Are Banks Liable To Refund Account Holders For Unauthorised Transactions Made By A Third Party?
A company through its director approached the Hon’ble Bombay High Court (“HC”) challenging the order passed by the Banking Ombudsman, rejecting the complaint preferred by the account holder under the Reserve Bank – Integrated Ombudsman Scheme, 2021[1] (“scheme”).
A Writ Petition was filed by Pharma Search Ayurveda Private Limited and its director (“Petitioners”) to quash the order passed by the Banking Ombudsman, against an unauthorized transaction made by a third party that, defrauded Rs. 76 Lakh from their account through cyber fraud.
The Petitioners submitted that a series of unauthorized transactions were noticed, as enlisted below:
- On 1st October 2022, certain companies/persons were added as beneficiaries to the concerned account of the Petitioners, however, the Petitioners did not receive any OTP (One Time Password) on its registered mobile number/emails.
- On 2nd October 2022, at approximately 7.45 am, the accountant of the Petitioner Company informed the Petitioners that Rs.76,90,017/- had been debited from the Petitioner Company’s bank account in several tranches to multiple individuals via online transactions.
- As 2nd October was a public holiday, the Petitioner Company was certain that no request for any transaction had been made by them. Thus, insinuating that there had been an unauthorized transaction made by a third party.
- The following day, the Petitioners approached the concerned bank and the Cyber Crime Police Station to report the aforesaid fraudulent transaction for offences under Section 379 of the Indian Penal Code, 1860 and Sections 43A and 66 of the Information Technology Act, 2000.
Thereafter, the Petitioner approached the Banking Ombudsman and filed a complaint as per the scheme for the illegal and unauthorized electronic transfers from the concerned bank account. Apart from the merits of the allegations, the Banking Ombudsman rejected the complaint stating that the aforesaid, transactions were made only after inputting the valid credentials/Two Factor Authentication (“2FA”) known only to such account holder. As a consequence, no lapse on the part of the concerned bank.
A division bench of Justice GS Kulkarni and Justice Firdosh P. Pooniwalla relied upon July 2017 of Reserve Bank of India (RBI) called Customer Protection – Limiting Liability of Customers in unauthorised Electronic Banking Transactions[2] (“circular”) along with the Bank’s policy named ‘Consumer Protection Policy (Unauthorised Electronic Banking Transactions) (“policy”). Per the circular, the HC put reliance on paragraphs 6, 9, and 12 are set out hereunder:
“(a) Zero Liability of a Customer
6. A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events: (i) Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer). (ii) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction. Reversal Timeline for
Zero Liability/ Limited Liability of customer
9. On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorised transaction.
Burden of Proof
12. The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.”
The Hon’ble HC noted that as per the RBI circular and the concerned bank’s policy, when there lies no deficiency on the part of the bank or the account holder but with the system, the same would accord to a zero liability if such an unauthorised transaction has been notified by the account holder to the concerned bank.
The Hon’ble HC observed that in the present case, the Petitioners have zero liability as the tranches of money debited from the concerned bank accounts were due to a third-party breach leading to an unauthorized transaction. Thus, making the Petitioners entitled to a refund from the concerned bank.
In the authors’ opinion, the present case acts as a relief as well as a cautionary note for account holders to stay vigilant and report any unauthorized transaction within a stipulated time frame to the concerned bank.
[1] The Reserve Bank – Integrated Ombudsman Scheme, 2021. https://www.rbi.org.in/commonperson/english/scripts/FAQs.aspx?Id=3407
[2] https://www.rbi.org.in/commonman/English/Scripts/Notification.aspx?Id=2336.