RBI tightens leash on banks: New rules for credit card fraud protection from 2027

The central bank’s latest framework mandates five-day reversals for fraudulent electronic transactions, shifting the burden of security from the customer to the institution.

The Reserve Bank of India (RBI) has issued a significant directive that changes the landscape for digital payments and credit card users across the country. In a move aimed at curbing the rising tide of financial fraud, the central bank has mandated that banks must provide "shadow reversal" or provisional credit to customers within five days of a reported fraudulent electronic transaction. This policy, which aims to protect the retail consumer, is set to be fully implemented by January 1, 2027.

The new mandate: Shifting the responsibility

For years, the panic associated with an unauthorized transaction has been exacerbated by the long wait for resolution. Under these updated guidelines, the central bank is effectively limiting customer liability in digital transactions. If a customer reports a fraudulent incident, banks are now duty-bound to take immediate action, including securing the account against future unauthorized debits.

Crucially, the RBI has clarified that if the fraud is a result of a bank’s own technical negligence, the customer is entitled to a full refund regardless of whether they filed a formal complaint. In cases where neither the bank nor the customer is at fault, reporting the incident within five days grants the user the right to have the transaction reversed.

Enhanced monitoring and communication

Transparency is a key pillar of this framework. Banks are now required to maintain robust communication systems that log the exact date and time of every alert sent to a user, alongside any subsequent response received. SMS alerts have become mandatory for all transactions exceeding ₹500, while banks retain the discretion to send notifications for amounts below that threshold.

These instructions are not sudden; they follow a period of deliberation that began in March, when the RBI released draft proposals to expand the scope of customer protection in electronic banking. After reviewing feedback from various stakeholders, the regulator has solidified these rules to ensure that banks design their internal systems with the user’s safety as a primary focus.

Why it matters: The bigger picture

This move signals a shift in the regulatory philosophy of India's banking sector. By forcing banks to absorb the immediate financial impact of fraud, the regulator is creating a strong incentive for financial institutions to harden their cybersecurity infrastructure.

For the average user, the policy serves as a necessary safety net in an increasingly cashless economy. As digital adoption grows, so does the sophistication of cyber-attacks. By mandating a five-day turnaround for provisional credit, the RBI is moving away from the era of "caveat emptor" (buyer beware) and toward a system where the entity best equipped to prevent fraud—the bank—bears the responsibility for failing to do so. This is a clear signal that, in the eyes of the regulator, convenience should never come at the cost of consumer security.