The Hon’ble Supreme Court of India, bench of Justice JB Pardiwala and Justice R. Mahadevan, dismissed SBI’s appeal against the Gauhati High Court’s decision, wherein the bank was directed to refund Rs. 94,204.80 to the customer who had fallen victim to fraud.
The customer had made an online purchase of a garment from the Louis Philippe store, which he wanted to return and get a refund for. On 18.10.2021, the customer received a call from a fraudster, posing as the Customer Care Manager of Louis Philippe. The fraudster asked the customer to download a ‘mobile app’ to process a refund of Rs. 4,000 for the garment he had previously purchased. Believing, in good faith, that the call was from the customer care department of Louis Philippe, the customer downloaded the mobile app. Soon thereafter, a sum of Rs. 94,204.80 was siphoned off from the bank account through three separate online transactions.
The Hon’ble Supreme Court agreed with the High Court’s reliance on Clauses 8 and 9 [iii] of the Reserve Bank of India’s (RBI) Circular dated July 6, 2017. These provisions impose “zero liability” on customers for unauthorized transactions resulting from third-party data breaches if reported promptly. The Court noted that the customer had reported the fraud within 24 hours, satisfying the criteria for zero liability.
The Hon’ble Supreme Court emphasized that customers (account holders) need to be very careful and ensure they do not share their One-Time Passwords (OTPs) with anyone else. In certain situations, the customer might be held responsible if they are found to be careless or negligent in handling their OTPs.
Cyber Saathi Pointers
- Reporting to Bank:
  - If you notice a fraudulent transaction in your bank account, notify your bank immediately to limit your loss, or give a missed call on 14440.
- Reporting via Interactive Voice Response System (IVRS):
  - If funds have been fraudulently withdrawn from your account, inform your bank through their IVRS.
  - Ensure you obtain an acknowledgment from the bank after reporting the fraudulent transaction.
  - The bank is obligated to resolve your complaint within 90 days from the date of receipt of your report.
- Customer Liability:
  - If the fraudulent transaction occurs due to your negligence—such as sharing your password, PIN, OTP, or other sensitive information—you will bear the loss until the time you report the incident to the bank.
  - If fraudulent transactions continue even after you have reported them, your bank is required to reimburse those amounts.
  - Delayed reporting may increase your liability, and the extent of your loss will be determined in accordance with RBI guidelines and the policy approved by your bank’s board.
[i] State Bank of India v. Pallabh Bhowmik and Ors. SLP (C) No. 30677/2024
[ii] para. 3 of State Bank of India v. Pallabh Bhowmik and Ors. (Case No. WA/364/2022)
[iii] RBI’s circular on Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions dated 06/07/2017