Know The Law | Banks' Liability When Customers Lose Money Due To Unauthorised Transactions
While upholding State Bank of India's liability for a fraudulent and unauthorized transaction reported in a customer's bank account, the Supreme Court recently observed that banks cannot shy away from the responsibility to safeguard their customers from unauthorized transactions reported from their accounts.
The order was passed in the case of a customer who indulged in online shopping and later tried to return the item. He downloaded an app following a call from a fraudster posing as customer care for the retailer, which led to unauthorized transactions totaling Rs.94,204.80. His bank (SBI) denied liability on the ground that the transactions were authorized, as the customer shared OTP (One Time Password) and M-PIN. However, the customer maintained that he did not share OTP or MPIN and that the fraud occurred due to a data breach on the retailer's website, over which he had no control.
Noting that the customer brought the fraudulent transaction to the notice of the Bank within 24 hours, the Supreme Court rejected SBI's argument that it did not owe liability towards the customer. While cautioning bank account holders against sharing of OTPs with third-parties, the Court however said that in some circumstances, even account holders can be held responsible for negligence.
In the backdrop of this order, let's see some of the other instances where judicial/quasi judicial authorities propounded on customers' and banks' liability in cases of unauthorized and fraudulent transactions. We shall also briefly look at RBI's circular dated July 6, 2017 which extensively dealt with the issue and is relied upon by authorities to decide cases of fraudulent/unauthorized banking transactions.
RBI Circular On Customers' And Banks' Liability
On July 6, 2017, RBI issued a circular to banks across the country regarding unauthorized electronic banking transactions. This circular was the result of a review of criteria for customer liability in cases of unauthorized transactions, given increased emphasis on consumer protection and a surge in grievances pertaining to unauthorized debits from consumer accounts.
Among other things, the circular called on banks to put in place fraud detection and prevention mechanisms, a mechanism to assess and mitigate risks, as well as a system of continually advising customers on how to safeguard themselves against banking and payments related fraud. As regards reporting of unauthorized transactions, it necessitated that banks intimate customers about the importance of prompt reporting, as the longer the delay, the higher the risk (to the bank/customer).
In terms of the circular, banks are to provide customers with 24x7 access through multiple channels (via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting unauthorized transactions. The fraud reporting system of banks is also to ensure that a customer's complaint is immediately responded to with a registered complaint number. In case a report is made regarding an unauthorized transaction in an account, it is for the bank to ensure that no further unauthorized transaction takes place in the account.
Adverting to customers' liability in case of unauthorized transactions, the circular provided for two scenarios: one, where the customer would have ZERO liability, and two, where the customer would have LIMITED liability.
A customer is to have zero liability if an unauthorized transaction takes place in the event of:
(i) Contributory fraud/negligence/deficiency on the part of the bank (in this scenario, whether the transaction is reported by the customer or not is irrelevant);
(ii) Third-party breach, where deficiency lies in the banking system (not with a bank/customer) and the customer notifies the bank within 3 working days of receiving the communication from the bank regarding the unauthorized transaction.
A customer would share liability for an unauthorized transaction if:
(i) Loss occurs due to his negligence: For instance, if the customer shares payment credentials, he will bear the entire loss until he reports the unauthorized transaction to the bank. If loss occurs after the customer reports, it shall be borne by the bank.
(ii) There is a third-party breach and delay (of >3 working days) in reporting: This applies where responsibility for the transaction lies in the banking system (not with a bank/customer) and there is a delay in reporting of the same by the customer to the bank. If the delay is of 4-7 working days since receipt of communication from the bank, the per transaction liability of the customer shall be limited to the transaction amount or as stipulated in Table 1 of the circular (whichever is lower). If the delay is of over 7 working days, the customer's liability shall be as per the bank's Board approved policy.
Therefore, unless there is contributory fraud/negligence/deficiency on the part of a bank, the customer's liability depends on the time taken by him to report a fraudulent transaction. When computing the delay, the number of working days shall exclude the date of receipt of communication.
