In a significant ruling on liability in digital banking fraud cases, the Delhi High Court (HC) has held that a bank customer who clicks on suspicious links, despite repeated warnings from banks and regulators, can be considered negligent and may have to bear the financial loss arising from cyber fraud.
In an order last week, a division bench comprising chief justice Devendra Kumar Upadhyaya and justice Tejas Karia allowed an appeal filed by State Bank of India (SBI) against an earlier single-judge order that had directed the bank to refund ₹2.6 lakh, along with interest, to Greater Noida-based academic Hare Ram Singh, who lost money in a cyber fraud incident in April 2021.
The bench says, "The single judge, however, held that, since respondent no. 1 had denied sharing the one-time passcodes (OTPs), the liability would necessarily fall upon the bank. Such an interpretation dilutes the operation of Clause 7(i) of the 2017 circular from Reserve Bank of India (RBI) and the distinction contemplated therein between different categories of unauthorised transactions."
Addressing the reliance placed on the Tony Enterprises (supra) case, the bench noted that it was not helpful to the respondent. "In Tony Enterprises (supra), the transactions in question were treated as 'prima facie tainted by fraud' on the basis of a police investigation establishing SIM swapping and identity theft through fraudulently procured duplicate SIM cards, which were used to access the bank account of the petitioner therein and to effect unauthorised transfers by generating OTPs through such duplicate SIM cards, thereby bringing the transactions within the category of 'disputed transactions' falling within the sweep of zero liability under the 2017 RBI Circular. In the present case, no such investigative finding has, till date, emerged to establish that the subject transactions were carried out through any breach of the bank’s system."
The Court clarified that negligence in cyber fraud cases is not limited to situations where a customer explicitly shares OTPs or banking credentials. It observed that customer negligence may also arise when a person accesses suspicious links or unknown applications despite repeated security advisories, thereby exposing banking credentials to misuse.
According to Court records, Hare Ram Singh, a professor of computer science at a Greater Noida educational institution, received a text message on 18 April 2021 containing a link warning that certain services could be discontinued if the link was not opened. After clicking on the link, he found that ₹2.6 lakh had been withdrawn from his savings account in SBI through two separate transactions. He subsequently reported the matter to the bank, lodged a cybercrime complaint and approached the banking ombudsman (BO).
SBI maintained that the transactions were executed through internet banking after successful login using valid credentials and were authenticated through OTP-based two-factor authentication (2FA). The bank argued that the customer had received OTPs and transaction alerts on his registered mobile number, and that the fraud occurred after he clicked on an unknown link. It further contended that it had immediately blocked the account and internet banking facility after the fraud was reported.
The bench noted that the RBI framework distinguishes between cases involving deficiencies on the part of banks and those arising from customer negligence. While customers are entitled to 'zero liability' where the fault lies with the bank or elsewhere in the system and the fraud is promptly reported, losses resulting from customer negligence must generally be borne by the customer until the unauthorised transaction is reported.
Rejecting the argument that negligence can only be established if a customer shares OTPs or login credentials, the court held that the phrase in the RBI circular referring to customers who have 'shared payment credentials' is illustrative rather than exhaustive.
The judges observed that in the context of modern cyber fraud, banking credentials can be compromised through interactions with malicious links or applications, even without direct disclosure of passwords or OTPs.
The HC also found that there was no material on record showing that SBI's authentication process had been bypassed or that the Bank's systems had been compromised.
The judgement noted that the BO had earlier examined transaction records, internet banking logs, OTP delivery details, merchant information and other technical data before concluding that the transactions were completed through successful login to the account using valid credentials.
According to the bench, questions such as whether malware had captured credentials, whether OTPs were compromised after the customer clicked the suspicious link, or whether the Bank's security systems failed to detect unusual login activity would require detailed technical and forensic examination. Such issues, it said, could not be conclusively determined in writ proceedings.
The Court disagreed with the earlier single-judge finding that the customer could not be considered negligent merely because he claimed not to have shared OTPs. It held that attributing the entire loss to the bank without technical evidence was inconsistent with RBI's customer liability framework.
Following Mr Singh's complaint, the BO had observed that he appeared to have fallen victim to a vishing scam after clicking on an unknown link. While the ombudsman concluded that customer negligence could not be ruled out, it also found that SBI had not initiated chargeback proceedings for one of the disputed transactions and directed the bank to pay one-third of the ₹1 lakh transferred to an IDFC Bank account, amounting to ₹33,340. SBI complied with that direction.
However, Mr Singh later challenged the ombudsman's order before the High Court. A single judge ruled in his favour in November 2024, directing SBI to refund the entire disputed amount with 9% interest. SBI subsequently appealed that decision before the division bench.
Allowing SBI's appeal, the division bench set aside the single-judge ruling and held that the findings fixing complete responsibility on the Bank could not have been reached without a forensic investigation and technical evidence. The Court concluded that no breach of SBI's banking systems had been established and that customer negligence could not be confined solely to sharing OTPs or passwords.
(Case No LPA 52/2025 & CM APPL 4159/2025 Date: 29 May 2026)