Gauhati High Court
State Bank Of India vs Pallabh Bhowmick And 4 Ors on 13 September, 2024
Page No.# 1/19
GAHC010232752022
THE GAUHATI HIGH COURT
(HIGH COURT OF ASSAM, NAGALAND, MIZORAM AND ARUNACHAL PRADESH)
Case No. : WA/364/2022
STATE BANK OF INDIA
REP. BY ASSTT. GENERAL MANAGER, STATE BANK OF INDIA, GUWAHATI
BRANCH, PANBAZAR, GUWAHATI- 781001 DIST.- KAMRUP (METRO),
ASSAM.
VERSUS
PALLABH BHOWMICK AND 4 ORS.
S/O LATE P.R. BHOWMICK,
R/O HOUSE NO. 2,
HILL SIDE COLONY, GATE NO. 1,
MALIGAON, GUWAHATI,
P.O.- MALIGAON RAILWAY HEADQUARTER,
P.S.- JALUKBARI, PIN- 781011.
2:THE OMBUDSMAN
RESERVE BANK OF INDIA
STATION ROAD
GUWAHATI- 781001.
3:LOUIS PHILIPPE
A DIVISION OF ADITYA BIRLA FASHION AND RETAIL LIMITED
REPRESENTED BY ITS VICE PRESIDENT AND SALES DIRECTOR
HAVING ITS REGISTERED OFFICE
AT DIVYASHREE 77 TOWN CENTRE
KH NO. 118/110/1
BUILDING 2
YEMALUR POST
BENGALURU- 560037.
4:PAPENDER KUMAR
S/O BHAGIRATH SINGH
R/O BIJNOR
UTTAR PRADESH- 246764.
Page No.# 2/19
5:DCP (CRIME)
KAMRUP (METRO)
GUWAHATI
Advocate for the Petitioner : MR. A PARVEZ, MR. B ROY
Advocate for the Respondent : GA, ASSAM, MR. D K SARMA,
MR. H S BORAH (r-2),
MR. P HAZARIKA (r-2),
RESPONDENT IN PERSON,FOR CAVEATOR
BEFORE
HONOURABLE MR. JUSTICE LANUSUNGKUM JAMIR
HONOURABLE MR. JUSTICE KARDAK ETE
JUDGMENT
Date : 13-09-2024 (Kardak Ete. J) Heard Mr. A. Parvez, learned counsel for the appellant. Also heard Mr. Pallabh Bhowmick/respondent No. 1, in person; Mr. P. Hazarika, learned counsel for the respondent No. 2 and Mr. D. K. Sarma, learned counsel for the respondent No. 5.
2. This intra-Court appeal is directed against the judgment and order dated 30.09.2022, passed by the learned Single Judge in WP(C) No. 1900/2022, whereby, the learned Single Judge, has set aside the order dated 07.03.2022, passed by the Ombudsman, Reserve Bank of India, and directed the appellant to deposit an amount of Rs. 94, 204.80/- (Rupees Ninety- four thousand two hundred four and Eighty Paisa) only, in the bank account of the petitioner with a liberty to recover the amount from the respondent No. 3.
3. The brief facts of the case, are that the respondent No. 1/petitioner is having a Savings Bank (SB) Account bearing No. 10823993373 with the State Bank of India (SBI), Guwahati Branch. He had made an online purchase of some garment from the Louis Philippe store which he wanted to return and get the money back. On 18.10.2021, the respondent No. 1/petitioner had received a call from a fraudster, who was later identified as the respondent No.4, namely Papendra Kumar, from the State of Uttar Pradesh. Posing himself as Customer Page No.# 3/19 Care Manager of the Louis Philippe, the respondent No. 3, the fraudster had asked the petitioner to download a 'mobile app' for the purpose of making a refund of Rs. 4,000/- (Rupees Four thousand) only in lieu of return of a garment earlier purchased by him. Believing bonafide that the call was from the customer care department 'Louis Philippe' the respondent No. 1/petitioner had downloaded the 'mobile app'. Soon thereafter, a sum of Rs. 94,204/- (Rupees Ninety-four thousand two hundred four) only was siphoned off from the bank account of the respondent no. 1/petitioner by three separate online transactions. An amount of Rs. 64,017/- (Rupees Sixty-four thousand seventeen) was transferred from the bank account of the respondent no. 1/petitioner by Payment Gateway (PG) transactions. Immediately, thereafter, two other transactions took place for the amounts of Rs. 30,186/- (Rupees thirty thousand one hundred eighty six). The said fraudulent transactions took place on 18.10.2021 through mobile phones bearing number +91 7789956974 and +91 9188762299. The amounts were initially transferred to the beneficiary account in the Federal Bank and thereafter, shifted to other bank accounts.
4. The respondent No. 1/petitioner contends that on 18.10.2021, he had informed the Customer Care Centre of the SBI with a request to cancel the three transactions. Based on his information the SBI customer care cell compliant bearing numbers 69889484 and 69689706 were registered and the SBI debit card of the respondent no. 1/petitioner was also blocked. On the same day i.e. 18.10.2021, he also had lodged an FIR with the Jalukbari Police Station reporting the incident, based on which, Jalukbari PS Case No. 1229/2021 was registered under Sections 417/420 of the IPC. Thereafter, on 19.10.2021, the respondent No. 1/petitioner had made a complaint before the appellant informing him about the said fraudulent transactions. He had also lodged three complaints with the Cybercrime Cell of Criminal Investigation Department (CID), Assam Police vide acknowledgment numbers 30410210067207, 30410210067210 and 30410210067509. The respondent no. 1/petitioner had reported the matter to the National Cyber Crime Reporting Portal (NCCRP) of the Ministry of Home affairs, which was also received vide acknowledgement No. 20410210143122. According to him, even after receipt of the complaint dated 19.10.2021, the appellant bank did not take any action so as to prevent the fraudulent transactions or to recover the amount Page No.# 4/19 from the recipient bank.
5. On 16.01.2022, the respondent No. 1/petitioner had received an e-mail from the respondent No. 3 informing that there has been illegal breach of their customer database whereby, information regarding some of the customers were released in some cyber community and the same happened during the period from 26.03.2021 to 01.12.2021. According to the respondent No. 3, the website of "Louis Philippe" was hacked when the petitioner had made online purchases on 05.10.2021.
6. The respondent No. 1/petitioner had also made an online complaint before the appellant as per the Reserve Bank of India - Integrated Ombudsman Scheme, 2021. The respondent No.1/petitioner's complaint was received vide acknowledgment No. 202122008004685 dated 15.02.2022. After the complaint lodged by the respondent No. 1/petitioner was registered before the appellant, the respondent No. 3 had sent an e-mail reply dated 24.02.2022, which was forwarded by the appellant to the respondent No. 1/petitioner on 25.02.2022. In the said e-mail, it was mentioned that the complaint made by the respondent No.1/petitioner had been received pertaining to the unauthorized transactions of Rs. 94,204/- (Rupees Ninety- four thousand two hundred four) only done on 18.10.2021. On 04.03.2022, the respondent No. 1/petitioner was also forwarded with a copy of the response received from the Federal Bank, wherein, it was mentioned that the fraudster i.e., the respondent No. 4 had his account bearing No. 77770101374417, wherefrom one UPI transaction of Rs. 64,017/- (Rupees Sixty- four thousand seventeen) was initiated from the account of the respondent no. 1/petitioner lying with the SBI and the amount was credit in the Neo Bank Jupitar Savings Account operated in the name of the respondent No. 4. Thereafter, the respondent No. 4 had transferred the above amounts to other bank accounts by means of UPI transaction and as of now, there was no balance lying in the beneficiary account of the respondent No. 4.
7. On 25.03.2022, the respondent No. 1/petitioner had submitted his response to the e- mail dated 24.02.2022. On 07.03.2022, the Central Receipt and Processing Centre (CRPC) of the RBI had sent the verdict of the respondent No. 2, with regard to the complaint of the Page No.# 5/19 respondent no. 1/petitioner holding that the Bank was not liable to compensate as the fraud took place due to the negligence of the petitioner.
8. The appellant contended that after receiving the complaint of fraud on 19.10.2021, the bank had taken necessary action. It has also been stated that the amount of Rs. 64,017/- (Rupees Sixty-four thousand seventeen) was withdrawn via UPI and transferred to Federal Bank beneficiary. The amount of Rs. 30,186/- (Rupees Thirty thousand one hundred eighty- six) was withdrawn via Payment Gateway (PG) transaction. It is stated that UPI transaction cannot be executed without registered mobile number and secret MPIN whereas, transaction through PG cannot be completed without card details and validation through One Time Password (OTP). According to the appellant all the transactions were successful and authorized through OTP and MPIN. As such, the CRM complaint of the respondent No. 1/petitioner was closed as successful transaction. The appellant has further contended that the loss, if any, suffered by the respondent No. 1/petitioner was due to his own negligence in operation of UPI and PG transaction and therefore, the bank was not liable to compensate the respondent No. 1/petitioner.
