<h1>Bank cannot recover SIM swap fraud losses from customers without proving liability in civil proceedings</h1>

<h3>Tony Enterprises; Tony Lites; Cherian C. Karippaparampil; Mindstrong HR Solutions Versus Reserve Bank of India; The Oriental Bank of Commerce; M/s. Vodafone Idea Limited; Union of India; Telecom Regulatory Authority of India; The South Indian Bank Limited; Housing Development Finance; Corporation HDFC Ltd; Bharat Sanchar Nigam Limited; Telecom Regulatory Authority of India</h3>

Kerala HC ruled that petitioners were not liable for unauthorized online banking transactions through SIM swap fraud. The court held banks cannot recover ...

Liability of petitioners for unauthorized online banking transactions effected through SIM swap fraud - fraudulent transactions by the third parties to withdraw money from their accounts online - HELD THAT:- The bank cannot claim any amount from the customer when a transaction is shown to be a 'disputed transaction'. The bank can recover from the customers only when it can unequivocally prove that the customer was responsible for such transaction, independently through the civil court. The RBI guidelines are a clear mandate to exonerate a customer in such 'disputed transaction'. RBI circular presumes the innocence of the customer in such given circumstances. However, this innocence can be controverted. The onus falls on the bank to prove otherwise.

In the present case, the police investigation prima facie established that fraud has been committed. The beneficiaries hail from West Bengal. There is nothing on record to establish any connivance on the part of the petitioners. The police investigation also would reveal that the accused obtained duplicate SIM cards by using fake identity cards. It was also brought out that the beneficiaries immediately withdrew the money from their bank accounts at West Bengal. In such circumstances, the transactions can be treated as 'disputed transactions'.
These transactions would fall within the sweep of zero liability as referred to in RBI Circular. The remedy of the bank in such circumstances is to approach the civil court and recover the amount from the persons who were responsible for such transactions. The amounts have been debited from the loan account of the petitioners. The petitioners cannot be held responsible for such debit without establishing through the civil court that they are responsible for such withdrawal from the loan account. If any amount deposited by the petitioners has also been transferred, in the same manner, that shall be restored to the petitioners without any delay at any rate within two weeks from the date of receipt of a copy of this judgment. These directions are issued without prejudice to the bank to proceed against the persons who are responsible for these transactions through civil court.

Conclusion - i) Petitioners are not liable for unauthorized online banking transactions effected through SIM swap fraud. ii) Banks cannot recover amounts from customers without independent proof of negligence or complicity. iii) Mobile service providers share responsibility for fraudulent issuance of duplicate SIM cards. iv) Banks' remedy lies in civil suits against fraudsters and service providers. Petition disposed of.

1. ISSUES PRESENTED and CONSIDERED

The core legal questions considered by the Court are:

Whether the petitioners bear any liability for unauthorized online banking transactions effected through SIM swap fraud.

The extent of the bank's liability in cases where fraudulent transactions occur due to SIM swapping and identity theft.

The applicability and interpretation of the Reserve Bank of India (RBI) circulars relating to zero liability of customers in unauthorized electronic banking transactions.

The role and liability of mobile service providers in issuing duplicate SIM cards fraudulently.

The scope of public law remedies under Article 226 of the Constitution in disputes involving fraudulent banking transactions.

The rights and remedies available to banks and customers in cases of disputed transactions involving fraud.

Whether the bank can recover amounts debited from the petitioners' accounts without independent adjudication when fraud is alleged.

The definition and treatment of a 'disputed transaction' in the context of unauthorized electronic banking transactions.

2. ISSUE-WISE DETAILED ANALYSIS

Issue 1: Liability of Customers for Unauthorized Transactions Due to SIM Swap Fraud

Relevant legal framework and precedents: The Court referred to the RBI master circular dated 6.7.2017 and subsequent circular dated 4.1.2019, which provide guidelines on customer liability in unauthorized electronic payment transactions. The Information Technology Act, Section 66, criminalizes identity theft involving fraudulent use of electronic signatures or passwords. The Court also relied on established principles from the House of Lords decision in London Joint Stock Bank Ltd. v. Macmillan and the Supreme Court decisions in Bihta Co-operative Development and Cane Marketing Union Ltd. vs. Bank of Bihar and Canara Bank vs. Canara Sales Corporation.

