Delhi HC Slams SBI for Lapses, Orders Rs 2.6 Lakh Compensation to Cyber Fraud Victim
In a significant ruling, the Delhi High Court has ordered the State Bank of India (SBI) to compensate a customer, Hare Ram Singh, who lost Rs 2.6 lakhs in a cyber fraud incident.
The Court found SBI guilty of failing to respond adequately to the customer’s complaint and neglecting its duty to prevent fraudulent transactions.
This decision emphasizes the critical obligation of banks to ensure robust cybersecurity measures and timely action to protect their customers from financial losses.
Case Overview
Singh approached the Court after SBI denied his claim for reimbursement, arguing that the transactions were authorized via the bank’s internet banking system, which required OTPs.
The bank also contended that Singh himself had clicked on a phishing link, enabling the attack. Singh, however, firmly denied sharing any OTPs and accused SBI of failing to act promptly despite his immediate notification of the breach.
Court’s Observations
Justice Dharmesh Sharma criticized SBI for its “glaring service deficiency,” highlighting the bank’s lack of urgency in addressing Singh’s complaint. The Court emphasized that even after being alerted about the fraudulent activity, the bank failed to block the suspicious transactions, thereby neglecting its duty to protect the customer’s account.
The Court further held that the breach resulted from SBI’s failure to implement robust security measures as mandated by the Reserve Bank of India’s (RBI) Master Direction on Digital Payment Security Controls.
“It must be presumed that the monetary loss suffered by the petitioner is due to the bank’s inability to establish a system capable of preventing such unauthorized withdrawals,” the Court stated.
Bank’s Liability and Court’s Decision
The Court ruled that the disputed transactions fell under the “zero liability” framework outlined in RBI circulars. Consequently, SBI was ordered to compensate Singh with the full amount of Rs 2.6 lakhs, along with 9% interest from April 18, 2021—the date Singh reported the fraud. Additionally, the bank was directed to pay Rs 25,000 in litigation costs.
This decision comes after Singh had initially filed complaints with both the Banking Ombudsman and the RBI. While the Ombudsman directed SBI to refund a partial amount of ₹33,000, Singh remained dissatisfied and escalated the matter to the High Court.
Court’s Guidance on Banks’ Duty of Care
The Court reiterated that banks have an inherent duty to safeguard their customers’ funds and act with reasonable care upon detecting fraudulent activity. It criticized SBI for its inability to prevent the attack, which exploited vulnerabilities in its two-factor authentication (2FA) system through malware.
“Anyone—irrespective of age, education, or expertise—can fall prey to today’s sophisticated cyberattacks. However, when a fraud is reported, the bank must act swiftly to mitigate losses,” the Court remarked.
This verdict underscores the growing responsibility of banks to enhance cybersecurity measures and protect customers from evolving digital threats.