Delhi High Court Directs SBI To Compensate Cyber Fraud Victim
Bhavini Srivastava (Bar and Bench) 20 November 2024
The Delhi High Court recently directed the State Bank of India (SBI) to compensate a bank customer who was a victim of a cyber attack that had led to the withdrawal of 2.6 lakhs from his savings account (Hare Ram Singh vs. Reserve Bank of India & Ors.).
 
The customer, Hare Ram Singh, told the Court that he had immediately reached out to the SBI customer care and its branch manager after falling victim to a phishing attack, but did not get any assistance.
 
A few months after the incident, SBI rejected Singh’s claim on two grounds. Firstly, SBI cited the withdrawal having occurred through the internet banking system, which required one-time passwords (OTPs) from Singh for transactions to go through. Secondly, the SBI noted that Singh himself had clicked a link which led to the cyber attack. Singh, however, denied having shared any OTPs, contrary to SBI's stance.
 
Justice Dharmesh Sharma of the High Court found that there was “glaring service deficiency” on the part of SBI in responding to Singh's complaint.

Justice Sharma noted that even though Singh had promptly notified SBI about his account breach, the bank showed no urgency in responding to the complaint and failed to exercise due care. SBI neglected its duty to act swiftly and block the suspicious transactions from going through, the Court observed.
 
“It has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, that the petitioner suffered monetary losses,” the Court said.
 
The Court added that SBI failed to comply with the Reserve Bank of India's (RBI) Master Direction on Digital Payment Security Controls, which lays down certain guidelines with regard to security risks.
 
“The transactions in question would resultantly fall within the sweep of 'zero liability' as referred to in the aforesaid RBI Circulars. Therefore, respondents No. 2 and 3/SBI are liable to compensate the petitioner for the incurred loss, along with interest, and pay token compensation,” the Court held.
 
The Court proceeded to order SBI to pay Singh the lost 2.6 lakhs along with 9 per cent as interest from April 18, 2021, when the cyber fraud was reported. SBI was also ordered to pay 25,000 as costs.
 
Singh had earlier filed a complaint with the Banking Ombudsman, apart from notifying the RBI after the SBI failed to assist him with his complaint. 
 
The Banking Ombudsman eventually ordered SBI to credit a part of the amount (about 33,000) to Singh's account and closed his complaint. Aggrieved by the failure to pay the remaining amount, Singh moved the High Court for relief.
 
The High Court, while granting him relief, also emphasised that banks have an implied duty of care towards their customers.
 
“it is well established under the Common Law, that funds in a bank account belong to the bank, but the bank acts as an agent for the principal (the customer). Consequently, the bank cannot refuse to process an online transfer if it appears to be authorized by the customer, however, upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action,” the Court said.
 
It also took critical note that SBI’s security protocols such as “2FA” or OTP verification had been breached by a simple “malware” deployed by the cyber fraudsters.
 
It added that Singh could not be blamed for the cyber attack, more so since he was categorical in stating that he never shared any OTPs.
 
"Anyone, regardless of age, education, or experience, can fall victim to the sophisticated cyber-attacks prevalent today. At the same time, it is also an admitted fact that the petitioner promptly dialed SBI Customer Care Service and lodged a report, but unfortunately, the transaction had already been processed," the Court added. 
 