Dismissing a writ appeal filed by State Bank of India (SBI), the Gauhati High Court (HC) has upheld an earlier order directing the Bank to refund ₹94,204.80 to a customer whose savings account was fraudulently debited through three unauthorised electronic transactions in October 2021. The division bench held that SBI failed to establish any negligence on the part of the customer and had not taken prompt or effective action, despite being informed of the fraud within one working day. The judgement, delivered on 13 September 2024 in State Bank of India vs Pallabh Bhowmick affirms the single judge’s earlier decision. The Supreme Court subsequently dismissed SBI’s special leave petition on 3 January 2025.
In the order, the bench of justice Lanusungkum Jamir and justice Kardak Ete, says, "All transactions relating to the account of Mr Bhowmick herein maintained with the bank were found to be unauthorised and fraudulent. It is the responsibility of the bank so far as such unauthorised and fraudulent transactions are concerned. The bank should remain vigilant. The bank has the best technology available today to detect and prevent such unauthorised and fraudulent transactions. Further, clauses 8 and 9 respectively of the Reserve Bank of India (RBI)'s circular dated 6 July 2017 make the position further clear. We also take notice of the fact that within 24 hours of the fraudulent transaction, the customer, brought it to the notice of the bank."
"We expect the customers, i.e., the account holders also to remain extremely vigilant and see to it that the one-time passcodes (OTPs) generated are not shared with any third party. In a given situation and in the facts and circumstances of some case, it is the customer also who could be held responsible for being negligent in some way or the other," the bench cautioned.
The case arose after Mr Bhowmick received a call from a fraudster impersonating the customer care of clothing brand Louis Philippe. Believing the call to be genuine, he downloaded a mobile application on his phone to process a refund of ₹4,000 for a returned garment. Immediately thereafter, three fraudulent transfers amounting to ₹94,204.80 were made from his SBI savings account on 18 October 2021. According to case records, the money was routed through a Federal Bank account opened in the name of Papendra Kumar from Uttar Pradesh, who was later identified by the police.
Mr Bhowmick informed SBI’s customer care centre the same day and filed a first information report (FIR) with Jalukbari police station. He also lodged complaints with the Assam police cybercrime cell and the national cybercrime reporting portal (NCRP). Despite this immediate reporting, the HC found that the Bank neither raised a charge-back request with the beneficiary bank nor lodged any complaint with cybercrime authorities. The Court observed that SBI’s only action was limited to blocking Mr Bhowmick’s debit card.
A crucial element in the Court’s reasoning was clause 8 of the Reserve Bank of India's (RBI’s) circular dated 6 July 2017, which provides for 'zero liability' of a customer in cases of third-party breaches when the fraud is reported within three working days. The bench held that Mr Bhowmick had reported the unauthorised transactions on the next working day, clearly satisfying the condition for zero customer liability.
Supporting Mr Bhowmick’s case was an email from Louis Philippe confirming that its customer database had been illegally breached between March and December 2021. The Court treated this as an admission of a third-party data breach, reinforcing that neither the Bank nor the customer was at fault. Mr Bhowmick had merely downloaded an app believing it to be an official communication from the brand and there was no evidence to suggest he had shared his OTP, mobile personal identification number (MPIN) or any sensitive credentials with the fraudster.
SBI argued that the transactions were authorised because they were completed using OTP and MPIN linked to Mr Bhowmick’s account. However, the HC rejected this contention, noting that the bank had produced no material to prove that Mr Bhowmick had disclosed these credentials or acted negligently. The court observed that it was 'not believable' that a customer would intentionally share critical banking information with a stranger in a scenario where he was expecting a refund, not initiating any payment.
The bench further criticised SBI for failing to take immediate steps that could have improved the chances of recovery, including initiating a charge-back with the beneficiary bank. The Federal Bank’s own communication revealed that the fraudster had quickly moved the funds to other accounts, but the HC stressed that SBI was duty-bound under clauses 9 and 10 of the RBI circular to undertake timely action and process a shadow reversal pending investigation.
Citing Supreme Court precedent in DAV Public School vs Indian Bank (2019) and the Gauhati High Court’s earlier ruling in justice (retd) Basudev Agarwal vs SBI, the division bench reaffirmed that a bank cannot attribute liability to a customer without proving negligence. Merely downloading an application at the request of a fraudster, the Court says, does not amount to negligence. The Court concluded that the three transactions were 'evidently unauthorised' and SBI failed to prove customer complicity or due diligence on its own part.
The HC upheld the single judge’s order directing SBI to refund the full amount of ₹94,204.80 within 30 days, granting the bank the liberty to recover the sum from Louis Philippe or the merchant involved.
The ruling reinforces the obligations of banks under RBI’s customer protection framework and reiterates their duty to act swiftly in cases of reported cyber fraud. With SBI’s subsequent SLP dismissed by the Supreme Court, the HC’s determination on the bank’s liability has now attained finality.
