Context and adding unauthorized beneficiaries to the bank account
On 1 October 2022, unauthorized beneficiaries were added to the Petitioners' bank account without any OTP notification, and the following day, Rs. 76,90,017/- was debited through multiple transactions. The Petitioners promptly reported the incident to the Cyber Cell at Worli Police Station, Mumbai and blocked the associated SIM card. On 3 October 2022, they formally notified Respondent No.2 (the bank) and filed an FIR with the Cyber Crime Police Station. Subsequently, the Petitioners requested a Security Incident Report from the bank and sought an update on the refund process as per RBI’s Customer Protection Circular dated July 6, 2017. Despite follow-ups, the bank neither refunded the amount nor provided a satisfactory update. Consequently, the Petitioners filed a complaint with the Respondent No.1 on October 12, 2022, which was rejected on January 10, 2023, on the grounds that the transactions were completed with valid credentials known only to the account holder.
Issues involved
1) Unauthorized addition of beneficiaries and subsequent transactions from the Petitioners' bank account without any OTP being received, resulting in a financial loss of Rs. 76,90,017/-.
2) The Petitioners claimed that no OTP was received for adding the beneficiaries and that Respondent No.2 (the bank) failed to adhere to RBI guidelines on limiting customer liability in unauthorized electronic banking transactions.
3) Banking Ombudsman’s rejection of complaint, disregarding the absence of OTPs and the unauthorized beneficiary additions.
4) The Petitioners sought relief by quashing the Ombudsman’s decision and directing Respondent No.2 to refund the debited amount along with interest and compensation as per the RBI Circular.
RBI Regulations and Consumer Protection:
To address these issues, the Court relied on several important Rules and legal principles:
1) RBI Circular on Customer Protection (July 6, 2017): This circular is crucial in determining the liability of customers and banks in unauthorized electronic banking transactions. It mandates that banks must compensate customers for losses if the breach is due to third-party fraud and the customer has reported the fraud promptly without negligence on their part. The onus is on the banks to prove customer negligence or involvement.
2) Consumer Protection Policy (Unauthorized Electronic Banking Transactions): Under this policy, customers are not liable for losses due to third party breach, if they report unauthorized transactions promptly and there is no negligence on their part.
3) Two-Factor Authentication (2FA): This security measure requires two separate forms of identification (typically something the user knows and something the user has) to authorize a transaction. Failure to implement 2FA can be seen as a security lapse on the bank's part.
Analysis
Applying the above Rules to the facts, the Court scrutinized the actions and responses of both the petitioners and the bank:
1. Failure in Two-Factor Authentication: On 1 October 2022, unauthorized beneficiaries were added to Petitioner's account without any One-Time Password (OTP) or notification sent to his registered mobile or email. The next day, Rs. 76,90,017 was fraudulently debited through multiple transactions. The Cyber Cell’s investigation confirmed that no OTPs or transaction alerts were received by the petitioners, directly contradicting the bank’s claim that the transactions were authenticated through valid credentials and 2FA.
2. Petitioners’ Prompt Action: Upon discovering the fraudulent transactions, the petitioners promptly reported the incident to both the Cyber Crime Police and the bank on October 3, 2022. They lodged a First Information Report (FIR) and persistently sought redress from the bank, adhering to the RBI's guidelines for reporting unauthorized transactions. This quick reporting played a critical role in establishing their non-negligence and ensuring their claim for compensation.
3. Inadequate Inquiry by the Banking Ombudsman: The court highlighted the lacklustre approach of the Banking Ombudsman in investigating the fraud. The Ombudsman concluded there was no deficiency in the bank’s service without thoroughly examining whether the transactions were truly authorized by the petitioners. The ombudsman’s reliance on the bank’s assurance of 2FA being used, despite contrary evidence from the Cyber Cell, was deemed insufficient and negligent.
4. RBI’s Support on Zero Liability: The RBI’s affidavit supported the stance that in cases of unauthorized transactions due to third-party fraud, customers should have zero liability, provided they report the incidents promptly and have not contributed to the breach through their actions. The court found that the petitioners had acted diligently and there was no evidence of negligence or collusion with the fraudsters.
Our Observations:
The Bombay High Court’s decision in Jaiprakash Kulkarni vs Banking Ombudsman, Bank of Baroda & Others underscores the paramount importance of robust security measures and diligent customer protection practices in the banking sector. The Court quashed the Banking Ombudsman’s order and directed the Bank of Baroda to refund the fraudulently debited amount of Rs. 76,90,017 to the petitioners, with an interest of 6% per annum from 2 October 2022, until the payment date.
This ruling emphasizes several critical points:
1. Customer Protection: The judgment reaffirms the RBI’s guidelines on zero liability for customers in cases of unauthorized transactions due to third-party fraud. It is a strong reminder that customers must be shielded from losses incurred due to security lapses beyond their control.
2. Bank’s Accountability: The case highlights the necessity for banks to enforce stringent security protocols like 2FA effectively. Any lapses in these measures can expose banks to significant liabilities and damages.
3. Prompt Reporting and Vigilance: Customers are encouraged to report unauthorized transactions promptly. This timely action is crucial in limiting their liability and securing their rights to compensation under the RBI’s framework.
4. Need for thorough Investigation: The Court criticized the Banking Ombudsman’s inadequate investigation, stressing that thorough and diligent inquiries are essential when addressing claims of unauthorized transactions. This sets a precedent for more rigorous scrutiny in similar future cases.
We believe that this judgment is a crucial step in enhancing the protection of customers in the digital banking ecosystem. It sends a clear message to financial institutions about the importance of robust security measures and the necessity of transparent and thorough handling of fraud claims.
For customers, it reinforces the importance of vigilance in monitoring account activities and reporting suspicious transactions immediately. The court's decision serves as a significant precedent, potentially guiding future cases involving cyber fraud and unauthorized banking transactions.
As the digital landscape continues to evolve, the principles laid down in this case will be instrumental in shaping the policies and practices surrounding customer protection and cyber security in the banking industry.