Banking has always been built on trust—a fiduciary contract where the bank is responsible for safeguarding customer funds and honouring their instructions. Traditionally, this function was carried out by tellers, who verified signatures and ensured that transactions were legitimate. If a forged cheque was honoured, the bank bore the responsibility and had to restore the lost funds. But in the digital era, where customers now execute transactions themselves using passwords and one-time passcodes (OTPs), does this fundamental principle still hold? If an online banking password is stolen and misused, can the bank deny liability?
The core question remains the same: When fraud occurs, who is responsible?
Traditionally, bank tellers were responsible for verifying a customer's identity and financial details before processing routine transactions like cashing cheques or deposits. A failure to verify a signature resulting in wrongful payment makes the bank liable to restore the amount.
If the fault is that of the paying bank, it is responsible for the breach of contract and has to restore the amount to the account. If the fault was that of the collecting bank, then it is liable for conversion and has the liability under the law of torts to restore the amount. The protection under the Negotiable Instruments Act for payment to the holder in due course will not apply.
The Consumer Protection Act provides an additional fast and effective remedy for the account-holder in such cases by making it a deficiency of service with the liability to restore the amount paid out. Since it is the teller's responsibility whether the cheque is presented at the counter or through a collecting bank, the failure to verify the authenticity of the account-holder's signature is clearly a deficiency in service.
Forgery was defined in Section 463 of the Indian Penal Code (IPC) as "Whoever makes any false document or part of a document with intent to cause damage or injury, to the public or to any person, or to support any claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with intent to commit fraud or that fraud may be committed, commits forgery". Consequently, putting the signature of another person on his cheque leaf is forgery and it is the job of the teller to verify.
What if the cheque is stolen and is honoured by the teller? The Supreme Court in Canara Bank vs Canara Sales Corporation and ors., held that "When a cheque, duly signed by a customer, is presented before a bank with whom he has an account there is a mandate on the bank to pay the amount covered by the cheque. However, if the signature on the cheque is not genuine, there is no mandate on the bank to pay. The bank, when making payment on such a cheque, cannot resist the claim of the customer with the defence of negligence on his part such as leaving the cheque book carelessly so that third parties would easily get hold of it. This is because a document (in cheque form) on which the customer's signature as drawer is forged is a mere nullity."
The apex court also observed that there is no duty for a customer to inform the bank of fraud committed on him of which he was unaware. Nor can inaction for a reasonably long time in not discovering fraud or irregularity be made a defence to defeat a customer in an action for loss.
Let us now turn to the current online banking scene. In Japan, there was a law to regulate door-to-door salesmen activities. When the salesmen appeared through Microsoft Windows, they did not make a new law but adapted the old law of the door to Windows. Similarly, we need to see how the principle laid down by the Supreme Court could be applied to digital banking.
In the digitalised bank, too, the teller sits at his counter and, when a cheque is presented, goes through the same verification process; instead of writing in the ledger, he enters the data in the computer, to which he is given access through a password.
When the customer is given online access, the job of the teller is outsourced to the customer himself. He gets access through a password and executes the order to transfer funds from his own account to another person's account. The presentation of the self cheque is done through the automated teller machine (ATM), where too he verifies his own identity by a PIN and authorises the machine to give him the cash.
Can this mean that when his password is stolen, the bank has no responsibility for the wrong payouts? Will contributory negligence prevent him from asking the bank to restore money lost?
The definition of forgery has been updated by the Information Technology Act, 2000 to include false electronic record and part of electronic record. Hence, changing the password without the knowledge of the customer will be forgery.
The Supreme Court has explained the fiduciary relationship as "The relationship between the customer of a bank and the bank is that of a creditor and debtor. When a cheque presented for encashment contains a forged signature, the bank has no authority to make payment against such a cheque. The bank would be acting against law in debiting the customer with the amounts covered by such cheques. When a customer demands payment for the amount covered by such cheques, the bank would be liable to pay the payment to the customer. The bank can succeed in denying payment only when it establishes that the customer is disentitled to make a claim either on account of adoption, estoppel or ratification. If banks claim that fraud resulted from customer negligence, they must provide concrete evidence. Mere assertions are insufficient to shift liability onto customers."
The Reserve Bank of India (RBI) has mandated in Rule 3a of Annexure II of the master circular on mobile banking that all mobile banking transactions involving debit to the account shall be permitted only by validation through a two-factor authentication (2FA).
Annexure III addresses the issues of deficiency of service: "Banks are required to maintain secrecy and confidentiality of customers' accounts. In the mobile banking scenario, the risk of banks not meeting the above obligation is high. Banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service, etc., on account of hacking/ other technological failures."
"The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. Currently, the rights and liabilities of customers availing mobile banking services are being determined by bilateral agreements between the banks and customers.
Taking into account the risks arising out of unauthorised transfer through hacking, denial of service on account of technological failure, banks providing mobile banking would need to assess the liabilities arising out of such events and take appropriate countermeasures like insuring themselves against such risks, as in the case with internet banking."
In this context, it has to be accepted that even two-factor authentication is liable to be hacked. For instance, a helper of a senior citizen may steal the phone, use the OTP and delete it, such that the customer does not even know that a transaction has taken place.
The Delhi High Court in the case of Hare Ram Singh vs RBI pointed out that the burden of proving the customer's liability in cases of unauthorised electronic banking lies on the bank. The Court also criticised State Bank of India (SBI) for failing to follow its obligations under the RBI's master direction on digital payment security controls issued on 18 February 2021, which requires banks to implement systems to detect unusual login activities, facilitate immediate customer reporting of fraudulent transactions, and establish an inter-bank fraud reporting mechanism for seamless coordination with other regulated entities.
The Court, thereafter, ruled that the petitioner was entitled to 'zero liability' protection, citing cl. 6 of the RBI circular, as the transaction resulted from a 'third-party breach' and was not due to the petitioner's negligence.
In the latest decision in SBI vs PALLABH BHOWMICK & ORS, the Supreme Court observed: It is the responsibility of the bank so far as such unauthorised and fraudulent transactions are concerned. The bank should remain vigilant. The bank has the best of the technology available today to detect and prevent such unauthorised and fraudulent transactions. Further, clauses 8 and 9 respectively of the RBI's Circular dated 6-7-2017 make the position further clear. Not tracing and reversing the outflow was also a deficiency in service of the bank.
SBI itself has reiterated in para 4 of its policy statement that in case any amount has been debited to the account of a customer on account of fraudulent transaction(s) and the bank is at fault, the amount will be restored to the affected customer account without delay/demur, once the fraud is established, with due verification. Once a potential fraudulent transaction is flagged, banks deploy specialised investigation teams. These professionals, often with backgrounds in finance and cybersecurity, examine the electronic trails of transactions and apply account-based rules to trace the origin of the suspected fraud. Not making such an investigation will also amount to deficiency in service.
Thus, it is clear that stealing the password to access the internet banking account is digital forgery akin to a stolen cheque and the customer cannot be denied restoration of the lost funds just because he has been asked to function as a teller for his own account. After all, the fiduciary contract still exists and the bank is a debtor to the customer as recognised by RBI.
(Justice TNC Rangarajan is a former judge of Madras and Andhra Pradesh High Courts. This article can be reproduced freely for stimulating discussion, provided authorship is acknowledged.)