9. The Appellant filed affidavit-in-Opposition and denied his liability in terms of Section 7(i) of the Reserve Bank of India contained in RBI/2017-18/15, DBR.No.Leg.BC.78/09.07.005/2017-18 dated 06.07.2017 by taking the plea that the Respondent No. 1/writ petitioner himself has admitted that he was the victim of fraud perpetuated by respondent No. 4. The Respondent No. 1/writ petitioner after knowing the fraud had filed FIR before the Jalukbari P.S. After receiving the Complant of fraud on 19.10.2021, the appellant had taken necessary action. From perusal of record, the respondent Bank found that the amount of Rs.64,017/- was withdrawn via UPI and transferred to a Federal Bank Beneficiary. An amount of Rs. 30,186.8/- was withdrawn via PG Transaction. The UPI transaction cannot be executed without the registered mobile number and secret MPIN. The PG transactions cannot be executed without the Card details and validation of OTP. All the transactions were successful and authorized via OTP and MPIN. Further, for the sake of submission but without admitting the same even if the Respondent Page No.# 6/19 No. 1/writ petitioner has suffered any loss due to his negligence in operation of UPI and PG transaction, the Bank is not liable to pay any compensation as it was Respondent No. 1/writ petitioner's negligence due to which the transaction took place. There was no monetary loss suffered by the respondent no. 1/Petitioner after reporting the fraud i.e. on 19.10.2021. As such, there was no deficiency in service on the part of the answappellant. It is contended that admittedly, respondent No 1/writ petitioner has filed FIR before the Jalukbari Police Station and and as such the writ petitioner should wait for the result of investigation by the police.
10. It is contended that the appellant had taken prompt action after receipt of complaint from the respondent No 1/writ petitioner and there is no report of fraudulent transfer in the account of the respondent No 1/writ petitioner after lodging of complaint on 19.10.2021. The learned Banking Ombudsman has rightly found that no deficiency could be attributed to the service of the Appellant Bank under clause 10 of the Reserve Bank of India- Intergrated Ombudsman Scheme-2021.
11. The DCP (Crime) Sri Mrinal Talukdar had appeared before the learned Single Judge on 13.09.2022 and reported the stage of the Investigation. He informed the learned Single Judge that personal details of the fraudster including his Photographs has been identified.
12. After careful consideration of the materials available on record, the learned Single Judge, vide impugned judgment and order dated 30.09.2022, has set aside the impugned order dated 07.03.2022, passed by the Ombudsman, Reserve Bank of India and directed the appellant to deposit the amount of Rs.94,204.80/- in the bank account of the respondent No 1/writ petitioner within (30) thirty days from the date of received of a certified copying of the order, with the liberty to recover the amount from the respondent No.3.
13. Mr. A. Parvez, learned counsel for the appellant, submits that without calling the records from the office of the Banking Ombudsman, the learned Single Judge has set aside the order dated 07.03.2022 passed by the Banking Ombudsman vide impugned judgment and order dated 30.09.2022 which is bad in law.
14. Mr. A. Parvez, learned counsel, submits that the learned Single Judge has observed that Page No.# 7/19 nothing has been stated in the Counter Affidavit filed by the appellant to indicate as to when, how, and in what manner the OTP, MPIN and Password was shared by the petitioner with the fraudster, whereas in Annexure-8 to the Writ Petition details of OTP sent to the respondent No. 1/writ petitioner is fully narrated which has been filed by the respondent No. 1/ writ petitioner himself and he has not denied the contents of the Annexure-8 and as such under Section 58 of the Evidence Act, respondent No. 1/writ petitioner was not required to give further evidence. Had the learned Single Judge called the record from the office of the Ombudsman it could have found the OTP logs evidencing that OTP has been delivered to the customer's registered mobile number which submitted by the appellant to RBI. As per RBI directive the online PG transactions will not be settled without validation through OTP. Bank's responsibility is to ensure the OTP is delivered to the customer's registered mobile number in a secure way. Once the OTP is delivered to the customer's mobile it is his responsibility to ensure secrecy and sanctity of the OTP. Bank cannot be responsible for any mistake committed by the customer deliberately or inadvertently. If Bank is made responsible for all mistakes committed by the customer, even if out of ignorance or oversight, then no online transactions will be possible and the entire mechanism of online transactions would be put to halt because then the customer's responsibility of due diligence will be shifted to the Bank and nobody will exercise any caution while doing online transactions.
15. Mr. A. Parvez, learned counsel, submits that the learned Single Judge has failed to consider the pleadings in the Writ Petition that the respondent no. 1/writ petitioner himself stated that he had already filed FIR in the Jalukbari Police Station being Jalukbari P.S Case No. 1229/2021 u/s 417/420 of the IPC and had already made (3) three numbers of complaint bearing acknowledgement nos. 30410210067207, 30410210067210 and 30410210067509 as regards the three transactions with the Cyber Crime Cell of the Criminal Investigation Department of the Assam Police. As the settled law is that there cannot be second FIR on the same subject or occurrence, the Hon'ble Single Judge should not have made observation that Bank was required to file Second FIR on the same subject.
16. Mr. A. Parvez, learned counsel, submits that the learned Single Judge has failed to consider the statements made by the respondent no. 1/writ petitioner in the FIR dated Page No.# 8/19 18.10.2021 that he was expecting a refund for return of a blazer he had purchased from Louis Phillippe site. The respondent no. 1/petitioner has admitted that he downloaded a mobile app on his phone and the fraudster had manipulated the transactions in question with the help of the downloaded unverified app from an unknown source at the behest of a stranger over phone, while he was only expecting to receive a credit in his account and was not supposed to make any payment. And all this while he was electronically connected to the fraudster on his mobile phone. This is where the customer failed to exercise due diligence and this clearly amounts to negligence. As such, the finding of the learned Single Judge that the appellant Bank has failed to prove negligence on the part of the respondent no. 1/writ Petitioner is contrary to the record and as such impugned judgment and order dated 30.09.2022 is bad in law and is liable to be set aside.
17. Mr. A. Parvez, learned counsel, submits that the learned Single Judge has failed to consider the admission by the respondent no/ 1/writ petitioner in the FIR dated 18/10/2021 that the first transaction of Rs.64,017.00/- was done through Google Pay. As Google Pay is a third-Party App, appellant Bank is not responsible for a transaction that has been done through a third-party app which is in no way connected to the Bank. Bank never recommends any third-party app for online transactions.
18. Mr. A. Parvez, learned counsel, submits that the learned Single judge has failed to consider that UPI (Unified Payment Interface) is a third-Party App developed by National Payments Corporation of India (NCPI) and one can enjoy the App only after accepting Terms and Conditions of the App. As per Clause 3.6 of the Terms and Conditions of the App the App does not provide warranty that the App will be free from defects or that operation of the App will be uninterrupted. Use of the App by the User is at the User's own discretion and risk and the User is solely responsible for any damage resulting from the use of the App.
19. Mr. A. Parvez, learned counsel, submits that the learned Single Judge has failed to consider that the fraudster has already been identified and the details including photograph of the account holder in Federal Bank where the petitioner's money was transferred has been provided to the police. It is the job of the police to trace out the fraudster with the given details and recover the money.
Page No.# 9/19
20. Mr. A. Parvez, learned counsel, submits that the respondent No.3 has admitted that there was a breach of customers' database. If such breach of customers' database has given access to the fraudster to the petitioner's account, then in that event, there can be no doubt about the fact that the respondent No.3 would also be liable to compensate the petitioner or the Bank, as the case may be. However, the police report indicating the manner in which the fraud has been committed is not yet available nor is there any report from the beneficiary bank indicating the manner in which the respondent no.4 had siphoned money from the Bank to the other accounts. These are matter of investigation by the competent authority. A clear picture in these matters would emerge only when a proper investigation is carried out and the report is made available. On completion of investigation if it is established that act took place purely due to the negligence or deficiency of service on the part of the respondent No.3, then in that event the entire liability may be on the respondent No.3. As such, when the learned Single Judge is aware that investigation by the Police is not completed without getting report from the investigating Authority casting liability to the appellant for the wrong committed by the respondent no.3, is bad in law.
21. Mr. A. Parvez, learned counsel, submits that the learned Single Judge has failed to consider Annexure-9 filed by the respondent no. 1/petitioner himself which states that amount transferred through UPI transaction by the Petitioner is of high security nature, the transaction could be completed only by entering the valid UPI credentials and the credentials are confidential and known only to the account holder and as such loss occurred to the respondent no. 1/petitioner is due to his gross negligence. The Banking Ombudsman clearly held that no report is available from the beneficiary bank indicating the manner in which the respondent no.4 had siphoned off the money from the Bank to the other account. In the report the beneficiary Bank has in unequivocal language had stated that the Banks, regulators, etc. are cautioning all customers through several platforms not to share any of the credentials of their account to anybody and requesting not to click on any link, QR code, etc. Despite all these, the customers are doing all sort of things and afterwards making complaint, the loss has occurred to the complainant due to his gross negligence only. Soon after receipt of complaint from the respondent no. 1/petitioner, the appellant Bank had immediately blocked UPI transactions from customer's account and has also blocked his ATM Card Page No.# 10/19 preventing any further loss to the client. The fact that Federal bank has made it clear that after the money was transferred to the federal bank account, it was immediately shifted to other bank accounts and there was no balance lying in the fraudster's (respondent No.4) account to be refunded and as such the question of Appellant not making a 'chargeback' request to Federal Bank is irrelevant as the money was already gone from Federal Bank by the time the complaint was lodged in SBI.
22. Mr. A. Parvez, learned counsel, submits that OTP (One Time Password) is a cyber- security measure adopted by the Bank for every online transaction initiated by the customer. An OTP (One Time Password) will be generated and delivered to the registered mobile number of a client. The transaction will be successful only if the OTP is put in the relevant site/ payment gateway (PG). This is a secure way of conducting online transactions unless the recipient of OTP compromises with the sanctity of the OTP in any manner. Besides this the Bank is continuously sending SMS/fillers to all its clients not to click on any link from unknown source/not to download any app from any unknown source/not to share password/MPIN/OTP etc. Such publicity is also being made through electronic/print media, awareness programs etc. The RBI circular with regard to the 'Customer Protection- Limiting Liability of Customers in Unauthorized Electronic Banking Transactions' is clear that in cases where the loss is due to negligence by a customer, the customer will bear the entire loss he suffers. And the appellant bank will not be responsible for those unauthorized transactions, which occur after reporting the issue to the bank by the customer.
23. Mr. Parvez, learned counsel, finally submits that the learned Single Judge has observed that the investigation is pending before the competent authority and on completion of investigation if it is established that then fraud took place purely due to the negligence on the part of the respondent No.3, then in that case entire liability may be on the respondent No.3. After reaching such conclusion, direction to appellant Bank to refund the amount of Rs.94,204/- to the respondent no.1/petitioner is bad in law and as such the impugned judgment and order may be set aside and quashed.
24. Mr. P. Bhowmick, the Respondent No.1/petitioner-in-person, submits that he has made a complaint on 19.10.2021 before the appellant to the effect hat he has been defrauded by the Page No.# 11/19 respondent No. 4 on 18.10.2021 using phone no. +917789956974 and +919198762299 portraying himself to be the customer care executive of respondent No. 3, in the process of giving the petitioner a refund of Rs. 4,000.00 for a garment which he wished to return pursuant to an online purchase. The petitioner was instructed to download a mobile phone application by the respondent No. 4 and in the said process an amount of Rs. 94,204.80 (Rupees Ninety Four Lakhs Two Hundred Four and Eighty Paisa) only has been deducted in three transactions from the SBI Account Number 10823993373 through SBI Debit Card No. 4591150424526960 on 18.10.2021. He requested the Appellant to take necessary action and help the him in retrieving the amount. He has also lodged an FIR at Jalukbari Police Station on 18.10.2021 pursuant to which Jalukbari PS Case No. 1229/2021 u/s 417/420 of the IPC has been registered. Three numbers of complaints bearing acknowledgement Nos. 30410210067207, 30410210067210 and 30410210067509 have been made as regards the three transactions with the Cyber Crime Cell of the Criminal Investigation Department of the Assam Police. He has also reported the matter at the National Cyber Crime Reporting Portal of the Ministry of Home Affairs vide acknowledgment No. 20410210143122. That apart, soon after the transactions had taken place on 18.10.2021, he has requested the Customer Care Centre of the Appellant to cancel the said three transactions pursuant to which complaint Nos. 69889484 and 69689706 were registered on 18.10.2021. Pursuant to the aforesaid written complaint dated 19.10.2021 addressed to the appellant as regards the three fraudulent transactions, he was issued with complaint Nos. 69843778 by SMS on his registered mobile phone number.
25. Mr. Bhowmick, while referring to the the instruction of Reserve Bank of India contained in RBI/2017-18/15 DBR .No.Leg.BC.78/09 .07.005/2017-18 dated 06.07.2017, submits that at clause 7(i), it is provided that a customer shall be liable for the loss occurring due to unauthorized transactions in cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he report the unauthorized transaction to the bank. Any loss occurring after the reporting of the authorized transaction shall be borne by the bank. Clause-9 provides that on being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the Page No.# 12/19 unauthorized electronic transaction to the customer's account within 10 (ten) working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decide to waive off any customer liability in case of unauthorized electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorized transaction. He has also referred to clause-10 to project that the the appellant is duty bound to refund the amount. 9. Referring to the order dated 07.03.2022, passed by the respondent No. 2. Mr. Bhowmick has argued that although he had downloaded the 'mobile app' under the circumstances narrated in the writ petition, yet, he had never shared any OTP, password, MPIN or other credentials of his bank account with the fraudster. The money was transferred on-line with the help of technology with was beyond his comprehension. Therefore, it is a case of fraud and not case of negligence on his part. Mr. Bhowmick has also submitted that the basis of the other dated 07.03.2022, is clearly erroneous. By referring to the Standing Circular of the Reserve Bank of India (RBI) pertaining to the liability of the Bank in such matters, the respondent No. 1/petitioner had contended that since it is a clear case of fraud, hence, the bank would be liable to refund the amount.
