On 12 March 2026, Priya Mehta in Pune checked her SMS and discovered ₹48,700 debited from her State Bank debit card at 3:47 AM—while the card sat in her purse and she slept. She had never shared her PIN, never clicked a phishing link, yet money vanished. Banks advertise “safe banking,” but liability, recovery timelines, and police protocols remain opaque to most cardholders until fraud strikes.
Citizen Crisis Response Network
Report unauthorized transaction within 3 working days for zero liability (RBI customer-liability circular, 6 July 2017), freeze card via SMS/app/call immediately, file cyber crime FIR within 24 hours, submit written complaint to bank's nodal officer, escalate to Banking Ombudsman if bank delays reversal beyond 10 days, preserve all SMS/email evidence, do not pay “recovery agents” claiming card misuse liability.
Under the Reserve Bank of India circular dated 6 July 2017 on “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”, customers bear zero liability for unauthorized debit card transactions reported within three working days if the fraud occurred due to bank/payment system/third-party breach—not customer negligence. Limited liability applies for reports between 4–7 working days, capped at the transaction value or the amount in the RBI table (₹5,000 for basic savings accounts, ₹10,000 for ordinary savings/salary accounts, up to ₹25,000 for higher-value accounts), whichever is lower. Beyond seven days, liability is determined per the bank's board-approved policy. Section 319 Bharatiya Nyaya Sanhita 2023 (cheating by personation) and Sections 66C/66D Information Technology Act 2000 cover penal remedies; Consumer Protection Act 2019 Section 2(11) defines the “deficiency” in service that grounds a consumer claim. Banks must shadow-reverse the disputed amount within ten working days of the customer's notification.
The Reserve Bank of India circular dated 6 July 2017 on “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” establishes a three-tier liability structure for unauthorized electronic banking transactions, including debit card fraud:
Tier 1 (Zero liability): Customer reports fraud within three working days of receiving transaction notification. Liability is zero if fraud resulted from contributory fraud/negligence/deficiency on the part of the bank or payment system provider, regardless of whether the customer was negligent. Zero liability also applies if the fraud is due to third-party breach where neither the bank nor customer is at fault.
Tier 2 (Limited liability): Report made between four to seven working days. Customer liability is capped at the transaction amount or the amount specified in the RBI table, whichever is lower — ₹5,000 for basic savings (BSBD) accounts, ₹10,000 for ordinary savings/salary accounts and most current accounts, and up to ₹25,000 for higher-value current accounts and high-limit cards.
Tier 3 (Case-by-case determination): Reported beyond seven working days. Liability decided per the bank's board-approved policy, subject to RBI review and Banking Ombudsman appeal.
Critical caveat: If the customer's gross negligence caused the loss—sharing PIN, writing PIN on card, responding to phishing with OTP—zero liability may not apply. However, burden of proof lies on the bank to demonstrate customer negligence, not the other way around.
Most citizens miss this — The three-day clock starts from transaction SMS/email receipt, not from when you discover missing money weeks later. Enable real-time SMS/email alerts on your debit card account immediately.
Step 1 (Minutes 0–5): Block/freeze the compromised debit card. Use the bank's mobile app “Block Card” feature, SMS hotline (e.g., “BLOCK <last-four-digits>” to bank's shortcode), or 24×7 customer care number. Do not wait for office hours. Document the exact time of blocking request; request SMS confirmation.
Step 2 (Minutes 5–15): Take screenshots of all unauthorized transaction SMS/email alerts, banking app transaction history, and card-block confirmation. Export bank statements in PDF covering 30 days before the fraud. Archive these files with timestamps.
Step 3 (Hour 1): Lodge an online complaint at the National Cyber Crime Reporting Portal (https://cybercrime.gov.in) under “Financial Fraud – Unauthorized Transaction.” Portal provides a unique acknowledgment number. This is not a formal FIR but triggers police awareness and may freeze mule accounts if reported swiftly.
Step 4 (Hour 2–6): Visit or phone the local cyber crime police station to register a formal FIR under Section 318 BNS 2023 (cheating — covering the fraudulent inducement of delivery of property), Section 319 BNS 2023 (cheating by personation), and Sections 66C/66D Information Technology Act 2000. Carry printouts of transaction alerts, card-block confirmation, cyber crime portal acknowledgment, identity proof, and card copy (front only, CVV masked). Insist on an FIR, not an NCR (Non-Cognizable Report).
