Draft digital fraud compensation norm: Payout one-time, vigilance still key

The Reserve Bank of India (RBI) has issued draft directions to partly compensate victims of small-value digital payment frauds. Experts say the framework could strengthen trust in India’s digital payment system, especially among senior citizens and first-time users. At the same time, they caution that the proposal has limits and does not reduce the need for customers to exercise safeguards.

 

Key positives 

Under the draft, an eligible victim will receive 85 per cent of the net loss amount, or ₹25,000, whichever is lower. The compensation will apply only where the gross loss is up to ₹50,000. 

“The framework addresses the segment in which most incidents occur,” says S Anand, founder and chief executive officer (CEO), PaySprint. 

“It also marks a shift from a liability-sharing framework to a protection-oriented framework,” says Jyoti Prakash Gadia, managing director, Resurgent India. 

Customers will qualify for compensation even if they mistakenly share the one-time password (OTP). “Earlier mechanisms were more focused on assessing customer negligence before providing compensation,” says Shams Tabrej, cofounder and CEO, Ezeepay. 

Banks must provide time-bound relief to victims. They will need to process and credit compensation within five days of receiving a valid complaint. 

The framework also places greater responsibility on banks during dispute resolution. Banks will have to justify their decisions with supporting data before rejecting claims. “They would now need to provide OTP logs, SMS records, and transaction authentication details if they reject a complaint,” says Anand. 

This requirement is expected to improve transparency in investigations. “It will reduce arbitrary rejection of complaints and strengthen consumer rights in digital banking disputes,” says Rahul Sheth, vice president, BusinessNext. 

The framework also introduces a more structured compensation mechanism. Earlier, compensation could vary across institutions. 

This benefit is available only once in an individual’s lifetime. “This can prevent misuse of the structure and keep it financially viable,” says Tabrej. 

Gadia adds that it will discourage moral hazard and encourage vigilance among users in protecting their digital credentials. 

Under the existing system, liability is zero if a customer reports an unauthorised transaction within three working days (if they were not negligent). It is capped according to the type of account if the transaction is reported within four to seven days. Under the new framework, compensation will be uniform, irrespective of account category, provided it is reported within five days. 

A few limitations 

The compensation is capped at ₹25,000, so it will not fully protect people who lose more. “As digital transactions grow, fraud values may increase, which could make the cap restrictive,” says Anand. 

The relief is also a one-time benefit. “This means limited support for people who are victimised multiple times,” says Tabrej. Gadia says customers will not receive full cover even when fraudsters execute multiple small transactions within a short period. 

Customers could be deprived of compensation if they don’t detect the fraud in good time. “The five-day reporting requirement may be challenging for such victims,” says Sheth. 

What customers need to do 

The final guidelines are awaited. They are likely to come into effect from July 1. 

Given the limited, one-time compensation, users must exercise all possible precautions while conducting digital transactions. Always double-check the receiver’s name and details before confirming a payment. “For new payees, first send a small amount on UPI to verify the recipient before sending larger sums,” says Akshay Garkel, partner and leader - cyber, Grant Thornton Bharat. Use only the ‘Pay’ option in UPI and do not approve unexpected ‘Collect’ requests. 

“Beneficiary-change requests received on WhatsApp should be verified by calling the vendor on the listed number,” says Dip Mehta, partner, EY Forensic and Integrity Services. Do not reveal OTPs and UPI PINs. “Customers should hang up and call the bank helpline if asked for them during a call,” adds Mehta. 

Be on guard against phishing attempts. “Avoid clicking on links sent through SMS, WhatsApp or email asking for KYC updates, deliveries or refunds,” says Garkel.

 

Don’t drop your guard

• Pause and verify before you pay, especially if request is urgent
• Short cooling period or call-back verification can disrupt scams that rely on urgency and isolation
• Review periodically the app permissions you have given and revoke those that are unnecessary  
• Secure your device and apps with a lock, use current software, and install official apps

 

The writer is a Mumbai-based independent journalist