Delhi High Court’s Ruling on Bank’s Liability in Unauthorised Transactions

Yashvi Manchanda, Law


In recent years, the sharp rise in cyber fraud has become a significant concern for both financial institutions and their customers. Banks have deployed technical safeguards such as two-factor authentication (2FA), encrypted communications and transaction alerts to protect their clients. 2FA adds a layer of protection by requiring a second form of verification, typically a one-time password (OTP) sent to the customer's registered mobile number, before a transaction is approved. Despite these measures, criminals continue to bypass them, leaving customers exposed.

While security measures provide customers and financial institutions a sense of security over their money and data, fraudsters are always a step ahead. A recent ruling by the Delhi High Court, in Hare Ram Singh v. Reserve Bank of India (2024:DHC:8816), highlighted the limitations of 2FA and the pressing need to enhance their security measures.

Facts of the Case

The case involved a 55-year-old petitioner who received an SMS containing a malicious link on April 18, 2021. Subsequently, he received a call urging him to click the link to maintain his SMS service. Upon clicking the link, two unauthorised transactions drained ₹2.6 lakhs from his SBI savings account. The petitioner immediately contacted the bank’s customer care and filed complaints with various authorities, including the Banking Ombudsman. Initially, the petitioner only received a partial reimbursement.

SBI rejected the petitioner's claim, stating that the loss resulted from his negligence because the transactions had been authenticated with OTPs delivered to his mobile phone. When he escalated the matter to the Banking Ombudsman (BO), the BO noted that the petitioner had been a victim of vishing, but limited the bank's liability to one-third of the first transaction, which amounted to ₹1 lakh. The second transaction, amounting to ₹1.6 lakhs, was made to Paytm, a non-bank entity, and was therefore held to be outside the purview of the BO.

Dissatisfied with this outcome, the petitioner approached the Delhi High Court under Article 226 of the Constitution of India, seeking a writ of mandamus directing SBI to refund the entire disputed amount with interest and legal costs.

The Court’s Ruling

The court held that the petitioner was not negligent, as he had never shared his OTPs or payment credentials. It found that, despite his immediate reporting, the bank failed to initiate a chargeback, recover the funds, or freeze the recipient accounts at IDFC Bank and Paytm. The bank's counsel argued that Paytm fell outside its regulatory scope; the court, however, referred to RBI's circular on prepaid payment instruments (PPIs), which requires banks to act promptly when fraudulent PPI transactions are reported to them.

The court further held that, under the 2017 RBI guidelines on limiting customer liability in unauthorised electronic banking transactions, the petitioner was entitled to “zero liability” protection. Those guidelines place zero liability on the customer where the deficiency lies neither with the bank nor with the customer but elsewhere in the system, provided the customer notifies the bank within three working days of receiving the transaction communication. The malicious file downloaded onto the petitioner's phone was treated as such a third-party breach, and the petitioner had reported the transactions immediately; the loss therefore did not arise from his negligence.

Factors Influencing the Court’s Decision
  • The petitioner vehemently denied sharing any OTPs with the fraudsters, and SBI produced no documentary evidence to support its claim that he had. The absence of proof undermined the bank's attempt to shift the blame onto the customer.

  • The court acknowledged that clicking a malicious link without divulging sensitive information like OTPs or passwords does not constitute negligence. It recognised that the petitioner was a victim of a sophisticated cyber fraud scheme rather than someone who acted carelessly.

  • The court also highlighted that SBI's much-publicised 2FA was defeated in this case. Since the petitioner never shared the OTPs yet the transactions were OTP-authenticated, the second factor was compromised on the infected handset itself: an SMS OTP delivered to a device that has already run a malicious download is not an independent factor. This, coupled with the bank's failure to stop the fraudulent withdrawals, exposed the inadequacy of its security protocols, and the court held that the bank's failure to implement robust security measures directly contributed to the petitioner's loss.

  • The court criticised the bank's response to the petitioner's complaint as “lukewarm, defective, and not prompt”, signifying a clear deficiency in service. Although the petitioner reported the fraud within minutes, the bank did not initiate timely actions such as a chargeback or a freeze on the transferred funds. This delay aggravated the loss and hindered any recovery.

What does this mean for us?

The Delhi High Court's verdict has far-reaching implications. It sets a precedent for holding banks accountable for security lapses and for slow, ineffective handling of fraud reports that lead to customer losses, and it empowers victims of cyber fraud to seek redress and compensation from banks that fail to provide adequate security and support. Banks must proactively strengthen their security infrastructure, deploy robust fraud detection, and ensure prompt, well-defined response procedures (chargebacks, fund freezes and coordination with recipient institutions, including non-bank PPI issuers) when a customer reports an unauthorised transaction. The decision is a clear reminder that an OTP alone does not discharge a bank's duty of care: as technology evolves, financial institutions must stay vigilant and invest in measures that protect their customers from the ever-present threat of cyber fraud.