Submitted by alvin on Sat, 2016-09-03 16:59

Banking today has been completely taken over by “Digital Banking”. Many co-operative banks and regional rural banks have also adopted internet banking, ATM cards and credit cards. As a result of these developments, e-banking has become standard, though most customers have no formal or informal education in the use of computers. In this context of increasing use, the growth of cybercrimes - where attackers steal the access credentials of customers through phishing, vishing, trojans, coat tailing viruses, Man-in-the-Middle attacks etc - is a matter of concern. It is impossible to expect every bank customer to be fully aware of the ways in which these frauds are committed and never to fall prey to such targeted attacks.

Recently, the inter-bank international fund transfer system under SWIFT was hacked in Bangladesh, in an attack in which a bank lost Rs 90 crores. A similar attempt was also made on Union Bank of India, in which an amount of Rs 1200 crores was sought to be transferred. The fraud was fortunately discovered in time and averted. But RBI has taken the incident seriously. If a secure fund transfer system such as SWIFT, where a minimum of two bank officials are involved in any transfer, could be successfully hacked and credentials stolen, then it is very much possible for an individual bank customer’s credentials to be stolen and misused.

The RBI has therefore initiated an important step towards protecting customers using internet and mobile banking as well as cards by suggesting a “limited liability” for such frauds. A “Draft Circular” was issued in this regard on August 11, 2016, asking for public comments to be sent to the RBI before August 31, 2016. If customers want RBI to formalise the suggestions, it is necessary for the public to send an e-mail to the DBOD (firstname.lastname@example.org) and state that they support the move.
If necessary, they can also send their suggestions and comments after perusing the circular. While a detailed analysis of the circular may be found on Naavi.org, I summarise below what RBI has proposed.

First of all, if an unauthorised transaction occurs after the customer has reported either the loss of his card or the compromise of his account, then the bank alone will be responsible for the loss. In other instances, frauds will be classified into three categories:

a) Where there is negligence of the customer
b) Where there is negligence of the bank
c) Where there is negligence of neither the customer nor the bank

Where there is negligence of the bank, obviously there will be no liability on the customer. However, there may be some instances where the customer might also have been negligent and passed on his credentials to the fraudsters. In most cases of phishing and vishing, the credentials of the customer are “stolen” by the fraudster. It is debatable whether it can be called “negligence” when something is taken from you by fraud, deceit or coercion. Hence, there will be a discussion of this aspect whenever the bank alleges that there was negligence of the customer. However, the onus of providing evidence for such an allegation is now on the bank and not the customer. This is an important aspect that helps the customer prove his innocence. In fact, in every instance where the beneficiary of the fraud has no proven nexus with the customer, prima facie innocence of the customer can be presumed.

In the third category, where there is negligence on the part of neither the bank nor the customer, the RBI expects that the bank would be sending a transaction alert through SMS or email, which gives the customer an opportunity to respond if the transaction is fraudulent. If he responds within 3 days, then there would be no liability to the customer.
If he responds within 4 to 7 days, he may have to bear a liability of the loss or Rs 5000/-, whichever is less. It is not clear what the liability would be if the customer fails to dispute the transaction for more than 7 days. The RBI has left it to the banks to formulate policies in this regard and put them up on their websites. It is expected that ultimately a customer cannot be held totally liable just because he failed to raise a dispute within 7 days, and that there has to be a sharing of responsibility between the bank and the customer, with probably more borne by the bank.

It is expected that banks would oppose the RBI move and try to get the circular withdrawn. Hence it is necessary for the public to voice their strong opinion in favour of the circular, with further suggestions if any. Consumer organisations may also take steps to collate the views of the public and forward them to RBI.

So, it is time to act. Don’t be complacent and let the opportunity to safeguard yourself go to waste.