RBI mandates Bank liability for POS frauds

RBI had announced certain risk mitigation measures for Card Present transactions vide 22nd Sept 2011. Under this circular, it had been mandated that Banks should implement commercial readiness of acquiring infrastructure to support PIN based POS systems before June 30, 2013.  (Ref circular of 22nd sept 2011).

RBI again reiterated vide its circular of February 28, 2013 (Refer circular of 28th Feb 2013) along with detailed guidelines for securing card payment transactions.

Unfortunately, Banks were not ready to implement the security measures in time and hence on June 24, 2013, RBI was forced to extend the deadline for implementation from June 30, 2013 to September 30, 2013.

However, RBI has today vide its circular (Refer circular dated 27th September 2013) indicated that   It has been decided not to grant any further extention of time for implementation of technology requirements as indicated in its circulars of Sept 2011 and 28th February 2013.

More importantly, RBI has also indicated that Banks not complying with the requirements shall compensate loss, if any,incurred by the card holder using card at POS terminals not adhereing to the mandatory standards. The responsibility would be that of the acquiring Bank but the card issuing Bank should make the payment to the customer when a fraud is notified and then recover the money from the acquiring Bank.

Procedure for settlement of the claim shall be as under.

(a) The issuing bank would ascertain, within 3 working days from the date of cardholder approaching the bank, whether the respective POS terminal/s where the said transaction/s occurred is/are compliant with TLE and UKPT/DUKPT as mandated.

(b) In the event it is found that the POS terminals are non-compliant as mandated, the issuing bank shall pay the disputed amount to the customer within 7 working days, failing which a compensation of Rs.100 per day will be payable to the customer from the 8th working day.

(c) The issuing bank shall claim the amount paid by it to the customer from the respective bank/s which have acquired the POS transaction/s in question.

(d) The acquiring banks have to pay the amount paid by the issuing bank without demur within 3 working days of the issuing bank raising the claim, failing which the Reserve Bank of India would be constrained to compensate the issuing bank by debiting the account of the acquiring bank maintained with the Bank.

Naavi.org appreciates the spirit behind the circular which for the first time has demonstrated that RBI is willing to impose its authority on the Banks who are refusing to implement security measures as recommended by the regulator and the law.

We hope that RBI will continue to adopt a similar stringent practice for imposing KYC, GGWG recommendations and security of mobile Banking etc.

It may be mentioned here that Naavi has raised the issue of “Face Book Banking App” which ICICI Bank has launched and asked RBI to clarify if this method of Banking is approved and whether the security audits have been undertaken before the app was launched etc.

Hope RBI will respond to this query and exhibit the same tenacious approach that it has now displayed for securing the Card Not Present transactions even in respect of Internet and Face Book Banking.

It has been the continuing demand of Naavi that RBI should mandate Cyber Crime insurance for all internet and mobile banking transactions and it is reiterated in the current context.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Bank, RBI. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.