Restore siphoned amount to account of cyber fraud victim: Delhi HC to SBI

New Delhi | The Delhi High Court has directed a public sector bank to restore an amount of Rs 2.6 lakh illegally siphoned from the account of a 55-year-old victim of cyber fraud.

Justice Dharmesh Sharma observed that the State Bank of India (SBI) was guilty of "glaring service deficiency" as its response was "lukewarm, defective, and not prompt" when the fraud was reported to it and asked it to also pay an interest of nine per cent per annum on the amount along with Rs 25,000 as costs to the petitioner.

The petitioner became a victim of 'phishing' and 'vishing' in 2021 after he clicked on an unknown link sent to his mobile number, under the threat that his SMS services would be closed.

The petitioner claimed that while he never shared any OTPs received on his mobile number with the offenders, Rs 1,00,000 and Rs 1,60,000 were deducted from his account.

The court observed that customer care services play a crucial role in supporting bank customers with various concerns, including suspicious account activity, but in the present case the response of the bank was "lukewarm" and "not prompt".

It emphasised that a bank acts as an agent for its customer and upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action.

"In the instant case, respondents No. 2 and 3 (SBI) demonstrated a glaring service deficiency. Despite prompt intimation from the petitioner about the account breach, they showed no urgency.

"Respondents No. 2 and 3 failed to exercise due care, neglecting their duty to act swiftly upon notification of the fraudulent withdrawal. Consequently, they took no steps towards chargeback, retrieval, or freezing the suspicious accounts maintained with IDFC Bank and One97 Communication," said Justice Sharma in the judgement passed on November 18.

"A writ of mandamus is issued against the respondents No. 2 and 3/ State Bank of India, to make payment of Rs. 2,60,000/- to the petitioner with interest @ 9% per annum from the date the fraud was reported i.e. 18.04.2021 within four weeks from today along with costs for legal proceedings, which is quantified as Rs.25,000," the court ordered.

In its judgement, the court said that in terms of RBI's 2017 circular on “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”, the burden of proving the customer's liability in case of unauthorised electronic banking lay upon the bank, and in the instant case, the record showed that the petitioner had never shared any payment credentials.

The court held that the petitioner was not negligent but a victim of cyber fraud, and the security protocols had been breached by "malware" deployed by the cyber fraudsters.

"In the present case, the petitioner had taken care not to share the OTPs, in fact, he had no occasion to do so, and if that is the case, it would imply that even the most hyped 2-factor authentication was breached as the same was not secure, which is directly attributable to deficiency in service provided by the respondent no. 2 & 3/ SBI," it stated.

"Be that as it may, what turns the table against respondents No. 2 and 3 is that.. they acknowledged that on internal inquiries conducted by them, they immediately were able to track that Rs. 1,00,000/- had been credited in an account maintained with IDFC Bank whereas Rs. 1,60,000/- had been credited to One97 Communications Limited.

"Respondents No. 2 and 3 fail to provide a satisfactory explanation for their inability to initiate a chargeback, reclaim, or block the amount despite the petitioner's prompt complaint to SBI Customer Care Service on the same day, within a few minutes from the transaction," said the court.

The court therefore set aside an order passed by the Banking Ombudsman closing the petitioner's complaint with payment of one-third of the disputed amount to him and said the bank was liable to compensate the petitioner for his loss.

"Unhesitatingly, there was patent deficiency in services on the part of the bank, in as much as the response of the bank was lukewarm, defective, and not prompt. The respondent No. 2 i.e., SBI failed to take immediate measures to take up the issue with the other regulated entities to whom the online payment had been remitted," the court said.