OTP scam: SBI directed to undo Rs 18 lakh unauthorised transaction from couple’s account 

In its order, the commission held SBI liable for the loss caused to the complainants while also allowing the bank to recover the lost amount from the salaries of the staff responsible. 

A sexagenarian couple won a case against the State Bank of India (SBI) in the Gondia District Consumer Disputes Redressal Commission setting a precedent granting civil remedies for victims of unauthorised banking transactions even if the police investigation is not complete. The consumer commission, in its order dated August 10, 2021, directed SBI’s Gondia branch to undo the contested transaction of Rs 18.36 lakh into the couple’s account.

Online scams and ATM frauds constitute a major chunk of cyber crimes as digital banking makes swift inroads in our lives. The Parliament in February this year said that over 2.9 lakh cyber security incidents related to digital banking were reported in 2020. Many of these cases involve unsuspecting consumers, not well-versed with technology incidentally, being duped by criminals into revealing their confidential information like OTP and bank account details. The redressal mechanism available to victims has not kept up with the sophisticated nature of these crimes leaving them with very few options to seek remedy and recover their losses.   

What was the complaint about? 

The order (a copy of which MediaNama has seen) in laying out the facts of the case explained that the problem began when Dr. Suresh Katre, 65, received an SMS on his phone stating: “Your SBI account will be suspended today 20/11/19 due to wrong date of birth verified in your bank account. For reactive upgrade Fully KYC (Know Your Customer), immediately by online visiting click link below”

• Dr Katre believed the link to be genuine because he had submitted his KYC documents for verification earlier in the day and thought the bank had sent the text.  
• He clicked on the link and proceeded to update his date of birth and shared the details of the savings accounts held by his wife Minakshi Katre who was 61 years old then. 
• She then received a message about successful account activation and a text with an OTP from an unknown number
• They were then notified that their net banking passwords were changed in the afternoon. 
• Minakshi received three texts at 11:35 pm. 11:36 pm, 11:37 pm in the night, and three messages at 12:02 am, 12:04 am. and 12:07 am. These messages informed her of withdrawals of Rs 1,99,800 in each of these six transactions. 
• On November 22, 2019, she came to know of withdrawals amounting to Rs 88,000, Rs. 1,99,800, Rs.1,99,800, and Rs.1,50,000 from another account in a span of few minutes. The total amount withdrawn now stood at Rs 18, 36, 400. 
• The couple realized something was wrong and reported the matter to the branch in order to request a freeze on the debit of the beneficiary account. 
• They filed an FIR (First Information Report) with the Gondia Police Station stating that the bank did not provide information of the beneficiary and this lack of cooperation amounted to “deficiency in service”.
• They said that the bank failed to detect the suspicious transactions which occurred at odd hours of the day at “the uncharacteristic velocity”.
• They contended then that confidential information about Dr. Katre’s effort to update KYC documents was compromised from the bank’s end. 
• They concluded that the bank failed to provide dynamic fraud detection and prevention mechanisms which caused the loss.

“These acts of omission and commission of the SBI, which is one of the leading Banks in India, who has all the technological innovations at its discretion, of not responding to the enquiry by complainant regarding detailed transaction information of the complainant’s accounts and not initiating any proactive measures on its own after receipt of report about suspected activities happening on complainants account, amounts to most severe deficiency in service as per Banking industry guidelines and norms.”  — the complaint said. 

Orders of the commission

The quorum of the commission consisted of Bhaskar B. Yogi (President) and Sarita B. Raipure (Member).

• The Court held SBI liable for the loss caused to the complainants.
• Accordingly, it instructed the bank to reverse the disputed transaction of Rs. 18,36,400 with simple interest of six percent from November 22, 2019 to plaintiffs
• It ordered compensation of Rs 25,000 to complainants by the bank “for causing mental agony and suffering” 
• It directed the bank to pay Rs 10,000 to cover the legal costs accrued by the couple
• It also permitted the bank to recover the lost amount from the salaries of officers and staff responsible for “dereliction of duty” resulting in the bank’s loss. It may do so after conducting an internal enquiry.

Advocate Mahendra Limaye, who represented the couple, informed MediaNama that people are not aware of the tools at their disposal if they are victims of cybercrimes. “They think that a police complaint is all they can do and even the police do not investigate complaints seriously.” 

He also added that most cybercrimes involve an element of negligence from victims either due to lack of knowledge or ignorance or circumstances which is then used against victims to blame them for their mistake.

“This judgement conveys to the victims that they do not have to worry about being blamed for their negligence. The victims did not ask to be thrusted with digitisation and fall into the trap of cyber criminals. There has to be a mechanism in place for banks to identify these frauds for safety of account holders apart from asking diligence from customers.” Advocate Limaye said. 

Findings & Observations of the commission

Negligence

The commission said that the bank in its argument relied heavily on RBI’s circular dated July 6, 2017, stating that the customer shall be liable for the loss arising due to negligence by a customer, such as where they share the payment credentials. 

The panel examined the definition of negligence and surmised that it was more of an accident than negligence on part of the complainant.

Deficiencies in the service of the bank

The commission also visited the SBI’s website and took screenshots which suggest that for new users, details like the Account Number, CIF Number, Branch Code are mandatory.  But the complainant only shared their birth date and OTP and not account and CIF number. 

“Only two persons the complainant and the Bank(institution) knows above details and if complainant has received phone call and link on same day and number submitted in KYC application when he had submitted KYC documents it is obvious that the confidential information are parted by the employees of the Bank only,” the panel observed. It went on to state:

“Unless the bank is able to satisfy the Court of either an express condition in the contract with its customer or an unequivocal ratification. It will not be possible to save the bank from its liability. Banks do business for their benefit. Customers also get some benefit. If banks are to insist upon extreme care by the customers in minutely looking into the pass book and the statements sent by them, no bank perhaps can do profitable business. It is common knowledge that the entries in the pass books and the statements of account sent by the bank are either not readable, decipherable or legible. There is always an element of trust between the bank and its customer. The bank’s business depends upon this trust.” emphasis supplied

It inferred: “Once the complaint was made citing specific incidents of unauthorised withdrawal, it was the duty of the bank to have carried out the necessary verification in the matter, rather than washing their hands off from the whole episode. Evidently, there has been deficiency in service on the part of the Bank, vis-à-vis, the consumer/complainant.”

Burden of proof 

“The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.” the commission declared. 

• The commission said that banks have a comprehensive network and can help customers in case of fraudulent online transactions. 
• It said that banks can stop payments to protect customer’s interests and identify fraudsters as one can open an account only after requirements of Aadhar Verification and PAN Card details. 
• It said that banks do not help customers even when they can trace miscreants. The commission deduced that employees share details of customers to criminals because the fraudsters are aware of details about customers’ accounts in various banks. 

Dr Suresh Katre, the complainant, told MediaNama that he was relieved after the order as the criminals had swindled a huge amount. 

“Banks should be more alert about unauthorized transactions taking place in customers’ accounts and inform them promptly if they notice suspicious activity. They should also keep track of where the money is going and compare it with the historical records of the customer to see if there are discrepancies,” Dr Katre said.  

Also read:

• Online banking and ATM frauds involving more than Rs 1 lakh increased 54% in FY19
• Government admits to some of the banking frauds through Aadhaar linkage
• SBI blocks wallets from using net banking to load money due to online fraud
• Government Sets Up Digital Intelligence Unit To Monitor Fraudulent Transactions
• FY20 saw over 50,000 cases of fraud usage of debit, credit cards

Have something to add? Post your comment and gift someone a MediaNama subscription.