Customer Clicked A Suspicious Link: Can The Bank Be Held Liable?

Digital transactions are now the bedrock of the modern-day financial system. For many banking customers, the two-factor authentication (2FA) provides them with a sense of better security; however, the nature of fraud is also becoming more sophisticated.

In a recent case involving a customer and the State Bank of India (SBI), the Delhi High Court highlighted this aspect. The dispute highlights the gap between a financial institution’s reliance on technical protocols and a customer’s right to protection against unauthorised transactions. As banks are increasingly moving towards automated digital systems, questions are being asked on the onus of the liability in the event of a systems failure leading to a monetary loss for the accountholder, especially when the victim has also been prompt in reporting the crime, too.

Case Background

The matter arose when a series of unauthorised transactions occurred from a customer’s (Hare Ram Singh - Respondent No. 1) savings bank account in SBI. On April 18, 2021, his account was debited twice with Rs 1 lakh and Rs 1.60 lakh, totaling his loss of Rs 2.60 lakh. When he received the SMS regarding the unauthorised transaction, he immediately contacted the bank’s customer care department to report the fraud and blocked his account and Netbanking facilities. He then gave a formal written complaint to the branch manager on April 19 and April 20, 2021, asking for refund of the amount fraudulently transferred from his account.

On October 20, 2021, the Banking Ombudsman of the Reserve Bank of India (BO-RBI) acknowledged the loss and SBI’s argument, and advised the bank to pay only one-third of one of the disputed amounts (Rs 1 lakh), considering that the customer was familiar with Net Banking and POS transactions. The customer then filed a writ petition to the Delhi High Court against the order.

The Delhi High Court set aside the RBI Ombudsman’s decision on November 18, 2024, and ordered the bank to refund the customer the total amount of Rs 2.60 lakh along with 9 per cent interest and litigation costs.

The bank filed a writ against the order upon which the Division Bench gave the final judgment on May 29, 2026.

Arguments

The SBI (appellant) argued that the transactions were technically valid. They were secured by two-factor authentication (2FA). The counsel representing the bank submitted that the transfer transactions required both the correct Netbanking credentials (user ID and password) and one-time passwords (OTP) sent to the customer’s mobile number to authenticate the transactions.

The counsel argued that the internal audits by the bank’s Internet Banking Department confirmed that the account was accessed using the customer’s correct profile credentials. The bank also maintained that since all the security protocols were followed and the OTP was delivered to the registered device, the bank should not be held liable for the unauthorised transactions.

Conversely, the respondent’s counsel argued that both transactions totaling Rs 2.60 lakh were unauthorised and fraudulent, without the customer’s involvement. The counsel highlighted that the respondent took prompt action and immediately informed the bank to block his account, and further filed the written complaint with the bank. The counsel contended that because the fraud was reported without any delay, the bank remains liable for the losses and should refund the total amount with interest and costs.

Court Observation

The court observed that the previous order passed in the matter was flawed.

It noted, “In as much as the Subject Transactions were 2FA transactions effected using the INB credentials and OTPs transmitted to the mobile number registered with the Bank Account, the occurrence of the fraud is attributable to the negligence of Respondent No. 1 in clicking upon an unknown link received on his mobile phone, thereby compromising access to the device and facilitating misuse of the OTPs by the cyber fraudster. It is, therefore, submitted that the present case squarely falls within Clause 7(b)(i) of the RBI Circular dated 06.07.2017 titled Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions (“2017 RBI Circular”), and that the Appellant-Bank cannot be held liable for the loss allegedly suffered by Respondent No. 1 on account of his own negligence.”

Court Judgment

The Delhi High Court said that in such cases, a detailed technical and forensic examination and adjudication on evidence is necessary, which is not possible under the writ jurisdiction. The Division Bench noted that while the fraud was reported immediately, if the customer is negligent, the bank cannot solely be blamed for the fraudulent transaction.

The court allowed the appeal and set aside the impugned judgment.