Compensation: As regards reversal of fraudulently debited amounts, the circular stipulated that on being notified by a customer, a bank is to credit (shadow reversal) the amount involved in the unauthorized electronic transaction to the customer's account within 10 working days from the date of notification by the customer. The bank may, at its discretion, decide to waive off any customer liability in case of unauthorized electronic banking transactions even if there was customer negligence.
Notably, as per the circular, a consumer's complaint shall be resolved (and his liability determined) within 90 days of its receipt by the bank. The burden of proving customer liability in case of unauthorized electronic banking transactions shall lie on the bank. Further, banks must formulate/revise their customer relations policy, so that they are transparent, non-discriminatory and stipulate compensation mechanism for unauthorized transactions.
Judicial/Quasi-Judicial Decisions On Banks' and Consumers' Liability
Now, let's look at some of the cases where courts/consumer commissions propounded on liability in case of unauthorized banking transactions.
♦ Bank Liable For Fraudulent Online Transaction If Account Holder's Fault Not Proved : NCDRC
In January, 2021, the National Consumer Disputes Redressal Commission (NCDRC) held that in case of fraudulent transactions leading to withdrawal of money from a bank account, the concerned bank shall be responsible for the loss, not the consumer/account-holder, if it is not proven that the fraudulent transaction had taken place due to the consumer's fault. It was opined that in the modern digital age, possibility that a credit card was hacked or forged cannot be ruled out.
In this case, the disputed transactions (29 in number) took place from an HDFC Bank credit card, stated to be in possession of the consumer-complainant at the relevant time. The transactions were alleged to have taken place remotely, several miles away from the consumer's actual location. As such, it was argued that the card must have been forged/hacked or there was some other technical and/or security lapse in the electronic banking system through which the transactions had taken place.
The Bank, on the other hand, maintained that the credit card must have been stolen and it was due to the card holder's negligence that she lost safe custody of her card.
Referring to RBI circular dated July 6, 2017, the Commission noted that a customer has zero liability where the deficiency lies in the banking system. On facts, it was observed that within 3 days of receiving information from the Bank, the consumer's father notified the Bank that the transactions were unauthorized. Holding in favor of the consumer, the Commission said,
"Bank cannot rely on arbitrary terms and conditions to wriggle out of its liability towards customers and any such terms and conditions must be in conformity with the directions issued by the RBI which is responsible for safekeeping of the Banking Systems and maintaining checks and balances in the same."
Reliance was placed on Punjab National Bank & Anr. v. Leader Valves II, where the Commission observed:
"The first fundamental question that arises is whether the Bank is responsible for an unauthorized transfer occasioned by an act of malfeasance on the part of functionaries of the Bank or by an act of malfeasance by any other person (except the Complainant/account-holder). The answer, straightaway, is in the affirmative. If an account is maintained by the Bank, the Bank itself is responsible for its safety and security. Any systemic failure, whether by malfeasance on the part of its functionaries or by any other person (except the consumer/account-holder), is its responsibility, and not of the consumer."
In September, 2023, Gauhati High Court directed SBI to reverse an amount of Rs. 4,44,699.17 in the bank account of a cyber-crime victim, which was deducted from their account due to several unauthorized transactions.
The petitioner in this case (complainant) was holder of an SBI account, who alleged that unauthorized online transactions amounting to Rs. 4,44,699.17 occurred in his account without his knowledge or consent. He claimed that he did not receive any SMS alerts notifying him of these transactions on his registered mobile number.
The High Court noted that the Bank did not preserve its record of having sent SMS alert to the petitioner regarding e-commerce or internet use of his ATM card. Further, it observed that transactions that had taken place from the petitioner's account vide ATM card were unauthorized and fraudulent in nature because as per the investigation carried out by the State CID, 12 of the IP addresses through which transactions were made were located in Thane, Maharashtra and 2 of them were fake.
