Bombay High Court
Nayna Bipin Vora And Anr vs Bank Of Baroda And 4 Ors on 20 April, 2026
Author: Bharati Dangre
Bench: Bharati Dangre
2026:BHC-OS:10142-DB
1/31 WP 3185-22.doc
IN THE HIGH COURT OF JUDICATURE AT BOMBAY
ORDINARY ORIGINAL CIVIL JURISDICTION
WRIT PETITION NO. 3185 OF 2022
Nayna Bipin Vora and anr. .. Petitioners
Versus
Bank of Baroda and ors. .. Respondents
...
Ms. Aneesa Cheema a/w Mr. Latif Pirani and Mr. Nikhil Waghmare
i/b Pirani and Company, for the Petitioners.
Ms. Ritika Yerra a/w Mr. Abhijit Ranjan i/b Mr. Chittranjan Shah and
Kay Legal Associates and LLP, Advocate for Respondent No.1.
Mr. Rahul Gaikwad a/w Ms. Komal Singh i/b Gravitas Legal,
Advocate for Respondent No.2.
Mr. Milind More, Addl GP for State.
CORAM: BHARATI DANGRE &
MANJUSHA DESHPANDE, JJ.
RESERVED ON : 21st JANUARY, 2026
PRONOUNCED ON : 20th APRIL, 2026
JUDGMENT (PER BHARATI DANGRE J)
1. The Petitioners Nayna Bipin Vora and Sheetal Shitanshu Vora have invoked writ jurisdiction of this Court praying for issuance of writ in the nature of mandamus against Bank of Baroda, Respondent No.1, for crediting an amount of Rs. 18,79,000/- along with the interest at the admissible bank rate in the saving bank account of the Petitioners maintained with Chandavarkar branch, Matunga, Mumbai.
The Petitioners also seek a declaration that they have zero liability in the matter of fraudulent and unauthorized deduction of the Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 2/31 WP 3185-22.doc amount from their saving account maintained with the Bank, in light of circular of the Reserve Bank of India dated 06/07/2017, and the bank shall make good the lose suffered by the Petitioners by 'shadow reversal'.
The Petition implead Bank of Baroda, a body Corporate constituted under the Banking Companies (Acquisition and Transfer of Undertakings) Act, 1970, as Respondent No.1. Bharti Airtel Limited, a service provider of mobile services is impleaded as Respondent No.2. The Commissioner of Police, Crawford Market, Mumbai and the Inspector in Charge, Worli Police Station, Cyber Crime Branch, Mumbai are impleaded as Respondent Nos. 3 and 4 along with the Secretary of Home Department being impleaded as Respondent No.5.
2. We have heard Ms. Aneesa Cheema for the Petitioners and Mr. Ritik Yeera for Respondent No.1. Respondent No.2 is represented by Mr. Rahul Gaikwad along with Ms. Komal Singh and the learned Additional Government Pleader, Mr. Milind More, has represented the State and its Authorities.
On the pleadings being completed, by consent, we have taken up the Writ Petition for hearing, and we issue 'Rule', which is made returnable forthwith.
3. Before we appreciate the rival contentions, it is imperative that we take note of the background facts, which we have collated from the pleadings in the Petition.
The Petitioner No.1, a widow and senior citizen and she along with Petitioner No.2 as the joint account holder are maintaining Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 3/31 WP 3185-22.doc saving bank account no. 04060100000728, with Bank of Baroda.
Since the demise of the husband of Nayna, in the year 2019, she is depositing in the account the dividends and other income received from the investments made by her deceased husband and she has availed the facility of withdrawal of the amounts by cheques as well as by use of Internet Banking. For the purpose of availing Internet Banking facility, she is provided with Customer ID, for which the password is set by Nayna herself and she has provided the mobile number and email address for receiving communication for availing the facility.
4. On 04/12/2021, the saving bank account of Nayna had credit balance of Rs. 18,79,395.92/-, but on 05/12/2021, an amount of Rs. 18,79,000/- was withdrawn through Internet Banking and the Petitioners became aware of the same after its withdrawal.
On 05/12/2021, at about 17:30 hours it was noticed that Nayna's mobile became inoperative and she lodged a complaint with the service provider, Respondent No.2 to be informed that the number was made unoperational, on request of some person, claiming that SIM of the mobile number was stolen and the service provider would reissue new SIM after carrying out certain verification procedure.
Nayna Vora informed the service provider that her SIM was never stolen and therefore there was no question of issuance of new SIM card. The mobile number was made operational on 05/12/2021, at about 21:30 hours, and she realized that her mobile was inoperative since Saturday itself and it is during this period, the Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 4/31 WP 3185-22.doc amount in her saving account was fraudulently withdrawn between 19:01:42 hours on 04/12/2021, and 19:36:47 hours on 05/12/2021.
The Petitioner, thereafter, gained information that four beneficiaries were added to her saving bank account and the logging report of the bank would reveal that fraudsters logged into the account at 19:00:42 and logged out at 19:01:51. On every attempt to add beneficiaries, OTP appears to have been sent to the mobile number, but Nayna never received the OTP, as her mobile number was inoperative.
The response to the SMS sent by the bank sending OTP reflected thus:-
"the SMS Service to the Mobile Number has been barred at customer's service provider end or Mobile Number is either absent (switched off), not existing, or out of service".
5. From the information furnished by the Bank in relation to the transactions, the Petition has extracted the transactions as below:-
"Time Activity
19:01:42 Account Logged in.
19:05:46 OTP attempted to be sent by SMS. Not delivered
for the reason services barred.
19:06:29 Sekh Sabir Ali added as beneficiary
19:08:30 OTP attempted to be sent by SMS. Not delivered
for the reason services barred.
19:09:28 Bika Das added as beneficiary
49:11:43 OTP attempted to be sent by SMS. Not delivered
for the reason services barred.
19:12:44 Madauda added as beneficiary
19:14:33 OTP attempted to be sent by SMS. Not delivered
for the reason services barred.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
5/31 WP 3185-22.doc
19:15:31 Chandan Nama Das added as beneficiary
19:15:58 Log out from the Account"
6. Four persons were added as beneficiaries in the account of Nayna Vora and since her SIM card was inoperative, there can be no doubt that the OTP sent by the bank for adding the beneficiaries was received by the fraudsters and the holders of the account were unaware of such activity. The bank was conscious that the OTP sent to the Petitioner's mobile was not delivered and still the saving bank account was operated using the OTP generated by the bank to add beneficiaries.
It is the specific claim of the Petitioners, Nayna Vora as well as Sheetal Vora, the beneficiary no.2 in the account that they did not received OTP on the mobile phone nor at the registered email address for addition of the beneficiaries and for the confirmation of transaction of the withdrawals made from the saving bank account.
On 05/12/2021, between 19:25:31 and 19:31:10, by use of internet banking, an aggregate sum of Rs. 18,79,000/- was swapped from the saving bank account and out of this amount an amount of Rs. 4,00,000/- and Rs. 5,00,000/- were transferred to the bank account of one Makauda and a sum of Rs. 5.29 Lakhs and a sum of Rs. 4.50 Lakhs was transferred to the bank account of one Bikas Das.
7. The bank provided the details of logging into the bank account of the Petitioners and transfer of the amount to the newly added beneficiaries and this information is set out in the Petition to the following effect:-
Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 6/31 WP 3185-22.doc Time Activity Mode of Transfer 19:19:13 OTP by SMS sent to the mobile not delivered as services were barred 19:22:27 OTP by SMS sent to the mobile note delivered as services were barred 19:25:31 Rs 5 lakhs transferred to the Account Funds Transfer Third of Makauda. SMS intimation of Party Account.
transfer not delivered for the reason 'mobile number is either absent (switched off), not existing or out of service.
19:26:44 Rs 4 lakhs transferred to the Account Funds Transfer Third Party
of Makauda. SMS intimation of Account.
transfer not delivered for the reason
'mobile number is either absent
(switched off), not existing or out of
service.
19:28:52 Rs 4.50 lakhs transferred to the Funds Transfer Other Bank
Account of Bika Das. SMS Account.
intimation of transfer not delivered
for the reason 'mobile number is
either absent (switched off), not
existing or out of service.
19:31:10 Rs. 5.29 lakhs transferred to the Funds Transfer Other Bank
Account of Bika Das. SMS Account. RTGS Transfer intimation of transfer not delivered for the reason 'mobile number is either absent (switched off), not existing or out of service.
8. The Petitioners allege that the fraudulent transfers of the sum of Rs.5 lakhs and Rs. 4 lakhs in the name of Makauda, were internal transfers within the Respondent No.1 bank itself as the other transfer was to Bangalore Gennext Bellandur branch.
The grievance of the Petitioners is that since the amount was transferred into one of the account in Bank of Baroda itself, it has Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 7/31 WP 3185-22.doc well within its power to forthwith reverse the illegal, unauthorized and fraudulent transfer of the amount into the Petitioner's account by way of shadow reversal.
The other two transfers in the sum of Rs. 9,79,000/- was in ICICI Bank (New Alipore, Kolkata Branch) in the name of one Bikas Das.
The Petition is accompanied with the statement of the saving bank account of Mrs. Nayna Vora, which reflect the completed transactions as funds transfer to the third party account namely Makauda and Bikas Das.
9. On 07/12/2021, the Petitioner No.2, Sheetal Vora, reported the fraudulent transfers to the Branch Manager as well as to the Managing Director of Bank of Baroda, Matunga Police Station, Cyber Crime Branch, Worli, as well as RBI Headquarters, attaching the history of the entire transaction of the bank transfers and net banking. Sheetal Vora, being a joint holder of the account also addressed an email to the Branch Manager of Bank of Baroda on 07/12/2021, at 3:00 P.M. The Petitioners also filed an FIR with the Inspector Incharge, Worli Police Station, which was registered as FIR No. 26 of 2021.
10. Pursuant to the steps taken, the Petitioners received e-mail response on 17/12/2021, from the bank denying any lapse on their part and stating thus:-
"a. Systems has properly identified the user credentials provided and has returned a success response which denote the user id and the login password credentials used are as available in the system. b. OTP generated for all users' related activities were was sent to the Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 8/31 WP 3185-22.doc Petitioners registered mobile number and email id and the response ha been successfully validated / authenticated by the system. c. There is no lapse on the part of the bank or its system."
11. By email addressed on 21/12/2021, the Petitioner No.1 requested the service provider Bharati Airtel to provide the following information :-
"a. the Respondent No. 2 had received any message or e-mail for issue of new SIM card;
b. any new SIM Card was issued in respect of the mobile number of the Petitioner No. 1 and if issued then to provide the address of the Airtel Gallery and the documents on which the new SIM Card was issued. Hereto annexed and marked as 'Exhibit G' is a copy of the said e-mail sent on 21st December 2021."
12. Despite exchange of communication since the Bank of Baroda refused to admit its flaw, a letter was addressed through their Advocate on 29/12/2021, which received a response from the Advocate of the Bank, where it adopted a stand that the bank had not permitted any transaction, which exceed maximum transaction limit and the Petitioners account was high risk account and three tier security was provided. It was also stated that, while carrying out a transaction through net banking, the person must know the user ID and the password and he must insert the OTP sent by the bank through email and mobile and after insertion of OTP the transaction password is required and not only this, the security check contemplate answer of security questions and only then the transaction is affected. A stand was specifically adopted that there was no lapse or negligence on part of the bank.
