Online banking fraud — how much your bank has to refund
The Reserve Bank of India's circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017 — "Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions" — is the operative customer-side text in every online-banking-fraud claim in India. Issued under Section 35A of the Banking Regulation Act, 1949, it allocates loss across three liability buckets, places the burden of proving customer negligence squarely on the bank, and requires shadow-reversal within ten working days. The Information Technology Act, 2000 sits on top of it as the offence-side overlay.
Before the Reserve Bank of India's circular of 6 July 2017, an Indian retail customer whose savings account had been drained by a phishing-page fraud, a SIM-swap takeover or a corrupted internet-banking session sat in a doctrinal vacuum. The Negotiable Instruments Act, 1881 governed paper instruments. The Payment and Settlement Systems Act, 2007 governed the architecture but said nothing about who must bear the loss. The Consumer Protection Act, 1986 (now 2019) recognised "deficiency in service" but supplied no specific allocation rule. Banks defended liability claims on the ground that the customer's PIN-or-password authentication was conclusive, and consumer fora struggled to articulate a workable test. The 2017 circular, issued under Section 35A of the Banking Regulation Act, 1949, filled that vacuum with a single binding text — a three-bucket liability framework, a burden-of-proof allocation, and a time-bound shadow-reversal rule. This article is a doctrinal map of that circular and the statutes that sit alongside it.
The source of authority — Section 35A of the Banking Regulation Act, 1949
The 2017 circular is not a statute. It is a binding direction issued by the Reserve Bank under Section 35A of the Banking Regulation Act, 1949, which empowers the RBI to issue such directions as it considers necessary in the public interest, in the interest of banking policy, to prevent the affairs of a banking company being conducted in a manner detrimental to the interests of depositors, or to secure the proper management of any banking company. A direction under Section 35A is binding on the banking company to which it is addressed; non-compliance attracts penalty under Sections 46 and 47A of the Banking Regulation Act, 1949 and, in the case of electronic-payment-related directions, additionally engages the RBI's powers under Section 18 of the Payment and Settlement Systems Act, 2007.
The Section 35A footing matters in litigation. The bank cannot defend a liability claim by characterising the circular as soft guidance or a best-practice note — the Supreme Court and a steady consumer-fora line have treated Section 35A directions as binding regulatory law. The circular's normative force flows from this statutory pedigree.
The circular applies to all scheduled commercial banks (including the State Bank of India and its associates), regional rural banks, all foreign banks operating in India, all small finance banks, all payments banks and all cooperative banks regulated by the RBI. It does not, on its face, apply to non-banking financial companies or to authorised non-bank prepaid-payment instrument issuers; analogous customer-protection directions have been issued separately for prepaid instruments and are outside the scope of this article.
The three liability buckets
The circular's operative scheme rests on three buckets that turn on two variables — where the fault lay (bank, third party, or customer) and how quickly the customer reported the unauthorised transaction after the bank's communication.
Bucket one — zero customer liability. The customer bears nothing in two situations. First, where the unauthorised transaction occurred because of contributory fraud, negligence or deficiency on the part of the bank, irrespective of when the customer reports — the time of reporting is immaterial because the bank is itself at fault. Second, where the loss is caused by a third-party breach where the deficiency lies neither with the bank nor with the customer (a "system" breach — server compromise, network-level interception, an exploited vulnerability in the bank's authentication system), and the customer notifies the bank within three working days of receiving the bank's communication. The communication clock runs from the SMS or email alert, not from the date of debit, which can be a meaningful distinction when alerts are delayed.
Bucket two — limited customer liability. Two sub-cases. First, where the loss is due to negligence on the customer's part — a shared password, a voluntarily disclosed OTP, an unsecured device left with credentials cached — the customer bears the entire loss until the bank is notified; once notified, the loss passes to the bank. The notification cut-off is the operational hinge. Second, where the loss is due to a third-party breach (no fault on either side) and the customer notifies between four and seven working days after the bank's communication, the customer's liability is capped per transaction by reference to the account type. Annex II of the circular specifies the cap — Rs 5,000 for Basic Savings Bank Deposit accounts; Rs 10,000 for savings accounts other than BSBD, current and overdraft accounts of MSMEs, current accounts and credit card accounts up to Rs 5 lakh credit limit, and prepaid payment instruments; and Rs 25,000 for other current and overdraft accounts, and credit card accounts above Rs 5 lakh credit limit. The cap is the customer's exposure; the residue passes to the bank.
Bucket three — full customer liability. Where the customer reports beyond seven working days after the bank's communication, the customer's liability is to be determined as per the Board-approved policy of the bank. In practice the bank's policy almost invariably imposes the full loss on the customer in this bucket, on the reasoning that the delayed notification has prevented the bank from initiating timely beneficiary-side recovery. The three buckets are not exhaustive of every fact pattern — there are borderline situations (delayed alerts, contested notification timestamps, customer-initiated but fraud-induced authorisations) where consumer fora and the Ombudsman have had to allocate by reference to the circular's underlying logic rather than its precise text.
The bank's burden of proof — paragraph 6
The single most consequential paragraph in the circular is paragraph 6, which reads that "the burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank." The allocation reverses the common-law default that the party alleging negligence carries the proof. Once the customer has notified the bank of an unauthorised transaction, the customer's only burden is to establish that the transaction is not one the customer authorised; the further burden of establishing customer negligence — sharing of OTP, sharing of PIN, contributory carelessness — lies on the bank.
Paragraph 6 is the doctrinal hinge of every successful customer claim. In the Punjab National Bank v Leader Valves Ltd line, the National Consumer Disputes Redressal Commission held that an issuer bank's bare assertion that the OTP must have been shared, unsupported by transaction-trail evidence, call-recording logs or device-fingerprint analysis, does not discharge the paragraph-6 burden. The State Bank of India v K K Misra line has been to the same effect — a bank that has failed to produce contemporaneous evidence of the customer's negligence has, in the eyes of consumer fora, failed to discharge its burden, and the loss falls back into bucket one or bucket two regardless of how the bank's complaints department initially characterised the case.
The burden is also temporal. Paragraph 6 reads with the circular's three-day, seven-day and shadow-reversal clocks — a bank that has failed to investigate within the time-windows the circular contemplates cannot, by the same token, discharge a burden of proof on facts the bank has itself failed to record. The longer the bank's inquiry stalls, the harder paragraph 6 cuts against it.
Shadow-reversal within ten working days
Paragraph 9 of the circular requires the bank, on receipt of customer notification of an unauthorised transaction, to credit (shadow-reverse) the disputed amount to the customer's account within ten working days from the date of notification, regardless of where the liability ultimately falls. The credit is provisional — it operates as a working balance pending the bank's internal inquiry — but it is not discretionary. The bank cannot withhold the credit pending the outcome of the inquiry; it cannot impose preconditions; it cannot peg the credit to the customer's signing of an indemnity or a waiver.
The shadow-reversal rule has been the most heavily litigated feature of the circular. Consumer fora in the Manju Devi series have treated unjustified withholding of the credit as a freestanding deficiency in service warranting full restitution plus compensation for mental anguish — independently of the underlying liability question. The reasoning is that the circular's customer-protection objective would be defeated if the bank could starve the customer of working balance during a multi-month internal inquiry.
The credit, once made, remains in the customer's account until the bank concludes its internal inquiry and either retains the credit (where the loss falls to the bank under buckets one or two) or reverses it (where the loss falls on the customer). The bank is, under the circular, required to complete the internal inquiry within ninety days from the date of receipt of the customer complaint; failure to do so leaves the credit permanent regardless of the liability merits.
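The three-bucket allocation and the paragraph-9 shadow-reversal deadline, worked through as an added Python example that is not part of the circular or of this article: the names `Fault`, `Txn`, `Outcome`, `allocate` and `shadow_reversal_due` are chosen here, the account-type keys are labels of my own for the Annex II categories, and working days are assumed to be Monday to Friday with bank holidays ignored.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from enum import Enum
from typing import Optional

class Fault(Enum):
    BANK = "bank"                # contributory fraud, negligence or deficiency of the bank
    THIRD_PARTY = "third_party"  # system breach: deficiency with neither bank nor customer
    CUSTOMER = "customer"        # customer negligence: shared OTP/PIN, cached credentials

# Annex II per-transaction caps (rupees) for a third-party breach reported on working day 4 to 7.
# Keys are labels chosen for this example, not the circular's wording.
ANNEX_II_CAP = {
    "bsbd": 5_000,
    "savings": 10_000, "msme_current_od": 10_000, "credit_card_upto_5l": 10_000, "ppi": 10_000,
    "other_current_od": 25_000, "credit_card_above_5l": 25_000,
}

@dataclass
class Txn:
    amount: int    # rupees
    at: datetime   # when the debit was posted

@dataclass
class Outcome:
    bucket: str
    customer_liability: Optional[int]  # None: bucket three, per the bank's Board-approved policy

def working_days_after(start: date, end: date) -> int:
    """Working days elapsed after `start` up to and including `end`.
    Assumption: Monday-Friday only; bank holidays are not modelled."""
    n, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n += 1
    return n

def allocate(fault: Fault, account_type: str, txns: list, alert: datetime, notified: datetime) -> Outcome:
    """Customer's share of the disputed debits. `alert` is the bank's SMS/email communication,
    not the debit time: the three- and seven-working-day clocks run from the alert."""
    if fault is Fault.BANK:
        return Outcome("one", 0)  # bank at fault: when the customer reported is immaterial
    if fault is Fault.CUSTOMER:
        # negligence: customer bears every debit before notification, the bank those after it
        return Outcome("two", sum(t.amount for t in txns if t.at < notified))
    days = working_days_after(alert.date(), notified.date())
    if days <= 3:
        return Outcome("one", 0)
    if days <= 7:
        cap = ANNEX_II_CAP[account_type]  # cap applies per transaction; the residue passes to the bank
        return Outcome("two", sum(min(t.amount, cap) for t in txns))
    return Outcome("three", None)

def shadow_reversal_due(notified: date) -> date:
    """Paragraph 9: last day for the provisional credit, ten working days after notification."""
    d, n = notified, 0
    while n < 10:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n += 1
    return d
```

Because the clock runs from the alert rather than the debit, a delayed alert moves the cut-off in the customer's favour, which the test cases below exercise with constructed dates.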
The IT Act overlay — Sections 43, 43A, 66 and 72A
The 2017 circular allocates the loss; the Information Technology Act, 2000 punishes the conduct that caused it. The two operate on different tracks and the customer's recovery is not foreclosed by the absence of a successful criminal prosecution.
Section 43 of the IT Act, 2000 is the civil-penalty provision — unauthorised access to a computer, computer system or computer network; downloading or copying of data; causing disruption; charging the services availed of by one person to the account of another — all of these attract liability for damages by way of compensation, recoverable in a proceeding before the Adjudicating Officer appointed under Section 46 of the Act. Section 43 has a long-tail relevance in online-banking-fraud cases because the damages recoverable under Section 43 are uncapped (the earlier ceiling of one crore having been removed by the Information Technology (Amendment) Act, 2008).
Section 43A of the IT Act imposes liability on a body corporate that, while possessing, dealing or handling any sensitive personal data or information in a computer resource it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person. Banks fall squarely within the body-corporate definition; "sensitive personal data" includes financial credentials, account information and authentication details under the 2011 SPDI Rules made under Section 87 of the Act. Section 43A is therefore the statutory floor for the bank's data-security obligation in any online-banking fraud where credentials were leaked from the bank's own systems.
Section 66 of the IT Act, as amended by the Information Technology (Amendment) Act, 2008, makes the Section 43 offences punishable when done dishonestly or fraudulently — imprisonment up to three years and fine up to five lakh rupees. The Supreme Court in Shreya Singhal v Union of India, AIR 2015 SC 1523, while striking down Section 66A, expressly distinguished Section 66 as a section whose ingredients are defined with sufficient specificity to survive the void-for-vagueness analysis. Section 66 is the offence-side workhorse in online-banking-fraud FIRs.
Section 72A of the IT Act punishes disclosure of information in breach of a lawful contract — relevant where a bank employee, a call-centre agent or a third-party processor has leaked customer information that was subsequently used to perpetrate the fraud. The offence is punishable up to three years' imprisonment or fine up to five lakh rupees, or both. The provision sits in the background of nearly every insider-leak and call-centre-data-broker fraud and is the offence-side mirror of Section 43A's civil liability.
The cheating offences under the Bharatiya Nyaya Sanhita, 2023 — Section 318 (cheating, the BNS successor to Section 420 IPC) and Section 319 (cheating by personation, the successor to Section 416 IPC) — are routinely framed together with the IT Act sections in online-banking-fraud charge-sheets. Where the perpetrator has impersonated a bank, a payment app or an institutional sender, the Section 319 BNS charge and the Section 66D IT Act charge are both made out and are not treated as duplicative because the gravamen differs.
Statute-comparison — the circular against the IT Act and the PSS Act
The three principal texts in this field — the 2017 circular, the Information Technology Act, 2000, and the Payment and Settlement Systems Act, 2007 — occupy distinct doctrinal spaces and answer different questions. A short comparison clarifies which text does what.
The PSS Act, 2007 defines the architecture. Section 4 makes RBI authorisation a precondition to operating any payment system; Section 7 governs the authorisation; Section 18 gives the RBI directive power over payment systems. The Act is silent on customer-side liability for unauthorised transactions — that gap is filled by the 2017 circular. The PSS Act is also the source of the RBI Integrated Ombudsman Scheme's payment-system jurisdiction.
The 2017 circular allocates the loss between bank and customer. It is silent on (a) the architecture and (b) the offence-side picture. Its operational levers — the three buckets, paragraph 6's burden allocation, paragraph 9's shadow-reversal mandate — are customer-protection levers, not architectural or punitive levers.
The IT Act, 2000 punishes the conduct. Sections 43 and 43A operate on the civil-penalty track; Sections 66, 66C, 66D and 72A operate on the criminal track. The Act is silent on the bank-customer liability allocation, which is the 2017 circular's domain.
A complete online-banking-fraud claim therefore pulls on all three texts. The customer invokes the 2017 circular against the bank for restitution; invokes the IT Act for civil damages under Section 43 (against the perpetrator and, where applicable, against the bank under Section 43A); and supports the FIR under Section 173 of the Bharatiya Nagarik Suraksha Sanhita, 2023 [Section 154 CrPC] with IT Act and BNS criminal charges. The three tracks proceed in parallel and are not interdependent.
Escalation — RBI Integrated Ombudsman Scheme, 2021 and the consumer fora
The 2017 circular does not provide a dedicated dispute-resolution forum. Where the bank rejects the customer's claim or fails to act within the circular's time-frames, two principal escalation routes are available.
The first is the Reserve Bank's Integrated Ombudsman Scheme, 2021, which replaced the earlier Banking Ombudsman Scheme, 2006, the Ombudsman Scheme for Non-Banking Financial Companies, 2018, and the Ombudsman Scheme for Digital Transactions, 2019. The Scheme is notified under Section 35A of the Banking Regulation Act, 1949 read with Section 18 of the Payment and Settlement Systems Act, 2007, and Section 45L of the Reserve Bank of India Act, 1934. A complaint is filed at cms.rbi.org.in once the bank has either rejected the complaint or failed to respond within thirty days. The Ombudsman has the power, under clause 12 of the Scheme, to direct compensation up to Rs 20 lakh for direct loss arising from a banking deficiency, plus an additional Rs 1 lakh for mental anguish and harassment. The Ombudsman's award is appellable within thirty days to the Appellate Authority, who is a Deputy Governor of the Reserve Bank.
The second is the consumer-fora hierarchy under the Consumer Protection Act, 2019. The District, State and National Consumer Disputes Redressal Commissions each have pecuniary jurisdiction over deficiency-in-service claims against banks — up to Rs 50 lakh at the District Commission, Rs 50 lakh to Rs 2 crore at the State Commission, and above Rs 2 crore at the National Commission. The consumer-fora line in the Manju Devi and the K K Misra tradition has been the principal forum where the 2017 circular has been operationalised; many of the doctrinal contours of paragraph 6 and paragraph 9 have been developed in consumer-fora awards.
The two routes are alternative, not cumulative — the Ombudsman Scheme expressly excludes from its jurisdiction matters that are pending or have been decided by the consumer commission, and a customer must elect at the threshold. The Ombudsman is the faster forum; the consumer commission is the more remedy-rich forum, with power to award compensation beyond the Ombudsman's Rs 20 lakh ceiling.
Where the framework sits today and what remains unresolved
The position in 2026 can be stated in four points without straining the doctrine.
One — the 2017 circular is settled regulatory law, binding under Section 35A of the Banking Regulation Act, 1949, and consistently applied in consumer fora and at the RBI Integrated Ombudsman. Its three-bucket framework, paragraph 6's burden allocation and paragraph 9's shadow-reversal mandate are no longer in serious doctrinal contention.
Two — the IT Act overlay (Sections 43, 43A, 66 and 72A) operates in parallel, and the Section 43A standard of reasonable security practice has begun to do real work — recent consumer-fora awards have grounded bank-fault findings in Section 43A failures (weak two-factor authentication, delayed transaction alerts, absence of behavioural-analytics fraud detection) and used those findings to push cases into bucket one. The Digital Personal Data Protection Act, 2023, when its rules are fully in force, will add a further data-protection overlay; the precise interface between the 2023 Act, the SPDI Rules under Section 43A and the 2017 circular is an area to watch.
Three — the Ombudsman and consumer-fora routes are well-trodden, and the Ombudsman's Rs 20 lakh compensation ceiling combined with the consumer-fora pecuniary jurisdiction covers the overwhelming bulk of retail online-banking-fraud claims. A specific tribunal for online-banking disputes has not been created and is unlikely.
Four — three doctrinal questions remain genuinely open. First, the application of the 2017 circular to customer-authenticated-but-fraud-induced transactions (collect-request scams, UPI authorisation under deception, vishing-induced beneficiary additions) — banks treat these as authorised and outside the circular; consumer fora have split. A clarificatory RBI direction would settle the field. Second, the position of non-bank payment-system participants — third-party application providers, payment aggregators, prepaid-instrument issuers — under the 2017 framework. The circular addresses banks; the analogous customer-protection texts for non-bank operators are thinner. Third, the cross-border dimension — where the fraudulent debit has been routed through an account outside India, the recovery levers of the issuer bank are limited and the residual loss often falls on the customer regardless of how the liability allocation reads on paper.
For the customer who notifies within three working days and presses the bank, the Ombudsman and the consumer commission in sequence on the strength of paragraph 6 and paragraph 9, the 2017 circular is a genuinely effective customer-protection text. For the customer who notifies on day nine, or who has authorised the transaction under deception, or whose fraudulent funds have left the regulated system, the framework is real but partial. The doctrine, in either case, runs through the same three statutes — the Banking Regulation Act, 1949 and the Payment and Settlement Systems Act, 2007 as the source of authority; the 2017 circular as the operational text; and the Information Technology Act, 2000 as the punitive and data-protection overlay.