How to get Money Back in Online Fraud Cases

Money Refund Process in Online Fraud Cases:

There has been a sudden surge in number of people using online banking services. The underlying factors include government thrust on digital payments especially post demonetization, cheaper internet facility and smart phone becoming ubiquitous in India. However, with rise in online payments, there has been similar increase in online fraudulent transactions too. 

According to RBI annual report for the year 2018-19, the number of cases of frauds reported by banks increased by roughly 15% vis-à-vis last year. And as per crime data, identity theft accounts for 77% of the fraud cases registered in India. Another analysis suggests that, “one in every three Indian will be affected by identity theft at some point in their lives”.

Thus, virtual world crimes including cyber frauds are rising at an alarming rate. Victims in cyber fraud cases are concerned not only with conviction of cyber criminals but also with refund of money. Hence, this blog, focuses on legal aspect of refund of money as well as procedure for the same.

RBI Notification:
The bank’s (All scheduled commercial banks, Small finance bank and Payment Banks) liability in case of Unauthorized Electronic Banking Transactions is governed by RBI circular - RBI/2017-18/15, DBR.No.Leg.BC.78/09.07.005/2017-18 dated July 06, 2017.

Salient Points of Circular:
Broadly, the electronic banking transactions are divided into two categories:

1. Remote/ online payment transactions (transactions that do not require physical payment instruments to be presented at the point of transactions e.g. internet banking, mobile banking, card not present (CNP) transactions), Pre-paid Payment Instruments (PPI), and
2. Face-to-face/ proximity payment transactions (transactions which require the physical payment instrument such as a card or mobile phone to be present at the point of transaction e.g. ATM, POS, etc.)

Reporting of Unauthorized Transactions by Customers to Banks:

1. Banks must ask their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic banking transactions.
2. The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered.
3. The customers must be advised to notify their bank of any unauthorized electronic banking transaction at the earliest after the occurrence of such transaction, and informed that the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/ customer.
4. To facilitate this, banks must provide customers with 24x7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting Unauthorized transactions that have taken place and/ or loss or theft of payment instrument such as card, etc.
5. Banks shall also enable customers to instantly respond by "Reply" to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any.
6. Further, a direct link for lodging the complaints, with specific option to report unauthorized electronic transactions shall be provided by banks on home page of their website. The loss/ fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number.
7. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them. This shall be important in determining the extent of a customer’s liability.
8. The banks may not offer facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the bank.
9. On receipt of report of an unauthorized transaction from the customer, banks must take immediate steps to prevent further unauthorized transactions in the account.

Limited Liablity of a Customer:

1. Zero Liability of a Customer

• A customer’s entitlement to zero liability shall arise where the unauthorized transaction occurs in the following events:
• Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
• Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.

2. Limited Liability of a Customer:
A customer shall be liable for the loss occurring due to unauthorized transactions in the following cases:

• In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank.
• In cases where the responsibility for the Unauthorized electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table, whichever is lower.

Image Source: BusinessToday Magazine

Reversal Timeline for Zero Liability/ Limited Liability of customer:
On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the Unauthorized electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decide to waive off any customer liability in case of unauthorized electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorized transaction.

Further, banks shall ensure that:

• A complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the bank’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions of paragraphs 6 to 9 above;
• Where it is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the compensation as prescribed in paragraphs 6 to 9 is paid to the customer; and
• In case of debit card/ bank account, the customer does not suffer loss of interest, and in case of credit card, the customer does not bear any additional burden of interest.

Importance of OTP:
RBI guideline says - In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank.

As such, OTP is of paramount importance in this entire money refund process. Customers enjoy zero liability and are eligible for full money refund, only if the victim had not shared OTP or any other sensitive details like UPI PIN with the fraudster.

Cyber Cops Services Website: services.cyber-cops.com

What has Changed Primarily with this Notification?

While in earlier approach, the onus was on the de-frauded customer to prove that he/ she has not shared crucial details like OTP with the fraudster. Now, the same has been shifted to banks – now banks have to prove that the customer was at fault and not careful enough while using it’s online services. 

The earlier system led to harassment of victims - either banks didn’t refund the money or took too long to reverse it. The problem was compounded by lack of clear guidelines or stipulated period for refunds. As frauds rose, people were becoming apprehensive about online transaction, which would have been regressive step for all the stakeholders in virtual world transactions. Hence, the newer guidelines. 