In December, 2023, Kerala District Commission held that unauthorized transactions exceeding credit limit of an account holder, particularly when such a person did not opt for over-the-limit transaction, would constitute a deficiency of service.
The consumer in this case held an SBI credit card with a credit limit of Rs.1,32,000/-, on which, there was an alleged unauthorized withdrawal of Rs. 39,507, when the available credit was Rs. 39,000 (even though the consumer had not opted for over-the-limit transactions). The consumer claimed that he received phone calls from unknown numbers, including one which appeared to be from SBI, as a result of which he provided his card number; following the same, an amount exceeding the credit limit was withdrawn from his account.
The Bank however disputed the claims, arguing that the consumer suffered the loss because he shared his card number and OTP voluntarily. It emphasized that the consumer shared these details despite clear warnings issued by the bank not to share personal information, including OTP, with anyone.
Directing the bank to refund the amount fraudulently withdrawn from the consumer's account, the Commission held that the bank's failure to prevent unauthorized transactions and secure the electronic banking environment constituted a breach of its duty and it could not evade its liability by shifting the blame entirely onto the consumer. In relation to the RBI circular dated July 6, 2017, it was observed,
"The RBI's circular specifically states that customers bear no liability in cases of third-party breaches where the fault does not lie with the bank or the customer, but elsewhere in the system. The only requirement for customers, as per the circular, is to promptly report any unauthorized transactions to their bank to enable account blocking. The circular serves as a reminder of the banks' responsibilities and does not create new rights or obligations."
The Commission placed reliance upon Kerala High Court's decision in State Bank of India v. P.V. George (2019) which dealt with the duty of care banks have in protecting the interests of customers, including safeguarding them from unauthorized transactions. In this case, the High Court laid down that Banks cannot deny liability even when customers do not respond to SMS alerts on fraudulent withdrawals.
In March, 2024, Chandigarh District Commission held Standard Chartered Bank liable to reverse Rs. 2,60,000/- debited from a consumer's account as a result of unauthorized transactions, along with interest from the date of deduction till actual realization.
In this case, the consumer was holder of an SCB Credit Card. One day, he received an SMS from the bank indicating OTPs for seven unauthorized transactions. The consumer promptly notified the bank, resulting in the blocking of his credit card and the initial reversal of the debited amount. However, the amount was later reversed and debited again from his card account.
Aggrieved, he approached the Commission, urging that he did not receive any prior alerts from the bank regarding exceeding of the credit limit. Further, he claimed zero liability, as the transactions were reported within 3 working days. The bank, on the other hand, argued that as per investigation, the transactions were Online Secured Transactions, requiring both credit card details and OTP for validation. It asserted that it was the responsibility of the cardholder (consumer) to keep card details confidential until loss reporting.
Eventually, the Commission ruled against the Bank, as it could not prove any negligence on the consumer's part. Further, it was observed that the consumer informed the bank promptly within 3 days, as per RBI guidelines.
In July, 2024, Bangalore District Commission held State Bank of India liable for deficiency in services due to its failure to safeguard the FD account of an 83-yr old consumer which resulted in unauthorized transactions amounting to Rs. 25,000/-.
The complainant-consumer in this case received a message prompting him to update his PAN card. Apparently, he provided the OTP under the impression that it came from the State Bank of India. On the same day, amounts of Rs. 25,000/- (from his FD account), Rs. 20,000/- (from his SB account), and Rs. 19,000/- (from his SB account), totaling Rs. 64,000/-, were debited. Due to bank holidays, the consumer could approach the Bank only a few days later.
When the matter reached the Commission, the Bank argued that since the consumer shared login credentials and OTP, it bore no responsibility for any service deficiency.
