Calling 1930 for cyber-fraud — the 24-hour rule and your bank's liability

The Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) — operated through the 1930 helpline under the Indian Cybercrime Coordination Centre — is the procedural front-end of a layered legal regime. The 24-hour reporting window matters not because the helpline is itself a statutory authority, but because it is the operational hook into RBI's Customer-Liability Circular DBR.No.Leg.BC.78/09.07.005/2017-18 of 6 July 2017, which graduates customer liability for unauthorised electronic banking transactions from zero (within 3 working days) to limited (4 to 7 days) to full (after 7 days). The substantive law rests on Section 43 of the IT Act, 2000, the BNS overlay on cheating, and the RBI Banking Ombudsman / NCDRC route — not on the helpline call itself.

The 1930 helpline has acquired a reputation in public discourse as a kind of statutory rescue rope — a number to be dialled within the first hour of a digital banking fraud to "get the money back." The reputation is half-right and doctrinally misleading. The helpline is the call-centre entry to the Citizen Financial Cyber Fraud Reporting and Management System, an inter-agency platform that connects the complainant's report to the beneficiary bank and the payment intermediary so that the disputed funds can be held in the payee account before they are layered onward. It is, in operational terms, a chargeback-coordination instrument. In legal terms, the recovery rests on a separate piece of law — the Reserve Bank of India's Circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017 on "Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions" — and on the substantive criminal-law and consumer-law remedies that operate alongside it. The helpline call is the procedural hook; the RBI circular and the IT Act are the substantive law.

What CFCFRMS is — the I4C operational architecture

The Citizen Financial Cyber Fraud Reporting and Management System is an integrated platform operated under the Indian Cybercrime Coordination Centre scheme of the Ministry of Home Affairs, with technical participation from the Reserve Bank of India, major scheduled commercial banks, payment system operators (the National Payments Corporation of India, card networks and major payment aggregators), and the State and Union Territory police forces. The 1930 helpline is its citizen-facing intake channel; the platform itself is a workflow system that, on receipt of a fraud report, generates an alert to the beneficiary bank or payment intermediary requesting a hold on the disputed amount in the payee account before it is withdrawn or layered onward.

The platform's effectiveness depends on speed. The fraudster's modus operandi in most cyber-financial-fraud matters involves moving the deceptively obtained funds through a chain of mule accounts within hours of receipt, often across multiple banks and payment platforms. The "24-hour rule" — sometimes called the golden hour — is the operational window within which the platform can ordinarily intercept the funds in the first-layer payee account before they are dissipated. The rule is operational, not statutory; the helpline does not derive its hold-on-payee-account power from any standalone statute. It derives it from the banks' and payment intermediaries' contractual and regulatory obligation to cooperate with law-enforcement requests under the RBI's prudential framework, the Information Technology Act regime, and their own fraud-management policies.

A 1930 call generates a complaint ticket that is automatically mirrored on the National Cyber Crime Reporting Portal at cybercrime.gov.in. The complainant is required to follow up — typically within 24 hours — by completing the portal complaint with supporting documents (transaction SMS, bank statement, account details of the fraudster where known, screenshots of the deceptive communication). The portal complaint is then routed to the State police having territorial jurisdiction for consideration of FIR registration. This dual-track — operational fund-hold via CFCFRMS, statutory criminal action via FIR — is the architecture the user must internalise.

The RBI 6 July 2017 Circular — the substantive recovery regime

The legal weight of the recovery sits in the Reserve Bank of India's Circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017, titled "Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions." The Circular was issued under the RBI's powers under the Banking Regulation Act, 1949 and the Payment and Settlement Systems Act, 2007, and is binding on all scheduled commercial banks, payments banks, small finance banks, regional rural banks, and urban cooperative banks. The Circular calibrates a customer's liability for unauthorised electronic banking transactions on three axes — the cause of the unauthorised transaction, the customer's role in the breach, and the time elapsed between the transaction and the customer's reporting to the bank.

The headline rule, in its commonly-stated form — the customer has zero liability where the unauthorised transaction is the result of a contributory fraud, negligence or deficiency on the part of the bank (irrespective of customer-side reporting), or where the unauthorised transaction is the result of a third-party breach, neither attributable to the bank nor to the customer, and the customer notifies the bank within 3 working days of receiving the communication regarding the unauthorised transaction. Where the third-party breach is reported within 4 to 7 working days, the customer's liability is limited to the transaction value or a graduated cap (₹5,000 / ₹10,000 / ₹25,000 depending on the type of account and instrument) as set out in the Circular's tables. Where the reporting is delayed beyond 7 working days, the customer's liability is governed by the bank's Board-approved policy and may, in the limiting case, be the full transaction value.

The Circular places three operational obligations on the bank — to provide the customer with multiple channels to report unauthorised transactions on a 24/7 basis (including an SMS or email shortcode), to acknowledge a reported complaint with a unique reference number within a short defined window, and to credit the disputed amount in a "shadow reversal" to the customer's account within 10 working days from the date of notification, pending completion of the investigation. The shadow-reversal mechanism is the most under-appreciated feature of the Circular — it places the burden of carrying the disputed amount on the bank, not on the customer, during the investigation period, and a bank that defaults on the 10-working-day timeline is itself in breach of a binding RBI direction.

The Circular's relevance to the 1930 helpline call is direct. A 1930 call, followed by a portal complaint, followed by a written complaint to the bank within the 3-working-day window, places the customer squarely in the zero-liability tier for third-party-breach transactions. The same sequence, completed within 7 days, places the customer in the limited-liability tier. A customer who delays beyond 7 days loses the Circular's protective shield and must fall back on the contractual and tortious remedies, which are slower and more contested.

The IT Act and BNS substrate — Sections 43, 66C, 66D and the cheating overlay

The criminal-law substrate of cyber-financial fraud is supplied by the Information Technology Act, 2000 read with the Bharatiya Nyaya Sanhita, 2023. Section 43 of the IT Act, 2000 enumerates ten acts — including unauthorised access, downloading of data, introduction of contaminants, denial of service, account-tampering for charging services to a third party, destruction or alteration of information, and theft of computer source code — that attract civil compensation under the Section's penalty-and-compensation regime. The Section's clause (h), inserted by the 2008 Amendment, addresses the most common cyber-fraud pattern — charging the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network. The Section's compensation jurisdiction lies with the Adjudicating Officer under Sections 46 and 47 of the IT Act (the Secretary, Department of Information Technology of the State or such other officer as the Central Government may appoint, holding the rank of Director to the Government of India or equivalent).

Section 66 of the IT Act, 2000, in its post-2008 form, criminalises any of the Section 43 acts done dishonestly or fraudulently — with punishment extending to three years' imprisonment or fine up to ₹5 lakh or both. Section 66C punishes identity theft through the fraudulent use of an electronic signature, password or unique identification feature; Section 66D punishes cheating by personation by means of a computer resource or communication device. Both are the most commonly invoked criminal heads in OTP-phishing, vishing, fake-customer-care and account-takeover fraud patterns.

The Bharatiya Nyaya Sanhita overlay attaches the cheating, personation and breach-of-trust heads. Section 318 of the Bharatiya Nyaya Sanhita, 2023 [Section 420 of the IPC, 1860] punishes cheating with imprisonment up to seven years and fine. Section 319 BNS [Section 416 IPC] punishes cheating by personation. Section 316 BNS [Section 405 / 406 IPC] punishes criminal breach of trust where the fraudster has, through some artifice, been entrusted with property or dominion over property. The interface between the IT Act and BNS heads is governed by Sharat Babu Digumarti v Govt of NCT of Delhi, (2017) 2 SCC 18 — where the IT Act squarely covers the act, the IT Act's special-law character prevails and the BNS cheating heads cannot run as a parallel head on the same set of facts. The post-Sharat Babu Digumarti practice in cyber-financial-fraud FIRs has been to charge Sections 66C and 66D of the IT Act together with Section 318 BNS — a combination that survives Sharat Babu Digumarti scrutiny because the BNS cheating provision captures elements (the inducement to part with property, the wrongful loss to the victim) that the IT Act provisions do not directly target.

