Banks' Liability on Fraudulent Transactions | 07 Jan 2025
State Bank of India v. Pallabh Bhowmick & Ors
“Supreme Court directs SBI to refund the amount to a customer, stating that it is a bank's duty to remain vigilant against
fraudulent transactions.”
Justices JB Pardiwala and R Mahadevan
Source: Supreme Court
Why in News?
The Supreme Court recently held that banks are responsible for safeguarding customers from unauthorized transactions
and must use advanced technology to prevent fraud. It upheld SBI's liability for fraudulent transactions in a customer's
account, emphasizing banks' duty of vigilance as per RBI guidelines. The Court also advised customers to exercise caution and avoid
sharing OTPs.
Justices JB Pardiwala and R Mahadevan held this in the matter of State Bank of India v. Pallabh Bhowmick & Ors.
What was the Background of State Bank of India v. Pallabh Bhowmick & Ors.?
A customer of State Bank of India (SBI) made an online shopping purchase and subsequently attempted to return the
item.
The customer received a call from someone who fraudulently posed as a customer care representative for the retailer.
Following the fraudster's instructions, the customer downloaded a mobile application.
This led to unauthorized transactions being made from the customer's bank account, totaling ₹94,204.80.
State Bank of India denied liability for these transactions, arguing that they were authorized since they involved the
sharing of OTPs and M-PINs by the customer.
The customer contested this claim, maintaining that they never shared sensitive information like OTP or M-PIN with
anyone.
The customer alleged that the fraud occurred due to a data breach on the retailer's website, which was beyond their
control.
The customer reported the unauthorized transactions to SBI within 24 hours of their occurrence.
The matter was initially brought before a Single Judge Bench, which held SBI liable for the unauthorized transactions.
SBI filed an Intra-Court appeal before the Division Bench of the High Court, which was dismissed.
Subsequently, SBI filed a Special Leave Petition before the Supreme Court challenging the High Court's decision.
What were the Court’s Observations?
The Supreme Court stated that banks cannot abdicate their responsibility to protect customers from unauthorized
transactions reported from their accounts, emphasizing the bank's duty of vigilance.
The Court held that banks must utilize the best available technology to detect and prevent unauthorized and
fraudulent transactions, placing this technological obligation squarely on the banking institutions.
The Court referenced Clauses 8 and 9 of the RBI Circular dated 6th July, 2017, which establish "zero liability" for
customers in cases of unauthorized transactions resulting from third-party data breaches, provided they are reported
promptly.
The Court noted the significance of the customer's prompt reporting: the fraudulent transaction was brought to
the bank's notice within 24 hours of occurrence.
While upholding SBI's liability in this case, the Court simultaneously observed the reciprocal duty of account holders
to exercise extreme vigilance regarding OTPs and not share them with third parties.
The Court observed that in certain circumstances, customers could be held responsible for negligence, though no such
negligence was established in the present case.
The Court ultimately found no reason to interfere with the High Court's judgment, which had determined the
transactions to be unauthorized and fraudulent in nature, with no negligence attributable to the customer.
What are the Provisions of the RBI Notification on Customer Protection and Limiting Liability in
Unauthorized Electronic Banking Transactions?
The RBI issued this circular (RBI/2017-18/15) on 6th July, 2017, to address the increasing concerns about unauthorized
electronic banking transactions and to strengthen customer protection measures.
The circular was prompted by a surge in customer grievances related to unauthorized transactions resulting in debits
to their accounts/cards, necessitating a review of customer liability criteria.
The circular categorizes electronic banking transactions into two types:
Remote/online payment transactions (internet banking, mobile banking, card-not-present transactions)
Face-to-face/proximity payment transactions (ATM, POS transactions requiring physical presence of payment
instrument)
The framework mandates banks to design systems and procedures that ensure customer safety in electronic banking
transactions, including robust fraud detection mechanisms and comprehensive risk assessment tools.
The notification mandates registration for SMS alerts and, where available, email alerts, and requires
banks to provide 24x7 access through multiple channels for reporting unauthorized transactions.
Limited Liability of a Customer
Zero Liability (Clause 6):
Customers have zero liability in two scenarios:
When there is contributory fraud/negligence by the bank (no reporting timeframe required)
In third-party breaches where neither bank nor customer is at fault, if reported within 3 working days
Limited Liability (Clause 7):
Customer Bears Full Liability:
When loss occurs due to customer negligence (e.g., sharing payment credentials)
Customer bears entire loss until reporting to bank
After reporting, bank bears all subsequent losses
Limited Liability Based on Account Type (4-7 working days delay):
BSBD Accounts: Maximum ₹5,000
Regular savings accounts/PPIs/MSMEs/Credit cards up to ₹5 lakh limit: Maximum ₹10,000
Other accounts/Credit cards above ₹5 lakh: Maximum ₹25,000
Overall Liability Structure (Clause 8):
Reporting Timeline Framework:
Within 3 working days: Zero customer liability
4-7 working days: Limited liability as per Table 1
Beyond 7 working days: As per bank's board-approved policy
Working Days Calculation:
Based on home branch schedule
Excludes date of communication receipt
Reversal Timeline (Clause 9):
Bank's Obligations:
Must credit disputed amount within 10 working days of notification
Credit must be value-dated to unauthorized transaction date
No need to wait for insurance claim settlement
Bank's Discretionary Powers:
Can waive customer liability even in negligence cases
Can provide relief beyond prescribed limits
Additional Requirements:
Banks must:
Display liability policy in public domain
Inform existing customers individually
Provide policy details at account opening