Bombay High Court Orders HDFC Bank To Remit ₹38.04 Lakhs To Businessman Who Lost Amount In Cyber Fraud

The Bombay High Court recently while ordering the HDFC Bank to remit a total of Rs 38.04 lakhs to a Pune-based businessman, who lost the amount in a cyber fraud, noted that no liability could be fastened on the customer as the amounts were illegally transacted through SIM swapping/cloning mode.

A division bench of Justice Bharati Dangre and Justice Manjusha Deshpande refused to accept the contention of the Bank that it had sent SMS Alerts to petitioner customer - Subodh Korde, who was defrauded.

The judges noted from the record, that the fraudsters had used the modus operandi of SIM swapping/cloning and even explained how this particular modus, which is on the rise in India, works, with the SIM of the original customers put into "no network" and then impersonating as the customer and fraudulently resorting to illegal transactions.

The bench noted that on September 14, 2021 three unknown persons were added as "beneficiaries" into his account through netbanking and that he did not receive any alert of the same. On the following day, within a timespan of 41 minutes, there were at least eight illegal transactions by which Rs 38.04 lakhs were siphoned off from his savings and current account.

The judges noted the Korde got to know of the amounts being debited only after the transactions took place and he subsequently emailed to the Relations Manager of the bank and even tried to call on its helpline number, which was not working. They noted that on the subsequent day, Korde lodged a complaint with the local police station about the fraudulent transactions.

"In no case, we find that the Petitioner was careless or that he had shared the password with anyone and ultimately the burden is upon the bank to establish that he was careless or negligent, which the bank in our view, has failed to establish," the bench said in the order passed on April 6. The bench said that in consonance of the RBI's circular dated July 6, 2017, since the Petitioner did not contribute to the fraud nor was he negligent and he immediately reported about his accounts being debited, or he receiving only one message and that too, after a lapse of time and with the specific stand of the BSNL, reflecting that there was swapping of his SIM card, and accordingly held the Petitioner is a "victim of cyber fraud."

"Surprisingly, the Bank, despite the alert created, has not taken any serious steps and has adopted a stand simplicitor that it had discharged its obligations, once it sent OTPs. The Petitioner never received the OTPs nor did he receive any e-mail communication in respect of the unauthorized transactions," the bench noted.

The bench opined that since Korde's SIM card was cloned/swapped and, therefore, somebody else other than him, had received the OTP and probably, shared the OTP so as to authenticate the transaction.

"The Petitioner, however, acted promptly, once he realised that some amount is debited to his account and he reported the matter to the higher officer and did whatever was possible to him to do. The Petitioner is, therefore, entitled for the benefit of 'zero liability', as we do not conclusively say that the Bank was deficient, but it appears that the Bank was casual in stating that it had sent the OTP and put the blame on the Petitioner, of being negligent in sharing the password, which the Petitioner never did," the judges held.

The judges noted that the bank failed to produce any evidence except some excerpts from the logsheets of private agencies to show that SMS alerts were sent to Korde.

The judges highlighted the fact that as per the investigation report of the HDFC Bank, IP location of four transactions adding beneficiary and the transaction modifying the TPT limit is Chennai and the same IP location is to be found in respect of the transaction on July 15, 2021 (the day when the transactions took place). "Therefore, the IP investigation of the Bank has clearly inferred that the disputed transaction IP do not match with the genuine transaction IP of the customer. Therefore, there is no merit in the stand of the Bank that somebody messed up with the device of the Petitoner or he shared the password as it not uncommon for the fraudster to mimic devised ID, but for all the unauthorized transactions, the IP is different than the genuine IP and the IP location is different than the genuine IP and this is also a indicator that the Petitioner has not done the transaction," the judges held.

The bench noted that the bank was aware that no alert was created as the account in question was described as "Blacklisted Account" and that the customer this could not be contacted when the amount was transacted. This, the judges said, showed that the bank, itself made a request to ICICI Bank for reversal of the amounts.

"It is, therefore, evident that the HDFC Bank attempted to take necessary steps and was conscious that no alert was created and when beneficiary addition attempt got alerted, the report disclose 'tried calling the customer, but unable to establish contact.' This is repeated in the transactions adding beneficiary and also when the transaction limit was enhanced. The alert was sounded since even according to the HDFC Bank, it was a super high value case and thus the officers in helm of affairs of the Bank immediately initiated the investigation," the judges noted. In no case, the judges said, they won't put the blame of the unauthorized transactions on the Bank, but when the fault is neither with the Bank nor with the customer/Petitioner, the RBI circular dated July 6, 2017 and in particular, the clause fixing zero liability on the customer gets triggered and the Petitioner is entitled for its benefit."The whole purpose of the circular/guidelines issued by the RBI is to provide a buffer to a customer, who is diligent, and is not responsible for negligence or contribute to the fraud by sharing OTP/password and since, the Bank has failed to establish that the Petitioner did so, in our view, the Petitioner is entitled for the benefit under the circular of RBI dated July 6, 2017 and he deserve the amount of which he is deprived back in his account," the bench opined.

Accordingly, the judges ordered the HDFC Bank to remit the amount within a period of eight weeks and if it failed to do so within the said period, it shall carry interest at the rate of 8 per cent per annum.

Appearance:

Senior Advocate Sharan Jagtiani along with Advocates Priyank Kapadia, Sapna Pande and Akshay Pansare appeared for the Petitioner.

Senior Advocate Prateek Seksaria along with Advocates Ishwar Nankani, Huzefa Khokhawala, Karan Parmar and Kartik Gupta instructed by M/s.Nankani & Associates represented the HDFC Bank.

Advocates Mayur Khandeparkar, Mayur Bhojwani, Ulrik Jehangir and Dhamini Nagpal instructed by M/s. Manilal Kher Ambalal & Co. represented the ICICI Bank.

Advovates Prasad Shenoy, Aditi Phatak and P Zaiwalla instructed by BLAC Co represented RBI. Advocates Ashutosh Mishra, Vinit Jain, Ashok Varma and Gaurav Mhatre represented Union of India. Assisted Government Pleader Manish Pabale represented the State.Advocate Aparna Shrivastava instructed by Reliable Legal Partners represented the BSNL.

Case Title: Subodh C Korde vs Union of India (Writ Petition 11990 of 2023)

Citation: 2026 LiveLaw (Bom) 175

Click Here To Read/Download Judgment