RBI Tightens Customer Protection Rules for Fraudulent Electronic Banking in Small Finance Banks

The Reserve Bank of India has overhauled the customer protection regime for unauthorised and fraudulent electronic banking transactions in Small Finance Banks (SFBs) through the Reserve Bank of India (Small Finance Banks – Responsible Business Conduct) Third Amendment Directions, 2026.

These revised norms, issued under Section 35A of the Banking Regulation Act, 1949, substantially expand the framework on customer liability, fraud reporting, complaint handling, and compensation for small-value fraud losses. The new regime applies to electronic banking transactions conducted on or after January 1, 2027 by customers of SFBs.

The amendments modify and supplement the existing Reserve Bank of India (Small Finance Banks – Responsible Business Conduct) Directions, 2025, replacing the earlier section on “Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” with a much more detailed and structured framework under the new heading “Customer Protection in Fraudulent Electronic Banking Transactions”.

1. Statutory Basis and Applicability

The Reserve Bank has exercised its powers under Section 35A of the Banking Regulation Act, 1949 to prescribe binding directions for SFBs. The RBI records that these measures are necessary and expedient in the public interest to safeguard customers using digital and electronic banking channels.

1.2 Effective date

  • The amended Directions are titled:

    “Reserve Bank of India (Small Finance Banks – Responsible Business Conduct) Third Amendment Directions, 2026.”

  • Applicability:

    • They apply to electronic banking transactions (EBTs) undertaken by customers of SFBs
    • Only for transactions on or after January 1, 2027

Accordingly, SFBs must ensure their systems, internal policies, customer communication, and grievance redressal mechanisms comply fully before that cut-off date.

2. New and Clarified Definitions

The Directions introduce several critical definitions that form the backbone of the customer protection framework. These must be incorporated verbatim in SFB policies, although this article explains them in simpler language.

2.1 Card Present and Card Not Present

Two new sub-paragraphs are inserted into paragraph 4 of the 2025 Directions:

  • 4(6.1A) Card Not Present transaction
    • It has the same meaning as under the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025.
  • 4(6.1B) Card Present transaction
    • Also has the same meaning as in the above Authentication Directions.

These definitions ensure alignment of SFB norms with the RBI’s broader digital payment security framework.

2.2 Electronic banking transaction (EBT)

A new clause 4(10D) defines:

  • Electronic banking transaction (EBT)
    • It carries the same meaning as ‘electronic funds transfer’ in Section 2(c) of the Payment and Settlement Systems Act, 2007
    • It includes both Card Not Present and Card Present transactions

Thus, the customer protection framework now covers all forms of electronic transfers, not only internet or mobile banking, but also card-based payments.

2.3 Fraudulent EBT

Under 4(15A), fraudulent electronic banking transaction (Fraudulent EBT) is defined to include:

  • An EBT executed by a third party who has fraudulently obtained the customer’s credentials, or
  • An EBT executed by the customer under coercion or duress from a third party, and / or
  • An unauthorised EBT as explained in 4(26B)

This composite definition ensures that both classic fraud (like phishing or SIM swap) and transactions forced under threat are captured.

2.4 Negligence by customer

Clause 4(20B) elaborates what is considered customer negligence, including situations such as:

  • Careless handling of credentials (PIN, passwords, OTPs) or sharing them with others
  • Delay in reporting fraudulent EBTs or loss/theft of cards
  • Ignoring clear, targeted warnings issued by the SFB that a specific transaction is probably a scam
  • Downloading malicious applications
  • Not updating registered mobile number or email with the SFB after a change

These examples are expressly stated to be illustrative; SFBs must evaluate conduct case by case, but these will be strong indicators of negligence.

2.5 Negligence by SFB

Under 4(20C), negligence by an SFB includes, among others:

  • Failure to install mandated security systems and processes for EBTs
  • Non-issuance of mandatory alerts
  • Absence of 24×7 channels for reporting fraud or card loss
  • Failure to act with due promptness after customer intimation of unauthorised transactions or card loss
  • System failures, security breaches, or internal frauds leading to unauthorised EBTs

Where such deficiencies are established, customers will typically be entitled to zero liability.

2.6 Shadow reversal

A new clause 4(25A) introduces shadow reversal, defined as:

  • A temporary or provisional credit of the disputed amount provided by an SFB
  • Granted once the SFB receives the customer’s notification of fraudulent EBTs
  • Before completion of internal investigation or settlement with insurers or other parties

Key features:

  • The customer cannot use the shadow reversal amount
  • However, the customer will not bear any extra interest or charges on that amount

This is particularly important for credit card cases, where the repayment cycle may trigger interest and fees despite ongoing investigation.

2.7 Third-party breach

Clause 4(26.1A) defines third-party breach as a situation: