Madras High Court
Dr.R.Pavithra vs The Commissioner Of Police on 28 April, 2023
WP(Cri).No.6789 of 2021
IN THE HIGH COURT OF JUDICATURE AT MADRAS
Reserved on 27.02.2023
Pronounced on 28.04.2023
CORAM
THE HON'BLE Ms. JUSTICE R.N.MANJULA
WP(Cri).No.6789 of 2021
and
WMP.Nos.7343 & 7345 of 2021
Dr.R.Pavithra .... Petitioner
Vs.
1.The Commissioner of Police,
Office of the Commissioner of Police,
Vepery,
Chennai-600 007.
2.The Additional Director General of Police,
CB-CID,
CID Headquarters,
24, Pantheon Road,
Egmore,
Chennai-600 008.
3. The Deputy Superintendent of Police,
CB-CID Cyber Crime Branch,
CID Headquarters,
24, Pantheon Road,
Egmore, Chennai-600 008.
[ R2 and R3 deleted vide order dated 17.03.2021]
1/44
https://www.mhc.tn.gov.in/judis
WP(Cri).No.6789 of 2021
4.The Deputy Commissioner,
K-4 Anna Nagar Police Station,
Anna Nagar,
Chennai.
5. The Inspector of Police,
K-8 Police Station,
Arumbakkam,
Chennai.
6.The Reserve Bank of India,
16, Rajaji Salai,
Fort Glacis,
Chennai.
7.The City Union Bank,
Vigilance Department,
703, Anna Salai,
Chennai.
8. The Assistant General Manager,
City Union Bank,
Vigilance Department,
24-B, Gandhi Nagar,
Kumbakonam 612 001.
9.The Manager,
City Union Bank,
Irungalur Branch,
Opposite SRM Campus,
Irungalur, Trichy.
10. PayTM Mobil Solutions Private Limited,
B-121, Sector 5,
Noida-201301, India.
2/44
https://www.mhc.tn.gov.in/judis
WP(Cri).No.6789 of 2021
11.State Bank of India,
Rajaji Road,
Mannadi, Chennai Port Trust,
Chennai 600 001.
12.Fincare Small Finance Bank,
292, New No.116, Z Block II Avenue,
Beside Tower Metro Station,
Anna Nagar,
Chennai 600 040.
[R11 and R12 suo motu
impleaded vide order dated 02.11.2022] .... Respondents
Prayer :- This Writ Petition is filed under Article 226 of the Constitution of
India for issuance of Writ of Certiorari Mandamus, praying to call for the
records of the proceedings in CO/VIG/1365/2020-21 dated 01.03.2021 on
the file of the 7th respondent, and to quash the same as illegal and without
jurisdiction, and consequently to direct the 3rd and 4th respondents to
conduct a free and fair investigation into the cyber crime complaint given by
the petitioner dated 15.02.2021.
Prayer in WMP.No.7343 of 2021: This Writ Miscellaneous Petition is
filed under Article 226 of the Constitution of India, praying to issue an
Advocate-Interim Direction directing the respondents 7-9 to immediately
credit a sum of Rs.3 lakhs, being the sum unlawfully and authorizedly
siphoned off from the account of the petitioner in accordance with the
circular of the 6th respondent dated 06.07.2017 and bearing No.RBI/2017-
18/15, pending disposal of this Writ petition.
3/44
https://www.mhc.tn.gov.in/judis
WP(Cri).No.6789 of 2021
Prayer in WMP.No.7345 of 2021: This Writ Miscellaneous Petition is
filed under Article 226 of the Constitution of India, praying to issue an
Advocate-Interim Direction directing the respondents 4 & 5 to file a status
report on the status of the investigation conducted by them in connection
with the complaint of the petitioner dated 15.02.2021.
For Petitioner : Mr. Sharath Chandran
For Respondents : Mr.A.Gopinath,
Government Advocate (crl.side) for RR1,4 & 5
: RR2 & 3 deleted vide order dated 17.03.2021
: Mr.V.S.Rishwanth for Mr.T.Poornam for R6 CRBI
: Mr.S.R.Sundar for RR7 to 9
: Mr.Shivakumar and Suresh for R10
: Mr.B.Sivakollapan for R11
: Mr.D.Sathiyaraj for R12
ORDER
This Writ Petition has been filed to issue a Writ of Certiorari Mandamus to call for the records of the proceedings in CO/VIG/1365/2020- 21 dated 01.03.2021 on the file of the 7th respondent, and to quash the same as illegal and without jurisdiction and consequently to direct the 3 rd and 4th respondents to conduct a free and fair investigation into the cyber crime complaint given by the petitioner dated 15.02.2021. 4/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021
2.The brief facts of the case is as under:
The petitioner was a post graduate at the SRM Medical College at Trichy. During her post-graduation, the petitioner was serving as a resident doctor to attend the patients affected with COVID-19. She was being paid with a stipend of Rs.25,000/- per month by SRM Medical College, Trichy and the amount would be credited to her bank account with the 8th respondent. Out of the said earnings, she had saved a sum of Rs. 3,20,000/-
and was planning to utilise the same to meet her final year fees during April-
2021. On 10.02.2021 the petitioner returned to Chennai as she was not well. On 09.02.2021 an attempt was made by some miscreant to hack into her savings account, bearing No.500101011835967 with the 7th respondent bank.
2.1.The said fact was known to her through an alert SMS. She noticed the said message only on 11.02.2021, on which date she received another SMS alert at 14:15 hrs and 22:15 hrs. She immediately sent a message at 22.59 hours to the Bank asking them to block the account. She was under
the impression that the account had been blocked pursuant to her request. 5/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 Once again, on 13.02.2021, she received another SMS informing her that there had been an attempt to break into her savings account. The petitioner sent another message to the bank along with her registered mobile number, requesting the bank to block her account.
2.2. In fact, she had issued messages to block her account only as she had been instructed through the alert messages. Again, on 15.02.2021 at 12.33 p.m., she received an SMS informing her that someone had hacked her account. Within a few minutes, there was an unauthorised debit from her account for a sum of Rs.50,000/- followed by another sum of Rs.1,00,000/- at 12.43 pm and yet another sum of Rs.50,000/- at 12.44 pm and one more Rs.1,00,000/- at 12.45 pm. The miscreants had hacked her account and stolen her money. The petitioner called the 7th respondent bank at 12.43 pm itself and asked them to block her account. However, her money had been illegally siphoned off; no OTP for withdrawal has been received on her mobile phone and she has not shared her bank details or personal details with anyone. Thereafter, she rushed to the City Union Bank at Aminjikarai branch and lodged a written complaint. This was 6/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 acknowledged by the bank at 2 p.m. on the very same day, and she had also given a police complaint to the 4th respondent at 3 p.m. on the same day.
She received the information from the City Union Bank at Aminjikarai branch that her money had been transferred fraudulently to the PayTM account. Immediately, she called PayTM and registered a complaint. The money was taken away from her account and transferred to the accounts of some unknown accused. PayTM had shared the customer ID, bank account details, etc. of the accused through P2P wallet transfers. The money appeared to have been illegally transferred from her account to six accounts in the State Bank of India and Fincare Small Finance Bank, Bangalore and the accounts are said to be belonging to one Uthham Kumar and one Balram Kumar of Mathiya Pradesh and Uttar Pradesh, respectively. On 15.02.2021 the accused person attempted once again to hack the account and an SMS alert was received by her at 18.30 hours. Immediately, she had called the City Union Bank at the Aminjikarai branch and they advised her to reset her mobile PIN and to enable BIOMETRIC authorization. She received another SMS message at 21.26 hours that the reset was successful. However, on 16.02.2021 the accused once again illegally logged onto the petitioner's 7/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 account; since the transfer of funds had been blocked, he was not able to transfer the funds. So it traces a suspicion about the security system of the 7th respondent bank, and there is also a possibility that any insider of the banker also has got a connivance.
2.3. On 16.02.2021, at about 15.10 pm, she received a message stating that the accused had once again logged onto her account. So the petitioner called the bank and informed them, and thereafter her account was completely blocked. The City Union Bank at Aminjikarai branch has been utterly careless during the entire process. However, the 7th respondent has sent a letter dated 01.03.2021 denying its liability to refund the loss sustained by the petitioner. The bank was fully aware of the request made by the petitioner to block her account on 11.02.2021 itself, and now they are shifting the blame upon the petitioner. The petitioner has enclosed the messages she has received. The City Union Bank at Aminjikarai branch now seeks to fulfill its responsibility under the RBI's circular dated 06.07.2017. If the complaint is given within 3 days, there is zero liability on the part of the customer. Hence, the petitioner is entitled to get the reversal 8/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 of Rs.3,00,000/- loss suffered due to the fraud committed on her account. Instead of honouring the application, the City Union Bank at Aminjikarai branch has attempted to shift the blame on the petitioner, and this raises a suspicion whether the branch officials themselves have any complicity in the mischief. In view of the stress and shock suffered due to the above incident, the petitioner suffered a miscarriage on 22.02.2021. The petitioner has filed this petition seeking a Writ of Certiorarified Mandamus to quash the impugned proceedings of the 7th respondent and further directions.
3. The 6th respondent is the Reserve Bank of India (hereinafter referred to as the RBI), the 7th respondent is the City Union Bank and the 10th respondent is PayTM. Even though the petition was filed only against the 10th respondent, the State Bank of India and Fincare Small Finance Bank have also been suo moto impleaded as parties to the proceedings by virtue of the orders of this Court dated 02.11.2022. However, the existing respondents 2 and 3, who are the Additional Director General of Police, CBCID, and the Deputy Superintendent of Police, CBCID, have been deleted by order dated 17.03.2021.
9/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021
4. The RBI has filed the counter by stating that the responsibility of the RBI is to regulate and supervise the banking sector to the benefit of the economy in the country under the provisions of the Banking Regulation Act 1949. Various directions and guidelines have been issued by the Reserve Bank of India to regulate the functions of banking entities. In the matter of transactions between the regulated entities and their customers, the RBI does not interfere. Only in the event that the regulated entity violates or contravenes the directions issued by the RBI, the latter would take cognizance of the matter. However, if the customer approaches the RBI Ombudsman under the Ombudsman Scheme, the same will be examined within the ambit of the scheme and appropriate redressal will be given within the scheme.
4.1. The petitioner had filed a complaint before the RBI Ombudsman in Chennai under the Banking Ombudsman Scheme -2006 [herein after referred as the BOS-2006], inter alia, alleging that the money in her savings bank account, maintained by the 7th respondent, was siphoned off through multiple unauthorised debits on February 15, 2021. After perusing the 10/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 documents and comments from the bank, i.e., City Union Bank, the Ombudsman closed the complaint under clause 13(a) of the BOS-2006 by observing that there is no deficiency observed against the bank on the services as mentioned in clause 8 of the Ombudsman Scheme. Clause 8 of the Ombudsman Scheme enumerates various grounds in which a person can file a complaint against the bank. The RBI has issued directions and guidelines to both Prepaid Payment Providers and banks for customer protection and has defined the extent of the liability of the customers and the relevant regulated entity. The RBI had issued a circular dated 04.01.2019 vide No. DPSS.CO.PD.No.1417/02.14.006/2018-19 and it is applicable to all Authorized Non Bank Prepaid Payments Instrument Issuers for Customer Protection/limiting the liability of customers in unauthorised Electronic Payment Transactions through Prepaid Payment Instruments (PPIs) issued by Authorized Non-banks.
4.2. Paragraph 6(b) of the below mentioned circular, states about the customer's liability in cases where the deficiency lies neither with the PPI issuer nor with the customer but elsewhere in the system and the customer 11/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 notifies the PPI issuer or the customer regarding the unauthorised payment transaction. For the sake of argument, the said paragraph is extracted as follows:
“6.A customer’s liability arising out of an unauthorized payment transaction will be limited to:
Customer Liability in case of Unauthorized Electronic Payment Transactions through Paypointz Wallet S. Particulars Maximum Liability of No. Customer
(a) Contributory fraud / negligence / deficiency on the part of Zero the PPI issuer, including PPI-MTS issuer (irrespective of whether or not the transaction is reported by the customer)
(b) Third party breach where the deficiency lies neither with the PPI issuer nor with the customer but lies elsewhere in the system, and the customer notifies the PPI issuer regarding the unauthorized payment transaction. The per transaction customer liability in such cases will depend on the number of days lapsed between the receipt of transaction communication by the customer from the PPI issuer and the reporting of unauthorized transaction by the customer to the PPI issuer -
i. Within three days# Zero
ii. Within four to seven days# Transaction value or
Rs.10,000/- per transaction,
whichever is lower
iii. Beyond seven days# Full liability of the customer
(c) In cases where the loss is due to negligence by a customer, such as where he / she has shared
the payment credentials, the customer will bear the entire loss until he / she reports the unauthorized transaction to the PPI issuer. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the PPI issuer.
(d) PPI issuers may also, at their discretion, decide to waive off any customer liability in case of unauthorized electronic payment transactions even in cases of customer negligence.
# The number of days mentioned above shall be counted excluding the date of receiving the communication from the PPI issuer. The above shall be clearly communicated to all PPI holders” 4.3. In the same circular, it is stated that the burden of proving customer liability in cases of unauthorised electronic payment transactions 12/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 shall lie on the PPI issuer.
4.4. The 6threspondent, RBI, had also issued a circular dated 06.07.2017 bearing circular number DBR.No.Leg.BC.78/09.07.005/2017-18 applicable to All Scheduled Commercial Banks (including RPBs), All Small Finance Banks and Payments for Customer Protection/ Limiting Liability of Customers in unauthorised Electronic Banking Transactions. Under paragraphs Nos. 6 and 7 of the above circular dated July 6, 2017, the bank is liable in cases where the responsibility for the unauthorised electronic banking transactions lies neither with the bank nor with the customer but elsewhere in the system. The relevant portion of the circular is also extracted hereunder:
“Limited Liability of a Customer
(a) Zero Liability of a Customer
6. A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:
(i) Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
(ii) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.
(b) Limited Liability of a Customer
7. A customer shall be liable for the loss occurring due to unauthorized transactions in the following cases:
i.In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the 13/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 reporting of the unauthorized transaction shall be borne by the bank. ii.In cases where the responsibility for the unauthorized electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower.
Table 1 Maximum Liability of a Customer under paragraph 7 (ii) Type of Account Maximum liability (Rs.) • BSBD Accounts 5,000 • All other SB accounts 10,000 • Pre-paid Payment Instruments and Gift Cards • Current/ Cash Credit/ Overdraft Accounts of MSMEs • Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud)/ limit up to Rs.25 lakh • Credit cards with limit up to Rs.5 lakh • All other Current/ Cash Credit/ Overdraft 25,000 Accounts • Credit cards with limit above Rs.5 lakh Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board approved policy. Banks shall provide the details of their policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.
8. Overall liability of the customer in third party breaches, as detailed in paragraph 6 (ii) and paragraph 7 (ii) above, where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, is summarized in the Table 2:
14/44
https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 Table 2 Summary of Customer’s Liability Time taken to report the Customer’s liability (Rs.) fraudulent transaction from the date of receiving the communication Within 3 working days Zero liability Within 4 to 7 working days The transaction value or the amount mentioned in Table 1, whichever is lower Beyond 7 working days As per bank’s Board approved policy The number of working days mentioned in Table 2 shall be counted as per the working schedule of the home branch of the customer excluding the date of receiving the communication ” 4.5. Paragraph No.12 of the circular dated 06.07.2013 is similar to that of paragraph No.10 of the circular dated 04.01.2019 issued to all authorized non bank, Pre Paid payment issuers. According to Paragraph No.12 of the circular dated 06.07.2017 also the burden of proving the customer’s liability in case of unauthorized electronic banking transactions shall lie on the bank.
5. The main contesting respondents are 6th and 10th respondents and the counter of the 7th respondent is in brief:
The 7th respondent /the City Union Bank submitted that the petitioner has suppressed and misinterpreted several material facts. The present cash 15/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 transactions have taken place by using the mobile payment application through a Unified Payment Interface (UPI). The petitioner has been using one such UPI ie. Pay TM app, who is impleaded as 10th respondent in this case. As per the guidelines laid down by the RBI vide master directions dated 18.02.2021, the use of the mobile application is fortified by multilayer protection. Any user using the UPI through its applications, such as Google Pay, Amazon Pay, PayTM etc., has to first complete the KYC [Know Your Customer] formality and only then he is allowed to use the UPI. The UPI is registered with the mobile number. The UPI can be used only if the user is using the same mobile number that has been registered in the bank with which he accedes his bank account. After registering the UPI with the mobile numbers only, the user can use the mobile applications for transferring money, making payments, or doing any kind of shopping, both physically and on-line.
5.1.The payments are secured by " Two Factor Authentication" [2FA] or Dual Factor Authentication. It is a security process in which users are provided with two different authentication factors to verify themselves. The 16/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 UPI typically has a 4 to 6 digit numeric pin (MPIN). In some cases, it is also a fingerprint, followed by an One Time Password (OTP). It is sent directly to the registered mobile number of the user. The MPIN, ATM PIN are set by the user and known only to the user, and the OTP is accessed only through the registered mobile number. The authentication process is only under the control of the user and no one else, unless it has been accessed by an unauthorised third party. All these processes are totally automated, and there is no human intervention at any level. The only way that could be compromised is if the details in the UPI are accessed by a third party by way of hacking.
5.2. In the case in hand, the petitioner had lost her money through PayTM i.e. 10th respondent herein, and not from the seventh respondent's system. The perpetrators had gained access to the petitioner's bank account through PayTM and not through the 7th respondent's bank system. The petitioner's bank statement would show that the petitioner has been regularly using PayTM for on-line shopping as well. On 09.02.2021 there was a login from an unauthorized third party. Immediately an SMS was sent at15:17:19 17/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 hours to the petitioners registered mobile number. The Message is as under:
“ You have logged into your CUB Mobile Banking on
09.02.2021 15:17:19 IST. If not, send SMS as : BLOCK XXXX to 9281056789 from your regd mobile to block Mobile Banking.-CUB” 5.3. The multiple Short Messaging Service (SMS) messages were sent every time there was an attempt to log into the petitioner's account. The generation and communication of the SMS are automated by the systems in real time, with no human intervention. The SMS Log report would show that multiple attempts have been made since 09.02.2021 and every time an attempt has been made, a message has been sent to the petitioner's registered mobile number. The number of SMS sent from the bank with dates is tabulated under:
Sl# Date No of SMS 1 09.02.2021 5 2 10.02.2021 1 3 11.02.2021 3 4 13.02.2021 4 5 14.02.2021 1 6 15.02.2021 20 (for every action)
5.4. The petitioner never took cognizance of the SMS that was sent on 09.02.2021. However, she saw these messages only on 11.02.2021. 18/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 When repeated messages are sent on February 11th, 13th, 14th, and 15th, 2021, the petitioner ought to have called the bank's customer care number and escalated the issue immediately by blocking her account. But the same was not done by her. The RBI's circular dated 06.07.2021 referred to by the petitioner will not be applicable to the present case because the entire issue is with the UPI service provider, i.e., PayTM, the 10th respondent herein. Moreover, it has to be ascertained if the petitioner's phone has been hacked. Without asserting these facts, the 7th respondent cannot be held liable.
5.5. It is seen from the reports that the petitioner's phone has been hacked by some third party. Every time the petitioner tried to change the MPIN, the hackers managed to access her account. If the phone is hacked, it is beyond the control of the bank to protect the account. The perpetrators had gained access to the petitioner's account through the 10th respondent and not this respondent's banking system on both occasions, i.e., 09.02.2021 and 11.02.2021. With regard to the mobile banking block request sent by the petitioner on 11.02.2021, nothing could be done. Since SMS request sent by the petitioner was in an incorrect format it was rejected. In fact the 19/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 petitioner was alerted immediately by the system by sending SMS to use correct format as under:
11-02-2021 Send block request with your netbanking user id 22:29:21:923 11-02-2021 Send block request with your netbanking user id 22:29:21:945 5.6. The SMS alert sent by the petitioner was not received by the bankers system since it was not correct. The following four unauthorized transactions had happened on 15.02.2021:
Amount Time Biller reference number Journal PG Applica Number tion 50000 15-02- 20210215145660900000 202357804 Paytm MB 2021,12:39:50 100000 15-02- 20210215146219000000 202365270 Paytm MB 2021,12:42:56 50000 15-02-2021, 20210215146232600000 202328578 Paytm MB 12:44:20 100000 15-02- 20210215145580800000 202425495 Paytm MB 2021,12:50:43 5.7 All these transactions were done through a third-party app (PayTM) by using mobile banking login and second factor authentication as Card & PIN. The reported fraudulent transactions are PayTM transactions done using Mobile Banking (MB) ID and authorised with MB PIN for login, and Card PIN was used for second factor authentication for the transaction.
The process for executing transactions in a third-party application is as 20/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 below:
a) Login to the third-party application
b) Choose the product like load wallet / recharge / purchase goods & services
c) Payment option would be displayed like Third party Wallet account (if money already loaded / Debit Card / Credit Card / BHIM UPI / Netbanking 5.8. Despite the efforts of the bank to secure the account of the petitioner by helping her to change the MPIN number, the perpetrators managed to get access. Even after the MPIN was changed by the petitioner, the hackers still managed to gain access to her account. On 15.02.2021 the hackers again attempted to access the petitioner's account; the petitioner ought to have sent her mobile for forensic examination. The petitioner could have immediately called the customer care number to block her account by reporting the unauthorised transactions. The petitioner has not reported the matter to PayTM, which is the main gateway from where the unauthorised transactions had taken place. There is no lapse on the part of the 7th respondent. The petitioner had also raised a complaint with the Banking Ombudsman. The hacking has actually taken place on 16.02.2021 and not 21/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 on 16.03.2021. The 6th respondent had issued a press release dated 11.03.2022 debarring the 10th respondent from adding any further customers until RBI completes its IT audit of the 10th respondent. There are issues with the 10th respondent, i.e., PayTM's mobile application, that could have led to this incident. The petitioner ought to have given a complaint to the 10th respondent, PayTM.
6. The 10th respondent PayTM has filed his counter and the 10 th respondent's counter in brief is as under:
PayTM Payments Bank Limited, a company incorporated under the provisions of the Companies Act, 2013. It is a payment bank and is part of the new set of differentiated banks introduced by the Reserve Bank of India with the aim of extending deposit and payment services to millions of unbanked and under banked Indians. It has been granted with a licence by the Reserve Bank of India to carry on payment bank business under the Banking Regulation Act, 1949. This is also in line with the government of India in digitalizing payments and facilitating banking operations. So far as the PayTM payment bank is concerned, the petitioner has been impleaded 22/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 only as a proforma party and no specific allegations or grounds have been raised by the petitioner against the PayTM payment bank.
6.1. The 10th respondent is not a bank or other authority under Article 12 and hence it is not amenable to any writ jurisdiction. There is no privity of contract between the respondent No.10 PayTM payments bank. The 10th respondent is a mere facilitator and an on-line conduit provider for payments, having no technical or otherwise controlling control over the secured transactions. The transactions through on respondent No.10 is on a web based platform and mobile application have been verified by the CVV and the One-Time Password (OTP) of the credit and debit cards of the holders. The OTP has been delivered to the mobile number registered with such credit and debit card service providers and once the same is verified by the issuing bank and subsequent to the receipt of information from such a bank regarding the validity of the mode of payment, the technical server of respondent No. 10 automatically allows the order / transaction to be done.
It is within the purview of respondent No. 10 to monitor or control any authorization or non-authorization of the on-line payments, which happen 23/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 through the server automatically.
6.2. All transactions carried out on the PayTM Platform are secured and require authentication of the OTP / PIN, before initiation, which is generated by the respective card /Bank service provider and known only to the individual customer / card holder / petitioner. If there had been any discrepancy in the execution of said transaction, such as a wrong card number / Account No., OTP/UPI PIN etc, the said transaction could never have been successful and the amount in question in said transaction could have never been transferred to any account. PayTM bank is a conduit service provider, and hence, in case any customer is willing to perform any transaction through the PayTM platform, he has to select the mode of payment, i.e., Debit/Credit card, net banking, UPI and upon entering correct and genuine banking credentials along with OTP / PIN etc., the said transaction takes place automatically without any manual intervention.
6.3. The RBI in its directions dated 06.07.2017(RBI/2017-18/15) on Customer Protection/Limiting Liability of Customers in Unauthorised 24/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 Electronic Banking Transaction has clearly specified that the customer shall be liable for the loss occurred due to unauthorised transactions if the loss was due to the negligence of the customer by sharing the payment credentials, etc., Neither in the petition nor in the legal notice, no grievance has been made against the respondent No.10 and hence the 10th respondent is not a necessary or proper party to these proceedings. The petitioner has an alternate efficacious remedy by approaching the adjudicatory authority under the Information Technology Act and the writ petition is barred in view of the alternate remedy. The 10th respondent has already provided the necessary information sought from him.
6.4. As per the ratio laid down by the Hon'ble Supreme Court in State of Rajasthan V. Bhawani Singh & Ors, AIR 1992 SC 1018, if there are disputed and mixed questions of fact that cannot be adjudicated in writ proceedings; the petitioner ought to approach the Information Technology, Adjudicatory Authority which is a designated authority for such on-line frauds.
25/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021
7. Mr.Sarath Chandran, learned senior counsel for the petitioner submitted that there are materials to show that the impugned transactions were fraudulent and it was not done by the petitioner; even though the RBI guidelines have made it clear that if a complaint about fraudulent transactions is done within three days, the customer does not have any liability and it is the liability of the bank or Prepaid Payment Instructions (PPI) to make good the loss suffered by the customers; the unfortunate petitioner who held her account with the 7th respondent, City Union Bank, was defrauded by some fraudsters to withdraw money from her account by using PayTM applications.
8. Mr.S.R.Sundar, learned counsel for the respondents 7 to 9, denied their liability by stating that there was no deficiency of service on the part of the 7th respondent bank and hence the 7th respondent is not liable to compensate the loss suffered by the petitioner due to the fraudulent transactions. Apart from the branches of the banks through which a customer normally operates money transactions, now-a-days many payment banks have been introduced by the RBI. The aim of such a promotion of 26/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 payment banks is to extend deposit and payment services to unbanked and under banked Indians.
9. The above submissions adduced by the learned counsels of either side heard and the materials perused.
10. Even though the public is encouraged to use payment banks such as PayTM, Google Pay, Amazan Pay, etc., the customer is made to run from pillar to post, in case he is affected due to any 3rd party violations or fraudulent intervention. What is surprising is that even when the RBI has issued detailed master directions for both banks and Prepaid Payment Instruments [PPI], every institution shifts the blame upon the other and no one has come up with a concrete idea as to who has to bear the loss suffered by the petitioner, for none of her mistakes.
11. There were certain attempts made by some miscreants to access the petitioner's account with the City Union Bank through the PayTM app from 09.02.2021. The City Union Bank had alerted her by sending an SMS 27/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 that her account was accessed by someone. The petitioner happened to notice the message on 11.02.2021 and she had sent an SMS to block her account. But it was unsuccessful. The fraudulent attempts were continuing, and things went beyond the control of the petitioners and the bankers.
12. On 15.02.2021 the fraudsters had siphoned off nearly Rs.3,00,000/- from her account by making successive transactions using the PayTM application. It is the contention of the 7th respondent that their liability ends with alerting the customer and they were not able to block her account because the SMS was not sent in a proper manner. The petitioner omitted to call the branch directly to see that her account is blocked. After the advent of on-line transactions, the life style of the individuals has changed to a greater extent. The practice of establishing physical meetings with the branch has become obsolete. In view of the various online mechanisms provided by the banks for almost all banking services, no one goes to the branch physically in order to make any complaint. So it is not a surprise that the petitioner did not make any direct contact with the bank and that she followed scrupulously how she was instructed in the alert SMS. 28/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021
13. A police complaint was given by the petitioner and it was registered with much difficulty. As per the status report submitted by the 4th respondent, the fraudsters were identified by their names and they have accounts with SBI. The fraudsters had acted smartly by transferring the amounts to the various accounts after doing the fraudulent transaction in order to prevent the reversal. After the complaint was made to the 7th respondent, he contacted the 10th respondent, PayTM, by stating that the fraudsters had used the PayTM mobile app and managed to access the PayTM account of the petitioner from some other mobiles.
14. In order to register as a PayTM user, one has to have a bank account and mobile number. After installing the PPI applications, the customer has to link his registered mobile number with his bank account and the application. By opening the app, either by using a biometric method or a PIN number, the app will be accessed and transactions will be done by typing the PPI-PIN numbers and the money can be transferred within moments. No doubt such applications are time saving and convenient, but 29/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 the user does not know how to address his grievance if anyone tampers with the accounts by fraudulent means and siphons off the money lying in his account.
15. The fradulent transactions were not done by the petitioner. It is neither the case of the 7th respondent bank nor the 10th respondent PayTM that the transactions were done by the petitioner herself, and she is making fraudulent claims. In fact, the investigation has revealed information about the persons involved and in the status report it is stated that the fraudsters have managed to access the app by being in some other states, like Bihar. Whatever might be the modus operandi adopted by the fraudsters, the fact remains that it was not the petitioner who had revealed the details of her PIN Number or other details to the fraudsters either knowingly or unknowingly. The fraudsters had used PayTM application and not the net banking/mobile banking of the 7th respondent bank to swindle money from the petitioner’s account. So it is claimed by the 7th respondent that there is no security compromise at their end, and hence, the banker is not liable to compensate the petitioner.
30/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021
16. The records would make it clear that the access was done through a payment bank named PayTM. In fact, with the details furnished by the 7th respondent and the 10th respondent as to the transactions, the investigation officer could know the persons who transacted and who made the fraudulent transactions and to whose accounts the money was so transacted and transferred. Fortunately, a sum of Rs.70,000/- was withheld by Fincare India, and after a series of court orders, Fincare India was obliged to reverse the said sum to the petitioner's account. Since the City Union Bank and PayTM shifted the blame upon each other and did not come forward to take up the responsibility of compensating the petitioner, the 6th respondent, RBI, has been asked to come out with their stand and to clarify who is liable to compensate the petitioner, as per their guidelines.
17. The 6th respondent, RBI, has filed his counter affidavit and stated about the various guidelines issued by the Reserve Bank of India in the interest of customer protection. The counter affidavit of the RBI was also diplomatic to the extent that the RBI did not pinpoint either the 7th respondent or the 10th respondent as a person who is liable to compensate 31/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 the petitioner. The above exercise of fixing the liability was left to the court in light of the guidelines of the RBI, which the 6th respondent reiterated in his counter. In fact, the RBI guidelines are customer-friendly, and if the customer happens to report about the fraudulent transactions within three days of the occurrence, as per the guidelines, there is 'ZERO LIABILITY' fixed on the customer. The above position is similar for both banks and Prepaid Payment Instruments, except for the fact that they were through different circulars. Since the transaction was not done through any `Net Banking sites but through a payment bank application by name ‘ PayTM’, it has to be seen whether the banker or the payment banker is liable.
18. The case in hand does fall within the clause (b) of the following portion of the circular dated 04.01.2019 vide No. DPSS.CO.PD.No.1417/02.14.006/2018-19, which is applicable to all authorised non-bank Prepaid Payment Instrument issuers for customer protection/limiting the liability of customers in unauthorised electronic payment transactions in prepaid payment instruments (PPIs) issued by authorised non-banks. For the sake of clarity, paragraph No. 6 of the 32/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 circular reads as follows:
Customer Liability in case of Unauthorized Electronic Payment Transactions through Paypointz Wallet S. Particulars Maximum Liability of No. Customer
(a) Contributory fraud / negligence / deficiency on the part of Zero the PPI issuer, including PPI-MTS issuer (irrespective of whether or not the transaction is reported by the customer)
(b) Third party breach where the deficiency lies neither with the PPI issuer nor with the customer but lies elsewhere in the system, and the customer notifies the PPI issuer regarding the unauthorized payment transaction. The per transaction customer liability in such cases will depend on the number of days lapsed between the receipt of transaction communication by the customer from the PPI issuer and the reporting of unauthorized transaction by the customer to the PPI issuer -
i. Within three days# Zero
ii. Within four to seven days# Transaction value or
Rs.10,000/- per transaction,
whichever is lower
iii. Beyond seven days# Full liability of the customer
(c) In cases where the loss is due to negligence by a customer, such as where he / she has shared
the payment credentials, the customer will bear the entire loss until he / she reports the unauthorized transaction to the PPI issuer. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the PPI issuer.
(d) PPI issuers may also, at their discretion, decide to waive off any customer liability in case of unauthorized electronic payment transactions even in cases of customer negligence.
# The number of days mentioned above shall be counted excluding the date of receiving the communication from the PPI issuer. The above shall be clearly communicated to all PPI holders”
19. The liability of the customer is fixed at Rs.10,000/- per transaction if the complaint has been made within 4 to 7 days and if beyond 7 days, it is as per the policy of the prepaid payment instrument issuer. In the case in hand, the petitioner had given her complaint to her banker immediately after the transaction. It cannot be claimed by the 10th respondent, PayTM, that 33/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 the petitioner ought to have given her complaint to the 10th respondent instead of the 7th respondent. Because even the petitioner was not able to know how the fraud was committed. The matter came to light after the initiative taken by the 7th respondent bank. In fact, the 7th respondent bank has been communicating with PayTM about the fraudsters’ activity. So it cannot be said that the 10th respondent is not aware of the fraud just because the customer gave her complaint to her bank directly.
20. Another convenient submission made by the 10th respondent is that the 10th respondent payment bank is a private corporation and not a government institution, and hence, it cannot be subjected to the jurisdiction of this Court. The 6th respondent RBI, has stated that the primary function of the RBI is to regulate and supervise the banking sector for the benefit of this country's economy under the provisions of the Banking Regulation Act 1949. It is further submitted that the RBI would not normally interfere with the transactions between the regulated entities and their customers. But that this would not preclude the RBI from taking cognizance of the matter when the regulated entity violates or contravenes the RBI guidelines. 34/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021
21. It is further submitted that the customer could approach the RBI Ombudsman under the Ombudsman Scheme and the same will be examined and appropriate actions would be taken for redressal of such grievances even if they fall within the ambit of the Scheme. Since a customer's savings habits or mode of money transactions could have an impact on the country's economy, it cannot be said that the customer's interest is alien to the interest of the economy of the country. If all the customers switch over to physical mode of money transactions and abstain from doing transactions through the banking sector, that would grossly affect the economy of the country and hence, the customer's interest is also paramount. So, the RBI has an obligation to safeguard the customer’s interest as well. This is especially true when it comes to the knowledge of the RBI that a payment bank like PayTM evades to comply RBI guidelines and shrieks away its liability to compensate the petitioner in tune with the guidelines of RBI.
22. Even though the petitioner has sought compensation from the 7th respondent banker, the facts and materials available on record as discussed 35/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 above would only fix the liability on the payment bank [the 10th respondent] and not upon the 7th respondent bank. Though a straight away directions can not be given against the 10th respondent, since it is a private body, this Court can mould the relief in such a way that directions should be given to the 6th respondent, RBI, to take action against the 10th respondent for violating its own guidelines. The RBI guidelines are issued not as a formality, but the entities subjected to the RBI regulations should comply with the conditions of the master circular in its true letter and spirit.
23. In fact, as per the guidelines No. 16.4.8, the non bank Prepaid Payment Instrument issuers shall ensure that a complaint is resolved and the liability of the customer is established within the said time not exceeding 90 days. But the 10th respondent has not come forward to take cognizance of the grievances suffered by the petitioner, who was the user of the PayTM banking services. It is further stated in the above guidelines that if the PPI issuer is unable to resolve the complaint and determine the customer's liability within 90 days, the amount as prescribed under guideline No. 16.4.8 shall be paid to the customer irrespective of whether the negligence is on the 36/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 part of the customer or otherwise.
