Sympathising with the victim of a cyber-crime, the Bombay High Court has clarified that writ petition under Article 226 of the Constitution of India is maintainable against a private scheduled bank for the enforcement of the Reserve Bank of India’s circulars and guidelines issued in the public interest, as the bank discharges a public function when acting in a capacity that involves public interest and the protection of customers in electronic banking.
The Court also clarified that under the RBI Circular dated 06/07/2017, a customer has zero liability in cases of unauthorized electronic banking transactions arising out of a third-party breach where the deficiency lies neither with the bank nor with the customer but elsewhere in the system, provided the customer notifies the bank within three working days of receiving communication regarding the unauthorized transaction.
Thus, the Court ruled that the burden of proving customer liability or negligence in unauthorized electronic banking transactions rests strictly on the bank, and the bank cannot absolve itself of liability merely by claiming that OTPs were generated and sent, without conclusively establishing the customer’s complicity or negligence in sharing the credentials.
The Division Bench comprising Justice Bharati Dangre and Justice Manjusha Deshpande observed that while HDFC Bank may not be a ‘State’ or its instrumentality under Article 12 of the Constitution, a writ petition under Article 226 is maintainable against it because the Bank discharges a public function when it implements the guidelines formulated by the Reserve Bank of India (RBI) under Section 35A of the Banking Regulation Act for the protection of customers in electronic banking transactions.
The Bench Court observed that the RBI Circular dated 06/07/2017 on ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions’ is independent of any criminal investigation to be conducted to establish any cyber-crime, as the RBI intended to protect the customer who has suffered financial loss on account of fraudulent or unauthorized electronic banking transactions.
Further, the Bench noted that the burden of proving the customer’s liability in case of unauthorized electronic banking transactions lies entirely on the bank. Since the Bank failed to establish that the Petitioner was careless or negligent, or that he had shared the password or OTP with anyone, the Bench observed that the Petitioner was a victim of a SIM swapping fraud, which is a sophisticated form of identity theft where fraudsters take over a victim’s phone number, resulting in the OTPs and banking alerts being received on a cloned/duplicate SIM in the hands of the fraudster.
The Bench noted that the Bank’s internal investigation report clearly admitted that the transactions were not alerted because the risk score was 691, and the alert was declined despite the IP location of the disputed transactions (Chennai) being different from the genuine transaction IP location of the customer (Pune).
Since the Bank did not produce a single original log of sending messages or e-mails and its receipt by the Petitioner, but merely placed excerpts from the Log Book of a private agency to urge that the Bank had sent OTPs and e-mails, the Bench concluded that since the fault lies neither with the Bank nor with the customer, but elsewhere in the system (third-party breach), and the customer notified the bank promptly, the clause fixing ‘zero liability’ on the customer gets triggered, entitling the Petitioner to a full refund.
Briefly, the Petitioner, freelancer, maintained a saving and current bank account with the HDFC Bank since 2011 and 2016 respectively. In 2021, three unknown persons namely Samir Tamang, Aloke Pal, and Subhomoy Biswas were added as beneficiaries in the Petitioner’s account for the purpose of enabling net-banking transactions. The permissible net banking limit qua his account of Rs. 4 lakhs were enhanced to Rs. 40 lakhs. No OTPs were received by the Petitioner from HDFC Bank for both the activities, i.e., addition of beneficiaries or enhancement of transfer limit.
Although the security system of the HDFC Bank flagged and alerted the addition of these beneficiaries, recommending ‘Decline add payee’ and alerting “Transaction IP does not match with genuine transaction IP of customer”, the addition of beneficiaries was manually approved by the Bank. The Petitioner lost a sum of Rs. 38 lakhs through eight unauthorized bank transfers, which took place within a span of 41 minutes, and the money was transferred to the accounts of the beneficiaries added on the previous day.
The Petitioner received intimation of one such transfer of Rs. 2.14 lakhs at 17:55 hours on 15/07/2021, which was after two hours of the last transaction. Upon receiving the SMS alert, the Petitioner logged on to the net-banking facility, realized the fraud, addressed an email to the relationship manager, tried to connect to the HDFC toll-free number, issued written instructions to block the account at 18:03 hours, and lodged an FIR with the local police station on the next date.
HDFC Bank addressed an email to the Petitioner denying its liability and alleging breach of confidential information at the Petitioner’s end, stating that the transactions were authenticated with OTPs sent to the registered mobile number and email ID. The Police Inspector, Wakad Police Station, submitted a report stating that no error or negligence was found against the Petitioner and directed the Bank to refund the amount.
The complaint filed by the Petitioner was closed by the Banking Ombudsman on 28/03/2022 under clause 16(2)(a) of the Reserve Bank Integrated Ombudsman Scheme 2021, citing that transactions were performed through the same device and secure credentials. An affidavit filed by BSNL revealed that the Petitioner’s SIM card was swapped/replaced on four occasions between 12/07/2021 and 15/07/2021 by fraudsters using fake documents, which caused the Petitioner to lose network connectivity and fail to receive the OTPs.
Appearances:
Senior Advocate Sharan Jagtiani along with Advocates Priyank Kapadia, Sapna Pande, and Akshay Pansare, for the Petitioner
Senior Advocate Prateek Seksaria, A.G.P., M.M. Pable, along with Advocates Ishwar Nankani, Huzefa Khokhawala, Karan Parmar, Kartik Gupta, Mayur Khandeparkar, Mayur Bhojwani, Ulrik Jehangir, Dhamini Nagpal, Prasad Shenoy, Aditi Phatak, Ashutosh Mishra, Vinit Jain, Ashok R. Varma, Gaurav Mhatre, and Aparna Shrivastava, for the Respondents
