Last Updated:
The bank also contended that Singh himself had clicked on a phishing link, enabling the attack.
The Court further held that the breach resulted from SBI’s failure.
The Delhi High Court has ruled in favour of a customer, directing the State Bank of India (SBI) to compensate Rs 2.6 lakh following a cyber fraud incident. The court found that the bank failed to adequately address the complaint of Hare Ram Singh, who was defrauded of the amount. SBI was found negligent in its duty to prevent fraudulent transactions, despite the customer’s attempts to seek redress.
Singh approached the Court after SBI refused to reimburse him, arguing that the disputed transactions were authorised through its internet banking system, which required One-Time Passwords (OTPs) for authentication. The bank also contended that Singh himself had clicked on a phishing link, enabling the attack. Singh, however, firmly denied sharing any OTPs and accused SBI of failing to act promptly despite his immediate notification of the breach.
Justice Dharmesh Sharma criticised SBI for its “glaring service deficiency,” highlighting the bank’s lack of urgency in addressing Singh’s complaint. The Court said that even after being alerted about the fraudulent activity, the bank failed to block the suspicious transactions, thereby neglecting its duty to protect the customer’s account.
The Court further held that the breach resulted from SBI’s failure to implement robust security measures as mandated by the Reserve Bank of India’s (RBI) Master Direction on Digital Payment Security Controls.
“It must be presumed that the monetary loss suffered by the petitioner is due to the bank’s inability to establish a system capable of preventing such unauthorized withdrawals,” the Court said.
The Court ruled that the disputed transactions fell under the “zero liability” framework outlined in RBI circulars. Consequently, SBI was ordered to compensate Singh with the full amount of Rs 2.6 lakh, along with 9% interest from April 18, 2021—the date Singh reported the fraud. Additionally, the bank was directed to pay Rs 25,000 in litigation costs.
This decision comes after Singh had initially filed complaints with both the Banking Ombudsman and the RBI. While the Ombudsman directed SBI to refund a partial amount of ₹33,000, Singh remained dissatisfied and escalated the matter to the High Court.
The Court reiterated that banks have an inherent duty to safeguard their customers’ funds and act with reasonable care upon detecting fraudulent activity. It criticised SBI for its inability to prevent the attack, which exploited vulnerabilities in its two-factor authentication (2FA) system through malware.
