Delhi High Court: Bank Not Automatically Liable if Customer Denies Sharing OTP in Cyber Fraud Case

The Delhi High Court has held that merely because a customer denies sharing One-Time Passwords (OTPs), a bank cannot automatically be held responsible for losses arising from unauthorized online banking transactions.

The Court observed that under the Reserve Bank of India’s (RBI) 2017 guidelines, customers may also be considered negligent if they click suspicious links or use unknown applications that compromise their banking credentials.

What Was the Case?

The case involved a customer of the State Bank of India (SBI) whose savings account was allegedly subjected to cyber fraud.

According to court records, ₹2.60 lakh was withdrawn from the customer’s SBI account through two internet banking transactions on 18 April 2021.

SBI stated that the transactions were carried out using valid internet banking credentials and OTP-based two-factor authentication. The OTPs were successfully delivered to the mobile number registered with the customer’s account.

Customer’s Claim

The customer claimed that he received an SMS containing a suspicious link warning that his banking services would be discontinued if he did not click on it.

After clicking the link, he allegedly received alerts regarding unauthorized transactions from his account.

The customer argued that he never shared any OTP with anyone and therefore the bank should be held liable for the loss.

Banking Ombudsman’s Decision

The customer first approached the Banking Ombudsman.

The Ombudsman partly allowed the complaint and directed SBI to pay one-third of one disputed transaction amounting to ₹33,340.

The Ombudsman observed that the customer appeared to have become a victim of vishing fraud after clicking an unknown link.

Single Judge Ordered SBI to Refund Entire Amount

The matter later reached the Delhi High Court.

A Single Judge held SBI liable and directed the bank to refund the entire amount of ₹2.60 lakh along with interest.

The Single Judge concluded that the customer was not negligent and that the bank was responsible for the fraudulent transactions.

SBI Challenged the Order

SBI challenged the Single Judge’s decision before a Division Bench of the Delhi High Court.

The appeal was heard by Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia.

SBI argued that the Single Judge had wrongly assumed that since the customer denied sharing OTPs, the bank must be held liable.

What RBI’s 2017 Circular Says

While hearing the appeal, the Court examined the RBI Circular dated 6 July 2017 titled “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions.”

The Court noted that:

  • Customers enjoy “zero liability” when the fraud occurs due to a deficiency in the bank’s systems.
  • Customers may be held liable when the loss results from their own negligence.
  • Customer negligence is not limited to sharing OTPs or passwords.

High Court’s Observations

The Court observed that customer negligence can occur in several ways.

According to the Bench, customers may compromise their banking credentials by:

  • Clicking suspicious links,
  • Downloading unknown applications,
  • Ignoring security warnings, or
  • Exposing banking information to cyber criminals.

The Court clarified that the RBI circular uses sharing of payment credentials only as an example and not as the only form of negligence.

Therefore, merely denying that OTPs were shared cannot automatically make the bank liable.

Need for Technical Investigation

The Court further noted that important issues in the case required technical and forensic examination, including:

  • Whether the customer’s internet banking credentials were compromised after clicking the suspicious link,
  • Whether the customer was negligent,
  • Whether malware bypassed the bank’s security systems, and
  • Whether there was any breach in SBI’s banking infrastructure.

The Bench observed that these questions could not be conclusively decided in writ proceedings without proper technical evidence.

No Evidence of Failure in SBI’s Security Systems

The High Court noted that:

  • The customer admitted clicking the suspicious link shortly before the disputed transactions.
  • The transactions were completed using internet banking protected by two-factor authentication.
  • There was no evidence showing that SBI’s security systems had been compromised or bypassed.

The Court also distinguished the Kerala High Court judgment in Tony Enterprises v. RBI (2019), noting that the Kerala case involved clear findings of SIM swapping and identity theft, whereas no such findings existed in the present matter.

Delhi High Court’s Final Decision

The Division Bench disagreed with the findings of the Single Judge that the customer was not negligent and that the fraud occurred solely because of a deficiency on SBI’s part.

The Court held that such conclusions could not be reached without technical or forensic investigation.

Accordingly, the Delhi High Court allowed SBI’s appeal and set aside the earlier order directing the bank to refund ₹2.60 lakh to the customer.

Key Takeaway

The Delhi High Court has clarified that a customer’s simple denial of sharing OTPs does not automatically make a bank liable for unauthorized online transactions. Customer negligence may also include clicking suspicious links or engaging with unknown applications that compromise banking credentials.

Pradeep Singh

Pradeep Singh is a banking and finance expert covering financial markets, banking policies, and global economic trends. With a background in financial journalism, he brings in-depth analysis and expert commentary on market movements, government policies, and corporate strategies. His articles provide valuable insights for investors, entrepreneurs, and business professionals.