RBI Sets New Fraud-Liability Rules for Payments Banks From January 2027
Money vanishes from your Payments Bank account overnight. Was it your slip-up, the bank's negligence, or a hacker's move? RBI has now drawn clearer lines to decide who pays.
- RBI circular RBI/2026-27/169 amends the 2025 Payments Banks (Responsible Business Conduct) Directions
- The revised rules apply to electronic banking transactions (EBTs) done on or after January 1, 2027
- RBI added seven definitions: Card Not Present, Card Present, electronic banking transaction, fraudulent EBT, customer negligence, PB negligence, and third-party breach
- Payments Banks must update policies, train staff, and confirm 24x7 fraud-reporting channels by December 31, 2026
- The rules apply to Payments Banks, their customers, and digital payment system operators
- RBI/2026-27/169 adds seven new definitions for Payments Banks, including fraudulent EBT and third-party breach, effective January 1, 2027
- UPI and card transactions are both explicitly covered under the new 'electronic banking transaction' definition
- Payments Banks must update policies, train staff, and strengthen alert systems by December 31, 2026
- Similar liability definitions have been issued for UCBs and RRBs around the same effective date, per BankPulse's related coverage
What did RBI actually change?
RBI has amended the 2025 Responsible Business Conduct Directions for Payments Banks under circular RBI/2026-27/169. The change: seven new definitions — including fraudulent EBT, customer negligence, PB negligence, and third-party breach — now spell out who pays when money disappears from an account. Earlier, banks judged unauthorised-transaction complaints against broader, vaguer standards; now a bank can't simply cite a "system issue" and close the case.
Why does this matter to you?
If you bank with a Payments Bank — via a wallet-linked savings account, UPI, or a debit card — this amendment decides how fast you get refunded after fraud. The new electronic banking transaction definition covers both Card Not Present (UPI, online payments) and Card Present (physical card swipe) transactions, so UPI users are covered. Banks now carry more responsibility for delayed alerts, weak reporting, or slow detection — shifting risk from customer to bank when the bank was at fault.
How will banks decide who pays?
The amendment sorts every unauthorised transaction into three buckets:
- Customer negligence — you shared an OTP, PIN, or fell for a scam call.
- PB negligence — the bank's alerts were late, its systems were weak, or its 24x7 reporting channel didn't work.
- Third-party breach — the fault sits outside both of you, such as a network or technology provider failure.
Similar liability frameworks apply elsewhere — see how urban co-operative banks got comparable fraud-liability rules and how rural co-operative bank customers gained similar protection from 2027.
What must Payments Banks do before December 31, 2026?
RBI expects Payments Banks to act well before the January 1, 2027 effective date:
- Update internal policies and customer terms to reflect the new definitions.
- Keep a 24x7 channel open for reporting fraudulent EBTs and lost debit cards, and publicise it clearly.
- Train staff to classify each case correctly: customer fault, bank fault, or third-party fault.
- Strengthen alert systems and security protocols to meet the revised negligence standards.
A comparable deadline applies to regional rural banks, which face the same January 1, 2027 effective date for their own version of these rules.
🔭 The angle nobody's covering
Most coverage will stop at "new fraud rules for Payments Banks." What's missed: RBI appears to be building one common liability language across bank categories — Payments Banks, RRBs, and UCBs are all landing on similar January 1, 2027 definitions for negligence and third-party breach (per BankPulse's tracking of related circulars). If confirmed, that points to standardised dispute resolution across the system, not four unrelated updates. Watch whether Scheduled Commercial Banks get a similar amendment next.
Questions people ask
They apply to electronic banking transactions done on or after January 1, 2027. Transactions before that date follow the older rules.
It's when neither the customer nor the Payments Bank is at fault — the deficiency lies elsewhere, such as a network or technology provider failure.
Yes. The 'electronic banking transaction' definition includes Card Not Present transactions, which covers UPI and other digital payments.
They must update policies and customer terms, ensure 24x7 fraud-reporting channels work, train staff to classify negligence correctly, and strengthen alert systems — all by December 31, 2026.
It's a similar framework issued separately for Payments Banks. RBI has issued comparable liability definitions for UCBs and RRBs around the same effective date — check the official RBI source for each circular's exact text.