RBI’s New Digital Banking Fraud Rules from July 1, 2026: What Every Customer Should Know

India’s digital payments ecosystem has grown at an incredible pace over the last few years. From UPI transactions and mobile banking to online card payments, millions of people now rely on digital channels for their everyday financial needs. While this convenience has transformed banking, it has also opened the door to increasingly sophisticated cyber frauds.

To address these challenges, the Reserve Bank of India (RBI) has proposed a new set of rules through its Draft Third Amendment Directions, 2026 under the Responsible Business Conduct framework. Scheduled to come into effect on July 1, 2026, these proposed measures aim to provide stronger protection for customers who fall victim to digital banking fraud.

Stronger Protection for Digital Banking Users

The draft framework focuses on fraud involving electronic banking channels such as:

• UPI payments

• Internet banking

• Mobile banking

• Debit card transactions

• Credit card transactions

• ATM withdrawals

The proposed rules would apply to transactions carried out on or after July 1, 2026. They are intended for commercial banks, while small finance banks, payments banks, regional rural banks, and local area banks are currently outside the scope of these directions.

Revised Guidelines on Customer Liability

One of the most significant aspects of the proposal is the revision of customer liability rules for unauthorised electronic transactions.

According to the RBI’s draft issued on March 6, 2026, electronic banking transactions include payments made through internet banking, mobile banking, cards, or any other digital mode that qualifies as an electronic funds transfer under the Payment and Settlement Systems Act, 2007.

The objective is to create greater clarity around who bears responsibility when fraud occurs.

Clear Distinction Between Authorised and Fraudulent Transactions

The RBI has proposed a clearer definition of what constitutes an authorised transaction.

Any payment completed using customer authentication methods such as OTPs, PINs, passwords, or card credentials will generally be treated as an authorised transaction. Similarly, payments executed through standing instructions or mandates previously approved by the customer will also fall under this category.

However, the presence of authentication alone does not automatically eliminate the possibility of fraud.

Situations That May Still Be Considered Fraud

The draft directions recognise that many scams involve manipulation rather than direct system breaches. Certain transactions may still qualify as fraudulent, including:

• When a fraudster obtains banking credentials through deception and uses them to execute transactions.

• When a customer authorises a payment under coercion or pressure from scammers.

• When a customer is tricked into sending money to someone falsely posing as a legitimate individual or organisation.

These provisions acknowledge the growing prevalence of social engineering and online scams.

Defining Bank and Customer Negligence

The RBI has also attempted to clarify the responsibilities of both banks and customers.

Bank Negligence

Banks may be considered negligent if they:

• Fail to maintain secure digital systems.

• Do not send timely transaction alerts.

• Lack effective channels for customers to report fraud promptly.

Customer Negligence

Customers may be held responsible if they:

• Share passwords, PINs, or OTPs with others.

• Ignore fraud warnings issued by their bank.

• Download malicious applications that compromise account security.

The framework aims to encourage accountability on both sides while ensuring fair treatment during fraud investigations.

Recognition of Third-Party Breaches

Modern digital payments often involve multiple intermediaries beyond banks.

The RBI’s draft introduces the concept of third-party breaches, where the fault may lie with entities such as:

• Third-party application providers

• Payment aggregators

• Payment gateways

• Telecom service providers

By recognising failures across the wider payment ecosystem, the framework seeks to ensure that liability is assigned more appropriately.

Immediate Reporting Is Crucial

The RBI advises customers to report suspected fraudulent transactions without delay.

Victims should:

1. Inform their bank immediately.

2. File a complaint through the National Cyber Crime Reporting Portal.

3. Contact the National Cyber Crime Helpline at 1930 as soon as possible.

Prompt reporting can significantly improve the chances of recovery and strengthen eligibility for customer protection measures.

Proposed Compensation for Small-Value Fraud

One of the most customer-friendly proposals is the introduction of a compensation mechanism for genuine small-value digital fraud cases.

Under the draft:

• Individual customers suffering fraudulent losses of up to ₹50,000 may receive compensation.

• Eligible customers could receive 85% of the net loss or ₹25,000, whichever is lower.

• This benefit would be available once during the customer’s lifetime.

• The fraud must be reported to both the bank and the National Cyber Crime Portal or Helpline within five days of the incident.

The RBI has also indicated that most of this compensation would be funded by the central bank, with smaller contributions from the customer’s bank and the beneficiary bank. If stolen funds are later recovered, the compensation amount may be adjusted accordingly.

Final Thoughts

As digital payments become an integral part of daily life, fraud prevention has become equally important. The RBI’s proposed amendments represent a significant step toward strengthening consumer protection by clarifying liability, encouraging prompt reporting, and introducing financial relief for victims of genuine fraud.

While the framework is still in draft form, it signals a broader effort to build greater trust and confidence in India’s rapidly expanding digital banking ecosystem. For customers, the message is clear: remain vigilant, safeguard your banking credentials, and report suspicious transactions immediately to maximise available protections.

Disclaimer: This article is intended solely for educational and informational purposes. It is based on the RBI’s draft proposals and should not be interpreted as legal, financial, or investment advice. Readers should refer to official notifications and consult qualified professionals before making financial or legal decisions.