Delhi High Court Directs SBI to Compensate Cyber Fraud Victim, Cites Security Lapses


The Delhi High Court has directed the State Bank of India (SBI) to compensate a customer for ₹2,60,000 lost to cyber fraud, citing “glaring service deficiency” on the bank's part. The petitioner, a victim of unauthorized transactions after clicking a fraudulent SMS link, was awarded compensation with interest and legal costs due to lapses in SBI’s security protocols.

The Court noted that the transactions were executed without the petitioner sharing any OTPs, highlighting a breach in SBI's "most hyped 2-Factor Authentication [2FA]" system. Justice Dharmesh Sharma remarked, “In the present case, the petitioner had taken care not to share the OTPs, in fact he had no occasion to do so, and if that is the case, it would imply that even the most hyped 2 Factor Authentication [‘2FA’] was breached as the same was not secure, which is directly attributable to deficiency in service provided by the respondent no. 2 & 3 SBI.”

 

Background

The petitioner, aged 55, received an SMS with a link on April 18, 2021, followed by a call from an unknown individual instructing him to click the link to keep his SMS services operational. Upon clicking the link, ₹2,60,000 was withdrawn from his SBI savings account across two transactions. The petitioner promptly contacted SBI's customer care to report the fraud and freeze the transactions, but the payments had already been processed.

The petitioner lodged a formal complaint with SBI’s Branch Manager in Greater Noida and filed cybercrime and police complaints. Dissatisfied with SBI’s response, the petitioner approached the Banking Ombudsman (BO) on April 26, 2021. The BO later directed SBI to reimburse one-third of the disputed amount (₹33,334), which was credited to the petitioner’s account, and the case was closed. However, the petitioner subsequently filed a case in the High Court, seeking full compensation for the loss incurred.

 

Court Observations

The Court addressed SBI’s reliance on the RBI Circular titled “Customer Protection– Limiting Liability of Customers in Unauthorized Electronic Banking Transactions” dated July 6, 2017, which states that customers are liable for losses arising from their own negligence. However, the Court found no evidence of negligence on the petitioner’s part. It noted that the petitioner did not share OTPs or payment credentials and that the unauthorized transactions occurred solely because of the fraudulent SMS link.

“The record shows that he had never shared the payment credentials, which fact is fortified from the written submissions filed by the respondents that the OTPs were not shared by the petitioner as such. It is merely upon clicking on a link received on his mobile phone after he was duped into believing that his SMS services would be blocked, that the said unauthorized transactions took place,” the Court noted.

The Court emphasized that negligence implies a lack of ordinary care expected from a prudent person. It clarified that negligence must be “gross, utterly reckless and unconscionable,” which was not applicable in this case.

 

Deficiency in SBI’s Services

The Court criticized SBI’s inadequate response, including its failure to promptly initiate a chargeback or address the fraud with the recipient banks. It also highlighted deficiencies in SBI’s security systems, stating that the “2FA” and OTP verification protocols were bypassed using simple malware. “In the light of the aforesaid regulations, it is evident that the security protocols such as ‘2FA’ or OTP verification had been breached by a simple ‘malware’ deployed by the cyber fraudsters,” the Court remarked.

The Court referenced the RBI’s “Master Direction on Digital Payment Security Controls” dated February 18, 2021, which mandates banks to implement robust dispute resolution mechanisms and address fraudulent transactions promptly. It observed that SBI failed to detect unusual login activities, such as different IP addresses used by fraudsters, and did not act swiftly to prevent the monetary loss.

Describing SBI’s response as “lukewarm, defective, and not prompt,” the Court concluded that there was a significant deficiency in services. It determined that the unauthorized transactions fell under the “zero liability” category outlined in the RBI’s 2017 Circular, entitling the petitioner to compensation.

 

Verdict

The Court found SBI liable for the petitioner’s losses and directed the bank to compensate ₹2,60,000 with 9% annual interest. Additionally, the Court ordered SBI to pay ₹25,000 to cover the petitioner’s legal costs.

 

Case title: Hare Ram Singh vs. Reserve Bank Of India & Ors.

Case Number: W.P.(C) 13497/2022

Date: November 18, 2024

Coram: Justice Dharmesh Sharma

 
