RBI's Digital Fraud Compensation Framework: How Victims Recover Losses up to Rs 50,000

A dedicated compensation pool: The RBI has notified a revised compensation framework specifically for victims of small-value digital banking fraud. The big change is that, beyond merely defining who bears liability, the framework creates an actual compensation mechanism in which the regulator itself contributes the largest share. It covers losses from fraudulent electronic banking transactions (EBTs) of up to Rs 50,000.

Effective date: The framework applies to EBTs undertaken on or after 1 January 2027 (deferred by six months from an earlier date of 1 July 2026), and is available for frauds occurring within one year of the directions coming into effect.

Why it matters: Earlier rules (the 2017 circular) told customers when they would bear zero or limited liability, but actual recovery often depended on banks establishing liability and on lengthy disputes. The new framework guarantees a defined, pro-consumer payout for genuine small-value victims and shifts most of the cost away from the customer.

Scope and limits: It covers individuals and sole proprietors, can be used only once in a lifetime, and offers no specified compensation for frauds above Rs 50,000 — meaning it is targeted at protecting ordinary retail users from everyday cyber fraud.

The core entitlement: A bona fide victim is entitled to compensation equal to 85% of the net loss amount or Rs 25,000, whichever is lower. "Net loss" is the gross fraud amount minus any sum recovered. The benefit can be claimed only once in a lifetime.

Reporting within five days: To qualify, the customer must report the fraud within five calendar days of the transaction, both to the bank and to the National Cyber Crime Reporting Portal or Helpline 1930. Prompt reporting is the single most important condition for protection.

Burden of proof on the bank: The RBI has made clear that the burden of proving customer liability rests with the bank. Unless the bank establishes that the customer was negligent, the customer continues to be protected.

On receiving a complaint, the bank must take prompt steps to prevent further unauthorised transactions in the customer's account.

The novel feature — RBI pays the most: Of the compensation paid, the RBI bears about 76.5%. For a domestic fraud, the victim's bank and the beneficiary bank (where the stolen money lands) bear roughly 11.76% each; for a cross-border fraud, the victim's bank bears about 23.5% (as there is no domestic beneficiary bank).

Two tiers by loss size: For losses below Rs 29,412, compensation equals 85% of the net loss (split as RBI 65%, victim's bank 10% and beneficiary bank 10% of the loss in domestic cases; the victim's bank's share rises to 20% in cross-border cases). For losses of Rs 29,412 up to Rs 50,000, compensation is capped at Rs 25,000, of which the RBI pays Rs 19,118 and the two banks pay about Rs 2,941 each (domestic), or the victim's bank pays Rs 5,882 (cross-border).

A worked example: If Rs 40,000 is lost and Rs 15,000 is later recovered, the net loss is Rs 25,000 and the victim gets 85%, i.e. Rs 21,250 — with the RBI paying Rs 16,250 and the victim's and beneficiary banks Rs 2,500 each. If nothing is recovered, the net loss of Rs 40,000 exceeds the cap, so the victim is paid Rs 25,000.

Multiple beneficiary banks and later recovery: Where the money is split across several beneficiary banks, each bears compensation in proportion to the amount credited to it; and if money is recovered after compensation is paid, the bank recalculates the net loss and adjusts the amount.

The 2017 foundation: The current protections rest on the RBI circular of 6 July 2017, "Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions," which established the principle of zero and limited liability and shifted the balance towards the customer.

Zero liability: A customer bears no loss where the fraud results from the bank's negligence, deficiency or a system failure (irrespective of reporting), or from a third-party breach where the fault lies neither with the bank nor the customer, provided the customer reports promptly. The new framework preserves these zero-liability protections.

Limited liability: Where the loss is due to the customer's own negligence (for example, sharing the PIN/OTP), the customer bears the loss until reporting; for delays in reporting, liability is capped (commonly Rs 5,000 for basic savings accounts and Rs 10,000–25,000 for other accounts, depending on type). Beyond the prescribed window, liability follows the bank's board-approved policy.

What changed: The new framework adds a guaranteed compensation payout for small-value frauds, makes the RBI a funder, and shortens complaint-resolution timelines (from 90 days under the old rules to 45/60 days now).

Defined bank negligence: The amended directions define a bank's negligence to include failure to implement mandated security systems, non-issuance of transaction alerts (alerts are mandatory for EBTs above Rs 500), the absence of 24x7 reporting channels, system malfunctions, security breaches, internal frauds, and failure to act diligently on customer complaints.

Resolution timelines: Banks must examine the complaint, determine liability and respond within 45 calendar days for domestic frauds and 60 calendar days for cross-border frauds.

Shadow reversal: For fraudulent credit-card transactions, the bank must provide a "shadow reversal" of the disputed amount within five calendar days of the customer's complaint, during which the customer bears no extra interest or charges.

Round-the-clock reporting: Banks must offer 24x7 channels for reporting fraudulent transactions and the loss of cards.

Bank-fraud data (FY26): The RBI's Annual Report shows banks reported 10,114 fraud cases worth Rs 48,021 crore in FY26 — cases fell about 57% year-on-year, but the value rose about 46%. Crucially, this total is dominated by loan/advances frauds (around Rs 40,774 crore), and was inflated by legacy cases re-reported after a Supreme Court judgment; it is not the same as retail digital fraud.

Digital payment fraud specifically: In the RBI's card/internet/digital-payments category (frauds of Rs 1 lakh and above), reported cases fell sharply to 293 (Rs 29 crore) in FY26 from 13,332 (Rs 517 crore) in FY25. However, the vast bulk of small-value cyber fraud against individuals (often below Rs 1 lakh) is captured not here but on the cyber-crime reporting system — which is exactly the gap the new framework addresses.

The reporting architecture: Victims report cyber fraud through the National Cyber Crime Reporting Portal and the Helpline 1930, run via the Citizen Financial Cyber Fraud Reporting and Management System under the Indian Cyber Crime Coordination Centre (I4C) of the Ministry of Home Affairs.

Common fraud types: These include phishing, vishing (voice-call fraud), SIM-swap, OTP theft, fake UPI handles and collect-request scams, QR-code scams, malware/remote-access apps, and emerging AI/deepfake-driven frauds — disproportionately affecting the elderly, first-time and rural users.

Low cap and one-time use: The Rs 50,000 ceiling and once-in-a-lifetime limit mean that larger frauds and repeat victims fall outside the guaranteed payout, relying instead on the older liability rules and litigation.

The "negligence" grey zone: Where a fraud uses sophisticated social engineering, deciding whether the customer was "negligent" remains contested; courts have held banks liable even for OTP-authenticated transactions in some social-engineering cases, underscoring the need for clarity.

Regulator funding a payout: Having the RBI bear most of the compensation is unusual and pro-consumer, but it raises questions about incentives — whether banks will invest enough in prevention if much of the cost is socialised.

Effective enforcement: The framework's value depends on fast complaint resolution, robust real-time fraud monitoring, action on mule accounts, and customer awareness so that the five-day reporting window is actually met.

Raise awareness of the five-day window: Wide, multilingual public communication is essential so victims report in time and actually benefit from the framework.

Strengthen prevention, not just payout: Pair compensation with real-time fraud monitoring, mule-account crackdowns and stronger authentication so banks retain the incentive to prevent fraud.

Clarify the negligence standard: A clearer, enforceable definition of "customer negligence" would reduce disputes and protect victims of sophisticated scams.

Coordinate agencies: Tighter linkage between banks, the RBI, the I4C/1930 system and police is needed for faster freezing and recovery of defrauded funds.