Court orders SBI to repay fraud victim, setting a precedent for robust consumer protection in cybercrime.
New Delhi: The Delhi High Court came to the rescue of a Noida-based 55-year-old academician who lost Rs 2.60 lakh to cyber fraud despite not sharing a one-time password, and who was refused any assistance by both the State Bank of India and the Reserve Bank of India. After several efforts by the petitioner, the banking ombudsman asked the SBI to compensate him with a meager Rs 33,000 for his loss, after which he approached the court.
In a ruling with wide ramifications for consumer rights, one that places the onus of protecting customers on banks, Justice Dharmesh Sharma, in his order on 18 November, asked SBI to return Rs 2.60 lakh to the victim with 9 percent interest from the date the fraud was reported, along with Rs 25,000 as costs for legal proceedings, making the bank liable to pay Rs 3.90 lakh in total.
This judgment is being seen as a departure from the norm, where courts in most cases rule in favor of financial institutions if they are able to show that the victim, under the impression that he/she was interacting with a bona fide official, ‘clicked’ or submitted details that led to the fraud.
The said customer, who was operating a savings bank account at the SBI Branch in Greater Noida, was defrauded through a vishing attack, a form of cyber fraud that involves voice phishing. In this case, the victim, Hare Ram Singh, on 18 April 2021, received an SMS containing a link, which led to a phone call from an unknown individual. This caller convinced him to click the link to keep his SMS service operational. Upon clicking the link, unauthorized transactions totaling Rs 2.60 lakh were made from his bank account without his consent.
Singh’s account was debited in two transactions: one for Rs 1 lakh and another for Rs 1.60 lakh. The funds were transferred to accounts at IDFC Bank and One97 Communications Ltd (Paytm) respectively. After realizing that he had been defrauded, he immediately reported the fraud by contacting the State Bank of India (SBI) customer care and filing complaints with both the bank and local police.
Despite his timely reporting, SBI rejected his claims on the grounds that he had accessed a link sent by an unknown party and received OTPs (One-Time Passwords) for the transactions. Later, after being approached by the customer, the Banking Ombudsman acknowledged that Singh was indeed a victim of vishing but concluded that some negligence on his part could not be ruled out since he had interacted with the fraudulent link.
The Ombudsman, in its order, asked the bank to return a portion of the funds, but a significant amount was not returned on the grounds of negligence by the customer.
In their defense, SBI contended that Singh was negligent because he accessed a link sent by an unknown party, which led to the unauthorized transactions. They argued that since the transactions were conducted using Internet Banking (INB) credentials and involved One-Time Passwords (OTPs), it suggested that Singh may have inadvertently shared his OTP with the fraudster.
SBI also rejected Singh’s complaint, stating that he had received OTPs for the transactions, indicating that he had authorized them in some manner. This was a crucial point in their defense, as they maintained that because Singh had interacted with the fraudulent link, he bore some responsibility for the losses incurred.
SBI further claimed that their actions aligned with the RBI’s guidelines regarding customer liability in cases of unauthorized electronic banking transactions. They argued that Singh’s situation fell under the category of limited liability due to his negligence.
The RBI, in its response, challenged the maintainability of Singh’s petition, arguing that there was no direct cause of action against them. They stated that while Singh was recognized as a victim of vishing, his case fell under provisions that allowed for limited liability due to potential negligence on his part. It also reiterated the points raised by SBI that customers must exercise caution and not engage with unknown links or calls, while supporting SBI’s arguments that negligence on the part of the customer could lead to liability for losses incurred during unauthorized transactions.
Both institutions also challenged the petition on the ground of territorial jurisdiction, stating that the case should not be heard in Delhi. However, the court found no merit in this argument, given that SBI and RBI operate across India and that the debited amount was remitted in Delhi.
In its order, the court decided in favor of the bank customer and stated that he was a victim of a vishing attack, where he was tricked into clicking a malicious link that led to unauthorized withdrawals from his bank account.
It noted that such sophisticated cyber fraud can easily deceive individuals regardless of their awareness or experience. The court relied on the RBI circular dated 6 July 2017, which outlines customer protection and liability in cases of unauthorized electronic transactions and highlights provisions for zero liability when the bank is found to be at fault or when there is a third-party breach.
The court stated that SBI had not adequately protected Singh’s interests as a customer. It emphasized that the bank has a duty to implement robust security measures to safeguard customers against such frauds.
With the court putting the onus of bearing the loss on the bank rather than the individual, it will push the banks to employ more stringent measures to tackle banking cyber frauds.