Regular readers of my posts know my penchant for curating interesting stories of fraud that catch my eye through the week. What stood out last week was a total game-changer, amidst all the doom and gloom tales of wily scammers and hapless victims that fill up the honeycombs of the internet news feeds and social links.
The Consumer Disputes Redressal Committee (CDRC) of Navsari ordered one of India’s banking behemoths to pay a UPI fraud victim. For the money lost before the fraud was reported. Wait, what?! Yes. The victim personally walked into the branch to report the fraud the same day she lost the money, and she also lodged a complaint with the cybercrime helpline. In turn the police were able to freeze the portion of the funds that went to, let’s call it, bank A, and got the money transferred back to her following a court order. The bank in question, however, appeared to have taken no action while the other portion of the funds exited to a third bank, B. As per the CDRC, “there is no evidence on record that the bank had acted on the complaint.” The bank’s claim, of course, was that it was purely the customer’s carelessness. Note that the amount was transferred via UPI, which does not require an OTP (UPI payments are authorised with the UPI PIN set on the customer’s device). Indian banks should stop and read the tea leaves here. It’s no longer enough to check some boxes and then wag their fingers at defrauded customers. In a similar case the CDRC had, in addition to ordering a refund, also awarded damages. In that case, again, the victim had unknowingly installed remote access software. Slow clap to the CDRC.
As per RBI’s own guidelines on customer liability, I quote from the website verbatim: “If the transaction has happened because of your negligence, that is, because of your sharing your password, PIN, OTP, etc., you will have to bear the loss till you report it to your bank. If the fraudulent transactions continue even after you have informed the bank, your bank will have to reimburse those amounts. If you delay the reporting, your loss will increase and it will be decided based on the RBI guidelines and the policy approved by your bank’s board.” The liability caps depend on a combination of account type and the time taken to report the fraud, counted from when the customer receives the bank’s communication of the transaction.
In reality though, from speaking to friends in fraud roles, the rule of thumb seems to be that if MFA was cleared, the claim is denied outright. The shades of gray are mostly around remote access fraud. A former colleague from Australia showed some stats for that country: remote access losses in Sep ’23 dropped to their lowest ebb in three years. In most countries banks seem to be bracing for a shift in liability for all scams and coming up with similar magical solutions.
In fraud war rooms, whenever large losses come up for review, we all joyfully sing the anthem of fraud teams worldwide, hands on our hearts: “That claim won’t hit our net losses, so it’s not a real problem.” It’s time we made it somebody’s problem.