Golden-hour zero liability: the exact RBI math for cyber fraud
Quick answer. If you report an unauthorised electronic banking transaction to your bank within 3 working days of receiving the bank's communication, your liability is zero rupees. This is the law under RBI's customer-protection circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017. The bank must also shadow-credit the disputed amount to your account within 10 working days of you reporting. Send the report by email plus call your branch, capture both timestamps, and quote the circular by name in the subject line. Reporting on day 4 to day 7 caps your liability between ₹5,000 and ₹25,000 by account type. Reporting after day 7 puts it at the bank board's discretion.
If you are short on time, jump to the liability matrix in one table and the sample notice to your bank. Copy both, paste into a new email to your bank, send before the third working day ends.
Why this article exists
You have just lost money in a cyber fraud. You called 1930 and filed at NCRP. The next 72 hours decide whether you get every rupee back, get a partial cap, or carry the full loss. Most citizens do not know India has a statutory zero-liability rule. They wait two weeks while the bank “investigates”, miss the window, and accept whatever the branch manager offers.
This article is the math: the exact circular, the words that count as a report, the timing, the escalation if the bank stalls. For the call script, see the 1930 helpline script. For the freeze on the fraudster's account, see bank freeze process after cyber fraud. This page picks up where those two finish, forcing your own bank to refund you.
What "golden hour" means here
The phrase golden hour in cyber-fraud writing carries two meanings with different clocks. The first golden hour is the 60 minutes after the fraud. It is the window in which 1930 can ask the beneficiary bank to place a lien on the fraudster's account before the money is withdrawn. See the UPI fraud recovery walkthrough for those operational steps.
The second golden hour, the one this article covers, is 3 working days wide. It is the RBI's zero-liability window. You are not racing the fraudster, you are racing the clock the regulator set for your own bank. Report inside those 3 working days, the bank carries the loss. Miss by one day, your cap jumps from zero to thousands. Both clocks start the moment you become aware of the fraud, usually the debit SMS. Run them in parallel; the 1930 call and the bank email are two separate actions.
The RBI circular in plain English
The instrument that creates the zero-liability rule is RBI circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017, titled “Customer Protection, Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”. RBI extended the same protection to cooperative banks via circular DCBR.BPD.(PCB/RCB).Cir.No.06/12.05.001/2017-18 dated 14 December 2017. The framework continues in force in 2026, layered over by the RBI Master Direction on Digital Payments Security Controls (DoS.CO.CSITE.SEC.No.1852/31.01.015/2020-21 dated 18 February 2021). Verify the circular is still live on https://rbi.org.in/ before you cite it in a legal notice.
In one paragraph, the circular says this. If money leaves your account in an electronic transaction you did not authorise, your liability depends on who was at fault and how fast you told the bank. If the bank caused the loss, you owe nothing regardless of timing. If a third party caused it and you reported inside 3 working days, you still owe nothing. If you reported between 4 and 7 working days, your liability is capped by account type. If you reported after 7 working days, the bank's board-approved policy decides. If you caused the loss by sharing your OTP or PIN, the protection does not apply until you tell the bank, after which the same clock starts.
The “working day” in the circular is the working day of the home branch where the account is maintained. Sundays, bank holidays under the Negotiable Instruments Act, and the second and fourth Saturdays are not working days. A Friday night fraud followed by a Monday email is one working day later, not three.
The 3 liability scenarios
The circular sets out three buckets. Drop your own situation into one of them before you write to the bank; the bucket determines your tone and your cap.
Scenario A: zero liability
You owe nothing in any of these three situations.
- Bank's fault. The fraud happened because of a bank-side failure, for example a fraudulent debit while your card was in your wallet, an internal employee diverting funds, or a server bug. Liability is zero whether or not you reported quickly.
- Third-party breach, you reported inside 3 working days. Someone phished, vished or SIM-swapped you. The contributory cause is outside both you and the bank. As long as you tell the bank inside the 3-working-day window, you owe zero.
- Bank failed to register your alert. You tried to call the helpline or the branch refused to log the complaint. The clock pauses on you and resumes on them.
Scenario B: capped liability
If the third-party fraud is the cause and you reported between 4 and 7 working days of the bank's communication, your liability is capped at the lower of the transaction value or the cap for your account type. The cap is set in the circular's annex and reproduced in the matrix below. You do not pay the full loss, you pay only the cap.
Scenario C: open liability
If you reported after the 7-working-day window, the cap is gone. Your liability is whatever the bank's board-approved customer-grievance policy decides. Most banks will negotiate, very few will refund the full amount, all will demand the police FIR and the NCRP printout before they sit down. This is the worst place to be. The matrix and the notice template are designed to keep you out of it.
The liability matrix in one table
This is the annex to the 2017 circular, restated in rupees. Confirm against the version your bank cites in its board-approved policy on customer protection. The figures are stable, but every bank publishes its own copy under the Citizen Charter section of its website.
| Account type | Report within 3 working days | Report between 4 and 7 working days | Report after 7 working days |
|---|---|---|---|
| BSBDA (Basic Savings Bank Deposit Account, Jan Dhan) | ₹0 | ₹5,000 cap | Bank board policy |
| All other savings accounts | ₹0 | ₹10,000 cap | Bank board policy |
| Pre-paid payment instruments and gift cards | ₹0 | ₹10,000 cap | Bank board policy |
| Current accounts of MSME and individuals with limit up to ₹25 lakh | ₹0 | ₹10,000 cap | Bank board policy |
| Credit cards with limit up to ₹5 lakh | ₹0 | ₹10,000 cap | Bank board policy |
| Current and cash-credit accounts above ₹25 lakh limit | ₹0 | ₹25,000 cap | Bank board policy |
| Credit cards with limit above ₹5 lakh | ₹0 | ₹25,000 cap | Bank board policy |
Three things to read off this table.
- The cap is on you, not on the loss. A ₹4,70,000 fraud on a regular savings account, reported on day 5, costs you ₹10,000 and costs the bank ₹4,60,000.
- The cap is the maximum the bank can charge you. If the actual transaction value is lower than the cap, you pay the transaction value. A ₹3,000 fraud on a regular savings account, reported on day 5, costs you ₹3,000, not ₹10,000.
- BSBDA accounts carry the strongest protection. If a Jan Dhan account holder is the victim, the cap drops to ₹5,000 in scenario B. Most public-sector banks process these refunds without resistance.
What counts as "reporting"
The circular is silent on the exact channel, but the RBI Ombudsman has consistently held that a citizen has reported the moment they sent a written communication that the bank received. Three channels qualify, in descending order of evidential weight.
- Email to the bank's published cyber-fraud or customer-care address, with the disputed transaction details and the words “unauthorised electronic transaction reported under circular DBR.No.Leg.BC.78/09.07.005/2017-18”. Save the sent copy and the delivery receipt. This is the strongest record.
- Branch visit with a written letter, stamped received with date and time by the branch staff. Demand the stamp; do not leave with an unstamped acknowledgement.
- Call to the bank's 24×7 customer-care number with the call reference number written down. Banks log every call; ask the agent to read out the service request number and quote the circular by name. This works on its own only if you also send an email within 24 hours pointing back to the call reference.
What does not count, on its own.
- A phone call without a written follow-up. The call log alone has been rejected by ombudsmen when the bank claimed it was a routine enquiry.
- A WhatsApp message to a relationship manager. Personal-chat channels are not the bank's record-keeping system.
- A complaint filed only at 1930 or NCRP. The 1930 channel triggers freeze action on the fraudster's account, not a dispute against your account. You must report separately to your own bank.
- The bank's mobile-app “report fraud” button, on its own. Use it, but follow up by email with a screenshot of the app reference.
Send the email and call the branch and raise the in-app ticket. Three records, three timestamps. If the bank later disputes the date, you have triple proof.
The shadow-credit rule: 10 working days
This is the half of the circular that most citizens do not read past the liability table. The bank's obligation does not end at “we accept your complaint”. The circular requires the bank to credit the disputed amount, on a provisional basis, to your account within 10 working days from the date of your reporting. This is called the shadow credit or provisional credit.
In plain English, the bank must put the money back in your account first, while it investigates whether the transaction was genuinely unauthorised. You get to use the money during the investigation. If the bank later concludes the transaction was authorised, it can claw the shadow credit back. If it concludes the transaction was unauthorised, the shadow credit becomes the final refund.
The 10-working-day clock starts on the date you reported, not on the date the bank chose to begin its enquiry. A bank that says “we will refund after our 90-day investigation” is in breach of the circular. Quote the shadow-credit rule by name when you reply.
If the shadow credit does not appear by working day 10, you have two next moves. First, file a first-level complaint with the bank's nodal officer for customer protection; every bank publishes the email under “Customer Service” or “Grievance Redressal”. Wait 30 days. Second, if the bank still has not credited, escalate to the RBI Ombudsman under the Reserve Bank-Integrated Ombudsman Scheme 2021. Read the RB-IOS 2021 walkthrough for the form-by-form steps.
The "contributory negligence" gotcha
The single way to lose the zero-liability protection by your own hand is sharing your secrets. The circular carves out an exception for cases of “customer negligence”, where the customer has shared the payment credentials with another person. The classic examples:
- Reading out your OTP to a caller claiming to be from the bank.
- Sharing your UPI PIN with a relative who then transferred funds.
- Letting a “remote support” caller install AnyDesk or a screen-sharing app and watch you type credentials.
- Approving a collect request on a UPI app without reading what you were approving.
- Writing the debit-card PIN on the back of the card and losing the card.
In each of these, the circular allows the bank to argue contributory negligence and refuse the zero-liability protection. But, and this is the part the bank does not volunteer, the moment you tell the bank, a fresh clock starts. From that moment forward, any further unauthorised debits are at zero liability, even if the original fraud was your own OTP slip. The protection is not extinguished, it is reset.
The bank will still pressure you to admit the OTP share in writing. Do not. State the facts neutrally in your notice: “On dd-mm-2026 at hh:mm, an unauthorised debit of ₹X occurred. I report it under the circular.” Let the bank prove contributory negligence; do not concede it.
For the OTP-sharing fact patterns specifically, see SIM swap fraud recovery and the broader citizen RTI playbook.
Step-by-step claim workflow
Twelve actions, in order. Each action has a clock.
Step 1: Note the time of the fraud SMS
The debit alert SMS or push notification is your reporting clock starter. Screenshot it. Note the exact timestamp on the SMS itself, not on your phone's notification banner. The SMS carries the bank's own time, which is the time the circular cares about.
Step 2: Call 1930 within 60 minutes
This protects the first golden hour, the freeze on the beneficiary's account. The 1930 call does not start the RBI clock with your bank. You still need to do step 4. See the 1930 helpline script.
Step 3: File the NCRP complaint within 24 hours
Go to https://cybercrime.gov.in/ and file the financial fraud complaint. Save the acknowledgement PDF. This becomes evidence for the bank that the matter is on the record with the central cyber-crime portal.
Step 4: Email your bank within 3 working days
Use the sample notice in the next section. Send it to the bank's published cyber-fraud email and to the branch manager and to the nodal officer for customer protection. CC yourself. This is the action that triggers the zero-liability protection.
Step 5: Call the branch and capture the service request number
While the email is in the outbox, call the branch and read out the email. Ask for the service request number. Write it on the same screenshot you took in step 1.
Step 6: Visit the branch within 48 hours
Carry a printed copy of the email, the 1930 complaint number, the NCRP acknowledgement and your ID. Get the branch to stamp a copy of the email as received. Most banks will ask you to fill Form 15G for dispute; fill it on the spot.
Step 7: Wait for the shadow credit
The bank has 10 working days from step 4 to put the disputed amount back as a shadow credit. Check your statement on working day 8, 9 and 10. Take a screenshot of the credited entry.
Step 8: If no shadow credit by day 10, send a reminder
Email the same chain with subject “Reminder, shadow credit overdue under RBI circular DBR.No.Leg.BC.78”. Give the bank 5 working days to respond.
Step 9: Escalate to the bank's nodal officer
Every bank publishes a principal nodal officer for customer protection under the Grievance Redressal section of its website. Email the officer; the response window is 30 days under the bank's own policy.
Step 10: File with RBI Ombudsman under RB-IOS 2021
After 30 days from step 9, or earlier if the bank has rejected the complaint in writing, file at https://cms.rbi.org.in/. See the RB-IOS 2021 walkthrough.
Step 11: Consider a consumer commission complaint
For losses above ₹50,000, parallel-file at the District Consumer Disputes Redressal Commission under the Consumer Protection Act 2019. The bank is a service provider, and the dispute is a deficiency in service. The fee is nominal.
Step 12: File RTIs to RBI, NPCI and your bank PIO
To squeeze out the bank's internal file movement, file three parallel RTI applications. To RBI asking for the inspection-report compliance on customer protection at your bank. To NPCI asking for the UPI dispute SLA log for your transaction ID. To your bank's PIO asking for the file movement on your specific complaint number. Use the AI RTI Drafter to generate all three in two minutes.
Sample notice to your bank citing the circular
Copy this verbatim. Replace the bracketed fields. Send by email to the bank's cyber-fraud address, the branch manager and the nodal officer. Print, sign, hand-deliver at the branch within 48 hours.
Subject: Unauthorised electronic transaction reported under RBI circular
DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017

To,
The Branch Manager
[Bank name], [Branch name and address]

And,
The Nodal Officer, Customer Protection
[Bank name], [Head office address]

Date: [dd-mm-2026]

Sir/Madam,

I am [your full name], holder of account number [account no.] at your
[branch name] branch. I am writing under the captioned RBI circular to
report an unauthorised electronic banking transaction.

1. Transaction details
   Date and time of debit: [dd-mm-2026, hh:mm]
   Channel: [UPI / NEFT / IMPS / debit card / internet banking]
   Amount: Rs. [exact figure]
   UTR or transaction ID: [12-digit string]
   Beneficiary VPA, account or merchant: [as in SMS]

2. I did not authorise this transaction. I became aware of the
   transaction at [hh:mm] on [dd-mm-2026] through the debit alert SMS,
   a copy of which is enclosed.

3. I have, on [date], registered the matter with the National Cyber
   Crime Helpline 1930 (complaint reference [number]) and at the
   National Cyber Crime Reporting Portal (acknowledgement number
   [number]). Copies enclosed.

4. The present notice is delivered to you on [date], which is within
   3 working days of my receipt of the bank's communication about the
   transaction. Accordingly, my liability under the captioned circular
   is zero.

5. I require the bank to:
   a. Shadow-credit the disputed amount of Rs. [figure] to my account
      within 10 working days of this notice, as mandated by the
      circular.
   b. Reverse all consequent charges, including any minimum-balance
      penalties or return charges that arose from the disputed debit.
   c. Confirm in writing the date on which the shadow credit is
      applied and the final disposal of the dispute.

6. Failure to comply will be escalated to the principal nodal officer,
   the Banking Ombudsman under the Reserve Bank-Integrated Ombudsman
   Scheme 2021, and, if required, the District Consumer Disputes
   Redressal Commission under the Consumer Protection Act 2019.

7. Service of this notice may be acknowledged by reply email and by
   stamped receipt at the branch.

Yours faithfully,
[Signature]
[Full name]
[Address]
[Registered mobile]
[Email]