13. The Petitioners however attempted to refute the said claim by adopting the following stand:-
Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 9/31 WP 3185-22.doc "a. OTP claimed to have been sent by the Respondent No. 1 was not received since her mobile number was not operative during the period when the beneficiaries got themselves added to, and the sums were fraudulently withdrawn from, the said Bank Account. b. the claim of the Respondent No. 1 that OTP was also sent on email was equally false and the Respondent No. 1 was called upon to provide the copy of the e-mails sending OTP to the Petitioners as the Petitioners had not received any e-mails of sending of OTP as claimed by the Respondent No. 1;
c. the Respondent No. 1 had exceeded the maximum transaction limit for carrying out internet transactions prescribed by the Respondent No. 1 as set out in the Tabulation in the said letter as also herein in paragraph 4(ii).
d. the Respondent No. 1 was aware, at the time of processing the fraudulent transaction, that the 'Risk Score' of the transaction as registered by the System of the Respondent No. 1 was between 55 and 75, well above the threshold of 30 which ought to have put the Respondent No.1 on alert and prevented the transaction, yet it failed to do so; e. The burden of proving customer liability in case of unauthorised electronic banking transaction is cast upon the Respondent No.1 in paragraph 6 of the said Circular of 6th July 2017.
14. With the grievance, the Petitioners also approached the banking Ombudsman under The Reserve Bank - Integrated Ombudsman Scheme, 2021, by filing a complaint on 29/12/2021 and the Ombudsman had refused to entertain the same by classifying it as non-maintainable and closed it under Section 10 (2) (f) of the Ombudsman Scheme, 2021.
15. It is the case of the Petitioners that in the whole episode, the negligence of the bank was evident, as it permitted the fraudulent transactions depriving the Petitioners of an amount of Rs.18,79, 000/- and the bank had permitted the transaction in excess of the maximum limit of Rs. 2 lakhs and it is also the case of the Petitioner that the Bank failed to follow the Two Factor Authentication (2FA) prescribed by RBI Banking Norms, for the internet transaction.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
10/31 WP 3185-22.doc
According to the counsel for the Petitioner, for addition/ registration of beneficiary, the bank is required to sent an OTP to the account holder but the logging record of the bank reveal that OTP sent to the mobile number of the Petitioners by SMS was 'not delivered or failed'. Non delivery of SMS, therefore, according to her, means 'no delivery of OTP' and it is therefore pleaded by her that the bank ought to have decline the transaction of adding the beneficiary as well as that of third party transfer, but despite receiving an alert, it permitted addition of beneficiary and further permitted transfer for the very same OTP, which the Petitioners never received. No OTP was received on the registered email address and the learned counsel would submit that when the bank suspected that the disputed transaction was suspicious and this could be seen from the logs where the system had assessed the Risk Score of 55 and 75, which exceeded threshold limit of 30, but despite this the transactions were permitted knowing very well that the OTP sent by SMS and email was not getting delivered and the transaction was not getting through.
16. Ms. Cheema, the counsel for the Petitioners vehemently assert that the fraudulent transactions took place on 4th and 5th December, 2021 and the Petitioners had not shared any payment credentials to any person. The Petitioner No.1 had asked her son on 06/12/2021 to check the bank account as she was expecting to receive sale proceeds of shares and she discovered about the fraudulent withdrawals. As per the Petitioners, the burden of proving the liability of the Petitioners in case of unauthorized electronic banking transactions is of the bank.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
11/31 WP 3185-22.doc
17. Reliance is placed by the Petitioners upon the circular dated 06/07/2017, issued by the RBI and the pleaded case of the Petitioners is, that the lapses on part of the bank or its System are responsible for unauthorized and fraudulent withdrawals from the saving bank account of the Petitioners and the emphasis is laid on fastening of zero liability on the customer in terms of the circular dated 06/07/2017, which prescribe as below:-
"Zero Liability of a Customer"
A customer's entitlement to zero liability shall arise where the unauthorised occurs in the following events:
(i) Contributory fraud / negligence / deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer)
(ii) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working day of receiving the communication from the bank regarding the unauthorised transaction."
18. As per the Petitioners, when they took immediate steps to inform the bank about the fraudulent transaction, the bank ought to have reversed the amount debited from the saving bank account within 10 working days, that is on or before 17/12/2021, without waiting for settlement of insurance claim and in any case, the burden to prove the liability of the customer in case of unauthorized electronic transactions is on the bank, which the bank has failed to discharge and therefore, it must remit the amount of which the Petitioners are deprived by depositing it in the saving bank account.
It is also the case of the Petitioners that, the FIR registered on the complaint of fraudulent withdrawal from the saving bank account also did not progress. A communication was also addressed by the Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 12/31 WP 3185-22.doc Petitioners to the service provider calling for details of the SMS transmitted to the mobile number between 04/12/2021 and 05/12/2021, but a response was received to the effect that the information sought was confidential and it can be disclosed only upon the directions of the designated security agencies/law enforcement agency and the information can only be shared with the police.
It is in these aforesaid circumstances, the Petitioners have approached this Court, seeking benefit of the circular of Reserve Bank of India dated 06/07/2017 and by submitting that the liability of the Petitioners is zero, as their case fall within the four corners of the circular of RBI, the Bank of Baroda shall be directed to forthwith credit the amount of Rs. 18,79,000/- into the Petitioners' saving bank account by way of 'shadow reversal' in accordance with Para 9 of the circular of the RBI.