Step 5 (Hour 12–24): Submit a written complaint to the bank's branch manager or designated nodal officer (name/contact published on bank website under “Customer Grievances”). The complaint must state: card number (masked), date-time of unauthorized transactions, amount, that card was in your possession, PIN never shared, request for immediate provisional credit under the RBI customer-liability circular. Send via registered post or hand-deliver with acknowledgment copy.
Do this immediately — Banks often claim “no written complaint received.” Always carry two printed copies, get one stamped/signed with date by bank staff, keep it as your only proof of three-day compliance.
The Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS, in force from 1 July 2024, replacing the CrPC) governs FIR registration. Section 173 BNSS mandates police to register an FIR for cognizable offenses; debit card fraud qualifies under BNS 2023 Section 318/319 and the IT Act 2000.
Jurisdiction: Cyber crime can be registered (a) where you reside, (b) where the bank branch is located, or © where the fraudulent transaction server is located (usually unknown). Most metropolitan police have dedicated cyber crime cells; smaller towns may route through local police station with Economic Offenses Wing.
Key sections to cite in FIR application:
Police may initially hesitate, citing “civil dispute” or “banking matter.” Firmly state: Unauthorized access to banking systems and impersonation are cognizable offenses; victim is entitled to FIR under BNSS Section 173. If refused, note the officer's name/badge and file a complaint with the Superintendent of Police (cyber) via email, copying cybercrime.gov.in portal complaint ID.
Once FIR is registered, obtain a certified copy (FIR number, police station, investigating officer name). Submit this FIR copy to your bank within 24–48 hours; it strengthens your claim of third-party fraud and shifts liability burden to the bank/payment system.
Warning — An FIR is mandatory if you wish to later claim insurance (if debit card had coverage) or pursue criminal prosecution. Without an FIR, banks may internally classify it as “disputed transaction” rather than “fraud.”
Per the RBI customer-liability circular, upon receiving a written complaint of an unauthorized debit card transaction, the bank must:
Ground reality in 2026: Many public-sector banks provisionally credit within 7–10 days if (a) FIR copy submitted, (b) card was blocked promptly, © no prior fraud history on account. Private banks with robust fraud-detection systems often credit within 3–5 days. However, delays occur if:
If provisional credit is not received within 10 working days: Send a reminder email to the nodal officer, CC the principal nodal officer (name on bank website), citing the RBI customer-liability circular's clause on the provisional credit timeline. Mention intent to escalate to Banking Ombudsman if no response within five days.
Do not close the complaint prematurely: Some banks pressure customers to sign “settlement letters” in exchange for partial refunds. Refuse unless full amount plus compensation for deficiency of service is offered in writing.
Citizen tip — Maintain a complaint diary: date, mode (email/in-person), recipient name, acknowledgment number, response summary. Courts and Banking Ombudsman value chronological documentary evidence.
Zero liability protection does not apply if the bank proves the customer's gross negligence or willful misconduct caused the fraud. Common scenarios where customer may bear liability:
1. Sharing PIN/CVV/OTP: Writing PIN on the debit card, sharing it with family, or giving OTP to a caller (even if caller claimed to be “bank manager”) constitutes negligence. Banks routinely print disclaimers: “Never share OTP/PIN with anyone.”
2. Delayed reporting beyond reasonable time: Reporting 60 days after transaction, when SMS alerts were delivered daily, may weaken zero-liability claim. RBI expects “reasonable promptness.”
3. Using card on phishing sites with active security warnings: If you ignored browser security warnings, disabled antivirus, and entered card details on a known fraudulent site, contributory negligence applies.
4. Allowing third parties to use your card: Lending your card and PIN to friends/relatives who then misuse it is not “unauthorized” fraud; it's authorized misuse, recoverable only via civil suit against that person.
Burden of proof: Under the RBI framework and Consumer Protection Act 2019, the bank must prove customer negligence; customer need not prove innocence. If the bank claims “you shared OTP,” demand call recordings, SMS logs, or forensic evidence. Mere suspicion is insufficient.
Most citizens miss this — Even if you clicked a phishing link, if the bank's SMS alert arrived *after* fraud (not in real-time), the bank shares liability for deficient fraud-detection systems. Cite this in your complaint.
If the bank rejects your complaint, delays beyond 30 days without provisional credit, or offers inadequate compensation, escalate to the Reserve Bank – Integrated Ombudsman Scheme 2021 (RBI-IOS).
