Failure To Refund Money Deducted From Unauthorized Transactions, Hyderabad District Commission Holds Union Bank of India Liable

Brief Facts:

Mrs. Umabala Chunduru (“Complainant”), a senior citizen, held a Savings Bank Account and a Credit Card with the Union Bank of India (“Bank”). In 2022, the Complainant used her Credit Card to make an online purchase of apparel worth Rs. 399/- from Snapdeal, which was later cancelled. Upon contacting a customer care number provided by Snapdeal, the Complainant was deceived into providing her Credit Card details. Subsequently, she received seven unauthorized debit messages totalling Rs. 88,232/- on the same day. Despite reporting the fraudulent transactions immediately to the bank, the bank made a partial refund of Rs. 20,790/- to the Complainant. Therefore, the bank didn't pay Rs. 67,437.52/- to the Complainant. The Complainant made several communications with the bank but didn't receive a satisfactory response from it. Feeling aggrieved, the Complainant approached the District Consumer Disputes Redressal Commission – I, Hyderabad, Telangana (“District Commission”) and filed a consumer complaint against the bank. The Complainant contended that these transactions were unauthorized, and the bank failed to adhere to RBI Guidelines regarding Limited Liability/Zero Liability of a customer in the case of unauthorized transactions.

In response, the bank denied the allegations, asserting that the complaint involved fraud committed by a third party and fell beyond the scope of the consumer protection proceeding. It relied on RBI Guidelines, stating that in cases of customer negligence, where payment credentials are shared, the customer bears the entire loss until reporting the unauthorized transaction to the bank.

Observations by the Commission:

The District Commission noted that the RBI/2017-18/15 notification outlines circumstances leading to zero liability or limited liability for customers, emphasizing contributory fraud, negligence, or deficiency on the part of the bank as key factors. The bank contended that the customer bears the entire loss until the unauthorized transaction is reported to the bank. However, the District Commission noted that the Complainant promptly reported the transactions to the bank, well within the stipulated reporting period, as per the RBI Guidelines.

Further, the District Commission observed that the Complainant, admittedly, shared her Credit Card Number with a third party over the phone. However, it emphasized that the reported seven transactions required authentication using the OTP along with the CVV and credit card number with expiry date, which were solely in possession of the Complainant. It noted that the OTP for completion of the transactions was never received on the phone number of the Complainant. Further, the bank failed to provide evidence that the OTP for the transaction was sent to the registered phone number of the Complainant.

Referring to the RBI Notification on Digital Payment Security Controls, the District Commission highlighted the requirement for robust security measures on bank accounts, including multi-factor authentication. It held that the reported transactions could not have occurred without authentication and dismissed the bank's claim of contributory negligence on the part of the Complainant.

Additionally, the District Commission referred to Clause 9 of the RBI Notification, emphasizing the zero liability/limited liability of the customer. It noted that the bank partially refunded an amount of Rs. 20,796/- but failed to resolve and refund the balance amount of Rs. 67,435.40/- even after six months. The District Commission held the bank liable for deficiency in service.

Subsequently, the District Commission directed the bank to refund the balance amount of Rs. 67,437.52/- along with interest and pay a compensation of Rs. 20,000/- to the Complainant. Additionally, the District Commission directed the bank to pay Rs. 20,000/- for the litigation costs incurred by the Complainant.