RBI has finalised a compensation framework for victims of small-value digital fraud in banking, effective from January 1, 2027. A bona fide individual victim with a gross loss of up to ₹50,000 from a fraudulent electronic banking transaction will be compensated 85 percent of the net loss, or ₹25,000, whichever is lower, available once in a customer’s lifetime. No compensation is provided for losses above ₹50,000. To qualify, the customer must report the fraud to their bank and to the National Cyber Crime Reporting Portal or Helpline 1930 within five calendar days. The compensation cost is shared between RBI, the customer’s bank, and the beneficiary bank, and the burden of proving customer liability now rests with the bank, not the customer.
TABLE OF CONTENTS
- What Just Changed and Why the Timeline Matters
- The Compensation Formula, Explained with Real Numbers
- Who Pays: The Three-Way Cost-Sharing Model
- The Five-Day Reporting Rule and Why It Is Strict
- The OTP Exception That Changes Everything
- Zero Liability: When the Bank Pays in Full
- What This Means for Banks Operationally
- How This Fits Into RBI’s Broader Fraud Risk Agenda
- Master Reference Table
- Frequently Asked Questions
RBI has finalised its long-anticipated compensation framework for victims of small-value digital banking fraud. The framework was originally proposed as a draft earlier in 2026, with an initial effective date of July 1, 2026. RBI has since deferred implementation by six months, and the directions will now apply to electronic banking transactions conducted on or after January 1, 2027.
This deferral matters for two reasons. First, it gives banks a longer runway to build the systems, cost-sharing mechanisms, and reporting infrastructure the framework requires, rather than scrambling to comply within weeks of finalisation. Second, it signals that RBI is treating this as a structural, permanent change to fraud liability in India, not a quick patch, since structural changes of this scale typically need more than a few months of lead time to implement correctly.
For BFSI risk, compliance, and customer service teams, the practical message is the same regardless of the exact date: the framework is final, the mechanics are now known in detail, and the months before January 2027 should be spent building the operational capability to execute it correctly from day one.
The Compensation Formula, Explained with Real Numbers
The compensation rule sounds simple, but the actual formula has two distinct bands depending on the size of the loss, and understanding both is essential to explaining this correctly to customers, auditors, or your own board.
For losses below ₹29,412, the victim receives 85 percent of the net loss amount. For example, a loss of ₹20,000 results in a payout of ₹17,000, since 85 percent of ₹20,000 is ₹17,000, comfortably under the ₹25,000 cap.
For losses of ₹29,412 or more, up to the ₹50,000 ceiling, the compensation is capped at a flat ₹25,000, because 85 percent of any amount in this band would exceed ₹25,000. For example, a loss of ₹50,000 results in a payout of exactly ₹25,000, not 85 percent of ₹50,000, which would have been ₹42,500.
The number ₹29,412 is not arbitrary. It is the precise point at which 85 percent of the loss equals exactly ₹25,000, which is why it functions as the breakpoint between the two calculation bands.
Critically, there is no compensation at all for losses exceeding ₹50,000 under this specific framework. This is a small-value fraud protection mechanism, not a general fraud insurance scheme, and institutions need to be precise about this distinction when communicating with customers who may assume the protection is broader than it actually is.
The benefit is available only once during a customer’s lifetime, which is a deliberate design choice to prevent misuse of the facility, and which also means banks need a reliable way to check whether a customer has already claimed this benefit before processing a new claim.
Who Pays: The Three-Way Cost-Sharing Model
One of the more distinctive features of this framework is that the compensation cost is shared across three parties: RBI itself, the customer’s own bank, and the beneficiary bank that received the fraudulently transferred funds.
For losses below ₹29,412, where 85 percent of the loss is paid out, RBI bears 65 percent of that compensation amount, while the customer’s bank and the beneficiary bank each contribute 10 percent.
For losses between ₹29,412 and ₹50,000, where compensation is capped at ₹25,000, RBI contributes ₹19,118, while the customer’s bank and the beneficiary bank each contribute ₹2,941.
For cross-border fraudulent transactions specifically, the split changes slightly: RBI contributes ₹19,118 and the customer’s bank contributes ₹5,882, reflecting the absence of a domestic beneficiary bank in many cross-border fraud scenarios.
If funds are later recovered after compensation has already been paid, the customer’s bank is required to recalculate the payout based on the revised net loss figure and adjust the recovered amount accordingly, meaning the compensation process does not simply end once the initial payout is made.
This shared-cost model is a deliberate incentive design. By making both the customer’s bank and the beneficiary bank financially responsible for a share of every compensation payout, RBI is creating a direct financial incentive for both institutions to strengthen the controls that prevent fraud in the first place, not just process compensation claims efficiently after the fact.
The Five-Day Reporting Rule and Why It Is Strict
To qualify for compensation, a customer must report the fraudulent transaction within five calendar days of its occurrence, and this report must go to two separate places: the customer’s own bank, and the National Cyber Crime Reporting Portal or its Helpline 1930.
Once a valid complaint is received, banks are required to compensate the customer within five calendar days, which is a notably fast turnaround compared to many existing grievance redressal timelines in Indian banking.
The five-day reporting window is strict by design. It exists to preserve the evidentiary trail, including OTP logs, SMS logs, and transaction history, that banks need to genuinely verify whether a claim is legitimate, and to limit the window during which a fraudulently transferred amount might otherwise be moved further and become unrecoverable.
For joint accounts, only one account holder may submit a compensation claim, which is a detail that customer service teams need to be specifically briefed on, since it is a likely source of confusion and escalation if not communicated clearly upfront.
The OTP Exception That Changes Everything
Perhaps the most significant shift in this framework, compared to how Indian banks have historically treated digital fraud claims, concerns One-Time Passwords.
Previously, a customer who had shared their OTP, even under deception, was frequently treated as having contributed to their own loss through negligence, which often resulted in compensation being denied entirely. Under the new framework, victims of small-value digital fraud can qualify for compensation even where the fraud occurred after an OTP was shared, provided the loss was not the result of intentional customer misconduct.
This change directly reflects how sophisticated digital fraud has become. Phishing calls, fake bank representative scams, and social engineering attacks that convince a genuine customer to share an OTP under false pretences are now recognised as a form of victimisation, not simply customer carelessness, as long as the customer did not act with deliberate intent to defraud their own account.
For BFSI institutions, this means fraud investigation teams need updated criteria for distinguishing genuine victimisation from actual customer negligence, since the bar for denying a claim purely on the basis of OTP sharing has now moved meaningfully.
Zero Liability: When the Bank Pays in Full
Separate from the 85 percent and ₹25,000 compensation mechanism, the framework preserves and reinforces a zero liability principle in two specific circumstances.
A customer is entitled to zero liability and full reversal of the transaction where the fraudulent transaction occurred due to negligence or deficiency on the part of the bank itself, regardless of whether the customer reported the transaction promptly or not. Bank negligence in this context includes failing to implement mandated security systems, not sending required transaction alerts, system malfunctions, security breaches, or internal fraud originating from within the bank.
Zero liability also applies in cases of third-party breach, such as a fraud originating from a merchant’s systems or a payment gateway rather than the bank or the customer, provided the customer reports the unauthorised transaction within five calendar days of its occurrence.
The framework places the burden of proving customer liability squarely on the bank, not the customer. If a bank rejects a compensation claim, it must provide specific reasons along with supporting evidence, such as OTP logs, SMS logs, or transaction history, rather than simply denying the claim without justification.
What This Means for Banks Operationally
Banks now need a documented, auditable process for distinguishing four different liability scenarios: bank negligence with zero liability, third-party breach with zero liability if reported in time, qualifying small-value fraud eligible for the 85 percent or ₹25,000 compensation, and cases that fall outside the framework entirely, including losses above ₹50,000 or claims where the customer has already used their lifetime benefit.
Transaction alert systems need review. The broader directions accompanying this framework mandate instant SMS notifications for all electronic banking transactions above ₹500, with banks given discretion for transactions at or below that threshold. Banks cannot charge customers for SMS alerts sent to meet regulatory requirements.
Board-level reporting expectations have increased. Banks are required to periodically report complaints related to fraudulent electronic transactions to their boards or board-level committees, with details broken down across categories including card-present, card-not-present, internet banking, and mobile banking transactions.
