
Regulatory Body

Banks' Liability for Fraudulent Transactions

 07-Jan-2025

State Bank of India v. Pallabh Bhowmick & Ors

“Supreme Court directs SBI to refund the amount to a customer, stating that it is a bank's duty to remain vigilant against fraudulent transactions.”

Justices JB Pardiwala and R Mahadevan

Source: Supreme Court  

Why in News? 

The Supreme Court recently held that banks are responsible for safeguarding customers from unauthorized transactions and must use advanced technology to prevent fraud. It upheld SBI's liability for fraudulent transactions in a customer's account, emphasizing banks' duty of vigilance under RBI guidelines. The Court also advised customers to exercise caution and avoid sharing OTPs.

  • Justices JB Pardiwala and R Mahadevan held this in the matter of State Bank of India v. Pallabh Bhowmick & Ors.

What was the Background of State Bank of India v. Pallabh Bhowmick & Ors.? 

  • A customer of State Bank of India (SBI) made an online shopping purchase and subsequently attempted to return the item. 
  • The customer received a call from someone who fraudulently posed as a customer care representative for the retailer.
  • Following the fraudster's instructions, the customer downloaded a mobile application. 
  • This led to unauthorized transactions being made from the customer's bank account, totaling ₹94,204.80. 
  • State Bank of India denied liability for these transactions, arguing that they were authorized since they involved the sharing of OTPs and M-PINs by the customer. 
  • The customer contested this claim, maintaining that they never shared sensitive information like OTP or MPIN with anyone. 
  • The customer alleged that the fraud occurred due to a data breach on the retailer's website, which was beyond their control. 
  • The customer reported the unauthorized transactions to SBI within 24 hours of their occurrence. 
  • The matter was initially brought before a Single Judge Bench, which held SBI liable for the unauthorized transactions. 
  • SBI filed an Intra-Court appeal before the Division Bench of the High Court, which was dismissed. 
  • Subsequently, SBI filed a Special Leave Petition before the Supreme Court challenging the High Court's decision. 

What were the Court’s Observations? 

  • The Supreme Court stated that banks cannot abdicate their responsibility to protect customers from unauthorized transactions reported from their accounts, emphasizing the bank's duty of vigilance. 
  • The Court held that banks must utilize the best available technology to detect and prevent unauthorized and fraudulent transactions, placing this technological obligation squarely on the banking institutions. 
  • The Court referenced Clauses 8 and 9 of the RBI Circular dated 6th July, 2017, which establish "zero liability" for customers in cases of unauthorized transactions resulting from third-party data breaches, provided they are reported promptly. 
  • The Court noted the significance of the customer's prompt reporting: the fraudulent transaction was brought to the bank's notice within 24 hours of occurrence.
  • While upholding SBI's liability in this case, the Court simultaneously observed the reciprocal duty of account holders to exercise extreme vigilance regarding OTPs and not share them with third parties. 
  • The Court observed that in certain circumstances, customers could be held responsible for negligence, though no such negligence was established in the present case. 
  • The Court ultimately found no reason to interfere with the High Court's judgment, which had determined the transactions to be unauthorized and fraudulent in nature, with no negligence attributable to the customer. 

What are the Provisions of the RBI Notification on Customer Protection and Limiting Liability in Unauthorized Electronic Banking Transactions? 

  • The RBI issued this circular (RBI/2017-18/15) on 6th July, 2017, to address the increasing concerns about unauthorized electronic banking transactions and to strengthen customer protection measures. 
  • The circular was prompted by a surge in customer grievances related to unauthorized transactions resulting in debits to their accounts/cards, necessitating a review of customer liability criteria. 
  • The circular categorizes electronic banking transactions into two types:  
    • Remote/online payment transactions (internet banking, mobile banking, card-not-present transactions) 
    • Face-to-face/proximity payment transactions (ATM, POS transactions requiring physical presence of payment instrument) 
  • The framework mandates banks to design systems and procedures that ensure customer safety in electronic banking transactions, including robust fraud detection mechanisms and comprehensive risk assessment tools. 
  • The notification mandates registration for SMS alerts and, where available, email alerts, and requires banks to provide 24x7 access through multiple channels for reporting unauthorized transactions.

Limited Liability of a Customer

  • Zero Liability (Clause 6): 
    • Customers have zero liability in two scenarios:  
      • When there is contributory fraud/negligence by the bank (no reporting timeframe required) 
      • In third-party breaches where neither bank nor customer is at fault, if reported within 3 working days 
  • Limited Liability (Clause 7): 
    • Customer Bears Full Liability:  
      • When loss occurs due to customer negligence (e.g., sharing payment credentials) 
      • Customer bears entire loss until reporting to bank 
      • After reporting, bank bears all subsequent losses 
    • Limited Liability Based on Account Type (4-7 working days delay):  
      • BSBD Accounts: Maximum ₹5,000 
      • Regular savings accounts/PPIs/MSMEs/Credit cards up to ₹5 lakh limit: Maximum ₹10,000 
      • Other accounts/Credit cards above ₹5 lakh: Maximum ₹25,000 
  • Overall Liability Structure (Clause 8): 
    • Reporting Timeline Framework:  
      • Within 3 working days: Zero customer liability 
      • 4-7 working days: Limited liability as per Table 1 
      • Beyond 7 working days: As per bank's board-approved policy 
    • Working Days Calculation:  
      • Based on home branch schedule 
      • Excludes date of communication receipt 
  • Reversal Timeline (Clause 9): 
    • Bank's Obligations:  
      • Must credit disputed amount within 10 working days of notification 
      • Credit must be value-dated to unauthorized transaction date 
      • No need to wait for insurance claim settlement 
    • Bank's Discretionary Powers:  
      • Can waive customer liability even in negligence cases 
      • Can provide relief beyond prescribed limits 
  • Additional Requirements: 
    • Banks must:
      • Display liability policy in public domain
      • Inform existing customers individually
      • Provide policy details at account opening