Bank Allowing Unauthorized Transaction Exceeding Account Holder's Credit Limit Constitutes Deficiency In Service: Kerala Consumer Commission

The District Consumer Disputes Redressal Commission at Ernakulam recently held that unauthorized transactions exceeding the credit limit of an account holder, particularly when such a person did not opt for over-the-limit transaction, would constitute a deficiency of service. 

The Bench comprising President D.B. Binu, and Members V. Ramachandran, and Sreevidhia T.N. relied upon the decision in State Bank of India v. P.V.George (2019) which laid down the duty of care banks have in protecting the interests of the customer, including safeguarding them from unauthorized transactions.

"As per the Reserve Bank of India's guidelines, customers are not liable if the fault lies elsewhere in the system. In this case, the bank's failure to prevent unauthorized transactions and secure the electronic banking environment constitutes a breach of its duty, and it cannot evade liability by shifting the blame entirely onto the customer,"  the Bench observed. 

The complainant in this case held an SBI credit card with a credit limit of Rs.1,32,000/-. However, there was allegedly an unauthorized withdrawal of Rs 39,507 from his credit card account, when the available credit was Rs 39,000, even though he had not opted for over-the-limit transactions.

The complainant submitted that he had received phone calls from unknown numbers, including one which appeared to be from SBI, as a result of which he provided his card number. He submitted that following this, an amount exceeding his credit limit was withdrawn from his account. 

The complainant argued that the opposite party bank was vested with the responsibility to establish a secure electronic banking system to prevent any unauthorized activities causing financial loss to customers and that their failure to do so constituted a deficiency in service.

He thus sought to recover the amount that had been fraudulently withdrawn from his account, along with interest from the date of the loss until recovery, along with a compensation of Rs. 20,000 for the hardship and financial loss suffered by him. 

The Bank however disputed the claims and submitted that the complainant suffered the loss because he shared his card number and OTP voluntarily. It averred that the complainant had shared these details despite clear warnings being issued by the bank not to share personal information, including OTP, with anyone.

It also cited RBI's circular which states that customers would be liable for losses due to unauthorized transactions resulting from their negligence. The circular holds customers liable for the entire loss until they report the unauthorized transaction to the bank.

The Commission took note of the decision in SBI v. P.V. George (Supra) wherein the Kerala High Court had laid down that Banks could not deny liability even when customers do not respond to SMS alerts on fraudulent withdrawals.

The said decision had also categorically ruled that Banks are vested with the responsibility to exercise reasonable care in safeguarding customer interests, particularly in preventing unauthorized transactions, and also to establish a secure electronic banking environment. 

The Commission noted that banks offering electronic banking services are obligated to establish a secure electronic banking environment to prevent any malicious activities, which is an implied term in contracts between banks and their customers, requiring the banks to safeguard their customers' funds against such unauthorized transactions. 

It further ascertained that the RBI had also issued guidelines to Banks to implement systems and procedures for ensuring the safety and Security of electronic banking transactions, establish mechanisms for fraud detection and prevention, assess risks from unauthorized transactions, and take appropriate measures to mitigate these risks.

"The RBl's circular specifically states that customers bear no liability in cases of third-party breaches where the fault does not lie with the bank or the customer, but elsewhere in the system, The only requirement for customers, as per the circular, is to promptly report any unauthorized transactions to their bank to enable account blocking. The circular serves as a reminder of the banks' responsibilities and does not create new rights or obligations," it added. 

The Commission thus determined that the bank's failure to prevent unauthorized transactions and secure the electronic banking environment constituted a breach of its duty and that it could not evade its liability by shifting the blame entirely onto the customer. 

"In conclusion, the opposite party bank failed to uphold its duty of care, resulting in unauthorized transactions beyond the credit limit. While the complainant did share his card details. this does not excuse the bank's failure to protect its customers. The complainant is eligible for significant compensation from the opposite party in this matter; however, due to their contributory negligence, we are inclined to reduce the amount of compensation awarded. Banks must ensure secure systems to protect customers from unauthorized transactions, while customers must exercise due care in safeguarding their banking credentials. Both parties bear a measure of responsibility in preventing such incidents," the Commission declared. 

It thereby directed the Opposite Party Bank to refund the amount that had been fraudulently withdrawn from the complainant's account, and to pay compensation of Rs. 20,000/- for the mental distress, hardships and financial losses incurred by him, and Rs. 15,000/- towards the cost of proceedings. 

The complainant was represented by Advocate Tom Joseph. 

Advocates Jithesh Menon and Mahesh Kumar P.G. appeared on behalf of the opposite party. 

Case Title: Aliyar T.M. v. M/S SBI Cards & Payment Services Ltd.

Case Number: C.C. No. 380/ 2020

Click Here To Read/Download The Order