Card Fraud, Zero Liability and the 3-Day Window: What Every Indian Bank Customer Must Know

Your phone buzzes. A transaction alert: ₹15,000 debited. You didn’t make it. You call the bank. After twenty minutes on hold, an executive says: “The transaction was OTP-verified; there is nothing we can do. Please file a police complaint.”

This happens to thousands of Indians every day. Most accept it. They should not.

Indian law, anchored in a binding Reserve Bank of India circular and reinforced by consumer courts, High Courts, and the Supreme Court, gives every bank customer a specific and enforceable protection: zero liability for unauthorised card and banking transactions, if you act within three working days. Most people have never heard of it.

The RBI Circular That Changed Everything

The Reserve Bank of India issued a comprehensive and binding circular on 6 July 2017 (No. RBI/2017-18/15 DBR.No.Leg.BC.78/09.07.005/2017-18) titled “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions.” This applies to every scheduled commercial bank, small finance bank, payment bank, and prepaid payment instrument issuer in India.

The circular establishes three tiers of customer liability:

Zero Liability applies when: (a) the fraud is due to the bank’s own negligence or a third-party breach and the customer had no role in it; or (b) the customer reports the unauthorised transaction within 3 working days of receiving the bank’s communication about the transaction.

Limited Liability applies when the customer reports within 4–7 working days. The cap on what you must bear: ₹5,000 for basic savings accounts; ₹10,000 for other savings accounts and prepaid instruments; ₹25,000 for credit cards with limits above ₹5 lakh.

Full Liability (customer bears the loss) applies only where: (a) the loss results entirely from the customer’s own negligence (voluntarily sharing credentials without any manipulation); and (b) the customer fails to report beyond 7 working days.

The critical number: 3 working days from the date you receive the bank’s communication, not from the date you discover the fraud yourself. If the bank sent you an SMS alert, that is when the clock starts.

Once you report, the RBI circular requires banks to provisionally credit the disputed amount to your account within 10 working days and complete the investigation within 90 days.

“But I Shared the OTP”: What Courts Say

The most common reason banks refuse refunds is: “The transaction was OTP-verified, so you authorised it.” This argument has been specifically rejected by Indian courts.

The Delhi High Court, in Hare Ram Singh v. Reserve Bank of India & Ors. [W.P.(C) 13497/2022], held that when fraud involves complex social engineering (phishing calls, vishing, or technical manipulation), banks cannot rely on OTP generation alone as a complete defence. The burden of proving the customer’s negligence lies on the bank, not on you.

The Supreme Court, in State Bank of India v. Pallabh Bhowmick & Ors. [SLP (C) No. 30677 of 2024, order dated 03.01.2025], went further, holding that banks must use the best available technology to detect and prevent unauthorised transactions. A bank’s obligation does not end with issuing an OTP.

There is a further protection most people miss: even if your own negligence contributed to the fraud before reporting, once you report the transaction, your liability for all losses occurring after that point is zero. Reporting cuts off your exposure immediately.

In Roopam Kumar v. SBI Cards & Payment Services Pvt. Ltd. [District Consumer Disputes Redressal Commission, Chandigarh, 6 February 2026], the Commission directed the bank to refund the disputed amount, remove the complainant from CIBIL records, and pay compensation, squarely applying the zero liability principle.

Step-by-Step: What to Do Immediately

Acting quickly and in sequence is what determines whether you recover your money.

  1. Call your bank immediately. Block the card. Note the complaint reference number, date, and time.
  2. Send a written complaint within 3 working days. An email to the bank’s official registered ID creates an undeniable timestamp. Cite: “I am claiming zero liability under RBI Circular No. RBI/2017-18/15 DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017.”
  3. Preserve all evidence. Screenshots of the transaction alert, your complaint reference number, all email exchanges, and any fraudulent call or SMS received.
  4. Follow up in writing. The bank must provisionally credit the amount within 10 working days. If they do not, their silence itself is a deficiency in service.
  5. Escalate if the bank refuses.
  • RBI Banking Ombudsman: File at cms.rbi.org.in under the Integrated Ombudsman Scheme, 2021. Free, fast, and carries regulatory authority.
  • District Consumer Commission / NCDRC: Under the Consumer Protection Act, 2019, claim the refund, compensation, and litigation costs.
  • National Cyber Crime Portal: Report at cybercrime.gov.in, especially if the fraud involved impersonation, phishing, or vishing.

Can the Bank Report You to CIBIL?

If you are disputing a fraudulent transaction and have not paid the disputed amount, the bank is not permitted to report you as a defaulter to credit bureaus for that amount during the pendency of the dispute. Courts have consistently directed banks to remove complainants from CIBIL defaulter lists in proven fraud cases. Make this a specific, written demand in your complaint from Day 1.

Conclusion

The 3-day window under the RBI circular is not a favour; it is a legally binding obligation enforceable against every scheduled bank in India. Do not accept a bank’s first refusal. Send a written complaint, cite the RBI circular by number and date, and escalate methodically. The legal tools are in place. The question is only whether you know how to use them.

Frequently Asked Questions

Under the RBI Circular dated 6 July 2017, if an unauthorized banking transaction occurs because of bank negligence or a third-party breach and you report it within 3 working days, your liability is zero. The bank must reverse the entire unauthorized debit.

Report the fraud within 3 working days from receiving the bank's communication regarding the transaction. Reporting between 4–7 working days limits your liability to between ₹5,000 and ₹25,000, depending on the account type. After 7 working days, the bank's Board-approved policy will determine liability.

In several cases, courts have observed that banks cannot rely solely on OTP authentication to deny liability where fraud occurred through social engineering. Even if credentials were shared before reporting, once the fraud is reported, your liability for subsequent unauthorized transactions is generally treated as zero under the RBI framework, subject to the facts of the case.

Submit a written complaint referring to RBI Circular No. RBI/2017-18/15 dated 6 July 2017. If the issue is not resolved within 10 working days, you may escalate it to the RBI Integrated Banking Ombudsman, the District Consumer Commission under the Consumer Protection Act, 2019, or the National Cyber Crime Portal.

Where a transaction is genuinely disputed as fraudulent, courts have directed banks in appropriate cases to correct or remove adverse credit reporting. You should specifically request protection of your credit history and correction of any wrongful reporting in your written complaint. Whether removal is ordered depends on the facts and the outcome of the dispute.

Mridul

Mridul Jindal is a first-generation lawyer who graduated from Jindal Global Law School. He practices law in the Delhi High Court and various district courts, tribunals, and forums in Delhi and the Delhi NCR (National Capital Region) courts. He was enrolled as an advocate at the Bar Council of Delhi in 2021 and is a member of several bar associations, including the Delhi High Court Bar Association, Shahdara Bar Association, and New Delhi Bar Association.
