This article is for educational and legal awareness purposes only. It does not constitute legal advice or solicitation. Please consult a qualified advocate for advice on specific legal matters.
Introduction
Unauthorized bank transactions — whether through cloned ATM cards, phishing emails, compromised net banking credentials, or fraudulent UPI transfers — have become one of the most common forms of cyber crime in India. The Reserve Bank of India (RBI) has established a protective framework through its circular dated 6 July 2017 (RBI/2017-18/15) that limits customer liability and places the burden of proof on banks. Additionally, the Information Technology Act, 2000 and the Bharatiya Nyaya Sanhita (BNS), 2023 provide criminal remedies against perpetrators.
This article explains the types of bank fraud, the RBI’s customer protection framework, the step-by-step process for reporting and recovering funds, applicable criminal provisions, and key case law.
Common Types of Bank Account Fraud
ATM/Debit Card Fraud
Criminals use card skimming devices attached to ATM machines to copy card data, or install hidden cameras to capture PINs. Cloned cards are then used for unauthorized withdrawals.
Credit Card Fraud
Unauthorized card-not-present (CNP) transactions through stolen card details, or physical card theft followed by contactless or signature-based transactions before the card is blocked.
Net Banking and Mobile Banking Fraud
Fraudsters obtain login credentials through phishing emails, fake banking websites, malware, or vishing (phone calls impersonating bank officials). Once credentials are compromised, funds are transferred out.
UPI Fraud
Common methods include sending fake payment requests disguised as refunds, “collect” requests from unknown parties, or tricking victims into scanning malicious QR codes that debit (rather than credit) their accounts.
SIM Swap Fraud
Fraudsters obtain a duplicate SIM card of the victim’s mobile number by impersonating the victim before the telecom operator. Once the SIM is swapped, all OTPs are received by the fraudster, enabling unauthorized transactions.
Social Engineering
Calls or messages impersonating bank officials, RBI officers, or government authorities, inducing victims to share OTPs, PINs, CVVs, or install remote access applications on their devices.
RBI Customer Protection Framework
RBI Circular — 6 July 2017 (RBI/2017-18/15)
The RBI circular titled “Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” establishes a three-tier liability framework based on the cause of the fraud and the speed of reporting.
Zero Liability of Customer
A customer has zero liability (bears no financial loss) in two situations:
- Bank’s fault: The unauthorized transaction occurs due to contributory fraud, negligence, or deficiency on the part of the bank — regardless of when the customer reports it
- Third-party breach reported within 3 days: The unauthorized transaction is caused by a third party (not the bank or the customer), and the customer reports it to the bank within 3 working days of receiving communication from the bank regarding the transaction
Limited Liability of Customer
If the unauthorized transaction is caused by a third party and the customer reports it between 4 and 7 working days of receiving communication, the customer’s liability is capped at the following amounts:
| Account Category | Maximum Customer Liability Per Transaction |
|---|---|
| Basic Savings Bank Deposit (BSBD) accounts | Rs 5,000 |
| Basic savings accounts, pre-paid instruments (PPIs), MSME overdraft accounts, individual current accounts (up to Rs 25 lakh balance), credit cards (up to Rs 5 lakh limit) | Rs 10,000 |
| All other current/overdraft accounts, credit cards (above Rs 5 lakh limit) | Rs 25,000 |
Customer Bears Full Loss
The customer bears the entire loss in two scenarios:
- Customer negligence: Where the loss is due to the customer’s own negligence — such as sharing payment credentials (PIN, OTP, password, CVV) — the customer bears the loss until they report the unauthorized transaction to the bank. After reporting, the bank bears any further loss.
- Delayed reporting beyond 7 days: If the customer reports the unauthorized transaction after 7 working days, liability is determined as per the bank’s Board-approved policy.
Bank’s Mandatory Obligations
The RBI circular imposes specific obligations on banks:
- Shadow reversal within 10 working days: The bank must credit the disputed amount back to the customer’s account within 10 working days of the customer’s notification, without waiting for settlement of the insurance claim or completion of investigation
- Resolution within 90 days: The complaint must be resolved and liability determined within 90 days from the date of receipt of the complaint
- Burden of proof on the bank: The bank must prove that the customer was negligent — the customer does not have to prove innocence
- SMS/Email alerts: Banks must send real-time transaction alerts and provide easy mechanisms for customers to report unauthorized transactions (toll-free helpline, SMS, email, website, and dedicated toll-free number for card blocking)
Immediate Steps After Discovering Unauthorized Transactions
Step 1: Report to the Bank Immediately
- Call the bank’s 24/7 customer care and report the unauthorized transaction
- Request immediate blocking of the compromised card, net banking access, or UPI ID
- Note down the complaint reference number and the name of the representative
- Follow up with a written complaint via email or the bank’s online grievance portal
Important: The 3-day clock for zero liability starts from the date the bank sends communication (SMS/email alert) about the transaction. Report as soon as possible.
