Internet banking and Customer protection Policy
APPROVED BY
Resolution of the Committee
dated 06/04/2026 No.PA-236A-2025
INTERNET BANKING AND CUSTOMER PROTECTION POLICY
(BRANCH OF SBERBANK OF RUSSIA IN THE REPUBLIC OF INDIA)
VERSION 3
1. GENERAL PROVISIONS
The purpose of this policy is to enhance the access interface for clients of Sberbank Branch in India. This is viewed as an extension of the existing access mechanism, allowing clients to send domestic payments for processing as well as to retrieve their account balance and transaction information. While providing Internet banking services and products to its customers, Sberbank Branch in India (hereinafter referred to as “Sberbank” / “Branch” / “Bank”) shall adhere to the following policies and procedures:
1.1. Internet banking services will only be provided to customers of the Branch after verifying the identity of customers and completion of KYC formalities in accordance with the KYC & AML Policy and procedures of the Bank. The Bank may receive a request from the Branch’s customer through its Customer Relationship Team (CRM) or through the Branch’s Internet Banking application form. However, accounts should only be opened after conducting due diligence and verification of the identity of the prospective customer.
1.2. The Bank’s services include local currency products only.
1.3. The Bank shall ensure that it maintains secrecy and confidentiality of its customers’ accounts and data.
1.4. The Bank shall enter into such documentation and agreements with its customers as deemed appropriate by the respective department of the Branch.
1.5. The Bank will report to RBI every breach or failure of security systems and procedures.
1.6. The Bank also has an HPLBC-approved IT and Information Security Policy.
2. APPLICATION
The facility of Internet Banking will be provided by the Bank to a customer only after obtaining his/her Internet Banking application form in the prescribed manner. All requests received from the Bank’s customer shall be routed to his/her/their designated customer relationship manager. The requests of the Bank’s customers become effective from the time when the services are configured and activated by the Branch. At the time of the request, the customer shall be informed about the time usually taken by the Bank for fulfilment of such requests.
In compliance with RBI’s circular on two-factor authentication and SMS alert requirements, mobile and email credentials are mandatory for service activation.
3. OBLIGATION OF THE BANK
3.1 Considering the prevailing legal position, there is an obligation on the part of the Bank to establish the identity of the customer opting for internet banking, only after verification of the customer’s identity and compliance with KYC norms in accordance with the RBI Master Direction on KYC.
3.2 Despite all reasonable precautions, the Bank may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking / technological failures. The Bank, therefore, has proper cybersecurity in place to safeguard the details of the customers.
4. BANK’S RIGHT
4.1 The rules and regulations of the normal banking transactions will be applicable for the transactions done through Internet Banking service;
4.2 The Internet Banking service cannot be claimed as a right of customer. The Bank may also convert the service into a discretionary service upon minimum 7 calendar days’ notice unless discontinued due to fraud, misuse, or regulatory compliance issue. The Bank may also impose and vary any restrictions on the use of the service at any time including any minimum and maximum daily limits for transactions effected over it;
4.3 Transactions over the internet may be subject to interruption, transmission blackout, delayed transmission due to internet traffic, or incorrect data transmission due to the public nature of the internet. The Bank shall not assume responsibility for malfunctions in communications facilities not under the control of the Bank that may affect the accuracy or timeliness of messages the customer sends.
4.4 The Bank reserves the right to modify, change, add or cancel any of the services offered through Internet Banking without prior notice to the users or by reasonable prior notice to the customer. The changes will be notified to the customer(s) through a notification on the Bank’s website / Branch Notice Board / email.
5. BANK’S WORK FLOW
5.1 The application form(s) should be held with the Branch where the applicant(s) maintain his / her / their account(s). The customer is expected to provide necessary KYC documents and to fulfil KYC procedures;
5.2 Internet Banking can be registered only at Sberbank and all the accounts associated with customer’s information file (CIF) will be auto registered for Internet Banking, hence separate account wise registration is not required. All the accounts linked with the CIF of customer will be made available on Internet Banking. Henceforth the customer will be notified of all linked accounts and must confirm activation through OTP validation or signed consent;
5.3 The customer’s Internet Banking services will be activated after receipt of the application by the Branch. The Branch will verify the application and after necessary due-diligence, the services will be activated for the customer.
6. CUSTOMERS WORK FLOW AND OBLIGATIONS
6.1 The customer is prompted to change the password at the time of first login. Without a new password being set, the system will not allow login to Internet Banking;
6.2 Customers are free to choose a password of their choice as per the password policy of the Bank. However, the customer is advised to avoid choosing a password that is generic in nature, guessable / inferable from the personal data such as name, date of birth, address, telephone number, driving license / car number etc. The customer should not use the password for accessing other services (for example, connection to the internet or accessing other websites).
