Bank of Russia explains new legislative measures to counter cyberfraud

Banks will be obliged to reimburse customers for the amounts stolen by fraudsters through hacking online banking applications using malware. This is stipulated in the law (the Antifraud 2.0 package) adopted by the State Duma, with effect from 2027.

To counter this type of theft, credit institutions should, with a customer's permission, check whether the customer's device where an online banking application is installed contains malware. If it does, the bank should reject the transaction, inform the customer about it, and suggest making the transaction using another secure device or in a bank's office.

The law sets a period of time when information on an individual should be stored in the database on frauds, which limits the provision of remote banking services to such an individual. Specifically, if information on an individual is input into the database for the first time, it will be deleted after one year. If it is included there for the second time or more, it will be stored in the database for three years. This information will be excluded from the database early, if law enforcement agencies inform that the investigation of the relevant criminal fraud case has been closed. As before, individuals have the right to challenge the inclusion of their data in the database.

The document also establishes that one person may have no more than 20 payment cards opened with all banks in total. This measure is aimed at preventing cases where individuals receive numerous cards and give them to fraudsters for withdrawing and cashing out stolen money.

Under the law, telecom operators will be held financially liable for non-compliance with antifraud requirements. These rules will be applied in the same way as in the banking system where each funds transfer is checked for signs of fraud, with banks bearing financial liability for breaching anti-theft requirements. In their turn, telecom operators will detect fraudulent calls and take measures to protect people from them. In case of money theft, the loss will be reimbursed by the non-compliant party, i.e. the bank or the telecom operator. The information exchange between banks and telecom operators via the Antifraud information system will be elaborated in further detail. The reimbursement procedure for telecom operators will be established by a special resolution of the Russian Government in coordination with the Bank of Russia.