The Delhi High Court has ordered the State Bank of India (SBI) to compensate a 55-year-old academician for failing to detect the unusual logging activity of a fraudster who duped the victim by withdrawing ₹2.6 lakh from his account.

“It is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals that the petitioner suffered monetary losses,” Justice Dharmesh Sharma stated in his November 18 order. He noted that despite prompt intimation by the victim, Hare Ram Singh, about the account breach, the SBI customer service showed no urgency.

Mr. Singh alleged that on April 18, 2021, he received an SMS with a link, followed by a call from an unknown number asking him to click on the link to keep his SMS service operational.

The victim said that once he clicked the link, ₹2.6 lakh was unauthorisedly withdrawn through two transactions from his savings account.

Upon realising that he had been duped, Mr. Singh said he immediately reached out to the SBI customer care to register a complaint and hold the transactions, but to no avail.

Later, he filed a complaint with the SBI branch in Greater Noida and with the area police.

When the bank did not redress his grievance, Mr. Singh said he filed a complaint before the banking ombudsman, which, on October 20, 2021, asked the SBI to credit one-third of the disputed amount — ₹ 33,334.

The cyberfraud victim subsequently moved the court, relying on the Reserve Bank of India (RBI) guidelines on a framework for the reversal of erroneous debits arising from fraudulent or other transactions.

However, the reserve bank and the SBI contested the plea, arguing that negligence on the part of Mr. Singh could not be ruled out, as the transactions were two-factor authenticated (2FA). They were carried out using internet banking credentials and an OTP, suggesting that Mr. Singh had shared the OTP with the unknown caller, they claimed.

The court, however, rejected the argument, stating that the security protocols such as ‘2FA’ or OTP verification had been breached by a simple ‘malware’ deployed by the fraudsters.

“Evidently, the online banking service of the petitioner (Mr. Singh) was linked with his mobile number, which was being used to authenticate his banking transactions, and the security apparatus of the respondent bank failed to detect any unusual logging activity from a different Internet Protocol Address that was being used by the fraudsters,” Justice Sharma stated in his order.

“It has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals that the petitioner suffered monetary losses,” the court stated.

“The petitioner was a victim of cyberfraud, and he cannot be said to be negligent in any manner,” it added.

