SBI’s Failure To Implement Secure System Led To Customer’s Monetary Losses: Delhi HC Orders Compensation Of ₹2.6 Lakhs To Cyber Fraud Victim
The Delhi High Court recently ruled in favor of a bank customer directing the State Bank of India (SBI) to compensate him for a cyberattack that led to a fraudulent withdrawal of ₹2.6 lakhs from his savings account.
He had fallen victim to a phishing attack, which led to unauthorized transactions from his account. Upon discovering the fraud, he immediately contacted SBI’s customer care and its branch manager, seeking help. However, he claimed that the bank failed to provide timely assistance or take necessary action to prevent further damage.
SBI rejected his claim a few months later, citing two main reasons. First, the bank argued that the withdrawals had been made using its internet banking system, which required the use of One-Time Passwords (OTPs) for transaction authorization. Second, SBI stated that he himself had clicked on a link that led to the cyber attack. He, however, denied sharing any OTPs and contested the bank’s stance.
A Bench of Justice Dharmesh Sharma found SBI’s response to his complaint severely lacking. The Court observed that there was “glaring service deficiency” on SBI’s part, emphasizing that despite his promptly notifying the bank about the breach, it did not act swiftly or diligently. The bank’s failure to block suspicious transactions and prevent further withdrawals from the account was deemed a critical oversight.
The Court concluded that the loss suffered by him could be attributed to SBI’s negligence in implementing effective security measures to prevent such frauds. “It has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, that the petitioner suffered monetary losses,” the Court stated.
Advocate Ravi Chandra appeared for the petitioner, while Advocate Abhinav Sharma appeared for the Respondents.
The Court further pointed out that SBI had violated the guidelines set by the Reserve Bank of India (RBI) in its Master Direction on Digital Payment Security Controls, which provides security protocols for preventing digital fraud. The Court added, “The transactions in question would resultantly fall within the sweep of 'zero liability' as referred to in the aforesaid RBI Circulars. Therefore, respondents No. 2 and 3/SBI are liable to compensate the petitioner for the incurred loss, along with interest, and pay token compensation,”
The Court said, “it is well established under the Common Law, that funds in a bank account belong to the bank, but the bank acts as an agent for the principal (the customer). Consequently, the bank cannot refuse to process an online transfer if it appears to be authorized by the customer, however, upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action,"
Before approaching the High Court, he had already filed a complaint with the Banking Ombudsman, after which SBI credited a partial sum of ₹33,000 to his account. However, the bank failed to return the remaining amount, prompting him to seek further relief in court.
The Court also pointed out that SBI’s security protocols, including Two-Factor Authentication (2FA) and OTP verification, had been compromised by a simple malware attack deployed by the fraudsters. He could not be blamed for the cyberattack, as he had never shared any OTPs, and the bank had failed to respond to his immediate report.
The Court noted "Anyone, regardless of age, education, or experience, can fall victim to the sophisticated cyber-attacks prevalent today. At the same time, it is also an admitted fact that the petitioner promptly dialed SBI Customer Care Service and lodged a report, but unfortunately, the transaction had already been processed,"
As a result, the Delhi High Court ordered SBI to compensate the full amount of ₹2.6 lakhs along with 9% interest, starting from April 18, 2021, the date when the fraud was reported. Additionally, the bank was instructed to pay ₹25,000 as costs for his legal expenses.
Cause Title: Hare Ram Singh v. Reserve Bank of India & Ors., [2024:DHC:8816]
Appearance:
Respondents: Advocates Abhinav Sharma, Rajiv Kapur, Akshit Kapur, and Riya