Online Banking Fraud and legal remedies in India


Rahul Narang

7/17/2023, 2 min read

Electronic or online banking refers to conducting financial and non-financial transactions, such as transferring or receiving money, making investments and viewing bank statements, through electronic means. It is an extension of traditional banking in which the internet is used as the medium for instructions and delivery of banking services.

Due to the exponential growth of online banking, there has been an increasing trend of online banking fraud cases in the recent past. Further, COVID-19 created a multiplier effect for the adoption of online banking, given lockdowns and the demand for contactless banking services. This has created a conducive environment for an increase in online frauds, as fraudsters are leveraging social engineering and technology to dupe bank customers.

There is no specific section in the Information Technology Act 2008 which deals with the legal remedies available to customers in case of online banking fraud.

The victim of online banking fraud has the following remedies available at his disposal:

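a. The victim should report his complaint to the bank at the earliest (within 3 working days of the communication of the fraudulent transaction by the bank) and should file an FIR with the local police station.

b. If the victim is not satisfied with the bank's response, then he can file a complaint with the Banking Ombudsman (https://cms.rbi.org.in/cms/IndexPage.aspx?aspxerrorpath=/cms/cms/indexpage.aspx). The Banking Ombudsman scheme is implemented by RBI to address customer complaints with respect to banking services.

c. If the victim is still not satisfied with the response of the Banking Ombudsman, then he can file a complaint before a District Consumer Disputes Redressal Forum, a State Consumer Disputes Redressal Commission or the National Consumer Disputes Redressal Commission, depending upon the value of damages claimed.

However, before the above recourse is adopted, it is important to understand the liability of the customer in case of unauthorised transactions. Due to a spike in cases pertaining to unauthorised electronic banking transactions and a corresponding surge in customer grievances, RBI issued a circular limiting the liability of customers in case of unauthorised electronic banking transactions.

As per the RBI circular RBI/2017-18/15 DBR.No. Leg.BC.78/09.07.005/2017-18 dated 6 July 2017, online banking frauds and their associated liability are divided into the following categories:

a. Unauthorised transactions attributable to fraud/negligence by the bank, irrespective of whether the customer has reported the transaction or not – No customer liability

b. Unauthorised transactions attributable to negligence of the customer, e.g. sharing user credentials – Customer liability for transactions until they are reported to the bank

c. Unauthorised transactions attributable to a third-party breach, where the fault lies neither with the bank nor with the customer but elsewhere in the system – No customer liability if it is reported to the bank within three working days, or INR 5000 if it is reported within four to seven working days. If the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board-approved policy

The term “Negligence” can be considered to cover the following behaviour:

  • Sharing your user credentials such as username, OTP etc. over email or call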

However, before the above recourse is adopted, it is important to understand the liability of the customer in case of unauthorised transactions. Due to spike in the cases pertaining to unauthorised electronic banking transactions and corresponding surge in the customer grievances, RBI issued a circular limiting the liability of the customers in case of unauthorised electronic banking transactions.

As per the RBI circular RBI/2017-18/15 DBR.No. Leg.BC.78/09.07.005/2017-18 dated 6 July 2017, online banking frauds and its associated liability has been defined into the following categories :

a. Unauthorised transactions attributable to fraud/negligence by the banks irrespective of the fact that whether the customer has reported the transaction or not – No Customer liability

b. Unauthorised transaction attributable to negligence of customers. For eg sharing user credentials – Customer liability for transactions until it is reported to the bank

c. Unauthorised transactions attributable to third party breach where the fault neither lies on bank or customer but lies elsewhere in the system – No Customer liability if it is reported to bank within three working days or INR 5000 if it is reported between four to seven working days. If the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board approved policy

The term “Negligence” can be considered as the following behaviour:

  • Sharing your user credentials such as username, OTP etc on email or call

  • Acting upon a compromised email

  • Downloading malicious applications from unverified sources

  • Using a weak combination of passwords/not changing your passwords

  • Clicking on a malicious link provided by a phishing email or online websites

  • Not applying security patches to the mobile device or operating system

The above acts can be considered negligent behaviour on the part of the customer. But there are certain frauds, such as phishing, malware attacks, SIM swap fraud and ATM card cloning, which require a high level of expertise to understand, and understanding them should not be expected as baseline vigilant behaviour of a customer. Also, bank employees may part with confidential information of the account holder, which may be used by fraudsters in carrying out unauthorised transactions.

Hence the burden of “Negligence” should not be thrust on the customer in the case of phishing and installation of malware where the customer himself is a “Victim” of an identity theft crime.

In view of the above, there are multiple legal cases wherein courts have decided in favour of customers in cases of unauthorised electronic banking transactions. However, banks continue to file litigation against customers. Please refer to the following legal cases:

  • ICICI Bank v. Umashankar Sivasubramanian and Ors

  • TONY ENTERPRISES v. RESERVE BANK OF INDIA

  • ICICI Bank v. Ramdas Pawar

  • DAV PUBLIC SCHOOL v. THE SENIOR MANAGER INDIAN BANK MIDNAPUR BRANCH

  • Thomas Raju v. ICICI Bank

RBI has issued directions on limiting customer liability. However, they have not been followed by Indian banks in the same spirit. Indian banks have always invoked the rationale of customer negligence to escape their liability for unauthorised transactions. The banks always take the plea that they have robust authentication procedures and that it is not possible to access the customer account without the user ID and password, which are known only to the customer. It is high time that we adopt the US model of customer protection, wherein customer liability in case of unauthorised transactions does not depend upon a determination of customer negligence but rather on the customer's promptness in reporting the transaction to the bank.

Also, the RBI should mandate all banks to opt for cyber insurance in order to limit their losses in the event of unauthorised transactions which may have occurred beyond their control. This shall act as an important hedge against the liabilities arising out of unauthorised transactions.
