What holds banks back from supporting customers in case of frauds despite RBI directives?
Tejinder Singh Bedi
Considering the dire need for limiting the liability of customers in unforeseen situations of unauthorized electronic banking transactions and to make the banks more accountable for such unsuspected losses to its customers, the Reserve Bank of India (RBI) has laid clear directives but much remains to be done in ensuring that these are diligently followed by all of the banks.
A recent circular of the RBI has again highlighted that in cases of frauds due to any wrongdoing in the electronic media, all scheduled banks including RRBs have to return/refund the money within 10 days provided a complaint has been lodged within 3 days of the fraudulent transaction.
My wife, Mrs. Ravinder Bedi, a Senior Citizen, had a Savings Bank A/C No 039901550531 with the ICICI bank’s branch in Sun City, Sector 54 Gurgaon, since transferred to Noida.
She had never opted for Internet Banking either in writing or through any other mode of communication. She has not been email friendly nor a user of the common ITES services and hence also for this account. She had been accessing the bank through personal visits only and very rarely, and as such this account remained fairly dormant, in which she had been putting her limited savings off and on to be able to use the same for unforeseen exigencies in her advancing age.
I am also by now a retired private sector professional with no regular income nor any pension with our limited lifelong savings supporting us in this phase.
On April 15, 2015, my wife was reached on her registered mobile phone around 12.06 hrs asking her to update her KYC details as otherwise her account might be closed.
The number from which the call came was 7091765502. As the conversation was progressing with the online fraudulent transaction being attempted on NPCI’s (National Payments Corporation of India’s) platform another call came from ICICI’s own number 4033468200, stating that suspecting the fraudulent transaction the bank was blocking my wife’s linked ATM Card and that the transaction was being monitored and that the debit will not be reflected in her account. The hoax call had been detected within minutes of its start by the bank.
By the evening of the same day, however, my wife got a message on her registered mobile that her said account had been debited for an amount of Rs 40005.62 (on 15.04.2015 at 12.06.18) and credited into an unknown account (Info.MMT*510512364116**164*).
A complaint was immediately registered on the Website of the ICICI Bank. My wife and I personally visited the branch in Gurgaon the next day and explained the matter to the Deputy Branch Manager, Sachin Saini, who confirmed that the phone call that immediately intercepted the fraudulent transaction occurring for an unusually big amount for her in a more or less dormant account was actually from the ICICI’s cyber crime cell at Hyderabad and that the cell will be investigating the matter and update me about the details.
As advised, I also followed up the matter with the Risk Management Division of the ICICI Bank in Jhandewalla, where I was told by one Harish on May 11, 2015 at 10.24 hrs that the bank was not in a position to offer any resolution to our loss except calling for all the details already shared multiple times with the various officials and offices of the bank.
As advised by the bank further, I kept following up with one Krishan Govindan and another Shiva Kumar Todikonda of the bank but no updates were ever provided as they pleaded helplessly to share any details with me. An interim update from the bank subsequently said that I would be updated about the progress of the internal investigations by May 18, 2015, which was subsequently further extended to May 27, 2015.
Having faith in the hugely promoted leadership stature of Mrs. Chanda Kochhar, the Chairperson of the ICICI bank, by the media, I finally approached her to look into the matter and have it resolved as soon as possible and to ensure that my wife’s account was at least shadow credited for this unjustified, unaccepted, illegal, not opted for transaction of Rs 40005.62 together with the interest being lost on the same till the date of credit (besides accompanying inconvenience being caused to both of us for uncalled for repeated calls, follow-ups) immediately, when the bank itself had acknowledged the fraudulent transaction happening having been detected almost parallelly, within minutes of its occurrence, and our formal written complaint had also been lodged with the concerned Bank’s Deputy Branch Manager (its highest official then) the very next day.
Having shared all of the best details saved by us with the bank, I also requested the bank officials to share with me the details of the complete account number, the beneficiary (Name), bank/organization with its addresses and contacts this debit had been credited to — though it has been nearly three years that no update has come from the ICICI Bank. In addition in the intervening period for most of the time, her account was also frozen and the debit card kept locked.
The recent circular from RBI further clarifies that the police complaint, insurance claim (if necessitated) are to be initiated by the bank and not by the customers. Referring to its earlier circular No. DBOD.Leg.BC.86/09.07.007/2001–02 dated April 8, 2002 (and another Master Circular DBR.No.FSD.BC.18/24.01.009/2015–16 dated July 1, 2015) on the subject and regarding the reversal of erroneous debits arising from fraudulent or other transactions, the RBI has further addressed its directives vide circular number RBI/2017–18/15 DBR.No.Leg.BC.78/09.07.005/2017–18 dated July 6, 2017.
