Customer Liability for Unauthorised Transactions
When an unauthorised transaction drains a bank account, the first exam-relevant question is not who committed the fraud but who bears the loss — and that is exactly what customer liability for unauthorised transactions determines. RBI's 2017 customer-protection circular splits this liability into zero, limited, and full categories depending almost entirely on how fast the account holder reports the incident. For JAIIB and CAIIB candidates preparing the Prevention of Cyber Crime paper, this reporting-linked liability ladder is one of the most frequently tested numerical concepts, and it sits right next to the broader Computer Fraud Protection chapter in your syllabus.
🛡️ What Customer Liability for Unauthorised Transactions Actually Covers
The framework comes from RBI circular RBI/2017-18/15, DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017, titled "Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions." It applies to all scheduled commercial banks (including regional rural banks), all small finance banks, and all payments banks. The circular was framed after RBI recognised that customers were often left to absorb losses from card cloning, phishing, and net-banking takeovers even when the fault lay with the bank's systems or a third party outside both parties' control. Instead of a one-size-fits-all rule, the RBI created a three-tier ladder — zero liability, limited liability, and liability as per the bank's board-approved policy — and tied the tier almost entirely to the customer's reporting speed after the unauthorised debit. Understanding this ladder also reinforces concepts from the Incident Management chapter, since a bank's internal escalation process determines how quickly the customer even learns that a transaction occurred. You can read the original notification on the RBI website for the full text and annexures.
✅ Zero Liability — When the Customer Pays Nothing
Zero liability under this framework applies in two situations. First, where the unauthorised transaction results from contributory fraud, negligence, or deficiency of service on the part of the bank — regardless of whether the customer reports it immediately or late — the customer pays nothing. Second, where the loss occurs due to a third-party breach and neither the bank nor the customer is at fault, the customer still gets zero liability provided the unauthorised transaction is reported to the bank within 3 working days of receiving communication from the bank about it. This 3-working-day window is the single most exam-tested number in this topic. A classic third-party-breach scenario is a cloned SIM used to intercept OTPs; candidates should cross-check this with our guide on SIM swap fraud prevention in mobile banking, since the liability outcome depends heavily on how fast the victim notices and reports the compromise.

⏳ Limited Liability — The 4-to-7 Working Day Window
If the customer notifies the bank between 4 and 7 working days after receiving the transaction communication, liability shifts to the "limited liability" slab — but only for cases where fault lies neither with the bank nor clearly with the customer. Here, the customer's liability is capped at the transaction value or the amount specified in RBI's Table 1, whichever is lower. The slabs are: ₹5,000 for Basic Savings Bank Deposit Accounts (BSBDA); ₹10,000 for all other savings accounts, prepaid instruments, MSME current/cash-credit/overdraft accounts, and credit cards with limits up to ₹5 lakh; and ₹25,000 for current/cash-credit/overdraft accounts and credit cards above that threshold. These slabs frequently appear in card-fraud numericals, so pair this section with the Electronic Card Frauds chapter for scenario-based practice.
💡 Exam Tip: Memorise the pair "3 working days = zero liability" and "4–7 working days = limited liability (lower of actual loss or Table 1 slab)." Examiners routinely swap these numbers in distractor options.
🚫 Full Liability and the Board-Approved Policy Beyond 7 Days
Two situations push liability fully (or largely) onto the customer. First, if the customer delays reporting beyond 7 working days from receiving the bank's communication, the liability is determined as per the bank's own board-approved customer-liability policy — which can mean the customer bears the entire loss. Second, and independent of reporting speed, if the loss arises from the customer's own negligence — such as sharing an OTP, PIN, password, or card details voluntarily — the customer bears full liability regardless of how quickly it is reported afterward. This is why prevention content, including our guide on fraud management in banking, keeps repeating "never share OTP" — it isn't just security advice, it directly determines who absorbs the financial loss under RBI's own rules.
⚠️ Common Mistake: Students often assume zero liability applies to every unauthorised transaction. It does not — zero liability is conditional on either bank-side fault or prompt (3-day) reporting of a genuine third-party breach.

