Customer Did Not Share OTP But SBI's "Most Hyped" 2-Factor Authentication Failed, Resulting In Cyber Fraud: Delhi HC Orders Compensation

In a case of cyber fraud where a man lost money from his State Bank of India (SBI) account after clicking a link in an SMS, the Delhi High Court directed the SBI to compensate the customer for the lost amount, noting a “glaring service deficiency” on the part of the bank.The Court noted that the unauthorized transactions occurred without the customer sharing any OTPs, implying a breach in the bank's security systems. Terming the SBI's security protocols the "most hyped 2-Factor Authentication [2FA]," the Court said that the SBI was responsible for deficiency in service. “In the present case, the petitioner had taken care not to share the OTPs, in fact he had no occasion do so, and if that is the case, it would imply that even the most hyped 2 Factor Authentication [“2FA”] was breached as the same was not secure, which is directly attributable to deficiency in service provided by the respondent no. 2 & 3 SBI” Justice Dharmesh Sharma noted.BackgroundThe petitioner, aged 55 years, received an SMS containing a link on 18.04.2021. He then received a call from an unknown caller asking him click on the said link to keep his SMS services operational. Upon clicking the link, a total sum of Rs. 2,60,000 was withdrawn from his SBI savings bank account in two transactions. The petitioner immediately called the SBI's Customer Care to register a complaint and seek a hold on the two transactions. However, it was unsuccessful as the transactions had already been processed. He then filed a complaint before Branch Manager, SBI, Greater Noida, in addition to filing a cyber complaint and police complaint. As the SBI did not resolve petitioner's grievance, he filed a complaint before the Banking Ombudsman (BO) against SBI on 26.04.2021. During the pendency of the complaint, the Chief Manager of SBI sent a letter to petitioner stating that his complaint is rejected on the grounds that the transaction took place through internet banking where the OTPs were received by him and that he clicked a link sent by an unknown person. Subsequently, the BO ordered that the SBI deposit a sum of one-third of the disputed amount i.e., Rs. 33,334 to the petitioner's account. The SBI deposited the said amount and the complaint was closed. The petitioner approached the Court to seeking SBI to restore the entire amount lost due to the cyber fraud. Liability Of Customers For Unauthorized Transactions The Court noted that the petitioner denied sharing OTPs with the unknown callers. The Court referenced SBI's written submission, which indicated that, according to the documentary evidence provided by the bank, the BO observed the petitioner was logged into internet banking and that OTPs were received on his mobile number for approval. However, the Court noted that the documentary evidence was not submitted on record by SBI, stating that it had been “deliberately kept away”. The SBI relied on a RBI Circular “Customer Protection– Limiting Liability of Customers in Unauthorized Electronic Banking Transactions” dated 06.07.2017. Clause 7 of the Circular states that a customer shall be liable for the loss occurring due to unauthorized transactions in cases where the loss is due to negligence of the customer. Here, the Court was of the view that there was no 'negligence' on part of the petitioner. It observed that the petitioner did not share any payment credentials or OTPs. It noted that the unauthorized transactions took place only upon clicking the link received through SMS. “The record shows that he had never shared the payment credentials, which fact is fortified from the written submissions filed by the respondents that the OTPs were not shared by the petitioner as such. It is merely upon clicking on a link received on his mobile phone after he was duped into believing that his SMS services would be blocked, that the said unauthorized transactions took place.” The Court opined that the petitioner was a “victim of cyber fraud” and not 'negligent' in any manner under the context of civil or criminal law, It stated that negligence implies duty of care that would be expected from a person of ordinary prudence. Negligence of customer should be such which is “gross, utterly reckless and unconscionable”, it added. The Court noted that SBI failed to provide a satisfactory explanation for their inability to initiate a chargeback or block the amount despite the petitioner's complaint to the customer care within a few minutes from the unauthorized transaction. Deficiency In Services By SBI The Court referred to the RBI's Circular “Master Direction on Digital Payment Security Controls” dated 18.02.2021, which lays down guidelines for governance and management of security risks. Regulation 4 provides that 'Regulated Entities' (RE), which include scheduled commercial banks should formulate policies for efficient dispute resolution mechanism and handling of customer grievance. Further, Regulation 50 provides that the REs should endeavour to build instant reporting ...

Customer Did Not Share OTP But SBI's "Most Hyped" 2-Factor Authentication Failed, Resulting In Cyber Fraud: Delhi HC Orders Compensation

Sanjana Dadmi

Tags