How to Get Your Money Back if You Fall Victim to Online Fraud
Online
Fraud – Narendra Pal, a government school teacher in Zirakpur near
Chandigarh, got the shock of his life when he received an sms just
before midnight that Rs 10,000 has been withdrawn from his account
through an ATM in Surat. By the time he could realise what was
happening, he got two more messages about withdrawal of Rs 10,000 and Rs
20,000. He had fallen victim to online fraud. As the first debit
happened a few minutes before 12 midnight, the fraudster was able to
transact again immediately as withdrawal limit for the next day set in.
As
more and more people use online banking services, which are now
reaching the unbanked under the financial inclusion programmes of the
government, banking frauds are rising. Also, post demonetisation, there
has been a sharp rise in online transactions. Pal informed his bank
about the transactions immediately by calling on the helpline number. He
also wrote to the bank branch and the RBI that he had not shared
details of his bank account and ATM card with anyone. He also filed a
complaint with the crime branch’s cyber cell. The officers took him to
the petrol pump where he had last used the card but nothing came out of
it. Pal says the bank staff was cooperative but still it took him more
than two months and two-three visits to the branch to get his money. He
had to forgo the interest.
People like Pal need
not worry now. The RBI has come out with guidelines that say the bank
will have to make good the entire loss if the customer notifies it about
the unauthorised/fraudulent transaction within a stipulated period. The
RBI has taken forward the draft guidelines on customer liability in
case of online fraudulent transactions that it had issued in August
2016. “Considering the recent surge in customer grievances associated
with unsanctioned electronic transactions, the recent notification
shared by RBI entails a more specific guideline to protect customers
from potential cases of fraud or misuse.
Banks
will therefore have to set up robust frameworks around fraud
identification and early warning mechanisms covering the online and
digital space”, says Vikram Babbar, Partner, Fraud Investigation &
Dispute Services, EY India.
Onus On Bank
While
earlier, the onus was on the customer to prove that he or she has not
shared his bank details with anyone, now it is the bank that has to
prove that the customer was at fault and not careful enough while using
online banking facilities. The earlier system used to result in the
customer suffering losses or the bank taking long to pay the money as
there were no clear guidelines or stipulated period for refunds. “Many
people are apprehensive about online transactions. These guidelines will
build trust among bank customers,” says Kalpesh J. Mehta, Partner,
Deloitte Haskins and Sells.
This
is a big step, believes Mahesh Patel, President and CTO, AGS Transact
Technologies, as this will encourage banks to use better fraud
monitoring systems.
“As the onus was on the
customer, the cost of a good fraud monitoring system was more than the
cost of actual fraud for banks. As a result of this, barring the top few
banks, the rest refrained from investing in fraud monitoring systems,”
says Patel. The RBI guidelines ask banks to implement a robust and
dynamic fraud detection and prevention mechanism and assess and fill
gaps if any.
Customer to get full refund
Banks will pay for the entire loss in the following cases.- When a fraudulent transaction has happened due to deficiency or negligence on the part of the bank irrespective of the fact that the customer has reported it or not. “A digital transaction goes through various intermediary platforms such as the payer bank, the payee bank, the payment gateway, etc, and the transaction has to be encrypted. No data should be stored with either of the intermediaries but only transferred. Therefore, if a fraud happens during this process, the customer should not be held liable. As per RBI recommendations, the bank will have to refund to the customer,” says Mehta of Deloitte Haskins and Sells.
- When there is a third-party breach where the deficiency lies neither with the bank nor the customer but with the system somewhere else and the customer notifies the bank regarding the transaction within three working days.
For
example, last year, the systems of Hitachi Payment Service, to which
some banks had outsourced their ATM transaction processing, were
compromised, affecting around 3.2 million cards across banks such as
ICICI, SBI, YES and HDFC.
In this scenario, if the
customer informs the bank about the fraudulent transaction within three
working days after receiving the communication, the bank will have to
make good the entire loss to the customer.
Limited
liability If the fraud has happened due to the negligence of the
customer, he or she will have to bear the entire loss till the bank is
informed about the transaction.
- If the customer shares confidential information like ATM PIN, card number, etc, with somebody knowingly or unknowingly, he or she will have to bear the entire loss till the bank is informed about the transaction.
- If neither the bank nor the customer is responsible but the fraud has happened due to the fault in the system and the customer informs the bank within four or seven days, the customer liability will be limited to the transaction value or Rs 10,000, whichever is less. The limit applies in case of savings bank accounts, credit cards with limit of up to Rs 5 lakh, and current accounts with annual average balance limit up to Rs 25 lakh. If a person informs within three days, the entire amount is paid back. For current accounts, overdraft accounts and credit cards with limit above Rs 5 lakh, the maximum limit is Rs 25,000.
- If there is a delay of more than seven days, the customer’s liability will be decided as per the policy approved by the bank’s board.
Reply Option
Apart
from multiple channels like website, phone banking, SMS, e-mail, IVR, a
dedicated toll-free helpline, reporting to the home branch, etc, for
reporting fraudulent transactions, banks will have to provide the
customer an option to reply to an SMS and email alerts. Further, the RBI
has directed banks to provide a direct link for lodging complaints,
with specific option to report unauthorised electronic transactions on
home page of bank’s website.
The fraud reporting
system of banks shall also ensure that immediate response (including
auto response) is sent to customers acknowledging the complaint along
with the registered complaint number. The communication systems used by
banks to send alerts and receive their responses thereto must record the
time and date of delivery of the message and receipt of customer’s
response, if any, to them. This shall be important in determining the
extent of a customer’s liability.
Timeline for Refund
After
the customer has informed the bank about the transaction, the bank
shall credit the amount to the customer’s account within 10 working days
as per the new guidelines.
Apart from this, in
cases where the customer liability is to be decided by the bank’s board,
the complaint should be addressed within 90 days and if the board is
unable to decide the customer liability, he or she should be compensated
as per zero liability and limited liability provisions.