For the safety of other common bank account holders, I deem it pertinent to note here that most of the banking institutions have not given adequate or even basic publicity about such provisions to their customers in the past. Since the introduction of credit/debit card products after the mid-nineties, most have been selling these products very aggressively to even unregistered and uninterested customers, but none seem to have done enough to educate and train their customers, especially housewives, young students and most of the other non-IT savvy population exposed to the misuses and frauds possible through such alternate products. The lack of adequate awareness drives and of training and education of the customers for their accountability as envisaged by the RBI seems to be only a natural fallout of this overall scheme of things.
As per RBI’s circular, the electronic banking transactions are divided into two categories, viz., firstly, remote/online payment transactions (transactions that do not require physical payment instruments to be presented at the point of transactions e.g. internet banking, mobile banking, card not present (CNP) transactions), Pre-paid Payment Instruments (PPI), and secondly, face-to-face/proximity payment transactions (transactions which require the physical payment instrument such as a card or mobile phone to be present at the point of transaction e.g. ATM, POS, etc.).
The systems and procedures in banks have to be designed to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers; robust and dynamic fraud detection and prevention mechanism; mechanism to assess the risks (for example, gaps in the bank’s existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events; appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom; and a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.
As per RBI directives, the liability of the customer in cases of fraudulent transactions in his/her account varies from zero to the actual loss. A customer’s entitlement to zero liability arises where the unauthorised transaction occurs in the following events: contributory fraud/negligence/deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer); and third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction. A limited liability of the customer arises for the loss occurring due to unauthorised transactions in the following cases. Where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank; any loss occurring after the reporting of the unauthorised transaction has to be borne by the bank. Further, in cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system, and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in a separate schedule notified by the RBI. On being notified by the customer, the bank has to credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any).
As per RBI’s directives, banks also have the discretion to waive off any customer liability in case of unauthorized electronic banking transactions even in cases of customer negligence. In such cases, the credit shall be value dated to be as of the date of the unauthorized transaction.
Further, banks have to ensure that a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the bank’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions covering the same — where it is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the compensation as prescribed is paid to the customer; and in case of debit card/ bank account, the customer does not suffer loss of interest, and in case of credit card, the customer does not bear any additional burden of interest.
The burden of proving customer liability in case of unauthorized electronic banking transactions lies on the bank. The banks are also required to put in place a suitable mechanism and structure for the reporting of the customer liability cases to the Board or one of its Committees. The reporting has to inter alia, include volume/ number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Standing Committee on Customer Service in each bank shall periodically review the unauthorized electronic banking transactions reported by customers or otherwise, as also the action taken thereon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures. All such transactions are also required to be reviewed by the bank’s internal auditors.
Having reached nowhere near a resolution by the bank so far, I deem it appropriate to raise a few questions in the interest of many other unsuspecting customers of big banks like this, whose petty savings planned to cover their superannuated lives or medical needs in advancing age can be taken for a ride by any small to big-time cyber criminal too.
Why has the NPCI’s technology and that of the banks provided for transactions to even unknown, unverified accounts and unregistered beneficiaries through IMPS when hundreds of checks are mandatorily carried out for any other internet transactions or even physically carried transactions?
Even if speed is the criterion, why is it that IMPS permits transfer of amounts to any beneficiary’s account without having to know or personally key in the recipient’s account, IFSC code, especially where the beneficiaries are not registered, authorized and so accepted by the bank?
Why is it if the cyber cell of the bank in question had got auto alerted and had noticed the ongoing conversation from the stated number that though it could intercept, intervene it could not stop the process of transfer, credit, and debits immediately as normally happens in all secure internet banking transactions?
I feel very strongly about these issues, for many more unsuspecting account holders in this or other banks can be at the mercy of such rascals, and besides creating every possible preventive poka-yoke tool in such technological processes, such fraudsters and gangs need to be brought to book as soon as possible and the affected customers duly compensated.
The least that the banks with whom customers have maintained their savings accounts for long must do is to give back an advance credit of amounts siphoned off as such, especially when this has already come to their notice through their own cyber crime cells or on complaints from customers, and I am sure that the IT professionals managing these keys to the kingdoms these days for their absolute rights to reconfigure, access and control any systems would go all the way out to help us and customers like us.
If a huge bank like the ICICI after repeated follow-ups as in the case of my wife’s account for over three years now, has not shared what it had done or achieved to resolve the issue — can the nation continue to believe in such banking systems, bank officials any further?
And does all of such indifference towards the affected customers point to the involvement of some of the internal staff members or officers of the bank too in such frauds, which the banks may be overlooking or ignoring?