The bank will now have to make good your entire loss if it happens through an unauthorized transaction or due to a fault within the bank’s systems
This would easily qualify as one of the worst moments of your life. That ping which says: your account debited with Rs30,000, and your current balance is now Rs2,467.20. Your blood chills and hands shake as you realise that you’ve been robbed—this is not a transaction you just made. Did I schedule a payment and forget about it? Did my spouse, who has my personal identification number (PIN), make a transaction? But I did not get a one-time password (OTP). You feel exactly the same way as you would, had somebody physically snatched your purse out of your hands. Robbery leaves the same feeling of disbelief and damage, whether it is virtual or not—the loss is very real.
While the loss you take home when cash is ripped out of your hand is yours, the responsibility is that of the bank when it happens in the virtual world. The banking regulator, Reserve Bank of India (RBI), has taken forward the draft it had released in August 2016 that thought through liability issues of electronic theft of money. The bank will now have to make good your entire loss if it happens through an unauthorized transaction or if the electronic theft happens due to a fault within the bank’s systems. You don’t even need to report this. For instance, when the data of nearly 3.2 million debit cards was compromised between May and July 2016, it was due to a virus in the systems of Hitachi Payment Services, the firm that manages the bank’s ATM network. In an event such as this, you do not have to report the loss of money, the bank will have to make good on it because its system failure caused the loss and many people are affected.
What if you lose money due to somebody cloning your ATM PIN and withdrawing cash, or a waiter in a restaurant copying your card details seeing your PIN as you key it in? RBI says that in such cases, where the deficiency is not with the bank or the customer, but with a third party, you need to notify the bank in 3 working days from the time you got an alert from the bank about the unauthorized debit. If you do that, the bank will make good your loss. What if you are unable to report in 3 days? Between day four and seven, the bank and you will share the loss with your liability ranging from Rs5,000 to Rs25,000. Read the RBI release to see the exact details of this here. What if you are abroad and your phone and e-mail are off? Post seven days, the loss sharing will be determined by the bank’s board-determined policy.
Many people use their personal credit cards for office use or share details of PIN numbers with staff for banking transactions. If this facility is misused, you will bear the loss till the time you report this to the bank. Once you have reported it and if the money continues to be stolen, the bank has to make good your loss. The bank has to credit your account, after you report the theft, within 10 working days. The bank must ensure that you can reach it 24x7 through many routes—phone, email, SMS, toll free helpline. You can also just hit reply to the debit SMS or mail, so that you don’t have to search for the complaint details. Many of us remember searching frantically for the complaint number on getting an unauthorized debit SMS. Sometimes you are travelling or in meetings and cannot immediately spend the 10-15 minutes needed for this. Just hitting reply is a no-brainer but it has taken the regulator to suggest it to the otherwise always-on tech-savvy and with-it banking channel.
There are many good things in the RBI step. One, RBI has bounced the responsibility of safety of electronic money at the banks. The banks, says the RBI release, must have systems and procedures “designed to make customers feel safe about carrying out electronic banking transaction”. Two, RBI is closing the doors that allow banks to escape responsibility. For instance, RBI telling banks that the customer should be able to hit reply to the SMS or mail that reports a debit to you, shows a new pragmatism in understanding the customer and also the capacity for obfuscation of banks. This is good stuff. RBI and other financial sector regulators must take the same philosophy forward when they think about consumer protection in general. The liability of an accident must lie with the service provider. Only then will the firms ensure that their processes and incentives nudge customer-friendly behaviour.
What should you do? RBI wants the banks to make it mandatory for you to register for SMS alerts and register your email addresses. So please go ahead and sign up. I know the banks charge for this, and RBI needs to think this through better, but a few rupees is a small price to pay for safety. Be careful with your passwords and PINs. Do not grandly key in the credit card PIN at a shop. The check-out guy may not be looking but his assistant right behind your left shoulder may be peering carefully at your finger movements. In this age of multiple cards, have a system in your wallet that alerts you if one card is missing. It sounds terribly boring but having the complaint number added to the name of the bank in your phone address book is not a bad idea.