Cyber frauds have been a hot topic of late with the Department of Financial Services hosting a meeting of stakeholders in New Delhi last week. Many bank account holders across the country have reported losses to cyber/digital/electronic frauds.

Though the amount in aggregate is small vis-à-vis the total volume taking place daily in the country, for ordinary customers such losses are material.

Aside from the fact that people lose savings, what should be worrisome is that in all such instances money gets siphoned out of the country’s banking system with potential use for illegal activities including drug trade, financing terrorism and anti-national activities. These frauds thus acquire a national security dimension too.

It is always a cat-and-mouse game between fraudsters and the system, with both trying to stay one step ahead.

Telecom, banks

How then can the common man’s interest be protected through tightening and harmonisation of regulatory fiats in both the telecom and banking sectors, better coordination among financial institutions, telecom companies and utilisation of the banking ombudsman scheme in case of disputes regarding redress/compensation to fraud victims?

There are three areas where immediate changes are required.

First is the need for the DoT/TRAI to tighten the regulation regarding KYC/Customer Acceptance for giving mobile/internet connections. A mobile/broadband connection is integral to cyber frauds. Customer due diligence (CDD) and subscriber verification are responsibilities which should be pinned firmly and squarely on the service providers.

At present, the relevant rules prescribe paltry penalties for laxity/lapses in subscriber verification. The penalty imposed on a telecom major after a recent Customer Application Forms audit by the DoT was just ₹1.07 lakh.

A SIM card becomes the gateway for frauds/illegal activities and we can ill afford any compromise with customer identification. The RBI has comprehensively defined KYC responsibility in the financial sector. Its KYC directives to all regulated entities (RE) including banks (Master Direction 2016, updated last on October 17, 2023) are a model which can be tweaked for adoption in the telecom sector. Tighter norms which would convey the seriousness of the customer identity verification responsibility to service providers are an immediate requirement.

Secondly, the RBI may need to examine harmonisation of its current instructions to banks regarding KYC norms, cited above, and the notification on redress/compensation for customers losing money to electronic frauds (issued on July 6, 2017).

The 2017 notification is clear with regard to customers’ liability in cases where their credentials like password and OTP have been compromised through negligence and in other cases where there has been no contributory negligence.

The Master Direction on KYC norms states clearly that REs should ensure that “no account is opened in anonymous or fictitious/benami names”. Further, it states that “REs shall undertake on-going due diligence of customers to ensure that their transactions are consistent with their knowledge about customers, customers’ business and risk profile, the source of funds/wealth”.

Now, in electronic frauds, two bank accounts will be involved — the account defrauded and the account used for routing the proceeds of the fraud.

In almost all cases, there would be compromise with KYC norms by the bank opening the account of the fraudster. This will hold good even in cases of “money mules” being used for frauds because of the RBI norms on transaction and velocity monitoring (February 28, 2013 notification) which, if adopted using the right technology, could prevent frauds.

Better harmonisation

Therefore what would ultimately emerge are lapses in KYC/transaction monitoring on the part of banks opening accounts used to defraud. The RBI must look at removing inconsistencies and better harmonisation of its instructions so that the issue of compensation to fraud victims is addressed fully. If there are KYC lapses, it is the end-to-end integrity of our banking system that comes into question in such cases.

At present, the instructions in such cases are not clear cut and it is left to the discretion of the RBI Ombudsmen dealing with the claims of compensation of fraud victims.

Even though the Ombudsman system is integrated, there could be inconsistency among RBI Ombudsmen in their orders of compensation in the absence of clear notifications. In the interest of transparency, the percentage of compensation (similar to the 2017 electronic frauds circular) in broad categories, may be defined and codified. If this is done, banks themselves may settle the claims without burdening the RBI’s Ombudsmen system.

Third is the imperative for either the RBI or the IBA to define the terms and the procedure to be used by banks while lodging claims on behalf of fraud victims with banks which have provided the conduit for the fraud through KYC-lax accounts.

Currently, banks make what is termed a “charge back claim” with their transaction counterpart for refund of the defrauded money.

The reply in such cases may be that the money has been siphoned out of the accounts and there is no balance. If there is any balance, the money is frozen or a “hold/freeze” is put on the balance in view of the reported fraud. These terms (charge back, hold/freeze, etc.), in the context of cyber/electronic frauds, have not been standardised, nor are the norms clear as to the period within which a claim should be honoured if there are KYC compromises.

These standardisations will enable banks to settle claims themselves without even referring to the Ombudsmen.

Action on these three areas will make the cyber frauds redress process robust, in alignment with the need of our times.

The writer is a commentator on banking and finance
