The Delhi High Court recently directed the State Bank of India (SBI) to compensate a bank customer who was a victim of a cyber attack that had led to the withdrawal of ₹2.6 lakhs from his savings account [Hare Ram Singh vs. Reserve Bank of India & Ors.].
The customer, Hare Ram Singh, told the Court that he had immediately reached out to the SBI customer care and its branch manager after falling victim to a phishing attack, but did not get any assistance.
A few months after the incident, SBI rejected Singh’s claim on two grounds. Firstly, SBI pointed out that the withdrawal had occurred through the internet banking system, which required one-time passwords (OTPs) from Singh for transactions to go through. Secondly, the SBI noted that Singh himself had clicked a link which led to the cyber attack. Singh, however, denied having shared any OTPs, contrary to SBI's stance.
Justice Dharmesh Sharma of the High Court found that there was “glaring service deficiency” on the part of the SBI in responding to Singh's complaint.
Justice Sharma noted that even though Singh had promptly notified SBI about his account breach, the bank showed no urgency in responding to the complaint and failed to exercise due care. SBI neglected its duty to act swiftly and block the suspicious transactions from going through, the Court observed.
“It has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, that the petitioner suffered monetary losses,” the Court said.
The Court added that SBI failed to comply with the Reserve Bank of India's (RBI) Master Direction on Digital Payment Security Controls, which lays down certain guidelines with regard to security risks.
“The transactions in question would resultantly fall within the sweep of 'zero liability' as referred to in the aforesaid RBI Circulars. Therefore, respondents No. 2 and 3/SBI are liable to compensate the petitioner for the incurred loss, along with interest, and pay token compensation,” the Court held.
The Court proceeded to order SBI to pay Singh the lost ₹2.6 lakhs along with 9 per cent interest from April 18, 2021, when the cyber fraud was reported. SBI was also ordered to pay ₹25,000 as costs.
Singh had earlier filed a complaint with the Banking Ombudsman, apart from notifying the RBI after the SBI failed to assist him with his complaint.
The Banking Ombudsman eventually ordered SBI to credit a part of the amount (about ₹33,000) to Singh's account and closed his complaint. Aggrieved by the failure to pay the remaining amount, Singh moved the High Court for relief.
The High Court, while granting him relief, also emphasised that banks have an implied duty of care towards their customers.
“it is well established under the Common Law, that funds in a bank account belong to the bank, but the bank acts as an agent for the principal (the customer). Consequently, the bank cannot refuse to process an online transfer if it appears to be authorized by the customer, however, upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action,” the Court said.
It also took critical note that SBI’s security protocols such as “2FA” or OTP verification had been breached by a simple “malware” deployed by the cyber fraudsters.
It added that Singh could not be blamed for the cyber attack, more so since he was categorical in stating that he never shared any OTPs.
"Anyone, regardless of age, education, or experience, can fall victim to the sophisticated cyber-attacks prevalent today. At the same time, it is also an admitted fact that the petitioner promptly dialed SBI Customer Care Service and lodged a report, but unfortunately, the transaction had already been processed," the Court added.
Advocate Ravi Chandra appeared for Singh. Advocate Abhinav Sharma represented the RBI. Advocates Rajiv Kapur, Akshit Kapur, and Riya appeared for the SBI.