SBI’s inability to set up a secure system resulted in financial losses for a customer. The Delhi High Court has ordered the bank to pay ₹2.6 lakhs in compensation to the victim of cyber fraud.
The Delhi High Court recently sided with a bank customer, ordering the State Bank of India (SBI) to compensate him for a cyberattack that resulted in a fraudulent withdrawal of ₹2.6 lakhs from his savings account. The customer was a victim of a phishing attack, which allowed unauthorized transactions. After noticing the fraud, he quickly reached out to SBI’s customer service and branch manager for assistance. However, he claimed that the bank did not respond promptly or take necessary steps to stop further losses. A few months later, SBI denied his claim, citing two reasons: first, that the withdrawals were made through its internet banking system, which required One-Time Passwords (OTPs) for authorization; and second, that he had clicked on a link that caused the cyberattack. He denied sharing any OTPs and challenged the bank’s position.
Justice Dharmesh Sharma found SBI’s response to the complaint inadequate. The Court noted a significant “service deficiency” on SBI’s part, highlighting that even though the customer reported the breach quickly, the bank did not act in a timely or thorough manner. The failure to block suspicious transactions and prevent further withdrawals was seen as a major oversight. The Court concluded that the losses incurred were due to SBI’s negligence in maintaining effective security measures against such frauds. The Court remarked that the customer’s financial losses were a result of the bank’s failure to implement a system to prevent these withdrawals.
Advocate Ravi Chandra represented the petitioner, while Advocate Abhinav Sharma represented the respondents. The Court noted that SBI breached the guidelines from the Reserve Bank of India (RBI) regarding Digital Payment Security Controls, which are meant to prevent digital fraud. The Court stated, “The transactions in question fall under the ‘zero liability’ clause mentioned in the RBI Circulars. Thus, respondents No. 2 and 3/SBI must compensate the petitioner for the loss incurred, along with interest, and provide token compensation.” The Court further explained, “According to Common Law, funds in a bank account belong to the bank, which acts as an agent for the customer. Therefore, the bank cannot deny processing an online transfer if it seems authorized by the customer. However, if fraud is detected, the bank has a duty to act with reasonable care and respond quickly.”
Before going to the High Court, the petitioner had filed a complaint with the Banking Ombudsman, which led to SBI crediting a partial amount of ₹33,000 to his account. However, the bank did not return the rest of the money, leading him to seek further relief from the court. The Court also highlighted that SBI’s security measures, such as Two-Factor Authentication (2FA) and OTP verification, were compromised by a simple malware attack from the fraudsters. The petitioner could not be held responsible for the cyberattack since he never shared any OTPs, and the bank did not respond to his immediate report.
The Court stated that anyone, no matter their age, education, or experience, can be a target of today’s advanced cyber-attacks. It was also acknowledged that the petitioner quickly contacted SBI Customer Care and filed a report, but sadly, the transaction had already gone through. Consequently, the Delhi High Court directed SBI to pay the full amount of ₹2.6 lakhs plus 9% interest from April 18, 2021, the day the fraud was reported. The bank was also ordered to cover ₹25,000 for the petitioner’s legal costs.
Cause Title: Hare Ram Singh v. Reserve Bank of India & Ors., [2024:DHC:8816]
Appearance:
Respondents: Advocates Abhinav Sharma, Rajiv Kapur, Akshit Kapur, and Riya