From 1 January 2027, even if a fraud happened because you shared your OTP or password, you can claim a one-time refund of 85 per cent of your net loss or Rs 25,000, whichever is lower, on a fraudulent electronic banking transaction with a gross loss up to Rs 50,000. This is a brand new cushion, and it does not touch the older zero-liability protections that still apply when the bank was at fault or when you reported a third-party fraud in time.
Quick answer. The new payout is in the RBI Responsible Business Conduct Third Amendment Directions, 2026 (RBI/2026-27/167, dated 24 June 2026). It applies only to transactions on or after 1 January 2027. It helps the one situation you were never covered for before: when you were careless and shared credentials. You can use it once in your lifetime.
Short on time? Jump to the how-to-report steps and file with your bank the same day you spot the fraud.
The biggest mistake people make is assuming the new Rs 25,000 cap is all you can ever get back. It is not. Whether you get a full refund or only the capped amount depends entirely on why the fraud happened and how fast you reported it.
The new rule does not replace the existing protections. It adds a floor for the one case that had none. Read the table left to right and find your row.
| Your situation | Who was at fault | What you get back | When it applies |
|---|---|---|---|
| Bank negligence or bank fraud | The bank or its system | Zero liability. Full money back, no matter when you report | Already in force today |
| Third-party breach, you reported within 5 calendar days | A fraudster, not you, not the bank | Zero liability. Full money back if reported in 5 days | Already in force today |
| You shared your OTP, PIN or password | You were negligent | New cushion: 85 per cent of net loss or Rs 25,000, whichever is less, for gross loss up to Rs 50,000, once in your lifetime | New, from 1 January 2027 |
Note: rows one and two are unchanged. If the bank was careless or a stranger drained your account and you reported within 5 days, you still get every rupee back. The new rule in row three is for the situation where you previously bore the full loss because you handed over your secret credentials yourself.
Until now, the line was harsh. If a fraudster tricked you into reading out your OTP, the loss was treated as yours alone. Banks would often refuse any refund because you, not they, shared the secret.
The RBI Third Amendment Directions, 2026 soften that line for small losses. They accept that ordinary, honest people get manipulated by clever scams. So for a bona fide individual victim, including a sole proprietor, the bank must now pay a capped amount even in a self-negligence case.
It is deliberately a small, once-in-a-lifetime cushion, not a blank cheque. It rewards honesty and reporting, while still expecting you to guard your credentials.
Say a scammer convinces an unnamed citizen to share an OTP on 5 January 2027. Rs 40,000 leaves the account in one fraudulent transfer.
The citizen bears the remaining Rs 15,000, because the rule is a partial cushion for a negligence case, not a full refund. Had the same fraud been a third-party breach reported within 5 days, the full Rs 40,000 would have come back under the older zero-liability rule.
Speed matters even for the new cushion. Reporting fast also keeps your zero-liability options open if it turns out the fraud was not your fault after all.
Call the bank fraud helpline and freeze the account or card the moment you notice the fraud. Follow up in writing, by email or the netbanking grievance form, so you have a dated record. Keep the complaint reference number.
Dial the national cyber-crime helpline 1930 and lodge a complaint at cybercrime.gov.in. A fast report can help the bank trace and freeze the fraudster's account before the money moves on.
The bank should investigate and credit any compensation due. If it refuses, delays, or pays the wrong amount, escalate to the RBI Ombudsman under the Reserve Bank Integrated Ombudsman Scheme. See what to do when the RBI Ombudsman closes or rejects your complaint.
If the bank stonewalls, ask it in writing for the fraud investigation report and the reason for any refusal. You can draft a clean, citation-ready request with the AI RTI draft tool and read the deeper playbook in the golden-hour zero-liability guide.
No. The cap applies only to the negligence case where you shared your credentials. If the bank was at fault, or a third party defrauded you and you reported within 5 calendar days, you still get a full zero-liability refund. The new rule adds a floor where there was none. It never shrinks an existing full refund.
It applies to electronic banking transactions on or after 1 January 2027. It is an upcoming rule announced in the RBI Responsible Business Conduct Third Amendment Directions, 2026, dated 24 June 2026. A fraud before that date is not covered by this new cushion.
Once. The 85 per cent or Rs 25,000 capped compensation is available a single time during the customer's lifetime. After you have claimed it once, you cannot claim it again for another negligence-based fraud.
A bona fide individual victim, including a sole proprietor, whose gross loss on a single fraudulent electronic banking transaction is up to Rs 50,000, in a situation where the customer was negligent, for example by sharing an OTP, PIN or password. Larger losses and non-individual accounts are outside this specific provision.
Then you are likely in the zero-liability category, not the capped one. Reporting a third-party breach within 5 calendar days means the bank should refund the full amount. Always report fast, because the speed of your complaint can decide whether you get everything back or only the capped amount.
In the RBI Responsible Business Conduct Third Amendment Directions, 2026, reference RBI/2026-27/167, DOR.MCS.REC.No.130/01-01-032/2026-27, dated 24 June 2026. The compensation provision sits in the para 76T area of the Directions and is a final, binding Direction, not a draft.
For the full citizen toolkit on filing, appealing and escalating, see The RTI Playbook.