Perusing the records, the Commission observed that the consumer promptly took measures to block his ATM card and SB account, registering complaints with both customer care and the cybercrime police. It referred to RBI circular dated July 6, 2017, noting that in cases of customer negligence (such as sharing payment credentials), the customer bears initial loss until reporting it to the bank.
As such, insofar as the consumer's FD account was concerned, the Commission found negligence on the part of the Bank and held it responsible for the losses incurred on it. However, the bank was not held liable for losses on the SB account. Be that as it may, the bank was directed to pay a compensation of Rs. 10,000/- to the consumer for mental agony and Rs. 10,000/- as litigation costs.
"The responsibility is on the bank to safeguard the fixed deposit and it is surprise as to how the fixed deposit has been tampered. We feel it is the duty of the bank to protect the FD kept by the customer...Further, the bank should not have debited the FD account without the permission of the complainant", observed the Commission.
In November, 2024, the NCDRC held DCB Bank liable for withdrawal of USD 53,000 from a consumer's account due to fraudulent transactions resulting from hacking.
The case pertained to a retired Chartered Accountant and his family, who opened a joint account with DCB Bank Ltd. and got an overdraft facility of Rs. 1.8 crores against their Rs. 2 crores fixed deposit. While abroad, they signed blank RTGS forms for monthly transfers to support their son's education in the USA. In January, 2015, they were shocked to find two large withdrawals totaling 53,000 USD from their account. The funds were transferred to a fraudulent beneficiary in the USA via Standard Chartered Bank in New York. Despite their attempts to recall the money, Standard Chartered Bank stated that the funds had already been withdrawn and the case was closed.
The complainant-consumer argued that the account was hacked through a fake email ID which resulted in the withdrawal of $53,000. The bank, contrarily, denied liability on account of an undertaking signed by the complainant that the bank would not be responsible for verifying the authenticity or source of instructions including email instructions.
The NCDRC observed that the bank manager was negligent in processing the transfers of USD 25,000 and USD 28,000 (total USD 53,000) as they exceeded the standing instructions of USD 2,500 per month. Further, the Commission observed that the written undertaking provided by the consumer could not be interpreted as granting the bank permission to accept obviously fake instructions.
Accordingly, it was held that the bank's handling of the transaction based on fake instructions was careless and the undertaking did not waive the consumer's right to sue the bank.
In December, 2024, the NCDRC held Union Bank of India liable for deficiency in service owing to occurrence of unauthorized transactions.
The consumer in this case was a partnership firm. Messages on its registered mobile number informed about two unauthorized transfers of Rs. 4,50,000 each to two individuals' accounts. The bank assured the firm a refund, but no action was taken. When the State Commission directed the bank to pay Rs. 9,00,000 with 7% interest, Rs. 15,000 as compensation and Rs. 10,000 as litigation costs, the bank approached the NCDRC.
The bank's case was that the firm had requested for a SIM replacement for its prior to the fraudulent transactions and OTPs were sent to the registered mobile number only. The consumer on the other hand claimed that the registered mobile number for online banking was different from the one used for the disputed transactions.
The Commission noted that the consumer reported the transactions within the stipulated period, meeting the guidelines. As the unauthorized transactions were undisputed, it found the bank deficient in service for having failed to protect the account effectively.
Concluding Remarks
What emerges from the above is that besides banks, bank account holders must also remain vigilant about transactions incurred from their accounts and SMS alerts received in response thereto. Prompt reporting of an unauthorized/fraudulent transaction to the bank can save customers from liability, but a delay beyond 3 working days (from the receipt of communication from the bank) can cause them to incur shared liability.
In the backdrop of rising online scams and banking frauds, Courts/Consumer Commissions have time and again held in favor of customers. But as the recent Supreme Court order cautions, even customers can be held responsible in certain fact situations, and therefore, they must safeguard their sensitive information (like login credentials, OTPs) to prevent undue loss.
[The author is a Supreme Court Correspondent with LiveLaw. She can be reached at debby@livelaw.in]