Recently, the Delhi High Court emphasised that victims of cyber fraud cannot automatically shift the blame to banks where their own actions contribute to the breach. Holding that clicking suspicious links despite repeated security warnings may amount to customer negligence, the Court clarified the circumstances in which banks can be protected from liability under the RBI's framework governing unauthorised digital transactions.
The dispute arose after an academic lost ₹2.6 lakh from his State Bank of India savings account in a vishing scam. He received messages and calls directing him to click on a link purportedly to avoid disruption of banking services. Shortly after accessing the link, money was transferred from his account through two transactions. While SBI declined to reimburse the loss, maintaining that the transactions were carried out using valid credentials and OTP-based authentication, a Single Judge of the High Court accepted the customer's argument that he had never shared any OTPs and directed the bank to refund the entire amount with interest. Challenging that finding, SBI argued before the Division Bench that the issue involved technical questions regarding how the fraud occurred and whether customer conduct contributed to the loss.
The Division Bench of Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia held that customer negligence in cyber fraud cases cannot be confined only to instances where OTPs or passwords are shared. The Court observed that a customer may also be negligent if he accesses suspicious links despite repeated warnings issued by banks and regulators. Rejecting a narrow interpretation of the RBI's 2017 Circular, the Bench stated, “The expression 'such as where he has shared the payment credentials' ... is plainly illustrative and not exhaustive.”
The Court further held that questions relating to compromised credentials, security breaches, malware attacks and compliance with banking safeguards require detailed technical and forensic examination and cannot ordinarily be conclusively determined in writ proceedings.
Finding no material to establish any failure by SBI to comply with RBI-mandated security protocols, the Court set aside the Single Judge's order and allowed the bank's appeal.
Disclaimer: This news/ article includes information received via a syndicated news feed. The original rights remain with the respective publisher.
Picture Source :