The Delhi High Court held that a customer who clicks suspicious links despite repeated warnings cannot hold the bank liable for losses caused by cyber fraud. The Court also rejected the argument that the customer was not negligent merely because no OTP was shared, emphasizing the duty to exercise reasonable caution online.

The Delhi High Court has held that bank customers who ignore repeated warnings and click on suspicious links circulated by cyber fraudsters may also be considered negligent when they suffer financial losses.
The Court clarified that negligence in online banking fraud cases is not limited to situations where a customer explicitly shares One-Time Passwords (OTPs) or login credentials. A customer may equally be held responsible if they compromise the security of their banking account by interacting with suspicious links despite repeated advisories issued by banks and regulators.
The judgment was delivered by a Division Bench comprising Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia in a dispute between the State Bank of India (SBI) and one of its customers, who had lost money in a cyber fraud incident.
Background: RBI Framework on Customer Liability
The case was examined in the context of the Reserve Bank of India’s 2017 circular governing customer liability in unauthorised electronic banking transactions.
The RBI framework provides varying levels of protection depending on who is responsible for the fraud. Where a customer is found to have contributed to the loss through negligence, including by sharing payment credentials, the customer is required to bear the entire loss until the fraudulent transaction is reported to the bank.
The dispute before the Court revolved around the interpretation of this provision and whether customer negligence can be restricted only to instances involving the sharing of OTPs or passwords.
Addressing this issue, the High Court observed:
“The expression ‘such as where he has shared the payment credentials’ occurring in Clause 7(i) of the 2017 RBI Circular is plainly illustrative and not exhaustive; it does not confine customer negligence only to cases of express disclosure of payment credentials (or sharing of OTP/ login details). In the context of digital banking and cyber fraud, negligence may equally arise where a customer, despite repeated advisories and security warnings, accesses suspicious or unknown links, thereby compromising the security of the banking credentials.”
The case arose after an academic lost Rs 2.60 lakh from his SBI savings account in what is commonly known as a “vishing” or voice-phishing scam. According to the facts placed before the Court, the customer first received a message warning that certain banking services could be disrupted unless immediate action was taken. The message contained a link and urged him to click it. Soon thereafter, he allegedly received a phone call reinforcing the same message and asking him to follow the instructions.
Believing the communication to be genuine, the customer clicked on the link. Shortly afterwards, two unauthorised transactions were executed from his account, resulting in the loss of Rs 2.60 lakh. Realising that he had become a victim of fraud, he contacted SBI and requested that his account be blocked.
Following the incident, the customer sought reimbursement from SBI. The bank declined the request, stating that the transactions had been carried out through valid internet banking credentials and that OTP alerts had been generated during the transaction process.
SBI maintained that there was no evidence of any failure in its security infrastructure and that the loss resulted from the customer interacting with fraudulent communications. The dispute subsequently reached the RBI Banking Ombudsman.
The Banking Ombudsman partially agreed with SBI’s position but nevertheless directed the bank to compensate the customer to the extent of one-third of the amount lost. Unsatisfied with the limited relief, the customer approached the Delhi High Court seeking a complete refund.
A Single Judge Bench initially ruled in favour of the customer. The Court accepted the customer’s assertion that although OTP messages may have been generated, he had never shared any OTP with another person.
Based on this argument, the customer contended that the fraud must have occurred without requiring OTP verification, suggesting the existence of a security vulnerability within the bank’s system. Finding merit in these submissions, the Single Judge directed SBI to refund the entire amount along with interest.
Observations of the Division Bench
SBI challenged the order before a Division Bench of the High Court. The bank argued that the findings of the Single Judge were unsupported by technical evidence and ignored the possibility that the customer’s own actions may have compromised the security of the account. After examining the matter, the Division Bench disagreed with the conclusions reached by the Single Judge.
The Division Bench emphasised that issues involving cyber fraud, malware, OTP interception, compromised credentials and system vulnerabilities require specialised technical investigation and cannot be conclusively determined in writ proceedings.
The Court observed:
“The issues considered by the learned Single Judge, particularly whether the user ID and password of the INB profile linked to the Bank Account or the OTPs were compromised following interaction with a suspicious link received from an unknown source; whether negligence was attributable to (the customer); whether security protocols such as 2FA or OTP verification had been breached by malware deployed by cyber fraudsters; and whether the security apparatus of the Appellant-Bank failed to detect unusual login activity from a different Internet Protocol Address allegedly used by the fraudsters, are matters that necessarily require technical and forensic examination and adjudication on evidence and could not have been conclusively determined in exercise of writ jurisdiction.”
The Court held that such factual and technical disputes require evidence and expert examination before any definitive conclusion can be drawn regarding responsibility. A central aspect of the judgment was the Court’s interpretation of customer negligence under the RBI framework.
The Bench clarified that negligence is not confined to sharing OTPs or passwords. A customer who clicks suspicious links despite repeated warnings from the bank and regulatory authorities may also be regarded as negligent.
The Court noted that cyber fraud methods have evolved significantly, and criminals increasingly exploit links, malware and fake websites to gain access to banking credentials without directly obtaining OTPs from customers. Therefore, customers have a duty to exercise reasonable caution while using digital banking services.
The Court further observed that there was no material on record establishing any failure by SBI to comply with RBI-mandated security protocols. Before holding a bank liable in such cases, there must be evidence demonstrating that the bank failed to implement or maintain the security measures prescribed by the regulator.
The Division Bench noted that no such breach had been established in the present case. Consequently, it found fault with the Single Judge’s conclusion that the bank alone was responsible for the loss.
In this regard, the Court observed:
“The observations in the Impugned Judgment to the effect that (the customer) ‘cannot be said to be negligent in any manner’ and that the Subject Transactions occurred solely on account of deficiency attributable to the Appellant-Bank are, in our opinion, ordinarily could not have been returned in the absence of any technical or forensic examination and are, moreover, not in consonance with the framework contemplated under the 2017 RBI Circular.”
After considering the facts and legal framework, the Division Bench allowed SBI’s appeal and set aside the judgment of the Single Judge. The ruling reinforces the principle that customer vigilance forms an essential component of digital banking security and that liability in cyber fraud cases cannot automatically be shifted to banks unless there is evidence of a security lapse on their part.
The judgment also serves as a reminder that customers must remain cautious while responding to unsolicited messages, calls and links, particularly when such communications seek access to banking information or account-related actions. As cyber fraud incidents continue to rise across the country, the decision highlights the shared responsibility of both banks and customers in maintaining the security of digital financial transactions.
Case Title: SBI v Hare Ram Singh & Anr
