ICICI Bank Ltd. v. Saurabh Ravi Shankar Jain and Ors.
In the Telecom Disputes Settlement and Appellate Tribunal
Cyber Appeal 5/2013
Before Justice Shiva Kirti Singh, Chairperson and Mr A K Bhargava, Member
Decided on September 24, 2019

Relevancy of the case: Whether the bank and telecom service provider followed reasonable security practices in a financial fraud?

Statutes and Provisions Involved

• The Information Technology Act, 2000 (Section 43, 43A, 57, 58(2))

Relevant Facts of the Case

• The complainant has a savings account with the appellant bank. From his account, there were 15 fraudulent transactions. He lost ₹2.02 lakhs in total. The amount was transferred to three other accounts of ICICI Bank. From these accounts, the fraudsters withdrew the entire amount.
• The police investigation found that accounts were fictitious and non-traceable. A duplicate SIM card was issued by the telecom service provider, which was not backed by reasonable security practises and procedures. Because of this, the Adjudicating Officer made him bear a certain amount of damage himself.
• Later, it had come to attention that a fraudster cannot succeed in transferring money from the account holder of the bank unless it is able to find out a customer’s user ID and password. In the case, the appellant bank failed to show that, at the relevant time, it had adequate and reasonable security measures.
• Furthermore, the impugned order found the appellant to be lax and highly negligent under Sections 43 and 43A of the Information Technology Act, 2000. The AO directed the appellant to pay damages b

Prominent Arguments by the Advocates

• The respondent’s counsel argued that not only were the pleadings deficient and virtually absent, but also the bank did not provide any evidence, documentary or otherwise, to show that they applied any security measures in the case of the complainant.
• The appellant’s counsel highlighted that the fraudulent transaction could not have occurred without the complainant compromising the ID and password. Furthermore, the bank had a good security system which required OTPs for such transactions. Thus, the counsel mentioned that the fraud would not have taken place if the duplicate SIM card’s issuance was not approved.
• Various emails show that the complainant gave out his ID and password in a phishing email. However, this is only a presumption, and there is no proof for the same.

Opinion of the Bench

• It was in agreement that the appellant’s security system was deficient. Further, the bench decided not to interfere with the findings of the A.O. and his awarding of different compensation amounts payable by the appellant and the telecom service provider (Vodafone).
• With respect to the damages on account of contributory negligence, there is a lack of pleadings and case laws. Hence, the bench has left the issue open for consideration in any appropriate case.
• Considering all the discussions and findings, they did not find a good reason to interfere with the impugned order.

Final Decision

• The bench dismissed the appeal.