RBI’s 2026 Draft Framework on Customer Protection in Electronic Banking Transactions
The Reserve Bank of India has proposed a fresh set of norms to redefine and strengthen customer protection in the sphere of electronic banking. Through the Draft Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026, the regulator has recast the rules around liability, fraud reporting, and compensation in digital transactions carried out with commercial banks.
Issued under the powers granted by Section 35A of the Banking Regulation Act, 1949, these draft Directions will be applicable to electronic banking transactions conducted on or after 1 July 2026. They amend and update the Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Directions, 2025 for commercial banks (excluding Small Finance Banks, Payments Banks, Regional Rural Banks, and Local Area Banks).
The proposed framework seeks to clearly demarcate when an assessee (bank customer) bears loss, when the bank is responsible, and how third-party breaches are to be treated. It also introduces a structured compensation mechanism for small-value digital frauds up to ₹50,000, with defined cost-sharing between the Reserve Bank, the customer’s bank, and the beneficiary bank.
Legal Basis and Scope of the Draft Directions
The draft Amendment Directions are grounded in RBI’s statutory authority to issue binding instructions to banks under Section 35A of the **Banking Regulation Act, 1949`. The Reserve Bank has recorded that issuing these Directions is necessary and expedient in the public interest, particularly to address the rising incidence and sophistication of digital payment frauds.
Short Title and Commencement
- The Directions are titled Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026.
- They will apply to electronic banking transactions carried out by customers of a bank on or after July 1, 2026.
These Directions modify the parent Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Directions, 2025 by inserting new definitions, replacing the earlier section on limiting customer liability, and introducing a dedicated compensation mechanism for small-value digital frauds.
Revised and New Definitions in the Draft Directions
A key feature of the 2026 draft is the introduction of expanded definitions that more accurately address the practical realities of digital banking and fraud scenarios.
Authorised Electronic Banking Transaction – Expanded Concept
A new sub-para 4(3A) is proposed to be inserted to define “Authorised electronic banking transaction”. It covers two broad categories:
Transactions performed by the customer or authorised third-party
These include transactions where:- The customer carries out the transaction directly; or
- A previously authorised third-party, registered with the bank, executes the transaction
and where such transactions are approved using any of the following or similar modes:- Standing instruction or mandate
- Static or dynamic password (such as OTP)
- Challenge questions
- Card details like CVV, expiry date, PIN
- Any other electronic authentication mode provided by the bank.