19. Responding to the Petition, the authoritative representative of Respondent No.1, Samir Shah has filed an affidavit on 17/02/2023, and the affidavit proceed to state that in the FIR, it is the claim of the complainants that certain funds were expected to be credited into the account and therefore, the son of Petitioner No.1 logged in the net banking by using her credentials and this was in gross violation of the norms and guidelines for availing and operating net banking facility. As regards the internal investigation carried out, the affidavit state thus:-
"ii. In spite of the above mentioned situation on receipt of complaint, mail department called for all related logs and on investigation of the said log it is evident from the Authentication logs that system has properly identified the user credentials provided and has returned a success Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 13/31 WP 3185-22.doc response which denotes that the user id and the login password credentials which were used are as available in the system. The logs do not display any change in user credentials. Further the logs also provide details of OTP generated for all user related activities and the same has been delivered to the Petitioner's registered mobile number as well as to Petitioner's registered E-mail-id and the response has been successfully validated/ authenticated by the system.
iii. For initiating and completing the transaction through net banking the following steps are required:-
a. User ID of the User;
b. If logging in from new system for first time One Time Password (OTP) is always sent to the registered mobile number for confirmation; c. His/Her sign on password is needed;
d. Security Questions and Answers are set by users; e. Access of his/her registered mobile number and email- id is required for accessing and transaction, f. Beneficiary registration is also mandatory. One Time Password (OTP) is sent to registered mobile for beneficiary registration; g. There is a 4 hours cooling period before the added beneficiary gets activated for the first time to transaction and; h. His/Her transaction password is also required for each transaction."
20. The bank has also stated that on receipt of the complaint through mail, all related logs from the concerned departments were called for analysis and the following conclusion was reached:-
"a. All customers credentials have been used. No change in any user credentials and security questions was observed. b. OTP was sent to customer's registered mobile number only."
21. It is also categorically stated that the Two Factor Authentication (2FA) is capable of carrying out velocity checks and to add a beneficiary into account holder, one needs to log into the account which is done by use of login password and thereafter the account holder needs to add a payee and for this purpose the account holder must enter a transaction password and a new payee is added.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
14/31 WP 3185-22.doc
The specific stand adopted by the Bank is, that there is no lapse on its part and the relief as prayed in the Petition cannot be granted.
22. Responding to the Petition, the Head-legal & Regulatory, Bharti Airtel Limited (Mr. Ram Kumar), has also filed an affidavit , based on the record maintained by it in respect of Mobile No. 9820732940 subscribed by the Petitioner No.1 in the year 2020 and which continued to be in her name. A specific statement is made in the affidavit that after the mobile number was activated on a SIM card, it is still active on the same SIM that was allotted to Nayna Vora and there is no SIM swapping.
As regards the details of the CDR, the affidavit states thus:-
"9. I say that the CDR being a confidential document has already been shared with Investigation Officer and the Investigation Officer has in its report dated March 01,2023 has observed that NO OTP message was delivered on the aforesaid mobile number of Petitioner No.1 during March 04, 2021 and March 05, 2021 i.e. period during which alleged fraudulent transactions took place. Further, in case of non-delivery of OTP on the said number of the Petitioner, it is not possible for Respondent No.2 to ascertain whether the OTP was delivered by the Bank through any other means of communication to the Petitioner No.1 and same can only be ascertained by the Police. In humble submission of Respondent No.2, it has no role to play in the alleged transaction."
10. I say that on the basis of records of the Respondent No.2 a call was received by the call-centre of Respondent No.2 from a mobile number -91 7439162855 on 05.12.2021 at 19:11 Hours wherein the caller requested to bar the outgoing and incoming services of the said number, belonging to the Petitioner No.1, stating that the mobile handset of the Petitioner No.1 has been lost."
23. The affidavit also proceed to state that before barring the services, as per procedure, the call-center shall verify all credentials of the caller and on carrying out tele-verification, the request is considered. It is further stated that, the Respondent No.2 barred the services associated with the number of Petitioner No.1, but on Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 15/31 WP 3185-22.doc 05/03/2021, at about 19:43 hours, the services on the said number were restored.
24. A sur-rejoinder is filed by the Head Legal & Regulatory, Bharti Airtel Ltd., where a specific stand is adopted that it had extended its assistance and support to cyber cell and has provided all requisite details including the CDR.
The affidavit also proceed to state that pursuant to the investigation a Report is filed on 01/03/2023 in the Court, reporting about the investigation being carried out, which confirmed that there is no OTP message delivered on the mobile number of Nayna Vora between 04/12/2021 and 05/12/2021 i.e. the period during which alleged transaction took place.
25. With regards to the investigation of the mobile number of Nayna, the report has stated thus:-
"When the CDR/SDR/CAF was received from the service provider company AIRTEL regarding the mobile number 9820732940 attached to the complainant's account, it was seen that the said transactions were made on the mobile number 9820732940 attached to the complainant's bank account on 05/12/2021 and 06/12/2021 without receiving any OTP messages from the bank regarding bank transactions. Based on this, an unknown person had sent a request to the service provider company Airtel to stop the incoming messages from the bank on the complainant's mobile number or to divert it to another number. To seek information regarding this, the AIRTEL service provider company was again contacted. Why were the bank messages coming on the SIM card blocked or did someone send a request to block them? E-MAIL has repeatedly sent to Nodal Officer AIRTEL to obtain information about this, but no information has been received from them. Since the said information is also important and necessary in terms of the crime, keeping in mind the gravity of the crime, a reminder has been sent to the Airtel Nodal on 28/02/2023 to appear at the police station for investigation under Section 160 of the CRPC. When the complainant's mobile number is analyzed, it is seen that the OTP of the above 4 fraud transactions were not received on the mobile number but the OTP was generated based on the information received from the bank. Therefore, the said transactions were made without the Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 16/31 WP 3185-22.doc OTP of the relevant transaction being received on the complainant's mobile number. From this, it is evident that someone or someone had sent a request to the service provider company Airtel to stop the incoming messages from the bank on the complainant's mobile number or to divert it to another number or how information has been sought. We are trying to uncover the said crime after receiving the said information."
26. In regards to the investigation carried out in regard to the persons who received the money through four transactions and on examining the bank statement, it was noted that a transaction in the amount of Rs. 9,89,000/- was transferred to the account in ICICI Bank by RTGS method and the account is in the name of one Vikas Das, and the branch of bank is New Alipore, Kolkata.