Court's interpretation and reasoning: The Court recognized SIM swap fraud as a form of identity theft where fraudsters obtain duplicate SIM cards by fraudulent means to intercept OTPs and gain unauthorized access to bank accounts. The Court emphasized that customers linked their online banking alerts to their mobile numbers, which were compromised by issuance of duplicate SIM cards without their consent. The Court noted that the RBI circulars presume zero liability on the part of the customer in cases of fraud not caused by contributory negligence or deficiency on the customer's part.

Key evidence and findings: Police investigations established that fraudsters obtained duplicate SIM cards by producing fake identity documents, accessed the petitioners' bank accounts via OTPs sent to the compromised mobile numbers, and transferred funds to multiple accounts in West Bengal and Maharashtra. The petitioners had no connivance in the fraud, and the amounts were immediately withdrawn by the fraudsters from beneficiary accounts.

Application of law to facts: Given the police findings and the nature of SIM swap fraud, the Court treated the transactions as 'disputed transactions' prima facie tainted by fraud. The RBI circular's zero liability principle applied, exonerating the petitioners from liability for unauthorized transactions. The Court held that liability cannot be imposed on customers without independent proof of their responsibility.

Treatment of competing arguments: The banks argued that transactions were authenticated by OTPs sent to the petitioners' registered mobile numbers and email addresses, implying customer authorization.
The Court rejected this argument, noting that OTPs were intercepted due to fraudulent SIM swaps, and authentication by OTP alone does not establish customer consent or negate fraud.

Conclusions: Customers bear zero liability for unauthorized transactions arising from SIM swap fraud where no contributory negligence is established. The burden is on the bank to prove customer responsibility, failing which the customer is exonerated.

Issue 2: Liability and Role of Banks and Mobile Service Providers

Relevant legal framework and precedents: The RBI circulars mandate banks to protect customers from unauthorized electronic transactions and provide guidelines on liability. The SARFAESI Act was discussed to delineate the bank's powers in enforcing security interests and the limits of such powers in fraud cases. The Court also referred to cybersecurity principles and the vulnerabilities inherent in online banking technology.

Court's interpretation and reasoning: The Court observed that banks have a fiduciary duty to protect customers' interests and ensure secure online banking systems. While technology offers convenience, it also exposes customers to hacking and fraud risks. Banks must implement robust security measures and counter technologies to detect and prevent fraudulent transactions. Mobile service providers' role is crucial as they issue SIM cards; fraudulent issuance of duplicate SIM cards facilitates SIM swap fraud.

Key evidence and findings: BSNL and Vodafone Idea Ltd., the mobile service providers, admitted issuance of duplicate SIM cards upon presentation of forged identity documents. The Court noted that the fraudulent SIM issuance was a key step enabling fraudsters to intercept OTPs and access bank accounts.

Application of law to facts: The Court directed impleading the mobile service providers to investigate their role in the fraud. It held that banks cannot recover amounts from customers without proving negligence or complicity.
The bank's remedy lies in civil suits against fraudsters and possibly against service providers for lapses.

Treatment of competing arguments: Banks contended that transactions were properly authenticated and customers were responsible for safeguarding credentials. The Court held that authentication via OTPs compromised by SIM swap does not establish customer fault. The mobile service providers' failure to verify identity properly contributed to the fraud.

Conclusions: Banks have a duty to secure online transactions and cannot shift liability to customers without proof of negligence. Mobile service providers share responsibility for preventing fraudulent SIM issuance.

Issue 3: Scope of Public Law Remedies under Article 226 and the SARFAESI Act

Relevant legal framework and precedents: The Court examined the scope of writ jurisdiction under Article 226 of the Constitution and the SARFAESI Act's provisions empowering banks to enforce security interests without court intervention. It distinguished contractual liability under SARFAESI from fraud allegations.

Court's interpretation and reasoning: The Court held that public law remedies under Article 226 are limited and cannot be used to adjudicate complex disputes involving contractual liability and fraud beyond the bank's public law duties. The SARFAESI Act applies to enforcement of security interests when a borrower defaults under a contract; it does not cover disputed transactions involving fraud. Allegations of fraud take the matter beyond SARFAESI's scope, requiring independent adjudication.

Key evidence and findings: The Court noted that amounts were debited from loan accounts of petitioners without their consent, and such debits cannot be presumed valid without civil court adjudication. The police investigation confirmed fraud, making the transactions disputed.

Application of law to facts: The Court ruled that banks cannot proceed under SARFAESI to recover amounts where fraud is alleged and must resort to civil suits.
Customers cannot be held liable under SARFAESI without proof of contractual default. The Court emphasized the need for independent adjudication of disputed transactions.