Eligibility:
Filing procedure (as of 2026):
Outcomes: Banking Ombudsman can direct the bank to refund the disputed amount and pass an Award up to the actual loss or ₹20,00,000 (₹20 lakh), whichever is lower, plus separately award compensation up to ₹1,00,000 (₹1 lakh) for loss of time, expenses, and mental agony/harassment. Award is binding on the bank; the customer may reject it and pursue civil litigation if dissatisfied.
Trust signal — Unauthorized/digital-payment transactions are consistently among the largest complaint categories disposed under the RBI ombudsman mechanism each year. Where the customer reports promptly and documents diligently, the burden to prove negligence stays on the bank, which materially strengthens the customer's position.
Criminal remedies:
Police investigation may trace beneficiary accounts (mule accounts), freeze funds, arrest perpetrators. However, recovery of defrauded amount via criminal process is slow; priority is prosecution, not restitution.
Civil remedies:
Parallel proceedings permitted: Filing consumer complaint does not bar Banking Ombudsman escalation or vice versa. However, once Banking Ombudsman awards relief and you accept, consumer forum claim on same facts is barred.
Limitation: Consumer complaint must be filed within two years of cause of action (transaction date or bank's final rejection, whichever is later); Banking Ombudsman within one year plus 30 days.
Do this immediately — If defrauded amount exceeds ₹50,000 and bank stonewalls, file consumer complaint simultaneously with Banking Ombudsman escalation. Courts recognize dual track as legitimate when bank delays.
National Payments Corporation of India (NPCI) operates RuPay debit cards and the Unified Payments Interface (UPI). For RuPay debit card unauthorized transactions, banks can raise a chargeback dispute via NPCI's dispute resolution system.
Chargeback eligibility:
Process: Customer's issuing bank (your bank) raises chargeback request to acquiring bank (merchant's bank). Acquiring bank must respond within 30 days with evidence (transaction logs, signed slip, authentication records). If evidence insufficient, transaction amount is reversed to customer.
For Visa/Mastercard debit cards: Similar chargeback rules apply under Visa Core Rules and Mastercard Chargeback Guide, enforceable via respective card network regulations. Indian banks follow these protocols for international network cards.
Limitation: Chargeback is a dispute resolution mechanism, not a legal remedy. If chargeback is denied, customer still retains rights to Banking Ombudsman and consumer forum. However, successful chargeback is fastest recovery route (15–45 days).
Your action: When submitting written complaint to bank, explicitly state: “Request immediate chargeback initiation under NPCI/Visa/Mastercard dispute protocols for unauthorized transaction dated [date], reference number [UTR/ARN].”
Citizen tip — Many bank frontline staff are unaware of chargeback procedures. Escalate immediately to the card services / fraud operations department, citing NPCI's dispute management framework for RuPay transactions and the relevant card-network chargeback rules.
Mandatory documents:
Supplementary evidence (strengthens case):
Preservation: Store all files in three places—cloud (Google Drive/Dropbox), local hard drive, one USB drive with a trusted family member. Courts and Banking Ombudsman require original/certified copies; digital submissions must be followed by physical copies via post.
Warning — Banks sometimes claim “insufficient evidence” when customer provides only verbal complaint or single SMS screenshot. A well-documented complaint with 8–10 supporting documents is rarely denied.
No. Under the RBI customer-liability circular, if you report between day 4–7 and you hold an ordinary savings account, your liability is capped at the lower of transaction value or ₹10,000 (₹5,000 for a basic BSBD account; up to ₹25,000 for higher-value accounts). So if fraud was ₹50,000, your maximum liability is ₹10,000; bank must refund ₹40,000. If fraud was ₹8,000, your liability is ₹8,000 (lower of the two). However, if bank proves fraud occurred due to bank's system failure, you bear zero liability even on day six, because liability arises only when customer negligence is proven, not from delayed reporting alone in tier-2 window.
OTP authentication alone does not prove authorization. If the OTP was obtained via phishing (fraudster impersonated bank official), social engineering, or malware on your phone, the transaction is unauthorized. Demand the bank provide: (a) call recordings if OTP was shared over phone, (b) SMS delivery logs showing OTP was delivered to your registered mobile, © evidence you accessed the URL/app where OTP was entered. Cite Section 2(11) CPA 2019 deficiency: bank must implement multi-factor authentication and behavioral analytics; relying solely on OTP when transaction pattern was anomalous (foreign merchant, odd hour, high value) is deficient service.
An FIR is not “withdrawn” by the complainant; an offence can, where the law permits, be compounded under the compounding provisions of the BNSS (Section 359, which corresponds to the old CrPC Section 320), some categories requiring the permission of the court. Whether cheating offences in your case are compoundable depends on the specific section charged and the court's leave. However, withdrawing FIR may embolden fraudsters and reduce police ability to trace larger syndicates. Ethical approach: keep FIR active for investigation, inform police that your personal loss is recovered, cooperate if they need your testimony for prosecution. Many fraud rings operate across thousands of victims.
Likely, yes—sharing CVV constitutes gross negligence because (a) every card prints “Do not share CVV,” (b) banks repeatedly publicize warnings, © legitimate banks never ask for CVV over phone/email. However, nuance matters: If the caller spoofed your bank's official number, impersonated a senior official, and call occurred within minutes of a genuine transaction alert (social engineering sophistication), you may argue reduced liability. Document the spoofed number, file FIR for cheating/impersonation, and argue before Banking Ombudsman that bank's failure to implement caller-ID verification and customer education contributed to the loss. Courts have accepted shared liability in sophisticated phishing cases.
Bank must provide written justification citing evidence of customer negligence or investigation findings. If justification is vague (“investigation concluded transaction was authorized”), immediately: (1) demand detailed investigation report under bank's internal policy, (2) file RTI application to RBI asking for copies of guidelines on provisional credit reversal—banks must follow due process, (3) escalate to Banking Ombudsman within 30 days citing wrongful reversal. Ombudsman can reverse bank's decision. If bank claims “you authorized a family member,” demand proof—burden is on the bank.
Timelines vary by complexity. Straightforward cases with clear documentary evidence and an admitted bank delay or rejection are resolved relatively quickly, while complex cases involving forensic analysis or disputed negligence take longer, often through a conciliation process before any Award. If the Ombudsman requests additional documents, respond within the stipulated deadline to avoid delay. The Award is communicated by email and registered post, and the bank is required to comply within 30 days of the Award.
For RuPay cards, you may write to [email protected] detailing the fraud, attaching bank complaint and FIR, requesting their intervention with member banks. NPCI does not directly handle individual complaints but may flag systemic issues to banks and expedite chargeback. For Visa/Mastercard, contact details are on respective India websites; however, these card networks expect you to route through your issuing bank first. Direct escalation is useful if bank is unresponsive after 15 days.
Yes. Under Consumer Protection Act 2019 Section 2(11), deficiency of service includes mental agony caused by the bank's negligence or delay. Under the RBI Integrated Ombudsman Scheme 2021, the Ombudsman can direct the bank to make good the actual loss (up to ₹20 lakh) and separately award compensation up to ₹1 lakh for the complainant's loss of time, expenses, and mental agony/harassment. Consumer commissions can also award compensation for mental agony and litigation costs; the amount is at the commission's discretion and depends on the sum defrauded, the duration of the dispute, the bank's conduct, and any documented hardship (for example a frozen account causing a bounced EMI or rent cheque, or health impacts supported by a medical certificate).
Sample written complaint to bank (hand-deliver + registered post):
To, The Branch Manager / Nodal Officer – Customer Grievances [Bank Name and Branch] [Address] Date: [Date] Subject: Unauthorized Debit Card Transaction – Request for Immediate Provisional Credit under RBI Customer Protection Circular (Limiting Liability in Unauthorised Electronic Banking Transactions) Respected Sir/Madam, I, [Your Full Name], hold a Savings Account [Account Number] and debit card [mask middle 8 digits: 1234-XXXX-XXXX-5678] with your branch. On [Date, Time], I received SMS alerts indicating unauthorized transactions totaling ₹[Amount] debited from my account (Transaction IDs: [UTR1], [UTR2]). At the time of these transactions, the debit card was in my physical possession, and I did not authorize, initiate, or benefit from these transactions. I have never shared my PIN, CVV, or OTP with any person or entity. I immediately blocked the debit card via [App/Call/SMS] on [Date, Time] and received confirmation [Reference Number]. I filed an FIR at [Police Station Name] on [Date] under FIR No. [FIR Number], copy enclosed. Under the Reserve Bank of India circular on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions (dated 6 July 2017), I report this unauthorized transaction within three working days of the SMS alert and hereby request: 1. Immediate provisional credit of ₹[Amount] to my account within 10 working days as mandated. 2. Comprehensive investigation and written report within 90 days. 3. Compensation for deficiency of service and mental harassment. I affirm that I have exercised reasonable care in safeguarding my card and credentials. Any negligence or deficiency in your fraud detection systems or payment gateway security must not result in liability on my part. Kindly acknowledge receipt of this complaint via email/SMS and provide a complaint reference number within one working day. Enclosures: 1. Copy of FIR (certified) 2. SMS/Email transaction alerts (printouts) 3. Card block confirmation 4. Bank statement extract 5. Identity proof (Aadhaar, PAN copy) Yours faithfully, [Signature] [Your Name] [Registered Mobile Number] [Email Address]
