A background note can be accessed here: RBI: Limiting Customer Liability in Digital Transactions
RBI’s draft introduces a shared compensation mechanism for small-value digital fraud losses reported within a defined time window. How should liability rules be designed so that stronger consumer protection does not weaken incentives for both customers and financial institutions to maintain prudent digital-security practices?
Concerns that compensation frameworks will spur misuse are understandable, but for low- to middle-income (LMI) users, the more immediate issue is under-reporting. Evidence shows that over 50 percent have faced phishing or vishing, yet fewer than 40 percent report incidents, and resolution rates are similarly low. A shared liability regime can therefore improve reporting, generating actionable data for financial service providers (FSPs) to strengthen fraud detection and prevention.
Design hinges on how “customer negligence” is defined. With increasingly sophisticated social engineering, broad or vague standards risk unfairly shifting liability onto victims and enabling claim denial. Definitions must be narrow, precise, and consistently applied.
The proposed phased reduction of the current 65 percent subsidy should be tied to explicit, time-bound milestones to ensure that FSPs invest in internal fraud prevention capacity. Publishing bank-wise fraud prevention and resolution metrics can further create reputational incentives.
Ultimately, liability design should complement, not substitute, prevention. Scalable behavioural AI systems that detect anomalous transactions in real time are essential to reducing fraud incidence at the source.
RBI’s framework expands the definition of fraudulent transactions and places the burden of proof on banks while mandating real-time alerts and faster complaint processing. What operational and supervisory challenges could arise for banks and payment intermediaries in implementing these standards at scale in India’s high-volume digital payments ecosystem?
Implementing expanded liability and real-time obligations across India’s high-volume payments ecosystem – processing over 228 billion UPI transactions annually – poses asymmetric challenges. Larger banks can adapt with incremental upgrades, but smaller institutions, including regional rural banks and small finance banks serving LMI populations, face binding constraints in technology, staffing, and compliance capacity.
A uniform implementation deadline risks two outcomes: widespread non-compliance or strategic withdrawal from higher-risk customer segments, both of which undermine financial inclusion. The framework should therefore adopt differentiated timelines calibrated to institutional capacity, alongside structured technical support from the RBI and sponsor banks.
Shared infrastructure is critical. Open, interoperable fraud detection tools – such as behavioural anomaly detection systems akin to MuleHunter.AI – can reduce duplication and lower entry barriers. Expecting each institution to independently build advanced systems is neither efficient nor feasible.
Supervisory design must also evolve: monitoring should focus on system-level resilience and coordinated response capabilities, rather than uniform compliance checklists that may not reflect institutional diversity.
How should regulators balance stronger liability protections with innovation and financial inclusion objectives so that enhanced safeguards reinforce, rather than slow, the growth of digital transactions?
India’s digital payments growth has been driven by ease of use, but sustaining it now depends on trust. Fraud is a material deterrent: roughly one in five UPI users has experienced it, and nearly half of affected users reduce or stop using digital financial services due to fear of loss. Strengthening liability protections can help restore confidence, if paired with ecosystem-wide safeguards.
First, consumer awareness must move beyond static information campaigns to experiential learning. Gamified, vernacular, mobile-first modules embedded in UPI onboarding can build practical fraud recognition skills at scale.
Second, enforcement against dark patterns is essential. Regulators need systematic monitoring and credible penalties to ensure compliance with RBI guidelines that prohibit deceptive interface designs that nudge unintended transactions.
Third, the regulatory sandbox should function as a co-creation platform. RBI, NPCI, banks, and fintechs can jointly develop and deploy open-source fraud prevention tools, made accessible at subsidised costs to all regulated entities.
Together, these measures shift the system from reactive compensation to proactive trust-building, supporting both continued innovation and deeper financial inclusion.