In a historic order on accountability, the adjudicating authority (AA), under the Information Technology (IT) Act, held Axis Bank responsible for failing to ensure reasonable security practices and procedures which directly contributed to unauthorised transactions from a customer's account. The AA directed Axis Bank to reimburse the actual loss of Rs1.76 crore with 18% interest and pay Rs53 lakh as compensation and legal costs to the customer.
In an order on Tuesday, Parrag Jaiin Nainutia, principal secretary of the department of information technology for Maharashtra (adjudicating authority under the IT Act), says, "...in my considered view, Axis Bank's failure to ensure reasonable security practices and procedures, as mandated under Section 43A of the IT Act directly contributed to the unauthorised transactions. The hacking of its systems, as admitted in the first information report (FIR), indicates a lapse in implementing adequate measures to protect sensitive customer data. Section 43A imposes liability on entities that handle sensitive personal data and fail to maintain reasonable security safeguards, resulting in wrongful loss or damage. In this case, Axis Bank's negligence in securing its systems led to the compromise of the complainant's confidential information and subsequent fraudulent transactions."
"Additionally, the absence of robust real-time monitoring and fraud detection mechanisms underscores Axis Bank's failure to comply with the prescribed standards for data protection and security under the IT Act and Reserve Bank of India (RBI) guidelines. This lack of vigilance not only facilitated the unauthorised transactions but also caused immense financial and reputational harm to the complainant, highlighting the bank's non-compliance with statutory obligations," the AA says in the order.
Under the Act, the state IT secretary is the adjudicating authority who can adjudicate cyber fraud matters in which the claim for damage does not exceed Rs5 crore. The AA has the powers of a civil court.
Dhule Vikas Sahakari Bank Ltd, represented by advocate Dr Prashant Mali, had filed a case against Axis Bank to recover money lost in unauthorised transactions. Dhule Vikas Sahakari Bank has a current account and uses Axis Bank's platform of cash management services (CMS), and national electronic funds transfer (NEFT) and real-time gross settlement system (RTGS) transactions.
On 8 June 2020, an employee of Dhule Vikas Sahakari Bank logged into the lender's Axis Bank account and discovered 26 unauthorised transactions valued at Rs2.06 crore. This was in addition to a single NEFT transaction on 7 June 2020. These transactions occurred between 7am and 10am, before Dhule Vikas Sahakari Bank's working hours.
Dhule Vikas Sahakari Bank asserted that neither the maker nor the checker (two different persons using separate mobile numbers) received the mandatory one-time passcode (OTP) required to complete these transactions.
"Additionally, no batch numbers were generated for the transactions, which is a critical step in their internal processes. The lack of OTPs and batch numbers suggests a significant lapse in the security measures implemented by Axis Bank," says advocate Dr Mali, representing Dhule Vikas Sahakari Bank.
He further submitted that Rs30.43 lakh was frozen out of the Rs2.06 crore fraudulent transactions, and hence, he sought actual reimbursement of Rs1.76 crore from Axis Bank.
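The red flags recorded above (transfers before working hours, on a Sunday bank holiday, with no OTP confirmed by the maker or checker and no batch number generated, and a burst of transfers in a short window) are exactly the kind of controls a real-time monitoring rule set would check. The following is an added illustration of such screening, not code from the Moneylife report, the adjudicating authority or any bank's system; the business-hours window, the holiday list, the velocity threshold, the field names and the sample transfer records are all constructed assumptions:

```python
"""Rule-based screening of outbound corporate-banking transfers.

Added example, not part of the original article or of any bank's real
system. Control parameters and sample records are constructed to mirror
the red flags described in the order.
"""
from collections import Counter
from datetime import date, datetime, time, timedelta

# Assumed control parameters (hypothetical, not from the order).
BUSINESS_START = time(10, 0)
BUSINESS_END = time(17, 0)
BANK_HOLIDAYS = {date(2020, 6, 7)}      # constructed: the Sunday named in the order
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 5                       # more than this many transfers per window is suspicious


def check_transfer(tx, holidays=BANK_HOLIDAYS):
    """Return the list of control failures for one transfer record."""
    reasons = []
    ts = tx["timestamp"]
    if ts.date() in holidays or ts.weekday() >= 5:
        reasons.append("non_business_day")
    if not (BUSINESS_START <= ts.time() < BUSINESS_END):
        reasons.append("outside_business_hours")
    # Maker and checker must each have confirmed an OTP.
    if not (tx.get("maker_otp_ok") and tx.get("checker_otp_ok")):
        reasons.append("otp_not_confirmed")
    if not tx.get("batch_no"):
        reasons.append("no_batch_number")
    return reasons


def screen(transactions, holidays=BANK_HOLIDAYS):
    """Screen transfers in time order; returns {tx_id: [reasons]} for flagged ones."""
    flagged = {}
    txs = sorted(transactions, key=lambda t: t["timestamp"])
    for i, tx in enumerate(txs):
        reasons = check_transfer(tx, holidays)
        # Velocity rule: count transfers from the same account inside the
        # window that ends at this transfer (inclusive of it).
        window_start = tx["timestamp"] - VELOCITY_WINDOW
        recent = [t for t in txs[: i + 1]
                  if t["account"] == tx["account"] and t["timestamp"] >= window_start]
        if len(recent) > VELOCITY_LIMIT:
            reasons.append("velocity_exceeded")
        if reasons:
            flagged[tx["tx_id"]] = reasons
    return flagged


def summarize(flagged):
    """Count how often each reason fired across all flagged transfers."""
    return Counter(r for reasons in flagged.values() for r in reasons)


def _tx(tx_id, ts, amount, otp=False, batch=None):
    # Constructed record; field names are an assumption, not a real CMS schema.
    return {"tx_id": tx_id, "account": "CA-EXAMPLE", "timestamp": ts,
            "amount": amount, "maker_otp_ok": otp, "checker_otp_ok": otp,
            "batch_no": batch}


# Constructed sample: one transfer on the Sunday holiday, eight at five-minute
# intervals early Monday morning with no OTP or batch, and one legitimate
# transfer during business hours with both controls present.
SAMPLE_TRANSFERS = [_tx("T01", datetime(2020, 6, 7, 8, 0), 250_000)]
SAMPLE_TRANSFERS += [
    _tx(f"T{k + 2:02d}", datetime(2020, 6, 8, 7, 0) + timedelta(minutes=5 * k), 800_000)
    for k in range(8)
]
SAMPLE_TRANSFERS.append(_tx("T10", datetime(2020, 6, 8, 11, 30), 120_000,
                            otp=True, batch="B-2020-0608-01"))

if __name__ == "__main__":
    hits = screen(SAMPLE_TRANSFERS)
    for tx_id, reasons in hits.items():
        print(tx_id, ", ".join(reasons))
    print(dict(summarize(hits)))
```

The point of the example is the layering: a transfer that is merely early in the day is a weak signal, but early, unconfirmed by OTP, without a batch number and part of a burst from one account is the pattern that a hold-and-call-back rule should stop before settlement. Where a channel legitimately has no OTP step, as Axis Bank argued for host-to-host transactions, the other rules still apply and the absence of that control makes the remaining ones more important, not less.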
Officials from Dhule Vikas Sahakari Bank immediately reported the issue to Axis Bank, which, on 10 June 2020, filed a first information report (FIR) at Dhule city police station for investigation. On 18 June 2020, Dhule Vikas Sahakari Bank also filed a formal complaint with the police station, sharing details of the fraudulent transactions.
During the hearing before the AA, advocate Dr Mali highlighted that the know-your-customer (KYC) details of the beneficiary accounts (where the money was fraudulently transferred from Dhule Vikas Sahakari Bank's account), including those held at ICICI Bank and HDFC Bank, should have been verified to prevent unauthorised withdrawals. "Axis Bank's failure to adhere to RBI guidelines on KYC and anti-money laundering practices facilitated the fraudulent transactions."
Advocate Naveen Raheja, representing Axis Bank, contended that AnyDesk software was installed for remote access at Dhule Vikas Sahakari Bank (DVSB). "As per the SAP report from DVSB, the hacking was done in DVSB's servers. There were host-to-host mode (H2H) transactions wherein OTP generation was not required."
With the help of an investigation report by the KPMG cyber forensic team, Axis Bank stated, "While analysing the remote access connection, it was observed that five successful remote desktop logons were made on 6 June 2020 from different IP addresses."
However, the AA observed that KPMG did not perform the audit. In its report, the audit firm submitted that "KPMG has not performed an audit and does not express an opinion or any other form of assurance. Further, comments in our report are not intended, nor should they be interpreted to be legal advice or opinion."
Mr Nainutia, the principal secretary of IT, also noted that "the transaction conducted on 7 June 2020 occurred on a Sunday, which was a bank holiday, directly contradicting the statements made by Axis Bank."
Holding Axis Bank responsible for the unauthorised transactions, the AA directed the lender to reimburse the actual loss of Rs1.76 crore with 18% interest and pay compensation of Rs50 lakh and Rs3 lakh as legal charges to Dhule Vikas Sahakari Bank.
(Complaint Case File No. 3 of 2019; Date of order: 21 January 2025)