On 6 March 2026, the Reserve Bank of India (RBI) released the “Draft Amendment Directions for ‘Review of Framework of Limiting Customer Liability in Digital Transactions” (hereafter “Amendments”). (Link: https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=4922)
The Amendments propose a framework to offer a one-time compensation to victims of small value fraudulent digital transactions. Further, it discusses the distribution of liability among the banks and the RBI, the reporting requirements that customers must satisfy and the obligations of the financial service providers.
In this response, we present four recommendations to the Draft Amendments.
1. First, we recommend progressing to a negligence-based customer liability regime. The current Amendments seek to make good to every customer who may have fallen prey to a victim fraud. However, they can claim such a compensation only once. Research suggests that Indians encounter fraud attempts multiple times a week, that these attempts are growing more sophisticated, and therefore, it is not unlikely that customers may fall for them more than once. It may be prudent to imagine a compensation framework that factors in customers’ role (or negligence), the sophistication of the fraud, the context of the customer (traditional and digital literacy, income levels, post-fraud reporting behaviour) etc. to determine the eligibility and quantum of compensation. Such a framework would compensate the customer when they have been rendered defenseless yet not discourage the customer from exercising caution when transacting online, as an unconditional compensation mechanism might.
We recommend expanding the scope of negligence for both customer and the providers, identifying parameters that qualify as gross negligence on either side and developing a compensation mechanism that factors and the nature of negligence. Further, when qualifying customer negligence, attention may be paid to the customers’ context of literacy, age, savviness in the digital landscape, income-level and sophistication of the fraud. Vulnerable customers may not be expected to meet high standards of attentiveness or defend themselves against frauds that are sophisticated even for the more evolved customers.
2. Second, identifying authorized but fraudulent (unintended/mistaken/deceitful) transactions as a separate category, outside of the authorized transactions. Transactions listed out in 4(3A)(i) are bona fide and fall outside the purview of any liability. On the contrary, transactions listed out from 4(3A) (ii) (a)-(c) are fraudulent where the customer may have authorized the transaction but were operating under external influence, coercion, information asymmetry, ignorance or other such contexts. Under the Indian Contract Act , such transactions amount to a voidable contract. Separating bonafide transactions from voidable ones is semantically proper. It may also help build more enduring compensation mechanisms, where the eligibility for compensation and its quantum will be determined by the role of the customer and the fraudulent actor. At that point, including authorized bona fide and authorized but unintended transactions in the same definition may be confusing.
We recommend identifying these as authorised but unintended/fraudulent transactions.
3. Third, streamlining reporting requirements to make them more customer-centric. Specifically, we recommend doing away with the need to complain to both banks and the national cybercrime portal, instituting multiple reporting channels and raise awareness around the compensation scheme.
4. Fourth, we highlight the need to develop complementary infrastructure for the successful execution of the Amendments, including strenghtening complaint acceptance infrastructure and a platform for banks to manage their claims.
Read the full response here.
