Delhi High Court Orders SBI to Compensate Cyber Fraud Loss

November 21, 2024 | Cybersecurity
By Ashwani Mishra, Editor-Technology, CyberWIRE

In a landmark judgment, the Delhi High Court has directed the State Bank of India (SBI) to compensate a victim of cyber fraud, highlighting systemic lapses in the bank’s response to such incidents.

 The case, Hare Ram Singh vs. Reserve Bank of India & Ors., underscores the critical responsibilities of banks in protecting customers against cybercrime.

The Incident: Phishing Scam and a Lukewarm Response

Hare Ram Singh, a savings account holder at SBI, became a victim of a phishing attack, leading to an unauthorized withdrawal of ₹2.6 lakhs. Singh promptly reported the breach to SBI’s customer care and branch manager, but the response was anything but reassuring.

Months later, his claim was rejected on two grounds: that transactions were authenticated with OTPs and that Singh had clicked on a malicious link. Singh, however, vehemently denied sharing any OTPs.

Court’s Observations: Deficiency in Service

Justice Dharmesh Sharma found a “glaring service deficiency” on SBI’s part. Despite Singh’s immediate notification, the bank failed to act swiftly to block the fraudulent transactions. The Court also noted SBI’s non-compliance with the Reserve Bank of India’s (RBI) Master Direction on Digital Payment Security Controls, which mandates robust protocols to mitigate cyber risks.

The Court remarked,

“It has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, that the petitioner suffered monetary losses.”

Verdict: Compensation and Accountability

The High Court directed SBI to compensate Singh for the entire amount of ₹2.6 lakhs, with 9% interest from the date of the incident in April 2021. Additionally, SBI was ordered to pay ₹25,000 as costs. This judgment emphasized the principle of “zero liability” for customers in cases of bank negligence.

The Court also criticized SBI for its reliance on two-factor authentication (2FA) and OTP protocols, which were easily bypassed by malware. It reiterated that customers, particularly those who promptly report breaches, cannot be held accountable for advanced cyberattacks.

Systemic Implications: Banks’ Duty of Care

Justice Sharma reminded banks of their “implied duty of care” towards customers, stating:

“Funds in a bank account belong to the bank, but the bank acts as an agent for the principal (the customer). Upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action.”

A Lesson for All

The judgment not only provides relief to Singh but also sets a precedent for accountability in the banking sector amidst rising cyber frauds.

The High Court’s decision is a wake-up call for financial institutions to prioritize customer protection and comply with RBI’s guidelines, ensuring robust responses to cyber threats.

For victims, it highlights the importance of persistence in seeking justice.