India’s Digital Fraud Overhaul

Posted On - 15 April, 2026 • By - King Stubb & Kasiva

Abstract 

The RBI’s Draft Rules on Digital Fraud & Customer Liability, released on March 6, 2026, overhaul the 2017 guidelines by expanding scope to fraudulent transactions, introducing pilot compensation of up to ₹25,000 for small-value losses, and shifting proof burdens to banks. Effective July 1, 2026, following public commentary, these amendments enhance customer safeguards amid rising cyber threats, mandate faster resolutions, and impose stricter compliance on banks. Thus, they redefine liability dynamics, urging firms to advise clients on dual reporting and policy updates.

Regulatory Background and Evolution 

The Reserve Bank of India (RBI) issued its “Draft RBI (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026,” on March 6, 2026, marking a pivotal evolution from the 2017 “Customer Protection – Limiting Liability of Customers in Unauthorized Electronic Banking Transactions” guidelines.

This move follows the monetary policy announcement made on 6th February 2026 to address the systemic vulnerabilities in digital payments. Recognising the surge of digital payments, these amendments address the rise of social engineering scams and third-party breaches, recalibrating the balance between customer rights and institutional accountability.

Key Reform: Compensation Framework for Small-Value Fraud 

A notable development is the compensation-sharing mechanism for small-value fraud. 

Under this provision: 

  • Victims of digital payment fraud up to ₹50,000, reported within five days, can claim up to 85% of their net loss, capped at ₹25,000 (whichever is lower).  
  • The compensation is shared between the RBI, the customer’s bank, and the beneficiary bank.  
  • During the first year, the RBI will absorb approximately 65% of the compensation cost, with the remainder borne by the banks.
  • Over time, the framework will be reviewed to increase the banks’ share, incentivizing stronger fraud detection systems.  

In contrast, the 2017 rules were limited to unauthorized electronic transactions, imposing tiered liability caps. The 2026 draft significantly broadens the scope to include fraudulent inducements, not just unauthorized access. 

Zero liability now applies in cases of bank negligence or third-party fault, with mandatory reversal of funds within five days of dual reporting to both the bank and the National Cyber Crime Portal. 

Expanded Definition of Fraudulent Transactions 

Another critical update is the widened definition of fraudulent transactions. The Rules now cover cases where customers are coerced or manipulated into authorizing payments. This is particularly significant for: 

  • Elderly users  
  • Individuals with low digital literacy  
  • Victims of social engineering scams  

This shift ensures protection even where consent was obtained through deception. 

Enhanced Obligations on Banks 

The Draft Rules place significantly higher compliance responsibilities on banks: 

  • Burden of Proof: Banks must disprove customer claims of fraud.  
  • Evidence Requirement: Rejection of complaints must be supported by evidence such as OTP logs and SMS records.  
  • Timely Compensation: Compensation must be credited within five days of a valid complaint.  
  • Real-Time Alerts: SMS alerts for all transactions above ₹500 and email alerts for all transactions (where registered).
  • 24/7 Reporting Channels: Mandatory round-the-clock fraud reporting mechanisms.

These changes require banks, including commercial, small finance, and co-operative banks, to overhaul internal policies, adopt AI-driven fraud detection systems, and ensure no-fee alert mechanisms.

For customers, the framework strengthens protection and enhances trust in digital payment systems. However, it also raises potential litigation risks: 

  • Disputes may increase over determinations of fraud versus customer negligence  
  • Courts may be required to interpret evolving standards of “trickery” and “consent”  
  • Non-compliance by banks could lead to increased regulatory scrutiny and liability  

For businesses and advisors, the rules underscore the importance of: 

  • Updating internal compliance frameworks  
  • Advising clients on dual reporting obligations  
  • Revising risk management and customer communication policies 

Limitations and Concerns 

Despite its progressive approach, the framework has certain limitations: 

  • No specific recourse for repeat victims  
  • The ₹25,000 compensation cap may be insufficient in many cases  
  • The five-day reporting window may disadvantage users with limited digital awareness 

These concerns highlight the need for further refinement as the framework evolves. 

Conclusion 

The RBI’s 2026 Draft Rules signal a decisive shift toward a customer-centric digital payments ecosystem. By expanding the definition of fraud, introducing shared compensation, and imposing stricter obligations on banks, the framework aims to mitigate losses while strengthening consumer trust. 

With implementation scheduled for July 1, 2026, these reforms are set to redefine liability dynamics and reshape India’s digital payments landscape.