In a path-breaking judgement the Gondia District Consumer Disputes Redressal Commission has directed the State Bank of India (SBI) to reverse the disputed transaction of Rs18.36 lakh into the customer's bank account.
The Commission even directed SBI to recover the money from the salary of its concerned officers and staff.
In an order on 10 August 2021, a bench led by Bhaskar Yogi, president and Sarita Raipure, member, says, "The opposite party (SBI) is hereby declared liable for the loss caused to the complainants. Opposite party is directed to reverse the disputed transaction of Rs18,36,400 along with simple interest at 6% per annum from 22 November 2019 till realisation to the complainants."
SBI has also been asked to pay Rs25,000 as compensation for causing mental agony and suffering to the complainants, both of whom are senior citizens.
The Commission further says, "Opposite party (SBI) may recover the above amount from the concerned officers or staff after conducting their internal enquiry from the salary of the staff who has committed dereliction in duty for the loss caused to the public institute (bank)."
Advocate Dr Mahendra Limaye, who represented the complainants in this case, says, "This judgement establishes that even if police have not fully investigated in the matter of cyber-crime, victims should not feel remediless and can avail option of civil remedy to fight for their rights in cyberspace and can get the lost amount back."
Gondia-based Dr Suresh Bholeshwar Katre and his wife Minakshi are both senior citizens and had filed a complaint against SBI alleging that the Bank had failed to protect and to take due care in the capacity of the trustee of money deposited in their savings account, resulting in an online fraudulent transaction of Rs12,86,800 and Rs5,49,600, respectively, from their savings account.
On 20 November 2019, both the senior citizens received an SMS on their mobile number saying "Your SBI account will be suspended today 20/11/19 due to wrong date of birth verified in your bank account. For reactive upgrade Fully KYC, immediately by online visiting click link below."
However, earlier the same day, Dr Katre had submitted his documents for know-your-customer (KYC) verification to SBI. After receiving the SMS, he thought the link in the SMS is sent by the Bank since only the Bank has his KYC verification information.
Dr Katre, using the link given in the SMS, updated his date of birth and mentioned the mobile number of his wife that was linked with their two bank accounts. After that Minakshi Katre, the wife of Dr Katre, received a message saying that account activation is successful. She also received an SMS for one-time passcode (OTP), which she shared with a person who called her from the number 9840997056.
On the same day, at around 2.10, both the Katres received messages about change in their net banking login and password from 20 November 2019.
On the night of 20 November 2019, Ms Katre received three SMSs and early morning of 21 November 2019 there were three more SMSs. In total, she received six SMSs informing her about the withdrawal of Rs1,99,800 in each transaction. Again at 5.02am on 22 November 2019, she received an SMS informing her of a withdrawal of Rs88,000 from her account. In total, Rs12.87 lakh vanished from her account in three days.
She also received similar SMS for her other account informing her of the withdrawal of Rs5,49,600 in three transactions at 5.02am on 22 November 2019.
After realising something is wrong with her accounts, Ms Katre reported the matter to SBI while requesting for a debit freeze of the beneficiary account. The Katres also registered a first information report (FIR) with the Gondia police station.
In their plea, the Katres contended that the SBI was unable to provide any information of the beneficiary and this "not-providing beneficiary account’s information as well as not initiating quick action of recalling the amount from the beneficiary bank by opposite party amounts to deficiency in service."
As per the Reserve Bank of India (RBI) master circular on customer services in India dated 1 July 2015 at point no. 5.17 page 31, guidelines are provided for securing electronic payment transactions. These guidelines at (i) say that customer induced options may be provided for fixing a cap on value/mode of transactions/beneficiaries. "In the present case the Opposite party failed to fix the cap on such activities," they said.
The same circular at (iv) mandates that banks may put in place a mechanism for velocity check on the number of transactions effected per day or per beneficiary and any suspicious operations should be subjected to alert within the bank and to the customer.
