Customer notifying bank in time has zero liability due to third party breach through cyber fraud: Bombay HC

A division bench of Justices Girish S Kulkarni and Firdosh P Pooniwalla also quashed and set aside an order passed by the Banking Ombudsman on January 10, 2023. The said order had rejected a complaint filed by the petitioner firm on the ground that transactions were completed after addition of beneficiaries and input of valid credentials were known only to the account holder and therefore, there was no deficiency or lapse on the part of respondent bank.

The court passed a judgement in a plea by one Jaiprakash Kulkarni and Pharma Search Ayurveda Private Limited against an order passed by the Banking Ombudsman that refused to direct the bank to refund an amount of over Rs. 76 lakh allegedly defrauded from their account through cyber fraud. “This Petition deals with cyber fraud and is an example of how increasingly the innocent are becoming victims of cyber fraud,” the bench noted.

As per the plea, on October 1, 2022 certain entities or individuals were added as beneficiaries to the petitioner company’s bank account without any One Time Password (OTP) being sent to the petitioner on the registered mobile number.

The next day, on October 2, 2022, which was a Sunday and public holiday, Rs. 76.9 lakh was transferred from the petitioner’s account in Bank of Baroda to unknown  individuals through online transactions. After an accountant of the firm informed the petitioner that he received messages that the said amount was being debited in several tranches, they approached the police within a period of 30 minutes to one hour of the said transactions and informed the Cyber Cell at Worli Police station and concerned bank manager about the same.

The petitioners submitted that since October 2 was a Sunday and a public holiday, they were certain that no transfer requests were initiated by them and the amount was illegally siphoned from the said bank account. They also approached the bank seeking refund of the said amount.  As they did not receive the refund, they filed a complaint with the Bank Ombudsman, who rejected their plea, prompting them to approach the HC.

The bench referred to July 2017 of Reserve Bank of India (RBI) called ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions’ along with Bank of Baroda’s policy named ‘Consumer Protection Policy (Unauthorised Electronic Banking Transactions).

It noted, “A customer has zero liability when the unauthorised transactions occur due to a third party breach where the deficiency lies neither with the bank nor with the customer but elsewhere in the system and the customer notifies the bank regarding the unauthorised transactions within a certain time frame.”

Therefore, granting relief to the petitioners, the bench held that the “liability of the petitioners in respect of concerned unauthorised transactions would be zero as they have taken place due to  a third party breach where the deficiency lies neither with the bank nor with the petitioners, as already held on the basis of the three Cyber Cell reports (which held that beneficiaries were added to the bank account without any message or OTP received by petitioners).”