While upholding an order directing State Bank of India (SBI) to re-credit ₹1.99 lakh to a cyber fraud victim, the national consumer disputes redressal commission (NCDRC) reiterated that banks cannot evade liability for unauthorised electronic transactions merely by alleging negligence on the part of customers.
In
an order last month, the NCDRC bench of air vice-marshal (AVM) J Rajendra (retd) and justice Anoop Kumar Mendiratta says, "The complainant had only initiated a payment of ₹20 from his account but resulted in fraudulent transactions of ₹25,000 and ₹199,000 without sharing of any further one-time passcodes (OTPs). The account stood debited since the online software was under control of a third party. However, admittedly, no OTP for said two transactions was received by the complainant. The complicity of the complainant cannot be presumed merely on account of downloading the application. In case of third-party fraud, the complainant cannot be held liable for allegedly sharing the OTP for the transaction of ₹199,000 and ₹25,000 when the transactions were not initiated by him. The bank apparently cannot be absolved of the liability towards the losses suffered by the complainant on account of unauthorised electronic transactions in view of RBI circular dated 6 July 2017, since the information of fraudulent transactions was shared with the bank within (the) stipulated period."
The commission also upheld a compensation of ₹25,000 in favour of the complainant and observed that merely downloading a mobile application cannot, in itself, amount to negligence on the part of the customer.
The case arose after Prodosh Kumar Banerjee, from Bengaluru, received an SMS on 19 July 2022 claiming that his electricity connection would be disconnected unless the pending dues were paid immediately. The message carried a mobile number for clarification, and when the complainant contacted it, he was allegedly asked to download an application displaying a Bangalore Electricity Supply Company Ltd (BESCOM)-like interface. He initially attempted to pay ₹20 online through the application but soon received a bank alert stating that the password had been entered incorrectly three times.
Shortly afterwards, he received SMS alerts that ₹25,000 and later ₹1.99 lakh had been debited from his SBI account, even though no OTP had been entered for the second transaction. His mobile phone reportedly stopped working thereafter, preventing him from contacting the bank immediately. Fearing further losses, he switched off the device and reported the matter through SBI’s unauthorised transaction email service and to the cybercrime police, which later registered a first information report (FIR) in Bengaluru.
Mr Banerjee formally informed SBI on 20 July 2022, after which the account was frozen and ₹25,000 was credited back to him. He later submitted a detailed complaint with supporting documents, but alleged that no satisfactory resolution was provided regarding the remaining amount. After the Bengaluru district consumer forum dismissed his complaint in 2023, the Karnataka state consumer disputes redressal commission ruled in his favour in 2025, directing SBI to re-credit ₹1.99 lakh.
SBI challenged the decision by filing a second appeal before NCDRC.
After hearing both sides, NCDRC observed that Mr Banerjee's account was debited because the online software had come under the control of a third party. It noted that no OTP was received by him for the fraudulent transactions of ₹25,000 and ₹1.99 lakh.
NCDRC observed that Mr Banerjee’s complicity could not be presumed simply because he had downloaded an application on the instructions of fraudsters.
Referring extensively to earlier judicial findings and the
Reserve Bank of India (RBI)’s 6 July 2017 notification on customer liability in unauthorised electronic banking transactions, the commission emphasised that customers have 'zero liability' if fraudulent transactions are reported within the prescribed time frame.
The commission cited findings that the bank had failed to establish any concrete negligence on the part of the customer.
The order noted that banks cannot rely on 'perceived negligence' to deny claims arising from cyber frauds and must place reliable material on record to prove that the customer deliberately shared sensitive details such as OTPs, passwords or mobile personal identification numbers (MPINs).
The commission also noted deficiencies in the bank’s response following the fraud report.
According to the order, despite receiving a written complaint regarding the fraudulent transactions, SBI failed to lodge any complaint with the cybercrime authorities or initiate a chargeback request with the beneficiary bank.
NCDRC referred to observations in the judgement that the Bank appeared to have taken no meaningful action to protect the customer’s interests after receiving information about the fraud.
The commission further observed that in modern cyber fraud cases, fraudsters often gain unauthorised access through malicious applications and compromised systems, while customers themselves may not even realise how transactions are being executed.
Citing findings from an earlier judgement discussed in the order, the commission noted that the incident appeared to be 'a pure and simple case of cybercrime' in which fraudsters allegedly hacked databases and misused customer information to complete fraudulent transactions.
NCDRC ultimately upheld the state commission’s direction ordering the bank to re-credit ₹1.99 lakh to Mr Banerjee's account, along with a compensation of ₹25,000.
The commission further directed that if the amount is not paid within four weeks, SBI would be liable to pay interest at 8%pa (per annum) from the date of default until realisation.
The ruling is expected to strengthen consumer protections in cases involving online banking frauds and reinforce the obligations of banks under RBI guidelines relating to unauthorised digital transactions.
(Second Appeal No540 of 2025 Date: 15 April 2026)
Housing Society Problems and Solutions: Transfers, Commercial Use and Financial Transparency
Shirish Shanbhag
14 May 2026
Questions relating to ownership rights, Society funds and transfer procedures continue to generate confusion among cooperative housing society (CHS/the Society) members. Whether it is the extent of the Society’s authority over...
In Delhi's Scorching Heat, Its Poorest Women Are Back to The Chulha
Shivam Bhardwaj (IndiaSpend)
13 May 2026
Parveena Khatun, 45, runs a tea stall on Baba Gangnath Marg in Delhi’s Munirka. The shortage of cooking gas cylinders has affected Parveena’s income.
When supplies fell in March, she kept her stall closed for a week but without...
I4C, RBI Innovation Hub Sign MoU To Use AI for Detecting Mule Accounts and Cyber Frauds
Moneylife Digital Team
12 May 2026
To combat cyber-enabled financial frauds, the Union government on Tuesday announced a major technology-driven initiative with the Indian cybercrime coordination centre (I4C) under the ministry of home affairs (MHA), signing a...
Fraud Alert: 100 Crore Passwords Were Stolen Last Year. Yours Is Probably among Them
More than one billion (100 crore) credentials were harvested by malware in the past 12 months alone. That figure does not include credentials stolen through phishing, data breaches or social engineering — only malware. If you have...
