accessible through online and offline channels for users
  • Should make genuine efforts to reach out to users; if they cannot, they should convincingly show that they did the same

Annex B

‘Negligence’ under RBI’s Draft Compensation Directions

“4(20A) Negligence by a bank inter alia includes the following actions by the bank:

(i) not putting in place the mandated systems and procedures to ensure safety and security of electronic banking transactions; or

(ii) not sending mandatory alerts for electronic banking transactions; or

(iii) not providing the mandated channels for reporting of fraudulent electronic banking transactions or loss of payment instruments such as card; or

(iv) not acting diligently upon a customer notification regarding unauthorised electronic banking transaction(s) or loss of payment instrument(s); or

(v) system malfunctions / security breaches / internal frauds leading to unauthorised electronic banking transactions.”

“4(20B) Negligence by a customer inter alia includes the following actions by the customer:

(i) providing credentials such as PIN, password, OTP or other details for carrying out transactions to another person, whether intentionally or otherwise; or

(ii) not notifying the bank immediately after finding out about a fraudulent electronic banking transaction, or loss of a payment instrument; or

(iii) not paying attention to specific, directed and clear warnings from the bank that a prospective transaction is likely a scam; or

(iv) failing to exercise reasonable care in usage of credentials, e.g., writing down and storing the PIN with an ATM / credit card; or

(v) downloading malicious apps.”


[1] Draft Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026, March xx, 2026, accessible at https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=4922

[2] Users engage knowingly or unknowingly to authorise transactions to unintended parties because they were deceived or manipulated into doing so, or because of system vulnerabilities

[3] Situations where the authorised owner of the bank account may not be in control of the transactions being made, such as when the account is operated by another family member or friend

[4] Such as the elderly and people with disabilities, and first-time users of UPI (for instance, with < 6 months of activity on a given app)

[5] We would assume this will be borne on the RBI’s balance sheet in the absence of any further public information about the same

[6] Such as the elderly and people with disabilities, and first-time users of UPI (for instance, with < 6 months of activity on a given app)