RBI Strengthens Customer Protection Framework for Payments Banks: A Comprehensive Analysis of the Second Amendment Directions, 2026

Overview and Background

The Reserve Bank of India has issued a landmark regulatory update through the Reserve Bank of India (Payments Banks – Responsible Business Conduct) Second Amendment Directions, 2026, substantially overhauling the customer protection architecture governing fraudulent electronic banking transactions conducted via Payments Banks. These Directions, issued under reference RBI/2026-27/169 DOR.MCS.REC.No.132/01-01-034/2026-27 dated June 24, 2026, will come into force with respect to all electronic banking transactions undertaken by customers of Payments Banks on or after January 1, 2027.

The regulatory intervention builds upon the existing Reserve Bank of India (Payments Banks – Responsible Business Conduct) Directions, 2025, which had earlier consolidated instructions on limiting customer liability in unauthorised electronic banking transactions. Upon comprehensive review, the RBI has determined that a revised and expanded framework is warranted, particularly in light of the rising incidence of digital financial fraud and the need for robust, transparent accountability mechanisms across the payments ecosystem.

Important Note: These Directions are issued in exercise of powers conferred under Section 35A of the Banking Regulation Act, 1949, the Reserve Bank being satisfied that issuance of such directions is necessary and expedient in public interest.


Key Definitional Expansions Introduced

One of the foundational changes brought about by these Amendment Directions is the insertion of several new definitions into paragraph 4 of the principal Directions. These definitions establish the legal vocabulary around which the entire customer protection framework operates.

Electronic Banking Transaction (EBT)

A new sub-paragraph 4(7D) has been inserted, defining Electronic Banking Transaction (EBT) to carry the same meaning as electronic funds transfer under Section 2(c) of the Payment and Settlement Systems Act, 2007, and specifically covering both Card Not Present and Card Present transactions.

The terms Card Not Present transaction and Card Present transaction, inserted as sub-paragraphs 4(4.1A) and 4(4.1B) respectively, are themselves defined by cross-reference to the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025.

Fraudulent Electronic Banking Transaction (Fraudulent EBT)

Sub-paragraph 4(9A) introduces the concept of a Fraudulent EBT, defining it as:

  • An EBT executed by a third party using credentials obtained from the assessee/customer through fraudulent means, or
  • An EBT carried out by the customer under coercion or duress imposed by a third party, and/or
  • An Unauthorised EBT as defined under sub-paragraph 4(13B)

Unauthorised Electronic Banking Transaction

Sub-paragraph 4(13B) defines an Unauthorised EBT as any EBT not authorised by the customer, which expressly includes transactions arising from bank negligence or third-party breaches.

Negligence by a Customer

Sub-paragraph 4(10B) sets out an inclusive list of actions constituting customer negligence, including:

  • Failing to exercise due care over credentials such as PIN, password, or OTP (e.g., sharing credentials with another person, storing a PIN alongside a debit card)
  • Delayed reporting of a fraudulent EBT or loss of a debit card to the Payments Bank
  • Disregarding specific, targeted, and unambiguous warnings from the Payments Bank that a transaction may be a scam
  • Downloading applications known to be malicious
  • Failing to update the registered mobile number or email address with the Payments Bank upon change

Negligence by a Payments Bank

Sub-paragraph 4(10C) correspondingly defines Payments Bank (PB) negligence to include:

  • Failure to implement mandated systems and procedures ensuring the security of EBTs
  • Non-dispatch of mandatory transaction alerts
  • Absence of round-the-clock channels for reporting fraudulent EBTs or debit card loss
  • Failure to act with due diligence upon customer notification of an unauthorised EBT or card loss
  • System failures, security breaches, or internal fraudulent conduct leading to unauthorised EBTs

Third-Party Breach

Sub-paragraph 4(13.1A) introduces the concept of a Third-Party Breach, defined as a deficiency residing neither with the Payments Bank nor the customer, but elsewhere in the system — including intermediaries such as Third-Party Application Providers (TPAPs), Payment Aggregators (PAs), Payment Gateways (PGs), and Telecom Service Providers (TSPs).


Customer Protection Policy Obligations on Payments Banks

Mandatory Policy Formulation (Paragraph 33A)

Every Payments Bank is required to formulate a comprehensive customer protection policy covering: