Bank has to refund money if customer's negligence is not proved: Gauhati High Court

The Gauhati HC has ruled that a bank is liable to compensate a customer in cases involving fraudulent online transactions if it fails to establish that the customer concerned negligently shared password, OTP, MPIN etc., with the cyber criminal(s).

Fraudulent online transactions

STAFF REPORTER

GUWAHATI: The Gauhati High Court has ruled that a bank is liable to compensate a customer in cases involving fraudulent online transactions if it fails to establish that the customer concerned negligently shared password, OTP, MPIN etc., with the cyber criminal(s). Accordingly, the court directed the State Bank of India (SBI) to deposit the amount of Rs 94,204.80 in the bank account of the petitioner concerned within 30 days.

This ruling came in response to a writ petition filed by an advocate who became a victim of an online banking fraud. The petitioner has an account with the SBI, Guwahati branch. On October 18 last year, he made an online purchase of some garments from the 'Louis Philippe' store, which he wanted to return and get the money back. The petitioner received a call from a fraudster, who was later identified as one Papendra Kumar of Uttar Pradesh.

Posing as the customer care manager of 'Louis Philippe', the fraudster had asked the petitioner to download a mobile app for the purpose of making a refund of Rs 4,000 in lieu of return of a garment. Believing that the call was from the customer care department of 'Louis Philippe', the petitioner had downloaded the mobile app. Soon thereafter, a sum of Rs 94,204 was siphoned off from the bank account of the petitioner via three separate online transactions. On October 18, 2021, an amount of Rs 64,017 was transferred from the bank account of the petitioner by Payment Gateway (PG) transactions. Immediately thereafter, two other transactions took place for the amounts of Rs 15,093 each. The fraudulent transactions took place through mobile phones bearing numbers +91 7789956974 and +91 9188762299. The amounts were initially transferred to an account in the Federal Bank and thereafter shifted to other bank accounts.

The petitioner had lodged an FIR at the Jalukbari Police Station, along with three complaints with the Cyber Crime Cell of Criminal Investigation Department (CID). The petitioner also reported the matter to the National Cyber Crime Reporting Portal (NCCRP) of the Ministry of Home Affairs.

The petitioner then claimed a refund of the pilfered amount from the SBI on the day after the cyber crime occurred, but faced refusal. He subsequently filed a complaint with the RBI ombudsman, Guwahati, seeking redress. However, the ombudsman too rejected the refund claim via an order dated March 7 this year. The ground given was that the SBI was not liable to compensate him, as the fraud took place due to his negligence because the transactions were successful and authorized via OTP and MPIN, and that no deficiency could be attributed to the service of the bank under Clause 10 of the Reserve Bank - Integrated Ombudsman Scheme, 2021.

The petitioner, however, asserted before the court that he had not shared OTP, MPIN etc., with the fraudster.

The High Court observed in its judgment, "From a reading of the relevant provisions of the RBI circular what can be seen is that Clause 8 deals with third party breaches where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system. As per Clause 6 (ii), the liability of the customer in such cases would be zero when the customer notifies the bank within three working days of receiving the communication from the bank regarding unauthorized transaction(s)… In the present case, even if it is assumed that the fraudulent transaction had taken place due to "third party breach" i.e., breach in the customer database of the bank, even then, the fraud/ unauthorized transaction was reported to the bank on 19/10/2021, i.e., within one working day. Therefore, as per Clause -8 of the RBI circular, the liability of the customer/ writ petitioner in this case ought to be zero."

The court observed that the SBI and the RBI ombudsman had failed to substantiate their claim that the petitioner had shared OTP, MPIN etc., with the fraudster.

The court further noted: "It can be inferred that in case of unauthorized electronic transactions the bank would have a duty to reverse the payment and credit the amount involved in the unauthorized transaction within a time frame, provided the fraudulent transaction is reported by the customer within the time frame provided in the (RBI) Circular… Had the Bank installed effective cyber security system and online fraud control measures then in that event, even if a mobile app is downloaded by a customer, money could not have been transferred from the bank account without proper authorization. Regardless of whether it was a UPI or PG transaction, it is not believable that the petitioner would deliberately share his OTP, password and MPIN so as to allow his hard-earned money to be siphoned off from the bank account by a fraudster, that too, on three consecutive occasions, in quick successions. Rather, the incident appears to be pure and simple case of cyber crime whereby, the fraudster had hacked the database of respondent No 3 (SBI) and thereafter, got access to sensitive information pertaining to various customers of 'Louis Philippe', including the petitioner…"

The court, however, said that the SBI would be at liberty to recover the amount from Louis Philippe, but added that the SBI would have to pay interest @ 9% per annum to the petitioner if the money is not refunded within 30 days.

Sentinel Assam
www.sentinelassam.com