An interesting question. Well, one that I’ve been asked several times about Internet Banking. However, I’ve never had a simple reply. Generally speaking, “who is responsible” for anything is a question that a judicial body answers. Advocates, Academicians, and Experts have opinions. We have seen cases wherein lakhs of rupees have been transferred from one bank account to another with the victim pondering over this one question, “Who is responsible for an Internet Banking fraud?”
This position was recently cleared by the IT Adjudicator of Gujarat, Dhananjay Dwivedi, IAS while adjudicating in an important case of Shri Parimal Manharlal Patel v. The Brach Manager, Dena Bank & Ors.
Consider this situation:
- Somebody gets to know your Internet Banking Username and Password. (This could be because you logged in on an insecure or public WiFi, your device has been compromised via a malware/keylogger etc. or if somebody was a very good social engineer, meaning your password was extremely guessable.)
- They get a duplicate SIM card made. It is very easy and is being done across the entire country on a very large scale.
- They log into your Internet Banking account and initiate a transfer request. Upon this, the OTP that would otherwise be sent to you would be received by the criminal and your SIM would be deactivated.
- Before you realize, your bank account would be emptied.
The Adjudicator, in this case, held that the bank had adopted necessary safety measures and also cooperated with the police during the investigation. But this was the position because the complainant could not bring out the reason as to why and how exactly the perpetrator knew the login credentials of the victim. I believe, that would be true in all the cases. Generally, the victim will never be able to know how he lost his credentials because of the fact that probably he is not technically sound enough to understand it.
Anyhow, in this case, the money was actually still sitting in the bank accounts that it was transferred to. The accounts were seized and the money was returned to the victim. Idea Cellular, the company that gave away a duplicate SIM to the criminal was however held as negligent and liable for breaching a crucial chain in the Internet Banking Security process. It was ordered to pay compensation to the victim along with the adjudication fee as fine. The Adjudicator in a proactive step also wrote in his order that since Internet Banking frauds are on the rise, customers should be aware of how to get their money back. They get involved in criminal actions and do not look at the civil remedy of adjudication that they have. We highly appreciate this fact being acknowledged by the Adjudicator here. We have already discussed this matter earlier here.
In this regard, it becomes imperative to share a provision of the Code of Bank’s Commitment to Customers. Provision 8.17 mentions that the maximum liability of a customer in case of an unauthorized transaction shall be a maximum of INR 10,000. This means that only in case the customer is committing the fraud himself, is he liable to not receive the money. In all other cases, for all purposes, if this code is followed, the banks shall be liable for any unauthorized transaction. This is just an interpretation of how things can be. Any legal arguments are welcome.