💳 Shadow Reversal, the 90-Day Clock and Where to Report
Two timelines complete the picture. First, once a customer reports an unauthorised transaction that qualifies for zero or limited liability, the bank must credit (or "shadow reverse") the disputed amount to the customer's account within 10 working days of the date of notification — without waiting for the outcome of the investigation, so the customer isn't left cash-strapped during the inquiry. Second, the bank must complete the entire investigation and conclusively establish the customer's liability within 90 days from the date the complaint is received. Alongside the bank's internal grievance channel, victims should also lodge a complaint through the national cybercrime helpline (1930) or cybercrime.gov.in — a separate criminal-law track covered in depth in our piece on cyber incident reporting timelines. Reporting to both the bank and law-enforcement channels in parallel gives the strongest protection.
📌 Remember: Shadow reversal credit = within 10 working days. Final liability determination = within 90 days of complaint receipt. Both numbers are distinct and both get tested.
| Scenario | Reporting Window | Customer Liability | Zero Liability? |
|---|---|---|---|
| Bank's system compromised / contributory negligence by bank | Any time | Nil | ✅ Yes |
| Genuine third-party breach, no fault of bank or customer | Within 3 working days of bank's communication | Nil | Yes |
| Fault lies with neither bank nor customer (system-level) | 4–7 working days | Lower of transaction value or Table 1 slab (₹5,000–₹25,000) | No (Limited) |
| Reporting delayed | Beyond 7 working days | As per bank's board-approved policy | No |
| Customer shared OTP/PIN/password (own negligence) | Any time | Full transaction value | ❌ No |
IIBF candidates studying Prevention of Cyber Crime alongside Indian Economy and Indian Financial System will notice the same "who bears the cost" logic runs through unrelated macro topics too — for instance, our explainer on types of inflation in India is another frequently tested numerical-classification topic worth revising in the same sitting. For the full library of prevention-focused chapters, browse the Prevention of Cyber Crime tag hub on our blog.

🧠 Practice MCQs: Customer Liability for Unauthorised Transactions
Q1. Under RBI's 2017 circular on limiting customer liability, in a genuine third-party breach case, within how many working days of receiving the bank's communication must the customer report the transaction to get zero liability? (a) 2 working days (b) 3 working days (c) 5 working days (d) 7 working days
Answer: (b) — Zero liability for a third-party breach requires reporting within 3 working days of the bank's communication.
Q2. If a customer reports an unauthorised transaction between 4 and 7 working days, the liability is capped at the transaction value or the RBI Table 1 slab, whichever is: (a) higher (b) lower (c) average of both (d) not applicable
Answer: (b) — Limited liability is the lower of the actual transaction amount or the applicable Table 1 slab.
Q3. Within how many days from receipt of complaint must a bank conclusively establish and communicate the customer's liability for an unauthorised transaction? (a) 30 days (b) 45 days (c) 60 days (d) 90 days
Answer: (d) — RBI mandates resolution and liability determination within 90 days of complaint receipt.
Q4. As per RBI's Table 1, the maximum customer liability slab for a Basic Savings Bank Deposit Account (BSBDA) under limited liability is: (a) ₹5,000 (b) ₹10,000 (c) ₹25,000 (d) ₹1,00,000
Answer: (a) — BSBDA accounts carry the lowest slab at ₹5,000 under limited liability.
Q5. After a customer notifies the bank of a zero/limited-liability unauthorised transaction, within how many working days must the bank shadow-reverse the disputed amount into the customer's account? (a) 3 working days (b) 5 working days (c) 10 working days (d) 15 working days
Answer: (c) — Banks must credit (shadow reverse) the amount within 10 working days of notification, pending investigation.
Want chapter-wise mock tests with 100+ MCQs? Start practising free →
Frequently Asked Questions
Which RBI circular governs customer liability for unauthorised transactions?
RBI circular RBI/2017-18/15, DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017, titled "Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions," is the governing framework.
Does zero liability apply if the customer shared their OTP or PIN?
No. Sharing OTP, PIN, password, or card credentials is treated as customer negligence, and the customer bears full liability for the resulting loss regardless of how quickly it is reported afterward.
What happens if the bank delays crediting the disputed amount?
RBI requires banks to shadow-reverse the disputed amount into the customer's account within 10 working days of notification for zero and limited liability cases, without waiting for the investigation to conclude.
Is customer liability for unauthorised transactions the same across all account types?
No. RBI's Table 1 sets different liability slabs — ₹5,000, ₹10,000, or ₹25,000 — depending on the account type and limit, applicable only in the 4-to-7-working-day limited liability window.
Customer liability for unauthorised transactions is a compact but high-yield topic for both JAIIB and CAIIB — a handful of numbers (3 days, 7 days, 90 days, 10 working days, and the three Table 1 slabs) cover almost every question examiners ask. Lock these into memory with scenario-based practice on iibf.store/tests, or work through the full Prevention of Cyber Crime module inside the CAIIB course to see how this topic connects to fraud management and incident reporting.
Practice this topic
Take a free mock test, download chapter PDFs, or watch a video class — all included on iibf.store.
Keep reading