Enclosures:
- Debit SMS screenshot
- 1930 helpline complaint slip
- NCRP acknowledgement PDF
- Account passbook last page
- Aadhaar and PAN copies
When the bank refuses or stalls
The most common bank tactics, and the answer to each.
“We need 90 days to investigate before we can credit you.” The circular does not give the bank 90 days. The shadow credit is due in 10 working days; the investigation can continue past that point. Quote paragraph 9 of the circular by reference.
“You shared the OTP, so the circular does not apply.” Sharing the OTP triggers the contributory-negligence exception only for transactions before you reported. From the moment of reporting, the protection resets. Cite this in your reminder email.
“Please come to the branch and we will discuss settlement.” Settlement here usually means asking you to accept 50% of the loss and sign a release. Do not sign anything that waives the circular. Insist on the shadow credit first, settlement later.
“The matter is with our cyber-fraud team in Mumbai, we cannot give a timeline.” This is the cue to escalate. File with the nodal officer, then with RB-IOS 2021. The ombudsman will direct the bank to comply.
“You have not given us the FIR yet.” The circular does not require an FIR before the shadow credit. NCRP acknowledgement is sufficient. Provide the FIR if you have one, but do not let the absence stop the credit.
The formal escalation ladder is RBI Ombudsman, then consumer commission, then a writ under Article 226 if it is a public-sector bank ignoring an RBI direction. Most cases never reach step three; the ombudsman alone resolves over 80% of cyber-fraud disputes in the citizen's favour per RBI's annual ombudsman report.
Three real-world calculation examples
Numbers make the rule stick. Each example is anonymised but the calculation is the same one you will do tonight.
Example 1: ₹4,70,000 UPI fraud, reported day 1, regular savings
[Resident A] runs a textile shop in Surat. On Monday 11 May 2026 at 11:47 PM, three UPI debits of ₹1,50,000, ₹1,70,000 and ₹1,50,000 cleared her HDFC savings account. Total ₹4,70,000.
She called 1930 at 11:54 PM the same night, filed NCRP at 9:00 AM Tuesday 12 May, and emailed the bank at 9:30 AM citing the circular. Tuesday 12 May was working day 1. She reported well inside the 3-day window. Under the circular, her liability is zero. The bank shadow-credited ₹4,70,000 on Friday 22 May, within the 10-working-day shadow-credit clock.
Example 2: ₹85,000 card-not-present fraud, reported day 3, BSBDA
[Resident B] is a daily-wage labourer in Patna with a Jan Dhan account at SBI. On Friday 1 May 2026, a ₹85,000 international card debit cleared. He noticed on Tuesday 5 May when the ATM showed insufficient balance and reached the branch on Wednesday 6 May with a written letter.
Counting working days, Friday is day 0, Monday is day 1, Tuesday is day 2, Wednesday is day 3. He reported on working day 3, just inside the zero-liability window. Liability: zero. Had he walked in on Friday 8 May (working day 5) he would have been in Scenario B and his BSBDA cap of ₹5,000 would have kicked in. Two days of delay cost ₹5,000.
Example 3: ₹12,000 IMPS fraud, reported day 9, current account
[Resident C] runs a kirana shop with a current account at Bank of Baroda, limit ₹15 lakh. On Tuesday 14 April 2026, ₹12,000 vanished via IMPS. He assumed his accountant had paid a supplier. He realised it was fraud on Friday 24 April and emailed on Saturday 25 April. Saturday is not a working day, so the email was received Monday 27 April. 14 April to 27 April is 9 working days. He missed the 7-day window by 2 days, landing in Scenario C, open liability.
The bank's board policy capped refunds at 50% beyond the 7-day window. He recovered ₹6,000 and absorbed ₹6,000. Two days of confusion cost half the loss.
The pattern in all three examples is the same. Working days, not calendar days, decide the cap. Send the email the same day you spot the debit. Do not wait for Monday.
Things to do in the next 30 minutes
If you have just lost money in a cyber fraud, do these in order.
- Save the debit SMS and the bank push notification. Screenshot both.
- Call 1930 and complete the 7-minute script.
- File at NCRP at https://cybercrime.gov.in/ and save the acknowledgement.
- Email your bank using the sample notice above. Cc yourself.
- Call the branch and capture the service request number.
- Diarise working day 10 in your phone for the shadow-credit deadline.
- Pull the bank's nodal officer email off the bank's website and keep it ready.
- Forward this article to every family member who banks online.
Frequently asked questions
Is the 2017 RBI circular still in force in 2026?
Yes. The circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017 remains the primary instrument on customer liability for unauthorised electronic banking transactions. The 2021 Master Direction on Digital Payments Security Controls is layered on top; it did not replace the 2017 liability framework. Verify on https://rbi.org.in/ before citing in a legal notice. If RBI issues a fresh circular between now and your fraud date, the principle holds and only the citation updates.