The 1930 call is not an FIR — Section 173 BNSS and the parallel track

The doctrinal point that matters most for the complainant is that a 1930 call and a CFCFRMS ticket do not constitute the registration of a First Information Report under Section 173 of the Bharatiya Nagarik Suraksha Sanhita, 2023 [Section 154 of the Code of Criminal Procedure, 1973]. The helpline is an operational intake; the FIR is the statutory document that triggers cognizable-offence investigation under Sections 175 and 176 BNSS [Sections 156 and 157 CrPC]. The Supreme Court's mandate in Lalita Kumari v Govt of UP, (2014) 2 SCC 1, requires the State police, on receiving information disclosing a cognizable offence, to register an FIR without preliminary inquiry except in a narrow set of carve-out categories. The IT Act offences (Sections 66, 66C, 66D and so on) and the BNS cheating heads (Section 318 BNS) are cognizable, attracting the Lalita Kumari mandate directly.

The two tracks therefore run in parallel. Track one — the 1930 call and the CFCFRMS ticket — drives the operational fund-hold and feeds the RBI Circular timeline for the customer's bank-side notification. Track two — the FIR routed through cybercrime.gov.in to the jurisdictional State police — drives the substantive criminal investigation. A complainant whose 1930 call has secured a fund-hold but whose FIR has not been registered is not, in the criminal-law sense, a complainant at all — the police have not opened the matter for investigation, no Section 161 BNSS [Section 161 CrPC] statement has been recorded, and the investigation timeline has not started. The Section 175(3) BNSS [Section 156(3) CrPC] application to the jurisdictional Magistrate is the corrective remedy where the police have failed to register an FIR despite cognizable allegations.

Jurisdictional questions are governed by Section 75 of the IT Act, 2000 (extraterritorial application where the offence involves a computer, computer system or computer network located in India) read with Section 197 BNSS [Section 178 CrPC] (trial at the place where the offence was committed, the consequence ensued, or the property was found). The State of the complainant's residence is, in most cyber-financial-fraud matters, the place where the deceptive communication was received and where the financial loss was suffered — making the local police the ordinary forum for FIR registration. The CFCFRMS platform's routing engine reflects this, defaulting to the complainant's State unless the case has an interstate dimension that warrants escalation to the Joint Cyber Coordination Teams.

The Ombudsman and NCDRC routes — when the bank does not credit back

A customer whose bank has failed to apply the RBI Circular's shadow-reversal mechanism, or who has been placed in a higher-liability tier than the timeline justifies, has two parallel adjudicatory remedies that operate independently of the criminal-law track.

The first is the Reserve Bank — Integrated Ombudsman Scheme, 2021, which replaced the earlier Banking Ombudsman, Ombudsman for NBFCs and Ombudsman for Digital Transactions schemes. A complaint under the Scheme can be filed online at the RBI's complaint management system after the customer has first raised a complaint with the bank and either received an unsatisfactory reply or no reply within 30 days. The Ombudsman has jurisdiction to award compensation up to ₹20 lakh (with mental-agony compensation capped at ₹1 lakh) and is bound to consider the RBI Circular's allocation of liability when adjudicating the dispute. The Ombudsman process is documentary and fast — typically resolved within 30 to 90 days — and is the natural escalation for a bank that has not honoured the Circular.

The second is the consumer-forum remedy under the Consumer Protection Act, 2019. The customer is a "consumer" of banking services within Section 2(7) CPA, 2019, and a bank that has failed to apply the Circular has rendered a "deficient service" within Section 2(11). Pecuniary jurisdiction lies with the District Commission for claims up to ₹50 lakh under Section 34, the State Commission for claims up to ₹2 crore under Section 47, and the National Commission for claims above ₹2 crore under Section 58. The NCDRC has, in a steady line of orders, treated the 6 July 2017 RBI Circular as a binding direction whose breach gives rise to a deficiency-of-service claim — the customer who has complied with the reporting timeline and whose bank has nonetheless withheld the shadow-reversal is, on the consumer-forum jurisprudence, entitled to the disputed amount plus interest plus litigation costs.

The substantive case-line on unauthorised banking transactions has clustered around two themes. The first is whether the bank can place the customer in a higher-liability tier on a finding of customer negligence (sharing OTP, falling for a phishing call, installing a remote-access application). The Circular's text places the burden on the bank to prove customer negligence, and the consumer fora have read that burden strictly — a bare assertion that the customer must have shared the OTP is insufficient; the bank must produce log evidence and adverse forensic findings. The second is the timing dispute — whether the customer's first call to the bank's general helpline, before the formal written complaint, counts as "notification" under the Circular. The fora have largely answered this in the customer's favour, holding that the first contemporaneous report by any reasonable channel triggers the Circular's timer.

