Customer Negligence Bars Claim of Cyber Fraud Loss

1. Factual Background and Procedural History

The case arose from a writ petition filed under Article 226 of the Constitution of India by Suresh Chandra Singh Negi and his son, proprietors of two firms engaged in transformer fabrication. Both maintained cash credit accounts with the Bank of Baroda, with limits of ₹1.20 crore and ₹1.30 crore respectively, and active internet banking facilities.

On 19 June 2022, petitioner no.1 transferred ₹37.85 lakh from his account to that of petitioner no.2. Shortly thereafter, the same amount was allegedly transferred from petitioner no.2’s account to unknown beneficiaries. Claiming that the funds had been illicitly embezzled, the petitioners:

• Lodged an FIR (No. 0012/2022) at the Cyber Crime Police Station, Civil Lines on 21 June 2022.
  
  
• Submitted complaints to the Bank of Baroda seeking restoration of the amount.
  

Alleging inaction by both the Bank and the authorities, the petitioners approached the Allahabad High Court, seeking a writ of mandamus directing the Bank and the Reserve Bank of India (RBI) to restore the embezzled sum of ₹38.78 lakh with 24% penal interest.

The case was heard on 11 July 2025 and judgment was pronounced on 17 July 2025.

2. Identification of Legal Issues

The Court identified the following key questions:

1. Whether the petitioners were victims of a cyber fraud or had themselves executed the disputed transactions.
   
   
2. Whether the RBI Circular dated 6 July 2017 — “Customer Protection: Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” — entitled the petitioners to reimbursement.
   
   
3. Whether the Bank discharged its burden of proof under paragraph 12 of the said RBI Circular.
   

3. Arguments of the Parties

Petitioners’ Contentions

• The petitioners argued that despite exercising due diligence, unsolicited transactions had occurred.
  
  
• Their SIM card was allegedly blocked post-transfer, preventing SMS alerts.
  
  
• The complaint and FIR were filed promptly, fulfilling the three-day reporting condition under the RBI Circular of 2017.
  
  
• They claimed “zero liability” protection under Clause 6(ii) of the circular, which mandates restitution where fraud arises from third-party breach.
  
  
• They relied on:
  
  
  • State Bank of India v. Pallabh Bhowmick (SLP No. 30677/2024), and
    
    
  • Jaiprakash Kulkarni v. Banking Ombudsman (2024 SCC OnLine Bom 1666),
    both of which directed restitution of funds in cases of proven cyber fraud.
    

Respondents’ Contentions

• The Bank contended that the transactions were self-initiated and authorized by the petitioners.
  
  
• The beneficiary accounts had been added by petitioner no.2 one day prior (18 June 2022).
  
  
• The transactions were executed using the petitioners’ registered device, with proper OTP verification and password changes made by petitioner no.2 himself.
  
  
• IP address logs and system records demonstrated no third-party breach.
  
  
• Hence, the incident was not cyber fraud but an afterthought to recover self-transferred funds.
  

4. Court’s Analysis and Reasoning

(a) Verification of Records

The Court examined the transaction logs, IP details, and timing of transfers, observing:

• ₹30,00,000 was transferred at 19:08:00 and ₹7,85,000 at 19:11:28 on 19 June 2022.
  
  
• OTPs were generated and passwords changed by the petitioners themselves.
  
  
• Beneficiary accounts were previously added by petitioner no.2.
  

Thus, the Court found no evidence of unauthorized access or hacking.

(b) Delay and Conduct

The petitioners received transaction SMS alerts at 12:44 PM on 19 June 2022 but only reported the matter on 20 June 2022 (online complaint) and 21 June 2022 (FIR).
This delay, the Court held, suggested afterthought and weakened their claim of immediate reporting under the RBI Circular.

(c) RBI Circular Interpretation

The Court reproduced Clauses 6 and 7 of the RBI Circular, emphasizing that:

• “Zero liability” arises only where no negligence can be attributed to the customer.
  
  
• If the loss results from negligence—such as sharing credentials—the customer bears the liability until the transaction is reported.
  

While the burden of proof rests on the bank, the Bank of Baroda had discharged it by producing:

• IP logs,
  
  
• beneficiary addition records,
  
  
• OTP authentication data, and
  
  
• proof of password modification by the petitioners.
  

Accordingly, the Court concluded that the transactions were deliberate and not fraudulent.

(d) Distinguishing Precedents

The Bench distinguished the judgments cited by the petitioners:

• In Pallabh Bhowmick, the Supreme Court held banks liable where fraud occurred without customer negligence.
  
  
• In Jaiprakash Kulkarni, the customer had no SMS/email alerts of beneficiary addition.
  Neither situation applied here.
  

(e) Principle and Policy Reasoning

Justice Saraf observed that the RBI Circular is a shield, not a sword.
Its purpose is to protect innocent customers from genuine cyber fraud, not to aid individuals seeking to “recast personal transactions as cyber theft.”

The Court noted that using the Circular in this way would undermine banking discipline and encourage speculative claims.

5. Final Conclusion and Holding

• The Court held that the petitioners were not victims of cyber fraud; rather, the disputed transactions were self-executed.
  
  
• The RBI Circular of 2017 could not be invoked to claim reimbursement in such circumstances.
  
  
• The bank had discharged its evidentiary burden, proving no deficiency in service.
  
  
• The writ petition was dismissed, and no relief was granted.
  

Key Principle:
“The RBI’s Customer Protection Circular is designed to safeguard innocent victims of unauthorized transactions—not to serve as a tool for redressing negligent or self-authorized transfers.”

FAQs:

1. Can customers claim compensation for online fraud under RBI rules?

Yes, but only if the transaction was unauthorized and reported promptly without any negligence by the customer.

2. What is the RBI Circular on customer protection against cyber fraud?

The 2017 circular limits customer liability in unauthorized electronic transactions, offering zero liability if reported within three working days and without customer fault.

3. Who bears the burden of proof in cyber fraud disputes?

The bank must prove that the customer was negligent or authorized the transaction, as per paragraph 12 of the 2017 RBI Circular.

4. What happens if a customer delays reporting a cyber fraud?

Delayed reporting (beyond three days) may result in loss of protection and customer liability, depending on the bank’s internal policy.

5. What did the Allahabad High Court decide in Suresh Chandra Singh Negi v. Bank of Baroda?

The Court held that the customers themselves conducted the disputed transactions and could not invoke RBI protection for self-induced transfers.

Stay informed with insights that matter. Follow us for more updates on key legal developments.

Disclaimer

The content provided here is for general information only; it does not constitute legal advice. Reading them does not create a lawyer-client relationship, and Mahendra Bhavsar & Co. disclaims all liability for actions taken or omitted based on this content. Always obtain advice from qualified counsel for your specific circumstances. © Mahendra Bhavsar & Co.