When the CDR and CAF of the Mobile number attached to the account were obtained, it was found that the mobile number is in the name of one Saurav Ajay Das, Alipore, with an alternative number. Out of this amount, an amount of Rs. 4,79,000/- were withdrawn through ATM and remaining amount of 5,00,000/- were transferred to ICICI bank in the account of Surendra Nagabapu, which was also withdrawn through ATM.
When the investigation was carried out, it was noted that there was no person by name Bikas/Vikas Das living in the said area and the investigation reveal that the account was opened online and the address of the person given was fake. The same was the case in respect of address of Saurav Ajay Das, who had given fake address by giving only building number. Investigation revealed that the address given by the accused persons was fake.
27. It is in the background of the aforesaid pleadings, we are called upon to determine whether the Petitioners are entitled for reversal of Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 17/31 WP 3185-22.doc the amount to their account, by taking recourse to the circular of RBI dated 06/07/2017.
28. The Petitioner has relied upon the guidelines/circular issued by the Reserve Bank of India on 06/07/2017, which comprise of direction issued to All Scheduled Commercial Banks as well as All Small Finance Banks, with respect to the subject of 'Customer Protection - Limiting Liability of Customers in Unauthorised Electronic Banking Transactions'. In order to satisfy the grievances of the customers, relating to unauthorized transactions resulting in debits to their accounts/cards, the RBI deemed it appropriate to review the criteria for determining a customer's liability as its earlier circular dated 8/04/2002 focused on the subject of reversal of erroneous debits arising from fraudulent or other transactions.
With reference to the electronic banking transactions, involving remote/online payment transactions and face-to-face/ proximity payment transactions, it was directed that the systems and procedures in the banks must be designed to make customers feel safe about carrying out electronic banking transactions and to achieve this, it was directed that the banks must have in place, appropriate systems and procedures to ensure safety and security of electronic banking transactions and a robust and dynamic fraud detection and prevention mechanism. It also contemplated a mechanism to assess the risks resulting from unauthorized transactions and measure the liabilities arising out of such events along with appropriate measures to mitigate the risk and protect themselves against the liabilities arising therefrom.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
18/31 WP 3185-22.doc
29. It is worth to note that the circular of the RBI intend to protect the Customer/(s), who have fallen prey to unauthorized transactions resulting in debit to his account/card, when the transaction is effected through electronic banking. The Reserve Bank of India has issued directions to all scheduled commercial banks for strengthening their system and procedure, by introducing various mechanisms, with an expectation that the system and procedure in the bank must be designed to make customers feel safe about carrying out electronic banking transactions and the RBI expected the Banks to adopt robust and dynamic fraud detection system.
One of the mode prescribed is, the Bank asking their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts for electronic banking transactions.
The RBI has made it mandatory that SMS alerts shall be sent to the customers, while e-mail alerts may be sent, wherever registered and simultaneously the customer must be advised to notify their bank of any unauthorized electronic banking transaction at the earliest after the occurrence of such transaction, as longer time taken to notify the bank will pose high risk to the customer.
The banks are directed to provide customers with 24x7 access through multiple channels for reporting unauthorized transactions that had taken place and/or loss or theft of payment through instrument like card, etc. and the bank shall also enable, the customers to instantly respond by 'Reply' to the SMS and e-mail alerts so that the customers are not required to search for a web page or an e-mail address to notify the objection. The swift action on part of the customers as well as the bank is specifically underscored by Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 19/31 WP 3185-22.doc RBI, since it is most important in determining the extent of the customer's liability.
Keeping this aspect in view, the Reserve Bank has fastened zero liability on a customer, in case of third party breach when the deficiency lies neither with the bank nor with the customer, but lies elsewhere in the system and the customer notify the bank within three working days of receipt of communication from the bank regarding unauthorized transactions.
30. In our view, the circular of the RBI dated 06/07/2017 is independent of any criminal investigation to be conducted to establish any cyber crime, as the RBI intended to protect the customer who has suffered financial loss on account of fraudulent or unauthorized electronic banking transactions.
Without even a semblance of reference to any cyber investigation, the RBI deemed it appropriate to issue directions for limiting the liability of the customers in unauthorized electronic banking transactions and particularly, when the customer is not at fault.
The burden to establish that the customer is at fault is on the Bank and once a customer intimated to the bank about the fraudulent transaction, from the date when he received communication from the bank, it is imperative for the bank to credit the amount involved in the unauthorized electronic banking transaction to the customer's account and if the reporting is within three days, then the liability of the customer is zero.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
20/31 WP 3185-22.doc
Since the burden of proving the customer's liability in respect of unauthorized electronic banking transaction is on the bank, we have to ascertain whether the bank has discharged its burden.
31. The customers entitlement to zero liability as per the circular of RBI occurs, where the unauthorized transaction has taken place and where there is contributory fraud/ negligence/ deficiency on part of the bank and in case of third party breach, where a deficiency lies neither with the bank nor with the customer, but lies elsewhere in the system and the customer has notified the bank within three working days of receiving the communication from the bank regarding unauthorized transaction.
32. It is in the wake of these guidelines issued by the RBI, the Petitioners claim reversal of the amount into the saving bank account maintained with Bank of Baroda.
The fraudulent transactions from the saving account of Petitioner No.1 with the Petitioner No.2 being the joint account holder took place on two dates i.e. on 04/12/2021 and 05/12/2021. Between 19:06 to 19:15 hours four beneficiaries were added in the account and on 05/12/2021, an amount of Rs. 18,79,000/- was transferred from the account in favour of the beneficiaries added in the account; Rs. 9 lakhs was transferred to the account of Makauda, Bank of Baroda Branch, Bangalore and Rs. 9.79 lakhs was transferred to the account of Bikas Das, ICICI Bank, Kolkata.
It is the case of the Petitioners that though OTP was generated for the transaction for adding the beneficiaries, the same was never received on the mobile number of Petitioner No.1, as the SMS Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 21/31 WP 3185-22.doc services were barred and this could be discerned from the SMS activity report and the bank itself has provided the details of the logging into the bank account of the Petitioners, which are annexed with the Petition at Annexure- B-1.
