2025 (4) TMI 944
X X X X Extracts X X X X
....ing to Rs 2,27,000/- with interest and; (iii) Pass any other necessary/appropriate directions in the matter as the Hon'ble Court may deem fit and proper in the interest of justice."

BRIEF FACTS:

2. Shorn of unnecessary details, the petitioner who is an academician aged about 55 years, became a victim of cyber fraud perpetrated through a 'vishing attack' i.e., a voice-phishing attack wherein innocent people are enticed over voice-call to divulge sensitive information pertaining to their bank accounts, which information is then misused by the unscrupulous attacker so as to wrongfully enrich himself monetarily.

3. Shorn of unnecessary details, the petitioner on 18.04.2021 at about 05.15 PM, received an SMS (Short Message Service) containing a link, upon receipt of which SMS he got a call from an unknown caller who convinced him to click on the said link contained in the SMS so as to keep the SMS service on his mobile number open and operational, and as soon as the unsuspecting petitioner clicked on the SMS link upon being prompted by the unknown caller/fraudster, an aggregate amount of Rs. 2,60,000/- was unauthorisedly withdrawn by way of two transactions in the sum of Rs. 1,....
....y point in time.

7. Pursuant thereof, the BO, New Delhi-II passed an order dated 20.10.2021, the relevant portion of which is reproduced herein under:

"2......It seems that the customer is a victim of vishing, he got defrauded when clicked an unknown link (copy of FIR attached). though the transaction are secured with 2 FA that is OTP, It has been observed that the customer is familiar with the INB application and POS transactions as he has been doing it earlier. The transaction of Rs. 160,000/- was made to One 97 communication which is not under BO purview... Sbi was advised to pay 1/3 of the amount of the disputed amount of Rs 100,000 /- i.e.33340/-

3. As the grievance raised by the complainant has been resolved by the bank or the concerned subsidiary of a bank with the intervention of the Banking Ombudsman, accordingly your complaint was closed under Clause 11(3)(a) of BOS-2006 as 'settled by the bank'. Please note that complaints closed under the aforesaid Clause are not appealable before the Appellate Authority in Reserve Bank of India. Details of BOS-2006 are available at our website www.rbi.org.in/commonman.

4. You may note that despite the rejection of your com....
....ed in the unauthorised transactions and to recover it from the person responsible.

11. Learned counsel for the respondent no.1/RBI challenged the maintainability of the present petition qua the RBI in as much as neither any cause of action nor any relief as against the RBI has been pleaded in the present petition. On merits, it is submitted that though the petitioner was indeed held to be a victim of 'vishing' by the 'BO', his case falls under clause (7)(b)(i) of the RBI circular dated 06.07.2017 as negligence on the part of the petitioner cannot be ruled out, considering that the disputed transactions were 2FA (Two Factor Authenticated) transactions i.e., they were carried out using the INB credentials and an OTP, thereby suggesting that the petitioner must have shared the OTP with the unknown caller. Alternatively, it is submitted that the BO is willing to reconsider and decide the present matter afresh if so directed by this Court.

12. Learned counsel for the respondent Nos. 2 and 3/SBI have challenged the maintainability of the present petition for lack of territorial jurisdiction. On merits, it is contended that the present matter involves disputed questions of facts pertain....
....0/- from his bank account, and while he was in the process of making a complaint to the SBI Customer Care vide reference No. 1800111109, a sum of Rs. 1,60,000/- was further withdrawn from his bank account as per another SMS received on his mobile.

16. In the said backdrop, it is significant to note that the petitioner categorically submits that he had never shared the OTPs, of which fact there is no specific denial by the respondents. In other words, although he did receive the OTPs, but the same were not shared with a third party. As the phishing/vishing phenomena in cyber attacks implies, the moment the link was clicked, the mobile phone of the petitioner got hacked and the OTPs passed on to the cyber fraudster, who then managed to withdraw aforesaid amount. At this juncture, it is pertinent to mention that respondent No.1 in its written submissions elaborates that based on the documentary evidence produced by the SBI, the 'BO' observed that INB was successfully logged in at 17:09:55 hours and 17:28:03 hours on 18.04.2021 and the OTPs were delivered to the petitioner's registered mobile No. 98XXXXXX78 on three occasions at 17:10:18, 17:28:15 and 17:29:42 on 18.04.2021 for approv....
.... lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower. Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank's Board approved policy. Banks shall provide the details of their policy in regard to customers' liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank's policy.

Burden of Proof

12. The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank."

19. A careful perusal of the aforesaid instructions would show that the burden of proving the customer's liability in case of unauthorized electronic banking, li....
....il to provide a satisfactory explanation for their inability to initiate a chargeback, reclaim, or block the amount despite the petitioner's prompt complaint to SBI Customer Care Service on the same day, within a few minutes from the transaction. Instead, they offer a weak justification, claiming that the relevant rules only apply to commercial banks, regional rural banks, and scheduled primary cooperative banks, and thus do not cover OCL.

23. The said defence is not fathomable and is belied from the subsequent RBI Circular dated 04.01.2019 vide No. DPSS.CO.PD.No.1417/02.14.006/2018-19 titled "Customer Protection- Limiting Liability of Customers in Unauthorised Electronic Payment Transactions in Prepaid Payment Instruments (PPIs) issued by Authorised Non-Banks", the relevant provision of which reads as under:

24. As for the case law referred to by the learned counsels for the respondents, the decision in the case of Raghabendra Nath Sen v. Punjab National Bank ([I(2015) CPJ 254]) was one where the ATM (Automatic Teller Machine) had been used by the customer, and therefore, it was held that there was no possibility of anyone withdrawing any cash through ATM even if one is able....
.... while the customer using online transaction, by the hackers, cannot be overruled in banking transaction. The bank can identify fraud risk and also devise mechanisms to protect customers. There are counter technologies to identify location behaviour of operators also. It is for the bank to secure the safety of online banking transactions."

26. It was further held that:

"20. Thus, it is clear that the bank cannot claim any amount from the customer when a transaction is shown to be a 'disputed transaction'. The bank can recover from the customers only when it can unequivocally prove that the customer was responsible for such transaction, independently through the civil court. The RBI guidelines is a clear mandate to exonerate a customer in such 'disputed transaction'. RBI circular presumes the innocence of the customer in such given circumstances. However, this innocence can be controverted. The onus falls on the bank to prove otherwise."

27. Reverting back to the instant matter, it is undeniable that customer care services play a crucial role in supporting bank customers with various concerns, including suspicious account activity, compromised debit/credit card security, and iss....
....curity and Performance (FSP) angles such as:

a) Necessary controls to protect the confidentiality of customer data and integrity of data and processes associated with the digital product/ services offered;

b) Availability of requisite infrastructure e.g. human resources, technology, etc. with necessary back up;

c) Assurance that the payment product is built in a secure manner offering robust performance ensuring safety, consistency and rolled out after necessary testing for achieving desired FSP;

d) Capacity building and expansion with scalability (to meet the growth for efficient transaction processing);

e) Minimal customer service disruption with high availability of systems/ channels (to have minimal technical declines);

f) Efficient and effective dispute resolution mechanism and handling of customer grievance; and

g) Adequate and appropriate review mechanism followed by swift corrective action, in case any one of the above requirements is hampered or having high potential to get hampered.

{bold portions emphasized}

31. The aforesaid Master guidelines under the title "Customer Protection, Awareness and Grievance Redressal Mechanism" inter alia vide Regulation (50)....