🏛️ Evolution of RBI's Cyber Security Framework

The Reserve Bank of India has progressively strengthened its cyber security and fraud reporting framework in response to increasing digital payment frauds. The key regulatory milestones include:

  1. IT Act 2000 & Amendments (2000 / 2008)
     Foundation of electronic banking law: Section 43 (computer offences), Section 66 (hacking), Section 72 (breach of confidentiality)

  2. RBI Master Circular on Fraud Classification (July 2016)
     Comprehensive framework for fraud reporting, classification, and monitoring by banks

  3. Customer Protection Circular (RBI/2017-18/15) (July 2017)
     Zero liability, limited liability, and customer duty norms for unauthorized electronic transactions

  4. Cyber Security Framework for Banks (June 2016)
     Mandatory cyber security operations centre (C-SOC), incident reporting, and resilience requirements

  5. Integrated Ombudsman Scheme 2021 (November 2021)
     Single-window complaint redressal for all banking, NBFC, and payment system complaints

📋 Master Circular on Fraud — Key Provisions

📌 RBI Master Direction on Frauds (DBS.FrMC.BC.No.1/23.04.001/2016-17)
This circular mandates banks to report all frauds of ₹1 lakh and above to RBI within 3 weeks. It establishes a comprehensive fraud monitoring system with quarterly reporting requirements.

Fraud Classification Categories

  • 💳 Card Fraud: Skimming, cloning, CNP fraud, ATM attacks
  • 🌐 Internet Banking: Phishing, vishing, malware, unauthorized access
  • 📱 Mobile Banking: SIM swap, app cloning, fake apps, smishing
  • 💸 UPI Frauds: Collect request scams, fake UPI IDs, QR code fraud

Reporting Thresholds & Timelines

Fraud Amount            | Reporting To              | Timeline               | Form
₹1 lakh to ₹50 lakh     | RBI Regional Office       | Within 3 weeks         | FMR-1
₹50 lakh to ₹1 crore    | RBI + Police              | Within 3 weeks         | FMR-1 + FIR
₹1 crore to ₹25 crore   | RBI + CBI/Local Police    | Within 3 weeks         | FMR-1 + FIR
Above ₹25 crore         | RBI + CBI (Mandatory)     | Immediate + 3 weeks    | FMR-1 + FIR

🔐 Bank Security Obligations

RBI has mandated comprehensive security requirements for banks conducting electronic banking operations:

Technical Security Requirements

  • Two-Factor Authentication (2FA): Mandatory for all electronic transactions above threshold
  • SMS/Email Alerts: Real-time transaction alerts to registered mobile/email
  • Cooling-Off Period: For high-value beneficiary additions (varies by bank)
  • Session Timeout: Auto-logout after inactivity in internet/mobile banking
  • Device Binding: Mobile banking restricted to registered devices
  • IP Monitoring: Geo-location based transaction monitoring

Organizational Requirements

  • CISO Appointment: Chief Information Security Officer at senior level
  • Cyber Security Operations Centre (C-SOC): 24x7 monitoring
  • Incident Response Team: Dedicated team for cyber incident handling
  • Annual VAPT: Vulnerability Assessment & Penetration Testing
  • ISO 27001 Certification: Information security management system

💡 Real-World Example: Security Failure → Bank Liability

Scenario
Mr. Sharma received a phishing link. The bank's system nonetheless allowed a ₹5 lakh transfer without an OTP because of a "technical glitch" that bypassed 2FA. Mr. Sharma reported the transaction within 24 hours.

Result
Bank 100% liable. The bank's failure to implement mandatory 2FA constitutes negligence. The customer gets a full refund regardless of having clicked the phishing link, because the bank's security failure was the proximate cause.

⏱️ Customer Reporting Timelines

The 2017 Customer Protection Circular establishes strict timelines for customers to report unauthorized transactions:

📌 Critical Rule: Report IMMEDIATELY
The moment a customer notices any unauthorized transaction, they must report it to the bank. Delay in reporting directly affects liability allocation — from zero liability to full customer liability.

Reporting Timeline      | Customer Liability                  | Bank Liability
Within 3 working days   | Zero (if bank/third-party fault)    | 100%
4 to 7 working days     | Limited (max ₹10,000-₹25,000)       | Balance amount
Beyond 7 working days   | As per bank's Board-approved policy | Varies

⚠️ Critical Practice Point
Always advise clients to report fraud IMMEDIATELY — same day if possible. The difference between Day 3 and Day 4 can mean the difference between zero liability and ₹25,000 customer liability!

📧 Mandatory Communication Channels

Banks must provide multiple 24x7 channels for customers to report unauthorized transactions:

  • Dedicated Helpline: 24x7 toll-free number for fraud reporting
  • SMS: Send "BLOCK CARD" or similar keyword to registered number
  • Email: Dedicated fraud reporting email address
  • Mobile App: In-app fraud reporting feature
  • Branch Visit: During banking hours
  • Website: Online complaint form

✅ Best Practice for Lawyers
Always advise clients to report through multiple channels simultaneously — call the helpline AND send an email AND visit the branch. This creates multiple timestamps and prevents banks from claiming "no record of complaint."

Documentation to Preserve

  • Screenshot of transaction SMS/notification
  • Call recording of helpline complaint (if possible)
  • Complaint acknowledgment number
  • Copy of email sent to bank
  • Bank statement showing unauthorized transaction
  • Police FIR/NC copy

📝 Part 11.1 Quiz

Q1: RBI Customer Protection Circular for electronic banking was issued in:

Q2: Banks must report frauds above ₹1 lakh to RBI within:

Q3: For frauds above ₹25 crore, reporting to which agency is mandatory?

Q4: Customer gets zero liability if they report fraud within:

Q5: Which of the following is NOT a mandatory bank security requirement?

Q6: C-SOC stands for:

Q7: RBI Integrated Ombudsman Scheme was launched in:

Q8: Form for reporting fraud to RBI is:

Q9: If bank's 2FA system fails and fraud occurs, who bears liability?

Q10: Best practice when reporting fraud is to: