BQ Explains: Hit By A Payment Fraud? Here’s What You Need To Do

Hit by a payment fraud? Here’s what you need to do.

(Photo: BloombergQuint)

Instances of payment fraud have been increasing over the last three months in the wake of the Covid-19 pandemic. Fraudsters have been using various techniques to defraud customers via digital payments platforms for months now, and complaints about such instances have risen in recent months. Tactics have changed along the way as well.

Despite public campaigns by the National Payments Corporation of India, banks and the Reserve Bank of India, customers are falling prey to such frauds. Often, after such financial accidents they are also uncertain about how to seek redressal through formal channels. Instead, many take to social media to complain in the hope that authorities will step in.

Have you been hit by a payment fraud? Read on to understand what steps you should take to protect yourself.

What should I do if I have been defrauded?

When a customer has been hit by a fraud via a digital transaction, they must first save screenshots of any SMS, email, fraudulent website, UPI handle or mobile number through which the fraud occurred.

If customers are defrauded through e-commerce platforms they should save a screenshot of the merchant’s web page.

If they fall victim to ATM skimming, which means the theft of customer details through a device placed illegally at an ATM terminal, the customer should document the ATM location, address and number, which is listed on top of the machine.

Similarly, they should note the merchant’s address if a point-of-sale device has skimmed their card details.

Customers should also note down any transaction ID numbers, in any of the above instances.

Who should I report to?

Once you realise you have been hit by a payment fraud and you note down the details available, you need to start the process of reporting.

Your first stop is the bank, NBFC or payment platform you were using when defrauded.

In the case of UPI, customers should report the fraud to both their bank and the payment company whether it is Google Pay, Paytm, PhonePe or others.

In case of a payment fraud on an e-commerce website, a PoS device or an ATM, customers should file the complaint with the card issuing bank. So if you’ve used an SBI debit or credit card for the transaction, you should report the fraud to SBI.

Once the complaint has been registered with the concerned company, customers should file a first information report or FIR with their local cyber-crime police department. The Ministry of Home Affairs has a specific portal related to cyber crimes, listing the relevant cyber-crime police stations across states.

The NPCI has published various FAQs detailing the steps to be taken by customers in case of a UPI, IMPS, FASTag, Aadhaar Enabled Payments System or Bharat QR fraud. There is also a specific portal for reporting complaints on the Bharat Bill Payment System.

Should a consumer not get a response from their bank or payment service provider within a month, or if a customer isn’t satisfied with the response, they can approach the RBI’s Banking Ombudsman.

Who bears the loss in the case of a fraud?

According to the Reserve Bank of India’s July 2017 notification, a customer will get the full amount back in the following circumstances. First, if the fraud occurs due to negligence or deficiency on the part of the bank. Second, if it is a third-party breach but the customer notifies the bank within three working days.

If the customer has reported the unauthorised transaction or a case of third-party fraud four to seven days after the transaction, then the maximum liability for the customer would be as per the following matrix:

According to Puneet Kapoor, president of products, alternate channels and customer experience delivery at Kotak Mahindra Bank, customers have to report unauthorised transactions within three working days from the date of the unauthorised transaction to be entitled to zero liability, otherwise there is limited liability on the bank.

“If it is an unsecured e-commerce transaction which is not authenticated by second factor authentication, then the bank has charge back rights against the merchant and will compensate the customer for the loss accordingly,” he said.

Harshil Mathur, chief executive officer and co-founder of Razorpay, said that from the RBI’s perspective banks are responsible. But banks have their own agreements with payments companies they work with and pass the liability onto them in case the fraud takes place on their network.

“The RBI framework applies to all instruments and transaction types like UPI, PPIs in addition to cards since ultimately, the bank account is being defrauded. Payment companies can assist the customers with fraud cases but they should always report frauds, regardless of the channel, to their bank,” he said.

Similar to its banking guideline, the customer’s liability in the case of unauthorised transactions via pre-paid instruments is as per the following matrix:

Zulfiquar Memon, managing partner at MZM Legal, said that regardless of whether it is a bank or payment company, there has to be an internal investigation by the company to find the source, the method and the genuineness of the complaint.

“The bank or the payment company will have to take care of the liability to the full extent if the fraud is reported within three days and if they find the complaint is genuine. But if the customer takes longer than three days to report the fraud, it becomes difficult to claim a full liability,” he said.

What if I am at fault?

Let’s be honest. A number of frauds take place because customers are careless. For instance, giving out OTPs or KYC details over the phone is not something any customer should do.

But it can happen. Will customers still be compensated if they are at fault? Not always.

In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank, the RBI notification said.

For both unauthorised electronic bank and PPI transactions, if the customer contributed to the fraud through their own negligence, neither the bank nor the PPI issuer will pay out the claim. The exception is when further unauthorised transactions are conducted after the customer has filed a report; in that case the bank and PPI issuer will bear the loss.

What are the grey areas?

Payment frauds and liability for such frauds are not an open-and-shut case. There are a number of grey areas being debated.

Recently, Paytm filed a case with the Delhi High Court against the government and telecom companies.

According to the petition, a copy of which BloombergQuint has seen, Paytm has lost over Rs 10 crore of their customers’ money to fraudsters between June 2019 and April 2020. These fraudsters duped customers through various methods using mass SMS services provided by the telecom players.

Paytm alleges that the telecom operators have failed to curb these phishing attempts and the problem of unsolicited commercial communications. It has, therefore, sought damages worth Rs 100 crore from them.

There’s also a debate about the liability between the customer’s ‘issuing bank’ and the ‘acquiring bank’ used by fraudulent merchant users.

“The obvious loophole in present regulations is the absence of liability on the acquiring bank, which is used by the merchant to conduct the fraud. The regulator should also make the bank to where the money is being siphoned liable for fraud transactions,” said NS Nappinai, advocate at Supreme Court of India and founder of Cyber Saathi.

Another problem is the delay in resolving and reimbursing customers even after they follow the timelines on reporting payment frauds. Even after the customer reports the fraud within three days there is a lot of back-and-forth between companies and the customer and with third-parties if they are involved as well, Memon said. While the RBI guideline says that customer frauds should be resolved within 90 days, in practice sometimes it takes longer, he said.
