RBI Limits Liability of Customers in unauthorised electronic transactions

After limiting liability of customers in fraudulent bank transactions, the Reserve Bank of India (RBI) has brought out new (similar) rules in mobile wallet and prepaid payment instruments (PPI) issued by non-banking entities like Paytm, PhonePe, GooglePay, and Amazon Pay. Under the new rules, customers will have a zero liability in case of fraud, negligence or deficiency from the PPI issuer and if the unauthorised electronic transaction is reported by the customer within three days. Most importantly, the burden of proving customer liability in case of unauthorised electronic payment transactions is on the PPI issuer and not on customers, as per the RBI rules.

In addition, PPI issuers are asked to ensure that their customers mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic payment transactions.

Under the new rules, mobile wallet providers like Paytm, PhonePe, Google Pay and Amazon Pay, will have to setup a 24/7 customer care helpline to report fraud or any loss or theft or hack of the mobile wallet account of their customers.

If the PPI customer suffers a loss due to fraud, negligence or deficiency on the mobile wallet provider then the entire amount would be refunded if the incident is reported within three days. For unauthorized transactions reported between four and seven days, the liability of the customer is limited to the transaction value or Rs10,000 per transaction, whichever is lower. For fraud incidents reported beyond seven days, the customer liability would be as decided by the board of the PPI issuer.

On being notified by the customer, the PPI issuer is required to credit (notional reversal) the amount involved in the unauthorised electronic payment transaction to the customer’s PPI within 10 days from the date of such notification by the customer without waiting for settlement of insurance claim, if any, even if such reversal breaches the maximum permissible limit applicable to that type or category of PPI. The credit shall be value-dated to be as of the date of the unauthorised transaction.

Further, RBI says, the PPI issuers should ensure that a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the PPI issuer’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions mentioned above. 

"In case the PPI issuer is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the amount as prescribed in above paragraph should be paid to the customer, irrespective of whether the negligence is on the part of customer or otherwise," RBI says.

Reporting of unauthorised payment transactions by customers to PPI issuers

RBI says, PPI issuers should ensure that their customers mandatorily register for SMS alerts and wherever available also register for e-mail alerts, for electronic payment transactions.

The SMS alert for any payment transaction in the account should mandatorily be sent to the customers and e-mail alert may additionally be sent, wherever registered. The transaction alert should have a contact number and or e-mail ID on which a customer can report unauthorised transactions or notify the objection.

Customers should notify the PPI issuer of any unauthorised electronic payment transaction at the earliest and, also be informed that longer the time taken to notify the PPI issuer, higher will be the risk of loss to the PPI issuer and customer.

To facilitate the reporting, PPI issuers are asked to provide customers with 24x7 access via website, SMS, e-mail or a dedicated toll-free helpline for reporting unauthorised transactions that have taken place and or loss or theft of the PPI.

Further, RBI says PPI providers need to provide a direct link on mobile app or home page of their website or any other evolving acceptance mode for lodging of complaints, with specific option to report unauthorised electronic payment transactions.

"The loss and fraud reporting system must also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by PPI issuers to send alerts and receive their responses should record time and date of delivery of the message and receipt of customer’s response, if any. This is important in determining the extent of a customer’s liability. On receipt of report of an unauthorised payment transaction from the customer, PPI issuers should take immediate action to prevent further unauthorised payment transactions in the PPI," says RBI.