Does the zero-liability rule cover UPI fraud?
Yes. UPI is an electronic banking channel and the circular covers all electronic banking transactions, including card, internet banking, IMPS, NEFT, RTGS, UPI, mobile wallet and AEPS. The specific NPCI UPI dispute redress process runs in parallel; it does not displace the RBI circular. See UPI deducted but not received for the UPI-specific workflow.
What if my account is jointly held with my spouse?
The protection attaches to the account, not the individual holder. Either joint holder can serve the notice; both should sign if available. The bank cannot demand both signatures to register the report, because the law treats either signature as sufficient. Document who signed and store a copy in the joint cloud folder.
Does AEPS Aadhaar-enabled fraud get the same protection?
Yes, AEPS transactions are electronic banking transactions for the purpose of this circular. The zero-liability test, the 3-working-day window and the 10-working-day shadow credit all apply identically. AEPS frauds carry an additional Aadhaar-biometric-lock remedy at the UIDAI side. See AEPS Aadhaar fraud recovery.
My account is frozen due to a lien from another fraud. Does the shadow credit still happen?
Yes, but the bank may credit the shadow amount and then immediately apply the lien to the credited amount. To free the shadow credit, you must also work on the lien removal. See lien amount in bank account, how to remove. The two processes run in parallel.
I shared my OTP and the bank says the circular does not apply. Is the bank right?
Partly. The OTP share gives the bank a contributory-negligence argument, but only for transactions before you reported. The moment you tell the bank in writing, the protection resets for all transactions after that point. Also, courts have read down the contributory-negligence exception when the bank's own systems failed to detect obvious red flags (multiple high-value debits to a new beneficiary in minutes). Do not concede the share in writing; let the bank prove it.
Can the bank refuse the shadow credit if the police FIR is not filed?
No. The circular does not condition the shadow credit on an FIR. NCRP acknowledgement is sufficient. Banks routinely ask for the FIR to slow the process. Reply that the FIR is being pursued in parallel but is not a precondition under the circular. Cite paragraph 9 of the circular by name.
What is the difference between shadow credit and a final refund?
A shadow credit is a provisional reversal that lets you use the money while the bank investigates. A final refund is the settlement after the investigation. If the bank concludes the transaction was unauthorised, the shadow credit becomes the final refund and is locked in. If the bank concludes you authorised the transaction, the shadow credit is reversed and your account balance returns to the post-fraud state. The 10-working-day deadline applies to the shadow credit, not the final refund.
I missed the 7-working-day window. Is recovery impossible?
Recovery is harder, not impossible. In Scenario C the bank's board policy controls the cap. Most banks settle for 50% to 70% of the loss after pressure from the nodal officer or the ombudsman. File the complaint, parallel-file at the consumer commission, and use the AI RTI Drafter to file three RTIs to RBI, NPCI and the bank PIO. Public-record pressure often unlocks settlement.
Where do I find my bank's board-approved customer-protection policy?
On the bank's website under “Customer Service” or “Citizen Charter” or “Policies”. The document is titled something like “Customer Protection Policy on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”. It must be published, by direction of RBI. If your bank's site does not have it, that is itself a complaint ground at the ombudsman.
Sources and further reading
- RBI circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017, Customer Protection, Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, available at https://rbi.org.in/Scripts/NotificationUser.aspx (search the notification number).
- RBI circular DCBR.BPD.(PCB/RCB).Cir.No.06/12.05.001/2017-18 dated 14 December 2017, the cooperative-banks extension.
- RBI Master Direction on Digital Payments Security Controls (DoS.CO.CSITE.SEC.No.1852/31.01.015/2020-21 dated 18 February 2021), available at https://rbi.org.in/.
- Reserve Bank-Integrated Ombudsman Scheme 2021, complaint portal https://cms.rbi.org.in/.
- National Cyber Crime Reporting Portal, https://cybercrime.gov.in/.
- National Cyber Crime Helpline, dial 1930.
- Information Technology Act 2000, §66C (identity theft) and §66D (cheating by personation using computer resource).
- Bharatiya Nyaya Sanhita 2023, §318 (cheating) and §319 (cheating by personation).
- Bharatiya Nagarik Suraksha Sanhita 2023, §106 (FIR registration for cognisable offences).
- Consumer Protection Act 2019, the deficiency-in-service ground for parallel relief at the District Commission.
Last reviewed: 15 May 2026. RTI Wiki editorial team. Verify the RBI circular reference is current on rbi.org.in before citing in a legal notice.