In a significant ruling, the Delhi High Court directed the State Bank of India (SBI) to fully compensate a customer who lost ₹2.6 lakhs due to a phishing attack, citing “patent deficiency” in the bank’s response. Justice Dharmesh Sharma underscored that SBI’s failure to act swiftly and adequately after being alerted to the fraudulent activity demonstrated glaring negligence.
The case involved Hare Ram Singh, who reported the cyber fraud to SBI customer care and the branch manager immediately after the incident. Despite Singh’s timely action, the bank failed to assist effectively. Months later, SBI rejected Singh’s claim, arguing that the withdrawal had been completed using internet banking credentials, including OTPs, and that Singh had clicked a phishing link. However, Singh categorically denied sharing any OTPs.
The Court rejected SBI’s arguments, emphasizing that the bank had failed to fulfill its duty of care towards its customer. “It has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, that the petitioner suffered monetary losses,” the Court observed.
Justice Sharma further highlighted SBI’s non-compliance with the Reserve Bank of India’s (RBI) Master Direction on Digital Payment Security Controls, which mandates robust safeguards against cyber risks. “The transactions in question would resultantly fall within the sweep of ‘zero liability’ as referred to in the aforesaid RBI Circulars. Therefore, respondents No. 2 and 3/SBI are liable to compensate the petitioner for the incurred loss, along with interest, and pay token compensation,” the Court stated.
SBI was ordered to repay Singh ₹2.6 lakhs with 9% interest from April 2021, when the fraud was reported, along with ₹25,000 as legal costs.
The judgment also addressed the broader responsibility of banks in protecting their customers from cyber fraud. “It is well established under the Common Law that funds in a bank account belong to the bank, but the bank acts as an agent for the principal (the customer). Consequently, the bank cannot refuse to process an online transfer if it appears to be authorized by the customer. However, upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action,” the Court noted.
Criticizing SBI’s lax security measures, Justice Sharma remarked that the breach of “2FA” or OTP verification by simple malware exposed serious flaws in the bank’s system. The Court also rejected attempts to blame Singh, acknowledging the sophistication of modern cyber-attacks. “Anyone, regardless of age, education, or experience, can fall victim to the sophisticated cyber-attacks prevalent today,” the Court emphasized.
Singh had initially approached the Banking Ombudsman, which ordered a partial refund of ₹33,000 but closed his complaint without addressing the full amount. Dissatisfied, Singh moved the High Court, ultimately securing a favorable verdict.
