India’s Central Bank Proposes New Safety Nets for Victims of Digital Fraud

The Reserve Bank of India (RBI) has issued draft guidelines designed to fortify customer protection against the rising tide of online financial fraud. Under the proposed Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026, the central bank seeks to introduce a mandatory compensation scheme for small-value scams and redefine the liability of financial institutions when security failures occur.

Background and Context

As digital transactions become ubiquitous in the Indian economy, the mechanisms for redressal have struggled to keep pace with the sophistication of cybercrime. These new rules, slated to take effect from July 1, 2026, represent a regulatory attempt to balance the convenience of digital banking with robust consumer safeguards. The draft guidelines specifically address electronic banking transactions, including card-based payments and online transfers, aiming to reduce the financial burden on individual victims of unauthorized activity.

Key Figures and Entities

The framework places the Reserve Bank of India at the center of enforcement, requiring commercial banks to adjust their internal grievance redressal mechanisms. A critical component of the proposed system involves the National Cyber Crime Reporting Portal and the Cyber Crime Helpline (1930), which will serve as the official channels for victims to report unauthorized transactions to establish eligibility for compensation.

Legal and Financial Mechanisms

The draft rules introduce a tiered approach to liability. In cases involving third-party breaches where the customer reports the fraud within five calendar days, the customer will be entitled to zero liability, mandating the reversal of the transaction. Furthermore, the guidelines propose a compensation fund for gross losses up to Rs 50,000.

If a fraud is proven genuine and reported within the stipulated timeframe, the customer is eligible for 85% of the net loss amount, capped at Rs 25,000, once in their lifetime. The draft outlines a shared liability model for these compensations: 65% would be borne by the Reserve Bank of India, 10% by the customer’s bank, and 10% by the beneficiary bank.

Conversely, the regulations specify conditions where the customer bears full responsibility. Negligence is defined as sharing credentials, such as PINs or OTPs; failing to report the loss of an instrument immediately; ignoring specific warnings from the bank regarding potential scams; or storing credentials insecurely, such as writing a PIN on a card. Downloading malicious applications is also cited as a form of customer negligence.

International Implications and Policy Response

While these regulations are domestic, they reflect a global shift in financial regulatory policy toward treating cyber-fraud as a systemic risk requiring centralized intervention. By mandating that banks send instant SMS alerts for transactions exceeding Rs 500 and requiring customers to provide contact details for electronic banking, the RBI is attempting to close the information gap that often allows fraud to proliferate. The policy highlights the growing necessity for regulatory bodies to step in as insurers of last resort in the digital finance ecosystem.

Sources

This report draws on the Reserve Bank of India's draft guidelines regarding the Commercial Banks – Responsible Business Conduct Third Amendment Directions, 2026, and information regarding the National Cyber Crime Reporting Portal.