RBI issues directive limiting the liability of customers in unauthorised electronic payment transactions in Prepaid Payment Instruments issued by authorised Non-Bank Issuers.
The Reserve Bank of India (RBI) vide its Notification No. DPSS.CO.PD.No.1417/02.14.006/2018-19 dated 4 January 2019 (“the Directive”) has taken steps to limit the liability of customers in respect of unauthorized electronic payment transactions through Prepaid Payment Instruments (PPIs) issued by Authorised Non-banks. The said Directive should be read alongside with the paragraphs 15 and 16 of RBI’s Master Direction on Issuance and Operation of Prepaid Payment Instruments (“the PPI Master Direction”) which already provides a framework for ‘Risk Management’ and ‘Customer Protection’. Under the present Directive, the criteria for determining customers’ liability under the extant framework have been further reviewed.
The provisions of the Directive will be applicable to all authorised non-bank PPI issuers only. Bank PPI issuers will not have to follow the provisions of the Directive. Furthermore, PPI for Mass Transit Systems (PPI-MTS) will be outside the purview of the Directive, except for cases of contributory fraud/ negligence/ deficiency on the part of the PPI-MTS.
For the purpose of the Directive, electronic payment transactions have been divided into two categories for the purpose of the Directive:
- Remote/Online payments transactions e.g. wallets, card not present (CNP) transactions.
- Face-to-face/Proximity payment transactions e.g. transactions at point of sale.
The Directive brings forth the following two important changes:
Reporting of unauthorised payment transactions by customers to PPI issuers:
PPI issuers will have to comply with the following conditions:
- PPI issuers must ensure that their customers mandatorily register for SMS alert or e-mail alerts (wherever available), and that mandatory SMS or e-mail alert is sent to the customers, and the transaction alert has a contact number and / or e-mail id on which the customer can report unauthorised transactions or notify the objection. Customers must also have 24´7 access via website, SMS, e-mail, or a dedicated toll-free helpline number.
- Customers must be advised by the PPI issuers to notify the PPI issuer of any unauthorized electronic payment transaction at the earliest, and that the longer the customer takes to notify the PPI issuer, the higher will be liability of the customer.
A direct link for lodging complaints, with a specific option to report unauthorized transactions, must be provided by PPI issuers on their mobile app, home page of website, or any other evolving acceptance mode. PPI issuers must ensure to resolve the complaint within 90 days from the receipt of the complaint.
- PPI issuers should have in place a loss/ fraud reporting system to send immediate response (including auto-response) to customers acknowledging the complaint. All the relevant data pertaining to time and date of deliveries and receipt of customer response must also be recorded within the PPI issuers’ systems.
- Limited Liability of a customer:
The Directive limits the liability of customers in stipulated cases based on the number of days the customer takes to report the issue, the longer time the customer takes to report, the higher is his/her liability. The classification of liability is broken down as follows:
- In case of contributory fraud/negligence/deficiency on part of the PPI issuer, there is no liability of customer.
- In case of a third-party breach, i.e. neither the customer nor the PPI issuer being responsible for the deficiency, the customer liability will depend upon the number of days lapsed between receipt of transaction communication and the reporting of unauthorised transaction by the customer-
- If within three days, then no customer liability.
- If within four to seven days then customer will be liable for the transaction value or Rs. 10,000 per transaction, whichever is lower
- Beyond seven days the customer liability will be as per the approved policy of the board of directors of the PPI issuer.
- In case where the loss is due to the negligence of the customer, i.e. cases where customer shares the payment credentials themselves, the customer will bear the entire loss until the customer reports the unauthorised transaction to the PPI issuer. If any loss occurs after the reporting of the unauthorized transaction, it shall be borne by the PPI issuer.
PPI issuers may also decide to waive off any customer liability at their own discretion even if it involves customer’s negligence.
Even in cases where customers are sought to made liable, the burden of proof of negligence/deficiency/liability shall at all times lie with the PPI issuers. Further, the Directive requires the PPI issuer to credit the amount involved in unauthorized transaction within 10 days from the date when customer notifies the PPI issuer about unauthorised electronic payment. This should be done even if such reversal breaches the maximum permissible limit applicable to that type / category of PPI.
The Directive also imposes important compliances in the form of requirement for a board approved policy for customer protection, reporting and monitoring of compliances.