Subodh C Korde vs Union Of India Thr Ministry Of Finance ...

Citation : 2026 Latest Caselaw 3437 Bom
Judgement Date : 6 April, 2026

Bombay High Court

Subodh C Korde vs Union Of India Thr Ministry Of Finance ... on 6 April, 2026

Author: Bharati Dangre
Bench: Bharati Dangre
  2026:BHC-AS:16973-DB

                                                                                    1/100                  WP-11990-23.odt

IN THE HIGH COURT OF JUDICATURE AT BOMBAY
CIVIL APPELLATE JURISDICTION
WRIT PETITION NO.11990 OF 2023

Subodh C. Korde
Row House 59,
Woods Condominium,
Kalewadi Phata,
Wakad, Pune 411 057                       ..     Petitioner

Versus

1. Union of India
Through Ministry of Finance, Aaykar
Bhava, Maharshi Karve Road,
Churchgate, Mumbai
And
Ministry of Communications
Department of Telecommunications
12th Floor, Sanchar Bhawan, 20
Ashoka Road, New Delhi 110001             ..

2. Governor
Reserve Bank of India
Central Office Building,
Shaheed Bhagat Singh Marg,
Mumbai - 400 001                          ..

3. Managing Director,
HDFC Bank Limited
Address : HDFC Bank House,
Senapati Bapat Marg,
Lower Parel (W), Mumbai,
Maharashtra - 400013                      ..

4. Managing Director,
ICICI Bank Ltd.
Address : Landmark, Racecourse
Circle, Vadodara 390 007                  ..



                                                     ::: Uploaded on - 09/04/2026                 ::: Downloaded on - 10/04/2026 22:06:02 :::

5. Bharat Sanchar Nigam Limited
2 Mahatma Gandhi Road, Azad
Maidan, Fort, Mumbai,
Maharashtra 400001                      ..

6. State of Maharashtra
Through Wakad Police Station, Pune
Address : Datta Mandir Rd.,
Pratham Bungalow Society,
Wakad, Pimpri-Chinchwad,
Maharashtra 411057                      ..     Respondents
                            ...
Mr.Sharan Jagtiani, Senior Advocate with Mr.Priyank
Kapadia, Ms.Sapna Pande i/by Mr.Akshay Pansare for the
Petitioner.
Mr. Prateek Seksaria, Senior Advocate with Mr. Ishwar
Nankani, Mr. Huzefa Khokhawala, Mr. Karan Parmar, Mr.
Kartik Gupta i/b M/s.Nankani & Associates for Respondent
No.3.
Mr.Mayur Khandeparkar with Mr.Mayur Bhojwani, Mr. Ulrik
Jehangir, Ms.Dhamini Nagpal, i/b M/s. Manilal Kher Ambalal
& Co. for Respondent No.4.
Adv. Prasad Shenoy with Ms. Aditi Phatak and Ms. P. Zaiwalla
i/b BLAC Co for Respondent No.2 and 7.
Mr. Ashutosh Mishra with Mr. Vinit Jain, Mr. Ashok R. Varma
and Mr.Gaurav Mhatre for Respondent No. 1 - UOI.
Mr.M.M. Pable, A.G.P. for the State/Respondent.
Adv. Aparna Shrivastava i/b Reliable Legal Partners for
Respondent No.5.
Mr. Prakash Shitole, Representative of Respondent No.5,
present.

               CORAM: BHARATI DANGRE &
                        MANJUSHA DESHPANDE, JJ.
           RESERVED ON : 9th FEBRUARY, 2026
       PRONOUNCED ON   : 6th APRIL, 2026




JUDGMENT ( Per Bharati Dangre, J.)

1. The Petitioner, a freelancer in Business Consultancy, has

approached this Court stating that he is a victim of Cyber

fraud and a sum of Rs. 38,04,000/- was unauthorizedly

withdrawn from his two bank accounts maintained with HDFC

Bank Ltd., in a time gap of 41 minutes. According to the

Petitioner, he was defrauded by the online unauthorized

withdrawals, the transactions being permitted by the Bank

and his grievance is, the HDFC Bank has refused to reverse the

amount to his account, which according to him is in complete

breach of applicable directions /guidelines issued by the

Reserve Bank of India ("RBI"). According to the Petitioner, his

monies were unauthorizedly transferred to the account/s held

by the fraudsters in ICICI Bank, who despite timely intimation

in that behalf refused to take steps for preventing

withdrawal/further transfer.

2. The Petition has impleaded the Union of India through

the Ministry of Finance, and Ministry of Communications as

Respondent No.1, with the Reserve Bank of India through the

Governor, being impleaded as Respondent No.2, whereas the

HDFC Bank Limited and ICICI Bank Ltd through their

Managing Directors are impleaded as Respondent Nos.3 and 4

respectively, Bharat Sanchar Nigam Limited ("BSNL") is the

Respondent No.5, in the Petition along with the State of

Maharashtra through Wakad Police Station Pune, as

Respondent No.6.

The Writ Petition seeks the following reliefs:-

"a. issue a writ of mandamus or a writ in the nature of mandamus or any other writ, order or direction under Article 226 of the Constitution of India to direct Respondent No. 2 to initiate appropriate action against Respondent Nos. 3 and 4 for violation of I-Banking Guidelines dated 14th June 2001 (Exhibit "O"), the said Notification dated 6th July 2017 (Exhibit "R") and the Master Directions dated 18th February 2021 (Exhibit "S") issued by Respondent No. 2;

(a-i) That this Hon'ble Court be pleased to issue a Writ of Certiorari or any other appropriate Writ, order or direction under Article 226 of the Constitution of India to quash and set aside the decision dated 28 March 2022 (Ex. L Pg. 208 of the Petition) communicated by the Reserve Bank of India (Centralised Receipt and Processing Centre) issued with the approval of Respondent No. 7 whereby the Ombudsman has rejected the complaint bearing no. N202122021018946 filed by the Petitioner.

(a-2) That this Hon'ble Court be pleased to direct Respondent No. 3 and 4 to refund the amount fraudulently transferred from the bank account of the Petitioner and also issue directions to Respondent No. 3 and 4 to extend cooperation to investigating agency by providing necessary KYCs and other related documents;

b. issue a writ of mandamus or a writ in the nature of mandamus or any other writ, order or direction under Article 226 of the Constitution of India to direct Respondent No. 1 to initiate appropriate action against Respondent No.5 for violation of Department of Telecom's Instruction dated 01.08.2016 bearing File no. 800-09/2010-VAS (part) (Exhibit "V");

c. issue a writ of mandamus or a writ in the nature of mandamus or any other writ, order or direction under Article 226 of the Constitution of India to direct Respondent No. 2 to appoint an independent IS Auditor (Government and/or private agency) to conduct an exhaustive IS Audit of Respondent No. 3 in terms of the said Guidelines dated 29th April 2011 issued by Respondent No. 2 (Exhibit "Q");

d. issue a writ of mandamus or a writ in the nature of mandamus or any other writ, order or direction under Article 226 of the Constitution of India to direct Respondent No. 2 to initiate appropriate action against Respondent Nos. 3 and 4 for non-compliance with their obligations under Master Circular dated 1st July 2008 (Exhibit "U");"

3. We have heard learned Senior Counsel Mr. Sharan

Jagtiani for the Petitioner, learned Senior Counsel Mr. Pratik

Seksaria for Respondent No.3, Mr. Mayur Khandeparkar for

Respondent No.4, and Mr. Prasad Shenoy for Respondent

Nos.2 and 7, Reserve Bank of India.

On the pleadings being completed, by consent of parties,

we have taken up the Petition for hearing at the stage of

admission and hence, we deem it appropriate to issue 'Rule',

which is made returnable forthwith.

4. In order to pronounce upon the reliefs prayed in the

Petition with the reliefs being opposed by the counsel

representing the Respondents, we deem it appropriate to refer

to the facts involved leading to the aforesaid Petition placed

before us.

The Petitioner, maintained a saving and current bank

account with the HDFC Bank since 2011 and 2016 respectively.

As per the pleaded case of the Petitioner, on 14/07/2021, three

unknown persons namely Samir Tamang, Aloke Pal,

Subhomoy Biswas, were added as beneficiaries in the

Petitioner's account for the purpose of enabling net-banking

transaction and the permissible net banking limit qua his

account of Rs. 4,00,000/- (Rupees Four Lakh Only) was

enhanced to Rs. 40,00,000/- (Rupees Forty Lakh Only). It is

the specific case of the Petitioner that no OTPs were received by

him from HDFC Bank for both the activities i.e. addition of

beneficiaries or enhancement of transfer limit. Although the

security system of the HDFC Bank flagged and alerted, the

addition of these beneficiaries and the alert recommended

'Decline add payee' and also alerted "Transaction IP does not

match with genuine transaction IP of customer" the addition of

beneficiaries was manually approved by the Bank.

Upon the aforesaid activity being permitted by the Bank,

on 15/07/2021, the Petitioner lost a sum of Rs. 38,04,000/-

through eight unauthorized bank transfers, which took place

within a span of 41 minutes and the money was transferred to

the accounts of the beneficiaries added on the previous day as

the transaction limit of the account was enhanced.

The Petitioner received intimation of one such transfer

of Rs. 2,14,000/- at 17:55 hours on 15/07/2021 i.e. after two

hours of the last transaction. No sooner, the Petitioner

received an SMS alert from the bank about the transfer of Rs.

2,14,000/- , he logged on the net-banking facility to check

status of his account. At this time, he realised that a sum of Rs.

38,04,000/- has been transferred through eight transactions

between 15:06 hours and 15:47 hours.

According to the Petitioner he has never added the three

individuals as beneficiaries as they are not known to him and

no OTP was received by him on his Mobile Number or Email Id

for confirming the addition of the beneficiaries.

The Petitioner addressed an email to the relationship

manager, Mr. Prashant Patil, informing him about the

unauthorized transactions and he even tried to connect to

HDFC toll-free number, but was unable to do so. He also called

the Official from the Bank asking him to block the account and

issued instructions in writing in that regard at 6:58 hours, and

on the next date, he lodged an FIR with the local police station.

5. On 28/07/2021, the HDFC Bank addressed an email to

the Petitioner denying its liability and alleging breach of

confidential information at the Petitioner's end by stating as

below:-

"Dear Mr. /Ms. Korde, This is with reference to your complaint regarding fraudulent transactions in your Account done through NetBanking Third Party Fund transfer amounting to Rs. 38,04,000.00/-. We wish to inform you that any such debits happening to the customer's account using NetBanking is valid transaction for the Bank since the same has been done using the Customer Id, NetBanking password (IPIN) & other account sensitive information which is known only to the customer.

The IPIN is privy to the customer and as such the NetBanking transfer is not possible without customer compromising his/her IPIN, Customer ID & other account sensitive information knowingly or unknowingly. The Third Party Fund Transfer transactions, done in your account post inputting of Customer ID and IPIN (NetBanking Password) and the same was duly authenticated with One Time Passwords (OTPs) which was sent on your registered Mobile number/ E-Mail Id. Beneficiary addition was done in your account and funds were transferred. In order to add a beneficiary, besides inputting customer sensitive details like Customer ID and IPIN, an OTP is also generated and sent to the registered mobile number /Email ID (Only in case of NR customer) of the customer which needs to be inputted as an additional authentication mechanism.

In the above case, OTP has been generated and sent to your registered mobile number, post inputting of the correct OTP, the beneficiary was successfully added into the account.

As part of security control at the Bank, a beneficiary is activated only post cooling period of 30 minutes of addition and for new beneficiary addition all transactions are mandatorily to be authenticated with OTP.

As part of the extant process, transaction alerts were sent for beneficiary Addition and also for the subsequent transaction done. In effect, there has been breach of confidential information, without which none of the above transaction could have been taken place. We would request you to kindly lodge a FIR/Police Complaint and submit the copy of the same to the Branch."

6. On receipt of the above, on 29/07/2021, Petitioner

addressed an email to the Grievance Redressal Officer, Branch

Manager and Chief Executive Officer, specifically stating that

no alerts were received by him and the accusation against him

was unfounded. On 14/09/2021, the Customer Service

Manager of the HDFC Bank by his email communicated to the

Petitioner that there was no deficiency in service by the HDFC

Bank, which constrained the Petitioner to address a detailed

representation to the Respondent Nos.3 and 4, with reference

to his earlier complaints and he also revealed the information

that was available with the police. His grievance was

specifically worded as below:-

"3. As per information available with Police, the entire amount of Rs. 38,04,000/-, has gone to three new beneficiaries created in my Account. It appears that the beneficiaries were added on 14 th July 2021 and Third Party Transaction Limit was increased from Rs. 4,00,000/- per day to Rs. 40,00,0000/- per day which is not within my knowledge. History of my Account will show that nowhere, right from the opening of the accounts, Credit Limit was enhanced so high and such beneficiaries were added in one go and such large no. of transactions were effected on my account and of such quantum within such a short span of time. I am a senior citizen. The fact that I am a senior citizen is known to the Bank from the record. The moment there is addition of 4 beneficiaries along with increasing Transaction Limit to Rs. 40,00,000/- from 4,00,000/-, HDFC Bank/ Relationship Manager or the Branch or IT based security system should have raised the alarm and the Bank ought to have got in touch with me on phone or by email and should not have allowed transfers.

6. However, after the aforesaid alert, no other alert seems to have been raised. No efforts were made by HDFC Bank to examine the reasons for transactions not been alerted .The Bank has claimed that SMS was sent to my registered mobile. However, as per data received from BSNL, no such SMS is received on my registered mobile. Therefore, certainly, there is a deficiency of service on the part of HDFC Bank and therefore, HDFC Bank is responsible for the consequences However, based on incident report, which itself shows that there was an error in judgment and looking at number of frauds occurring on a regular basis and without examining important aspect such as addition of large number of beneficiaries a/w sudden increase in limit in Rs. 4 lakhs per day to Rs. 40 lakhs per day, Bank should have applied breakers on all the transactions. The system of the Bank is also defective and is unable to pinpoint peculiarities such additions of 4 beneficiaries in a short span of time and transaction limit was increased by 10 times, the IT enabled security system should have quickly examined authenticity of beneficiaries, their credentials, their risk profile and ought to have rejected the transaction."

7. In the report submitted by Wakad Police Station on

23/12/2021, the Police Inspector, addressed a communication

to Branch Manager, HDFC Bank, where he specifically stated

that no error or negligence was found against Mr. Subodh

Korde and the communication read thus:-

"To, The Branch Manager HDFC Bank.

Subject:- Refund the amount to the complainant (Mr. Subodh Korde,) Upon complaint of Mr. Subodh Chandrakant Korde, age 61 years, resident at- Duplex Woods, Condominium Society, Kalewadi Fata, Pune an offence vide Cr. No. 578/2021 Under Section 420,467, 468, 471 of Indian Penal Code, and Section 66(C), 66(D) of Information Technology Act is registered at Wakad Police Station. It is revealed that Complainant did not share any type of information and no error or negligence was found against him in the investigation carried out till date. So please Refund the amount of Rs. 38,04,000.00 to the complainant Mr. Subodh Korde. (1. Subodh Chandrakant Korde-HDFC Bank- A/C- 00521000116116, 2. Ekam Consultant- HDFC Bank- A/C- 0200022189551) as per RBI rules and regulations."

Further the Police Inspector, Wakad Police Station, also

addressed a communication to the Branch Manager, ICICI

Bank, directing it to refund the amount debited from account

of the Petitioner due to fraudulent transactions of the accused

Subhomay Biswas, and Aloke Pal.

8. The complaint filed by the Petitioner was also closed by

the Banking Ombudsman on 28/03/2022, when the Petitioner

was communicated thus:-

"Closure Intimation for Complaint N202122021018946 against HDFC Bank Ltd

2. Complaint regarding disputed transactions in account. Bank response in brief is as under:

'Device ID' of the disputed transaction are matching with the other genuine transactions. As per complainant, he performs all his transactions through Desktop/ Laptop and not through mobile. All the disputed transactions were also performed through same Desktop/ Laptop beneficiary additions has happened only post the OTP authentication one day earlier. The TPT limit increase was authenticated through OTP's which were sent on complainants registered. The TPT limit increase was authenticated through OTP's which were sent on complainants registered mobile number and registered email id only. SMS & email alerts for beneficiary additions were very much sent and delivered to the registered mobile number. Transactions were also authenticated through Net Banking ID, Password and OTPs. The above response is concerned with debits to the account, however, bank informed that they relooking at the case details with regard to funds transfer various beneficiaries with their analytical and business teams and would respond to your before 30 days with the additional clarifications. In view of the above, complaint is closed under 16.2.a of IOS-2021, since the transactions were performed through same device and secure credential and OTP. Complainant is advised that the Office would inform if there is any progress with regard to recovering funds from beneficiaries later.

3. Accordingly, the complaint has been closed under clause 16(2)(a) of the Reserve Bank Integrated Ombudsman Scheme 2021."

9. In the backdrop of the aforesaid sequence of events, Mr.

Jagtiani would place heavy reliance upon the Circular issued

by RBI on the subject, 'Customer Protection - Limiting Liability

of Customers in Unauthorised Electronic Banking

Transactions'.

Mr. Jagtiani has urged that the circular dated

06/07/2017 has limited the liability of the customers, where

unauthorized transaction result in debit of their accounts and

his liability is zero in the following events :-

(i) Contributing fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).

(ii) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction."

According to Mr. Jagtiani, the Petitioner is covered by

the aforesaid clause of the circular. He would also place

reliance upon the subsequent part of the said circular, which

has provided for Reversal Timeline for Zero Liability/Limited

Liability of customer and he would invoke Clause 9 and 10 of

the said circular providing thus:-

"9. On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer's account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorised transaction.

10. Further, banks shall ensure that:

(i) a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the bank's Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions of paragraphs 6 to 9 above;

(ii) where it is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the compensation as prescribed in paragraphs 6 to 9 is paid to the customer; and

(iii) in case of debit card/ bank account, the customer does not suffer loss of interest, and in case of credit card, the customer does not bear any additional burden of interest."

10. Specifically pointing out that the circular has cast a

burden of proving the customer's liability in case of

unauthorized electronic banking transactions on the bank,

Mr.Jagtiani would submit that the RBI has directed the banks

to put in place a suitable mechanism and structure for the

reporting of the customer liability cases to the Board and a

mechanism has been clearly chalked out for reviewing the

unauthorized electronic banking transactions reported by the

customers or otherwise, as also the action taken thereon,

alongwith the functioning of the Grievance Redressal

Mechanism and steps taken to improve the systems and

procedures.

According to Mr. Jagtiani, the said circular is addressed

to all Scheduled Commercial Banks (including RRBs), All

Small Finance Banks and Payments Banks and the same is

binding on HDFC Bank also.

11. Relying upon the said circular, it is submitted that the

Petitioner is entitled to be compensated by the Bank as his

case would fall within the scope of 'Limited Liability of a

Customer', and in particular, Clause 6, as the Petitioner has

promptly reported the fraud to the bank and according to Mr.

Jagtiani, is duped of the money, without any negligence on his

part and if at all it is the claim of the bank that he was

negligent, then the burden lies on the Bank to prove the same.

12. According to Mr. Jagtiani, the issue arising in the

Petition is of grave public importance and the Court shall take

judicial note of the fact that the RBI had encouraged internet

banking and in fact it has set up a 'Working Group on Internet

Banking' to examine different aspects of Internet Banking (I-

Banking), which had focused on three main issues; (i)

technology and security (ii) legal and (iii) regulatory and

supervisory. The report submitted by the group was accepted

by the RBI with a decision being taken to implement it in a

phased manner and guidelines were issued for its

implementation by issuing a communication to All Scheduled

Commercial Banks on 14/06/2001.

According to him, the said guidelines clearly

contemplated that the bank should designate a network and

database administrator with clearly defined roles and it shall

adopt a security policy duly approved by its Board of Directors.

In addition, the circular also indicated that the bank should

introduce logical access controls to data, from systems,

application software, utilities, telecommunication lines,

system software, etc., and also further directed that all

computer access, including messages received, should be

locked and security violations (suspected or attempted) should

be reported and follow up action should be kept in mind while

framing future policy. The said circular, directed all banks

offering Internet Banking to take review of their systems and

report to the Reserve Bank the type of services offered, extent

of their compliance with their recommendations, deviations

and their proposal indicating time frame for compliance.

13. Mr. Jagtiani has also placed on record several newspaper

reporting, which according to him is indicative of large number

of frauds being detected in online banking and that the amount

involved running into several crores. Though, he is conscious

of the fact that the newspaper reporting may not be accepted

by the Court as it is, it is his submission that it is only

indicative of the susceptibility of the online banking system to

frauds and deserves a serious concern.

14. According to the learned senior counsel, it is not for the

first time that such an issue is before the Court, as according to

him, several High Courts have grappled with such type of

transactions and on appreciation of the gamut of the fraud

have directed the banks to reverse the fraudulent

transactions, thereby enforcing the RBI Notification dated

6/07/2017 in exercise of power under Article 226 of the

Constitution.

At the outset, Mr. Jagtiani has placed reliance upon the

decision of Gauhati High Court in case of Pallabh Bhowmick Vs.

Ombudsman, Reserve Bank of India & Ors. 1, where the Single

Judge of the Gauhati High Court, with reference to the circular

of the RBI, arrived at a conclusion that the Bank had failed to

establish any negligence on part of the Petitioner, who

approached the Court, when three online transactions from

the Petitioner's account occurred, when he downloaded the

'mobile app', on being prompted by the fraudsters, though,

under the impression that he would receive a refund of his

money from 'Louis Philippe'. Recording that the three

transactions were evidently unauthorized as the Petitioner

never intended to transfer any amount by downloading the

mobile app and with no denial from the bank that the

transactions were unauthorized, merely because the Petitioner

had downloaded the mobile app, it was held that it cannot by

itself lead to the presumption of negligence on part of the

Petitioner in assisting the unauthorized transactions. The

Court rather observed that had the Bank installed effective

cyber security system and online fraud control measures then

in that event, even if a mobile app is downloaded by a

customer, money could not have been transferred from the

bank account without proper authorization.



1 2023 4 GAU LR 366

With reference to the responsibility of the bank, as

contemplated in RBI circular of 6/07/2017, the guidelines to be

followed by the Banks for safety of their customers using

online banking facility, it is highlighted that the guidelines

include the necessity of putting in place a robust and dynamic

fraud detection and prevention mechanism.

Mr. Jagtiani would submit that the said decision is

upheld by the Division Bench of the Gauhati High Court, and

subsequently by the Apex Court.

Reliance is also placed upon the decision of Madras High

Court in case of Dr. R. Pavithra Vs. Commissioner of Police &

Ors2, once again granting relief in favour of the Petitioner

based on the Notification of the RBI dated 6/07/2017.

Reliance is also placed upon the decision of Allahabad

High Court in case of Awadhesh Singh Vs. RBI & Ors 3 and a

decision of this Court in case of Jaiprakash Kulkarni & Anr Vs.

Banking of Ombudsman & Ors. in WP No. 1150 of 2023, where

the Division Bench by relying upon the Cyber Cell reports

revealing that unauthorized transactions have taken place

without intimation to the Petitioners either on their mobile

number registered with the bank or on their e-mail ID,

2 2023 SCC Online Mad 3165
3 2021 SCC Online All 301

directed the Bank in question to refund the amount illegally

and unauthorizedly debited from the accounts to the

Petitioners.

Apart from this, Mr. Jagtiani has also invited our

attention to the suo motu cognizance taken by the Apex Court

of the menace of Cyber fraud, digital arrest etc. and the

directions issued to ensure that the public and specially

vulnerable section of the public such as senior citizens are

protected from such fraudulent activity. Laying his emphasis

on lack of negligence on part of the Petitioner, Mr. Jagtiani

would submit that the Petitioner is a victim of cyber fraud and

he alleges that the HDFC Bank has failed to take appropriate

action despite an alert and when no OTPs were shared with

him for enhancement of transfer limit, it is his submission that

the negligence at the end of HDFC Bank, who has not even

bothered to maintain proper KYC record in light of the circular

of the RBI, it is his submission that the HDFC Bank is under

obligation to reverse the fraudulent debit and therefore, a

direction is sought against the HDFC Bank as well as to the RBI

to enforce its own circular/guidelines.

15. Since the Petitioner was defrauded of a huge sum, and he

had filed an FIR, according to him police investigation

confirmed that there was no error or negligence on his part. It

is the case of the Petitioner that there was no negligence on his

part as he had not shared any password with any third party

but according to him it is the HDFC bank which ignored its own

security alerts marking the addition of payees as suspicious

and nevertheless manually approved the addition of

beneficiaries because the Petitioner's 'beep tone' sounded

suspicious.

16. Mr.Pratik Seksaria, the learned senior counsel,

representing the HDFC Bank at the outset has raised an

objection about the maintainability of the Petition against the

HDFC Bank, a private entity, which is not discharging any

public function/duty in relation to its banking business with

the customer.

The learned Senior Counsel has invoked the principle

laid down by the Apex Court in case of S. Shobha Vs. Muthoot

Finance Ltd4, where the Apex Court, determined the issue as

to whether the non-banking institution governed by the Rules

and Regulations framed by RBI is amenable to writ jurisdiction

and the said issue came to be answered in the negative, by

holding that the Respondent cannot be termed as a 'Public

4 2025 SCC Online SC 177

Body', as it has no duty towards the public but its duty is

towards its account holders, which may include the borrowers

having availed the loan facility. Laying his emphasis on the

test laid down by the Apex Court as to whether a body public

or private shall be amenable or not amenable to the writ

jurisdiction, he would submit that vital consideration for

determination is held to be the 'function' test as regards the

maintainability of the writ petition as it is held that if a public

duty or public function is involved, any body, public or private,

concerned with that duty or function and limited to that,

would be subject to judicial scrutiny under extraordinary writ

jurisdiction of Article 226 of the Constitution. He has also

invoked the principle laid down by the Apex Court in case of

Federal Bank Ltd. Vs. Sagar Thomas & Ors. 5 , which was

followed by the Division Benches of this Court in case of M/s.

Ruchi Soya Industries Ltd. & Ors. Vs. IDFC Bank Limited &

Ors.6 and in case of VJ Jindal Cocoa Pvt. Ltd. & Anr. Vs. Union

of India & Ors. in WP (L) No. 4051 of 2023.

According to Mr. Seksaria, the position of law as laid

down in S Shobha (supra) by the Apex Court is a declaration of

law, wherein the Supreme Court has categorically considered,

5 (2003) 10 SCC 733
6 2017 SCC Online Bom 4252

the issue of maintainability of writ petitions in its

extraordinary and prerogative jurisdiction against a public or

private body. Drawing parallel from the said decision, it is the

submission of Mr. Seksaria that the HDFC in relation to the

Petitioner (account holder) cannot and does not discharge any

public function or fulfill any public duty, merely because it is

bound to follow the Reserve Bank of India Notification dated

6/07/2017.

17. In addition to the aforesaid submission, according to Mr.

Seksaria, the Petition involves various disputed questions of

facts requiring evidence and based upon the pleadings in the

Petition itself, it is the submission of Mr. Seksaria that when

the Petitioner is disputing that he has received any alert on his

registered email id with respect to (i) the addition/registration

of new third-party beneficiaries; (ii) the Split-OTP sent by

email on the registered Email Id of the Petitioner for increase

of TPT limit; and (iii) the alert with respect to the increase of

TPT limit and which is established by HDFC Bank by

production of the Email logs maintained in ordinary and usual

course of business coupled with a certificate confirming the

same by a reputed third-party vendor, the matter requires

evidence, as it is for the petitioner to produce the best evidence

in his possession.

18. Another objection raised by Mr.Seksaria is, the

Petitioner is claiming his rights on the basis of the terms of

contract or at the most based on the RBI Circular. According

to him, the rights of the Petitioner are strictly governed by the

terms of contract as a customer and the bank and any relief

arising thereunder cannot be subject matter of writ nor can

any order be issued to compel the authorities to remedy an

alleged breach of contract.

Submitting that the Petition raises serious disputed

questions of facts of complex nature which require evaluation

of evidence, it is submitted that it would not be appropriate for

this Court in exercise of its writ jurisdiction under Article 226

of Constitution of India to grant relief as prayed for as the

power exercised by this Court deserves its exercise in

extraordinary circumstances, which in the present case are

non-existent.

It is also urged by Mr.Seksaria that the Petitioner had

filed a complaint against the Respondent with the Banking

Ombudsman under the Integrated Ombudsman Scheme of

2021, which is constituted for redressal of complaints of

customers on banking services provided by banks and to

facilitate the settlement of those complaints. This complaint

has also been closed by holding that there is no deficiency of

service on part of the bank.

Apart from this, it is also urged that the RBI in its

directions dated 06/07/2017 (RBI/2017-2018/15) on Customer

Protection/Limiting Liability of Customers in Unauthorized

Electronic Banking Transaction has clearly specified that the

customer shall be liable for the loss occurred due to

unauthorized transactions if the loss was due to negligence of

the customer by sharing the payment credentials etc. and thus

the Petitioner has an alternate efficacious remedy by

approaching the adjudicating authority under the Information

and Technology Act, and on this count also, the Petition

deserves to be rejected.

19. On the factual aspect of the matter, relying upon the

affidavit-in-reply, it is the submission of Mr.Seksaria that the

Petitioner is having two accounts with the bank i.e. savings

account as well as current account situated at Aundh Branch,

Pune and the Petitioner is using the net banking after

lockdown was declared on account of Covid-19 pandemic. It is

pointed out to us that when on 14/07/2021, two persons were

added as beneficiaries to the savings account of the Petitioner

and one person was added as beneficiary to the current

account of Ekam Consultants, and every time an SMS OTP was

generated and sent to the registered mobile number of the

Petitioner. Post the correct OTP generated and sent, the new

beneficiary was added to the account.

Apart from this, as a part of security control of the bank,

the beneficiary was activated only post cooling period of 30

minutes. It is submitted that it is permissible for a customer to

add/modify/delete to a maximum 7 beneficiaries in a day and

it is only after the correct SMS OTP being entered by the

Petitioner from his registered mobile number, the beneficiary

was added to the accounts of the Petitioner.

Relying upon the affidavit, it is the categorical

submission of Mr.Seksaria that 10 SMSs and 6 emails have

been sent to the registered mobile number and registered

email address of the Petitioner on 14/07/2021 and he has

placed on record the copies of the OTP log, SMS log and email

log evidencing OTP, SMS and emails being sent to the

Petitioner.

Further, it is stated that on 14/07/2021 at about 3.10

p.m., third party transaction limit was increased from Rs.4

lakhs per day to Rs.40 lakhs per day and even for this

increase, dual authentication is required in the form of OTP+Debit

Card details (ATM PIN and Card Expiry) or Split OTP (partial

OTP on registered mobile number and partial OTP on

registered email ID). It is the case of the Respondent that Split

OTP was generated and sent to the registered Mobile number

and the registered email address of the Petitioner and

pursuant to this, the third party transaction limit was

increased. According to the HDFC, as a part of security

control, cooling period of 24 hours post third party transaction

limit registration is in place to avoid any immediate fund

transfers in case customer credentials have been

compromised. This is so provided so as to give enough time to

the customer to react and block his net banking to avoid

unwarranted transactions. In this regard also, it is the stand

of HDFC that two SMSes and 2 emails have been sent on

14/07/2021, when the third party transaction limit has been

reset/increased.

20. As regards the actual transaction, which occurred on

15/07/2021, the affidavit states thus :-

"14. I say that on July 15, 2021, i.e. the day when the amounts were transferred from the aforesaid accounts of the Petitioner to the accounts of the beneficiary, OTP/s was/were generated and sent to the registered mobile number of the Petitioner. I say that only after putting the correct OTP/s, the amounts were transferred to

the accounts of the beneficiaries. I say that in order to transfer funds through Immediate Payment Service ("IMPS") the customer needs to add the beneficiary and follow a six-step procedure, which procedure is described in Exhibit "H" hereto."

21. Mr.Seksaria has relied upon the internal investigation

carried out by the Bank immediately, when the Petitioner was

called for questioning and it was informed that he was facing

issue with BSNL network since many months and his network

was fluctuating and he had visited BSNL office, Pimpri

Chinchwad on afternoon of 13/07/2021 to upgrade his SIM

and he received the new SIM immediately, however, the

network issue still persisted. Hence, he visited the BSNL office

on 15/07/2021 after 4.00 p.m., when a new SIM was again

allotted to him, but he was still facing the network issue.

According to the stand of HDFC, the Petitioner had informed

the investigating team that (1) During the period from

13/07/2021 to 15/07/2021, he has received all messages/calls

except transaction alerts from the Respondent and (2) He has

not received any alerts on his registered mobile number as

well as email ID.

22. The stand of the Respondent in its reply affidavit and

through the arguments advanced by Mr.Seksaria, is very

specific and it is so worded in the affidavit as below :

"22. I say that from the above it is clear that the login ID, password, telecom number are only known to the Petitioner and without

latches on his part, no other person can operate his accounts. All transactions were initiated and completed upon proper validation of customer credentials. That OTP was generated through the registered mobile number linked with the accounts and that transaction was validated upon furnishing the OTP so generated through the system. All fund transfers were authenticated through OTP. To what extent the Petitioner can be made responsible for such negligence is a matter of probe and adjudication through a civil suit.

23. I say that as per the investigation the Device ID of the disputed transactions are matching with other genuine transactions. The Device ID of genuine transaction is "dd2f85a9-9eab-2011-2b76-10509083a811" which matches exactly with the disputed transactions Device Id "dd2f85a9-9eab-2011-2b76-10509083a811".

As per the complaint of the Petitioner, the Petitioner performs all his transactions through desktop/laptop and not through mobile. All disputed transactions were performed through the same desktop/laptop."

23. Mr.Seksaria would place heavy reliance upon the report

of the internal investigation prepared by its officer in form of

an Excel workbook comprising 19 distinct worksheets,

including the checklist, disputed transactions accounts

statement, RSA logs, staff investigation with the riders i.e. the

observations of the bank on distinct issues, which were

investigated.

On investigation, the conclusion reached based on the

customer interaction, the report records that the customer was

disputing eight transactions amounting to Rs.38.04 lakhs from

his two HDFC accounts and he has received SMS alert in

respect of one transaction of Rs.2.14 lakhs on 15/07/2021 at

15.48.18, but he has received SMS at 17.55 p.m. and when he

checked his account statement and realised that the amount

from his account has been diverted, and he raised a complaint

with the bank.

It is urged that though the case of the Petitioner in the

Petition is not about any issues faced by him with BSNL

network, during the internal investigation, he disclosed that

he was facing issues with BSNL network since many months,

as the network was fluctuating and about his visit to the BSNL

office on 13th as well as 15th July. His statement was

categorically noted that he was present at his home between

3.00 to 4.00 p.m. on 15/07/2021, when the alleged transaction

occurred.

24. The Report of internal investigation, on which the Bank

has relied, has recorded thus :-

"System Review Customer access his netbanking through his Personal Laptop and has never registered for Mobile Banking.

From both the accounts, total 4 transactions are of RTGS and the beneficiary additions has happened only post the OTP authentication one day earlier. SMS & email alerts for beneficiary additions were very much sent and delivered to the registered mobile number. Transactions were also authenticated through OTPs.

4 transactions are of TPT and the beneficiary additions has happened only post OTP authentication one day earlier. SMS & email alerts for beneficiary additions were very much sent and delivered. Transactions were also authenticated through OTPs. All the disputed transactions are on a single day of 15/July/2021 from both of his accounts.

There has been increase in TPT limit to 40 lakhs one day earlier to the disputed transaction date and Split OTP (SMS + Email) authentication has been used.

IP addresses of the disputed transactions does not match with the previous transactions of the customer.

However according to the RSA Logs. The Device ID of the all the disputed transactions are matching with the previous genuine transaction of the customer...

IPIN has not been changed prior and post to the disputed transactions in both the accounts.

On probing the customer regarding his previous transactions on 04th July 2021, 27th April 2021 and the password change on 04th July 2021. Customer states he himself has done the transactions and changed his password (for these genuine transactions the Device ID is matching with Disputed Transactions ID).

The Device ID of the above mentioned genuine transaction is "dd2f85a9-9eab-2011-2b76-10509083a811".

25. In respect of the Monitoring Perspective, the internal

investigation has revealed thus :-

"As confirmed by Saravanakumar.R (S30856) "Beneficiary addition attempt got alerted to monitoring for review.

Tried reaching the customer but unable to establish the contact".

Dialer report for the callout attempt initiated from monitoring is attached in the Disputed Tnx Sheet.

However None of the 8 transactions were Alerted.

Please find the analytics team comments for the transactions post the bene addition.

Bank has automated Risk based on authentication system where the risk score is calculated based on usage pattern of the customer nature of transaction and other factors and High risk transaction is declined but in this case the risk score was 691 hence it is not declined/alerted."

26. From the report of investigation, it is noted that the total

time taken for debit from the victim's account is 40 minutes

and it started from 3.07 p.m. and ended with last transaction

at 3.48 p.m. and the total time taken for credits and debits in

the first beneficiary account is approximately 1 hour and in

case of second beneficiary account, it is about 55 minutes. In

this regard, it is concluded thus :-

" In totality, the entire movement of funds starting from victim accounts followed by transfers and withdrawals from beneficiary accounts happened within 1 hour 10 minutes with an end time of 4.17 PM dated 15/July/2021; which indicates this to be a pre- planned execution with involvement of supposedly multiple people at a time on field for ATM withdrawals and for on-line action.

Going with the SMS/Email alert logs, the fraud could have been stopped/minimized with nil exposure if instant action would have been taken by the customer at the time of beneficiary addition alert one day earlier to the disputed transactions day or at least blocking of his account at the time of the very first debit alert SMS."

27. In the Check List, it is important to note the following :-

| Txn Date & Time | Description | Txn Literal | Dr/Cr | Amount | Running Total | Account Number | Alert in Monitoring | RSA Alert | Action Taken | Date and Time of Action |
|---|---|---|---|---|---|---|---|---|---|---|
| 15-7-21 15:07 | 50100408968780-TPT-SELF-SAMIR TAMANG | TPD | D | 5,00,000.00 | 30,64,779.96 | 521000116116 | N | N | | |
| 15-7-21 15:09 | RTGS DR-ICIC0004177-ALOKE PAL-NETBANK, MUM-HDFCR52021071553132261-SELF | RTD | D | 7,00,000.00 | 23,64,779.96 | 521000116116 | N | N | | |
| 15-7-21 15:13 | 50100408968780-TPT-SELF-SAMIR TAMANG | TPD | D | 6,00,000.00 | 17,64,779.96 | 521000116116 | N | N | | |
| 15-7-21 15:22 | 50100408968780-TPT-SELF-SAMIR TAMANG | TPD | D | 6,00,000.00 | 11,64,779.96 | 521000116116 | N | N | | |
| 15-7-21 15:24 | RTGS DR-ICIC0003314-SUBHOMOY BISWAS-NETBANK, MUM-HDFCR52021071553133257-SELF | RTD | D | 5,50,000.00 | 6,14,779.96 | 521000116116 | N | N | | |
| 15-7-21 15:27 | RTGS DR-ICIC0003314-SUBHOMOY BISWAS-NETBANK, MUM-HDFCR52021071553140357-SELF | RTD | D | 4,00,000.00 | 2,14,779.96 | 521000116116 | N | N | | |
| 15-7-21 15:48 | 50100408968780-TPT-SELF-SAMIR TAMANG | TPD | D | 2,14,000.00 | 779.96 | 521000116116 | N | N | | |
| 15-7-21 | RTGS DR- SUBHOMOY BISWAS-NETBANK, MUM-HDFCR52021071553134869-SELF | RTD | D | 2,40,000.00 | 5,139.34 | 5210002218955 | N | N | | |

Reason for Transaction not being alerted




The report also states the reason for transaction not being

alerted and this comes from the Risk Intelligence and Control

Unit as below :-

Dear Venkatesh,

As discussed, for the mentioned customer id the beneficiary addition transaction has been alerted in RSA for the Rule "Decline Add Payee-Blacklisted Accounts."

Also, please find the analytics team comments for the transactions post the bene addition.

Bank has automated Risk based on authentication system where the risk score is calculated based on usage pattern of the customer nature of transaction and other factors and High risks transaction is declined but in this case the risk score was 691 hence is not declined/alerted.

Thanks & Regards Vignesh Vaidhyanathan Risk Intelligence & Control Unit."

28. In Rider 3, which is placed on record, when the

Petitioner made a complaint, the messages generated

demanding urgent attention are also placed before us and it is

necessary for us to reproduce the relevant portion.

"date: 16-07-2021 18:26
Subject: Re: Fw:TRNX ALERT-- Fraud Transaction of 35 Lakhs __ SUBODH CHANDRAKANT KORDE__Account number - 00521000116116__ Very Very Urgent attention ********__Case Number - 15596609

Hi All,

PFB Case facts as requested,

Beneficiary addition attempt got alerted to monitoring for review. Tried reaching the customer but unable to establish the contact.

PFB Alert action details,

| Txn Date | Description | Amount | Alerted / Not Alerted | Remarks |
|---|---|---|---|---|
| 14-07-2021 15:07 | Beneficiary Addition | - | Alerted | Tried reaching the customer but unable to establish the contact |
| 14-07-2021 15:11 | Beneficiary Addition | - | Alerted | |
| 15-07-2021 15:07 | 50100408968780-TPT-SELF-SAMIR TAMANG | 500,000.00 | Not Alerted | Not Alerted |
| 15-07-2021 15:09 | RTGS DR-ICIC0004177-ALOKE PAL-NETBANK, MUM-HDFCR52021071553132261-SELF | 700,000.00 | Not Alerted | Not Alerted |
| 15-07-2021 15:13 | 50100408968780-TPT-SELF-SAMIR TAMANG | 600,000.00 | Not Alerted | Not Alerted |
| 15-07-2021 15:22 | 50100408968780-TPT-SELF-SAMIR TAMANG | 600,000.00 | Not Alerted | Not Alerted |
| 15-07-2021 15:24 | RTGS DR-ICIC0003314-SUBHOMOY BISWAS-NETBANK, MUM-HDFCR52021071553133257-SELF | 550,000.00 | Not Alerted | Not Alerted |
| 15-07-2021 15:27 | RTGS DR-ICIC0003314-SUBHOMOY BISWAS-NETBANK, MUM-HDFCR52021071553140357-SELF | 400,000.00 | Not Alerted | Not Alerted |
| 15-07-2021 15:48 | 50100408968780-TPT-SELF-SAMIR TAMANG | 214,000.00 | Not Alerted | Not Alerted |

PFB Dialer report for the callout attempt initiated from monitoring.

Regards,
Saravanakumar.R
Risk Intelligence & Control ....."

The further correspondence alerting the banking system also

record thus :-

"----Prashant Patil/Retail Branch Banking/Boat Club/HBL wrote :----
To : Viral Kothari/Digital Banking/Peninsula/HBL@HDFCBANK
From : Prashant Patil/Retail Branch Banking/Boat CLUB/hbl
Date : 07/15/2021 06:29 pm
Subject : Fraud Transaction of 35 Lakhs_SUBODH CHANDRAKANT KORDE_Account number- 00521000116116___ Very Very Urgent attention ******_Case Number - 15596609

Dear Sir

One of our customer informed that his account is been debited with total amount of 35 Lakhs fraudulently. Kindly help to get if detected and reversed

Account number - 00521000116116
Customer id-42263358

Regards,
Prashant Patil
Imperia Relationship Manager
9021070594
[email protected]"

"SUBODH CHANDRAKANT KORDE _ Account number - 00521000116116_Very Very Urgent attention ******_Case Number -15596609

Dear John, The funds from the customer a/c has been credited to beneficiary who is from your branch. Beneficiary name Samir Tamang Cust ID 162969236.

Dear Milind, Further funds have been transferred from Samit Tamang to Rijohn Tamang who has an account in your branch. Cust ID 162969449

Dear RTGS Cell team/Kasim, please assist in recalling the funds from ICICI Bank."

29. The Account Statement of the Petitioner also forms part

of the internal report which reflect the transactions.

The IP investigation reveals that the transactions on

14/07/2021, are done from IP 45.137.126.18 and the IP

location is Chennai. The disputed transactions, on 15/07/2021

right from 03:06:57 PM IST to 3:18:18 PM IST are reflected to be

done from WEB with same IP 45.137.126.18 and the IP

location is shown to be once again Chennai. As far as the

genuine transaction of the Petitioner is concerned, the IP is

103.198.166.221 and the IP location is Pune. The IP of the

user activity of modifying the limit on 14/07/2021 at 3:09:14

PM IST is again from the same IP 45.137.126.18 and the IP

location is Chennai.

The email logs are also produced by Mr.Seksaria to

establish that the emails were sent to the Petitioner, but

admittedly there is no proof of its receipt.

30. In light of the aforesaid investigation report, it is the

submission of Mr.Seksaria that the bank is not at all at fault, as

for every transaction an email alert was sent and delivered on

the registered email ID of the Petitioner and in case of

addition/registration of third party beneficiary, which took

place on 14/07/2021 at 03:01:09 PM IST and the transaction

payment took place only on next day i.e. 15/07/2021 on

03:06:57 (IST) i.e. after lapse of more than 24 hours. Thus,

according to the HDFC Bank, all the necessary protocols were

followed by the bank, both at the time of enhancement of the

TPT limit which requires the account holder to enter a Split

OTP, which involves two different OTPs sent to (i) registered

mobile number and (ii) registered Email ID and only upon

successful completion of such Split Verification, the TPT limit

was increased. Furthermore, once the TPT limit is increased,

once again an alert is sent both as an SMS to the registered

mobile number and also to the registered email ID and based

upon this, it is the contention of Mr.Seksaria that the

Petitioner was every time alerted about the transaction, which

he carried out and, therefore, the bank cannot be said to have

acted in breach of any protocol and liable for reverting the

amount.

31. Dealing with the objection raised by Mr.Seksaria about

the maintainability of the Writ Petition under Article 226 of

the Constitution, we have given our thoughtful consideration

to the objection as well as the response to the same by

Mr.Jagtiani, as the respective senior counsel have placed

reliance upon various authoritative pronouncements.

The power of High Court to issue writs, as contained in

Article 226, clearly provides that every High Court shall have

power, throughout the territories in relation to which it

exercises jurisdiction, to issue to any person or authority,

including in appropriate cases, any Government within those

territories, orders or writs for the enforcement of any of the

rights conferred by Part III and for any other purpose.

32. As early as in 1989 in Andi Mukta Sadguru Shree

Muktajee Vandas Swami Suvarna Jayanti Mahotsav Smarak

Trust & Ors. Vs. V.R.Rudani & Ors.7, the Hon'ble Apex Court,

expounded the scope of Article 226 by declaring that the

power conferred on the High Court under Article 226 to issue

writs in the nature of prerogative writs is a striking departure

from the English Law, as under Article 226, the writ can be

issued to any person or authority and the term 'authority'

used in the context must receive a liberal meaning unlike the

term in Article 12, which is relevant only for the purpose of

enforcement of fundamental rights. Further, it is held that the

words 'Any person or authority' used in Article 226 are not

confined only to statutory authorities and instrumentalities of

the State and they may cover any other person or body

performing public duty, the form of such body being not of

much relevance, but what is relevant is the nature of duty

imposed on the body.

7    (1989)2 SCC 691





The observation of the Apex Court in paragraph 22 is of

great significance and we reproduce the same.

"22. Here again we may point out that mandamus cannot be denied on the ground that the duty to be enforced is not imposed by the statute. Commenting on the development of this law, Professor de Smith states: "To be enforceable by mandamus a public duty does not necessarily have to be one imposed by statute. It may be sufficient for the duty to have been imposed by charter, common law, custom or even contract." We share this view. The judicial control over the fast expanding maze of bodies affecting the rights of the people should not be put into watertight compartment. It should remain flexible to meet the requirements of variable circumstances. Mandamus is a very wide remedy which must be easily available 'to reach injustice wherever it is found'. Technicalities should not come in the way of granting that relief under Article 226. We, therefore, reject the contention urged for the appellants on the maintainability of the writ petition."

33. In Praga Tools Corporation Vs. C.A.Imanual8, the Hon'ble

Apex Court held that a mandamus can be issued to an official

of a society to compel him to carry out the terms of the statute

under or by which the society was constituted or governed and

also to companies or corporations to carry out duties placed on

them by the statutes authorising their undertakings. Reliance

was placed upon Halsbury's Laws of England, third Edition,

Vol.II Page 52, which held thus :

"A mandamus would also lie against a company constituted by a statute for the purpose of fulfilling public responsibilities."

34. A decision on which reliance is placed by the respective

senior counsels representing the opposing parties is the

decision in case of Federal Bank (supra)

8 (1969) 1 SCC 585

The pronouncement of the Apex Court revolved around a

Branch Manager, Respondent No.1, working in Federal Bank,

who was awarded punishment of dismissal pursuant to an

enquiry being carried out and when he filed the writ petition in

the Court, preliminary objection was raised to its

maintainability, by canvassing that, it is a private bank and

not a State or its agency or instrumentality, within the

meaning of Article 12 of the Constitution of India, hence a writ

petition under Article 226 of the Constitution is not

maintainable.

The Single Judge of the High Court found that the

Federal Bank is performing public duty and, therefore, it would

be covered with the definition of 'other authority' within the

meaning of Article 12 of the Constitution of India and as such,

the writ petition is maintainable. An appeal was preferred

against the said decision, which was dismissed by directing the

Single Judge to decide the matter on merit.

In this background the question which fell for

consideration before the Apex Court was, whether the

appellant Bank is a private body or falls within the definition of

the State or local or other authorities under the control of the

Government within the meaning of Article 12.

35. Referring to the decision of seven-Judge Bench in

Pradeep Kumar Biswas Vs. Indian Institute of Chemical

Biology & Ors.9 and also to the decision in case of Ajay Hasia

Vs. Khalid Mujib Sehravardi10, it was noted that the concept of

instrumentality or agency of the Government is not limited to

a corporation created by a statute but is equally applicable to a

company or society and in a given case it would have to be

decided, on a consideration of the relevant factors, whether

the company or society is an instrumentality or agency of the

Government so as to fall within the meaning of the expression

'authority' under Article 12. The submission advanced on

behalf of the Bank, in specific, is that it is a 'company'

incorporated under the Indian Companies Act, 1913 and its

activities are regulated by the provisions of the Banking

Regulation Act, 1949, with its entire shareholding held by

private individuals, and that it does not perform any sovereign

function nor does it exercise any authority over the third

person. The nature of the activity of the Bank was argued to

be commercial, as it receives deposits from individuals,

advances loans and performs other ancillary monetary

transactions. It was, therefore, urged that it is neither a

9 (2002) 5 SCC 111
10 (1981) 1 SCC 722

"State" nor any "authority" within the meaning of Article 12 of

the Constitution, and, hence not amenable to writ jurisdiction

of the High Court.

The respondent, on the other hand, urged that RBI

exercises control over the banking companies and on taking

into consideration the provisions of the Banking Regulation

Act, 1949, which indicated deep and pervasive statutory

control of the Central Government over the scheduled banks,

an argument was advanced that the banks discharge functions

of a public nature and own statutory responsibilities, and,

hence, there is an element of public law involved in its

activities. It was also canvassed that the Banking Regulation

Act provides for licensing of banking companies and unless and

until a bank holds license issued by Reserve Bank, it is not

permissible to carry out the banking activity.

36. In the wake of the contra submissions advanced, the

Apex Court held as below :-

"32. Merely because the Reserve Bank of India lays the banking policy in the interest of the banking system or in the interest of monetary stability or sound economic growth having due regard to the interests of the depositors etc. as provided under Section 5(c)(a) of the Banking Regulation Act does not mean that the private companies carrying on the business of or commercial activity of banking, discharge any public function or public duty. These are all regulatory measures applicable to those carrying on commercial activity in banking and these companies are to act according to these provisions failing which certain consequences follow as indicated in the Act itself. As to the provision regarding acquisition of a banking company by the Government, it may be

pointed out that any private property can be acquired by the Government in public interest. It is now a judicially accepted norm that private interest has to give way to the public interest. If a private property is acquired in public interest it does not mean that the party whose property is acquired is performing or discharging any function or duty of public character though it would be so for acquiring authority."

In regards to the decision in the case of Andi Mukta

(supra), it was observed that though a mandamus can be

issued to any person or authority performing public duty,

owing positive obligation to the affected party and, therefore,

the writ petition was held maintainable since the teacher

whose services were terminated by the institution was

affiliated to the University and was governed by the

ordinances casting obligations which it owed to the petitioner.

The said decision was, therefore, distinguished, but confirmed

the finding that no writ would lie against the private body

unless it has some obligation to discharge which is either

statutory or of public character.

In conclusion, it was held thus :-

"33. ....a private company carrying on banking business as a scheduled bank, cannot be termed as an institution or company carrying on any statutory or public duty. A private body or a person may be amenable to writ jurisdiction only where it may become necessary to compel such body or association to enforce any statutory obligations or such obligations of public nature casting positive obligation upon it. We don't find such conditions are fulfilled in respect of a private company carrying on a commercial activity of banking. Merely regulatory provisions to ensure such activity carried on by private bodies work within a discipline, do not confer any such status upon the company nor puts any such obligation upon it which may be enforced through issue of a writ under Article 226 of the Constitution. Present is a case of disciplinary action

being taken against its employee by the appellant Bank. The respondent's service with the bank stands terminated. The action of the Bank was challenged by the respondent by filing a writ petition under Article 226 of the Constitution of India. The respondent is not trying to enforce any statutory duty on the part of the Bank. That being the position, the appeal deserves to be allowed."

37. The aforesaid decision provides the guiding principle for

the proposition that a private body or person may be amenable

to writ jurisdiction, where it becomes necessary to control

such body or association to enforce any statutory obligations

or obligations of public nature casting a positive obligation

upon it and merely because the appellant bank was under the

control of RBI, by itself does not amount to exercise of any

statutory function or it being recognised as an institution

having State protection as no Government agency or officer

was connected with the affairs of the bank and there is no

participation or interference of the State or its authorities.

38. The aforesaid decision is followed by another decision of

the Apex Court in Binny Ltd. & Anr. Vs. V. Sadasivan & Ors.11,

where the Apex Court pronounced upon the 'public function',

discharged by a private party and with reference to the power

of the High Court under Article 226 of Constitution to exercise

judicial review and issuance of any direction or order or writ

for enforcement of any of the rights conferred by Part III or for

any other purpose, it was noted that the jurisdiction is very

11 (2005) 6 SCC 657

wide, but it remained an accepted principle that it is public law

remedy and is available against a body or person performing

public function. Following the proposition set out in the

Administrative Law (9th Edn) by Sir William Wade and

Christopher Forsyth, it was categorically noted thus :-

"A distinction which needs to be clarified is that between public duties enforceable by mandamus, which are usually statutory, and duties arising merely from contract. Contractual duties are enforceable as matters of private law by the ordinary contractual remedies, such as damages, injunction, specific performance and declaration. They are not enforceable by mandamus, which in the first place is confined to public duties and secondly is not granted where there are other adequate remedies. This difference is brought out by the relief granted in cases of ultra vires. If for example a minister or a licensing authority acts contrary to the principles of natural justice, certiorari and mandamus are standard remedies. But if a trade union disciplinary committee acts in the same way, these remedies are inapplicable: the rights of its members depend upon their contract of membership, and are to be protected by declaration and injunction, which accordingly are the remedies employed in such cases."

By placing reliance upon the earlier observations in VST

Industries Limited Vs. VST Industries Workers' Union & Anr. 12,

where reliance was placed upon de Smith, Woolf and Jowell's

Judicial Review of Administrative Action (5th Edn.), noting

that all the activities of the private bodies are subject to

private law, for example, the activities by private bodies may

be governed by the standards of public law when its decisions

are subject to duties conferred by statute or when, by virtue of

the function it is performing or possibly its dominant position

in the market, it is under an implied duty to act in public

12 (2001) 1 SCC 298

interest. An illustration was cited and based on it, the

proposition was laid as below :-

"19. ....By way of illustration, it is noticed that a private company selected to run a prison although motivated by commercial profit should be regarded, at least in relation to some of its activities, as subject to public law because of the nature of the function it is performing. This is because the prisoners, for whose custody and care it is responsible, are in the prison in consequence of an order of the court, and the purpose and nature of their detention is a matter of public concern and interest. After detailed discussion, the learned authors have summarized the position with the following propositions :

(1) The test of whether a body is performing a public function, and is hence amenable to judicial review, may not depend upon the source of its power or whether the body is ostensibly a "public" or a "private" body.

(2) The principles of judicial review prima facie govern the activities of bodies performing public functions.

(3) However, not all decisions taken by bodies in the course of their public functions are the subject-matter of judicial review. In the following two situations judicial review will not normally be appropriate even though the body may be performing a public function:..."

38. The decision in case of Federal Bank (supra) when cited,

it was noted that, a private company carrying on business as

scheduled bank cannot be termed as carrying on statutory or

public duty and it was held that any business or commercial

activity cannot be classified as the one falling within the

category of discharging duties or functions of public nature.

As regards the exercise of power under Article 226, it is held

as below :-

"29. Thus, it can be seen that a writ of mandamus or the remedy under Article 226 is pre-eminently a public law remedy and is not generally available as a remedy against private wrongs. It is

used for enforcement of various rights of the public or to compel the public/statutory authorities to discharge their duties and to act within their bounds. It may be used to do justice when there is wrongful exercise of power or a refusal to perform duties. This writ is admirably equipped to serve as a judicial control over administrative actions. This writ could also be issued against any private body or person, specially in view of the words used in Article 226 of the Constitution. However, the scope of mandamus is limited to enforcement of public duty. The scope of mandamus is determined by the nature of the duty to be enforced, rather than the identity of the authority against whom it is sought. If the private body is discharging a public function and the denial of any right is in connection with the public duty imposed on such body, the public law remedy can be enforced. The duty cast on the public body may be either statutory or otherwise and the source of such power is immaterial, but, nevertheless, there must be the public law element in such action. Sometimes, it is difficult to distinguish between public law and private law remedies. According to Halsbury's Laws of England 3rd Edn., Vol.30, p.682 "1317. A public authority is a body, not necessarily a county council, municipal corporation or other local authority, which has public or statutory duties to perform and which perform those duties and carries out its transactions for the benefit of the public and not for private profit."

There cannot be any general definition of public authority or public action. The facts of each case decide the point."

Conclusively in para 32, the Apex Court held thus :-

"32. Applying these principles, it can very well be said that a writ of mandamus can be issued against a private body which is not "State" within the meaning of Article 12 of the Constitution and such body is amenable to the jurisdiction under Article 226 of the Constitution and the High Court under Article 226 of the Constitution can exercise judicial review of the action challenged by a party. But there must be a public law element and it cannot be exercised to enforce purely private contracts entered into between the parties."

39. The aforesaid authoritative pronouncements from the

Apex Court continued to be the guiding principle for various

High Courts and one such decision cited before us is of the

Bombay High Court in M/s Ruchi Soya Industries Ltd. & Ors.

(supra), when by applying the ratio of Federal Bank's case, it

is held that a petition filed by petitioner No.1, when faced with an

objection about its maintainability under Article 226 on behalf

of IDFC Bank Ltd., with regards to the "Master Circular" on

Willful Defaulters, the question that arose for consideration

was formulated as, "Whether a private party is amenable to

the writ jurisdiction of the Court". With reference to the

decision of the Federal Bank (supra), it is held that the

respondent bank, being a subsidiary of IDFC Bank Ltd., which

is a holding company with the Government having 60%

shareholding, and noting that the company is not under any

control, financial or otherwise of the State Government nor it

is the instrumentality of the State, but the bank was carrying

on its private business and was not under any public duty or

obligation imposed by any statute, it was held that no

mandamus shall lie and the petition filed under Article 226 of

the Constitution was held to be not maintainable.

40. In yet another decision in VJ Jindal Cocoa Pvt. Ltd.

(supra), which had the involvement of the HDFC Bank, and an

objection was raised that any dispute between the HDFC Bank

and VJ Jindal Cocoa cannot possibly be the subject matter of the

writ proceedings, the Division Bench of this Court, on

10/03/2023, relied upon the principle of law laid down by the

Apex Court in Federal Bank Ltd. (supra), which had held that

merely because the RBI prescribes the banking policy and

controls various banks under the Banking Regulation Act would

not necessarily convey that private entities that carry on the

business of commercial activities of banking discharge any

public function or duty. Reliance was also placed on the

decision in the case of Chanda Deepak Kochhar Vs. ICICI Bank

Ltd. Mumbai & Anr.13 where the Division Bench had held that

no writ would lie against the ICICI Bank, being a private body,

since it is not an instrumentality of the State.

Dealing with the contention that the HDFC Bank provides

banking facilities and, therefore, discharges public functions,

and, therefore, an application under Article 226 was

maintainable against a person or body, who discharges public

duties or public functions, the Division Bench arrived at a

conclusion that there is no public duty or public function

shown to be discharged by the HDFC Bank and holding that it

is in no sense doing it for collective benefit of the public nor is it

appointed by RBI, it was held that it was purely in invocation

in the context of private contractual dispute.

41. The decision of the Apex Court in S.Shobha (supra) is

relied upon by Mr.Seksaria and according to him, the ratio

13 2020(5) MhLJ 219

flowing therefrom has foreclosed the issue, as the Apex Court

had pronounced upon the 'function' test as regards the

maintainability of writ application.

Dealing with Muthoot Finance Ltd., a company

registered under the Companies Act, the High Court had held

that it did not answer the definition of 'State' within the

meaning of Article 12, nor the transaction of loan by pledging

gold between the petitioner and the respondent could be said

to be in public realm. Apart from this, the High Court also

recorded a clear finding that the company is not discharging

any function, which has trapping of a sovereign function, but it

is a private company registered under the law and, therefore,

it is not a 'State' and the remedy open for the petitioner would

be to institute a civil suit to seek appropriate relief.

The aforesaid finding by the High Court received

approval, as the Apex Court observed that the Muthoot

Finance Ltd. is not a 'State' within the meaning of Article 12 of

the Constitution and therefore not amenable to writ

jurisdiction of the High Court under Article 226 of the

Constitution. The contention that being a non-banking

financial institution, it is governed by the Rules and

Regulations framed by the RBI and if there is a breach thereof,

the finance company is amenable to the writ jurisdiction did

not find favour, when the Apex Court held that, the finance

company has no duty towards the public, but its duty is only

towards the account holders, which may include the borrowers

having availed the loan facility and it has no power to take any

action, or pass any order affecting the rights of the members of

the public and the binding nature of its orders and actions is

confined to the account holders and borrowers and its

employees.

Laying its emphasis on whether a body, public or private,

is amenable or not amenable to writ jurisdiction, the test laid

down in paragraph 8 of the law report reads thus :-

"8. A body, public or private, should not be categorized as "amenable" or "not amenable" to writ jurisdiction. The most important and vital consideration should be the "function" test as regards the maintainability of a writ application. If a public duty or public function is involved, any body, public or private, concerned or connected with that duty or function, and limited to that, would be subject to judicial scrutiny under the extraordinary writ jurisdiction of Article 226 of the Constitution of India."

42. Mr.Seksaria has strongly relied upon the summation of

the position of law emerging in peculiar facts, while

entertaining a writ petition and he has asseverated that

for issuance of writ, the body or authority ought to be an

instrumentality or agency of a State or it should have been

entrusted with the functions as are Governmental or closely

associated therewith, being of public importance or being

fundamental to the life of the people and hence Governmental

and though RBI for smooth conduct of its affairs in carrying on

its business have formulated the regulatory measures to keep

a check and provided guidelines, that itself is not sufficient for

discharge of public function, so as to satisfy the criteria,

whether the body is amenable to writ jurisdiction.

43. We have carefully perused the authoritative

pronouncement of the Apex Court, which had the involvement

of a company registered under the Companies Act and there

can be no doubt about the legal proposition that writ

jurisdiction would not lie against the company, as it does not

enjoy the status of 'State' under Article 12 of the Constitution.

In the facts of the case, where the loan was granted and the

financier had acted contrary to the interim order, the Single

Judge had held that the loan was granted under the statutory

requirement as enunciated by the RBI but the Division Bench

overruled the aforesaid observation and its view received

approval from the Apex Court.

Reliance is placed upon the decision in the case of LIC of

India Vs. Escorts Ltd.14, where the Apex Court observed thus :-

14 (1986) 1 SCC 264

"...Broadly speaking, the Court will examine actions of State if they pertain to the public law domain and refrain from examining them if they pertain to the private law field. The difficulty will lie in demarcating the frontier between the public law domain and the private law field. It is impossible to draw the line with precision and we do not want to attempt it. The question must be decided in each case with reference to the particular action, the activity in which the State or the instrumentality of the State is engaged when performing the action, the public law or private law character of the action and a host of other relevant circumstances."

As regards the applicability of 'function' test, prescribing

that if a public duty or public function is involved, any body,

public or private, concerned or connected with that duty or

function would be subject to judicial scrutiny in exercise of

writ jurisdiction under Article 226 of the Constitution of India.

The above pronouncement arises in the backdrop of the fact

when the petitioner had secured loan from the respondent, a

private company, by pledging gold and some dispute arose

from the said transaction and in this peculiar fact, it was

pleaded that while granting the loan, the statutory

requirements ought to have been observed and particularly, it

was also pointed out that the agreement between the company

and the petitioner contained an arbitration clause, which was

the part of the loan agreement. The Apex Court in S.Shobha

was dealing with Muthoot Finance, a non-banking finance

company and not a scheduled bank and, therefore, the

restrictions and obligations imposed on a scheduled bank were

held to be not applicable to the entity.

The emphasis of the Apex Court in laying down the

'function' test is the nature of obligation imposed upon the

scheduled bank and there cannot be any quarrel about the

proposition that when a private scheduled bank indulges in

any commercial transaction like providing for a loan,

accepting term deposits etc., a writ may not lie unless the

action involves a statutory violation, but with the guidelines of

the Reserve Bank of India in force, issued in larger public

interest, and when the bank, though private, is acting in a

capacity that involves public interest or performing the duties

analogous to that of public body, which may include

enforcement of RBI regulations, in such a case, a writ petition

would be definitely entertained. If a private body is

discharging a public function and the denial of any rights is in

connection with the public duty imposed on such body, public

law remedy is available for its enforcement. The duty cast on

the public body may be either statutory or otherwise and the

source of such power is immaterial but nevertheless there

must be public law element in such action.

A public authority is not necessarily an authority

established under the statute, but if it is the authority which

performs duties and carries out transactions for the benefit of

public, it would fall within the purview of 'public authority', as

there is no general definition of a 'public authority' or 'public

action' and facts of each case would decide whether the

authority is a public authority.

44. Considering it from the point of view of scheduled bank,

covered under the Reserve Bank of India Act, 1934, which has

authorised the Reserve Bank to exercise supervisory

jurisdiction over it. As per Section 42 it is imperative for the

bank (scheduled bank) to maintain with the bank an average

daily balance, the amount of which shall not be less than such

percentage as may be prescribed, having regard to the needs of

securing the monetary stability in the country.

The decision in S.Shobha (supra) involves a private

company in contrast to a scheduled bank, which is duty bound

to abide by the instructions/directions issued by the Reserve

Bank of India, the apex body and it is imperative for the bank

to follow the mandate of maintaining Cash Reserve Ratio

(CRR) as directed, as the Reserve Bank considers it

appropriate to direct the scheduled bank to maintain the

reserve in the larger interest of economy of the country.

It is well within the power of the Reserve Bank to direct

that every scheduled bank shall maintain in addition to the

balance prescribed under sub-section (1), an additional

average daily balance of the amount which shall not be less

than the rate specified by it in the Notification being calculated

with the reference to the excess of the total of the demand and

time liabilities of the bank at the close of the business on the

date specified in the Notification.

In addition, by virtue of sub-section (2) of Section 42,

every scheduled bank is under an obligation to send to Reserve

Bank of India a return signed by two responsible officers of

such banks showing (a) to (g) at the close of business on the

last day of each fortnight and every return shall be sent not

later than five days after the date to which it relates.

Under sub-section (4), a scheduled bank, which fails to

comply with provision of sub-section (2) is liable to pay a

penalty of one hundred rupees for each day during which the

failure continues.

45. Since the whole object underlying constitution of the

Reserve Bank of India, being to regulate the issue of bank

notes and keeping reserves with a view of securing monetary

stability and to operate the currency and credit system of

country to its advantage, the RBI exercises supervisory

control over the scheduled banks with an imperative mandate

that the weekly returns by the scheduled banks showing the

time and demand liabilities shall be furnished to it. Power is

also conferred upon the Reserve Bank to exempt the scheduled

bank in difficulties, due to circumstances beyond its control in

discharge of the obligations imposed under the statute. Thus,

the scheduled bank definitely stands on a different footing

from the company which is engaged in disbursement of

financial assistance.

46. In exercise of the power conferred by clause (o) of sub-

section (2) of Section 58 of the RBI Act, 1934, the Central

Government has formulated "The Reserve Bank of India

Scheduled Bank Regulations, 1951" to ensure compliance of

the obligations cast under the Reserve Bank of India Act, 1934

and under the Regulations, it is imperative for the scheduled

bank, not later than 14 days of its inclusion in the Schedule or

if it is already included in the Schedule, when Regulations

came into force to submit to the principal office of the bank, a

written statement containing the information in Regulation

5(i). It is also mandatory to forward the list of the names, the

official designations and specimen signatures of the officers of

the Bank who are authorized to sign its returns and no change

is allowed in regards the same without prior intimation to the

RBI and in regards to matters specified in clause (b) of

Regulation 5(i), no change shall be effected unless the Reserve

Bank is satisfied that there is adequate reason for such change.

By virtue of Regulation 7, it is imperative for the

scheduled bank having savings bank department to submit a

copy of the Regulations governing that department to the

principal office of the bank within the period prescribed by

5(i) and any changes in such regulations shall also be

intimated without delay to that office and every scheduled

bank shall calculate the proportion, as at the close of business

on the 30th September and 31st March of each year, of its

demand/liabilities on the prescribed basis and the proportion

so calculated, until the date of the next calculation, to be used

in determining the demand and time liabilities. As per the said

Regulation, scheduled bank is liable for imposition of penalty

under Section 42 of the Act, when the Regulation becomes

applicable.

47. In addition to the above scheme involving RBI,

another statute which comes into play is the Banking

Regulation Act, 1949.

Section 35-A of the Act is the power of the Reserve Bank

to give directions, if it is satisfied in the 'public interest' or in

the interest of banking policy, it is necessary to issue

directions to banking companies generally or to any banking

company in particular, from time to time, and the banking

companies/ company shall be duty bound to comply with such

directions.

Reserve Bank of India, with its emphasis on customer

protection and the recent surge in customer grievances

relating to unauthorised transactions resulting in debits to the

accounts/cards, had issued a Circular as early as in 2002 for

reversal of erroneous debits arising from fraudulent or other

transactions and on 06/07/2017, issued a fresh Circular, which

is in consonance with the international standards, realising

that with the introduction of electronic banking transactions,

it is necessary to strengthen the systems and procedure so

that the customers feel safe about carrying e-banking

transactions. The RBI directed the banks to put in place

appropriate systems and procedure to ensure safety and

security of the electronic banking transactions and to have a

robust and dynamic fraud detection and prevention

mechanism.

In addition, the RBI has also prescribed the mechanism

to assess the risk, resulting from the unauthorized

transactions and measure the liabilities arising out of such

events. It also directed appropriate measures to be taken by

all scheduled Commercial Banks as well as Small Finance

Banks and Payment Banks to mitigate the risk and protect

themselves against the liability arising therefrom.

48. A reading of the Circular under which the Petitioner is

seeking reversal of the amount debited to his account, has

clearly set out the mechanism for reporting of unauthorised

transaction by the customers, by prescribing thus :-

"Reporting of unauthorised transactions by customers to banks

5. Banks must ask their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic banking transactions. The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered. The customers must be advised to notify their bank of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction, and informed that the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/ customer. To facilitate this, banks must provide customers with 24x7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting unauthorised transactions that have taken place and/ or loss or theft of payment instrument such as card, etc. Banks shall also enable customers to instantly respond by "Reply" to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any. Further, a direct link for lodging the complaints, with specific option to report unauthorised electronic transactions shall be provided by banks on home page of their website. The loss/ fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer's response,if any, to them. This shall be important in determining the extent of a customer's liability. The banks may not offer facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide

mobile numbers to the bank. On receipt of report of an unauthorised transaction from the customer, banks must take immediate steps to prevent further unauthorised transactions in the account."

49. In fixing the liability on the customer, in case of

unauthorised transaction, the Reserve Bank has bifurcated

liability into two types; 'zero liability' and 'limited liability'.

A customer's entitlement to zero liability is said to arise

when the unauthorised transaction involving third party

breach where the deficiency lies neither with the bank nor

with the customer but lies elsewhere in the system, and the

customer notifies the bank within three working days of

receiving the communication from the bank regarding the

unauthorised transaction.

However, a customer will also be liable for the loss

occurring due to unauthorised transaction, where the loss is

due to negligence by a customer like where he has shared the

payment credential. Even when there is a delay of making a

complaint to the bank by the customer, despite the fact that

the responsibility of the unauthorised electronic banking

transaction lies neither with the bank nor with the customer

but somewhere in the system, the customer will be fastened

with the liability.

The bare perusal of the aforesaid guidelines/Circular by

the Reserve Bank is evidently in larger public interest, as the

RBI is conscious of the risk involved while adopting the

electronic platform and it expected the Banks to set up a

robust governance structure and implement common

minimum standards of security controls for digital payment

products and services.

50. The Reserve Bank of India, on 18/02/2021, has issued the

Master Direction on Digital Payment Security Controls, by

formulating it in form of the Reserve Bank of India (Digital

Payment Security Controls) Directions, 2021, which are

specifically made applicable to the Scheduled Commercial

Banks, Small Finance Banks, Payment Banks and Credit card

issuing NBFCs. The regulated entities to whom the Circular

applies are also directed to formulate a policy for digital

payments products and services with the approval of their

Board, which shall ensure minimal customer service

disruption with high availability of system/channels and

adequate and appropriate review mechanism followed by swift

corrective action.

We will be dealing with the Circulars and the policy of the

Reserve Bank formulated for the safety and security of the

customer a little while later, but for determining the present

point for maintainability of Writ Petition, we have noted that

the Circular/policy issued by the Reserve Bank is exercise of

the power under Section 35A of the Banking Regulation Act,

when the Reserve Bank thought it appropriate in the public

interest and also in the interest of banking policy to issue

directions which bind the Banks, and in specific, the scheduled

bank like the HDFC.

With the aforesaid preface, we are of the specific opinion

that the HDFC Bank may not be a 'State' or its instrumentality

and even when it comes to the discharge of 'public function', in

the wake of the test laid down in Federal Bank (supra) as well

as in S.Shobha (supra), it may not be strictly discharging a

public function, but when it comes to the protection of the

customers with whom the Banks have dealing and if the

Reserve Bank, in exercise of powers under Section 35A, has

formulated certain guidelines for minimising the risk faced by

the customers and if a customer alleges its breach, in our

opinion, the Petition cannot be refused to be entertained on the

ground that no writ can be issued to HDFC Bank for

implementing or acting in consonance with the directions

issued by RBI, while encouraging e-banking and being


conscious of the fact that the Banks are expected to have a

robust and dynamic fraud detection and prevention

mechanism and also a redressal mechanism in case a

customer falls prey to such fraud.

51. The Calcutta High Court in Society for Welfare of the

Handicapped Persons & Anr. Vs. Union of India & Ors. 15, in

determining the issue, whether the petitioners are entitled for

adequate compensation from the Axis Bank for causing loss to

them on account of alleged diversion of funds as donated by

different donors in its name, noted that the petitioner No.1

maintained its accounts in the Bank and were informed that

some donations were made in the name of the society, but the

account statement of the bank did not have any positive

reflection to their credit. A written complaint was therefore

filed with the jurisdictional police station and the investigation

was taken up and the charge-sheet was filed.

The petition was filed seeking compensation from the

bank where an objection was raised about its maintainability,

which faced opposition and the learned Single Judge had an

opportunity to appreciate the law laid down through the

various authoritative pronouncements objecting to the

entertainment of the writ petition against the bank.

15 2025 SCC OnLine Cal 4056






With reference to the power of the High Court to issue

writs under Article 226 of the Constitution, it was noted that

Axis bank, being a private limited company, is a scheduled

bank as per Section 2(e) read with second Schedule of the Act

of 1934 and hence, it was governed by Act of 1949.

With reference to the provisions of Sections 45(b), 45(d)

and 42 of the Reserve Bank of India Act, 1934, the learned

Single Judge of the Calcutta High Court pronounced that the

RBI authorities are empowered to collect the credit

information from the Axis Bank and Section 42 of the Act of

1934 postulates that it, being a scheduled bank, is duty bound to

keep cash reserve with the RBI authority. Apart from this, it

also took note of the fact that the scheduled banking company

had to obtain license from the RBI authority, which is also

empowered to cancel license on account of failure to comply

with the conditions of license.

Exhaustive reference is made to Section 35A of the Act

of 1949 empowering the Reserve Bank to give directions in

public interest and the power to impose restrictions under

Sections 46, 49 and 49A.

It is in light of the scheme of the enactment, the learned

Single Judge has held thus :-


"35. On careful consideration of the aforementioned Sections of the said Act of 1934 as well as of the said Act of 1949 it thus appears to this Court that the respondent no.11 being a scheduled bank is duty bound to carry on its banking business within the periphery of the statutory provisions of the said two Acts as well as under the control and surveillance of the RBI Authority.

36. In view of such, this Court has got no hesitation to hold that the respondent no.11/Axis Bank is duty bound to carry out the directions issued time to time by the RBI Authority under cover of its different circulars."

With reference to the decision in the case of Andi Mukta and

Binny Ltd. (supra), which was cited, the Single Judge observed

thus :-

"39. In the reported decision of Andi Mukta (supra) the Hon'ble Supreme Court also considered the proposition of law as decided in the case of Praga Tools (supra) and in the said judgment it has been held that Article 226 of the Constitution confers power on the High Courts to issue writs for enforcement of the fundamental rights as well as nonfundamental rights. It has been held further that the words "any person or authority" used in Article 226 of the Constitution are therefore, not to be confined only to statutory instruments of the State. The form of the body concerned is not much relevant. What is relevant is the nature of the duty imposed on the body and the duty must be judged in the light of positive obligation owed by the person or authority to the affected party. It has been held further that no matter by what means the duty is imposed, if a positive obligation exists mandamus cannot be denied.

In the reported decision of Andi Mukta (supra) it has also been held that the judicial control over the fast expanding maze of bodies affecting the rights of people should not be put into watertight compartment and on the contrary it should remain flexible to meet the requirements of variable circumstances. It has been further stated that mandamus is a very wide remedy which must be easily available to meet injustice wherever it is found.

40. In the reported decisions of Binny Ltd. (supra) it has been held by the Hon'ble Supreme Court that the scope of mandamus is limited to enforcement of public duty and such scope is determined by the nature of the duty to be enforced rather than the identity of the authority against whom it is sought. It has also been held that in the event a private body is discharging public function and the denial of any right is in connection with the public duty imposed on such body, the public law remedy can be enforced.


52. The decisions in case of Federal Bank Limited and S.

Shobha (supra), were also referred to, but in the wake of the

legislative scheme of Act of 1934 and Act of 1949, the Court

observed thus :-

"50. In view of such, this Court has got no hesitation to hold that respondent nos. 11 i.e. the Axis Bank cannot avoid its liability in the process of opening of a fake bank account at its Prince Anwar Shah Road Branch in the name of the writ petitioner no. 1/society. It further appears to this Court that though an attempt has been made on behalf of the respondent nos. 11 to 13 to substantiate that the writ petitioner no. 2 was actively involved in the opening of the said bank account at its Prince Anwar Shah Road Branch however, such claim is found to be futile inasmuch as sufficient materials have been placed before this Court that in course of investigation in connection with the aforementioned P.S. case the involvement of the writ petitioner no. 2 was not at all found. It has also been noticed by this Court that the allegation of the respondent no. 11 that the said fake bank account at its Prince Anwar Shah Road was opened by using a cheque by the writ petitioners' banker i.e. Corporation Bank is found to be contrary to the truth.

51. ... .... ...

53. From the reported decisions as cited from the Bar it appears that it is the consistent view of the Supreme Court as well as of different High Courts including our High Court that such plenary power under Article 226 can be issued against any person or body of persons and even against a company or a corporation in the event such persons or body of persons or company or corporation discharge public duties or responsibilities imposed upon it by a statute. It thus appear to this Court that in order to ascertain the maintainability of a writ petition against a person or body of persons or company or corporation the identity of the said person or body of persons or company or corporation need not be looked into however, it has to be ascertained as to whether the said private body is at all discharging any public function that is to say that there must be a public law element in the action of the said person or body of persons, etc."

In view of the aforesaid, the writ petition was held to be

maintainable and on merits, it was held that there was no

difficulty to assess the loss suffered by the petitioner no.1-society

and direction was issued to Axis Bank and its

functionary to constitute a high level committee to determine

the loss.

53. This decision was subjected to challenge before the

Division Bench and on factual matrix, the Division Bench

refused to return a finding that the writ petition, as it stands,

is not maintainable as against the Axis Bank, as the writ

petition also sought relief against the RBI and the cause of

action of the writ petitioners against the RBI and Axis Bank

were inseparably intertwined.

However, Mr. Jagtiani pointed out to us that the reliance

placed upon the Circulars of the RBI are based on a footing of

the bank acknowledging its responsibility and wrong doing,

but the Axis Bank failed to acknowledge the alleged wrong

doing, as it was contesting the proceedings and it made a claim

that it was not liable or responsible for the alleged loss at this

stage. Though the Court refused to grant relief by observing

that since the writ petition involved disputed questions of fact

and the criminal case was yet to attain finality, and it would

not be prudent to quantify any loss or damage in proceedings

under Article 226 of the Constitution, however, as regards the

maintainability of the petition, the Division Bench observed


that it was not proposing to enter into an elaborate discussion

on the aspect of the maintainability of the writ petition.

The judgment of the Division Bench was carried to the

Apex Court and on 16/10/2025, the Apex Court directed that

the report of the Three Member Committee directed to be

constituted by the Single Judge, to be placed before it.

54. When the question that falls for consideration, whether a

writ petition is maintainable against a private party/body,

which is definitely not covered within the meaning of 'State' for

the purposes of Article 12 of the Constitution, when we turned

our attention to Article 226 of the Constitution, which is a

power of the High Court to issue writs to "any person or

authority" for enforcement of any of the rights conferred by

Part III or for any other purpose, it can be discerned that the

remedy of Article 226, being a public law remedy is available

against a private party or person, if such private body is

discharging a public function. As observed by the Apex Court

in Binny Ltd. (supra), a public function may not be susceptible

of a precise definition, but a private body discharges a public

function when it seeks to achieve collective benefit for the

public or section thereof and is accepted by the public or

section thereof as having authority to do so. The entities which


participate in social or economic affairs in the public interest,

definitely discharge public function.

55. Board of Control for Cricket in India Vs. Cricket

Association of Bihar & Ors.16 is an authority which has

pronounced upon the functions discharged by BCCI (Board of

Control for Cricket in India) and while holding that it is not

'State' within the meaning of Article 12, the Court pronounced

upon its amenability to judicial review in the wake of exercise

of power under Article 226 of the Constitution. Applying the

test laid down in Pradeep Kumar Biswas (supra), BCCI, an

autonomous, non-governmental private body formed under

T.N. Registration of Societies Act, 1975 was held to be not

financially, functionally or administratively dominated or

under the control of the Government so as to bring it within

the expression of 'State' in Article 12. However, since BCCI

regulated and controlled all aspects of game of cricket in India,

including conduct of matches, maintaining cricket amenities

and infrastructure and even choosing players and umpires and

in short, it held monopoly over the game of cricket in India, it

is held that the body was discharging public functions and,

hence, amenable to judicial review, despite it not being 'State'.

The Apex Court pronounced that even if BCCI is not 'State'

16 (2015) 3 SCC 251


within the meaning of Article 12, it may not make any material

difference in view of the admitted position that BCCI does

discharge several important public functions, which make it

amenable to the writ jurisdiction of the High Court under

Article 226 of the Constitution, as it enjoyed monopoly status

in the field of cricket though with no pervasive control and

despite the fact that all its functions were not public functions,

though they were not closely related to Government functions,

it was held to be amenable to writ jurisdiction in the wake of

the following observations.

"34. The functions of the Board are clearly public functions, which, till such time the State intervenes to takeover the same, remain in the nature of public functions, no matter discharged by a society registered under the Registration of Societies Act. Suffice it to say that if the Government not only allows an autonomous/private body to discharge functions which it could in law take over or regulate but even lends its assistance to such a non-government body to undertake such functions which by their very nature are public functions, it cannot be said that the functions are not public functions or that the entity discharging the same is not answerable on the standards generally applicable to judicial review of State action.

35. Our answer to Question (i), therefore, is in the negative, qua, the first part and affirmative qua the second. BCCI may not be "State" under Article 12 of the Constitution but is certainly amenable to writ jurisdiction under Article 226 of the Constitution of India."

56. The test of whether a body is performing a public

function and if it is amenable to judicial review would thus be

dependent upon the surrounding circumstances and the

nature of the function discharged by the private body.


Undisputedly, if a private body discharges its functions which

are contractual and commercial in nature, a writ cannot lie for

its enforcement, but if a private body performs public duty, it is

amenable to writ jurisdiction though all its decisions may not

be subjected to judicial review and only those decisions which

have public element can be judicially reviewed under writ

jurisdiction.

In the modern era it is difficult to draw a clear line

between the public and private functions discharged by a

private body, as if an entity is performing in a public arena,

and it involves public interest, it must definitely subject itself

to the exercise of power of judicial review by a writ court, as it

would be justiciable to exercise the power to prevent such

bodies from acting in an arbitrary manner. It is a different thing

to say that a body or entity is not a 'State' for the purposes of

Article 12, by applying the well determined test of the control

of the State, but when it comes to exercise of power of the writ

court to issue writ for enforcement of fundamental rights in

Part III of the Constitution or for any other purpose, it will be

necessary to see whether the discharge of the function by the

body/entity has any public element involved and in case,

where the bank like HDFC Bank, which conducts the banking


business under the aegis and control of the Reserve Bank of

India, being a scheduled bank and when the Reserve Bank in

exercise of its power has framed guidelines/Master Circular

for protecting the interest of the customers, who are likely to

suffer on account of frauds, by prescribing certain guidelines,

we do not find merit in the submission of Mr.Seksaria that for

enforcement of the said guidelines, a writ petition is not

maintainable. We, therefore, reject the preliminary objection

raised.

57. It is not for the first time that the Circular issued by the

Reserve Bank of India and the benefit available to a

customer/account holder of the bank came up for

consideration before the higher Courts and we have before us

the decision of the learned Single Judge of Gauhati High Court

in Pallabh Bhowmick (supra), where the benefit of RBI

Circular dated 06/07/2017 was claimed, when the petitioner, a

practicing Advocate, holding a saving bank account in the

State Bank of India, Gauhati Branch was duped of Rs.94,204/-

by three separate on-line transactions.

The Petitioner had made an online purchase of some

garment from the 'Louis Philippe' store, which he wanted to


return and get the money back. On 18/10/2021, he received a

call from a fraudster, who identified himself as Respondent

No.4 from State of Uttar Pradesh. Posing himself to be the

Customer Care Manager of the famous brand 'Louis Philippe',

he asked the petitioner to download a 'mobile app' for the

purpose of refund of Rs.4,000/- in lieu of return of a garment

purchased by him and when the petitioner did so, Rs.94,204/-

was siphoned off from his bank account by three separate

online transactions. An amount of Rs.64,017/- was transferred

by Payment Gateway transactions and two other transactions

of Rs.15,903/- each followed. The amounts were initially

transferred to the beneficiary account in the Federal Bank and

thereafter, shifted to the other bank accounts.

The petitioner immediately informed the customer

care centre of the SBI with request to cancel the three

transactions and on a complaint being registered, the SBI

Debit Card of the petitioner was also blocked. An FIR was also

filed with Jalukbari Police Station, which invoked Sections 417

and 420 of the Indian Penal Code. The petitioner made a

complaint to Branch Manager, Panbazar Branch of the SBI

informing him about the fraudulent transactions from his

bank account and he also lodged complaint with Cyber Crime


Cell of Criminal Investigation Department, Assam pertaining

to three transactions.

The petitioner received an e-mail from the respondent

No.3 informing that there has been illegal breach of their

customer database whereby, information regarding some of

the customers were released in cyber community, and

according to respondent No.3, the website of 'Louis Philippe'

was hacked when the petitioner had made online purchases on

05/10/2021.

58. With reference to the RBI Circular dated 06/07/2017

laying down guidelines for Customer protection-limiting

liability of the customers in case of unauthorised electronic

banking transactions, reference was made to various clauses

and in specific, clause 9 dealing with 'Reversal Timeline for

Zero Liability/Limited Liability of customer' in case of

unauthorised electronic banking transactions. The said clause

was construed and the opinion expressed by the learned

Single Judge reflected as below :-

"21. As per clause 9, which deals with reversal timeline of zero liability/limited liability of customers in case of unauthorized electronic banking transaction, it would be the discretion of the bank to waive off any customer liability even in case of negligence of the customer. From a conjoint reading of the aforementioned clauses of the circular, it can be inferred that in case of unauthorized electronic transactions the Bank would have a duty to reverse the payment and credit the amount involved in the unauthorized transaction within a time frame, provided the fraudulent transaction is reported by the Customer within the time frame provided in the Circular. In an appropriate case, even the negligence, if any, on the part of the customer, can be waived by the Bank.

22. ....Had the Bank installed effective cyber security system and online fraud control measures then in that event, even if a mobile app is downloaded by a customer, money could not have been transferred from the bank account without proper authorization. Regardless of whether it was a UPI or PG transaction, it is not believable that the petitioner would deliberately share his OTP, password and MPIN so as to allow his hard earned money to be siphoned off from the bank account by a fraudster, that too, on three consecutive occasions, in quick successions. Rather, the incident appears to be pure and simple case of cyber crime whereby, the fraudster had hacked the database of respondent No. 3 and thereafter, got access to sensitive information pertaining to various customers of "Louis Philippe" including the petitioner which information was used for completing the fraudulent transactions. The participation on the part of the petitioner appears to be only to the extent of downloading the mobile app. Although the respondent No. 2 has contended that the petitioner had shared OTP, password and MPIN with the fraudster, yet, the said claim could not be substantiated by the Bank. Nothing has been stated in the counter-affidavit filed by the respondent No. 2 to indicate as to when, how and in what manner the OTP, MPIN and password was shared by the petitioner with the fraudster. No material particulars of the complicity on the part of the petitioner have been furnished in the affidavit. Therefore, this court is of the view that the respondent No. 2 Bank has completely failed to establish any negligence on the part of the writ petitioner."

It was held that the online transactions that took place

from the petitioner's bank account were unauthorised and

fraudulent and no negligence on part of the petitioner could be

established by the bank and the case of the petitioner would

fall within the ambit of clauses 8 and 9 read with clause 10 of RBI

Circular dated 06/07/2017 and, therefore, the petitioner will

not have any liability in the matter and the bank was directed

to reverse the payment in the savings bank account of the


petitioner with liberty to recover the same from respondent

No.3, by initiating appropriate legal proceedings, if so advised.

59. The Division Bench of the Gauhati High Court upheld the

said decision, by recording that the incident appears to be pure

and simple case of cyber crime, whereby the fraudster has

hacked the database of respondent No.3 and got access to the

sensitive information pertaining to the customers of the bank,

which was used for completing the fraudulent transaction.

Recording that the participation of the petitioner appears to be

only to the extent of downloading the 'mobile app', it was held

that the bank had failed to establish any negligence on part of

the petitioner.

The observation of the Division Bench reads thus :-

"40. ...The Banks cannot absolve themselves of the liability towards losses suffered by the customers on account of unauthorized electronic transactions based on perceived negligence of the customers. In the present case, having considered the facts and circumstances of case and the materials available on record, we concur with the view of the learned Single Judge, that the appellant has failed to establish negligence on the part of the respondent no.1/petitioner leading to the fraudulent transactions. Thus, the learned Single Judge has rightly directed the appellant to deposit an amount of Rs.94,204.80/- (Rupees Ninety-four thousand two hundred four and Eighty Paisa) only, in the bank account of the respondent no.1/petitioner."

It is worth noting that the Hon'ble Apex Court while dismissing

the Appeal made very pertinent observations and we deem it

appropriate to reproduce the same.


"2. We are in complete agreement with the observations as contained in Para 42 of the impugned judgment referred to above.

3. All that the High Court has said is that the original petitioner who suffered the loss was not negligent in any manner. All transactions relating to the account of the respondent No.1 -herein maintained with the petitioner - Bank were found to be unauthorized and fraudulent. It is the responsibility of the bank so far as such unauthorized and fraudulent transactions are concerned. The Bank should remain vigilant. The Bank has the best of the technology available today to detect and prevent such unauthorized and fraudulent transaction. Further, clauses 8 and 9 respectively of the RBI's Circular dated 6-7-2017 make the position further clear.

4. We also take notice of the fact that within 24 hours of the fraudulent transaction, the customer, i.e., the respondent No.1 - herein brought it to the notice of the Bank.

5. We expect the customers, i.e., the account holders also to remain extremely vigilant and see to it that the O.T.P.s generated are not shared with any third party. In a given situation and in the facts and circumstances of some case, it is the customer also who could be held responsible for being negligent in some way or the other.

60. In yet another situation, the Delhi High Court in case of

Hare Ram Singh Vs. Reserve Bank of India & Ors. (W.P.(C)

13497/2022 decided on 18/11/2024), the issue raised, was

considered after pronouncing upon the objection regarding

maintainability of writ petition for implementing the

mandatory Master guidelines formulated by the RBI, the High

Court, in the background fact where the petitioner received an

SMS containing a link, and upon receipt of an SMS getting a

call convinced him to click on the link, so as to keep the SMS

service on his mobile number open and operational, was duped

of Rs.2,60,000/- by way of two transactions from his savings

bank account in the State Bank of India.


Upon realizing that he has been defrauded, the petitioner

dialled the Customer Care Department of the SBI and

registered a complaint, asking it to hold on the

transactions, but it was of no avail. He approached the

Banking Ombudsman, who rejected the complaint and,

thereafter, the petitioner preferred the writ petition. Dealing

with the objection about maintainability, the Delhi High Court,

concluded thus :-

"34. ...... In view of the respondent No.2 and 3/SBI's violations of the aforesaid mandatory Master Guidelines formulated by the respondent No.1/RBI, the maintainability of the instant writ is beyond any challenge. It must be indicated that the aforesaid guidelines are by and large measures that the REs or the banks have to undertake, and the said guidelines do not restrict an affected party to take legal recourse for redressal of their grievances. The transactions in question would resultantly fall within the sweep of "zero liability" as referred to in the aforesaid RBI Circulars. Therefore, respondents No. 2 and 3/SBI are liable to compensate the petitioner for the incurred loss, along with interest, and pay token compensation."

61. On merit, it is held that the petitioner was 'victim' of

cyber fraud and he was not negligent in any manner under the

notions of the civil law or for that matter under the criminal

law, the observation in para 21 is apposite to be reproduced,

which reads thus :-

"21. In my view, the petitioner was a 'victim' of cyber fraud and he cannot be said to be 'negligent' in any manner under the notions of the civil law or for that matter under the criminal law. Negligence implies "the duty to take care" that would be expected from a person of ordinary prudence. The negligent act on the part of the customer should be such which is gross, utterly reckless and unconscionable. In the present case, the petitioner had taken care not to share the OTPs, in fact he had no occasion to do so, and if that is the case, it would imply that even the most hyped 2 Factor Authentication ["2FA"] was breached as the same was not secure, which is directly attributable to deficiency in service provided by the respondent no.2 & 3 SBI."

62. Once again the RBI Circular on Digital Payment Security

Controls dated 18/02/2021 was invoked and the learned

Single Judge concluded thus :-

"33. Lastly, it is well established under the Common Law, that funds in a bank account belong to the bank, but the bank acts as an agent for the principal (the customer). Consequently, the bank cannot refuse to process an online transfer if it appears to be authorized by the customer, however, upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action. Unhesitatingly, there was patent deficiency in services on the part of the bank, inasmuch as the response of the bank was lukewarm, defective, and not prompt. The respondent No. 2 i.e., SBI failed to take immediate measures to take up the issue with the other REs to whom the online payment had been remitted."

Resultantly, a writ of mandamus was issued against the State

Bank of India to make payment of Rs.2,60,000/- to the

petitioner with interest @ 9% p.a. from the date when the fraud

was reported within four weeks along with costs for legal

proceedings.

We are informed that upon the matter being taken to the

Apex Court, stay of the order passed by the learned Single

Judge is granted subject to it tendering an FDR to the Registry

of the amount involved, with direction for its renewal.

63. Another decision in this regard is in case of Jaiprakash

Kulkarni (supra), where the Bombay High Court adopted a

similar stance when the petitioner, who maintained the bank


account, complained that on 01/10/2022 certain

entities/individuals were added as beneficiaries, without an

OTP being sent on registered mobile or registered e-mail IDs.

According to the petitioners, on 02/10/2022, the accountant of

the petitioner No.2-company informed the petitioners that he

had received several messages from respondent No.2

regarding total sum of Rs.76,90,017/- being debited in several

tranches to various unknown individuals by way of an online

transaction. Since 02/10/2022 was a Sunday and a public

holiday, the petitioners were certain that no transfer requests

were initiated by them or any authorised person, to realise

that money was illegally siphoned. Steps were taken by the

petitioners by addressing communication to the bank as well

as lodging of FIR. The petitioners even filed a complaint with

Ombudsman, which was rejected on the ground that the

transactions were completed post addition of the beneficiaries

and input of valid credentials/2FA was only known to the

account holder, and, therefore, there was no deficiency/lapse

on the part of the bank.

64. In light of the facts placed through the petition and the

counter submissions made by the bank, the Court held thus :-

"34. ....... In the light of these three categorical reports by the Cyber Cell, which have been made after receiving information from the mobile service provider Airtel and the email service provider, Rediff mail, we are unable to accept the submission of Respondent No.2 that there was any negligence on the part of the Petitioners or that they had colluded with the persons/fraudsters who had debited the bank account of the Petitioners. In our view, from the said three reports of the Cyber Cell it is clear that both the bank and the Petitioners have been victims of fraud by third party fraudsters."

65. Relying upon the Circular dated 06/07/2017 issued by

the Reserve Bank of India, and in specific, clauses (9) and (12)

thereof, the Division Bench concluded thus :-

"37. Both as per the said RBI Circular and the said Policy of Respondent No.2, a customer has zero liability when the unauthorized transactions occur due to a third party breach where the deficiency lies neither with the bank nor with the customer but elsewhere in the system and the customer notifies the bank regarding the unauthorized transactions within a certain time frame. Therefore, both as per the RBI Circular and the said Policy of Respondent No.2, the liability of the Petitioners in respect of the said unauthorized transactions would be zero as the unauthorized transactions have taken place due to a third party breach where the deficiency lies neither with Respondent No.2 nor with the Petitioners, as already held hereinabove on the basis of the said three Cyber Cell reports. In these circumstances, as per the RBI Circular and as per the Policy of Respondent No.2, the Petitioner is entitled to refund of the said amount from Respondent No.2. In this context, it is also important to note that, as per paragraph 12 of the RBI Circular, the burden of proving customer liability in case of unauthorized electronic bank transactions lies on the bank. In the present case, Respondent No.2 has no acceptable material to fasten any such liability on the part of the Petitioners. On the contrary, the three Cyber Cell Reports clearly show that the unauthorized transactions have taken place without any intimation to the Petitioners either on their mobile number registered with Respondent No.2 or on their email ID registered with Respondent No.2. For all the aforesaid reasons, Respondent No.2 will have to be directed to refund the amount illegally and unauthorizedly debited from the bank account of the Petitioners, to the Petitioners."

As a result, the order passed by the Banking Ombudsman was quashed and set aside and the Bank was directed to refund to the petitioner an amount of Rs.76,90,017/- within a period of six weeks from the date of pronouncement of the order with interest at the rate of 6% p.a. from 02/10/2022 till date of its payment.

66. In light of the aforesaid decisions, which ensured the implementation of the Circular issued by the RBI in form of Consumer Protection Policy, clearly providing that the customer's liability will be ascertained based on the time taken by the customer to report the unauthorized electronic banking transaction, and since the said circular has conferred certain right on the customer and if a customer has suffered loss due to third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and the customer has notified the bank immediately, he is entitled for reverting back the amount and share zero liability. If, however, the complaint is made within four to seven working days, the customer will share some responsibility and may not be entitled for remittance of the entire amount of which he is defrauded.

67. One significant feature of the RBI Circular is, that the burden of proving the customer's liability in case of unauthorized electronic banking transaction lies on the bank.

Mr.Seksaria has vehemently urged before us that in case of Jaiprakash Kulkarni (supra), the three cyber cell reports made reference to the unauthorized transactions having taken place, without any intimation to the petitioners, either on the mobile number or e-mail ID and that was the prime justification for the bank having been directed to refund the amount, which was unauthorizedly debited from the bank account of the petitioners. In the present case, according to him, there is no cyber report so as to establish that there was a cyber fraud and, therefore, no direction can be issued to the bank.

As regards this submission, we must mention that the whole object of the RBI issuing the circular/guidelines is to protect the customer, who has fallen prey to unauthorized transactions resulting in debit to his account/card, when the transaction is effected through electronic banking. The Reserve Bank of India has issued directions to all scheduled commercial banks for strengthening their system and procedure, by introducing various mechanisms, with an expectation that the system and procedure in the bank must be designed to make customers feel safe about carrying out electronic banking transactions and the RBI expected the Banks to adopt robust and dynamic fraud detection system.

One of the modes prescribed is the bank asking their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts for electronic banking transactions. The RBI has made it mandatory that SMS alerts shall be sent to the customers, while e-mail alerts may be sent, wherever registered and simultaneously the customer must be advised to notify their bank of any unauthorized electronic banking transaction at the earliest after the occurrence of such transaction, as longer time taken to notify the bank will pose high risk to the customer.

The banks are directed to provide customers with 24x7 access through multiple channels for reporting unauthorized transactions that had taken place and/or loss or theft of payment instrument such as card, etc. and the bank shall also enable the customers to instantly respond by 'Reply' to the SMS and e-mail alerts so that the customers are not required to search for a web page or an e-mail address to notify the objection. The swift action on part of the customers as well as the bank is specifically underscored by RBI, since it is most important in determining the extent of the customer's liability.

Keeping this aspect in view, the Reserve Bank has fastened zero liability on a customer, in case of third party breach when the deficiency lies neither with the bank nor with the customer, but lies elsewhere in the system and the customer notifies the bank within three working days of receipt of communication from the bank regarding unauthorized transactions.

68. In our view, the circular of the RBI dated 06/07/2017 is independent of any criminal investigation to be conducted to establish any cyber crime, as the RBI intended to protect the customer who has suffered financial loss on account of fraudulent or unauthorized electronic banking transactions. Without even a semblance of reference to any cyber investigation, the RBI deemed it appropriate to issue directions for limiting the liability of the customers in unauthorized electronic banking transactions and particularly, when the customer is not at fault. The burden to establish that the customer is at fault is on the bank and once a customer has notified the bank about the fraudulent transaction, from the date when he received communication from the bank, it is imperative for the bank to credit the amount involved in the unauthorized electronic banking transaction to the customer's account and if the reporting is within three days, then the liability of the customer is zero.

Since the burden of proving the customer's liability in respect of unauthorized electronic banking transaction is on the bank, we have to ascertain whether the HDFC Bank has discharged its burden.

69. Referring to the transactions through which the Petitioner had suffered a loss, it is the case of the Petitioner that he was using mobile service of BSNL and his mobile number and e-mail ID were registered with HDFC Bank for alerts and OTP. According to the Petitioner, on 14/07/2021, three beneficiaries were added to his savings and current account in Aundh Branch of HDFC Bank, the beneficiary account being maintained with HDFC Bank and ICICI Bank. The Petitioner received no intimation or OTP to validate addition of any of the beneficiaries. Wakad Police Station has confirmed that no SMS was received by the Petitioner.

The HDFC Bank has produced before us a list of SMS/E-mails containing OTPs sent to the Petitioner for addition of beneficiaries.

The text of the OTP logs annexed to the reply makes a reference to the message pushed by HDFC Bank through its different vendors engaged for the said purpose and this includes the vendors, ACLOTP, GupshupOtp and also A2WHTTPS.

The message pushed in respect of all the three beneficiaries is followed by the addition of the beneficiaries and the message pushed is, "------is your SECRET OTP to add payee Samir tamang, A/c No. ending in --- for Funds Transfer. Do not share it with anyone". Followed by this, within a few seconds is another message, "You have added/modified Funds Transfer Beneficiary samir tamang, A/c No. in HDFC Bank NetBanking for queries contact Bank." In respect of Aloke Pal, for the transaction at 03:03:37.515000 PM through GupshupOtp, the message shown is XXXXX. In fraction of seconds i.e. 03:04:08.940000 PM beneficiary Aloke Pal is added.

The aforesaid chart is only reflective of message being pushed, but not a proof of the message being received. Moreover, the record of the Full Text OTP logs is not produced before us as primary record, but it is a log prepared by the bank and in some cases, the message pushed is XXXXX.

It is the pleaded case of the Petitioner that he did not receive any SMS or e-mail and in any event, it is evident from the e-mail log, which is also produced alongwith the affidavit, that the e-mails do not contain any OTPs. More pertinent to note is the SMS and e-mails are alleged to be forwarded by third party vendors and it is difficult for us to admit its credibility, as there is no indication of any foolproof system of the vendor, and what is placed before us alongwith the reply affidavit is the log of OTP and e-mail with the status 'delivered (D) and sent (S)'.

Followed by the addition of beneficiaries, on 14/07/2021, unknown to the Petitioner, the third party transfer limit of Rs.4,00,000/- was increased to Rs.40,00,000/- and once again it is the case of the Petitioner that no intimation or OTP was received by him to validate the increase of transfer limit and the screen shots of the flexible Third Party Transfer (TPT) limits through net banking refer to the customer ID/user ID with a password PIN, which then reflected the balance in the savings account and increase in the amount of transfer limit. Once again, it is the case of the bank that the message of third party transfer limit being set at Rs.40,00,000/- was also intimated through OTP and the vendor has shown its status as 'delivered', with OTP being sent to increase the limit, and also about the limit being increased to Rs.40,00,000/-. Even for this transaction, we do not have the original message but only the log prepared by the bank, based on the information by the vendor, reflecting the status of the message as 'delivered'. The case of the Petitioner is, he never received the OTP/intimation.

70. Then comes 15/07/2021, when the Petitioner received an SMS alert from the bank that there was a transfer of Rs.2,14,000/- from his savings bank account and the Petitioner received the alert and logged on to the net-banking facility to check his account, as he received the SMS alert at 17:55 hours, to find that a sum of Rs.38,04,000/- was transferred from his two accounts by eight transactions between 15:06 hours and 15:47 hours i.e. within 41 minutes. Out of the eight transactions, in four transactions Samir Tamang is the beneficiary, in one transaction of amount of Rs.7,00,000/- Aloke Pal is the beneficiary and one Subhomoy Biswas is the beneficiary in three transactions. The Petitioner was debited to the sum of Rs.38,04,000/- from the three accounts despite his specific case that he never added the beneficiaries, and he never enhanced the transaction limit and the amount was never transferred by him in favour of the beneficiaries.

71. As soon as the Petitioner received an alert at 17:55 hours on 15/07/2021, at 18:03 hours, he addressed an e-mail to his Relationship Manager, Mr.Prashant Patil, apprising him of the unauthorized transactions and he even attempted to connect to HDFC's Toll Free Number, but was unable to do so. The Petitioner also made a request to the bank to block his accounts and on the next day, approached Wakad Police Station informing the police about the unauthorized transactions.

72. We have already reproduced the communications and the action taken by the bank immediately on the Petitioner alerting it. We have recorded the submissions of Mr.Seksaria and from reading of the same, it is evidently clear to us that the bank attempted to take steps by treating the complaint as urgent, but could do nothing as the amount was already debited from the Petitioner's account. The HDFC Bank has not produced before us any primary record of SMS/e-mail being forwarded to the Petitioner, but its vendors have merely prepared a log showing that every OTP was forwarded on the Petitioner's mobile.

73. The mobile number used by the Petitioner is 9422247109 and fortunately for us, Respondent No.5-BSNL has marked its appearance through a counsel and also filed an affidavit-in-reply.

The authorized signatory of BSNL through his affidavit dated 09/02/2026, has provided a clear clue as to what has transpired and how the money got debited from the Petitioner's account by manipulating the SIM card.

Submitting that the alleged amount was transferred from the two accounts of the Petitioner through eight different on-line banking transactions and thereafter withdrawn through ATMs, Respondent No.5, therefore, states that the transactions establish that the alleged fraud was executed through banking and ATM mechanism, and it categorically states that, on 12/07/2021, the SIM card of the number used by the Petitioner was replaced by its franchisee Sharma Communications.

As per Respondent No.5, Petitioner's mobile phone was stolen and that was the cause for replacement of the SIM card. The affidavit also states that for replacement of the SIM, there is manual verification of the photo ID with the subscriber and the procedure requires verification of self-attested documents of POI/POA with original documents and it is admitted that the certificate of verifying the same is signed by the franchisee M/s Sharma Communications and the replacement was done by manual verification.

When there was further replacement at Kalyan, once again it was allowed on the basis of loss of SIM accompanied with an application for replacement and it is categorically stated that there are two methods of verifying the identity when the SIM card is replaced, namely, (a) DKYC : Live photograph of subscriber and documents are uploaded and CAF Documents, and (b) EKYC : Biometric of the subscribers are captured and matched with Aadhaar Biometrics.

74. The document annexed with the affidavit of BSNL, in relation to the mobile number 9422247109 with the customer's name Subodh Chandrakant Korde has given the permanent address at Nashik.

The reason for replacement of SIM, is cited as 'SIM Lost' and the application is dated 14/07/2021. A perusal of the photograph placed on the SIM Swap/Replacement/Up-Gradation Form bears a photograph of a person Subodh Chandrakant Korde, which according to the Petitioner, is not his photograph, as the Aadhar Card at page No.10 reveals his identity through the photograph and what was annexed alongwith the application was a copy of the PAN card. It was also accompanied with the police report at Mira-Bhayandar, Vasai-Virar Police on 14/07/2021 with the complaint of loss of Samsung Phone bearing No.9422247109.

The affidavit has also annexed a SIM replacement application dated 12/07/2021 at Nashik, where it is informed that the handset is lost due to accident. By using the same PAN card and annexing the photograph of Sachin Subodh Korde, which according to the Petitioner, is not his son's photograph.

While responding to the notice received from Wakad Police Station, furnishing information with respect to the SIM replacement of BSNL mobile number, it is indicated that the SIM was replaced on four occasions through swap request received on 12/07/2021, 13/07/2021, 14/07/2021 and 15/07/2021 and the swap was completed on all these dates. In Nashik, the swap/replacement is undertaken through franchisee Sharma Communication, and in Chinchwad Pune, it is done through franchisee M/s Print Express and in Vasai Kalyan, it is done through CSC Vasai Kalyan and once again in Chinchwad, Pune when it was done on 15/07/2021 with the swap completed at 16:26:26 through M/s Print Express, Pune. In all the aforesaid transactions of SIM swap, the swap remark reflects 'Defect with SIM'.

75. The affidavit is accompanied with a certificate issued by JTO, Nashik stating that the first replacement happened on 12/07/2021 at Nashik CSC and subsequently it is restored in Pune CSC on 13/07/2021. While responding to Wakad Police Station, BSNL has furnished the information by stating that the SIM replacement was done as per customer request at BSNL Customer Service Center Chinchwad Pune on 13/07/2021, but again the SIM got faulty and, therefore, replacement was done on 15/07/2021 by M/s Print Express, Pune in presence of Subodh Chandrakant Korde alongwith his wife and the SIM replacement details are also offered. The name of the official who approved the SIM replacement and activated new SIM card is also offered to Wakad Police Station.

We have these SIM Swap details annexed and it would be most apposite to reproduce the same:-

"SIM swap details of BSNL Postpaid Mobile number 9422247109

S. NO. | SSA | BSNL CSC | GSM NO. | OLD SIM NO. | NEW SIM NO.
1 | NASIK | Canada Corner Nashik | 9422247109 | 8991667331212851959 | 8991660231411907666
2 | PUNE | Chinchwad Pune | 9422247109 | 8991660231411907666 | 8991669061412209680
3 | KALYAN | Vasai Kalyan | 9422247109 | 8991669061412209680 | 8991669061411787253
4 | PUNE | Chinchwad Pune | 9422247109 | 8991669061411787253 | 8991669061412210143

S. NO. | CUSTOMER NAME | SWAP REQUESTED DATE | SWAP COMPLETED DATE
1 | SUBODH CHANDRAKANT KORDE | 12.07.2021 12:50:20 | 12.07.2021 17:39:29
2 | SUBODH CHANDRAKANT KORDE | 13.07.2021 16:04:13 | 13.07.2021 17:09:00
3 | SUBODH CHANDRAKANT KORDE | 14.07.2021 12:44:22 | 14.07.2021 12:54:03
4 | SUBODH CHANDRAKANT KORDE | 15.07.2021 16.08.20 | 15.07.2021 16:26:26

S. NO. | POS CODE & DETAILS | POS C TOP UP
1 | MH19101 Franchisee Sharma Communications, Nashik | 9405996100
2 | MH22116 Franchisee M/s Print Express, Pune | 9405090990
3 | MH14400018 CSC Vasai Kalyan | 9405093075
4 | MH22116 Franchisee M/s Print Express, Pune | 9405090990

S. NO. | APPROVED CSC | APPROVED DATE | SWAP REMARKS
1 | 60150187- Shri.Lokesh Kumar Sharma JAO(CSC) | 12.07.2021 17:21:38 | SIM SWAP
2 | 198105118-Mrs. Chimmalagi Rama V. OSG (CSC) | 13.07.2021 16:54:27 | DEFECT WITH SIM
3 | 200402816-Smt Suvarna Jadhav, OSG, (CSC) | 14.07.2021 12:44:22 | DEFECT WITH SIM
4 | 198105118-Mrs. Chimmalagi Rama V. OSG (CSC) | 15.07.2021 16:09:45 | DEFECT WITH SIM

76. From the affidavit filed by BSNL, it is, therefore, clear that it is the case of SIM swapping.

SIM swapping is a technique used by criminals to obtain a duplicate or clone of a SIM card linked with a phone number to impersonate identity of line holders and gain access to their bank account by sending an SMS (OTP Code) used as two factors authentication. BSNL has stated in its affidavit that since an application was made for SIM replacement on the count that the mobile phone was lost, a new SIM is provided with the same number and from the affidavit of BSNL, it is evident that the SIM was replaced on four occasions, right from 12/07/2021 to 15/07/2021.

As far as the Petitioner is concerned, he admitted that there was some issue with his SIM card and he had approached the service provider on 15th i.e. on one occasion.

The Indian Cyber Crime Coordination Centre (I4C), which is operated through Ministry of Home Affairs, has floated national cyber crime helpline 1930 (Call Immediately To Report Fraud and Freeze Bank Accounts) and Sanchar Saathi Portal. The precautionary and safety tips and advisory from the Coordination Centre is, 'act on 'no signal'....if your phone suddenly loses signal unexpectedly, immediately contact your service provider'.

SIM swapping has received attention from the Ministry of Home Affairs as a sophisticated form of identity theft, where fraudsters take over a victim's phone number and this has been expressed to be a rising concern in India. The fraudsters collect personal details via phishing, social media or previous data leaks and they adopt procedure of impersonation. The fraudsters trick the mobile operator claiming the SIM is lost/damaged and request for a new one and in such a scenario, the victim's actual SIM loses connectivity (no network). The fraudsters then receive OTPs and banking alerts on the new SIM enabling them to drain bank accounts, often by bypassing two fold authentication. The net-banking frauds involve access to the bank account basic details and the mobile number and then approaching the service provider, impersonating the owner of the number with fake papers and a request to swap the SIM. After verification, the service provider deactivates the old SIM and the fraudsters get access to the new active mobile SIM, when the original one fails to operate, as a result all financial SMS, OTP alerts as regards the transactions arrive on new active card, which is in the hands of the fraudster.

This is precisely the methodology, which has been adopted here and this is evidently clear to us from the affidavit of BSNL, as the Petitioner has pleaded that he faced trouble in connectivity and even approached to his service provider and his SIM was replaced. That is the specific reason why the Petitioner did not receive any OTP on 14th or 15th when the beneficiaries were added or the financial limit of transaction was increased and the actual transaction took place on 15/07/2021 and it is obvious that the message must have been received on a cloned/duplicate SIM and the Petitioner did not receive any message/OTP.

In no case, we find that the Petitioner was careless or that he had shared the password with anyone and ultimately the burden is upon the bank to establish that he was careless or negligent, which the bank in our view, has failed to establish.

77. In consonance of the circular dated 06/07/2017, since the Petitioner has not contributed to the fraud nor he was negligent and he immediately reported about his accounts being debited, or he receiving only one message and that too, after a lapse of time and with the specific stand of the BSNL, reflecting that there was swapping of his SIM card, according to us, the Petitioner is a victim of cyber fraud. The transactions from his account, including addition of beneficiaries, increase of TPT limit and the debit of the amount from his two accounts through eight transactions were all unauthorized. Surprisingly, the Bank, despite the alert created, has not taken any serious steps and has adopted a stand simpliciter that it had discharged its obligations, once it sent OTPs. The Petitioner never received the OTPs nor did he receive any e-mail communication in respect of the unauthorized transactions.

The reason now is very clear, being that his SIM card was cloned/swapped and, therefore, somebody else other than him, has received the OTP and probably, shared the OTP so as to authenticate the transaction. The Petitioner, however, acted promptly, once he realised that some amount is debited to his account and he reported the matter to the higher officer and did whatever was possible to him to do. The Petitioner is, therefore, entitled for the benefit of 'zero liability', as we do not conclusively say that the Bank was deficient, but it appears that the Bank was casual in stating that it had sent the OTP and put the blame on the Petitioner, of being negligent in sharing the password, which the Petitioner never did.

78. We also note that not a single original log of sending messages or e-mails and its receipt by the Petitioner is placed before us on behalf of the Bank and merely some excerpts from the Log Book of private agency are placed before us to urge that the Bank has sent OTPs and e-mails, which in fact are never received by the Petitioner.

It is also pertinent to note that, as per the investigation report of the HDFC Bank, IP location of four transactions adding beneficiary and the transaction modifying the TPT limit is Chennai and the same IP location is to be found in respect of the transaction on 15/07/2021 right from 3:06:57 PM IST. The IP of the aforesaid transaction is different from the IP of the genuine transaction of the Petitioner, when it was compared against the transaction of July 4, 2021, the IP location being shown as Pune.

Therefore, the IP investigation of the Bank has clearly inferred that the disputed transaction IP does not match with the genuine transaction IP of the customer. Therefore, there is no merit in the stand of the Bank that somebody messed up with the device of the Petitioner or he shared the password as it is not uncommon for the fraudster to mimic device ID, but for all the unauthorized transactions, the IP is different than the genuine IP and the IP location is different than the genuine IP and this is also an indicator that the Petitioner has not done the transaction.

79. The internal investigation report, which has disclosed the reason that transaction not being alerted is very specific, namely, "Decline Add Payee-Blacklisted Accounts". The report also states that the Bank has automated risk based on authentication system, where the risk score is calculated based on the usage pattern of the customer, nature of transaction and other factors and high risk transaction is declined. But, in this case, the risk score was 691, hence it is not declined/alerted. The Bank has, therefore, clearly admitted that the transaction was not alerted and we find it surprising that Bank blames the Petitioner.

In Rider 3 of the investigation report, for every transaction, which according to the Petitioner is unauthorized, there is a report of 'not alerted' and despite this, the Bank has projected its case that in every situation, the OTP was sent. It is also evident from the internal investigation report that since the HDFC Bank was aware that no alert was created and has also set out the reasons, why it was not alerted because the account was described as "Blacklisted Account" and the customer could not be contacted, when the amount was debited, HDFC Bank itself made a request to ICICI Bank for reversal of the amount under the transactions.

It is, therefore, evident that the HDFC Bank attempted to take necessary steps and was conscious that no alert was created and when beneficiary addition attempt got alerted, the report discloses "tried calling the customer, but unable to establish contact". This is repeated in the transactions adding beneficiary and also when the transaction limit was enhanced. The alert was sounded since even according to the HDFC Bank, it was a super high value case and thus the officers in helm of affairs of the Bank immediately initiated the investigation.

80. In no case, we put the blame of the unauthorized transactions on the Bank, but when the fault is neither with the Bank nor with the customer/Petitioner, the RBI circular dated 06/07/2017 and in particular, the clause fixing zero liability on the customer gets triggered and the Petitioner is entitled for its benefit.

Though it is a contention advanced on behalf of the Bank that in absence of any investigation by the cyber cell or a conclusion being derived that a cyber fraud has been committed, the Bank cannot be fastened with the liability, but we refuse to accept the said contention. The whole purpose of the circular/guidelines issued by the RBI is to provide a buffer to a customer, who is diligent, and is not responsible for negligence or contribute to the fraud by sharing OTP/password and since, the Bank has failed to establish that the Petitioner did so, in our view, the Petitioner is entitled for the benefit under the circular of RBI dated 06/07/2017 and he deserves the amount of which he is deprived back in his account.

Since the Bank had denied him the benefit, despite clear directions from the RBI, we deem it appropriate to direct HDFC bank to remit the amount of Rs.38,04,000/- to the Petitioner's account within a period of eight weeks alongwith interest at the rate of 6% p.a., as for no fault of his, the Petitioner was deprived of his own money.

The HDFC Bank shall make the aforesaid remittance within a period of eight weeks and if it failed to do so within the aforesaid period, it shall carry interest at the rate of 8% p.a.

The Writ Petition is made absolute in the aforesaid terms.

(MANJUSHA DESHPANDE, J.) (BHARATI DANGRE, J.)
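
The indicators the Court relies on in paragraphs 74 to 79 (repeated SIM replacement, a newly added beneficiary, a tenfold transfer-limit increase, and a session IP location that differs from the customer's usual one) can be correlated before a transfer is released. The sketch below is an added illustration, not part of the judgment and not any bank's system; the telecom SIM-change feed, the thresholds, the event fields and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

FMT = "%d.%m.%Y %H:%M:%S"


def t(s):
    return datetime.strptime(s, FMT)


# "Swap completed" times from the BSNL table quoted in the judgment.
SIM_SWAPS = [t("12.07.2021 17:39:29"), t("13.07.2021 17:09:00"),
             t("14.07.2021 12:54:03"), t("15.07.2021 16:26:26")]


@dataclass
class Event:
    ts: datetime
    kind: str          # "ADD_PAYEE", "LIMIT_CHANGE" or "TRANSFER"
    ip_city: str
    payee: str = ""
    amount: int = 0    # rupees; for LIMIT_CHANGE this is the new limit
    old_limit: int = 0


# Constructed sample events. Dates, cities, limits and the 15:06-15:47 window
# follow the judgment; payee labels, the limit-change time, the 4 July entry and
# the pairing of amounts with times are made up for the example.
SAMPLE_EVENTS = [
    Event(t("04.07.2021 11:00:00"), "TRANSFER", "Pune", "payee-old", 10_000),
    Event(t("14.07.2021 15:04:08"), "ADD_PAYEE", "Chennai", "payee-A"),
    Event(t("14.07.2021 15:20:00"), "LIMIT_CHANGE", "Chennai",
          amount=4_000_000, old_limit=400_000),
    Event(t("15.07.2021 15:06:57"), "TRANSFER", "Chennai", "payee-A", 700_000),
    Event(t("15.07.2021 15:47:00"), "TRANSFER", "Chennai", "payee-A", 214_000),
]

# Assumed thresholds: policy choices, not values from the judgment or the circular.
SWAP_LOOKBACK = timedelta(hours=72)   # how long a SIM change taints SMS OTP
NEW_PAYEE_AGE = timedelta(hours=48)   # a payee younger than this counts as new
LIMIT_JUMP_FACTOR = 5                 # new limit at least 5x the old one


def assess(events, sim_swaps, home_city):
    """Return one dict per event with the reasons raised and the action taken."""
    payee_added = {}
    results = []
    for e in sorted(events, key=lambda x: x.ts):
        reasons = []
        swaps = [s for s in sim_swaps
                 if timedelta(0) <= e.ts - s <= SWAP_LOOKBACK]
        if swaps:
            reasons.append("SIM_SWAP_RECENT")
        if e.ip_city != home_city:
            reasons.append("IP_CITY_MISMATCH")
        if e.kind == "ADD_PAYEE":
            payee_added[e.payee] = e.ts
        elif e.kind == "LIMIT_CHANGE":
            if e.old_limit and e.amount >= LIMIT_JUMP_FACTOR * e.old_limit:
                reasons.append("LIMIT_JUMP")
        elif e.kind == "TRANSFER":
            added = payee_added.get(e.payee)
            if added is not None and e.ts - added <= NEW_PAYEE_AGE:
                reasons.append("NEW_PAYEE")
        if "SIM_SWAP_RECENT" in reasons:
            # An SMS OTP proves nothing about possession right after a SIM change:
            # hold the action and verify through a channel not tied to the SIM.
            action = "HOLD"
        elif reasons:
            action = "STEP_UP"
        else:
            action = "ALLOW"
        results.append({"event": e, "reasons": reasons,
                        "swaps_in_window": len(swaps), "action": action})
    return results


if __name__ == "__main__":
    for r in assess(SAMPLE_EVENTS, SIM_SWAPS, "Pune"):
        e = r["event"]
        print(e.ts, e.kind, r["action"], r["reasons"], r["swaps_in_window"])
```

Without the SIM-change feed the same events only reach `STEP_UP`, and an SMS OTP step-up is delivered to whoever holds the replaced SIM.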

 