26. He submits that on 16.01.2022, he received an electronic mail from the respondent no. 3, to the effect that there has been an information security incident that entailed illegal and unauthorized access to a part of their customer database. Earlier that week, it was discovered that profile information of some of their customers has been released in some cyber communities.
27. Mr. Bhowmick, submits that since there was total inaction on the part of the appellant to initiate any action as regards the complaint dated 19.10.2021, the petitioner was constrained to approach the respondent authority by way of an online complaint as per the Reserve Bank of India - Integrated Ombudsman Scheme, 2021 pursuant to which the aforesaid complaint was registered vide acknowledgment No. N202122008004685 dated 15.02.2022.
28. Mr. Bhowmick, submits that the office of the Appellant sent an electronic mail dated Page No.# 13/19 24.02.2022 which was forwarded to the petitioner by the office of the respondent No. 2 on 25.02.2022, wherein it has been mentioned that the complaint pertains to unauthorized transaction of Rs. 94,204/- done on 18.10.2021, an amount of Rs. 64,017/- was withdrawn via UPI and transferred to a Federal Bank Beneficiary (attached) and an amount of Rs. 30,186.8 was withdrawn via PG transaction. OTP logs attached for the PG transactions. On 04.03.2022, the petitioner-in-person was forwarded with a copy of the response received by the office of the respondent No. 2 through electronic mail from Federal Bank, wherein the respondent No. 4 had his account bearing no. 77770101374417, wherefrom, it appeared that one UPI transaction of Rs. 64,107/- initiated from the account of the petitioner with SBI on 18.10.2021 was credited to Neo Banking-Jupiter Savings Bank account bearing no. 77770101374417 in the name of the respondent No. 4, Shri Papender Kumar with the Federal Bank. The respondent No. 4 had transferred the above amount to other bank account vide UPI transaction as of now no balance is outstanding in the beneficiary account. A copy of the account opening log and account opening form of respondent No. 4 was attached to the said electronic mail wherefrom, it appears that the said account was opened on 14.10.2021. The statement of account for the period 14.10.2021 to 28.02.2022 of the respondent No. 4 was also attached to the said electronic mail received from the Federal Bank wherefrom, it appears that the said account was operational for the period 14.10.2021 to 29.12.2021. On 18.10.2021, an amount of Rs. 64,017.00 was transferred from the account of the petitioner to the account of the respondent No. 4. It also appears that on 18.10.2021, the respondent No. 4 had sought to transfer an amount of Rs. 4000.00 to the petitioner. The petitioner had no reason to transfer the aforesaid amount of Rs. 64,017.00 to the respondent No. 4. Therefore, it is apparent from the face of the record that the respondent No. 4 had electronically manipulated the said transaction with the help of the mobile application which the petitioner had downloaded on his phone. It also appears from the electronic mail dated 04.03.2022 that the appellant had not made any charge back request against the three fraudulent transactions to the Federal Bank. Therefore, he submits that he is entitled to get credit of unauthorized transaction of Rs. 94,204/- done on 18.10.2021 in his Saving Account.
29. He submits that the respondent No. 2 and the appellant have rejected his rightful claim Page No.# 14/19 illegally and arbitrarily by holding that on 18.10.2021, the amount of Rs. 64,017/- was withdrawn via UPI and transferred to a Federal Bank Beneficiary (attached). An amount of Rs. 30,186.8 was withdrawn via PG transaction. OTP logs are attached for the PG transactions. The UPI transactions cannot be executed without the registered mobile number and secret MPIN. The PG transactions cannot be executed without the card details and validation of OTP and a such the transactions were executed due to the petitioner's negligence. As per notification No. RBI/2017-18/15, DBR.No.Leg.BC.78 /09.07.005/2017-18 dated July 6, 2017 Section 7(i): In cases where the loss to the customer is due to the negligence by the customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transactions to the bank. The query was raised with SBI and they have replied now stating "The transactions were successful and authorized via OTP and MPIN. Hence, the CRM complaint was closed as successful transactions. The bank is not liable to pay any compensation as it was the customer's negligence due to which the transaction took place. The bank would have been liable to pay had there been any further monetary loss after reporting by the customer. There was no monetary loss after the customer reported to the bank. Therefore, the customer's claim is not acceptable." Hence, no deficiency could be attributed to the service of the bank under clause 10 of the Reserve Bank- Integrated Ombudsman Scheme, 2021.