Treatment of competing arguments: Banks sought to rely on SARFAESI powers to recover amounts. The Court rejected this in light of fraud allegations and investigation reports.

Conclusions: SARFAESI powers are not applicable in cases of disputed transactions involving fraud. Public law remedies under Article 226 cannot substitute civil adjudication in such matters.

Issue 4: Definition and Treatment of 'Disputed Transactions'

Relevant legal framework and precedents: The Court referred to legal principles on fraud and contract, including the notion that transactions induced by fraud are voidable at the election of the defrauded party. It cited authoritative texts on fraud and relevant case law.

Court's interpretation and reasoning: A 'disputed transaction' is one prima facie tainted by fraud, supported by credible investigation reports. Mere customer challenge is insufficient; independent police or agency reports establishing unauthorized access and fraudulent transfer qualify a transaction as disputed. Such transactions attract zero liability for customers under RBI guidelines.

Key evidence and findings: Police reports confirmed unauthorized transfers via SIM swap fraud. No evidence of customer complicity was found. The transactions were therefore classified as disputed.

Application of law to facts: The Court applied this definition to the facts, holding that the transactions in question were disputed and customers bore no liability.

Treatment of competing arguments: Banks argued transactions were authenticated and valid. The Court found this insufficient given police findings and the nature of SIM swap fraud.

Conclusions: Disputed transactions are those tainted by fraud and supported by independent investigation.
Customers are exonerated from liability in such cases.

Issue 5: Remedies Available to Banks and Customers

Relevant legal framework and precedents: The RBI circulars provide guidelines on customer liability and bank responsibilities. Common law treats fraud as a tort and civil wrong, with criminal sanctions under statutory provisions. The Court cited RBI circular RBI/2018-19/101 dated 4.1.2019 limiting customer liability and preserving bank's rights to recover from fraudsters.

Court's interpretation and reasoning: The Court held that banks have remedies to recover losses from fraudsters through civil suits and criminal prosecution. Banks cannot recover amounts from customers unless negligence or complicity is proven. Customers may also sue banks for failure to secure systems. The RBI circulars do not extinguish civil rights or remedies but guide liability allocation.

Key evidence and findings: The Court noted that petitioners had lodged police complaints and FIRs, and investigations pointed to third-party fraudsters. Banks had debited loan accounts without independent proof of customer liability.

Application of law to facts: The Court directed banks to restore amounts debited from petitioners' accounts without delay and to pursue recovery from fraudsters through civil suits. Customers were protected under RBI guidelines with zero liability for disputed transactions.

Treatment of competing arguments: Banks' contentions on customer responsibility were not accepted without proof. The Court balanced interests of banks and customers, emphasizing trust and fiduciary duty.

Conclusions: Banks must restore amounts to customers in disputed transactions and pursue fraudsters separately. Customers enjoy zero liability unless negligence is proven.

3. SIGNIFICANT HOLDINGS

'No man is bound by a bargain into which he has been induced by fraud to enter, because assent is necessary to a valid contract.'

'If a customer suffers loss in connection with the transactions made without his junction by fraudsters, it has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, and the banks are, therefore, liable for the loss caused to their customers.'

'The bank cannot claim any amount from the customer when a transaction is shown to be a 'disputed transaction'. The bank can recover from the customers only when it can unequivocally prove that the customer was responsible for such transaction, independently through the civil court.'

'SARFAESI Act powers to enforce security interests do not extend to disputed transactions involving allegations of fraud; such matters require independent adjudication.'

'The RBI circulars provide for zero liability of customers in unauthorized electronic transactions except where contributory negligence is established, and do not preclude banks from pursuing civil remedies against fraudsters.'

'Banks owe a fiduciary duty to protect customers' interests in online banking and must implement adequate security measures to prevent fraud.'

'Mobile service providers are responsible for ensuring proper verification before issuing duplicate SIM cards; failure to do so facilitates SIM swap fraud.'

Final determinations:

Petitioners are not liable for unauthorized online banking transactions effected through SIM swap fraud.

Banks must restore amounts debited without customer authorization in disputed transactions.

Banks cannot recover amounts from customers without independent proof of negligence or complicity.

Mobile service providers share responsibility for fraudulent issuance of duplicate SIM cards.

SARFAESI Act enforcement is not applicable in fraud-disputed transactions.

RBI circulars mandate zero liability for customers in unauthorized transactions absent contributory negligence.

Banks' remedy lies in civil suits against fraudsters and service providers.