The Reserve Bank of India has issued final directions overhauling customer protection in digital payment fraud, shifting a key burden onto banks and introducing a compensation scheme for small-value victims. The rules apply to all electronic banking transactions by customers of commercial banks from January 1, 2027.
The most significant structural change is a reversal of the burden of proof. Under the new framework, when a customer files a fraud complaint, the bank must establish that the customer was negligent. Previously, customers effectively had to prove they were not at fault. That shift alone changes the default posture of fraud dispute resolution across India's banking system.
How liability is now divided
The directions define three categories of fault, and the compensation outcome depends on which applies. If the bank is negligent, the customer bears zero liability, with no reporting deadline attached. Bank negligence includes failing to send mandatory transaction alerts, not maintaining 24-hour fraud reporting channels, and internal security failures or system breaches.
If the fraud stems from a third-party breach, meaning a failure by entities such as payment aggregators, payment gateways, third-party app providers, or telecom companies, the customer again faces zero liability, provided they report the fraud within five calendar days of the transaction.
If the customer is negligent, such as by sharing a PIN or OTP, downloading a malicious app, or ignoring specific scam warnings from the bank, losses up to the point of reporting fall on the customer. Any unauthorised transactions after the customer reports the fraud must be absorbed by the bank. The directions also introduce a concept called shadow reversal for credit card fraud cases: a provisional credit that stops interest accruing while a complaint is under review, though the customer cannot use the funds.
Complaint resolution timelines are also now codified. Banks must resolve domestic fraud complaints within 45 calendar days and cross-border cases within 60 calendar days, with reversals value-dated to the original transaction date.
The small-value compensation mechanism
The RBI has created a one-time compensation scheme for fraud victims who suffered losses up to Rs 50,000 due to their own negligence. This covers individual customers and sole proprietors. To qualify, the victim must report the fraud to both their bank and the National Cyber Crime Reporting Portal or the 1930 helpline within five calendar days. Eligible customers receive 85% of the net loss or Rs 25,000, whichever is lower, and only once in their lifetime. Banks must pay out within five calendar days of receiving a completed application. The scheme runs for one year from the directions' effective date.
The operational requirements on banks are extensive. Banks must verify customers' mobile numbers and email addresses at onboarding and periodically after that. Instant SMS alerts are mandatory for all transactions above Rs 500. Email alerts are required wherever an email address is on record. All alerts must include the amount, time, channel, and beneficiary. Banks must offer round-the-clock reporting through phone banking, SMS, IVR, toll-free numbers, and app or website channels, and must acknowledge each complaint immediately with a reference number and timestamp.
Banks are also required to publish a customer protection policy covering reporting channels, complaint timelines, and customer rights and obligations.
The practical gap in these directions is worth noting. India recorded an estimated Rs 22,495 crore in cyber fraud losses in 2025, and 2.81 million fraud complaints were filed that year. The new compensation ceiling of Rs 50,000 means that larger fraud victims, who often suffer the most severe financial damage, have no specific recourse under this framework. The five-day reporting window to qualify for zero liability or compensation is also tight, particularly for customers who may not immediately recognise a fraudulent transaction or know how to file a complaint through official channels.
Still, the burden-of-proof reversal and the mandatory infrastructure requirements, including 24-hour reporting lines and instant alerts, represent a meaningful baseline that did not previously exist in codified form. For banks, the compliance build-out before January 2027 is now clearly scoped: alert systems, onboarding verification, fraud reporting infrastructure, and written customer protection policies all need to be in place and publicly documented before the directions take effect.