30. Mr. Bhowmick, submits that he is a victim of the fraud perpetuated by the respondent No. 4 because the respondent No. 4 had hacked the customer care website of the respondent No. 3 when the petitioner called up the customer care number of the respondent No. 3 to return the garment purchased by him and had received the phone call of the petitioner portraying himself to be a representative of the respondent No. 3 and had undertaken to return the cost of the garment amounting to Rs. 4000/- as is reflected from the transaction dated 18.10.2021 in the statement of account bearing No. 77770101374417 of the respondent No. 4 maintained in the Federal Bank. The fact that the website of the respondent No. 3 had been hacked is apparent from their mail dated 16.01.2022 and financial data pertaining to transactions between 23.06.2021 and 01.12.2021 may have been leaked. This aspect of the matter ought to have been considered by the respondent No. 1 before rejecting Page No.# 15/19 the complaint of the petitioner vide electronic mail dated 07.03.2022. Therefore, he submits that the learned Single Judge has rightly directed the appellant to deposit the amount in his account after due consideration of the matter and as such no interference is called for and the writ appeal may be dismissed.
31. We have considered the submissions of learned counsel for the parties and the materials available on record and perused the impugned judgement and order dated 30.09.2022.
32. As held by the learned Single Judge, the issue that has arisen for decision of the Court is as to whether the Appellant Bank would be liable to compensate the petitioner for the loss of a sum of Rs. 94,204.80/- owing to the fraudulent transaction or is it a case of negligence on the part of the petitioner.
33. It is noticed that the respondent No. 1/petitioner was enjoying net banking facility provided by the appellant/SBI in respect of his savings account. On 18.10.2021, an amount of Rs. 94,204.80 was unauthorizedly transferred from the SBI account of the respondent No. 1/petitioner through internet banking and the three transactions, which took place on 18.10.2021, were all fraudulent transactions.
34. The appellant and the respondent No. 1/petitioner have placed reliance on the Standing Circular of the RBI dated 06.07.2017 in support of their respective claims which lays down certain guidelines for Customer protection- limiting liability of the customers in case of Un- authorized Electronic Banking Transactions. The said circular is made applicable to all Commercial Banks, Small Finance Banks and Payments Banks. The respondent no. 1/petitioner has relied upon Clauses 9 and 10 of the RBI Circular to project that it was the Appellant's responsibility to resolve the controversy in a time bound manner and having failed to do so, they would now have to compensate the respondent no. 1/petitioner. On the other hand, the appellant has relied upon clause-7 of the Circular to submit that the incident took place due to the negligence of the customer and, therefore, the appellant Bank has no liability.
Page No.# 16/19
35. In view of the above, we would examine the relevant Clauses 7 to 10 of the RBI Circular dated 06.07.2017. On perusal of the provisions of the RBI circular, we find that Clause 8 deals with third party breaches where the deficiency lies neither with the Bank nor with the customer but lies elsewhere in the system. As held by the learned Single Judge to which we are in agreement with that "Third party breach" is not a defined expression under the RBI circular dated 06.07.2017. However, on reading of Chapter-8 it appears that in case of un- authorized electronic banking transaction occurring due to third party breaches i.e., where the deficiency neither lies with the customer or the bank, the customer liability will be "zero" if the fraudulent transaction is reported within 3 (three) working days from the date on which the customer receives the communication. In the present case, even if it is assumed that the fraudulent transaction had taken place due to "third party breach" i.e. breach in the customer data base of the respondent No 3, even then, the fraud/un-authorized transaction was reported to the Bank on 19.10.2021 i.e., within one working day. Therefore, as per clause -8 of the RBI circular, the liability of the customer/writ petitioner in this case ought to be "zero".
36. Clause 9 deals with reversal timeline of zero liability/ limited liability of customers in case of unauthorized electronic banking transaction, it would be the discretion of the bank to waive off any customer liability even in case of negligence of the customer. On a reading of the above clauses, it can be inferred that in case of un-authorized electronic transactions the Bank would have a duty to reverse the payment and credit the amount involved in the un- authorized transaction within a time frame, provided the fraudulent transaction is reported by the Customer within the time frame provided in the Circular. In an appropriate case, even the negligence, if any, on the part of the customer, can be waived by the Bank.
