No More Passing the Buck: RBI Forces Banks to Own Digital Fraud
- Ramesh Vaidyanathan

- 2 days ago
- 3 min read
Ramesh Vaidyanathan and Sidharth Kumar
The Reserve Bank of India’s latest amendment on digital fraud is a blunt intervention in a system that has long thrived on ambiguity. For years, fraud victims have been caught in a predictable loop-banks, fintechs and telecom providers each pointing fingers while the customer waited for relief.
That system has now been decisively disrupted.
For the first time, the RBI clearly defines “third-party breaches”, covering failures caused by intermediaries such as payment aggregators, fintech platforms and telecom networks. More importantly, it changes the sequence of responsibility. If a customer reports such a fraud within five days, they bear zero loss. The bank must credit the customer immediately-before fault is determined-and then recover the amount separately from the party responsible.
This is not technical clarification. It is a clear policy choice: protect the customer first and push the complexity into the system.
The biggest strength of the framework is that it kills the industry’s favourite habit-deflection. The RBI has effectively said that customers cannot be made to suffer while institutions argue over liability. Someone must take ownership upfront, and that someone is the bank.
It also reflects a much-needed recognition of how digital finance works. Modern banking is no longer a closed ecosystem. It is an interconnected stack of vendors, APIs and shared infrastructure. By acknowledging third-party failures as a separate category, the RBI brings the law closer to operational reality.
Equally important, the rules force genuine accountability into the system. By making banks bear the immediate cost, the RBI ensures that a party with a strong balance sheet has both the incentive and the ability to enforce discipline across the ecosystem. This will inevitably push banks to demand better contracts, stronger indemnities and far greater oversight of their vendors. The days of treating cybersecurity as a compliance checkbox are effectively over.
But the clarity of the rule also exposes its most significant weakness: it turns banks into the system’s default shock absorbers.
Banks must now pay first, even where the failure lies entirely outside their control. While the theory is that they can recover these losses from vendors, the reality will be far messier. Existing contracts are built on capped liability and limited exposure, which are structures that are now fundamentally misaligned with the regulatory position. Renegotiations will be inevitable, and where those fail, disputes and litigation will follow.
In other words, regulatory certainty at the customer level may well translate into contractual instability within the system.
There is also a broader coordination problem that the framework only partially addresses. Digital fraud typically cuts across multiple institutions-the customer’s bank, the beneficiary bank, intermediaries and platform operators. While the RBI acknowledges shared liability pools, it does not fully resolve the operational question of who leads recovery and how quickly. That gap could slow resolution even as customers are protected upfront.
Perhaps the most notable omission is that the framework focuses far more on liability after fraud than on prevention before it. There is limited emphasis on mandatory real-time detection systems, shared security infrastructure or proactive risk mitigation standards. Without these, the system risks becoming efficient at refunding fraud, without necessarily becoming better at preventing it.
Finally, there is the question of cost. Stricter oversight, deeper audits and expanded liability will inevitably make participation in the financial ecosystem more expensive. Large, well-capitalised players will adapt. Smaller fintech companies, however, may find it harder to meet the new expectations, not because their businesses are unsound, but because the liability environment has become significantly more demanding.
This marks a decisive shift in regulatory philosophy. The question is no longer who is at fault, but who pays first.
The RBI has prioritised consumer trust over institutional convenience-and that is, on balance, the right move. But it has also shifted a disproportionate burden onto banks, asking them to underwrite risks that originate across a fragmented ecosystem.
Whether this proves to be a structural reform or merely a redistribution of losses will depend on what follows. If it leads to stronger contracts, better security standards and more accountable fintech partnerships, it will be a meaningful step forward. If not, it risks becoming an elegant solution that fixes outcomes for customers without fully addressing the underlying problem.


