What changed
RBI inserted new definitions for Card Not Present, Card Present, electronic banking transaction, fraudulent EBT, customer negligence, PB negligence, and third-party breach into the 2025 Responsible Business Conduct Directions. These definitions clarify liability allocation for unauthorised transactions, effective from January 1, 2027.
What it means for you
Payments Banks must now clearly distinguish between customer negligence, bank negligence, and third-party breaches when handling unauthorised EBT claims. Banks face stricter accountability for system failures, delayed alerts, or inadequate reporting channels. Customers benefit from clearer rules on when they are liable, especially in scam or coercion scenarios.
What you must do
- Update internal policies and customer terms to reflect the new definitions by December 31, 2026.
- Ensure 24x7 reporting channels for fraudulent EBTs and debit card loss are operational and well-publicised.
- Train staff to assess customer negligence vs. bank negligence vs. third-party breach in each unauthorised transaction case.
- Review and strengthen alert systems and security protocols to meet the revised negligence standards.
Who it affects
Payments Banks, Customers of Payments Banks, Digital payment system operators
When do these new rules take effect?
The directions apply to electronic banking transactions undertaken on or after January 1, 2027.
What is a 'third-party breach' under these rules?
A third-party breach occurs when the deficiency lies neither with the Payments Bank nor the customer but elsewhere in the system, such as a network or technology provider failure.
Does this affect UPI transactions?
Yes, the definition of electronic banking transaction includes both Card Not Present and Card Present transactions, which covers UPI and other digital payments.