UPSC Prelims Practice Questions — Has RBI changed the rules for scam compensation?

Q1. The foundational regulatory framework governing a customer's compensation for unauthorised digital banking fraud — the instrument that the RBI moved to amend in 2026 — is officially titled which one of the following?

  • A. Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions (2017)
  • B. Reserve Bank – Integrated Ombudsman Scheme, 2021
  • C. Ombudsman Scheme for Digital Transactions, 2019
  • D. Master Direction on Digital Payment Security Controls, 2021

Q2. With reference to how the RBI's 2026 amendment differs from the 2017 framework on customer liability, consider the following statements: 1. The 2017 framework obligated banks to compensate only where a transaction was unauthorised with no customer involvement, whereas the 2026 amendment extends liability to transactions where credentials were obtained by fraud or approval was given under coercion. 2. The 2026 amendment introduces the category of 'Fraudulent Electronic Banking Transactions' covering phishing and social-engineering scams that the 2017 framework did not cover. 3. Both the 2017 framework and the 2026 amendment were introduced as one-year pilots subject to review. Which of the statements given above is/are correct?

  1. The 2017 framework obligated banks to compensate only where a transaction was unauthorised with no customer involvement, whereas the 2026 amendment extends liability to transactions where credentials were obtained by fraud or approval was given under coercion.
  2. The 2026 amendment introduces the category of 'Fraudulent Electronic Banking Transactions' covering phishing and social-engineering scams that the 2017 framework did not cover.
  3. Both the 2017 framework and the 2026 amendment were introduced as one-year pilots subject to review.
  • A. 1 and 2 only
  • B. 2 and 3 only
  • C. 1 and 3 only
  • D. 1, 2 and 3

Q3. Under the RBI's 2026 amendment, which of the following are correctly identified as 'Fraudulent Electronic Banking Transactions'? 1. A payment executed by a third party using credentials obtained from the customer through fraudulent means. 2. An approval or authorisation obtained from the customer under coercion or duress. 3. A transfer where the customer was misled into sending money to a fraudster through phishing or social engineering. 4. A transaction the customer knowingly and willingly authorised to a genuine merchant. Which of the above are correctly identified?

  1. A payment executed by a third party using credentials obtained from the customer through fraudulent means.
  2. An approval or authorisation obtained from the customer under coercion or duress.
  3. A transfer where the customer was misled into sending money to a fraudster through phishing or social engineering.
  4. A transaction the customer knowingly and willingly authorised to a genuine merchant.
  • A. 1, 2 and 3 only
  • B. 1 and 4 only
  • C. 2, 3 and 4 only
  • D. 1, 2, 3 and 4

Q4. With reference to the design of the RBI's 2026 pilot framework on fraudulent electronic banking transactions, which of the following are correctly identified? 1. The new directions take effect for electronic banking transactions occurring on or after 1 January 2027. 2. The framework will initially run as a pilot for one year. 3. A draft circular on the framework was released for public comment in March 2026. 4. The pilot compensation applies to digital fraud losses of up to Rs 5 lakh. Which of the above are correctly identified?

  1. The new directions take effect for electronic banking transactions occurring on or after 1 January 2027.
  2. The framework will initially run as a pilot for one year.
  3. A draft circular on the framework was released for public comment in March 2026.
  4. The pilot compensation applies to digital fraud losses of up to Rs 5 lakh.
  • A. 1, 2 and 3 only
  • B. 1, 2 and 4 only
  • C. 2, 3 and 4 only
  • D. 1, 2, 3 and 4

Q5. Under the 2026 pilot framework on fraudulent electronic banking transactions, which one of the following authorities is the body empowered to decide on its permanent extension after the one-year pilot concludes?