33. The bank also provided, the details of OTPs sent for addition of beneficiaries and transactions in the bank account, which is also a part of the Petition in form of Annexure B-2. The beneficiaries which were added on 04/12/2021 between 19:06:29 and 19:15:31, did not result into an SMS being received by the Petitioner No.1, and the SMS activity report would reveal that from 19:11:10 of 04/12/2021 the SMS service to the mobile number was barred at customers end and the SMS activity report for all those transactions which took place on 04/12/2021 as well as the transfer of the amount on 05/12/2021, did not result into an SMS being received as the SMS service to the mobile number has been barred at customer's service provider end.
It is therefore crystal clear that though an SMS for sharing OTP was created at the end of the bank, with the following message 'XXXXXXXX is OTP. DO NOT disclose it to anyone. Bank never asks for OTP. Ref No. XXXXXXXX. Call Bank of Baroda.' As per the SMS activity report annexed at Exhibit- B-2, it is only on 06/12/2021 at 11:25:32, the SMS activity report reflected thus: "Your Acct XX728 debited with INR 500000.0 on Dec05, 2021 & A/C XX120 credited. TXN ID- 1264723840. Call 18002584455/18001024455 for dispute- Bank of Baroda." Against this SMS being created, the SMS activity report reflected thus:
"Mobile number is either absent (Switched Off), not existing or Out Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 22/31 WP 3185-22.doc of service".
Similar messages are created in respect of other transaction of Rs.400000/-, Rs.450000/- and Rs.529000, indicating that the account was debited for the aforesaid amount on 05/12/2021 by a specific transaction ID but admittedly, this message is shown to be not delivered and on the other hand, the remark in the SMS log reported 'failed Mob. Abst. _nt ext_'
34. What is pertinent to note is the message of debit from the account is shown to have failed, by reflecting mobile absent, but the message in respect of charges for POR and available balance is shown to be delivered. It is thus clear from the SMS log record that though the message of debiting the account of Nayna was created, it could not be delivered as the mobile number was either absent (Switched off), not existing or out of service.
35. The service provider Bharti Airtel Ltd, have also clearly stated in the affidavit that on 05/12/2021, a call was received from mobile number 7439162855 on 5/12/2021, at 19:11 hours, wherein the caller requested to debar the outgoing and incoming services of the said number, on the ground that the mobile handset was lost.
Upon completion of the validation check, the services associated with the said number were barred and on March 5, 2021 at around 19:43 hours the services were restored presumably at the request of Petitioner No.1.
From the pleadings in the Petition, the Petitioner No.1 was using mobile number 9820732940 and it is thus obvious that the request to debar the mobile number was never received from the Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 23/31 WP 3185-22.doc mobile number of the Petitioner No.1.
In the report of cyber cell, which is also produced before the Court, on the complaint filed by Nayna Vora, it is reported that when the CDR/SDR/CAF was received from service provider regarding mobile number 9820732940 which was attached to her account, the transactions were made on the said mobile on 05/12/2021 and 06/12/2021 without receiving any OTP messages from the bank. The investigation also reveal that an unknown person had sent a request to the service provider company Airtel to stop incoming messages from the bank on the complainant's mobile number or to divert it to another number.
The report from cyber cell clearly reveal that the OTP of the four fraudulent transactions were never received on mobile number of Nayna though the OTP was generated which lead to an inference that the transactions were made without the OTP of the relevant transaction being received by her on her mobile number and some third party had sent a request to the service provider to stop the incoming messages from the bank on the mobile number used by Nayna.
36. Bank of Baroda has adopted a stand that on receipt of the complaint, its IT department conducted a comprehensive system audit which established that, all the logging credentials match those on record and OTP generation and transmission protocols were correctly executed and all transactions were processed only after proper authentication and there was no security breach in banking infrastructure.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
24/31 WP 3185-22.doc
Though, we find that upon the affidavit in reply filed by the service provider Bharti Airtel, making a categorical statement that it had no role to play in the alleged fraudulent transaction and all relevant information in connection thereof is already furnished to the investigation officer, a rejoinder is filed by the Bank, with reference to the contention that the call center of Bharti Airtel received a request for blocking the incoming and outgoing services on the Petitioner's number on the basis that the handset was blocked and doubt is raised upon the said contention by submitting that there is no proof thereof. It is however, relevant to note that the bank itself has provided the logging details of the account and the SMS activity report which also reported that the SMS service to the mobile number of the account holder has been barred at customers service provider end and the customer should approach the service provider for removing such restriction.
37. It is the specific case of Petitioner No.1 that her mobile became inoperative on 05/12/2021 and it is during this period the amount has been transferred from her saving account and the messages were blocked on the request made by someone to the service provider, but as per the Petitioner No.1, she never received any OTP either for the transactions effected on 04/12/2021 or on 05/12/2021 and she never made any request to the service provider about barring the services on her mobile phone.
In fact, even for adding the beneficiaries, the OTP sent to the mobile number of the Petitioner No.1 was not delivered, though it is the case of the Bank that it was generated, it was obvious that it was either diverted or received by someone else and definitely there is no Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 25/31 WP 3185-22.doc negligence on part of Nayna Vora, because she did not share the OTP with anyone.
38. Such a situation is taken care by the circular of the RBI dated 06/07/2017, where in case of third party breach, where deficiency lie neither with the bank nor the customer but it lie somewhere in the system, and if the customer notify the bank within a period of three working days in respect of the unauthorized transaction, then the customer has no liability.
This is precisely what has happened in the case of Petitioner No.1 as her account was debited in the sum of Rs. 18,79,000/- fraudulently by manipulating her mobile number and though it is evident that from the reply filed by the bank that the account of the Nayna was at risk score of 55 and 75, despite this it had permitted the transaction.
