Delhi High Court Orders SBI to Pay Compensation to Customer Who Lost His Money in Phishing Fraud
The Delhi High Court recently directed the State Bank of India (SBI) to compensate a customer, Hare Ram Singh, who lost ₹2.6 lakhs in a phishing attack. Singh’s savings account was fraudulently accessed and that amount was withdrawn. Although he promptly notified the bank, Singh did not receive the necessary assistance from SBI.
Customer’s Complaint and SBI’s Response
Singh reported the fraudulent activity immediately to SBI’s customer care and branch manager but received no help. Later, SBI rejected his claim on two grounds:
- The transactions were completed using the internet banking system, requiring one-time passwords (OTPs) that Singh allegedly provided.
- Singh had clicked on a phishing link, which compromised his account.
However, Singh denied sharing any OTPs, contradicting SBI’s claims.
Court’s Findings
Justice Dharmesh Sharma ruled in favor of Singh, highlighting SBI’s “glaring service deficiency.” The Court observed that:
- Singh had promptly reported the breach, but SBI failed to act swiftly to block the fraudulent transactions.
- SBI neglected its responsibility to exercise due care and urgency in responding to Singh’s complaint.
The Court emphasized that the bank’s inability to prevent such fraud reflected a failure in its system. It held SBI accountable for not adhering to the Reserve Bank of India’s (RBI) Master Direction on Digital Payment Security Controls, which outlines measures to safeguard against security risks.
‘Zero Liability’ Under RBI Guidelines
The Court stated that the fraudulent transactions fell under the “zero liability” clause outlined in the RBI guidelines. As a result, SBI was held liable to compensate Singh for the full amount lost, along with interest and token compensation.
Compensation Ordered
The Court directed SBI to:
- Pay Singh the lost ₹2.6 lakhs.
- Add 9% annual interest, calculated from April 18, 2021, the date the cyber fraud was reported.
- Pay an additional ₹25,000 as litigation costs.
Background of the Case
Before approaching the High Court, Singh had filed a complaint with the Banking Ombudsman and notified the RBI. The Ombudsman directed SBI to refund ₹33,000 to Singh but closed the case without addressing the full amount. Dissatisfied, Singh moved to the High Court for complete relief.
Implied Duty of Care by Banks
The Court underlined that banks have a legal duty of care towards their customers. It explained that while banks must process transactions authorized by customers, they are also obligated to act promptly upon detecting fraudulent activity.
“It is well established under Common Law that while funds in a bank account belong to the bank, the bank acts as an agent for the customer. Consequently, the bank must exercise reasonable care and act swiftly in cases of fraud,” the Court noted.
Security Failures Highlighted
The Court criticized SBI’s security systems, pointing out that the bank’s two-factor authentication (2FA) process, including OTP verification, was compromised by malware used by the cybercriminals. It also acknowledged that Singh could not be held responsible for the phishing attack, as he had categorically denied sharing any OTPs.
The Court further remarked that cyber fraud can happen to anyone, irrespective of their education or experience, and praised Singh for promptly reporting the incident, even though the transaction had already been processed. This ruling reinforces the responsibility of banks to prioritize customer protection and swiftly address fraudulent activities to prevent financial losses.