6.3 The customers are welcome to access Internet Banking from anywhere anytime where it is legal to do so in the relevant place[1]. However, as a matter of precaution and safety, the customer should avoid using personal computers with public access or internet café computers. Customers should be advised to adopt various good security precautions and practices in protecting their personal computer and to avoid conducting financial transactions from public or internet café computers;
6.4 For security purposes, the customer can reset the existing password using self-service or approach the Branch / CRM to reset the password;
6.5 The customer must keep the User Name and Password/OTP strictly confidential and known only to himself / herself. The customer should not allow anyone else to use the User Name and Password/OTP, should not write down the User Name or Password/OTP on any device for accessing the Internet Banking service or on anything usually kept with or near it, and should not write down or record the User Name or Password without disguising it. The customer should refer to the security advice provided by the Bank from time to time. The Bank will not be responsible for any loss sustained by the customer arising out of a breach of such condition. Any breach arising due to customer’s failure to protect credentials shall render the customer liable under Clause 7 of this policy;
6.6 The Bank presupposes that login using valid User Name and Password is a valid session initiated by none other than the customer to whom the said User Name and Password belong. An authenticated session, together with its encryption protocol, remains intact throughout the interaction with the customer;
6.7 An online session is automatically terminated after a fixed period of time unless the customer is re-authenticated for the existing session to be maintained. This prevents an attacker from keeping an internet banking session alive indefinitely;
6.8 All transactions executed through a valid session as defined above will be construed to have been originated from the customer and will be legally binding on the customer. The customers are cautioned against leaving the computer or any device used to access internet banking unattended during a valid session;
6.9 If the customer notices that any information relating to his/her/their account(s) is incorrect or discrepant, the customer should visit the Sberbank India branch to rectify the same;
6.10 The customer should intimate the Bank immediately over telephone / e-mail / branch visit, if the customer finds or believes that his/her/their User Name or Password/OTP has been compromised or stolen, or that unauthorized transactions have been conducted in the account;
6.11 The products under internet banking are restricted to account holders only. The customer will not attempt or permit others to attempt accessing Internet Banking through any unlawful means or use or attempt to use Internet Banking for any unlawful purposes.
6.12 The customer shall not attempt to decompile, reverse-engineer, translate, convert, adapt, alter, modify, enhance, add to, delete or in any way tamper with, or gain access to, any part of Internet Banking or any internet site or any software comprised in it.
7. LIMITED LIABILITY OF CUSTOMER
The Bank has made it compulsory for the customers to enable SMS facility before registering for Internet banking. The customers are advised to notify the Bank of any unauthorized electronic banking transaction at the earliest. To facilitate this, the Bank has provided customer care number / email ids to customers. Broadly, the electronic banking transactions can be Remote / online payment transactions (transactions that do not require physical payment instruments to be presented at the point of transactions).
7.1 Zero Liability of a Customer
A customer’s entitlement to zero liability shall arise where the unauthorized transaction occurs in the following events:
7.2 Limited Liability of a Customer
A customer shall be liable for the loss occurring due to unauthorized transactions in the following cases:
Summary of Customer’s Liability
| Time taken to report the fraudulent transaction from the date of receiving the communication from the Bank | Customer’s liability (Rs) |
| --- | --- |
| Within 3 working days | Zero liability |
| Within 4 to 7 working days (Current Accounts / Cash Credit / Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud) / limit up to Rs. 25 lakh) | The transaction value or 10,000, whichever is lower |
| Within 4 to 7 working days (All Other Current / Cash Credit / Overdraft Accounts) | The transaction value or 25,000, whichever is lower |
| Beyond 7 working days | As per bank’s Board approved policy |
Further, the Bank shall ensure that:
Reporting and Monitoring Requirements: The Bank shall put in place a suitable mechanism and structure for the reporting of the customer liability cases to the Board or one of its Committees. The reporting shall, inter alia, include volume/ number of cases and the aggregate value involved and distribution across various categories of cases viz., internet banking. The Standing Committee on Customer Service in the Bank shall periodically review the unauthorized electronic banking transactions reported by customers or otherwise, as also the action taken thereon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures. All such transactions shall be reviewed by the Bank’s internal auditors.
8. INTERNAL CONTROL SYSTEM
The Internal Control System would include internal inspection of systems and procedures related to internet banking as also ensuring that adequate safeguards are in place to protect integrity of data, customer confidentiality and security of data. The internal control system covers the following:
9. GOVERNING LAWS
The existing regulatory framework for the Bank is applicable to Internet Banking also. The Bank will follow all the instructions and guidelines from RBI regarding Internet Banking Services for ensuring smooth functioning of the scheme.
