The Delhi High Court has ordered the State Bank of India (SBI) to compensate a customer, Hare Ram Singh, for the loss of ₹2.6 lakhs following a cyber attack on his savings account. The decision came after Singh challenged SBI’s failure to address his complaint adequately and sought full restitution for the financial loss caused by the phishing attack.
The Incident and SBI’s Response
Singh reported the cyber fraud to SBI’s customer care and his branch manager immediately after it occurred but received no assistance. SBI later rejected his claim on two grounds: that the transactions involved OTP verification, which Singh allegedly authorized, and that Singh clicked on a fraudulent link, leading to the attack. Singh denied sharing OTPs, asserting he was a victim of sophisticated cyber fraud.
Justice Dharmesh Sharma of the Delhi High Court found SBI’s response lacking, citing a “glaring deficiency in service.” Despite Singh’s prompt reporting, the bank failed to act swiftly to block the transactions or provide any meaningful resolution. The Court noted that SBI’s inability to prevent the fraud indicated a failure in its digital security systems.
Court’s Observations
The Court underscored that SBI violated the Reserve Bank of India’s (RBI) Master Directions on Digital Payment Security Controls, which mandate banks to implement robust measures against security breaches. It ruled that the transactions in question fell under the RBI’s “zero liability” policy for customers who promptly report unauthorized transactions.
“It is presumed that the petitioner suffered monetary losses due to the failure of the bank’s systems to prevent such fraudulent withdrawals,” the Court stated. It emphasized that banks have an implied duty of care to their customers, including acting promptly and taking reasonable precautions to prevent fraud.
The Court also criticized SBI’s claim that Singh authorized the transactions, noting that the bank’s security protocols, including two-factor authentication (2FA) and OTP verification, were bypassed by malware in the cyber attack. The Court further remarked that blaming Singh for the incident was unwarranted, as he took all necessary steps to report the fraud immediately.
Compensation Ordered
The High Court directed SBI to pay Singh ₹2.6 lakhs along with 9% interest from April 18, 2021, when the fraud was reported. Additionally, SBI was ordered to pay ₹25,000 as compensation for the inconvenience caused. The judgment highlighted the bank’s failure to act responsibly and protect its customer’s funds.
Earlier Attempts for Resolution
Before approaching the High Court, Singh filed a complaint with the Banking Ombudsman and notified the RBI. The Ombudsman directed SBI to credit ₹33,000 to Singh’s account but did not address the full extent of his loss. Dissatisfied, Singh filed a petition in the High Court seeking comprehensive relief.
Implications of the Judgment
The Court emphasized that banks have a fiduciary duty to safeguard customer accounts and act diligently upon detecting fraudulent activity. It also highlighted that cyber fraud can victimize anyone, irrespective of their education or experience, reinforcing the need for robust digital security measures.
The ruling serves as a potent reminder for banks to prioritize customer security and comply with regulatory guidelines. Advocates Ravi Chandra represented Singh, while Advocates Rajiv Kapur, Akshit Kapur, and Riya appeared for SBI. Advocate Abhinav Sharma represented the RBI in the proceedings.