37. On consideration of the materials on record, we find that three online transactions from the respondent no. 1/petitioner's account took place on 18.10.2021 when he had downloaded the 'mobile app' on being prompted by the fraudster. The respondent no. 1/petitioner appears to have done so in order to get refund of his money from respondent No.3. The three transactions were evidently unauthorized as the respondent no. 1/petitioner would never intend to transfer any amount to the respondent No. 4 by downloading the mobile app. The appellant has also not denied that the transaction was unauthorized. In such circumstances, Page No.# 17/19 we are in agreement with the learned Single Judge that merely because the respondent no. 1/petitioner had downloaded the mobile app, that cannot by itself lead to the presumption of negligence on the part of the respondent no. 1/petitioner in contributing the unauthorized transaction.
38. Learned single Judge has rightly observed that regardless of whether it was a UPI or PG transaction, it is not believable that the respondent no. 1/petitioner would deliberately share his OTP, password and MPIN so as to allow his hard-earned money to be siphoned off from the bank account by a fraudster, that too, on three consecutive occasions, in quick successions. Rather, the incident appears to be pure and simple case of cybercrime whereby, the fraudster had hacked the database of respondent No. 3 and thereafter, got access to sensitive information pertaining to various customers of Respondent No. 3 including the respondent no. 1/petitioner which information was used for completing the fraudulent transactions. The participation on the part of the petitioner appears to be only to the extent of downloading the mobile app. Although the appellant has contended that the petitioner had shared OTP, password and MPIN with the fraudster, yet, the said claim could not be substantiated by the Bank. No material particulars of the complicity on the part of the respondent no. 1/petitioner have been placed on record. Therefore, we are of the view that the appellant has failed to establish any negligence on the part of the respondent no. 1/petitioner.
39. It is the contention of the appellant that on receipt of the complaint dated 19.10.2021, the appellant Bank had taken necessary action. However, there is nothing on record to substantiate the same. Even after receipt of written complaint of fraudulent electronic transaction from the account of the respondent no. 1/petitioner, no complaint was lodged by the appellant Bank before the appropriate authority. It is noticed that the appellant Bank did not make any 'charge back' request to the beneficiary bank soon after receipt of the intimation about the fraud from the respondent no. 1/petitioner on 18.10.2021 or even on receipt of the complaint dated 19.10.2021. It appears that after receipt of the complaint from the respondent no. 1/petitioner on 19.10.2021 the appellant has not taken any action in the matter to protect the interest of its customer. Not even a complaint was lodged by the Page No.# 18/19 appellant Bank with the cybercrime cell. However, bald claim has been made by the appellant alleging negligence against the respondent no. 1/petitioner by denying any liability.
40. Undoubtedly, it is correct that if a customer is negligent in handling his or her account and discloses sensitive information such as, password, OTP, MPIN, Card Number etc., resulting into fraudulent transaction, the Bank cannot be held liable for loss, if any suffered by the customer. However, in such cases, negligence on the part of the customers must be cogently established by the Bank by bringing reliable materials on record. The Banks cannot absolve themselves of the liability towards losses suffered by the customers on account of unauthorized electronic transactions based on perceived negligence of the customers. In the present case, having considered the facts and circumstances of case and the materials available on record, we concur with the view of the learned Single Judge, that the appellant has failed to establish negligence on the part of the respondent no. 1/petitioner leading to the fraudulent transactions. Thus, the learned Single Judge has rightly directed the appellant to deposit an amount of Rs. 94, 204.80/- (Rupees Ninety-four thousand two hundred four and Eighty Paisa) only, in the bank account of the respondent no.1/petitioner.
41. We have perused the case laws referred and relied on by the learned Single Judge. We are of the view that the learned Single Judge has correctly applied the ratio of DAV Public School Vs. The Senior Manager, Indian Bank, Midnapore Branch and others reported in (2019) 20 SCC 31 and Justice (Retired) Basudev Agarwal Vs. State Bank of India [WP(C) 3474/2022] as, though, factual matrix of those cases are slightly different, the ratio would be applicable in the present case.
42. Having heard and considered the submissions of the learned counsel for the parties and after going though the materials available on record, we are in full agreement with the learned Single Judge that the online transactions that took place on 18.10.2021 from the respondent No. 1/petitioner's Bank account were unauthorized and fraudulent in nature. No negligence on the part of respondent No. 1/petitioner could be established by the Appellant. Clauses 8, 9 and of the RBI Circular dated 06.07.2017 would apply. The respondent No. 1/petitioner will not have any liability.
Page No.# 19/19
43. In view of the discussions made herein above, we are of the firm view that impugned judgment and order dated 30.09.2022 passed by the learned Single Judge in WP(C) No. 1900/2022, does not suffer from any infirmity warranting interference in this writ appeal. The writ appeal, thus, fails and is dismissed as being devoid of merit.
JUDGE JUDGE Comparing Assistant