Step 2: Call the Cyber Crime Helpline — 1930
The Government of India operates a Cyber Financial Fraud Reporting Helpline (1930), managed under the Citizen Financial Cyber Frauds Reporting and Management System (CFCFRMS). This system is designed for real-time interception:
- Call 1930 and report the fraud with transaction details
- The system alerts the recipient bank/wallet to freeze the fraudulent account before funds are withdrawn
- Available 24 hours, 7 days a week
Step 3: File a Complaint on the National Cyber Crime Reporting Portal
Visit https://cybercrime.gov.in and file a detailed complaint:
- Select “Report Cyber Crime” → “Report Other Cyber Crime” or “Financial Fraud”
- Provide personal details and a description of the fraud
- Upload supporting evidence — bank statements, transaction alerts, screenshots
- A complaint acknowledgement number is generated for tracking
Step 4: File an FIR at the Local Police Station
If the cyber crime portal alone is insufficient, file a First Information Report (FIR) at the nearest police station or the dedicated Cyber Crime Cell:
- In Uttar Pradesh, Cyber Crime cells operate at the district level under the supervision of the SP (Crime)
- In Lucknow, the Cyber Crime Police Station is located at Hazratganj
- Provide copies of bank statements, transaction details, and the complaint filed on cybercrime.gov.in
Step 5: Approach the Banking Ombudsman (if Bank Does Not Resolve)
If the bank does not resolve the complaint within 30 days, or if the resolution is unsatisfactory, file a complaint with the RBI Ombudsman through the Complaint Management System (CMS):
- Online portal: https://cms.rbi.org.in
- Toll-free number: 14448
- Email: crpc@rbi.org.in (for general queries)
The Ombudsman can award compensation including the disputed amount, interest, and costs.
Criminal Provisions — IT Act 2000 and BNS 2023
Information Technology Act, 2000
| Section | Offence | Punishment |
|---|---|---|
| 43 | Unauthorized access to a computer system, downloading data, introducing viruses | Compensation up to Rs 5 crore (adjudication by IT Adjudicating Officer) |
| 43A | Failure to protect sensitive personal data by a body corporate | Compensation to affected person (no upper limit specified) |
| 66 | Computer-related offences (dishonestly or fraudulently performing any act referred to in Section 43) | Imprisonment up to 3 years, or fine up to Rs 5 lakh, or both |
| 66C | Identity theft — fraudulent use of electronic signature, password, or unique identification feature | Imprisonment up to 3 years, and fine up to Rs 1 lakh |
| 66D | Cheating by personation using a computer resource | Imprisonment up to 3 years, and fine up to Rs 1 lakh |
Bharatiya Nyaya Sanhita (BNS), 2023
The BNS replaced the Indian Penal Code with effect from 1 July 2024. Key provisions applicable to bank fraud include:
| BNS Section | Offence (IPC Equivalent) | Punishment |
|---|---|---|
| 318 | Cheating (IPC 420) — dishonestly inducing delivery of property | Imprisonment up to 7 years, and fine |
| 319 | Cheating by personation (IPC 416) | Imprisonment up to 5 years, or fine, or both |
| 316 | Cheating (IPC 415) — general definition | As per specific punishment sections |
| 336(3) | Forgery of a valuable security or electronic record (IPC 467) | Imprisonment up to 10 years, and fine |
| 340 | Using a forged document or electronic record as genuine (IPC 471) | Punishment as if the person had forged the document |
Section 46 — IT Act Adjudicating Officer
For compensation claims up to Rs 5 crore arising from unauthorized access, data theft, or failure to protect data (Sections 43 and 43A), an affected person may approach the Adjudicating Officer appointed under Section 46 of the IT Act. This provides a faster remedy than filing a civil suit.