—
Sample FIR/complaint text for cyber crime police station:
To, The Officer In-Charge Cyber Crime Police Station / [Local Police Station] [City, State] Date: [Date] Subject: Complaint for Registration of FIR – Unauthorized Debit Card Fraud (BNS Sections 318, 319; IT Act Sections 66C, 66D) Respected Sir/Madam, I, [Your Full Name], aged [Age], residing at [Full Address], [City], [State], [PIN], Mobile [Number], hereby lodge a formal complaint regarding unauthorized debit card fraud and request registration of FIR under cognizable offenses. Facts: 1. I hold debit card [mask: 1234-XXXX-XXXX-5678] linked to Savings Account [Number] at [Bank Name, Branch]. 2. On [Date] at [Time], I received SMS alerts of transactions totaling ₹[Amount] debited from my account for purchases/transfers at [Merchant Name / Unknown Online Platform / ATM Location]. 3. At the time of these transactions, I was at [Your Location, with proof if available], and the debit card was in my physical possession. I did not initiate, authorize, or benefit from these transactions. 4. I have never shared my PIN, CVV, or any OTP with anyone. I did not click on suspicious links or respond to phishing calls/emails. 5. I immediately blocked the card on [Date, Time] via [Method] and received confirmation [Reference]. 6. This constitutes cheating and cheating by personation, identity theft, and unauthorized access to banking systems using computer resources. Sections applicable: - Section 318 Bharatiya Nyaya Sanhita 2023 (Cheating) - Section 319 BNS 2023 (Cheating by personation) - Section 66C Information Technology Act 2000 (Identity theft) - Section 66D IT Act 2000 (Cheating by personation via computer) I have also reported this on National Cyber Crime Portal (Acknowledgment No. [Number]) and submitted complaint to my bank. Request: Kindly register an FIR, investigate the matter, trace the beneficiary accounts, freeze fraudulent transactions, and take necessary action under law. I am available for any further information or statement. Enclosures: 1. SMS/Email alerts (printouts) 2. Bank statement 3. Card block confirmation 4. Cyber Crime Portal acknowledgment 5. Identity and address proof Yours faithfully, [Signature] [Your Name] [Contact Details]
Citizen tip — Print these templates on letterhead or plain paper with your full address header. Police and banks take printed, signed complaints more seriously than handwritten notes or verbal requests.
| Myth | Reality |
|---|---|
| “Banks always refund fraud within 3 days automatically.” | Banks refund only after written complaint, investigation, and provisional credit timeline (up to 10 working days). Automatic reversal is rare and typically occurs only if fraud-detection algorithm flags transaction before customer reports. |
| “If I shared OTP, I lose all rights.” | Sharing OTP indicates negligence, but if obtained via sophisticated social engineering, impersonation, or while bank's alerts were delayed, you can argue contributory bank deficiency. Courts/Ombudsman examine context, not binary rule. |
| “Cyber crime FIR is useless; police won't investigate.” | FIR is critical for zero-liability claim, insurance (if any), and legal remedies. Police investigation quality varies, but FIR itself shifts burden of proof to bank and creates criminal record that aids Banking Ombudsman/consumer forum cases. |
| “Private banks refund faster than PSU banks.” | Turnaround varies within both categories and depends on the efficiency of the bank's internal fraud team, not on ownership. Some public-sector banks resolve quickly; some private banks delay citing “investigation.” Prompt reporting and complete documentation matter more than the type of bank. |
| “I can claim unlimited compensation for mental agony.” | Under the RBI Integrated Ombudsman Scheme 2021, the Ombudsman can direct repayment of the actual loss (up to ₹20 lakh) and, separately, award up to ₹1 lakh for loss of time, expenses, and mental agony/harassment. Consumer commissions can award compensation for mental agony and costs at their discretion, typically higher where medical evidence of stress-related illness or severe financial hardship (such as a loan default caused by frozen funds) is proven. |
| “Once Banking Ombudsman rules, bank must pay immediately.” | The bank has 30 days to comply with the Ombudsman's Award once it accepts (or the customer accepts) it. If the bank fails to comply, you can take the matter up with the RBI; if you remain dissatisfied with the outcome you retain the right to pursue the consumer commission or civil court on the same facts. |