We in no case, conclude that the bank is at fault as the OTPs were generated but neither the account holder can be said to be at fault as the OTP generated was not delivered to the Petitioner and this is because, the service provider has clearly revealed that the SIM number was blocked, and therefore, no messages were received including the OTP that was shared and this is even evident from the SMS activity report placed at Annexure B-2.
It is in this scenario that the Petitioners are entitled for availing the benefit of the circular, which has fastened zero liability on the customer and has provided for shadow reversal by crediting the amount in the bank of the customer, if the customer is a victim of unauthorized electronic transaction and is not at fault. This reversal Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 26/31 WP 3185-22.doc as per the circular ought to have been done within 10 working days from the date of notification by the customer though the bank is entitled to waive any customer liability in case of unauthorized electronic banking transaction, even when the customer is found to be negligent.
39. Recently, we were confronted with the similar situation, when one Subodh C. Korde, resident of Pune, had approached us through Writ Petition No. 11990 of 2023, and as he was a victim of cyber fraud, as an amount of Rs. 38,04,000/- was unauthorizedly withdrawn from his two bank accounts maintained with HDFC bank in a time gap of 41 minutes. Since, the Bank refused to reverse the amount to his account, and he pleaded that it was in complete breach of the applicable directions /guidelines issued by the Reserve Bank of India, we had exhaustively dealt with the said issue with reference to the precedents cited before us, and we had also pronounced upon the issue of maintainability of writ petition in respect of a Private schedule bank.
As far as the present case is concerned, since the Bank of Baroda is an Indian public sector bank and not a private bank, and it also being a Bank which was nationalized on 19/07/1969 and designated as public sector undertaking, we are not called upon to deal with the said objection.
In the said Petition, we relied upon the decision of learned Single Judge, of Gauhati High Court, which was upheld by the Division Bench and subsequently by the Apex Court in case of Pallabh Bhowmick vs. Ombudsman, Reserve Bank of India & Ors. 1.
1 2023 4 GAU LR 366
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
27/31 WP 3185-22.doc
We also placed reliance upon decision of this Court in case of Jaiprakash Kulkarni & Anr vs. Banking of Ombudsman & Ors in WP No. 1150 of 2023, and examined the facts in the backdrop of the ratio flowing from the said decision, which is observed thus:-
"37. Both as per the said RBI Circular and the said Policy of Respondent No.2, a customer has zero liability when the unauthorized transactions occur due to a third party breach where the deficiency lies neither with the bank nor with the customer but elswhere in the system and the customer notifies the bank regarding the unauthorized transactions within a certain time frame. Therefore, both as per the RBI Circular and the said Policy of Respondent No.2, the liability of the Petitioners in respect of the said unauthorized transactions would be zero as the unauthorized transactions have taken place due to a third party breach where the deficiency lies neither with Respondent No.2 nor with the Petitioners, as already held hereinabove on the basis of the said three Cyber Cell reports. In these circumstances, as per the RBI Circular and as per the Policy of Respondent No.2, the Petitioner is entitled to refund of the said amount from Respondent No.2. In this context, it is also important to note that, as per paragraph 12 of the RBI Circular, the burden of proving customer liability in case of unauthorized electronic bank transactions lies on the bank. In the present case, Respondent No.2 has no acceptable material to fasten any such liability on the part of the Petitioners. On the contrary, the three Cyber Cell Reports clearly show that the unauthorized transactions have taken place without any intimation to the Petitioners either on their mobile number registered with Respondent No.2 or on their email ID registered with Respondent No.2. For all the aforesaid reasons, Respondent No.2 will have to be directed to refund the amount illegally and unauthorizedly debited from the bank account of the Petitioners, to the Petitioners."
In a very similar fashion, when the Petitioner before us was defrauded by adding beneficiaries without he being notified, who to be followed by enhancing the transaction limit and subsequently by transfer of the amount from his account to different beneficiaries, reliance was placed upon the OTP log by the HDFC bank being generated through private vendors.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
28/31 WP 3185-22.doc
The service provider BSNL by filing an affidavit, brought to our notice that there was tampering with the SIM card as on four occasions request was made to the service provider for substitution of the SIM card on the basis that it was lost and this being done by placing on record fraudulent documents. All these documents along with the SIM swapping details being furnished before us, we held thus:-
"76. From the affidavit filed by BSNL, it is, therefore, clear that it is the case of SIM swapping.
SIM swapping is a technique used by criminals to obtain a duplicate or clone of a SIM card linked with a phone number to impersonate identity of line holders and gain access to their bank account by sending an SMS (OTP Code) used as two factors authentication. BSNL has stated in its affidavit that since an application was made for SIM replacement on the count that the mobile phone was lost, a new SIM is provided with the same number and from the affidavit of BSNL, it is evident that the SIM was replaced on four occasions, right from 12/07/2021 to 15/07/2021. As far as the Petitioner is concerned, he admitted that there was some issue with his SIM card and he had approached the service provider on 15th i.e. on one occasion.
The Indian Cyber Crime Coordination Centre (I4C), which is operated through Ministry of Home Affairs, has floated national cyber crime helpline 1930 (Call Immediately To Report Fraud and Freeze Bank Accounts) and Sanchar Saathi Portal. The precautionary and safety tips and advisory from the Coordination Centre is, 'act on 'no signal'....if your phone suddenly loses signal unexpectedly, immediately contact your service provider'.