Key Case Law
State Bank of India v. Pallabh Bhowmick & Ors. (2025)
The Supreme Court (Justice J.B. Pardiwala and Justice R. Mahadevan) dismissed SBI’s appeal in a case involving fraudulent withdrawals from a customer’s account. The Court upheld that the bank is fully liable for unauthorized transactions when the customer has not been negligent. The Court referenced Clauses 8 and 9 of the RBI Circular dated 6 July 2017 and held that banks must utilise the best available technology to detect and prevent unauthorized transactions. The customer was awarded a refund of Rs 94,204.80 with interest.
Key Legal Principle: Banks bear full liability for fraudulent withdrawals where the customer is not negligent; banks must deploy adequate technology safeguards.
Hare Ram Singh v. Reserve Bank of India (2024)
The Delhi High Court (Justice Dharmesh Sharma) delivered a significant ruling clarifying financial institutions’ duties to protect customers from cyber fraud. The Court held that banks are obligated to comply with RBI circulars on customer protection and cannot shift the burden of loss to customers by claiming standard terms and conditions.
Key Legal Principle: Banks cannot rely on standard terms and conditions to avoid liability for unauthorized transactions; RBI consumer protection circulars are binding.
National Payments Corporation of India — CFCFRMS Data (2024)
The Citizen Financial Cyber Frauds Reporting and Management System (CFCFRMS) — accessible through the 1930 helpline — has facilitated the interception and recovery of substantial amounts. According to the Ministry of Home Affairs, prompt reporting through 1930 has led to the freezing of funds in thousands of cases, underscoring the importance of immediate reporting.
Consumer Forum Remedy
If the bank fails to credit the disputed amount or resolve the complaint satisfactorily, an affected customer may file a consumer complaint under the Consumer Protection Act, 2019:
- District Commission: Claim value up to Rs 1 crore
- State Commission: Rs 1 crore to Rs 10 crore
- National Commission (NCDRC): Above Rs 10 crore
The complaint may be filed against the bank for “deficiency in service.” Consumer fora have consistently awarded refunds, interest (typically 9–12% per annum), and compensation for mental agony in bank fraud cases.
Online filing: Complaints may be filed electronically through the e-Daakhil portal at https://edaakhil.nic.in.
Limitation Periods
| Claim Type | Limitation Period | Authority |
|---|---|---|
| Report to bank (for zero liability) | 3 working days of receiving transaction alert | RBI Circular, 6 July 2017 |
| FIR / Criminal complaint | No limitation for cognizable offences | Bharatiya Nagarik Suraksha Sanhita |
| Consumer complaint | 2 years from cause of action | Section 69, Consumer Protection Act, 2019 |
| IT Act compensation (Adjudicating Officer) | No specific limitation prescribed | Information Technology Act, 2000 |
| Banking Ombudsman complaint | 1 year from the date of bank’s final reply (or 1 year and 30 days if no reply) | RBI Integrated Ombudsman Scheme, 2021 |
Important Points to Remember
- Report unauthorized transactions within 3 working days of receiving the bank’s transaction alert to ensure zero liability under RBI guidelines
- The burden of proof lies on the bank — the customer does not have to prove innocence; the bank must prove negligence
- The bank must credit the disputed amount within 10 working days of the customer’s report (shadow reversal), without waiting for investigation completion
- Never share OTP, PIN, CVV, or passwords with anyone, including persons claiming to be bank officials — banks never ask for these
- Call 1930 immediately after discovering fraud — the CFCFRMS system can freeze funds in real time before they are withdrawn
- File an online complaint at cybercrime.gov.in in addition to the bank complaint and 1930 call
- If the bank does not resolve the issue within 30 days, approach the RBI Ombudsman at https://cms.rbi.org.in
- Consumer forum complaints are an effective remedy — courts routinely award refund, interest, and compensation for mental agony
- The IT Act provides for compensation up to Rs 5 crore through the Adjudicating Officer for unauthorized access and data theft
Useful Resources
- National Cyber Crime Reporting Portal — File cyber fraud complaints online
- RBI Complaint Management System — Banking Ombudsman complaints
- e-Daakhil — File consumer complaints online
- RBI Customer Protection Circular — Full text of the 6 July 2017 circular
- Indian Kanoon — Search case law and statutory provisions
- Cyber Crime Helpline: 1930 (24/7)
- RBI Ombudsman Helpline: 14448
- EPFO-style missed call for bank balance: Contact your specific bank
Disclaimer: The information provided on this website is for general legal awareness and educational purposes only. It does not constitute legal advice, advertisement, or solicitation. No reader should act or refrain from acting based on this information without seeking professional legal counsel. Advocate Akhil Singh and this website are not liable for any actions taken based on the content provided herein.