The Delhi High Court has ruled that customers who disregard security warnings and click on suspicious links cannot hold banks accountable for financial losses incurred through cyber fraud. This decision came in the case of State Bank of India v. Hare Ram Singh & Anr., where the Court emphasized the role of customer negligence in such situations.
RBI Guidelines on Customer Negligence
According to a 2017 circular by the Reserve Bank of India (RBI), banks are exempt from liability for losses through cyber fraud if the customer is found negligent in handling their payment credentials. The High Court bench, comprising Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia, clarified that such negligence is not limited to sharing OTPs or login details but extends to actions such as clicking on suspicious links, despite repeated warnings.
The Case at Hand
The case involved an academic who lost ₹2,60,000 from his State Bank of India (SBI) account after falling victim to a vishing scam. He received a message and a call urging him to click a link to avoid service disruption. After doing so, unauthorized transactions occurred, leading to financial loss.
SBI denied refunding the full amount, citing that the transactions used valid login credentials and OTPs were sent during the process. An RBI ombudsman partially sided with SBI, ordering a one-third refund to the customer, who then sought full reimbursement through the High Court.
Judicial Proceedings and Rulings
A single-judge bench initially ruled in favor of the customer, arguing that the absence of shared OTPs indicated a bank security flaw. However, SBI appealed to a Division Bench, which overturned this decision. The Division Bench questioned the single judge’s reliance on the customer’s claims and noted that such claims require thorough forensic investigation, which is beyond the purview of the High Court’s writ jurisdiction.
The Court emphasized that customer negligence in digital banking is broader than sharing OTPs. It includes actions like accessing suspicious links against bank and RBI advisories. The Court also highlighted the necessity for evidence of a bank’s non-compliance with RBI security protocols to establish liability, which was not present in this case.
Conclusion
The Division Bench, therefore, set aside the single judge’s decision, exonerating SBI from full liability. The legal representation included Senior Advocate Harin P. Raval for SBI and Advocates Ravi Chandra Prakash and Purushottam S. Tripathi for the customer. The RBI was represented by Advocates Atul Sharma and team.
This ruling underscores the importance of customer vigilance in digital banking and delineates the boundaries of bank liability in cases of cyber fraud.
