Draft RBI Directions on Small Finance Banks: New Customer Protection Framework for Electronic Transactions (Effective 1 July 2026)

The Reserve Bank of India has released the Draft Reserve Bank of India (Small Finance Banks – Responsible Business Conduct) Third Amendment Directions, 2026, proposing a comprehensive overhaul of how Small Finance Banks (SFBs) manage and allocate liability for unauthorised and fraudulent electronic banking transactions. These draft norms, issued under Section 35A of the Banking Regulation Act, 1949, will apply to all eligible electronic banking transactions undertaken on or after 1 July 2026, once finalised.

The revised framework consolidates and replaces earlier guidance on limiting liability of customers in unauthorised electronic banking transactions and embeds it into the broader Reserve Bank of India (Small Finance Banks – Responsible Business Conduct) Directions, 2025, with substantial expansion and clarification.

Statutory Basis and Scope

The Reserve Bank, acting under powers conferred by Section 35A of the Banking Regulation Act, 1949, has proposed these amendment directions after concluding that revised norms are required in the public interest to:

  • Strengthen customer protection in digital transactions
  • Clarify allocation of liability among SFBs, customers and intermediaries
  • Create a standardised compensation mechanism for small-value frauds

Once made effective, these Third Amendment Directions, 2026 will govern electronic banking transactions carried out by customers of SFBs on or after 1 July 2026.

Key Definitions Introduced or Clarified

The draft directions significantly expand the definitional framework under the 2025 Directions by inserting several new sub-paragraphs into paragraph 4.

Authorised electronic banking transaction – expanded concept

A new sub-paragraph 4(3A) defines authorised electronic banking transaction to include both:

  1. Regular, authenticated transactions, i.e.:

    • Transactions initiated by the customer directly, or
    • Transactions initiated by a previously authorised third party registered with the SFB
      where the customer has provided consent via:
      • Standing instruction / mandate, or
      • Additional authentication methods such as:
        • Static password
        • Dynamic password (e.g., OTP)
        • Challenge questions
        • Card details (CVV / expiry date / PIN)
        • Any other electronic authentication mode prescribed by the SFB.
  2. Fraudulently induced or coerced authorisations, where:

    • A third party executes a transaction using credentials fraudulently obtained from the customer, or
    • The customer authorises the transaction under coercion or duress, or
    • The customer is deceived into willingly sending money to a fraudster impersonating a legitimate recipient.

This is significant because such fraudulently induced but technically “authorised” transactions are explicitly treated as part of the fraudulent electronic banking transaction framework.

Card Present and Card Not Present transactions

New sub-paragraphs 4(6B) and 4(6C) adopt definitions from the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025:

  • 4(6B) Card Not Present transaction – to have the same meaning as under the above authentication directions.
  • 4(6C) Card Present transaction – likewise, to have the same meaning as in those directions.

These definitions ensure uniformity across RBI’s regulatory instruments.

Electronic banking transaction

A new 4(10D) clarifies that:

  • Electronic banking transaction shall have the same meaning as “electronic funds transfer” in Section 2(c) of the Payment and Settlement Systems Act, 2007, and
  • It explicitly includes both Card Present and Card Not Present transactions.

Fraudulent electronic banking transaction

Under new 4(15A):

  • Fraudulent electronic banking transaction covers:
    • Authorised electronic banking transactions classified under 4(3A)(ii) (i.e., scams, coercion, credential theft), and
    • All unauthorised electronic banking transactions as later defined in 4(26B).

This integrates both unauthorised access and “authorised under deception or pressure” transactions into a single conceptual category for liability assessment.

Negligence by SFB vs.