The earlier system also provided no incentives for banks to invest in fraud monitoring systems, as liability was on customers. Now, since the onus has shifted to banks, they are likely to implement a robust and dynamic fraud detection and prevention mechanism. Simultaneously, they will access and fill in the gaps found in the system. 

Examples:

Example 1: 
The systems of Hitachi Payment Services, to which few banks had outsourced their ATM transaction processing, were compromised. In this scenario, if a customer becomes victim due to breached details of Hitachi services, banks will have to refund the entire money lost. The only pre-requisite is customer informing the bank about the fraudulent transaction within three working days after receiving the communication of un-authorized financial transaction. 

Example 2: 
Consider another scenario where the database of banks is accessed unlawfully by hackers or card details of customers are leaked to world, due to ignorance or negligence of bank authorities. Again, any loss to customer due to fault on the banks, will be borne completely the banks. 

Procedure Victim should Follow:
There is no strict procedure to be followed, except for rigid timelines as enumerated before. However, for maximum efficiency, following procedure is recommended:

Step 1: The complainant/ victim should lodge a complaint with the nearest Police Station or Cyber Cell. Following documents should be submitted along with the complaint –

• Self attested, Government ID proof of the complainant
• Screen Shots of the SMS which reflects the unauthorized transaction details (received on the victim's registered mobile number)
• A detailed application describing the whole incident i.e., how the caller obtained the private information like card details and OTP etc.
• Name of any suspected webpage or application used by the victim
• Phone numbers of the fraudster (if available) i.e., Whatsapp, IMO, WeChat, Skype, email etc
• Updated bank statement reflecting the unauthorized transactions
• Any other relevant detail

The chats, fraudulent mails, voice recordings, phone messages etc. should be retained in the “Original Device” as such. This is important to enable adduce them as evidence in the Court of Law. Once, the contents from original device are deleted, they lose their sanctity (even though present in other devices, as forwarded materials). Hence, care must be taken not to delete the original incriminating evidences.   

Ideally, an FIR should be lodged (U/S 154 Cr.P.C), but if police resists get a DDR (Daily Diary Register) entry made and receive a stamped copy of the proof of submission of the complaint. Now-a-days several state police allows lodging similar complaint via mobile application or web based interfaces too. The whole idea is to lend weight and credibility to the complaint you shall finally make to your bank, with the use of such FIR/ DDR entry.

After informing the bank, you should also block your card through mobile application, online banking or via toll free number written on the back side of your ATM card. Don't search numbers via Google search, otherwise you may end having fraudster's number, leading to further victimization. 

Step 2: Submit a similar complaint to the nearest bank branch and the RBI branch. The complaint to RBI branch is primarily meant to pressurize the bank to deal with the case swiftly and strictly as per the procedure prescribed by RBI.

RBI Bank branches: The RBI branches pan India can be seen using this link -https://www.rbi.org.in/Scripts/Regionaloffices.aspx

Care must be taken to ensure you notify the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction, to enjoy zero customer liability.  

Step 3: Stay in contact with bank officials, seeking refund as per RBI guidelines. In case of delay, seek reasons for the same.  

How to Prevent being Victims of Online Frauds?
Here are some of the precautions to keep in mind, to prevent being victim of online fraudulent transaction. 

• Never share sensitive personal information like OTPs, UPI PIN, card details etc. with any stranger or untrustworthy person. 
• Don’t use public device like friend’s phone, public computer, cyber café for making online transaction. They may have key-loggers installed, that can harvest your log-in credentials. 
• Check for any spy apps installed in your device, especially if you share your device for long time. E.g., for servicing or repairing. It can be by checking apps installed in your phone or by using free Android app “NetCapture”, to analyze the outgoing packets from your phone, and thus deduce the different apps present in your phone. 
• Use latest anti-virus and anti-phishing solutions in your devices. Also, update them regularly for enhanced efficiency. 
• Enable two-step verification or multi step verification, whichever available, for your bank account. After doing so, even if your login credentials get compromised, hacker would still require OTP sent on your device for log-ins. Thereby, saving you from un-authorized intrusions in your account. 
• Always remember banks and other financial institutions will never call you to seek personal information like card details. Also, don’t auto save your card details in your phone or in websites. 

Learn how and where to report cyber crimes in India officially, here: https://cyber-cops.com/blog/how-and-where-to-report-cyber-crimes-in-india-officially