Delhi High Court: In a writ petition filed to seek directions for quashing the rejection order passed by the State Bank of India (‘SBI’) (Greater Noida Branch) (respondents 2 and 3) and to direct the respondents to restore the amount illegally siphoned off from the petitioner’s SBI savings account by unknown parties, a Single Judge Bench of Dharmesh Sharma, J. set aside the impugned order dated 20-10-2021 passed by the Banking Ombudsman (‘BO’) and issued a writ of mandamus against SBI to pay the amount withdrawn in an unauthorized manner along with 9 percent interest within four weeks.
Background
On 18-04-2021, the petitioner, a 55-year-old academician, received a call from an unknown caller who convinced him to click on a link mentioned in an SMS received by the petitioner. As soon as he clicked on the link, approximately Rs. 2,60,000/- was withdrawn in an unauthorized manner by way of two transactions from the petitioner’s bank account at SBI.
On perusal of the petitioner’s bank statement, it was found that the first transaction of Rs. 1,00,000/- was made to a bank account in IDFC bank and the second transaction of Rs. 1,60,000/- was made to One97 Communications Ltd. (Paytm) by way of internet banking.
Upon realizing that he had been defrauded, the petitioner immediately reached out to the customer care department of SBI to register a complaint and sought to hold the transactions, however his effort went in vain. On 20-04-2021, the petitioner filed a complaint before the Branch Manager of SBI. He had previously filed a cyber complaint dated 18-04-2021 and a complaint dated 19-04-2021 in the Hajipur Police Station, Bihar. He also registered his grievance under the Centralized Public Grievance Redress and Monitoring System (‘CPGRMS’) against the unauthorized withdrawal.
On 26-04-2021, the petitioner filed a complaint before the BO against SBI for its inaction and failure to resolve the matter. During the pendency of this complaint, he regularly served reminders upon the Chairman of the SBI seeking status of the action being taken upon his complaint.
On 26-07-2021, the Chief Manager of SBI issued a rejection letter to the petitioner, wherein the petitioner’s complaint was rejected on the ground that the transaction had taken place through internet banking for which hehad received One Time Passwords (‘OTPs’) and that he had accessed a link forwarded by an unknown person which led to the deduction of funds from his bank account.
Aggrieved by the rejection letter, the petitioner again approached the Reserve Bank of India (‘RBI’) (respondent 1) by way of complaints dated 06-08-2021 and 31-08-2021 to seek reinvestigation and expeditious disposal of his complaint, wherein he specifically mentioned that he did not share any One Time Password (‘OTP’) with the unknown caller.
Pursuant to the order passed by the BO, one-third of the disputed amount of Rs. 1,00,000/- i.e. Rs. 33,334/- was credited by SBI to the petitioner’s account on 06-10-2021 and the complaint was closed. However, Rs. 2,27,000/- had not been restored by SBI despite the guidelines issued by RBI vide circular titled ‘Customer Protection — Limiting Liability of Customers in Unauthorized Electronic Banking Transactions’ dated 06-07-2017 and thus, the present petition was filed.
Analysis and Decision
The Court stated that the challenge by SBI to the territorial jurisdiction of the Court to entertain and adjudicate upon the present writ petition was not maintainable in law because even though the transaction took place in relation to an account in the Greater Noida branch of SBI, the decision by the BO was made in Delhi and SBI has its Regional Office in Delhi as well. Moreover, the Court said that the amount in question had been remitted to financial concerns in Delhi.
The Court found it significant that the petitioner categorically submitted that he had never shared the OTPs even though he did receive the same. It was said that the moment the link was clicked, the petitioner’s mobile was hacked, and the OTPs were accessed by the fraudster.
The Court perusedRBI’s written submissions wherein it elaborated that based on the documentary evidence produced by SBI, the BO observed that the petitioner’s internet banking was successfully logged in at 5:09:55 and 5:28:03 on 18-04-2021 and the OTPs were delivered on his registered mobile number thrice — at 5:10:18, 5:28:15, and 5:29:15 on the same date for approval of transactions worth Rs. 10/-, Rs. 1,00,000/-, and Rs. 1,00,000/-. It was said that this documentary evidence had not been placed on record and had been deliberately kept away.
The Court agreed that the petitioner was negligent so as to fall prey to the scamsters, but also said that considering the sophisticated cyber-attacks prevalent today, anyone, regardless of age, education, or experience could fall victim to them.
The Court perused the RBI Circular dated 06-07-2017 titled “Customer Protection — Limiting Liability of Customers in Unauthorized Electronic Banking Transactions” and said that the burden of proving the customer’s liability in case of unauthorized electronic banking, lies upon the bank.
The Court stated that the petitioner was a ‘victim’ of cyber fraud and cannot be said to be ‘negligent’ because the negligent act on the part of the customer should be such which is gross, utterly reckless, and unconscionable. However, in the present matter, the petitioner had taken care not to share the OTPs and this implied that the most hyped 2 Factor Authentication was breached which directly attributed to the deficiency in service by SBI.
The Court said that what turned the table against SBI was that even after it had tracked where the amount had been transferred, it failed to provide a satisfactory explanation for its inability to initiate a chargeback, reclaim, or block the amount despite the petitioner’s prompt complaint. The Court found SBI’s justification to be weak whereby it claimed that the relevant rules of RBI did not cover One97 Communications Ltd. and only apply to commercial, regional rural, and scheduled primary cooperative banks.
The Court said that it is undeniable that customer care services play a crucial role in supporting bank customers and that SBI demonstrated a glaring service deficiency because despite prompt intimation from the petitioner they showed no urgency and neglected their duty to act swiftly upon notification of the fraudulent withdrawal. Additionally, they took no steps towards chargeback, retrieval, or freezing the suspicious accounts maintained with IDFC Bank and One97 Communications Ltd.
The Court found it evident that security protocols such as 2 Factor Authentication and OTP verification had been breached by a simple malware deployed by the cyber fraudsters because the security apparatus of SBI failed to detect any unusual logging activity from a different IP address. Thus, the Court presumed that the petitioner suffered monetary losses due to the bank’s failure to put in place a system which prevents such withdrawals.
The Court said that upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action, but SBI failed to take immediate measures to take up the issue with other Regulated Entities to whom the online payment had been remitted.
Further, the Court found that the BO had failed to judiciously consider the entire gamut of the controversy by overlooking the key aspects of the matter and completely misdirected itself in law. Consequently, the Court found the impugned order dated 20-10-2021 to be legally unsustainable.
The Court, while allowing the writ petition, said that the transactions in question would fall within the sweep of ‘zero liability’ and set aside the order dated 20-10-2021 passed by the BO. A writ of mandamus was also issued against SBI to make payment of Rs.2,60,000/- to the petitioner with 9 percent interest per annum from the date the fraud was reported. SBI was further directed to pay Rs. 25,000/- as cost along with the afore-mentioned amount within four weeks.
[Hare Ram Singh v. Reserve Bank of India, 2024 SCC OnLine Del 8039, Decided on 18-11-2024]
Judgment authored by Justice Dharmesh Sharma
Advocates who appeared in this case :
For Petitioner — Advocate Ravi Chandra
For Respondent — Advocate Rajiv Kapur, Advocate Akshit Kapur, Advocate Riya, Advocate Abhinav Sharma