Money Debited by Fraud? Get a Refund in 2026

Reviewed on: 2026-06-19.

The Reserve Bank of India circular RBI/2017-18/15 (DBR.No.Leg.BC.78/09.07.005/2017-18, dated 6 July 2017) is the governing document. It applies to all scheduled commercial banks, small finance banks, regional rural banks, and payments banks.

The circular creates three categories of customer liability:

Zero liability (you owe nothing):

• The bank itself was at fault, for example a data breach on its systems, a deficiency in its processes, or fraud by a bank employee.
• A third party (someone outside both you and your bank) breached the system AND you reported the unauthorised transaction to your bank within 3 working days of receiving the bank's communication (SMS or email alert) about that transaction.

Limited liability (you bear a capped amount):

If you reported between 4 and 7 working days after receiving the bank alert, your maximum personal loss is:

Your bank must compare the capped amount above with the actual transaction value and apply whichever is lower.

Your liability determined by bank policy: If you reported after 7 working days, your bank's Board-approved policy decides. This is why speed matters.

Important: If you shared your OTP, PIN, or password with the caller, the RBI circular treats that as your negligence. In that case you bear the full loss until you report it; losses after you notify the bank shift back to the bank. See how OTP scams work for how to avoid this trap.

Time is money, literally. Before filling any form, do these in the first 30 minutes:

1. Call 1930: the national cyber crime financial fraud helpline. Ask the operator to flag the transaction. This creates a time-stamped record that can help freeze mule accounts before money moves further.
2. Call your bank's 24×7 helpline: ask them to block your card/UPI/net banking and raise an internal dispute ticket. Note the ticket number.
3. Do not call back the number that defrauded you. That is a common re-victimisation method.
4. Screenshot your bank statement showing the debit before any reversal entries appear.

Go to cybercrime.gov.in and select “Financial Fraud” under Report a Complaint. Choose “Register and Track” so you get a complaint reference number.

You will need:

• Your mobile number (for OTP verification)
• Your bank account or card number
• The date, time, and amount of the fraud transaction
• Any transaction reference number from your bank alert
• Screenshots or call recordings if you have them

You can also track your complaint later using the cybercrime complaint status tracker.

A phone call is not enough. Email or hand-deliver a written complaint to your branch manager or the bank's nodal officer within the same day. State:

• Date and time of the fraudulent transaction
• Amount debited
• That you did not authorise the transaction
• Your request for reversal under the RBI circular dated 6 July 2017

The bank must acknowledge and credit the amount provisionally (shadow reversal) within 10 working days of your notification. The full resolution, including determining final liability, must happen within 90 days.

Ask for the complaint acknowledgement in writing. Keep it.

If the fraud happened via UPI, you can also raise a dispute through your UPI app (Google Pay, PhonePe, Paytm, BHIM etc.) using the in-app “Report an issue” or “Raise dispute” option. The dispute flows through the acquiring bank. For more detail on the UPI-specific process, verify the current mechanism on npci.org.in, as NPCI updates these procedures periodically. Also see how to file a UPI fraud complaint.

If your bank does not respond within 30 days, or gives an unsatisfactory response, escalate to the Reserve Bank - Integrated Ombudsman Scheme. File at cms.rbi.org.in. You do not need a lawyer. The Ombudsman covers banks, NBFCs, and prepaid payment instrument issuers.

For a detailed walkthrough of filing with the Ombudsman, see how to use the Banking Ombudsman.

The Ombudsman can:

• Direct the bank to reverse the fraudulent debit
• Award compensation for mental agony and harassment (up to limits prescribed in the scheme)
• Direct the bank to pay interest for delayed reversal

This is treated as customer negligence under the RBI circular, so you bear the full loss that occurred before you reported it to your bank. Once you notify your bank, the bank covers any further losses. That said, file with your bank and on 1930 anyway. Some banks may still offer partial relief as a goodwill gesture, and the police record matters for an FIR if you choose to escalate.

The RBI circular places the burden of proof on the bank, not on you. The bank must prove you were negligent. If you believe their decision is wrong, escalate to the RBI Integrated Ombudsman at cms.rbi.org.in within 30 days of the bank's final response.

The answer depends on whether you shared credentials. If the caller extracted your OTP or PIN and used it, courts and banks generally treat that as the customer's contributory negligence because the credentials passed through you. If the fraud happened entirely without you providing anything (for example a SIM-swap attack or a card-skimming breach), that is more likely a third-party breach. Report to 1930 and let the bank's investigation run, but also file an FIR with your local police.

Your bank must do a provisional (shadow) credit within 10 working days. The final determination of who bears the loss must happen within 90 days. If you escalate to the Ombudsman, the typical resolution timeframe is longer; verify current timelines on the RBI website.

File directly on cybercrime.gov.in online. Also file an FIR at your nearest police station under sections of the Bharatiya Nyaya Sanhita dealing with cheating and fraud. Lodge the written complaint with your bank simultaneously. See reporting cyber fraud via 1930 for alternatives.

Be very careful. Fraudsters often call or message victims saying “we are processing your refund, share an OTP to receive it.” No legitimate bank or government agency will ever ask you for an OTP to credit money. If you receive such a message, it is a second fraud attempt.

Yes. The RBI circular covers credit cards as well. The same zero-liability and limited-liability rules apply, with the cap depending on whether your credit limit is above or below Rs 5 lakh.

If you want official data or internal records about fraud complaint processing, ask RBI under the RTI Act 2005.

• How many unauthorised electronic transaction complaints were received in the last financial year and how many were resolved within 90 days?
• What action has RBI taken against banks that failed to make shadow reversals within 10 working days under circular DBR.No.Leg.BC.78/09.07.005/2017-18?
• What is the total amount involved in unauthorised electronic transaction complaints resolved under the Integrated Ombudsman Scheme in the last financial year?
• What inspections or audits has RBI conducted to verify bank compliance with mandatory SMS/email alert requirements for electronic transactions?
• How many banks have been penalised for non-compliance with the zero-liability / limited-liability customer protection framework?

→ Use our free AI RTI Drafter to generate a complete Section 6(1) application.

• RBI Circular RBI/2017-18/15 dated 6 July 2017: Customer Protection - Limiting Liability of Customers in Unauthorised Electronic Banking Transactions
• National Cyber Crime Reporting Portal - cybercrime.gov.in
• Reserve Bank - Integrated Ombudsman Scheme complaint portal
• RBI Complaints and Ombudsman information page
• National Payments Corporation of India - npci.org.in

By Dr. Shrawan Kumar Pathak