  • A. Reserve Bank of India
  • B. Indian Cyber Crime Coordination Centre (I4C)
  • C. Department of Financial Services, Ministry of Finance
  • D. Banking Codes and Standards Board of India

Q6. Under the RBI's 2017 framework, a customer bears ZERO liability in several defined situations. Which of the following is/are NOT a zero-liability situation? 1. Loss arising from contributory fraud or negligence on the part of the bank. 2. A third-party breach reported by the customer within three working days. 3. A case where the customer shares payment credentials and the loss occurs before the customer reports it. 4. A deficiency lying elsewhere in the system that is reported promptly within the prescribed window. Which of the above is/are NOT correct?

  1. Loss arising from contributory fraud or negligence on the part of the bank.
  2. A third-party breach reported by the customer within three working days.
  3. A case where the customer shares payment credentials and the loss occurs before the customer reports it.
  4. A deficiency lying elsewhere in the system that is reported promptly within the prescribed window.
  • A. 3 only
  • B. 1 and 3 only
  • C. 2 and 4 only
  • D. 3 and 4 only

Q7. Under Table 1 of the RBI's 2017 circular, which one of the following account categories carries the highest maximum customer liability for a third-party-breach transaction reported with delay?

  • A. Basic Savings Bank Deposit (BSBD) accounts
  • B. Savings accounts and prepaid payment instruments
  • C. Current/overdraft accounts of large entities and credit cards with limit above Rs 5 lakh
  • D. Small MSME current accounts and individual overdraft accounts up to Rs 25 lakh

Q8. Social-engineering scams such as 'digital arrest' and phishing-induced transfers were, for the first time, brought within the scope of mandatory bank compensation by which one of the following instruments?

  • A. The RBI's 2017 circular on Unauthorised Electronic Banking Transactions
  • B. The RBI's 2026 Amendment Directions introducing 'Fraudulent Electronic Banking Transactions'
  • C. The Information Technology Act, 2000
  • D. The Bharatiya Nyaya Sanhita, 2023

Q9. The RBI's Integrated Ombudsman Scheme, 2021 — its principal consumer grievance-redress mechanism covering digital payments — was framed under powers conferred by several statutes. Which of the following is NOT among those statutory sources? 1. The Reserve Bank of India Act, 1934. 2. The Banking Regulation Act, 1949. 3. The Payment and Settlement Systems Act, 2007. 4. The Securities and Exchange Board of India Act, 1992. Which of the above is/are NOT correct?

  1. The Reserve Bank of India Act, 1934.
  2. The Banking Regulation Act, 1949.
  3. The Payment and Settlement Systems Act, 2007.
  4. The Securities and Exchange Board of India Act, 1992.
  • A. 4 only
  • B. 3 and 4 only
  • C. 1 and 4 only
  • D. 2 only

Q10. According to Indian Cyber Crime Coordination Centre (I4C) data, approximately how much money did Indians lose to cyber/financial frauds during the year 2025?

  • A. About ₹8,189 crore
  • B. About ₹19,812 crore
  • C. About ₹22,845 crore
  • D. About ₹52,976 crore

Q11. With reference to how India's emerging scam-compensation regime compares with international approaches, consider the following statements: 1. The United Kingdom's mandatory APP fraud reimbursement regime, in force since October 2024, caps reimbursement at £85,000 shared equally between the sending and receiving payment firms. 2. India's 2026 pilot caps compensation at 85% of net loss or Rs 25,000 (whichever is lower) for losses up to Rs 50,000, a far lower ceiling than the UK regime. 3. The EU's PSD2 already mandates that victims of authorised push-payment scams be fully reimbursed by their bank, identical to the UK regime. Which of the statements given above is/are correct?

  1. The United Kingdom's mandatory APP fraud reimbursement regime, in force since October 2024, caps reimbursement at £85,000 shared equally between the sending and receiving payment firms.
  2. India's 2026 pilot caps compensation at 85% of net loss or Rs 25,000 (whichever is lower) for losses up to Rs 50,000, a far lower ceiling than the UK regime.
  3. The EU's PSD2 already mandates that victims of authorised push-payment scams be fully reimbursed by their bank, identical to the UK regime.
  • A. 1 and 2 only
  • B. 2 and 3 only
  • C. 1 and 3 only
  • D. 1, 2 and 3