Victim of cyber fraud? You may be able to recover money before culprit is caught


A Delhi court ordered Indian Bank to release Rs 77,000 withheld from a cyber fraud victim who reported the unauthorised transaction the same day. The ruling reinforces RBI protections that can shield customers from loss when fraud is reported promptly.

Victims of cyberfrauds can recover their money before the culprit is caught

The rapid growth of digital banking, online payments, mobile banking, and Unified Payments Interface (UPI) systems has transformed financial transactions in India. While digital banking has improved convenience and financial inclusion, it has also resulted in a significant rise in cyber financial fraud, including phishing attacks, fake KYC scams, OTP frauds, SIM swap frauds, card cloning, remote-access scams, and unauthorised electronic transactions.

In response to the increasing number of complaints from consumers, the Reserve Bank of India (RBI) introduced the framework titled “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” in 2017 to protect consumers from unfair financial losses.

The RBI circular noted that with the increased thrust on financial inclusion and customer protection, and considering the surge in complaints relating to unauthorised electronic transactions, the criteria for determining customer liability required urgent review. The framework applies to both remote or online payment transactions, such as internet banking, mobile banking, card-not-present transactions, and prepaid payment instruments, as well as face-to-face transactions involving ATMs and point-of-sale machines.

The RBI also emphasised that banks must create systems and procedures that make customers feel safe while carrying out digital transactions. Banks are therefore required to maintain robust and dynamic fraud detection systems, continuously assess risks arising from unauthorised transactions, implement safeguards to mitigate losses, and repeatedly educate customers regarding protection against cyber fraud. Banks are also obligated to provide customers with 24x7 complaint reporting mechanisms through websites, SMS, email, toll-free helplines, mobile applications, and branch reporting facilities.

One of the most important consumer protections under the RBI framework is the concept of “Zero Liability.” Under Clause 6 of the 2017 RBI Circular, customers are entitled to zero liability if the unauthorised transaction occurs due to negligence, fraud, or deficiency on the part of the bank. Further, even in cases involving third-party breaches where the fault lies neither with the customer nor the bank, customers are entitled to zero liability if they report the fraud within three working days of receiving communication regarding the transaction.

The importance of these protections was recently reinforced by a Delhi Court on 11 May in a case involving the Indian Bank. Additional Sessions Judge Hargurvarinder Singh Jaggi directed the bank to permanently reverse and release a withheld amount of Rs 77,000 to a petitioner who had become a victim of cyber fraud. The Court noted that “shadow credit is a statutory mandate under Clause 9 of the RBI Circular, meant to be finalised in favour of a customer who reports the fraud instantly.” The Court observed that the claimant had reported the fraud on the very same day both to the bank and to the Cyber Cell of Delhi Police.

The Court further held that by notifying the bank within the three days prescribed by the RBI, the petitioner had successfully triggered the protection available under Clause 6(ii) of the Circular. The judgment reaffirmed that where the fraud results from a third-party breach and the customer promptly informs the bank, the customer is entitled to complete protection from liability.

Importantly, the Court also clarified the position even in situations where banks allege customer negligence. Referring to Clause 7(i) of the RBI Circular, the Court emphasised that “Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.” Thus, once a customer reports fraud, the bank becomes responsible for preventing further losses.

The Delhi Court strongly criticised Indian Bank’s attempt to deny liability through an internal committee decision that labelled the matter as “Not Fraud on Bank.” The Court held that such unilateral internal findings cannot override statutory consumer protections. Most significantly, the Court reiterated Clause 12 of the RBI Circular, which states that the burden of proving customer negligence lies entirely upon the bank. Mere allegations that a customer shared OTPs or credentials are insufficient unless supported by clear and conclusive evidence.

Legal experts have also highlighted the importance of immediate action by victims of cyber fraud. Advocate Nitika Jain, Partner at CMS INDUSLAW, has emphasised that customers should report fraud immediately to the bank and simultaneously lodge complaints on the National Cyber Crime Reporting Portal or by calling the cybercrime helpline number 1930. She further advises customers to preserve SMS alerts, screenshots, fraudulent links, and call logs as evidence. According to her, customers must never share OTPs, PINs, or passwords because sharing such credentials may weaken claims for recovery.

Advocate Sanjay K. Chadha of BSK Legal has similarly observed that the recent Delhi Court ruling reinforces the principle that vigilant customers cannot be denied protection merely because a bank internally classifies a fraud differently. He notes that many banks routinely reject complaints alleging “customer negligence” without properly examining whether the customer acted promptly or whether the bank’s own fraud-detection systems failed. Courts are increasingly scrutinising such conduct and insisting that banks establish actual contributory negligence through proper evidence.

From the banking sector’s perspective, the RBI regulations have substantially increased accountability standards. Banks are now expected to maintain stronger fraud-monitoring systems, rapid freezing mechanisms, and transparent grievance redressal procedures. In line with this objective, the RBI has also introduced the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, which mandate stronger authentication systems, enhanced fraud prevention measures, and risk-based security checks.

Chadha also points out that in 2025, the RBI announced the introduction of exclusive “bank.in” and “fin.in” internet domains for banks and regulated financial institutions. This initiative aims to help customers identify genuine financial websites more easily and reduce phishing and fake-domain scams.

Jain also pointed out that following the RBI mandate, banks are now increasingly investing in fraud detection systems and AI-based tools to identify suspicious transactions and freeze mule accounts, while also expanding cybersecurity awareness initiatives for customers.

According to experts, the RBI’s consumer protection framework represents a major advancement in safeguarding customers against cyber financial fraud. The law recognises that banks, as custodians of digital payment systems, bear substantial responsibility for maintaining secure systems and protecting customer funds. Consumers who act promptly and responsibly are entitled to significant legal protection, including zero liability in many situations. The recent Delhi Court ruling further strengthens these protections and signals a growing judicial commitment toward ensuring accountability in India’s digital banking ecosystem.


Published By: Akash Chatterjee

Published On: May 16, 2026 14:56 IST
