A division bench of Justice GS Kulkarni and Justice Firdosh P. Pooniwalla allowed a writ petition seeking a refund of the amount, observing:
“both as per the RBI Circular and the said Policy of Respondent No.2 (bank), the liability of the Petitioners in respect of the said unauthorized transactions would be zero as the unauthorized transactions have taken place due to a third party breach where the deficiency lies neither with Respondent No.2 nor with the Petitioners...In these circumstances, as per the RBI Circular and as per the Policy of Respondent No.2, the Petitioner is entitled to refund of the said amount from Respondent No.2.”
The petitioners, Pharma Search Ayurveda Private Ltd and its director Jaiprakash Kulkarni, had maintained a bank account with Bank of Baroda's Worli Branch for the past 15-20 years. On October 1, 2022, beneficiaries were added to their account without any One-Time Password (OTP) being sent to the petitioners' registered mobile number or email. The next day, October 2, 2022, the company's accountant discovered that Rs. 76,90,017 had been debited from their account in multiple transactions.
Upon realizing the fraud, they reported the transactions to the Cyber Cell at Worli Police Station and the bank manager within 30 minutes to an hour. They lodged a formal complaint with the Cyber Crime Police Station under Section 379 of the IPC, 1860, and Sections 43A and 66 of the Information Technology Act, 2000. They also requested the bank to investigate the matter and refund the debited amount as per the RBI Circular dated July 6, 2017, titled "Customer Protection-Limiting Liability of Customers in Unauthorized Electronic Banking Transactions."
The Petitioners did not receive the refund. A complaint filed with the Bank Ombudsman was rejected on January 10, 2023, on the grounds that the transactions were authenticated using valid credentials known to the account holder.
The petitioners approached the high court contending that there was no negligence on their part, and the bank failed to follow the procedures outlined in the RBI Circular, resulting in the unauthorized transactions.
Bank of Baroda argued that there was no deficiency in its service, a stance initially supported by the Banking Ombudsman. It argued that the transactions were completed after proper authentication, including the input of an OTP and credentials known only to the account holder. It contended that the petitioners or their personnel had compromised these credentials, leading to the fraud.
The court ordered an investigation by the Cyber Cell, which revealed that no SMS notifications were received on the registered mobile number when the beneficiaries were added on October 1, 2022. The OTPs necessary for adding beneficiaries were not delivered. Further investigation by the Cyber Cell showed that emails purportedly sent by the bank about these transactions were also not received by the Petitioners. The three reports also confirmed no collusion between the petitioners and the fraudsters.
The Cyber Cell's reports, corroborated by mobile service provider Airtel and email provider Rediffmail, established that no SMS or email notifications were received by the Petitioners regarding the addition of beneficiaries.
The court found that the bank, along with the petitioners, had been victims of fraud by third-party fraudsters. “This Petition deals with a Cyber Fraud and is an example of how increasingly the innocent persons are becoming victims of Cyber Fraud”, the court remarked.
The court referred to the Reserve Bank of India's (RBI) Circular dated July 6, 2017, which outlines the conditions for zero liability of customers in unauthorized electronic banking transactions. The circular stipulates that customers are entitled to zero liability if the unauthorized transaction occurs due to contributory fraud, negligence, or a third-party breach where neither the bank nor the customer is at fault, provided the customer reports the transaction within three working days.
The court noted that the bank has its Consumer Protection Policy, which aligns with the RBI Circular. This policy stipulates that customers have zero liability if unauthorized transactions from third-party breaches are reported within seven working days.
The court noted that the petitioners reported the unauthorized transactions within the stipulated time. The court found that the Banking Ombudsman had not adequately investigated whether the transactions were authorized by the petitioners.
Thus, the court quashed the decision of the Banking Ombudsman dated January 10, 2023, and directed the bank to refund the amount of Rs. 76,90,017/- to the Petitioners' bank account, along with interest and compensation as per the RBI Circular.