RBI Limits Consumers' Liability for Fraudulent Transactions
So What Should CISOs Do Now to Minimize Fraud Costs to Banks?
Following the cashless drive, the Reserve Bank of India is now requiring all banks, including scheduled commercial banks, small finance and payment banks, to limit consumers' liability for fraudulent credit and debit card transactions. As a result, CISOs must ramp up their fraud prevention efforts to help limit banks' losses.
Consumers now will pay nothing for fraud losses if the fraud was the fault of a bank or a third party or if the consumer reports the fraud within three working days of receiving a communication from the bank regarding the unauthorized transaction, according to a recent RBI notification.
In addition, consumers will have limited liability in cases where the fraud loss is due to their own negligence, such as when a consumer has shared payment credentials. In these cases, the consumer bears the entire loss until the unauthorized transaction is reported to the bank; any loss occurring after the transaction is reported will be borne by the bank.
RBI has prescribed the maximum liability of a customer for various types of accounts, including savings bank accounts, BSBD accounts, pre-paid instruments, credit cards and overdraft accounts.
Some security experts say the RBI's move is in line with other nations, including the United States, where banks bear liability for certain fraud losses and consumer liability is limited.
"Such measures [by RBI] will boost consumer confidence," says Sriram Natarajan, chief operating officer and former chief risk officer at Quattro, a business process outsourcing firm. "Banks will reap the gains of enhanced usage of digital channels; customers feeling secure will mean more transactions and revenue for banks."
In January 2014, as part of its Code of Bank's Commitment to Customers, RBI had ruled that consumers would not be held liable for more than a $150 (US) loss due to fraud. Banks, however, generally did not follow this because the directive lacked details on how to implement it.
Prakash Baliarsingh, RBI's chief general manager, says the central bank took the action to further limit consumer liability to increase customer protection in the wake of a recent surge in customer grievances regarding unauthorized transactions resulting in fraudulent payments.
The liability protections apply to all kinds of banking transactions, including: remote/online payment transactions (transactions not requiring physical payment instruments to be presented at the point of transactions, such as internet banking, mobile banking and card-not-present transactions); pre-paid payment instruments; and face-to-face/proximity payment transactions (transactions requiring physical payment instruments, such as a card or mobile phone, to be present at the point of transaction).
RBI is also instructing banks to protect customers against fraud by:
- Strengthening systems and procedures;
- Establishing a process for customers to report unauthorized transactions to the bank;
- Establishing robust and dynamic fraud detection and prevention mechanisms;
- Meeting reporting and monitoring requirements;
- Implementing mechanisms to assess the risks (for example, gaps in the bank's existing systems) arising from unauthorized transactions and to measure the resulting liabilities;
- Adopting appropriate measures to mitigate those risks and protect against liabilities; and
- Creating a system of continually advising customers on how to protect themselves from fraud related to electronic banking and payments.
The CISO's Role
The new directives - a revised set of instructions on customer protections that now encompasses all variants of online/electronic transactions - increase CISOs' responsibilities, says Sivakumar Krishnan, former head of information security at M Power Microfinance.
Compliance with the directives "involves implementing the new processes, ensuring relevant checks and balances are in-built in them, generating timely alerts and alarms for examination," Krishnan says.
CISOs need to stop using a checkbox security approach that focuses on narrow compliance issues and develop comprehensive approaches to securing online transactions, security experts say.
The biggest challenge, Natarajan says, is keeping pace with the evolving cyber threats posed by sophisticated fraudsters and hackers.
"CISO accountability increases in completely understanding additional controls that must be built into the process without disrupting the systems, with minimal changes on operations," Krishnan says.
Ashok K. Agarwal, head of IT audit at DCB Bank, says CISOs will now have to assess business risks in real time and also build an effective risk management framework and create a cybersecurity scorecard representing their true security posture to the board.
Action Plan Needed
In the ongoing effort to fight fraudulent transactions, CISOs must create a practical action plan to ensure endpoints are secure, minimize the risk of breaches and reduce stakeholder liability, some security practitioners say.
Banks must revamp their customer relations policy, with approval from their boards, to cover customer protection, and create customer awareness campaigns on the risks and responsibilities involved in cashless transactions, Baliarsingh says.
The policy must be transparent and non-discriminatory, stipulating the mechanism of compensating customers for unauthorized electronic banking transactions and prescribe timelines for compensation, he adds.
Krishnan suggests banks implement fraud identification, fraud analysis and behavioral systems, integrated within the core banking system or transaction systems, to help control fraud.
Essential technologies for early fraud detection, Natarajan says, include machine learning, big data and cross-channel fraud monitoring software.
Enhancing SOC monitoring by deploying machine learning technology also will help in the effort to prevent fraud, Agarwal adds.
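The behavioral and cross-channel monitoring that Krishnan and Natarajan describe is easier to reason about with a concrete rule set. The following is an added illustration written for this article, not code from RBI, any bank or any vendor mentioned above. It screens a constructed stream of transactions with three rules a bank's fraud system would typically combine: transaction velocity across all channels, a card-present purchase in one country followed by activity from another country within an hour, and an amount that is far outside the customer's own history. The transaction data, the channel labels and every threshold are assumptions chosen for the demonstration.

```python
"""Added example: minimal cross-channel, behaviour-based transaction screening.
Not the article's or any bank's code; thresholds and data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    ts: datetime
    amount: float      # assumed INR
    channel: str       # "POS" (card present), "CNP" (card not present), "MOBILE", "NETBANK"
    country: str       # country the transaction originated from (assumed ISO code)


def amount_zscore(prior_amounts, amount):
    """Z-score of `amount` against the customer's prior transactions.
    Returns None when there is too little history (fewer than 5 prior transactions)."""
    if len(prior_amounts) < 5:
        return None
    mu = mean(prior_amounts)
    sd = pstdev(prior_amounts)
    if sd == 0:
        return None if amount == mu else float("inf")
    return (amount - mu) / sd


def screen(txns, velocity_window=timedelta(minutes=10), velocity_limit=3,
           travel_window=timedelta(hours=1), z_limit=3.0):
    """Evaluate each transaction against the same customer's earlier transactions,
    regardless of channel. Returns {txn_id: [reasons]} for transactions that trip a rule."""
    by_customer = {}
    flagged = {}
    for t in sorted(txns, key=lambda x: x.ts):
        history = by_customer.setdefault(t.customer, [])
        reasons = []
        # Rule 1: velocity. More than `velocity_limit` transactions inside the window,
        # counted across all channels, looks like card testing or a scripted drain.
        recent = [h for h in history if t.ts - h.ts <= velocity_window]
        if len(recent) + 1 > velocity_limit:
            reasons.append(f"velocity: {len(recent) + 1} txns within {velocity_window}")
        # Rule 2: cross-channel geo mismatch. A physical card used in one country and
        # activity from another country shortly after cannot both be the cardholder.
        for h in history:
            if (t.ts - h.ts <= travel_window and h.country != t.country
                    and "POS" in (h.channel, t.channel)):
                reasons.append(f"geo: {h.channel} in {h.country} then {t.channel} "
                               f"in {t.country} within {travel_window}")
                break
        # Rule 3: amount anomaly relative to the customer's own baseline.
        z = amount_zscore([h.amount for h in history], t.amount)
        if z is not None and z > z_limit:
            reasons.append(f"amount: z={z:.1f} against customer baseline")
        if reasons:
            flagged[t.txn_id] = reasons
        history.append(t)
    return flagged


def sample_txns():
    """Constructed transactions for the demonstration (not real data)."""
    base = datetime(2017, 7, 10, 9, 0)
    txns = []
    # C1: seven routine card-present purchases in India, one per day
    for i, amt in enumerate([1800, 2200, 1950, 2100, 2050, 1900, 2000]):
        txns.append(Txn(f"c1-{i}", "C1", base + timedelta(days=i), amt, "POS", "IN"))
    # C1: card present in India, then a large card-not-present charge abroad 20 minutes later
    t = base + timedelta(days=7)
    txns.append(Txn("c1-pos", "C1", t, 2100, "POS", "IN"))
    txns.append(Txn("c1-cnp", "C1", t + timedelta(minutes=20), 45000, "CNP", "RO"))
    # C2: four card-not-present charges within four minutes (card-testing pattern)
    for i in range(4):
        txns.append(Txn(f"c2-{i}", "C2", base + timedelta(minutes=i), 500, "CNP", "IN"))
    return txns


if __name__ == "__main__":
    for txn_id, reasons in screen(sample_txns()).items():
        print(txn_id, "->", "; ".join(reasons))
```

Run as a script, it flags only `c1-cnp` (geo mismatch and amount anomaly) and `c2-3` (velocity); the routine purchases, including the legitimate `c1-pos` that precedes the fraudulent charge, pass. The point of keeping one history per customer across channels is the cross-channel view the article calls for: a CNP-only system would see `c1-cnp` as a single large purchase with no card-present context to contradict it.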