From a legal perspective, security procedure adopted for authenticating a user needs to be recognized by law as a substitute for signature. The provisions of the Information Technology Act 2000, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”), the Digital Personal Data Protection Act, 2023 read along with all its amendments and Rules laid down thereunder, and all other legal requirements including but not limited to data protection and privacy should be scrupulously adhered to.
The Internet Banking is offered only in jurisdictions where and when it may be lawful. The service and information relating to the service are not intended for access or use by persons in other jurisdictions. The jurisdiction for disputes between the Bank and the customer shall be as per the guidelines of the Consumer Protection Act, 2019.
The Bank shall adhere to the KYC guidelines / AML standards and the provisions and directions issued under the Prevention of Money Laundering Act, 2002 read with the Rules laid down thereunder.
10. SECURITY
10.1 SSL server certificate status - Internet banking links are secured with an SSL or EV-SSL certificate;
10.2 Second channel notification / confirmation: The Bank notifies the customer, through email and SMS, for all payment or fund transfer transactions.
10.3 Implementation of two-factor authentication and other security measures for internet banking:
10.4 The Bank will take reasonable care to make use of the available technology for ensuring security and preventing unauthorized access to any of the services offered through the Internet Banking.
10.5 The Internet Banking service is a secure site. It assures that during the session, the two-way communication is secured with 256-bit TLS encryption technology, which ensures the confidentiality of the data during transmission. The access-control methods designed on the site afford a high level of security to the transactions conducted on Internet Banking;
10.6 The Bank shall follow best security practices to prevent unauthorized access to confidential information about the customer;
10.7 Re-establishment of any session after interruption requires normal user identification, authentication, and authorization. Moreover, strong server-side validation is enabled.
10.8 Multifactor authentication methods are in place. The principal objectives of multifactor authentication are to protect the confidentiality of customer account data and transaction details as well as enhance confidence in internet banking by combating various cyber-attack mechanisms like phishing, key logging, spyware/malware and other internet-based frauds targeted at the Bank and its customers.
11. PRIVACY POLICY
In line with recognized international practice and for the information of customers and others who visit the Bank’s Internet Banking website, the Bank believes it is necessary to adhere to the Privacy Policy. The personal data shared with the Bank will be treated as private and will be processed in accordance with the terms of applicable Privacy Policy and Privacy Notice as provided on the Bank’s website.
Recognition of customer(s)’ expectation of privacy
The Bank recognizes that customers expect privacy and security of their personal data and financial affairs. Moreover, the Bank shall understand that the customer has entrusted it to safeguard his/her/their personal and financial data.
The Bank shall take adequate precautions to protect personal data relating to the customer and their dealings with the Bank from the mischievous and the fraudsters. Customer confidentiality and privacy is of utmost concern to the Bank. The Bank shall handle the customer’s personal and financial data in the same responsible and confidential way that the Bank does for its own financial affairs. Customers shall have the right to request rectification, access, or erasure of their personal data in accordance with the provisions of the DPDP Act, 2023.
12. COOKIES
A cookie is a data file that websites write to the hard drive of the customer’s computer when the customer visits such sites. A cookie file can contain information such as a user identification code that the site uses to track the pages the customer has visited and to use the information commercially. The Bank does use cookies on the Internet Banking site.
12.1 Keeping customer data accurate
It is in the customer’s interest, and it shall be the Bank’s objective, to have accurate, current and complete data concerning the customer and customers’ accounts. The Bank shall have strict procedures that employees abide by to meet this objective. While some procedures are required by RBI regulations, the Bank shall implement processes to update latest data and remove outdated data. If the customer believes that the Bank has incorrect data about the customer or customers’ accounts, he/she can complain to CRM / visit the Branch. The Bank will correct any erroneous data as quickly as possible.
12.2 Limiting access to customer’s personal data by the Bank’s employees
The Bank has procedures that limit access to personal data to those employees with a business reason for knowing such information about the customer. The Bank shall educate the employees on their responsibility to protect the confidentiality of customer’s personal and financial data and hold them accountable if they violate this privacy policy.
12.3 Restricting the disclosure of customer information
The Bank does not disclose customer’s personal and financial data except as specified in the Bank’s Customer Rights policy, Privacy Policy and Privacy Notices for clients.
List of Abbreviations
HPLBC is High Power Local Branch Committee
Sberbank India Delhi Branch is Bank
Sberbank of Russia is Head Office
IT is Information Technology
IS is Information Security
SOP is Standard Operating Procedures
ASP is Application Service Provider
KYC is Know Your Customer
AML is Anti-Money Laundering
List of Reference Documents
The Bank shall comply with various guidelines issued by Reserve Bank of India as amended from time to time (including but not limited to):
[1] DISCLAIMER: “Bank shall not be liable for breaches occurring from jurisdictions with differing encryption, IP protection or financial data security laws.”