BOMBAY HIGH COURT HOLDS CUSTOMER NOT LIABLE IN CYBER FRAUD WHERE BANK IS NEGLIGENT
INTRODUCTION
A two- Judge Bench of the High Court of Bombay comprising of Justice Firdosh P. Pooniwalla and Justice G. S Kulkarni passed an Order dated 13.06.2024 in Jaiprakash Kulkarni and Pharma Search Ayurveda Private Limited (Petitioners) Vs. The Banking Ombudsman, Bank Of Baroda (Worli Branch), Reserve Bank of India and State of Maharashtra, through Cyber Cell in Writ Petition No.1150 Of 2023 and held that the Bank was liable for the shortcomings in the security and customer protection measures, mandating a refund of the debited amount along with interest and compensation to the Petitioners.
FACTS
i) That on 01.10.2022, when the Petitioners, Jaiprakash Kulkarni (Petitioner No. 1), the Director of his closely held family company, Pharma Search Ayurveda Pvt. Ltd. (Petitioner No. 2), discovered that unauthorized beneficiaries were added to their bank account with the Bank of Baroda’s Worli Branch wherein the Petitioners had a Bank account in the name of the Petitioner No. 2 for more than 15-20 years. This was done without any One-Time Password (OTP) being sent to their registered mobile number or Email address. The following day, a series of fraudulent transactions totalling Rs. 76,90,017/- were executed, debiting significant funds from their account.
ii) Upon noticing the fraudulent activity, the Petitioners quickly informed the Cyber Cell at Worli Police Station and the bank manager of the Worli Branch. They were advised to block the SIM card linked to the registered mobile number associated with their bank account. On 03.10.2022, the petitioners formally documented the incident in a letter to the bank and lodged a First Information Report (FIR) with the Cyber Crime Police Station.
iii) Despite promptly reporting the fraud and following up with the bank, the Petitioners did not receive a refund. They also did not receive adequate updates on the status of their Complaint, which led them to approach the Banking Ombudsman. However, their Complaint was dismissed vide Order dated 10.01.2023, on the grounds that the transactions were completed with valid credentials and two-factor authentication (2FA), implying no fault on the Bank’s part.
iv) Aggrieved by the Order dated 10.01.2023, the Petitioners filed Writ Petition No.1150 Of 2023 before the High Court of Bombay challenging the decision of the Banking Ombudsman and sought refund of the debited amount along with the interest and compensation.
HIGH COURT ANALYSIS
1) The High Court vide Order dated 26.04.2023 Ordered the Cyber Cell as follows:
“1. The Petitioners complain that their corporate current bank account with the Bank of Baroda, Worli Branch was unauthorizedly accessed and an amount of Rs.76,90,107/- was illicitly transferred. The Banking Ombudsman held that there was no deficiency in service. Hence, this Petition.
2. Paragraphs 4(b), (c) & (d) prima-facie indicate that far more information is necessary before we can proceed with the matter.
The Petitioners have made a complaint to the Cyber Crime Cell. We will require the logs of the cell phone company that issued the mobile number/SIM used by the Petitioner’s accountant Vishwanathan Shetty during the relevant period to see what messages were received on his mobile number. This is necessary because Mr Shetty says that the transactions were without receipt of any OTP to his mobile number, although that was the only number registered with the bank for net banking purposes. There are some details available at pages 36 to 38. It is unclear how third party transfer or online remittance beneficiaries could have been added without an OTP being received by Mr Shetty.
3.There is additionally other information that we will require which we have indicated to Mr Sakhardande and his attorney, including how Mr Shetty learnt of the insertion of fraudulent entities or persons as beneficiaries and whether the Petitioners are aware of the names of these persons.
4. These details are to be furnished on an Affidavit. We do not require an amendment.
5. The Cyber Crime Cell is requested to make available to the Petitioners and their Advocates access to the Cell Company logs for the purposes of this Affidavit.
6. List the matter on 19th June 2023.”
2) As evidenced by the Order, the Court requested specific information from the Cyber Cell. This information was provided by the Cyber Police Station, Worli, through a letter dated 27.05.2023. The Petitioner filed an Affidavit in June 2023 to put the Cyber Cell’s report on record. Page 4 of that report indicated that on 01.10.2022 when beneficiaries were added to the bank account in question, no messages were received from Respondent No.2 on Mobile No. 9324265837, which was linked to the bank account. Consequently, beneficiaries were added on 01.10.2022, without any message being received on the mobile number registered with Respondent No.2, which belonged to the Petitioners’ accountant.
3) The Court further observed that the Bank failed to send the OTPs to the registered Mobile number, which is a critical step in authorizing transactions.
4) Further, the Bank did not adhere to the Reserve Bank of India’s (RBI) circular dated 06.07.2017 on customer protection against unauthorized electronic banking transactions.
5) The Court also observed that the Banking Ombudsman did not thoroughly investigate the Petitioners’ Claims, which resulted in an unjust dismissal of their Complaint.
6) Further, the RBI filed an Affidavit dated 13.03.2024 where it had annexed in the Circular dated06.07.2017 in respect of Limiting Liability of Customers in Unauthorized Electronic Banking Transactions said as follows:
“(a) Zero Liability of a Customer
6. A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:
(i) Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
(ii) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.
Reversal Timeline for Zero Liability/ Limited Liability of customer
9. On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorised transaction.
Burden of Proof
12. The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.”
CONCLUSION
After perusing all the facts and circumstances of the case, the High Court of Bombay quashed and set aside the Order dated 10.01.2023 passed by the Banking Ombudsman. The Court directed the Bank to refund to the Petitioner an amount of Rs. 76,90,017/- within a period of six weeks from the date of pronouncement of the Order, i.e., from 13.06.2024 with interest at the rate of 6% per annum from 02.10.2022 till the date of payment.
Kartik Khandekar
Senior Associate
The Indian Lawyer & Allied Services
Leave a Reply