The Reserve Bank of India is moving to fortify the “digital trust” of Indian consumers. In a landmark set of draft guidelines released on Friday, March 6, 2026, the central bank has proposed a major shift in how liability is assigned during digital banking frauds. For the first time, the regulator is clearly defining “lender negligence” and mandating that banks bear the full cost of security failures.
The framework aims to protect citizens from the rising tide of sophisticated cyber-attacks by making banks more accountable for their internal systems and third-party partnerships.
Also Read |Â Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail
Defining Bank Negligence: What Counts?
Under the new norms, a customer is entitled to a full reversal of the fraudulent amount if the bank fails in its “duty of care.” Negligence is defined as:
-
System Failures: Malfunctions, security breaches, or internal frauds within the bank’s infrastructure.
-
Protocol Lapses: Failure to implement mandated safety systems or failing to send mandatory transaction alerts (SMS/Email).
-
Automatic Reversal: The bank must reverse these transactions regardless of whether the customer reported them or not.
Third-Party Breaches and Reporting Timelines
The draft also covers “Third-Party Breaches”—where the failure happens at an intermediary level like a payment gateway (PG), telecom provider (TSP), or app provider (TPAP).
-
The 5-Day Rule: If a customer reports a third-party breach within five calendar days, the lender bears full responsibility.
-
Lender Liability: The bank must reverse the transaction, ensuring it is value-dated to the original transaction date so the customer loses no interest.
The Compensation Split: RBI vs. Banks
For “bona fide” victims of gross loss (up to ₹50,000), a unique compensation mechanism has been proposed. The payout is shared among regulators and banks:
Also Read |Â Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail
| Loss Amount | Total Compensation | Share: RBI | Share: User Bank | Share: Beneficiary Bank |
| < ₹29,412 | 85% of Loss | 65% | 10% | 10% |
| ₹29,412 – ₹50,000 | ₹25,000 | ₹19,118 | ₹2,941 | ₹2,941 |
Customer Responsibility and Disclosure Rules
The RBI is not absolving customers of all responsibility. If a fraud occurs due to customer negligence (e.g., sharing an OTP), the customer remains liable until they report the fraud.
-
The “Burden of Proof”: It is now the bank’s job to prove the customer was negligent.
-
Mandatory Disclosure: If a bank rejects a fraud claim, it must provide the customer with supporting evidence, including OTP logs and SMS logs.
Reality Check
The “Zero Liability” promise is a massive win for consumer rights. Still, the ₹25,000 cap on lifetime compensation for “bona fide” victims is relatively small for high-value fraud. Therefore, while the RBI is providing a safety net, it is not a “blank check” for all losses. In fact, the July 2026 implementation date gives banks ample time to upgrade their systems, but it also means customers remain under the older, more restrictive liability rules for the next 15 months.
The Loopholes
The RBI requires reporting within five days for third-party breaches. In fact, this is a “Discovery Loophole”—many sophisticated frauds are only noticed during monthly statement reviews, which often happen 30 days later. Therefore, if you don’t check your app daily, you could still lose the “Zero Liability” protection. Still, the “Beneficiary Bank Loophole”—making the bank that received the stolen money pay 10% of the compensation—is a genius move to force banks to tighten their KYC (Know Your Customer) checks for “mule accounts.”
Also Read |Â Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail
What This Means for You
If you are a digital banking user, your rights are about to get a massive upgrade. First, realize that if your bank’s app glitches or they forget to send you an SMS alert for a transaction, you are legally entitled to every paisa back. Then, if you are a victim of fraud, understand that you must report it to the 1930 helpline and your bank within 120 hours (5 days) to maximize your chances of recovery.
Finally, understand that transparency is now mandatory. You should demand “log files” if your bank tries to blame you for a transaction you didn’t authorize. Before the July 2026 rollout, you should make it a habit to monitor your “Value-Dating” on reversals to ensure your bank isn’t quietly pocketing the interest on the disputed amount.
What’s Next
The RBI will accept feedback on the draft from stakeholders until late 2025. Then, look for the finalized framework to be published in early 2026. Finally, expect a massive tech upgrade across Indian banks before the July 1, 2026, deadline as they scramble to minimize their new financial liability for system lapses.
Also Read |Â Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail
End…
