Introduction
The present case, Hare Ram Singh v. Reserve Bank of India[i], adjudicated by the Delhi High Court on 18.11.2024, addresses critical issues of cyber fraud liability, consumer protection, and banking security obligations. The case revolves around the petitioner, an academician, who became a victim of a ‘vishing attack’ (voice phishing), resulting in the unauthorized withdrawal of Rs.2.60 lakhs from his SBI savings account. The Court examined the extent of the bank’s liability under s.35A of the Banking Regulation Act, 1949, and s.2(11) of the Consumer Protection Act, 2019 (‘Act’), particularly in light of the RBI’s Master Directions on Digital Payment Security Controls, 2021[ii] and the Customer Protection Circular, 2017[iii] limiting customer liability in unauthorized banking transactions. The judgment clarifies the standards for proving customer negligence and the scope of the bank’s duties in safeguarding customer funds from cyber threats.
Facts of the case
The petitioner, an academician, fell victim to a ‘vishing attack,’ a type of cyber fraud where the victim is misled into sharing sensitive banking information over a voice call.
On 18.04.2021, the petitioner received an SMS containing a malicious link, shortly followed by a call from an unknown number. The caller deceitfully informed the petitioner that his SMS services would be deactivated unless he clicked on the link.
Deceived by the fraudulent call, the petitioner clicked on the link, which deployed malware on his device, leading to the unauthorized transmission of One Time Passwords (‘OTPs’) to the fraudsters.
Immediately thereafter, two unauthorized transactions occurred, totalling Rs.2.60 lakhs, comprising (i) Rs.1 lakh transferred to an account with IDFC Bank and (ii) Rs.1.60 lakhs transferred to One97 Communications Ltd. (Paytm).
The petitioner immediately contacted SBI Customer Care and requested a hold on the transactions, but the bank failed to act promptly.
The petitioner filed successive complaints:
18.04.2021: Online complaint on the Cyber Crime Portal.
19.04.2021: Complaint with SBI, Greater Noida Branch.
20.04.2021: FIR with the Police.
SBI rejected the petitioner’s claim, asserting that the loss resulted from the petitioner’s negligence, since both transactions had passed two-factor authentication (2FA) using OTPs delivered to the petitioner’s registered mobile number.
The petitioner escalated the matter to the Banking Ombudsman (‘BO’), who ruled that the petitioner was indeed a victim of vishing but limited SBI’s liability to one-third of the disputed amount (Rs.33,334) for the first transaction. The second transaction was excluded from the BO’s purview as it involved a non-bank entity (Paytm).
Dissatisfied, the petitioner approached the Delhi High Court under Art. 226 of the Constitution of India, seeking a writ of mandamus directing SBI to refund the entire disputed amount with interest and legal costs.
Legal Issues
i) Whether the petitioner’s actions constituted negligence, absolving the bank of liability?
ii) Whether SBI’s response to the reported fraud constituted a deficiency in service?
iii) Whether the petitioner was entitled to compensation under the RBI’s consumer protection guidelines for unauthorised transactions?
Decision of the High Court
The Court ruled that the petitioner was not negligent, emphasizing that the petitioner had never shared OTPs or payment credentials. The fraudulent transactions occurred because the petitioner’s mobile device was hacked via malware embedded in the malicious link, leading to the automatic transmission of OTPs to the fraudsters.
It was further held that the breach of 2FA, a critical security protocol, indicated a failure of SBI’s security systems, constituting a ‘deficiency in service’ under s.2(11) of the Act.
The Court found SBI’s response patently deficient, noting that despite the petitioner’s immediate reporting, SBI failed to initiate a chargeback, recover the funds, or freeze the recipient accounts at IDFC Bank and Paytm. SBI’s argument that Paytm was outside its regulatory scope was rejected, citing the RBI Circular on prepaid payment instruments (‘PPIs’)[iv], which mandated banks to act promptly in cases of fraudulent PPI transactions.
The Court also criticized SBI for failing to follow its obligations under the RBI’s Master Direction on Digital Payment Security Controls (18.02.2021), which requires banks to:
Implement systems to detect unusual login activities.
Facilitate immediate customer reporting of fraudulent transactions.
Establish an inter-bank fraud reporting mechanism for seamless coordination with other regulated entities (‘REs’).
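The first of these obligations is a control a practitioner can picture concretely. The following is an added illustration, not code from the judgment, from SBI or from any real bank system, of the kind of ‘unusual activity’ rule set a regulated entity would run over its own login and debit events: a debit is held for review when several independent risk signals coincide. The event schema, the thresholds, the rule names and the sample event stream are all assumptions constructed for the example; the constructed stream deliberately mirrors the pattern in the facts (a login from an unfamiliar device followed within minutes by two high-value transfers to never-before-used beneficiaries).

```python
"""Illustrative risk-scoring rules for digital-payment monitoring.

Added example only. It is not the judgment's, SBI's or any bank's real
logic. Field names, thresholds, rule names and the sample events are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str                      # "login" or "debit"
    account: str
    device: str                    # device fingerprint presented (assumed field)
    beneficiary: Optional[str] = None
    amount: int = 0                # rupees


@dataclass(frozen=True)
class Decision:
    event: Event
    action: str                    # "allow" or "hold"
    reasons: tuple


def assess(events, known_devices, known_beneficiaries,
           window=timedelta(minutes=10), high_value=50_000, hold_at=2):
    """Walk events in time order and score every debit.

    known_devices / known_beneficiaries: account -> set, seeded from history.
    A debit is held when at least `hold_at` independent signals fire.
    Only allowed debits add their payee to the account's known set.
    """
    devices = {a: set(s) for a, s in known_devices.items()}
    payees = {a: set(s) for a, s in known_beneficiaries.items()}
    last_new_device_login = {}     # account -> ts of last login from an unseen device
    recent_debits = {}             # account -> timestamps of prior debits
    decisions = []

    for ev in sorted(events, key=lambda e: e.ts):
        seen_dev = devices.setdefault(ev.account, set())
        if ev.kind == "login":
            if ev.device not in seen_dev:      # "unusual login activity" signal
                last_new_device_login[ev.account] = ev.ts
                seen_dev.add(ev.device)
            continue
        if ev.kind != "debit":
            continue

        reasons = []
        seen_payees = payees.setdefault(ev.account, set())
        if ev.beneficiary not in seen_payees:
            reasons.append("first_time_beneficiary")
        if ev.amount >= high_value:
            reasons.append("high_value")
        t_new = last_new_device_login.get(ev.account)
        if t_new is not None and ev.ts - t_new <= window:
            reasons.append("debit_soon_after_new_device_login")
        history = recent_debits.setdefault(ev.account, [])
        if any(ev.ts - t <= window for t in history):
            reasons.append("velocity")

        action = "hold" if len(reasons) >= hold_at else "allow"
        decisions.append(Decision(ev, action, tuple(reasons)))
        history.append(ev.ts)
        if action == "allow":
            seen_payees.add(ev.beneficiary)
    return decisions


# Constructed sample stream (not the case record): a routine payment from a
# known device, then a login from an unknown device followed by two transfers.
T0 = datetime(2021, 4, 18, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "login", "acct-1", "dev-home"),
    Event(T0 + timedelta(minutes=5), "debit", "acct-1", "dev-home", "landlord", 15_000),
    Event(T0 + timedelta(hours=1), "login", "acct-1", "dev-unknown"),
    Event(T0 + timedelta(hours=1, minutes=2), "debit", "acct-1", "dev-unknown", "payee-x", 100_000),
    Event(T0 + timedelta(hours=1, minutes=4), "debit", "acct-1", "dev-unknown", "wallet-y", 160_000),
]
KNOWN_DEVICES = {"acct-1": {"dev-home"}}
KNOWN_BENEFICIARIES = {"acct-1": {"landlord"}}


def run_sample():
    return assess(SAMPLE_EVENTS, KNOWN_DEVICES, KNOWN_BENEFICIARIES)


if __name__ == "__main__":
    for d in run_sample():
        print(d.event.ts.time(), d.event.beneficiary, d.event.amount, d.action, d.reasons)
```

On the constructed stream the routine payment is allowed with no signals, while both later transfers are held: each is to a first-time beneficiary, above the value threshold and within minutes of a login from an unseen device, and the second also trips the velocity rule. The design point is that none of these signals depends on the OTP: an OTP delivered by SMS to a handset running the attacker’s malware is captured along with everything else, so a monitoring layer that treats the OTP as proof of the customer’s intent adds nothing, and the detection has to come from the behaviour around the transaction.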
The Court thereafter ruled that the petitioner was entitled to ‘zero liability’ protection, citing cl. 6 of the 2017 Customer Protection Circular, as the transaction resulted from a ‘third-party breach’ (malware attack) and not from the petitioner’s negligence. The petitioner reported the fraud immediately (well within the mandated three working days). Under the RBI framework, the burden of proving customer negligence lies on the bank, which SBI failed to discharge.
Consequently, the High Court set aside the BO’s order, observing that:
The BO failed to address SBI’s violations of the RBI Master Directions.
The BO misinterpreted the RBI Customer Protection Circular, limiting liability contrary to the ‘zero liability’ principle.
The exclusion of the second transaction (Rs.1.60 lakhs to Paytm) from the order on technical grounds was legally unsustainable, as the 2021 Master Directions cover transactions via PPIs (e.g., Paytm).
Our Analysis
The judgment delivered in this case is a landmark ruling that significantly clarifies the scope of customer liability in cyber fraud cases, particularly under the RBI’s ‘zero liability’ framework. It provides essential guidance on the standard of care expected from both banks and customers in an era increasingly plagued by sophisticated digital payment frauds. The Court’s findings underscore that ‘negligence’ under the Act requires a standard of gross recklessness, which was absent in the petitioner’s conduct. The Court rightly held that falling victim to malware-based cyber fraud does not constitute contributory negligence: the petitioner never knowingly disclosed an OTP or credential, and malware planted through a single tap on a link can read and forward OTPs without any further involvement by the customer. The burden of proving negligence lay on SBI, which failed to establish any lapse on the petitioner’s part. By making this distinction, the judgment protects victims of cyberattacks from being unfairly burdened with liability for sophisticated frauds beyond their reasonable control.
The ruling also reaffirms the fiduciary duty banks owe to their customers, especially in the realm of digital transactions. The Court was correct in its view that the bank’s obligations extend beyond mere transaction processing to include implementing robust security mechanisms to detect and prevent fraudulent activities. In this case, the breach of 2FA was a critical security lapse, highlighting the inadequacies in SBI’s digital security infrastructure. From a security-engineering standpoint, an OTP delivered by SMS to the same handset that is running the attacker’s malware is no longer an independent second factor; this is precisely why the Master Direction’s requirements for transaction monitoring and the detection of unusual activity exist as a backstop, and why their absence matters. Further, the bank’s failure to act promptly, despite immediate reporting by the petitioner, amounted to a clear dereliction of duty. The judgment highlights that prompt actions, such as inter-bank chargebacks and freezing beneficiary accounts, are integral to mitigating losses in cyber fraud cases, since the window in which transferred funds can still be recovered closes within hours. The failure to initiate these measures not only violated the RBI Master Directions on Digital Payment Security Controls (2021) but also amounted to a deficiency in service under the Act.
Moreover, the judgment strengthens the authority of the RBI’s regulatory frameworks, particularly the Customer Protection Circular (2017) and the Master Directions on Digital Payment Security (2021). The Court made it unequivocally clear that RBI’s guidelines are binding on regulated entities, and their violation constitutes an actionable deficiency in service. The ruling further extends the reach of RBI’s PPI guidelines to non-bank entities, such as Paytm, emphasizing that banks cannot escape liability by arguing jurisdictional limitations when transactions involve third-party payment providers. This interpretation upholds the integrity of the digital payments ecosystem and ensures that customers are protected regardless of the payment channel involved.
The judgment also exposes the limitations of the BO framework, highlighting its failure to adjudicate the dispute in line with the RBI’s policies. The Court found that the BO had erred in misinterpreting the zero-liability principle under the RBI Customer Protection Circular and in excluding the second fraudulent transaction involving Paytm from its consideration. This ruling thus calls for reviewing and strengthening the BO mechanism to ensure that decisions are aligned with RBI’s regulatory frameworks and consistently uphold consumer rights.
Overall, the Delhi High Court’s decision achieves a balanced approach by protecting consumers from liability for advanced cyber frauds while holding banks accountable for lapses in security and timely response protocols. It sets a robust precedent for future disputes involving digital payment frauds, ensuring that consumers remain protected under the zero-liability framework if they act responsibly and report fraud promptly. Additionally, the ruling reinforces the need for banks to continuously evolve their security measures in line with RBI’s guidelines and mandates swift remedial action upon reporting fraudulent activities. This judgment is likely to shape future jurisprudence on digital payment security and consumer protection in India, strengthening consumer rights and reinforcing the principles of fairness, accountability, and trust in digital financial systems.
End Notes
[i] 2024 SCC OnLine Del 8039 dated 18.11.2024.
[ii] RBI/2020-21/74 DoS.CO.CSITE.SEC.No.1852/31.01.015/2020-21 dated 18.02.2021.
[iii] “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” dated 06.07.2017.
[iv] DPSS.CO.PD.No.1417/02.14.006/2018-19 dated 04.01.2019.
Authored by Vanshika, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinions.