Indian Kanoon - Search engine for Indian Law

Gauhati High Court

Pallabh Bhowmick vs The Ombudsman on 30 September, 2022

Author: Suman Shyam

Bench: Suman Shyam

                                                                  Page No.# 1/19

GAHC010051612022




                         THE GAUHATI HIGH COURT
  (HIGH COURT OF ASSAM, NAGALAND, MIZORAM AND ARUNACHAL PRADESH)

                         Case No. : WP(C)/1900/2022

         PALLABH BHOWMICK
         S/O LATE P.R. BHOWMICK, R/O HOUSE NO. 2, HILL SIDE COLONY, GATE
         NO. 1, MALIGAON, GUWAHATI, P.O.-MALIGAON RAILWAY
         HEADQUARTER, P.S.-JALUKBARI, PIN-781011



         VERSUS

         THE OMBUDSMAN, RESERVE BANK OF INDIA AND 3 ORS
         STATION ROAD, GUWAHATI-781001

         2:THE BRANCH MANAGER
          STATE BANK OF INDIA
          PANBAZAR
          MG ROAD
          KAMRUP(M)
          PIN-781001

         3:LOUIS PHILIPPE
         A DIVISION OF ADITYA BIRLA FASHION AND RETAIL LIMITED
          REPRESENTED BY ITS VICE PRESIDENT AND SALES DIRECTOR
          HAVING ITS REGISTERED OFFICE AT DIVYASHREE 77 TOWN CENTRE
          KH NO. 118/110/1
          BUILDING 2
         YEMALUR POST
          BENGALURU-560037

         4:PAPENDER KUMAR
          C/O BHAGIRATH SINGH
          R/O BIJNOR
          UTTAR PRADESH-246764

         5:DCP (CRIME)
                                                                                     Page No.# 2/19

             KAMRUP(M)

For the Petitioner:          Mr. Pallabh Bhowmick (petitioner in person).

For the Respondent:        Mr. A. Parvez, SC, SBI.

THE HON'BLE MR. JUSTICE SUMAN SHYAM Date of hearing : 13/09/2022.

Date of judgement          : 30/09/2022.

                             JUDGEMENT AND ORDER (CAV)

1. Heard Mr. Pallab Bhowmick, the writ petitioner appearing in person. I have also heard Mr. A. Parvez, learned Standing Counsel, State Bank of India (SBI), appearing on behalf of the respondent no. 2 and Mr. D. Nath, learned Senior Government Advocate, Assam, appearing on behalf of the respondent no. 5. None has appeared for the other respondents.

2. By filing this writ petition, the petitioner, who is an Advocate practicing before this court, has primarily assailed the order dated 07/03/2022 (Annexure-11) issued by the respondent no.1 i.e. the Ombudsman, Reserve Bank of India, Guwahati, rejecting the complaint made by the petitioner pertaining to the claim of refund of the fraudulent transactions of Rs. 94,204/- made from his bank account on 18/10/2021.

3. The brief facts of the case, as projected through the pleadings, are that the petitioner is holding a Savings Bank (SB) Account bearing No. 10823993373 with the State Bank of India(SBI), Guwahati Branch. The petitioner had made a online purchase of some garment from the "Louis Philippe" store which he wanted to return and get the money back. On 18/10/2021, the petitioner had received a call from a fraudster, who was later identified as the respondent no. 4 viz Papendra Kumar from the State of Uttar Pradesh. Posing himself to Page No.# 3/19 be the customer care manager of the famous brand "Louis Philippe" i.e. the respondent no. 3, the fraudster had asked the petitioner to download a 'mobile app' for the purpose of making a refund of Rs 4000/- in lieu of return of a garment earlier purchased by him. Bonafide believing that the call was from the customer care department of "Louis Philippe" the petitioner had downloaded the 'mobile app'. Soon thereafter, a sum of Rs. 94,204/- was siphoned off from the bank account of the petitioner by three separate online transactions. An amount of Rs. 64,017/- was transferred from the bank account of the petitioner by Payment Gateway (PG) transactions. Immediately thereafter, two other transactions took place for the amounts of Rs. 15,093/- each. As per the averments made in the writ petition, the aforesaid fraudulent transactions took place on 18/10/2021 through mobile phones bearing numbers +91 7789956974 and +91 9188762299. The amounts were initially transferred to the beneficiary account in the Federal Bank and thereafter, shifted to other bank accounts.

4. The petitioner claims that on 18/10/2021 itself, he had informed the customer care centre of the SBI with a request to cancel the three transactions. Based on his information the SBI customer care cell complaint bearing numbers 69889484 and 69689706 were registered and the SBI debit card of the petitioner was also blocked. On 18/10/2021, the petitioner had lodged an FIR with the Jalukbari Police Station reporting the incident, based on which, Jalukbari PS Case No. 1229/2021 was registered under Sections 417/420 of the IPC. On 19/10/2021, the petitioner had made a complaint before the Branch Manager, Panbazar Branch of the SBI informing him about the fraudulent transactions from his bank account made on 18/10/2021.The petitioner had also lodged three complaints with the Cyber Crime Cell of Criminal Investigation Department (CID), Assam Police vide acknowledgement Page No.# 4/19 numbers 30410210067207, 30410210067210 and 30410210067509 pertaining to the three transactions. It also appears that the petitioner had reported the matter to the National Cyber Crime Reporting Portal (NCCRP) of the Ministry of Home Affairs, which was also received vide acknowledgement No. 20410210143122. According to the petitioner, even after receipt of the complaint dated 19/10/2021, the respondent no. 2 bank did not take any action so as to prevent the fraudulent transactions or to recover the amount from the recipient bank.

5. On 16/01/2022, the petitioner had received an e-mail from the respondent no. 3 informing that there has been illegal breach of their customer database whereby, information regarding some of the customers were released in some cyber community and the same happened during the period from 26/03/2021 to 01/12/2021. According to the respondent No.3, the website of " Louis Philippe" was hacked when the petitioner had made online purchases on 05/10/2021.

6. The petitioner had also made an online complaint before the respondent no. 1 as per the Reserve Bank of India - Integrated Ombudsman Scheme, 2021. The petitioner's complaint was received vide acknowledgement No. 202122008004685 dated 15/02/2022.After the complaint lodged by the petitioner was registered before the respondent No1, the respondent No. 2 had sent an e-mail reply dated 24/02/2022, which was forwarded by the respondent no. 1 to the petitioner on 25/02/2022. In the said e-mail, it was mentioned that the complaint made by the petitioner had been received pertaining to the unauthorized transactions of Rs. 94,204/- done on 18/10/2021. On 04/03/2022, the petitioner was also forwarded with a copy of the response received from the Federal Bank, wherein it was mentioned that the fraudster i.e. the respondent no. 4 had his account bearing No. 77770101374417, wherefrom one UPI transaction of Rs. 64,017/- was initiated from the Page No.# 5/19 account of the petitioner lying with the SBI and the amount was credited in the Neo Bank Jupitar Savings Account operated in the name of the respondent no. 4. Thereafter, the respondent no. 4 had transferred the above amounts to other bank accounts by means of UPI transaction and as of now, there was no balance lying in the beneficiary account of the respondent no. 4.

7. On 25/03/2022, the petitioner had submitted his response to the e-mail dated 24/02/2022. On 07/03/2022, the Central Receipt and Processing Centre (CRPC) of the RBI had sent the verdict of the respondent no. 1 with regard to the complaint of the petitioner holding that the Bank was not liable to compensate as the fraud took place due to the negligence of the petitioner. The findings and observations at paragraph 2 of the order dated 07/03/2022 would be relevant for the purpose of this case and, therefore, is being reproduced herein below for ready reference :-

"2. The bank has submitted their version dated 24/02/2022 stating "the complaint pertains to the unauthorized transaction of Rs. 94204/- done on 18/10/2021. The amount of Rs. 64017/- was withdrawn via UPI and transferred to a Federal Bank beneficiary (attached). Amount of Rs. 30,186.8 was withdrawn via PG transaction. OTP logs are attached for the PG transactions. The UPI transaction cannot be executed without the registered mobile number and secret MPIN. The PG transactions cannot be executed without the card details and validation of OTP. We have to submit that the transactions were executed due to the customer's negligence. As per circular No. RBI/2017-18/15 DBR No.Leg.BC.78/09.07.005/2017-18 dated July 6, 2017 Section 7(i): In cases where the loss to the customer is due to negligence by the customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transactions to the Bank."

The query was raised with the SBI and they have replied now stating "The transactions were successful and authorized via OTP and MPIN. Hence, the CRM complaint was closed as successful transactions. The bank is not liable to pay any compensation as it was the customer's negligence due to which the transaction took place. The bank would have been liable to pay had there been any further monetary loss after reporting by the customer. There was no monetary loss after the customer reported to the bank. Therefore, the customer's claim is not acceptable."

Hence, no deficiency could be attributed to the service of the bank under Clause 10 of the Reserve Page No.# 6/19 Bank- Integrated Ombudsman Schejme,2021."

8. The respondent No. 2 has filed counter-affidavit in this case inter- alia contending that after receiving the complaint of fraud on 19/10/2021, the bank had taken necessary action. It has also been stated that the amount of Rs 64,017/- was withdrawn via UPI and transferred to Federal Bank beneficiary. The amount of Rs 30,186/- was withdrawn via Payment Gateway (PG) transaction. The respondent No 2 has stated in the affidavit that UPI transaction cannot be executed without registered mobile number and secret MPIN whereas, transaction through PG cannot be completed without card details and validation through One Time Password (OTP). According to the respondent No.2 all the transactions were successful and authorized through OTP and MPIN. As such, the CRM complaint of the petitioner was closed as successful transaction. The respondent number No. 2 has further contended that the loss, if any, suffered by the petitioner was due to his own negligence in operation of UPI and PG transaction and therefore, the bank was not liable to compensate the petitioner.

9. Referring to the order dated 07/03/2022 passed by the respondent no.1, Mr. Bhowmick has argued that although he had downloaded the 'mobile app' under the circumstances narrated in the writ petition,yet, he had never shared any OPT, password, MPIN or other credentials of his bank account with the fraudster. The money was transferred on-line with the help of technology which was beyond his comprehension. Therefore, it is a case of fraud and not case of negligence on his part. Mr. Bhowmick has also submitted that the basis of the order dated 07/03/2022 is clearly erroneous. By referring to the Standing Circular of the Reserve Bank of India (RBI) pertaining to the liability of the Bank in such matters, the petitioner has contended that since it is a clear case of fraud, hence, the bank Page No.# 7/19 would be liable to refund the amount.

10. Mr. Parvez, learned counsel for the respondent no. 2, on the other hand, has argued that in case of UPI transactions, the Bank does not have any responsibility and the said position would be established from the terms and conditions of UPI transactions, which is signed by every customer. In so far as the subsequent two transactions involving a total amount of Rs. 30,186.8 is concerned, Mr. Parvez submits that those were withdrawn via Payment Gateway (PG) transactions with the help of MPIN furnished by the petitioner. According to Mr. Parvez, the fraud took place due to the negligence of the petitioner inasmuch as he had shared the credentials of his account with the fraudster. Therefore, the Bank did not have any liability in this case.

11. I have considered the rival submissions and have also gone through the materials available on record.

12. It is the admitted position of fact that the petitioner was enjoying net banking facility provided by the SBI in respect of his savings account. It is not in dispute that on 18/10/2021, an amount of Rs. 94,204.80 was un-authorizedly transferred from the SBI account of the petitioner through internet banking. There is also no dispute about the fact that the three transactions, which took place on 18/10/2021, were all fraudulent transactions and the petitioner never intended to transfer any amount to the fraudster. The only issue that would arise for decision of this Court in this case is as to whether the respondent no. 2 Bank would be liable to compensate the petitioner for the loss of a sum of Rs. 94,204.80/- owing to the fraudulent transaction or is it a case of negligence on the part of the petitioner.

13. Both the sides have placed heavy reliance on the Standing Circular of the RBI dated 06/07/2017 in support of their respective claims. The petitioner has relied upon Clauses 9 and Page No.# 8/19 10 of the RBI Circular to submit that it was the Bank's responsibility to resolve the controversy in a time bound manner and having failed to do so, they would now have to compensate the petitioner. The learned counsel for the respondent no. 2, on the other hand, has relied upon clause-7 of the Circular to submit that the incident took place due to the negligence of the customer and, therefore, the bank has no liability in the matter.

14. The RBI circular dated 06/07/2017 lays down certain guidelines for Customer protection- limiting liability of the customers in case of Un-authorized Electronic Banking Transactions. The said circular is made applicable to all Commercial Banks, Small Finance Banks and Payments Banks. Clauses 7 to 10 of the circular dated 06/07/2017 would be relevant for the purpose of this case and therefore, those are being reproduced here-in below for ready reference :-

15. Clause -7 of the Circular dated 06/07/2017 reads as follows :-

"7. A customer shall be liable for the loss occurring due to unathorised transactions in the following cases:

(i) In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the report of the unauthorized transaction shall be borne by the bank.

(ii) In case where the responsibility for the unauthorized electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower.

Table 1 Maximum Liability of a Customer under Paragraph 7(ii) Type of Account Maximum liability (Rs) · BSBD Accounts 5,000 · All other SB Accounts Page No.# 9/19 · Pre-paid Payment Instruments and Gift Cards.

    ·        Current/Cash Credit/Overdraft Accounts of MSMEs 10,000
    ·        Current Accounts/Cash Credit/Overdraft Accounts
    of Individuals with annual average balance (during 365
    days preceding the incidence of fraud)/limit up to Rs. 25
    lakhs.
    ·        Credit cards with limit up to Rs. 5 lakhs
    ·        All other Current/Cash Credit/Overdraft Accounts.    25,000
    ·        Credit cards with limit above Rs. 5 lakhs

Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the Bank's Board approved policy. Banks shall provide the details of their policy in regard to customers' liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank's policy. "

16. Clause 8 reads as follows:-

"8. Overall liability of the customer in third party breaches, as detailed in paragraph 6(ii) and paragraph 7(ii) above, where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, is summarized in the Table 2 :

Table 2 Summary of Customer's Liability Time taken to report the fraudulent transaction Customer's Liability (Rs) from the date of receiving the communication Within 3 working days Zero liability Within 4 to 7 working days The transaction value or the amount mentioned in Table 1, whichever is lower.

Beyond 7 working days As per bank's Board approved policy.

The number of working days mentioned in Table 2 shall be counted as per the working schedule of the home branch of the customer excluding the date of receiving the communication .

17. Clause 9 lays down as follows :-

Reversal Timeline for Zero Liability/Limited Liability of customer Page No.# 10/19

9. On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorized electronic transaction to the customer's account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decided to waive off any customer liability in case of unauthorized electronic bank transaction even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorized transaction."

18. Clause -10 of the RBI circular casts certain duties upon the bank, which are as follows :-

"10. Further, banks shall ensure that :

(i) A complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the bank's Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions of paragraphs 6 to 9 above;

(ii) Where it is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the compensation as prescribed in paragraphs 6 to 9 is paid to the customer; and

(iii) In case of debit card/bank account, the customer does not suffer loss of interest, and in case of credit card, the customer does not bear any additional burden of interest."

19. From a reading of the relevant provisions of the RBI circular what can be seen is that clause 8 deals with third party breaches where the deficiency lies neither with the Bank nor with the customer but lies elsewhere in the system. As per Clause 6(ii), the liability of the customer in such cases would be zero when the customer notifies the bank within three working days of receiving the communication from the bank regarding un-authorized transaction.

20. "Third party breach" is not a defined expression under the RBI circular dated 06/07/2017. Yet, it appears from the plain language employed in clause-8 that in case of un- Page No.# 11/19 authorized electronic banking transaction occurring due to third party breaches i.e where the deficiency neither lies with the customer or the bank, the customer liability will be "zero" if the fraudulent transaction is reported within three working days from the date on which the customer receives the communication. In the present case, even if it is assumed that the fraudulent transaction had taken place due to "third party breach" i.e. breach in the customer data base of the respondent No 3, even then, the fraud/ un-auhtoriozed transaction was reported to the Bank on 19/10/2021 i.e within one working day. Therefore, as per clause -8 of the RBI circular, the liability of the customer/ writ petitioner in this case ought to be "zero".

21. As per clause 9, which deals with reversal timeline of zero liability/ limited liability of customers in case of unauthorized electronic banking transaction, it would be the discretion of the bank to waive off any customer liability even in case of negligence of the customer. From a conjoint reading of the aforementioned clauses of the circular, it can be inferred that in case of un-authorized electronic transactions the Bank would have a duty to reverse the payment and credit the amount involved in the un-authorized transaction within a time frame, provided the fraudulent transaction is reported by the Customer within the time frame provided in the Circular. In an appropriate case, even the negligence, if any, on the part of the customer, can be waived by the Bank.

22. From the pleadings available on record it is evident that the three online transactions from the petitioners account took place on 18/10/2021 when he had downloaded the 'mobile app' on being prompted by the fraudster. The petitioner had done so in order to get refund of his money from " Louis Philippe". The aforesaid three transactions were evidently unauthorized as the petitioner never intended to transfer any amount to the respondent No. 4 by downloading the mobile app. The respondent No. 2 has also not denied Page No.# 12/19 that the transaction was unauthorized. Therefore, merely because the petitioner had downloaded the mobile app, that cannot by itself lead to the presumption of negligence on the part of the petitioner in assisting the unauthorized transaction. Had the Bank installed effective cyber security system and online fraud control measures then in that event, even if a mobile app is downloaded by a customer, money could not have been transferred from the bank account without proper authorization. Regardless of whether it was a UPI or PG transaction, it is not believable that the petitioner would deliberately share his OTP, password and MPIN so as to allow his hard earned money to be siphoned off from the bank account by a fraudster, that too, on three consecutive occasions, in quick successions. Rather, the incident appears to be pure and simple case of cyber crime whereby, the fraudster had hacked the database of respondent No. 3 and thereafter, got access to sensitive information pertaining to various customers of "Louis Philippe" including the petitioner which information was used for completing the fraudulent transactions. The participation on the part of the petitioner appears to be only to the extent of downloading the mobile app. Although the respondent No. 2 has contended that the petitioner had shared OTP, password and MPIN with the fraudster, yet, the said claim could not be substantiated by the Bank. Nothing has been stated in the counter-affidavit filed by the respondent No. 2 to indicate as to when, how and in what manner the OTP, MPIN and password was shared by the petitioner with the fraudster. No material particulars of the complicity on the part of the petitioner have been furnished in the affidavit. Therefore, this court is of the view that the respondent No. 2 Bank has completely failed to establish any negligence on the part of the writ petitioner.

23. In the affidavit filed by the respondent No 2 it has been stated that on receipt of the complaint dated 19/10/2021, the Bank had taken necessary action. However, there is nothing Page No.# 13/19 on record to substantiate the above stand of the Bank. It is surprising that even after receipt of written complaint of fraudulent electronic transaction from the account of the petitioner, not even an FIR was lodged by the Bank with the police. It is also the admitted position of fact that the Bank did not make any 'charge back' request to the beneficiary bank soon after receipt of the intimation about the fraud from the petitioner on 18/10/2021 or even on receipt of the complaint dated 19/10/2021. As a matter of fact, it appears that after receipt of the complaint from the petitioner on 19/10/2021 the respondent No. 2 has not taken any action in the matter to protect the interest of its customer i.e. the petitioner here-in. Not even a complaint was lodged by the Bank with the cyber crime cell. Notwithstanding the same, in its reply to the respondent No.1, the Bank has alleged negligence on the part of the customer thereby denying any liability in the matter.

24. It is to be noted herein that online banking facility is a relatively new phenomenon in India. By providing online banking facility to the customers, the Banks have not only made it much easier for the customers to access their accounts and to carry out online transactions but the same has also given a boost to banking business as a whole due to substantial increase in the volume of online transactions. As such, the Banks are also the direct beneficiary of the internet banking system. Due to the online banking facility, incidents of cyber crime involving fraudulent banking transactions are also increasing at an alarming rate. While the majority of the individual customers using online banking are still to come to terms with the various facets of internet banking related frauds, the fraudsters and the cyber criminals, who are technologically far more advanced, are having a field day. The cyber criminals are employing new methodologies every day to dupe the gullible internet users. Under the circumstances, the primary responsibility to provide adequate cyber security so as Page No.# 14/19 to protect the interest of the customers using online banking facility would always be with the Bank. Recognizing the above responsibility of the Banks, clause- 4 of the RBI circular dated 06/07/2017 has laid down certain guidelines to be followed by the Banks for the safety of the customers using online banking facility. Such guidelines include the necessity of putting in place a robust and dynamic fraud detection and prevention mechanism. There is no mention in the affidavit filed by the respondent No 2 as to what cyber security measures have been put in place by the Bank to prevent cyber crime.

25. It is no doubt correct that if a customer is negligent in handling his or her account and discloses sensitive information such as, password, OTP, MPIN, Card Number etc. resulting into fraudulent transaction, the Bank cannot be held liable for loss, if any suffered by the customer. However, in such cases, negligence on the part of the customers must be cogently established by the Bank by bringing reliable materials on record. The Banks cannot absolve themselves of the liability towards losses suffered by the customers on account of unauthorized electronic transactions based on perceived negligence of the customers. Having regard to the facts and circumstances of this case as well as the materials available on record this court is of the opinion that the respondent No. 2 has failed to establish negligence on the part of the petitioner leading to the fraudulent transaction.

26. An issue of similar nature fell for consideration before the Hon'ble Supreme Court in the case of DAV Public School Vs. The Senior Manager, Indian Bank, Midnapore Branch and others reported in (2019) 20 SCC 31. That was also a case where the fraudster had siphoned of a sum of Rs. 30 lakhs from the bank account of the School. The Principal of the DAV Public School had lodged a complaint regarding deficiency of service against the respondent bank by alleging that the school's bank accounts without net-banking Page No.# 15/19 facility, were unauthorizedly linked with the personal Customer Information File(CIF) of the Principal of the School, facilitating online transaction, which had led to fraudulent siphoning of Rs. 30 lakhs from the school's account. The fraudulent transaction was detected when one of the school's employees went to the bank for updating the Passbook. Then, it was found that a sum of Rs. 25 lakhs was unauthorizedly transferred from the School's account. The said transaction was brought to the notice of the Branch Manager on 09/09/2014 itself but the Branch Manager advised the school staff to visit the bank again on the next morning but in the meantime, another amount of Rs. 5 lakhs was transferred from the School's account before the account could be blocked. A complaint was filed by the school authorities before the State Consumer Dispute Redressal Commission of West Bengal. The State Commission had held that School Principal of the School cannot escape his liability but the Bank was also liable. It was held that the Bank had failed to safeguard the money of the School. Accordingly, partial relief was granted to the School by ordering payment of compensation of Rs. 1,00,000/- with cost of Rs. 10,000/-. The National Consumer Dispute Redressal Forum had dismissed the appeal filed against the said order of the State Commission. The matter then went up to the Supreme Court. The petitioner took a plea before the Supreme Court that it had never opted for net banking facility in respect of the 3 (three) bank accounts of the School. Therefore, there was gross error on the part of the bank in linking the accounts which had led to the siphoning of the money from the School's account. A question arose as to whether, without linking the net-banking facility, any money from the account of the School could have been siphoned out by the miscreants. While answering the question, the Supreme Court has made the following observation in paragraph 13 of the judgement :-

"13. In the above backdrop, the key question to be considered here is whether, without the school's Page No.# 16/19 account being linked with net banking facility, any money from the bank account could have been siphoned out by the miscreants. The obvious answer to this question has to be in the negative. As concurrently found by the State Commission, the Banking Ombudsman and also by the NCDRC, the bank has rendered themselves liable by enabling net banking facility by linking the individual account of the school's Principal, to the school's account. The only reason why the State Commission as well as the NCDRC had limited the compensation sum to Rs. 1,00,000/-was because of the perceived complicity of the Principal. But the charge sheet filed by the police reveals how the fraudulent transaction was made by the two charge sheeted accused and more importantly the police did not find complicity of the Principal of the school, with those fraudulent transactions. The Banking Ombudsman too declared that the Bank was at fault which facilitated the loss to the School but declined to order refund as the demanded sum (Rs 30,00,000/-) was beyond the pecuniary jurisdiction of the Banking Ombudsman ."

Accordingly, the sum of Rs. 25 lakhs siphoned out from the bank account of the School was directed to be refunded to the School's Account.

27. An issue of somewhat similar nature, came up for consideration before this Court in the case of Justice (Retired) Basudev Agarwal Vs. State Bank of India [WP(C) 3474/2022], which was disposed of by order dated 04/02/2022 passed by the learned Single Judge. In that case also, fraudulent transaction of Rs. 5,99,000/- had taken place from the SB Account of the petitioner. On receiving SMS in his Mobile Phone regarding the above transaction, the petitioner immediately made a complaint before the Branch Manager of the respondent no. 2 and had also lodged an FIR with the Dispur Police Station. But the bank had denied its liability by seeking refuge under clause-7 of the RBI Circular dated 06/07/2017 regarding limited liability of the customer. By rejecting the stand of the bank, the learned Single Judge had allowed the writ petition with a direction upon the respondent no. 2 to deposit the said amount on the account of the petitioner along with interest. The learned Single Judge has observed that the allegation made by the bank that the petitioner had shared user-ID, Pass-word etc. and did not report the fraud on receipt of the SMS, was not correct as the materials on record, more particularly, the information received by the Page No.# 17/19 petitioner under the RTI Act, 2005, which went to show that immediately after receipt of the complaint, the amount of Rs. 5,99,000/- was put on hold by the bank and, therefore, the transaction did not go through. It was held that under the circumstances, the petitioner could not have been penalized by withholding the said amount. The judgement and order dated 04/02/2022 has been upheld by the Division Bench by order dated 13/05/2022 passed in connection with WA No. 119/2022.

28. In order to ascertain as to what action has been taken by the Police in carrying out investigation in connection with Jalukbari P.S. Case No 1229/2021, this Court had directed the DCP(Crime), Guwahati to appear personally along with the relevant records. Accordingly, Sri Mrinal Talukdar, DCP (Crime) had appeared in the court on 13/09/2022. After interacting with the Police Officer, it transpired that save and except writing some letters, the Police has failed to achieve any worthwhile breakthrough in the investigation even after nearly a year since the FIR was registered. This is notwithstanding the fact that the fraudster has not only been identified but his personal details including the photograph has also been furnished by the Federal Bank. The above developments are clear pointers towards the sorry state of affairs prevailing in the department when it comes to investigating cyber crimes.

29. In the above context, it would be pertinent to note herein that the petitioner has stated in the writ petition that the respondent no. 3 has admitted that there was a breach of its customer database. If such breach of the customers' database has given access to the fraudster to the petitioner's account, then in that event, there can be no doubt about the fact that the respondent no. 3 would also be liable to compensate the petitioner or the Bank, as the case may be. However, as noted above, the police report indicating the manner in which the fraud has been committed is not yet available nor is there any report from the beneficiary Page No.# 18/19 bank indicating the manner in which the respondent no. 4 had siphoned off the money from the Bank to the other accounts. These are matters of investigation by the competent authority. A clear picture in these matters would emerge only when a proper investigation is carried out and the report is made available. On completion of investigation if it is established that the fraud took place purely due to the negligence or deficiency of service on the part of the respondent no. 3, than in that event the entire liability may be on the respondent No 3.

30. In the light of the discussion made above, it is, therefore, held that the online transactions that took place from the petitioner's bank account on 18/10/2021 were unauthorized and fraudulent in nature. Negligence on the part of petitioner could not be established by the respondent No. 2. Therefore, the conclusion drawn by the respondent No. 1 in its order dated 07/03/2022 was without any basis and hence, liable to be set-aside. This court is also of the opinion that the present case will come within the ambit of clauses 8 and 9 read with clause 10 of the RBI Circular dated 06/07/2017 referred to above. As such, the petitioner will not have any liability in the matter. Consequently, it will be for the respondent No. 2 Bank to reverse the payments in the saving bank account of the writ petitioner with liberty to recover the same from the respondent No. 3 by initiating appropriate legal proceedings, if so advised.

31. For the reasons stated above, the impugned order dated 07/03/2022 issued by the respondent No. 1 stands set aside.

32. The respondent No.2 is directed to deposit the amount of Rs. 94,204.80 in the bank account of the writ petitioner within 30 (thirty) days from the date of receipt of a certified copy of this order, with liberty to recover the amount from the respondent No 3. The prayer for grant of interest on the above amount made by the petitioner is declined. It is, however, Page No.# 19/19 made clear that if the amount, as directed by this court, is not deposited in the bank account of the petitioner by the respondent No 2 within the time specified above, then in that event, the amount would carry interest @ 9% per annum with effect from the date of this order until realization.

With the above observations and directions, this writ petition stands disposed of. There would be no order as to costs.

JUDGE Sukhamay Comparing Assistant