RBI’s 2026 Directions on Fraudulent Electronic Banking Transactions in Regional Rural Banks

The Reserve Bank of India has overhauled the customer protection norms for fraudulent electronic banking transactions in the Regional Rural Banks (RRB) segment through the Reserve Bank of India (Regional Rural Banks – Responsible Business Conduct) Third Amendment Directions, 2026. These Directions substantially tighten the standards of responsible conduct, internal controls, complaint handling and compensation, with effect for all qualifying electronic banking transactions executed on or after January 1, 2027.

Issued under Section 35A of the Banking Regulation Act, 1949, the revised framework is embedded within the existing Reserve Bank of India (Regional Rural Banks – Responsible Business Conduct) Directions, 2025, and replaces the earlier chapter on “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”.

For compliance, risk, and legal teams of RRBs, as well as advisors to these entities, it is crucial to understand the new definitions, allocation of liability, and compensation structure that now apply to fraudulent electronic banking transactions (EBTs).

1. Scope, commencement and statutory backing

  • The Amendment Directions are issued in exercise of powers conferred on the Reserve Bank under Section 35A of the Banking Regulation Act, 1949.
  • RBI has recorded its satisfaction that the measures are required in the public interest, which reinforces the expectation of strict implementation by all RRBs.

1.2 Applicability and effective date

  • The Directions are titled “Reserve Bank of India (Regional Rural Banks – Responsible Business Conduct) Third Amendment Directions, 2026.”
  • They apply to electronic banking transactions undertaken by customers of an RRB on or after January 1, 2027.
  • The amendments modify and substitute specific paragraphs and annexures of the Reserve Bank of India (Regional Rural Banks – Responsible Business Conduct) Directions, 2025, especially the customer protection chapter.

2. Key definitions introduced or expanded

A large part of the amendment focuses on harmonising terminology and clarifying when and how liability shifts between customer, RRB and third parties.

2.1 Card Present and Card Not Present transactions

The Directions link the following terms to the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025:

  • 4(6.1A) Card Not Present transaction – will carry the same meaning as in the 2025 Authentication Directions.
  • 4(6.1B) Card Present transaction – similarly adopts the meaning from the 2025 Authentication Directions.

2.2 Electronic banking transaction (EBT)

  • 4(10D) Electronic banking transaction (EBT) is equated with “electronic funds transfer” as defined in Section 2(c) of the Payment and Settlement Systems Act, 2007.
  • It expressly includes both Card Present and Card Not Present transactions.

2.3 Fraudulent EBT and Unauthorised EBT

  • 4(15A) Fraudulent electronic banking transaction (Fraudulent EBT) is defined to include:

    • Transactions initiated by a third party using credentials obtained from the customer through fraudulent means, or
    • Transactions carried out by the customer while acting under coercion or duress, and / or
    • Any Unauthorised electronic banking transaction (Unauthorised EBT) as separately defined.

  • 4(26B) Unauthorised electronic banking transaction (Unauthorised EBT) is specified as:

    • An EBT not authorised by the customer; and
    • Includes transactions arising from Negligence by an RRB and / or a third-party breach.

2.4 Negligence by customer vs negligence by RRB

The Directions clearly differentiate negligence at the customer and RRB level.

2.4.1 Negligence by a customer – 4(20B)

Customer negligence includes, among other things:

  • Not taking reasonable care of confidential credentials like PIN, password, OTP (e.g., sharing credentials, storing PIN with the card, etc.).
  • Failing to promptly inform the RRB upon discovering a fraudulent EBT or loss of debit / credit card.
  • Ignoring clear, specific warnings issued by the RRB that a proposed transaction may be a scam.
  • Downloading malicious applications.
  • Not updating registered mobile number or email address with the RRB when changes occur.

2.4.2 Negligence by an RRB – 4(20C)

Negligence on part of the RRB covers, inter alia:

  • Failure to implement mandated safety and security systems for EBTs.
  • Non-issuance of mandatory transaction alerts.
  • Not providing 24×7 channels to report fraudulent EBTs or card loss.
  • Not acting with due diligence after customer reports an unauthorised EBT or card loss.
  • System malfunction, security compromise or internal fraud leading to unauthorised EBTs.

2.5 Third-party breach – 4(26.1A)

  • A third-party breach arises where the deficiency is located outside both the RRB and the customer.
  • The breach may be at the level of intermediaries such as:
    • Third-Party Application Provider (TPAP)
    • Payment Aggregator (PA)
    • Payment Gateway (PG)
    • Telecom Service Provider (TSP)
    • Any other system participant.

2.6 Shadow reversal – 4(25A)

  • Shadow reversal is a temporary / provisional credit for the amount involved in fraudulent EBT(s) given by an RRB to the customer upon receipt of notification.
  • It is provided before completion of internal investigation, insurance settlement, or other inter-party settlement.
  • Customer cannot utilise this credited amount, but:
    • Will not suffer any loss of interest, and
    • Will not be burdened with additional interest or charges on that amount.

3. Mandatory customer protection policy and internal systems

3.1 Board-approved policy on customer protection – 128A

Each RRB must frame and adopt a clear, transparent policy addressing:

1.