The Reserve Bank of India has introduced a shared liability framework for digital payment fraud in its Vision 2028 document, marking the first formal regulatory attempt to distribute fraud losses among banks, payment aggregators, and customers.

The framework establishes liability caps and mechanisms for sharing across the digital payments ecosystem. Banks will bear primary responsibility for fraud occurring due to system vulnerabilities, while customers assume liability for negligent behavior like sharing credentials. Payment intermediaries face proportionate liability based on their role in transaction processing.

The regulatory pattern reveals the RBI’s recognition that traditional bank-centric fraud liability models cannot handle the complexity of multi-party digital transactions. Current frameworks place disproportionate risk on issuing banks, leaving payment processors and aggregators with insufficient incentives to invest in fraud-prevention systems.

What the circular does not address is the operational distinction between “system vulnerability” and “customer negligence.” These determinations will likely require forensic analysis in disputed cases, creating new categories of compliance costs and legal risks for financial institutions. The framework also lacks clarity on liability allocation when multiple system failures contribute to a single fraud incident.

For boards overseeing digital payment operations, this represents a fundamental shift in risk governance. Directors can no longer assume fraud losses will follow established banking precedents. The new framework requires boards to evaluate fraud prevention investments across the entire payment chain, not just internal controls.

The open card ecosystem component of Vision 2028 compounds these complexities. By enabling multiple payment networks to process transactions on a single card, the RBI is creating scenarios in which fraud liability must be allocated among entities that may have limited visibility into each other’s security protocols.

Risk committee oversight becomes more challenging when liability determination depends on technical forensics rather than clear procedural failures. Boards will need enhanced reporting mechanisms to track fraud patterns across different payment channels and third-party integrations.

The framework’s emphasis on “proportionate liability” based on each party’s role suggests the RBI expects detailed transaction-level attribution in fraud cases. This will require significant upgrades to monitoring and audit trail systems across the payments ecosystem. Companies without robust transaction logging capabilities face higher liability exposure under the new framework.

From a governance perspective, the timing coincides with increasing regulatory scrutiny of digital payment security following several high-profile fraud incidents. The shared liability approach appears designed to create collective incentives for ecosystem-wide security improvements rather than relying solely on regulatory penalties.

My Boardroom Takeaway: Directors should immediately assess their organization’s fraud liability exposure under the new framework and evaluate whether current insurance coverage adequately addresses shared liability scenarios. Risk committees may need to establish new KPIs to measure fraud-prevention effectiveness across third-party payment relationships, not just internal systems.