“The bank cannot refuse to process an online transfer if it appears to be authorized by the customer, however, upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action”, the bench of Justice Dharmesh Sharma remarked.
On Monday, the Delhi High Court ruled that a bank has an implied duty to take immediate action upon detecting fraud in online transactions. The court observed that the victim’s online banking service was linked to his mobile number, which was used for authenticating his transactions.
Consequently, the court observed that the security system of the State Bank of India (SBI) failed to detect any abnormal login activity originating from a different Internet Protocol Address utilized by the fraudsters. The court concluded that the petitioner suffered monetary losses due to the bank’s failure to implement an effective system to prevent such withdrawals.
The petitioner, a 55-year-old academician, was a victim of cyber fraud via a voice-phishing (vishing) attack on April 18, 2021. He received an SMS link and a subsequent call from an unknown fraudster, who convinced him to click the link. This led to unauthorized withdrawals totaling ₹2,60,000 from his SBI account, with transactions directed to IDFC Bank and Paytm.
Despite immediate complaints to SBI, the police, and the cybercrime division, the petitioner’s grievances were not resolved. His complaint to the Banking Ombudsman resulted in a partial refund of ₹33,334, but ₹2,27,000 remains unrecovered. SBI rejected his claims, stating the transactions were made via Internet Banking and linked to his access of the suspicious link.
The petitioner escalated the matter to the RBI and cited its 2017 guidelines on customer protection in fraudulent electronic transactions. Dissatisfied with SBI's inaction, he filed the petition seeking recovery of the remaining amount.
Advocate Ravi Chandra, representing the petitioner, argued that SBI should implement stronger security measures beyond the Secure Sockets Layer (SSL) connection to combat fraud and protect account holders.
Advocate Abhinav Sharma, representing RBI, contested the petition's maintainability, stating no cause of action or relief against the RBI was pleaded. On merits, it was argued that the petitioner’s negligence could not be ruled out, as the transactions were Two-Factor Authenticated (2FA), suggesting the petitioner may have shared an OTP.
Advocate Rajiv Kapur, representing SBI, also challenged jurisdiction and maintained that the case involved factual disputes unsuitable for resolution in these proceedings. Advocate Kapur argued the petitioner was negligent in accessing an unknown link, placing the case under clause (7)(b)(i) of the RBI circular.
On the issue of jurisdiction, the court noted that although the disputed transaction occurred at the SBI branch in Greater Noida, the Banking Ombudsman (BO) made the decision in Delhi, and the SBI’s Regional Office is also located in Delhi. Moreover, the funds in question were remitted to entities operating in Delhi. Thus, it was evident that both the respondents' operations and a significant portion of the cause of action arose within Delhi.
The court observed that the petitioner was subjected to a cyber fraud involving phishing and vishing tactics. The fraudster sent an SMS containing a malicious link to the petitioner’s mobile number, along with a call threatening service disruption if the link was not clicked. After clicking the link, the petitioner received multiple OTPs, which were subsequently used by the fraudster to withdraw ₹1,00,000 and ₹1,60,000 from the petitioner’s account. The petitioner promptly lodged complaints with SBI Customer Care, the Cyber Crime Portal, and the police on successive days, but the transactions had already been processed.
The court also noted that, per the evidence, clicking on the malicious link allowed the fraudsters to access the OTPs and execute unauthorized transactions. The petitioner’s actions did not amount to gross negligence; instead, the breach occurred due to sophisticated cyber-attack methods.
Furthermore, the court observed that the bank's failure to act swiftly was evident. Despite promptly identifying the accounts where the defrauded amounts were transferred, the respondents did not initiate chargebacks or freeze the suspicious accounts. Their justification that certain rules did not cover entities like One97 Communications Limited (OCL) was unsatisfactory.
“It is well established under the Common Law, that funds in a bank account belong to the bank, but the bank acts as an agent for the principal (the customer)”, the court emphasized. The court also held that, under established legal principles, the bank had a duty to exercise reasonable care and act promptly upon detecting fraudulent activity.
Therefore, the court held that SBI violated the mandatory Master Guidelines issued by the RBI. The petitioner’s losses qualified under the "zero liability" provision of the RBI Circulars. Accordingly, SBI was held liable to compensate the petitioner for the financial loss incurred, along with interest and token compensation.
For Petitioner: Advocate Ravi Chandra
For Respondent: Advocates Rajiv Kapur, Akshit Kapur and Riya for SBI with Advocate Abhinav Sharma for RBI
Case Title: Hare Ram Singh v Reserve Bank Of India (2024:DHC:8816)