Introduction
In the realm of technological progress that has propelled society to unprecedented heights, the banking sector has seamlessly integrated technological innovations.However, this very technology has also become a tool for various cybercrimes, including fraud, hacking, and identity theft. Instances can be found where funds are illicitly debited from an individual’s bank accounts without their consent, perpetrated by malicious third parties with fraudulent intentions.
In addressing such fraudulent activities, the Kerala High Court, as exemplified in the cases of Tony Enterprises v. Reserve Bank of India (referred to as “Tony Enterprises”) and Cherian C. Karippaparampil v. Reserve Bank of India (referred to as “Cherian”), has diligently worked to shield consumers from undue liability. The court has asserted that customers should not bear the burden of reimbursing the bank in cases where funds are lost due to online fraud. These legal decisions have effectively reinforced the image of customers as well-protected entities in the face of such unfortunate incidents.
Brief Facts of the case(s)
Both the cases propose a similar factual matrix wherein a sum of money has been unauthorizedly transferred from the accounts of the petitioners through online mode. Mr. Tony, petitioner in the Tony Enterprises case, and Mr. Cherian, petitioner in Cherian’s case, were enjoying the online banking facility and expecting transaction alerts on their respective registered phones. Both the petitioners found that a certain amount of money had been debited from their respective bank accounts for which they had not provided their authorization.
Issue
Whether any proceedings related to unauthorized transaction can be initiated against the borrower in case of online fraud?
Judgement
The court found that the unauthorized transaction made is prima facie, a fraud. The police investigation also revealed that duplicate SIM cards, in the name of petitioners, were issued by using fake identities committing an offence of identity theft. Considering the factual circumstances of the case, the Kerala High Court opined that the present case falls under the gamut of “disputed transactions”. Disputed transactions, in simple terms, are related to such transactions which are tainted by fraud.[1]
The court further delved into remedies available to the banks in case of fraudulent transactions. In the light of the circular issued by the Reserve Bank of India[2], the court believed that in case of unauthorized transaction from the borrower’s account, the banks are not authorized to recover the lost amount by the customer on the ground that the customer was negligent in securing his personal details. The court further held that a bank can recover money from all the parties involved in such a transaction through a civil suit.[3] Therefore, in order to recover money from the customer, it needs to be proved that the customer is responsible for the transaction and such a recovery can only be done through civil suit.[4]
Indian legal framework on ‘Fraud transactions’
-
- Information Technology Act, 2000 –
Under section 43 of the Act[5], it is provided that if any person extracts any data or any information from a computer device without the prior permission of the owner, then such person would be liable to pay damage by the way of compensation to the affected party. Again, section 66C[6] confirms that if anyone, with a fraudulent intention, makes use of others’ unique identification features, such person shall be punished according to the provision. Therefore, section 43 read with section 66C provides that if any identity theft is committed with a fraudulent intention, such is considered as an offence punishable under the Information Technology Act, 2000.
-
- Indian Penal Code, 1860 –
Indian Penal Code, 1860 nowhere defines the term “fraud”. However, data theft as provided under sec. 43(b) read with section 66 of the IT Act, 2000 is related to section 379 and section 420 of the Indian Penal Code, 1860. Association of IT act with the Indian Penal Code 1860 doesn’t exhaust here. Section 43(a) read with 66C of the IT Act further relates itself to section 379 of the Indian Penal Code, 1860. Therefore, there appear many instances wherein a person can also be prosecuted against offences related to unauthorized online banking transactions under the Indian Penal Code 1860 as well.
Liability of bank in case of unauthorized fraudulent transaction
Position before Tony Enterprises case:
National Consumers Disputes Resolution Commission has often attempted to clarify the liability of banks in case of any online fraudulent transaction. The tribunal, while dealing with a revision petition filed in the case of Vidyawanti v. State Bank of India[7], held that in case of an unauthorized transaction where a sum of amount has been debited from the borrower’s account, the body corporate who has been enjoying the profit out of that account is liable for that unauthorized transaction. In light of the aforementioned judgement, the doors for holding banks liable for any unauthorized transaction have been opened up.
The Kerala High Court, in the case of State Bank of India v. P.V. George[8], provided that banks are liable for every unauthorized online transaction. Liability on customers is limited to informing banks about the unauthorized transaction taken place. Therefore, it can easily be assumed that if any unauthorized transaction has taken place, the bank will be held accountable for such transaction provided that the bank has been informed about such transaction.
Developments after Tony Enterprises case:
In Punjab National Bank v. Leader Valves[9], the National Consumer Disputes Redressal Commission made an observation on the issue related to the liability of the bank for any unauthorized transaction done by any of the bank employees or anybody else. The commission held that by virtue of the fact that an account is maintained by the bank, then the bank has the responsibility to maintain account’s security also. The bank will directly be held accountable for any failure in performing such duty.
Further on December 21, 2020, the National Consumer Disputes Redressal Commission, in the case of HDFC v. Jesna Jose[10], while referring to the Punjab National Bank case[11], held that even if the bank is not at fault, the bank will be held accountable for the unauthorized transaction. Court took the RBI circular into account wherein it has clearly been mentioned that “A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:
-
- Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
- Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working daysof receiving the communication from the bank regarding the unauthorised transaction.”[12]
Therefore, it is clarified that if deficiency doesn’t lie with the customer, the same would never be held liable for an unauthorized transaction. Thus, aforementioned cases prima facie clarifies that legal position regarding liability has continued to be the same as it was in Tony Enterprises case. Hence, it can be concluded that a bank must be held liable for any unauthorized transaction and by virtue of which a bank cannot claim the lost money from the customer.
Conclusion
Undoubtedly, the RBI circular and courts have always tried to protect the interest of the customers and exonerate customers from any liability. However, the author does believe that the banks have been left helpless in case of an unauthorized transaction. Although banks can claim the lost money from customers through civil suit but in order to claim, the bank needs to prove that the customer was involved in such transaction. There is no RBI circular or any legislation which provides an option to banks to proceed against fraudsters or those customers involved in such fraud.
In an era of escalating technical prowess, probability of commission of any fraud has also increased and perhaps, it has now become a necessity for the customers to act diligently in order to securing their personal information. Even if any customer acts negligently in protecting its personal details and provides such information to fraudsters unintentionally but out of its own negligently, even in such cases the bank has no remedy available. Therefore, the author is of opinion that it is prudent to consider amending laws in order to provide remedies to the banks and protect its interest.
Footnotes
[1] WP(C). No. 28823 of 2017(C) ¶14.
[2] RBI/2018-19/101 dated 04.01.2019.
[3] WP(C). No. 28823 of 2017(C) ¶21.
[4] WP(C). No. 28823 of 2017(C) ¶20.
[5] The Information Technology Act, 2000 §43.
[6] The Information Technology Act, 2000 §66C.
[7] Vidyawanti v. State Bank of India, Revision Petition No. 4868 of 2012.
[8] State Bank of India v. P.V. George, 2019 SCC Online Ker 447 ¶10.
[9] Punjab National Bank v. Leader Valves II, 2020 CPJ 92 (NC)
[10] HDFC Bank Ltd. & Anr. versus Jesna Jose R.P. N. 3333 of 2013.
[11] Punjab National Bank v. Leader Valves II, 2020 CPJ 92 (NC).
[12] RBI Circular, DBR.No.Leg.BC.78/09.07.005/2017-18 dated 06/07/2017.