The senior citizens submitted, "SBI has miserably failed on this count also as they failed to detect the suspicious transaction within the bank, occurring at odd hours of the day and the uncharacteristic velocity of the transactions. Also, though the e-mail ID of the complainant was registered with SBI, it failed to initiate emails for the huge volume of transactions. Failure of SBI to follow the RBI mandated guidelines also amounts to deficiency in service reasonably expected by the bank for the online transactions."
"RBI through KYC guidelines has mandated the opposite party to identify the clients as per their transactions pattern and provide security according to their classification but the opposite party also failed to provide reasonable security to the client’s account and hence again liable for deficiency in service," they added.
The Katres also contended that SBI failed to provide robust and dynamic fraud detection and prevention mechanism as this led to happening of fraud and the complainant losing the huge amount of Rs18.36 lakh.
"These acts of omission and commission of SBI, which is one of the leading banks in India, having all the technological innovations at its discretion, of not responding to the enquiry by the complainant regarding detailed transaction information of our accounts and not initiating any proactive measures on its own after the receipt of the report about suspected activities happening on our account, and not protecting our confidential information, amounts to most severe deficiency in service as per banking industry guidelines and norms," the senior citizen couple contended.
In its submission, SBI contended that the Katres committed negligence and were not careful. "And on loss or injury, now the complainant cannot equate it with inadvertence and shift the burden of care on SBI, beneath the effect of instructions and circular of RBI, which even otherwise do not assure for the negligent act of complainant. It is well settled that once the things, which are declared not to follow or commit, if someone commits it, he is bound to suffer."
The Commission visited the website of SBI and took screenshots to understand the requirements of creating the user ID and login password.
It says, "From the screenshots for user-driven registration–new user, it seems that the account number, customer identification file (CIF) number, branch code are mandatory fields and from pleadings, the complainant has only shared the birth date and the OTP. Thus the question as to who shared the account number and CIF number is to be seen."
"Only two persons, the complainant and the bank know the above details and if the complainant has received phone calls and the link on the same day and the number submitted in the KYC application when he had submitted the KYC documents, it is obvious that the confidential information is parted by the employees of the bank only," the bench noted.
Further it observed, "Unless the bank is able to satisfy the Court of either an express condition in the contract with its customer or an unequivocal ratification, it will not be possible to save the bank from its liability. Banks do business for their benefit. Customers also get some benefits. If banks are to insist upon extreme care by the customers in minutely looking into the passbook and the statements sent by them, no bank perhaps can do a profitable business. It is common knowledge that the entries in the passbooks and the statements of account sent by the bank are either not readable, decipherable or legible.
"There is always an element of trust between the bank and its customer. The bank’s business depends upon this trust."
Coming down heavily on SBI, the district commission observed that details of miscreants can be traced but the bank does not help poor consumers.
"Even the employees of the bank share details of customers to fraudsters, which can be taken note of, for the simple reason that a person's bank details are only with the bank or the consumer. Then how come anyone knows that a particular person has such and such a bank account in such and such a bank at such and such place."
"Thus, it is a burden on the part of the bank and its employees to discharge their burden first then only can the complainant be held responsible for any alleged negligence. Hence looking from any angle the opposite parties miserably failed to discharge their burden that the complainant was negligent.
"In view of the above ruling and facts of the present complaint, the complaint must be allowed with cost and compensation," the commission says.
It then directed SBI to reverse the transaction for Rs18.36 lakh to the bank accounts of the Katres and "recover the public amount from the salary of the public servant, who has performed their duty capriciously and caused harassment and mental agony to the complainants after conducting their internal enquiry from the staff, who has committed dereliction in duty, resulting in the loss, and cost to the public authority as per Supreme Court Judgment in case of Lucknow Development Authority vs. M. K Gupta 1994 AIR 787."
Here is the copy of the judgement from the Gondia District Consumer Disputes Redressal Commission: