Bombay High Court Orders HDFC Bank To Remit ₹38.04 Lakhs To Businessman Who Lost Amount In Cyber Fraud

The Bombay High Court recently while ordering the HDFC Bank to remit a total of Rs 38.04 lakhs to a Pune-based businessman, who lost the amount in a cyber fraud, noted that no liability could be fastened on the customer as the amounts were illegally transacted through SIM swapping/cloning mode. A division bench of Justice Bharati Dangre and Justice Manjusha Deshpande refused to accept the contention of the Bank that it had sent SMS Alerts to petitioner customer - Subodh Korde, who was defrauded. The judges noted from the record, that the fraudsters had used the modus operandi of SIM swapping/cloning and even explained how this particular modus, which is on the rise in India, works, with the SIM of the original customers put into "no network" and then impersonating as the customer and fraudulently resorting to illegal transactions. The bench noted that on September 14, 2021 three unknown persons were added as "beneficiaries" into his account through netbanking and that he did not receive any alert of the same. On the following day, within a timespan of 41 minutes, there were at least eight illegal transactions by which Rs 38.04 lakhs were siphoned off from his savings and current account. The judges noted the Korde got to know of the amounts being debited only after the transactions took place and he subsequently emailed to the Relations Manager of the bank and even tried to call on its helpline number, which was not working. They noted that on the subsequent day, Korde lodged a complaint with the local police station about the fraudulent transactions. "In no case, we find that the Petitioner was careless or that he had shared the password with anyone and ultimately the burden is upon the bank to establish that he was careless or negligent, which the bank in our view, has failed to establish," the bench said in the order passed on April 6. The bench said that in consonance of the RBI's circular dated July 6, 2017, since the Petitioner did not contribute to the fraud nor was he negligent and he immediately reported about his accounts being debited, or he receiving only one message and that too, after a lapse of time and with the specific stand of the BSNL, reflecting that there was swapping of his SIM card, and accordingly held the Petitioner is a "victim of cyber fraud.""Surprisingly, the Bank, despite the alert created, has not taken any serious steps and has adopted a stand simplicitor that it had discharged its obligations, once it sent OTPs. The Petitioner never received the OTPs nor did he receive any e-mail communication in respect of the unauthorized transactions," the bench noted. The bench opined that since Korde's SIM card was cloned/swapped and, therefore, somebody else other than him, had received the OTP and probably, shared the OTP so as to authenticate the transaction. "The Petitioner, however, acted promptly, once he realised that some amount is debited to his account and he reported the matter to the higher officer and did whatever was possible to him to do. The Petitioner is, therefore, entitled for the benefit of 'zero liability', as we do not conclusively say that the Bank was deficient, but it appears that the Bank was casual in stating that it had sent the OTP and put the blame on the Petitioner, of being negligent in sharing the password, which the Petitioner never did," the judges held. The judges noted that the bank failed to produce any evidence except some excerpts from the logsheets of private agencies to show that SMS alerts were sent to Korde. The judges highlighted the fact that as per the investigation report of the HDFC Bank, IP location of four transactions adding beneficiary and the transaction modifying the TPT limit is Chennai and the same IP location is to be found in respect of the transaction on July 15, 2021 (the day when the transactions took place). "Therefore, the IP investigation of the Bank has clearly inferred that the disputed transaction IP do not match with the genuine transaction IP of the customer. Therefore, there is no merit in the stand of the Bank that somebody messed up with the device of the Petitoner or he shared the password as it not uncommon for the fraudster to mimic devised ID, but for all the unauthorized transactions, the IP is different than the genuine IP and the IP location is different than the genuine IP and this is also a indicator that the Petitioner has not done the transaction," the judges held. The bench noted that the bank was aware that no alert was created as the account in question was described as "Blacklisted Account" and that the customer this could not be contacted when the amount was transacted. This, the judges said, showed that the bank, itself made a request to ICICI Bank for reversal of the amounts. "It is, therefore, evident that the HDFC Bank attempted to take necessary steps and was conscious that no alert was created and when beneficiary addition attempt got alerted, the report disclose 'tried calling the...

Bombay High Court Orders HDFC Bank To Remit ₹38.04 Lakhs To Businessman Who Lost Amount In Cyber Fraud

Narsi Benwal

Tags