January 04, 2019
All Authorised Non-bank Prepaid Payment Instrument Issuers
Madam / Dear Sir,
Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Payment Transactions in Prepaid Payment Instruments (PPIs) issued by Authorised Non-banks
Please refer to paragraph 9 of Statement on Developmental and Regulatory Policies regarding framework for limiting customer liability in respect of unauthorised electronic payment transactions involving PPIs, announced in the Fifth Bi-monthly Monetary Policy Statement for 2018-19 by the Reserve Bank of India (RBI).
2. As you are aware, a framework for ‘Risk Management’ and ‘Customer Protection’ has already been laid down in paragraphs 15 and 16 of Master Direction on Issuance and Operation of Prepaid Payment Instruments (PPI MD) issued vide DPSS.CO.PD.No.1164/02.14.006/2017-18 dated October 11, 2017 (updated as on December 29, 2017). With a view to further strengthen customer protection for the PPIs which are issued by entities other than banks, the criteria for determining the customers’ liability in unauthorised electronic payment transactions resulting in debit to their PPIs have been reviewed as under:
3. The provisions of these directions will be applicable to all authorised non-bank PPI issuers (referred to as ‘PPI issuer’ hereafter). Bank PPI issuers will continue to be guided by DBR.No.Leg.BC.78/09.07.005/2017-18 dated July 6, 2017 or DCBR.BPD.(PCB / RCB). Cir.No.06/12.05.001/2017-18 dated December 14, 2017, as applicable. PPIs issued under the arrangement of PPI-MTS (PPIs for Mass Transit Systems) as per paragraph 10.2 of PPI MD will be outside the purview of these directions except for the cases of contributory fraud / negligence / deficiency on the part of the PPI-MTS issuer.
Categories of electronic payment transactions
4. For the purpose of this circular, electronic payment transactions have been divided into two categories:
5. Reporting of unauthorised payment transactions by customers to PPI issuers
Limited liability of a customer
6. A customer’s liability arising out of an unauthorised payment transaction will be limited to:
The above shall be clearly communicated to all PPI holders.
Reversal timeline for zero liability / limited liability of a customer
7. On being notified by the customer, the PPI issuer shall credit (notional reversal) the amount involved in the unauthorised electronic payment transaction to the customer’s PPI within 10 days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any), even if such reversal breaches the maximum permissible limit applicable to that type / category of PPI. The credit shall be value-dated to be as of the date of the unauthorised transaction.
8. Further, PPI issuers shall ensure that a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the PPI issuer’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions of paragraph 6 above. In case the PPI issuer is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the amount as prescribed in paragraph 6 shall be paid to the customer, irrespective of whether the negligence is on the part of customer or otherwise.
Board approved policy for customer protection
9. Taking into account the risks arising out of unauthorised debits to PPIs owing to customer negligence / PPI issuer negligence / system frauds / third party breaches, PPI issuers need to clearly define the rights and obligations of customers in case of unauthorised payment transactions in specified scenarios. PPI issuers shall formulate / revise their customer relations policy, with approval of their Boards, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic payment transactions and customer liability in such cases of unauthorised electronic payment transactions. The policy must be transparent, non-discriminatory and should stipulate the mechanism of compensating the customers for the unauthorised electronic payment transactions and also prescribe the timelines for effecting such compensation. PPI issuers shall provide the details of their Board approved policy in regard to customers’ liability formulated in pursuance of these directions, as well as the provisions of paragraph 15 and 16 of PPI MD, to all customers at the time of issuing the PPI. PPI issuers shall display their Board approved policy, along with the details of grievance handling / escalation procedure, in public domain / website / app for wider dissemination.
Burden of proof
10. The burden of proving customer liability in case of unauthorised electronic payment transactions shall lie on the PPI issuer.
Reporting and monitoring requirements
11. The PPI issuers shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or one of its Committees. The reporting shall, inter-alia, include volume / number of cases and the aggregate value involved and distribution across various categories of cases. The Board or one of its Committees shall periodically review the unauthorised electronic payment transactions reported by customers or otherwise, as also the action taken thereon, the functioning of the grievance redressal mechanism and take appropriate measures to improve the systems and procedures.
12. Directions contained in paragraph 16.4 of PPI MD as applicable to non-bank PPI issuers are being modified accordingly.
13. The directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007), and shall come into effect from March 01, 2019.
Source: RBI Notifications