24. In the case in hand the 10th respondent had failed to resolve the dispute within 90 days and he has not come out with any concrete structure as to how the loss suffered by the petitioner is going to be compensated. Within 90 days from the date of the complaint i.e. from 16.02.202,1 the 10 th respondent did not prove how the customer is liable. In fact with the informations furnished by the 7th respondent and the 10th respondent itself, it is made clear that there is no fraudulent actions on the part of the petitioner but the violations were done by the 3rd parties.
25. In fact, Mr.Sarath Chandran, learned counsel for the petitioner, has brought to the attention of this Court that it is at the discretion of the payment banks to waive the customers liability, if any, even if the customer had filed a complaint at a belated stage. It is further submitted that a Corporate Company by name One 97, which owns the consumer brand PayTM, along with PayTM Payments Bank Ltd have filed a writ petition before the Delhi High Court for seeking directions against the department of 37/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 telecommunications and the Telecoms Regulatory Authority of India to ensure complete and strict implementation of the provisions of telecom Commercial Communications Customers Preferences/Regulations 2018 and any other regulations issued from time to time to curb fraudulent unsolicited commercial communications sent over the respective their networks in order to prevent the customers of PayTM from suffering loss on account of fraudulent calls and messages containing either a link or phone number. Such frauds are committed thorough spying activities done by using the telecommunication services such as SMS and calls. It is conceded by PayTM before the Delhi High court that its customers alone have cumulatively lost nearly 10 Crores Rupees between the period from July 2019 to April 2020. It is further submitted by the PayTM that it is scrupulously following the guidelines issued by RBI in the interest of its customers.
26. The modus adopted by the fraudsters is like taking the customers to a malicious link or a phone number sent through SMS and when the 38/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 customer dials the number or clicks the link so given, that would lead to installation of some mirroring apps, malwares, and other modes which reveal sensitive information of the user. This enables the fraudsters to withdraw funds from the victim's bank account. Such kind of spying attacks have a deleterious effect upon the customers similar to the case in hand. It is also brought to the knowledge of the Court by the learned counsel for the petitioner that PayTM was banned from enrolling new customers. The RBI has taken action against PayTM under Sec.35-A of the Banking Regulation Act 1949 and directed PayTM to appoint an IT audit firm to conduct a comprehensive system audit of its IT system.
27. In fact, it is stated by the RBI that such an action has been taken based on certain materials connecting to supervising concerns observed by the bank itself. So the system audit is required for the IT system adopted by the 10th respondent, which is vulnerable to fraudulent activities. The petitioner is one among the several users and hence the 10th respondent is liable to make out the loss suffered by the petitioner. As it has been stated already that the complaint has been made by the customer to her banker, and 39/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 the banker has kept in touch with PayTM, PayTM can not disown its liability.
28. Since the RBI has been issuing directions to PayTM, as already cited, it is essential to issue one such direction to the 10th respondent to settle the loss suffered by the petitioner within the next two weeks. It is emphasised that the 10th respondent had failed to establish the liability on the part of the customer within 90 days as prescribed in the guidelines of the RBI, and hence the 10th respondent cannot state that the matter in issue involves a lot of facts to be gone into. The violations are crystal clear, and the 6th respondent has got the obligation to intervene when to the knowledge of the 6th respondent, the 10th respondent continues to violate the RBI guidelines and adopts an unfriendly attitude towards its users.
In the result, this Writ Petition is allowed. However, the relief is modified to the effect that the 6th respondent is directed to issue directions to the 10th respondent to make good the loss suffered by the petitioner without any other reduction, except the reduction of the amount, if any already reversed to the account of the petitioner in pursuant to the earlier 40/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 order of this Court, within a period of two weeks. No cost. Consequently, the miscellaneous petitions are closed.
28.04.2023 Index : Yes Internet : Yes Speaking:Yes Neutral : Yes jrs To
1.The Commissioner of Police, Office of the Commissioner of Police, Vepery, Chennai-600 007.
3.The Deputy Commissioner, K-4 Anna Nagar Police Station, Anna Nagar, Chennai.
4. The Inspector of Police, K-8 Police Station, Arumbakkam, Chennai.
5.The Reserve Bank of India, 16, Rajaji Salai, Fort Glacis, Chennai.
6.The City Union Bank, Vigilance Department, 703, Anna Salai, Chennai.
7. The Assistant General Manager, City Union Bank, 41/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 Vigilance Department, 24-B, Gandhi Nagar, Kumbakonam 612 001.
8.The Manager, City Union Bank, Irungalur Branch, Oppositte SRM Campus, Irungalur, Trichy.
9. PayTM Mobil Solutions Private Limited, B-121, Sector 5, Noida-201301 India.
10.State Bank of India, Rajaji Road, Mannadi, Chennai Port Trust, Chennai 600 001.
11.Fincare Small Finance Bank, 292, New No.116, Z Block II Avenue, Beside Tower Metro Station, Anna Nagar, Chennai 600 040.
42/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 43/44 https://www.mhc.tn.gov.in/judis WP(Cri).No.6789 of 2021 R.N.MANJULA, J.
jrs Pre-delivery Order in WP(Cri).No.6789 of 2021 and WMP.Nos.7343 & 7345 of 2021 28.04.2023 44/44 https://www.mhc.tn.gov.in/judis