Fraudulent Withdrawals in SBI ATM after PIN Change Show ‘Systemic Lapses’, NCDRC Orders Full Refund, ₹30,000 Compensation
Moneylife Digital Team 19 November 2025
In a significant ruling underscoring the responsibilities of banks in securing electronic transactions, the national consumer disputes redressal commission (NCDRC) has dismissed a revision petition filed by the State Bank of India (SBI) and upheld findings that the bank failed to prevent fraudulent withdrawals at an automated teller machine (ATM) from a customer’s account despite a prompt change of personal identification number (PIN). The order, pronounced on 17 November 2025, requires SBI to refund ₹35,458 with an interest of 9%pa (per annum), from 19 January 2015 till the date of realisation and pay ₹30,000 as costs to the complainants.
 
In the order, the NCDRC bench of air vice-marshal (AVM) J Rajendra (retd) and justice Anoop Kumar Mendiratta says, "Admittedly, no explanation has been put forth on behalf (of) the Bank to explain as to how the money could have been withdrawn despite changing PIN of ATM card which had been freshly issued to the complainant, after he suspected the call to be fraudulent. The amount according to the complainant was duly reflected as ₹35,527.71 after changing PIN. The withdrawal of the amount through old ATM card despite issuance of new ATM card, evidently reflects an illegal and unauthorised access to the account of the customer. It is also a matter of concern as pointed out in the order of learned state commission that unauthorised access to the customer database cannot be ruled out since there was a specific reference by the fraudulent caller to the new ATM card, which had been issued to the complainant. It is inexplicable as to how the transactions could have been effected through the old lost ATM card in case the new ATM card had been issued and activated by setting or change of PIN."
 
"The negligence has not been proved on the part of the complainant as the amount through unauthorised transactions had been withdrawn after the change of the PIN. In the facts and circumstances, the complainant cannot be saddled with liability on account of fraudulent withdrawal of amount, whereby there is a breach by a third party on account of a gap in maintaining the systems by the bank," NCDRC says.
 
The case arose after joint account holders Kodudhala Joji Reddy (now deceased) and his wife, K Venkta Lakshami Narsamma, lost ₹35,458 in a series of unauthorised ATM withdrawals on 19 January 2015, even though they had changed their ATM PIN minutes before the transactions took place. The state commission and the district forum had earlier found SBI liable for deficiency in service and directed the bank to recredit the amount along with interest, compensation, and costs. SBI challenged those orders before NCDRC.
 
According to the complaint, the consumers had recently been issued a new ATM card after misplacing the old one. Shortly thereafter, Ms Narsamma received a call from a person claiming to be from SBI’s debit card section. The caller correctly recited the confidential PIN assigned to the newly issued card and claimed the card was blocked pending verification. Believing the call to be genuine, she disclosed the card details. However, Mr Reddy immediately suspected something amiss and rushed to the SBI ATM at West Marredpally, where he changed the PIN. At the time, the account balance reflected ₹35,527.71.
 
But within minutes, when he returned to the ATM to withdraw the funds on his son's advice, he discovered the balance had dropped to just ₹69.71. Six withdrawals from ATMs had been made by unknown persons in Noida and Mumbai during that interval. A first information report (FIR) was lodged, but the fraudster was never traced.
 
SBI argued that the customers had been negligent in sharing their PIN and that the bank could not be held liable for their actions. It maintained that the PIN was confidential information expected to be safeguarded by the cardholder.
 
However, both the district forum and the state commission found troubling gaps in SBI’s conduct and systems. The state commission noted that the fraudulent caller had access to the complainants' mobile number and the newly issued PIN—details that should have been known only to the Bank. The PIN had been dispatched through a third-party vendor, Venture InfoTech Global Pvt Ltd, raising a presumption of possible data leakage.
 
Compounding the issue, SBI failed to produce CCTV footage from its ATM, despite specific directions to do so in 2016. It later submitted only a screenshot showing that the old ATM card number had been used for the withdrawals, which raised further concerns, since a new card had already been issued.
 
The commission found this discrepancy 'puzzling', noting it was unclear how transactions could be carried out using the old ATM card if the new one had been activated and a fresh PIN had been set. It held this as indicative of 'deficiency in service' and a lapse in SBI’s responsibility to secure customer transactions.
 
Dismissing the revision petition, NCDRC agreed with the lower forums that no negligence had been established on the part of the complainants. It held that the key issue was unauthorised withdrawal after the PIN was changed. SBI, it says, failed to explain how this was possible.
 
“It is inexplicable as to how the transactions could have been effected through the old lost ATM card in case the new ATM card had been issued and activated… The same clearly reflects some gaps in the system,” the commission observed.
 
The commission noted that SBI had not been able to show how the fraudulent caller knew the new card’s PIN and the complainants’ mobile number. It also highlighted that the withdrawals were made from distant locations—Noida and Mumbai—within minutes of the PIN change, raising serious questions about the security of the Bank’s systems.
 
NCDRC drew parallels with a 2024 Guwahati High Court judgement involving unauthorised online transfers, in which the Court held that banks must prove customer negligence to deny liability. It reiterated that banks cannot rely on 'perceived negligence' and must provide concrete evidence.
 
The commission cited RBI’s notification on electronic banking security, under which banks must install robust fraud detection systems and ensure customer protection in unauthorised transactions. It noted that SBI failed to meet these obligations, especially as no one-time passcode (OTP) was received for the disputed transactions.
 
The police, too, had found that CCTV cameras were not installed at the ATM visited by the complainant—an additional violation of RBI guidelines.
 
Holding that SBI had not established any negligence by the complainants but had exhibited significant lapses in security and response, NCDRC upheld the state commission’s decision directing SBI to recredit the lost amount, pay compensation, and bear costs. The revision petition was dismissed with ₹30,000 costs payable to the complainants.
 
(Revision Petition No 1381 of 2018; Date: 17 November 2025)
 
Comments
Kamal Garg
3 months ago
I wonder how this whole thing happened because, nowadays, banks do not send the PIN through a mailer. You have to go to either the 'new registration' section or the 'forgot password' section to create a new PIN.