The DPDP Act overlay — Section 43A IT Act and what has changed

The pre-2023 architecture of body-corporate data protection rested on Section 43A of the IT Act, 2000, which created a civil liability on any body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource that it owns, controls or operates, where the body corporate's negligence in implementing and maintaining reasonable security practices and procedures caused wrongful loss or wrongful gain to any person. Section 43A was operationalised through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The Digital Personal Data Protection Act, 2023, supersedes much of this regime. The DPDP Act applies to all digital personal data and creates a statutory data-fiduciary regime with binding obligations on notice, consent, purpose limitation, data-principal rights, breach notification and Data Protection Board oversight. A bank whose customer-data has been breached, leading to the cyber-fraud incident, is potentially liable to the customer-data-principal under the DPDP framework in addition to its liabilities under the RBI Circular and the consumer-protection regime. The interplay between the DPDP Act and Section 43A IT Act is still being worked out in the early enforcement years; the safe reading is that the DPDP regime applies prospectively to breaches after the Act's effective date, and Section 43A continues to govern the pre-2023 cause of action.

Section 72 of the IT Act, 2000 punishes the breach of confidentiality by any person who, in pursuance of any of the powers conferred under the Act, has secured access to any electronic record, book, register, correspondence, information, document or other material. Section 72A penalises an intermediary or service provider that, in the course of providing services under a lawful contract, discloses personal information without consent or in breach of the contract. Both provisions sit alongside the DPDP regime and may be invoked in a fraud matter where the breach involves an insider at the bank, payment processor or intermediary.

Where the doctrine sits today — three persistent tensions

Three doctrinal tensions persist in the post-CFCFRMS architecture. The first is the procedural-substantive confusion the helpline itself has produced in public understanding. The 1930 call is a procedural intake into an operational fund-hold platform; it is not a complaint to the police, not a notification to the bank, and not a complaint to the Banking Ombudsman. A complainant who has called 1930 but has not separately notified the bank in writing within the RBI Circular's working-day window may discover, weeks later, that the helpline call alone does not satisfy the Circular's notification requirement — the Circular requires notification "to the bank," and the bank receives the CFCFRMS alert as a law-enforcement coordination request, not as a customer notification on the customer's account. The conservative practice is to notify the bank separately, by the bank's prescribed channels, contemporaneously with or immediately after the 1930 call.

The second is the gap between operational fund-hold and statutory recovery. A CFCFRMS-driven hold on the payee account is operational and revocable. The eventual recovery to the customer's account is governed by — depending on the route the customer takes — the RBI Circular's shadow-reversal mechanism, an Ombudsman award, an NCDRC order, or a Section 46/47 IT Act compensation order from the Adjudicating Officer. The helpline does not, on its own, transfer ownership of the held funds back to the customer; that transfer requires a separate adjudicatory or contractual basis.

The third is the IT Act / BNS overlap clarified by Sharat Babu Digumarti. In cyber-financial-fraud FIRs, the routine practice has been to invoke Sections 66C and 66D of the IT Act together with Section 318 BNS [Section 420 IPC]. The combination survives Sharat Babu Digumarti scrutiny where the BNS cheating provision captures an element the IT Act does not — typically the wrongful loss to the victim through the parting with property. Where, however, the FIR mechanically piles on the BNS forgery, criminal breach of trust and conspiracy heads without doctrinal justification, the accused has a serious Sharat Babu Digumarti argument at the FIR-quashing stage under Section 528 BNSS [Section 482 CrPC]. The post-2023 High Court jurisprudence on this point is still in formation.

The 1930 helpline, on balance, is an operational advance. It compresses a chain of bank, payment-platform and police coordination steps that, before 2020, took days into a workflow that runs in hours. It does not, however, replace the substantive legal architecture that surrounds it — the RBI 6 July 2017 Circular for civil recovery, the IT Act and BNS for criminal prosecution, the BNSS for FIR registration and investigation, the Banking Ombudsman and the consumer-forum hierarchy for adjudication, and the DPDP regime for data-protection consequences. The complainant who treats the helpline as a one-stop legal solution will lose the procedural deadlines that the substantive regime imposes; the complainant who treats it as a procedural hook into a layered legal architecture will use it for what it is and pursue, in parallel, the substantive remedies that actually transfer the money back.