- Facts
1.1 The Petitioner, Hare Ram Singh fell victim to cyber fraud after clicking a link in an SMS message prompted by a suspicious call. This resulted in two unauthorized transactions totalling Rs. 2,60,000 from his account in the State Bank of India (SBI), Respondent No. 2.
1.2 He promptly reported the incident to Respondent No. 2's customer care, the branch manager, the Cyber Crime Cell, the police, and through the Centralized Public Grievance Redress and Monitoring System (CPGRAMS). He also filed a complaint with the Banking Ombudsman (BO).
1.3 Respondent No. 2 rejected his complaint, citing that the transactions were conducted through Internet Banking (INB) and authenticated with OTPs received by the Petitioner. The BO acknowledged the "vishing" attack but noted the OTP security, instructing Respondent No. 2 to reimburse only Rs. 33,340 (1/3 of one transaction).
1.4 Aggrieved by the non-reimbursement of the remaining Rs. 2,27,000, the Petitioner filed a writ petition, arguing a violation of RBI guidelines on customer liability (RBI Circular dated 6.7.2017 titled "Customer Protection Limited Liability of Customers in Unauthorised Electronic Banking Transactions") in unauthorized electronic banking transactions.
- Issues
2.1 Whether the present petition is maintainable on the ground of territorial jurisdiction before the Hon'ble High Court of Delhi.
2.2 Did the Petitioner's actions constitute negligence, making him liable, or should Respondent No. 2 be responsible under RBI guidelines for unauthorized electronic transactions?
- Court's Analysis and Decision
3.1 On the issue of the maintainability of the present petition, the Hon'ble Court found the petition maintainable in Delhi because the Banking Ombudsman's decision was made in Delhi; Respondent No. 2 has a regional office in Delhi, and the disputed funds were remitted to financial entities in Delhi. These factors established that a substantial part of the cause of action arose in Delhi, justifying the court's jurisdiction.
3.2 On the issue of whether the Petitioner was negligent, the Hon'ble Court held that the Petitioner's actions did not constitute negligence, and the responsibility for the unauthorized electronic transactions lies with the Respondent No. 2 bank, as per the RBI guidelines. The evidence demonstrates that the Petitioner did not share sensitive financial credentials, such as OTPs, and the fraud occurred due to a breach of the bank's security mechanisms, specifically through phishing/vishing techniques used by cyber fraudsters. The Petitioner acted diligently by reporting the fraud to Respondent No. 2's Customer Care on the same day, followed by complaints to the Cyber Crime Portal and the police on subsequent days.
3.3 The Respondent No. 2 relied on the RBI Circular dated 06.07.2017 titled "Customer Protection– Limiting Liability of Customers in Unauthorised Electronic Banking Transactions." However, the circular places the burden of proving the customer's liability on the bank. It is evident that the petitioner did not act negligently or recklessly, as he neither shared his payment credentials nor was complicit in the fraud. Instead, the unauthorized transaction was the result of malware that compromised even the bank's two factor authentication system.
3.4 The Raghavendra Nath Sen v. Punjab National Bank, I (2015) CPJ 254 and State Bank of India v. K.K. Bhalla, II (2011) CPJ 106 (NC), relied on by the Respondent No. 2 do not apply here. These cases involved scenarios where the customer had shared sensitive credentials or ATM PINs, demonstrating gross negligence. Similarly, the case of Punjab National Bank v. Shri Sankar Mukherjee, MAT 2483 of 2023, where the petitioner shared credentials, was distinguishable from the present matter, where no such sharing occurred.
3.5 On the other hand, the case of Tony Enterprises v. Reserve Bank of India, AIR OnLine 2019 KER 674, decided by the Kerala High Court, is relevant here. It dealt with fraud enabled through a duplicate SIM card issued to the fraudster, leading to unauthorized withdrawals. The court, in that case, held the bank liable for failing to detect and prevent unauthorized activity, setting a precedent for similar cases of cyber fraud.
3.6 Respondent No. 2 also failed to follow RBI's Master Directions on Digital Payment Security Controls (dated 18.02.2021) that mandate banks to maintain robust security systems and mechanisms to prevent such fraud. Their inability to recover the funds, despite tracing them to accounts maintained with IDFC Bank and One97 Communications Limited, reflects a glaring deficiency in service under Section 2(11) of the Consumer Protection Act, 2019. This includes failure to act promptly on the petitioner's complaint, lack of a robust chargeback mechanism, and inadequate action to prevent further loss.
3.7 Given these facts, the Petitioner qualifies for "zero liability" under the RBI guidelines. The transactions fall squarely within the protective measures outlined in the regulations. Consequently, the respondent bank is liable to compensate the petitioner for the financial loss incurred, along with interest, and to pay token compensation for the inconvenience caused due to its deficient services. The Banking Ombudsman's order dated 20.10.2021, which failed to adequately consider the facts and laws, is legally unsustainable.
3.8 Hence, based on the following discussions and reference to the precedents, the Hon'ble Court allowed the writ petition, set aside the BO's order, and issued a writ of mandamus against the State Bank of India. The Court directed Respondent No. 2 to pay Rs. 2,60,000 to Petitioner with 9% annual interest from the date of the fraud (April 18, 2021), and pay Rs. 25,000 towards the costs of legal proceedings. The court declared that the transactions fell within the "zero liability" provision of the RBI circulars. The amount paid earlier by the bank to Petitioner was to be adjusted toward the interest.
- Conclusion
4.1 This case reinforces banks' responsibility to secure customer transactions and implement robust security measures against evolving cyber fraud. The Delhi High Court's ruling in Hare Ram Singh v. Reserve Bank of India & Ors. provides hope for cyber fraud victims, emphasizing consumer protection and holding SBI accountable for deficiencies in service. The judgment reaffirms the "zero liability" principle for customers when bank systems or procedures are at fault, promoting a fairer digital banking environment. It also highlights the need for systemic reform within the banking sector, urging financial institutions to prioritize security, transparency, and compliance with RBI guidelines, including investing in advanced technology, improving complaint management, and enhancing risk management practices. This decision is a significant step toward safeguarding consumer rights in India's rapidly digitizing economy.
Please click here to view the full article.
Originally published 12th Feb 2025.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
