The Bombay High Court has directed the Bank of Baroda (BoB) to refund Rs 76 lakh amount debited from a company’s bank account fraudulently while observing that a customer has “zero liability” in a third party unauthorised transaction where the deficiency lies not with the bank or customer but somewhere in the system.
The court noted that the Reserve Bank of India’s circular of July 2017 specifies that a customer has zero liability in such cases. Even the BoB has a policy called the ‘Consumer Protection Policy (Unauthorised Electronic Banking Transactions)’ which reiterates the same.
The HC was hearing a petition filed by one Jaiprakash Kulkarni and Pharma Search Ayurveda Private Limited challenging an order passed by the Banking Ombudsman refusing to direct the BoB to refund an amount of Rs 76 lakh allegedly defrauded from their account by way of cyber fraud.
The court said this was an example of how “increasingly innocent persons are becoming victims of cyber fraud”.
“Both as per the RBI Circular and the policy of the bank, a customer has zero liability when the unauthorized transactions occur due to a third party breach where the deficiency lies neither with the bank nor with the customer but elsewhere in the system and the customer notifies the bank regarding the unauthorized transactions within a certain time frame,” a bench of Justices Girish Kulkarni and Firdosh Pooniwalla said.
On October 1, 2022 certain entities / individuals were added as beneficiaries to the petitioner company’s bank account without any one time password (OTP) sent to the petitioner on the registered mobile number or on registered email id. The next day, Rs76,90,017 was transferred from the petitioner’s bank account to various unknown individuals by way of online transactions.
The petitioners immediately lodged a complaint with the Mumbai police Cyber Cell and informed the bank manager of the alleged fraud. It asked BoB whether it was taking any steps to refund the amount as per the RBI’s July 2017 circular. When they did not receive the refund, they filed a complaint with the Banking Ombudsman.
The ombudsman rejected their complaint in January 2023 noting that the transactions were done post addition of beneficiaries and input of valid credentials known only to the bank account holders and therefore there was no deficiency/ lapse on the part of the bank.
The judges relied on three reports submitted by the cyber cell police which said that the beneficiaries were added to the bank account without any message or OTP received on the registered mobile number and email to the registered email account.
“Thus, there was no intimation to the petitioners about adding of beneficiaries and the petitioners only received messages on the registered mobile number when the amount from the bank account was actually debited,” the bench said.
The bank contended that beneficiaries could be added to a bank account only by those who have access to the bank account holders’ confidential credentials. It claimed that the petitioners’ credentials were compromised from the petitioners’ end itself and hence it could not be held liable or at fault.
However, the bench said that it was satisfied with the cyber cell’s reports that the petitioners have not been negligent and there is no collusion of the petitioners with the alleged fraudsters.
Both, the bank and the petitioners, have been victims of fraud by third party fraudsters, the bench said. However, as per the RBI circular, the petitioners were entitled to a refund and directed BoB to refund the Rs 76 lakh amount to the petitioner’s bank account within six weeks.
Also, the bench took note that the banking ombudsman did not conduct a proper inquiry and had merely stated that the transactions were done post addition of beneficiaries.
