My wife was cheated of Rs 40k in a bank fraud. What are RBI's rules for?
Considering the dire need for limiting the liability of customers in case of unauthorised electronic banking transactions and to make the banks more accountable for losses suffered by customers, the Reserve Bank of India (RBI) has laid down clear directives but much remains to be done in ensuring that its diktats are diligently followed.
Succesive circulars of the RBI have highlighted that in case of online frauds, all scheduled banks, including RRBs, have to return/refund the money within 10 days provided a complaint has been lodged within three days of the fraudulent transaction.
Recently, my wife, who has an account with a private bank in Delhi/NCR became a victim of such a transaction.
She has never opted for internet banking and is used to accessing banking services through personal visits. This account has been lying fairly dormant and my wife was using it to pool in her limited savings, to use them for unforeseen exigencies in her advancing age.
I am a retired private sector professional with no regular income nor any pension, with our limited lifelong savings alone supporting us.
On April 15, 2015, my wife was contacted on her registered mobile phone around 12.06pm and asked to update her KYC details, failing which her account — she was warned — would be closed.
The number from which she got the call was 7091765502. As the conversation progressed with the online fraudulent transaction being attempted on NPCI’s (National Payments Corporation of India) platform, another call came from the bank's official number, stating that suspecting a fraudulent transaction, the bank was blocking my wife’s linked ATM Card and that the transaction was being monitored and that money would not be debited from her account. The hoax call had been detected within minutes by the bank.
By the evening, however, my wife got a message on her registered mobile that an amount of Rs 40,005.62 had indeed been debited from her account — and credited into an unknown account. A complaint was immediately registered on the bank’s website. My wife and I visited the branch the next day and explained the matter to the deputy branch manager, Sachin Saini, who confirmed that the phone call that immediately intercepted the fraudulent transaction occurring for an unusually big amount for her in a more or less dormant account was actually from the bank’s cyber crime cell at Hyderabad and that the cell would investigate the matter and keep us informed about the details.
As advised, I also followed up the matter with the Risk Management Division of the bank in Jhandewalan — where I was told that the bank was not in a position to offer any resolution to our loss except calling for all the details we had already shared many times.
As further advised by the bank, I kept following up with its officials but no updates were really provided. Subsequently, I was told that I would be updated about the progress of the internal investigations by May 18, 2015, which was extended to May 27, 2015.
Having shared all every detail about the fraud with the bank, I requested the bank officials to share with me the complete account number, the beneficiary (name) and bank/organisation with its addresses of the offender. To my utter dismay, nearly three years after the fraud, there has been no update from the bank.
In the intervening period, my wife’s account was frozen and her debit card kept locked.
The recent circular from RBI further clarifies that the police complaint and insurance claim (if necessary) are to be initiated by the bank and not by the customers.
That’s that.
For the financial safety of other ordinary bank account holders, I think it’s pertinent to note here that most banking institutions have not given adequate or even basic information about RBI-mandated provisions to their customers in the past.
Most banks, post the introduction of credit/debit card products after mid-90s, have been selling these products very aggressively to even unregistered and uninterested customers, but none seem to have done enough to educate and train their customers, especially homemakers, young students and majorly most of the other non-IT savvy population exposed to misuse and fraud possible through such alternatives.
Lack of adequate awareness drives and training and education of the customers for their accountability, as envisaged by the RBI as such, seems to be a natural fallout of the overall functioning.
Systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place appropriate systems to ensure the safety and security of online transactions; robust and dynamic fraud detection and prevention mechanism; mechanism to assess the risks (for example, gaps in the bank’s existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events; appropriate measures to mitigate the risks and protect themselves against liabilities; and a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments-related fraud.
According to RBI directives, the strictures are customer-friendly to say the least.
In the interest of many other unsuspecting customers like my wife, whose meagre savings are meant to cover their superannuated lives or medical needs in advancing age, and who can be taken for a ride by cyber criminals, I would like to raise a few questions.
Why does the NPC and banks’ technology permit transactions to even unknown, unverified accounts and unregistered beneficiaries through IMPS when hundreds of checks are mandatorily carried out for any other internet transactions or even physical transactions?
Even if speed is the criterion, why is it that IMPS permits transfer of amounts to just any beneficiary’s account without having to know or personally key in the recipient’s account number and IFSC code — let alone when the beneficiaries are not registered, authorised and so accepted by the bank?
Why is it that when the cyber cell of a bank can intercept a fraudulent call and intervene, it can’t stop the process of transfer, credit, and debit immediately — as normally happens in all secure internet banking transactions?
The least that the banks with which customers have maintained their savings accounts must do is give back an advance credit of the amounts siphoned off. I am sure that the IT professionals managing the keys to the kingdoms today would go all out to help customers like us.
More importantly, does such indifference towards the affected customers point to the involvement of staff members or officers of the bank in such frauds, which the banks may be overlooking or ignoring?