RBI Draft Directions 2026: Revised Customer Protection Framework for Payments Banks on Unauthorised Electronic Banking Transactions
Overview
The Reserve Bank of India has released a draft set of revised directions titled the Draft Reserve Bank of India (Payments Banks – Responsible Business Conduct) Second Amendment Directions, 2026, aimed at strengthening the framework that governs customer protection in electronic banking transactions conducted through Payments Banks (PBs). These directions are issued under the authority of Section 35A of the Banking Regulation Act, 1949, and will govern all electronic banking transactions undertaken by customers on or after 1 July 2026.
The draft consolidates and revises the earlier instructions embedded in the Reserve Bank of India (Payments Banks – Responsible Business Conduct) Directions, 2025, particularly those relating to limiting customer liability in fraudulent or unauthorised electronic transactions. Reference: DOR.MCS.REC.No./01-01-034/2025-26, dated March 2026.
Legal Basis and Applicability
These directions are issued by the Reserve Bank of India in exercise of powers under Section 35A of the Banking Regulation Act, 1949, on the grounds that it is necessary and expedient in the public interest to do so.
Applicability:
- Covers all electronic banking transactions conducted by customers of Payments Banks (PBs)
- Effective from 1 July 2026 onwards
- Applies to all PBs regulated under the Reserve Bank of India (Payments Banks – Responsible Business Conduct) Directions, 2025
Key Definitional Changes Introduced
One of the most significant aspects of the draft directions is the introduction of several new and expanded definitions that bring much-needed clarity to how various types of transactions and liabilities are categorised. These definitions are inserted into paragraph 4 of the parent directions.
Authorised Electronic Banking Transaction — Paragraph 4(2A)
Under the draft, an authorised electronic banking transaction includes:
A transaction executed by the customer or an approved third party registered with the PB through standing instructions or any form of additional authentication such as a static password, dynamic password (e.g., OTP), challenge questions, card details (CVV/Expiry date/PIN), or other electronic authentication methods provided by the PB.
A transaction that is:
- Executed by a third party using credentials fraudulently obtained from the customer
- Executed by the customer under coercion or duress imposed by a third party
- Executed by the customer after being deceived into voluntarily transferring funds to a scammer posing as a legitimate recipient
This expanded definition is critical — it captures socially engineered frauds and coercion-based fraud scenarios that were previously ambiguous.
Card Present and Card Not Present Transactions — Paragraphs 4(4A) and 4(4B)
Both Card Not Present transactions and Card Present transactions shall carry the same meaning as defined in the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025.
Electronic Banking Transaction — Paragraph 4(7D)
An electronic banking transaction shall carry the same meaning as 'electronic funds transfer' under Section 2(c) of the Payment and Settlement Systems Act, 2007, and shall encompass both Card Not Present and Card Present transactions.
Fraudulent Electronic Banking Transaction — Paragraph 4(9A)
A fraudulent electronic banking transaction means:
- An authorised electronic banking transaction falling under the categories described at paragraph 4(2A)(ii), or
- An unauthorised electronic banking transaction as defined at paragraph 4(13B)
Negligence by a PB — Paragraph 4(10A)
Negligence on the part of a Payments Bank shall inter alia include:
- Failure to implement mandated systems and procedures for the safety and security of electronic banking transactions
- Non-dispatch of mandatory transaction alerts to customers
- Failure to provide mandated channels for reporting fraudulent transactions or loss of payment instruments such as cards
- Not acting diligently on customer notifications about unauthorised transactions or lost payment instruments
- System malfunctions, security breaches, or internal frauds resulting in unauthorised transactions
Negligence by a Customer — Paragraph 4(10B)
Customer negligence shall inter alia include: