Date: 2026-03-06
MUMBAI: The RBI has issued amended directions proposing stronger safeguards for customers facing digital fraud by increasing the compensation percentage to 85 but capping the absolute pay-out at Rs 25,000 for the first instance. The new directions will be effective July 1.
Issuing the third draft amendment direction, 2026, under the central bank’s ‘responsible business conduct’ framework, the RBI said Friday that the new rules primarily protect bank customers from fraud in digital banking transactions, including UPI payments, Internet banking, mobile banking, debit/credit card transactions and ATM transactions.
“The draft directions, revising earlier rules on limiting customer liability for unauthorised electronic banking transactions, will apply to transactions carried out on or after July 1, 2026, and cover commercial banks excluding small finance banks, payments banks, regional rural banks and local area banks,” said the draft rules.
RBI governor Sanjay Malhotra had said on February 6 that the central bank will pay 70% of the small-value money, or up to Rs 25,000, lost in fraudulent transactions, with no questions asked of the customer, for first-time instances. The remaining 30% will be equally shared by the customer (15%) and the bank to ensure all parties have skin in the game.
Under the new compensation rules, the RBI will offer 85% of the loss or a maximum of Rs 25,000 per victim. For instance, if your loss is Rs 20,000, you will get Rs 17,000 in compensation, or 85%; if your loss is Rs 50,000, you will get only Rs 25,000, or 50% of the loss. That means the smaller the loss, the greater the compensation as a share of it.
According to RBI data, banks reported 13,469 fraud cases related to card and Internet-based transactions in fiscal 2025, involving losses of Rs 520 crore, much lower than the 29,080 cases and losses of Rs 1,457 crore in the previous financial year.
“Introducing a framework to compensate customers up to an amount of Rs 25,000 for losses incurred in fraudulent transactions,” the governor said, adding that this will be done with no questions asked, including whether the affected customer has shared the OTP or not.
“Even if the customer has shared the OTP and if the incidence of fraud was first time,” the customer is eligible for the compensation, less than 15% of the total loss, the governor clarified. The governor further said a vast majority, to the tune of 65%, of digital frauds are worth less than Rs 55,000. The money will come from the depositor education fund of the central bank, which is worth over Rs 85,000 crore and interest.
Proposing a compensation mechanism for small digital banking frauds, the RBI said, “If a customer lost up to Rs 50,000 in a genuine fraudulent electronic transaction, she may receive 85% of the net loss or up to Rs 25,000, whichever is lower, for the first instance.”
The RBI added, “To qualify for the compensation, the fraud must be reported to both the bank and the National Cyber Crime portal or helpline (1930) within five days. For smaller losses, most of the compensation will be paid by the Reserve Bank, with smaller contributions from the customer’s bank and the beneficiary bank. If money is later recovered, compensation will be recalculated accordingly.”
However, this is a climbdown from what the governor had said on February 6.
The new draft directions say electronic banking transactions include payments made through Internet banking, mobile banking, debit or credit cards, or other digital channels that fall under the definition of electronic funds transfer in the Payment and Settlement Systems Act of 2007.
The central bank has also introduced clearer definitions for authorised and unauthorised transactions. The draft states that transactions carried out by customers using authentication methods such as OTP, PIN, card details or passwords will be considered authorised, which is also a change from the February 6 statement.
However, transactions carried out using credentials obtained through fraud, or where customers are tricked or coerced into sending money to scammers posing as legitimate recipients, will fall under fraudulent electronic banking transactions.
"Authorised electronic banking transaction includes a transaction carried out by a customer or a previously authorised third-party registered with the bank by granting approval through a standing instruction/mandate or any form of additional authentication such as a static password or dynamic password (e.g. OTP), answering challenge questions, card details (CVV/expiry date/PIN) or any other mode of electronic authentication option provided by the bank,” said the circular.
The circular also said, “Digital transactions also include a transaction which is executed by a third-party using the credentials obtained from the customer through fraudulent means; or executed by the customer by granting approval under coercion or duress from the third-party; or executed by the customer when he/she is tricked into willingly sending money to a scammer who is posing as a legitimate recipient.”
The RBI has also clarified what constitutes negligence on the part of banks and customers. For a bank, negligence includes failing to maintain secure systems, not sending transaction alerts, or failing to provide channels for reporting fraud.
On the other hand, customer negligence includes sharing passwords or OTPs, ignoring bank fraud warnings, or downloading malicious applications.
The draft directions also define third-party breaches, where the problem arises from intermediaries such as payment gateways, telecom service providers or third-party application providers rather than the bank or the customer.
"Third-party breach refers to a situation where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and includes deficiency on the part of an intermediary such as a third-party application provider, payment aggregator, payment gateway, telecom service provider etc," said the circular.