Customer service and fraud investigation teams need updated training specifically on the revised OTP-sharing standard, the five-day reporting and compensation timelines, and the documentation required to support both compensation approvals and rejections.
How This Fits Into RBI’s Broader Fraud Risk Agenda
This compensation framework does not exist in isolation. It builds directly on RBI’s Master Directions on Fraud Risk Management, issued in July 2024, which already require banks to report fraud cases within 14 days of classification, and to submit a flash report within one week of detection for major frauds involving ₹5 crore or more.
The scale of the underlying problem explains the urgency behind both sets of rules. India’s digital transaction volume surpassed ₹18,000 crore in FY 2024-25, and digital frauds amounting to ₹4,245 crore were reported in just the first ten months of that fiscal year. RBI has also been active on the enforcement side of fraud and compliance more broadly, having fined 353 regulated entities a combined ₹54.78 crore in FY 2024-25 for various compliance failures, including delayed fraud reporting.
Read together, the compensation framework and the existing fraud risk management directions represent a two-sided regulatory push: stricter fraud detection and reporting obligations on banks, paired with stronger, faster, more clearly defined compensation rights for customers when fraud does occur.
Master Reference Table
|
Loss Amount |
Compensation Formula |
Payout Example |
|
Below ₹29,412 |
85% of net loss |
₹20,000 loss → ₹17,000 payout |
|
₹29,412 to ₹50,000 |
Capped at ₹25,000 flat |
₹50,000 loss → ₹25,000 payout |
|
Above ₹50,000 |
Not covered by this framework | No compensation under this mechanism |
| Cost Share (loss below ₹29,412) | Percentage |
|
RBI |
65% |
|
Customer’s bank |
10% |
|
Beneficiary bank |
10% |
|
Cost Share (loss ₹29,412 to ₹50,000, capped at ₹25,000) |
Amount |
|
RBI |
₹19,118 |
|
Customer’s bank |
₹2,941 |
|
Beneficiary bank |
₹2,941 |
Frequently Asked Questions
Q1: When does RBI’s digital fraud compensation framework take effect?
The framework applies to electronic banking transactions conducted on or after January 1, 2027. The implementation date was deferred by six months from an originally proposed July 1, 2026 start date.
Q2: How much compensation can a customer actually receive under this framework?
A customer can receive 85 percent of their net loss, or ₹25,000, whichever is lower, for a gross loss of up to ₹50,000 from a single fraudulent electronic banking transaction. This is a once-in-a-lifetime benefit per customer, and there is no compensation under this specific framework for losses exceeding ₹50,000.
Q3: Will I still get compensation if I shared my OTP with a fraudster?
Possibly, yes. Under the new framework, victims of small-value digital fraud can qualify for compensation even if an OTP was shared, provided the loss did not result from intentional misconduct by the customer. Sharing an OTP under deception, such as during a phishing call, is no longer automatically treated as disqualifying negligence the way it often was previously.
Q4: What is the difference between this compensation framework and zero liability?
This 85 percent or ₹25,000 compensation framework applies specifically to small-value fraud cases up to ₹50,000 where the customer bears some responsibility for the situation, such as having shared information under deception. Zero liability is a separate, stronger protection that applies when the fraud results from the bank’s own negligence, or from a third-party breach reported within five calendar days, in which case the customer receives full reversal of the transaction rather than the capped compensation amount.
Q5: How quickly must a customer report fraud to qualify for compensation?
A customer must report the fraudulent transaction within five calendar days of its occurrence, to both their bank and the National Cyber Crime Reporting Portal or Helpline 1930. Once a valid complaint is received, the bank must compensate the customer within five calendar days.
Q6: Who actually pays for this compensation, the bank or RBI?
The cost is shared between three parties: RBI, the customer’s own bank, and the beneficiary bank that received the fraudulently transferred funds. The exact split depends on the loss amount, with RBI bearing the largest share in both compensation bands defined under the framework.
Q7: Does this framework cover all types of digital fraud?
The framework specifically covers fraudulent electronic banking transactions, including UPI, internet banking, mobile banking transfers, debit and credit card transactions, and ATM transactions, where the gross loss is up to ₹50,000. It does not provide compensation under this mechanism for losses above that threshold, and it operates alongside, not instead of, the existing zero liability protections for bank negligence and reported third-party breaches.