SIM swapping has received attention from the Ministry of Home Affairs as a sophisticated form of identity theft, where fraudsters take over a victim's phone number and this has been expressed to be a rising concern in India. The fraudsters collect personal details via phishing social media or previous data licks and they adopt procedure of impersonation. The fraudsters tricks the mobile operator claiming the SIM is lost/damaged and request for a new one and in such a scenario, the victim's actual SIM loses connectivity (no network). The fraudsters then receive OTPs and banking alerts on the new SIM enabling them to drain bank accounts, often by bypassing two fold authentication. The net- banking frauds involve access to the bank account basic details and the mobile number and then approaching the service provider, impersonating the owner of the number with fake papers and a request to swap the SIM.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
29/31 WP 3185-22.doc
After verification, the service provider deactivate the old SIM and the fraudsters get access to the new active mobile SIM, when the original one fails to operate as a result all financial SMS, OTP alerts as regards the transactions are arrived on new active card, which is in the hands of the fraudster.
This is precisely the methodology, which has been adopted here and this is evidently clear to us from the affidavit of BSNL, as the Petitioner has pleaded that he faced trouble in connectivity and even approached to his service provider and his SIM was replaced. That is the specific reason why the Petitioner did not receive any OTP on 14 th or 15th when the beneficiaries were added or the financial limit of transaction was increased and the actual transaction took place on 15/07/2021 and it is obvious that the message must have been received on a cloned/duplicate SIM and the Petitioner did not receive any message/OTP. In no case, we find that the Petitioner was careless or that he had shared the password with anyone and ultimately the burden is upon the bank to establish that he was careless or negligent, which the bank in our view, has failed to establish."
40. It is in the above circumstances, by relying upon the investigation report produced by the HDFC Bank, the conclusion drawn by us was recorded to the following effect:-
"79. The internal investigation report, which has disclosed the reason that transaction not being alerted is very specific, namely, "Decline Add Payee-Blacklisted Accounts". The report also state that the Bank has automated risk based on authentication system, where the risk score is calculated based on the usage pattern of the customer nature of transaction and other factors and high risk transaction is declined. But, in this case, the risk score was 691, hence it is not declined/alerted. The Bank has, therefore, clearly admitted that the transaction was not alerted and we find it surprising that Bank blames the Petitioner. In Rider 3 of the investigation report, for every transaction, which according to the Petitioner is unauthorized, there is a report of 'not alerted' and despite this, the Bank has projected its case that in every situation, the OTP was sent. It is also evident from the internal investigation report that since the HDFC Bank was aware that no alert was created and has also set out the reasons, why it was not alerted because the account was described as "Blacklisted Account" and the customer could not be contacted, when the amount was debited, HDFC Bank itself made a request to ICICI Bank for reversal of the amount under the transactions.
It is, therefore, evident that the HDFC Bank attempted to take necessary steps and was conscious that no alert was created and when Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 ::: 30/31 WP 3185-22.doc beneficiary addition attempt got alerted, the report disclose "tried calling the customer, but unable to establish contact". This is repeated in the transactions adding beneficiary and also when the transaction limit was enhanced. The alert was sounded since even according to the HDFC Bank, it was a super high value case and thus the officers in helm of affairs of the Bank immediately initiated the investigation.
80. In no case, we put the blame of the unauthorized transactions on the Bank, but when the fault is neither with the Bank nor with the customer/Petitioner, the RBI circular dated 06/07/2017 and in particular, the clause fixing zero liability on the customer gets triggered and the Petitioner is entitled for its benefit.
Though it is a contention advanced on behalf of the Bank that in absence of any investigation by the cyber cell or a conclusion being derived that a cyber fraud has been committed, the Bank cannot be fastened with the liability, but we refuse to accept the said contention. The whole purpose of the circular/guidelines issued by the RBI is to provide a buffer to a customer, who is diligent, and is not responsible for negligence or contribute to the fraud by sharing OTP/password and since, the Bank has failed to establish that the Petitioner did so, in our view, the Petitioner is entitled for the benefit under the circular of RBI dated 06/07/2017 and he deserve the amount of which he is deprived back in his account. Since the Bank had denied him the benefit, despite clear directions from the RBI, we deem it appropriate to direct HDFC bank to remit the amount of Rs.38,04,000/- to the Petitioner's account within a period of eight weeks alongwith interest at the rate of 6% p.a., as for no fault of his, the Petitioner was deprived of his own money.
The HDFC Bank shall make the aforesaid remittance within a period of eight weeks and if it failed to do so within the aforesaid period, it shall carry interest at the rate of 8% p.a. The Writ Petition is made absolute in the aforesaid terms."
41. In the present case, we find the similar modus operandi, when no OTP was received by the Petitioner No.1 on her mobile, the reason being that the SIM card of the Petitioner was swapped and therefore, the Petitioner was not alerted though an SMS alert was created, but the transaction never received an authentication by the account holder.
Ashish
::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::
31/31 WP 3185-22.doc
We find the case of the Petitioners before us similarly situated as the Petitioner No.1 and Petitioner No.2 account holders are in no way found to be negligent nor is it established by the Bank that they are so, or that they shared the OTP with someone else.
As per the circular of RBI, Clause 12 has cast the burden of proving customer's liability in case of unauthorized electronic banking transactions on the bank, and since the bank has failed to discharge this burden, in our view, the Petitioners, on the basis of the limited liability (zero liability) as covered by Clause 6 of the circular, are entitled for the shadow reversal of the amount involved in the unauthorized electronic transaction within a period of 10 days, but since Bank of Baroda has failed to do so, we direct the Respondent No.1 to forthwith remit the amount of Rs. 18,79,000/- (Rupees Eighteen Lakhs Seventy Nine Thousand only) with interest at the rate of 6 % to be credited in the Petitioners' Savings Bank Account No. 04060100000728 maintained with the Chandavarkar, Branch of Bank of Baroda, within a period of 12 weeks from the date of uploading of the judgment.
If however, the bank fails to follow the said direction, the amount shall incur a further interest of 6% till its deposit in the Petitioners' saving bank account as mentioned above.
Writ Petition is made absolute in the aforesaid terms.
(MANJUSHA DESHPANDE, J.) (BHARATI DANGRE, J.) Ashish ::: Uploaded on - 21/04/2026 ::: Downloaded on - 22/04/2026 20:30:45 :::