The Central Bank of Russia has outlined the Antifraud 2.0 package adopted by the State Duma, which will take effect in 2027 and require banks to reimburse customers for funds stolen by fraudsters who hack online banking applications using malware. The package also extends financial liability for antifraud failures to telecom operators and introduces a cap of 20 payment cards per individual across all banks. With a customer’s permission, banks will have to check whether the device running the online banking application contains malware. If malware is found, the bank must reject the transaction, notify the customer and suggest completing it from another secure device or at a bank office. The law also sets retention periods for individuals entered in the fraud database, inclusion in which limits access to remote banking services: one year for a first entry and three years for a second or subsequent entry, with earlier deletion if law enforcement reports that the related criminal fraud investigation has been closed. Individuals retain the right to challenge the inclusion of their data. Telecom operators will be required to detect fraudulent calls and take measures to protect people from them; if money is stolen, losses are reimbursed by the non-compliant party, whether the bank or the telecom operator. Further detail on information exchange between banks and telecom operators through the Antifraud information system is still to be developed, and the reimbursement procedure for telecom operators will be set by a Russian Government resolution coordinated with the Bank of Russia.
Central Bank of Russia, 2026-06-09
Central Bank of Russia outlines 2027 Antifraud 2.0 law requiring banks to reimburse malware-related online banking theft and capping individuals at 20 payment cards
The Central Bank of Russia’s Antifraud 2.0 package, effective 2027, requires banks to reimburse customers for funds stolen via malware-based hacks of online banking apps, extends liability for antifraud failures to telecom operators, and caps individuals at 20 payment cards. With customer consent, banks must scan devices for malware and block suspicious transactions. New rules set retention periods for individuals in the fraud database and preserve their right to challenge inclusion. Telecom operators must detect fraudulent calls, with the non-compliant party liable for losses. Further details on information exchange and telecom reimbursement procedures will be set by the Russian Government with the Central Bank.