In a significant ruling, Parrag Jaiin Nainutia, the adjudicating officer (AO) and principal secretary of Maharashtra's department of information technology, has directed Yes Bank to reimburse Rs1.21 crore to Wardha Nagari Sahakari Adhikosh (Bank) Maryadit after a cyber fraud led to unauthorised transactions from the cooperative bank's account. Additionally, Yes Bank has been ordered to pay Rs29.83 lakh in compensation for damages, including loss of reputation, public trust and litigation expenses.
In an order earlier this month, Mr Nainutia, an officer from the Indian Administrative Services (IAS) cadre, says, "After meticulously examining the submissions, I find that both the interim and final forensic audit reports submitted by Yes Bank affirm these security lapses. It is evident that Yes Bank failed to implement adequate real-time monitoring and security mechanisms to safeguard Wardha Nagari Sahakari Bank's real-time gross settlement (RTGS) transactions despite acting in the capacity of a sponsor bank. Such lapses amount to a violation of Section 43A of the IT Act, 2000, which mandates the maintenance of reasonable security practices by Yes Bank."
This ruling sets a precedent in India's banking and cybersecurity landscape, reinforcing the responsibility of financial institutions to safeguard customer transactions. It also underscores the critical need for banks to implement stricter security measures, including two-factor authentication and real-time fraud detection mechanisms.
The case, adjudicated under Section 46 of the Information Technology Act, 2000, was filed by Wardha Nagari Sahakari Bank through advocate Dr Mahendra Limaye after discovering unauthorised RTGS transactions totalling Rs1,21,16,004 from its account with Yes Bank's Nagpur branch. The transactions occurred on 24 May 2023 and, despite the cooperative bank's internal security measures, multiple transactions were initiated without the authorisation of Wardha Nagari Sahakari Bank's officials.
The fraudulent transactions, executed during the early morning hours (6am to 8.30am), went undetected due to the lack of two-factor authentication (2FA) and inadequate real-time monitoring on Yes Bank's digital banking platform. Additionally, Wardha Nagari Sahakari Bank's registered mobile number never received SMS alerts for the transactions, further indicating security lapses on Yes Bank's part, Dr Limaye contended.
After an internal audit and forensic investigation, it was found that multiple login attempts were made from unauthorised IP addresses. The forensic report, submitted by E&Y on behalf of Yes Bank, highlighted significant security vulnerabilities. Notably, parallel login sessions were detected from different locations, which should have triggered fraud detection protocols.
Despite being the sponsor bank for Wardha Nagari Sahakari Bank's RTGS transactions, Yes Bank failed to prevent unauthorised access or take proactive steps to recover the misappropriated funds. Yes Bank also delayed providing crucial beneficiary details to the complainant, hampering efforts to trace and reclaim the stolen amount, Dr Limaye stated.
Yes Bank, in its defence, claimed that the cyber breach originated from Wardha Nagari Sahakari Bank's internal IT infrastructure and denied liability for the fraud. Yes Bank asserted that it had adhered to the cybersecurity guidelines of the Reserve Bank of India (RBI) and had taken necessary precautions. However, the AO rejected these arguments, citing Yes Bank's failure to comply with reasonable security practices under Section 43A of the IT Act.
Further, Yes Bank's legal representatives failed to appear for the final hearing, which was a crucial factor in the ruling against them. The absence of documentation proving that SMS alerts were sent to Wardha Nagari Sahakari Bank's registered mobile number further weakened Yes Bank's case.
In his order, Mr Nainutia, the AO, ruled that Yes Bank was liable for the financial loss due to its failure to implement robust cybersecurity measures. The order mandates:
Reimbursement of Rs1,21,16,004 to the complainant, with 18% compound interest from the date of the fraudulent transactions until full payment is made.
Compensation of Rs29,83,996 to Wardha Nagari Sahakari Bank for reputational damage, mental distress, and litigation expenses.
Compliance within one month, with a formal report on the execution of the order to be submitted to the adjudicating authority.
Wardha Nagari Sahakari Bank has expressed relief at the ruling, stating that it will help restore customer confidence and financial stability. The Bank has also confirmed that it will not pursue further legal action following this order.
With cybercrimes on the rise in India's banking sector, this landmark judgement reinforces the need for stringent regulatory compliance and proactive fraud prevention strategies among financial institutions.