How to Get Your Money Back if You Fall Victim to Online Fraud
Narendra Pal, a government school teacher in Zirakpur near Chandigarh, got the shock of his life when he received an SMS just before midnight saying that Rs 10,000 had been withdrawn from his account through an ATM in Surat. Before he could realise what was happening, he got two more messages about withdrawals of Rs 10,000 and Rs 20,000. He had fallen victim to online fraud. As the first debit happened a few minutes before 12 midnight, the fraudster was able to transact again immediately as the withdrawal limit for the next day set in.
As more and more people use online banking services, which are now reaching the unbanked under the financial inclusion programmes of the government, banking frauds are rising. Also, post demonetisation, there has been a sharp rise in online transactions. Pal informed his bank about the transactions immediately by calling the helpline number. He also wrote to the bank branch and the RBI that he had not shared details of his bank account and ATM card with anyone. He also filed a complaint with the crime branch’s cyber cell. The officers took him to the petrol pump where he had last used the card, but nothing came of it. Pal says the bank staff were cooperative, but it still took him more than two months and two-three visits to the branch to get his money. He had to forgo the interest.
People like Pal need not worry now. The RBI has come out with guidelines that say the bank will have to make good the entire loss if the customer notifies it about the unauthorised/fraudulent transaction within a stipulated period. The RBI has taken forward the draft guidelines on customer liability in case of online fraudulent transactions that it had issued in August 2016. “Considering the recent surge in customer grievances associated with unsanctioned electronic transactions, the recent notification shared by RBI entails a more specific guideline to protect customers from potential cases of fraud or misuse. Banks will therefore have to set up robust frameworks around fraud identification and early warning mechanisms covering the online and digital space,” says Vikram Babbar, Partner, Fraud Investigation & Dispute Services, EY India.
Onus on Bank
Earlier, the onus was on the customer to prove that he or she had not shared bank details with anyone. Now it is the bank that has to prove that the customer was at fault and not careful enough while using online banking facilities. The earlier system used to result in the customer suffering losses or the bank taking long to pay the money, as there were no clear guidelines or stipulated period for refunds. “Many people are apprehensive about online transactions. These guidelines will build trust among bank customers,” says Kalpesh J. Mehta, Partner, Deloitte Haskins and Sells.
This is a big step, believes Mahesh Patel, President and CTO, AGS Transact Technologies, as this will encourage banks to use better fraud monitoring systems.
“As the onus was on the customer, the cost of a good fraud monitoring system was more than the cost of actual fraud for banks. As a result of this, barring the top few banks, the rest refrained from investing in fraud monitoring systems,” says Patel. The RBI guidelines ask banks to implement a robust and dynamic fraud detection and prevention mechanism and to assess and fill gaps, if any.
Customer to get full refund
Banks will pay for the entire loss in the following cases.
- When a fraudulent transaction has happened due to deficiency or negligence on the part of the bank, irrespective of whether the customer has reported it or not. “A digital transaction goes through various intermediary platforms such as the payer bank, the payee bank, the payment gateway, etc, and the transaction has to be encrypted. No data should be stored with either of the intermediaries but only transferred. Therefore, if a fraud happens during this process, the customer should not be held liable. As per RBI recommendations, the bank will have to refund to the customer,” says Mehta of Deloitte Haskins and Sells.
- When there is a third-party breach where the deficiency lies neither with the bank nor the customer but with the system somewhere else and the customer notifies the bank regarding the transaction within three working days.
For example, last year, the systems of Hitachi Payment Service, to which some banks had outsourced their ATM transaction processing, were compromised, affecting around 3.2 million cards across banks such as ICICI, SBI, YES and HDFC.
In this scenario, if the customer informs the bank about the fraudulent transaction within three working days after receiving the communication, the bank will have to make good the entire loss to the customer.
Limited liability
If the fraud has happened due to the negligence of the customer, he or she will have to bear the entire loss till the bank is informed about the transaction.
- If the customer shares confidential information like ATM PIN, card number, etc, with somebody knowingly or unknowingly, he or she will have to bear the entire loss till the bank is informed about the transaction.
- If neither the bank nor the customer is responsible but the fraud has happened due to the fault in the system and the customer informs the bank within four or seven days, the customer liability will be limited to the transaction value or Rs 10,000, whichever is less. The limit applies in case of savings bank accounts, credit cards with a limit of up to Rs 5 lakh, and current accounts with an annual average balance limit of up to Rs 25 lakh. If a person informs within three days, the entire amount is paid back. For current accounts, overdraft accounts and credit cards with a limit above Rs 5 lakh, the maximum limit is Rs 25,000. For basic saving bank deposit accounts, that is, no-frills accounts, the limit is Rs 5,000.
- If there is a delay of more than seven days, the customer’s liability will be decided as per the policy approved by the bank’s board.
Banks notify customers who have registered their mobile number and email with them about every transaction through email and SMS. Now, the RBI has advised banks to ask for a mobile number if the customer wants to take the online transaction facility, so that he or she is notified about every transaction. The banks may not offer the facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the bank. At present, banks charge for the SMS service. However, RBI guidelines do not mention anything about who will bear the SMS charges. At present, the charges are borne by account holders.
Reply option
Apart from multiple channels like website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to the home branch, etc, for reporting fraudulent transactions, banks will have to provide the customer an option to reply to SMS and email alerts. Further, the RBI has directed banks to provide a direct link for lodging complaints, with a specific option to report unauthorised electronic transactions, on the home page of the bank’s website.
The fraud reporting system of banks shall also ensure that an immediate response (including auto response) is sent to customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive responses to them must record the time and date of delivery of the message and of receipt of the customer’s response, if any. This shall be important in determining the extent of a customer’s liability.
Timeline for refund
After the customer has informed the bank about the transaction, the bank shall credit the amount to the customer’s account within 10 working days as per the new guidelines.
Apart from this, in cases where the customer liability is to be decided by the bank’s board, the complaint should be addressed within 90 days, and if the board is unable to decide the customer liability, the customer should be compensated as per the zero liability and limited liability provisions.
Source: BT