Introduction:
The case of Subodh C. Korde v. Union of India & Ors. came before the Bombay High Court as a significant dispute involving cyber fraud, banking liability, and the protection afforded to customers under regulatory guidelines issued by the Reserve Bank of India (RBI). The petitioner, Subodh Korde, a Pune-based businessman, approached the Court after losing a substantial amount of ₹38.04 lakhs from his bank accounts due to fraudulent transactions carried out through a sophisticated SIM swapping/cloning technique. The respondent bank, HDFC Bank, denied liability, asserting that it had discharged its duty by sending SMS alerts and One-Time Passwords (OTPs) to the petitioner’s registered mobile number. The case raised crucial questions about the extent of a bank’s responsibility in preventing unauthorized transactions, the evidentiary burden required to establish customer negligence, and the applicability of the RBI’s circular dated July 6, 2017, which provides for “zero liability” of customers in cases of unauthorized electronic banking transactions under specific conditions. The matter was heard by a Division Bench comprising Justice Bharati Dangre and Justice Manjusha Deshpande, who ultimately ruled in favour of the petitioner and directed the bank to refund the lost amount, thereby reinforcing the protective framework designed for victims of cyber fraud.
Arguments by the Petitioner:
The petitioner, Subodh Korde, contended that he was a victim of a well-orchestrated cyber fraud executed through SIM swapping or cloning, a method increasingly being used by fraudsters to gain unauthorized access to bank accounts. He submitted that he had not, at any point, shared his banking credentials, passwords, or OTPs with any third party, and therefore could not be held responsible for the fraudulent transactions. The petitioner explained that on September 14, 2021, unknown individuals had added beneficiaries to his bank account through net banking without his knowledge or consent. He further pointed out that he did not receive any alerts regarding the addition of these beneficiaries, which itself indicated a serious lapse in the bank’s communication and security mechanisms. On the following day, within a span of just 41 minutes, multiple unauthorized transactions were carried out, resulting in the siphoning off of ₹38.04 lakhs from his savings and current accounts.
The petitioner emphasized that he became aware of the fraudulent transactions only after the amounts had already been debited. Upon discovering the fraud, he acted promptly by contacting his relationship manager via email and attempting to reach the bank’s helpline, which, according to him, was not operational at the time. He also lodged a complaint with the local police station on the very next day, demonstrating his diligence and prompt response to the incident.
The petitioner relied heavily on the RBI circular dated July 6, 2017, which provides that a customer shall have zero liability in cases where the unauthorized transaction occurs due to contributory fraud or negligence on the part of the bank or a third party, provided the customer has not been negligent and has reported the incident promptly. He argued that his case squarely fell within the ambit of this provision, as he had neither contributed to the fraud nor delayed in reporting it.
The petitioner also highlighted the findings of the investigation, which revealed that the fraudulent transactions were carried out from IP addresses located in Chennai, which did not match his usual transaction locations. This, he argued, clearly established that the transactions were not carried out by him. Additionally, the petitioner pointed to the involvement of BSNL, which confirmed that his SIM card had been swapped or cloned, thereby enabling the fraudsters to receive OTPs and carry out the transactions. He contended that this further absolved him of any responsibility, as the entire fraud was executed without his knowledge or participation. The petitioner thus urged the Court to hold the bank liable for the loss and to direct it to refund the amount, along with appropriate relief, in accordance with the RBI guidelines.
Arguments by the Respondent Bank (HDFC Bank):
HDFC Bank, on the other hand, sought to defend its position by asserting that it had complied with all necessary security protocols and had discharged its obligations in relation to the petitioner’s account. The bank contended that it had sent SMS alerts and OTPs to the petitioner’s registered mobile number for the transactions in question, and therefore, any unauthorized use of these credentials must have been due to the petitioner’s own negligence. The bank argued that the integrity of its systems had not been compromised and that the transactions were authenticated through valid OTPs, which could only have been accessed through the registered mobile number. On this basis, the bank attempted to shift the responsibility onto the petitioner, suggesting that he may have inadvertently shared his credentials or failed to secure his mobile device.
The bank further argued that the petitioner had not taken adequate precautions to safeguard his personal and financial information, and that this lack of vigilance contributed to the occurrence of the fraud. It was also contended that the petitioner’s claim of not receiving alerts was not credible, as the bank’s records indicated that notifications had been sent. The bank relied on log sheets and internal records to support its claim that the required alerts were generated and transmitted. Additionally, the bank argued that it had acted in accordance with the standard operating procedures upon detecting suspicious activity, including initiating an investigation and attempting to contact the petitioner. It was submitted that the bank had even taken steps to request reversal of the fraudulent transactions from the beneficiary banks, which demonstrated its proactive approach in handling the situation.
The bank also sought to argue that the RBI circular on zero liability was not applicable in the present case, as the transactions had been authenticated through OTPs, and therefore, the possibility of customer negligence could not be ruled out. It contended that the burden of proving absence of negligence lay on the petitioner, and that he had failed to discharge this burden. The bank thus urged the Court to dismiss the petition, maintaining that it could not be held liable for losses arising from unauthorized transactions that were duly authenticated through its systems.
Court’s Judgment:
The Bombay High Court, after carefully examining the facts and submissions, ruled decisively in favour of the petitioner, holding that he was entitled to the benefit of “zero liability” under the RBI circular dated July 6, 2017. The Division Bench comprising Justice Bharati Dangre and Justice Manjusha Deshpande observed that there was no evidence to suggest that the petitioner had been careless or negligent in safeguarding his banking credentials. The Court emphasized that the burden of proving negligence lay on the bank, and in the absence of such proof, the petitioner could not be held liable for the fraudulent transactions.
The Court took note of the modus operandi employed by the fraudsters, namely SIM swapping or cloning, and explained how this technique allows unauthorized individuals to gain control over a customer’s mobile number, thereby enabling them to receive OTPs and carry out transactions without the customer’s knowledge. The Court observed that this method effectively renders the customer’s mobile phone inoperative, placing it in a “no network” state, while the fraudsters exploit the cloned SIM to execute their scheme. The Court found that this was precisely what had occurred in the present case, as confirmed by the records and the involvement of BSNL.
The Court also examined the sequence of events and noted that beneficiaries were added to the petitioner’s account without his knowledge, and that multiple high-value transactions were carried out within a short span of time. It observed that the petitioner did not receive any alerts regarding these activities, and that the bank had failed to produce conclusive evidence to establish that such alerts were indeed delivered. The Court expressed skepticism regarding the bank’s reliance on log sheets from private agencies, noting that these did not constitute reliable proof of actual delivery of SMS alerts.
The Court further highlighted the findings of the bank’s own investigation, which revealed that the IP addresses associated with the fraudulent transactions were different from those typically used by the petitioner. This, the Court held, was a strong indicator that the transactions were not carried out by the petitioner and that the bank’s attempt to attribute the fraud to customer negligence was unfounded. The Court also noted that the bank was aware of the suspicious nature of the transactions, as evidenced by the alerts generated internally and the attempts made to contact the petitioner, which were unsuccessful due to the SIM swap. Despite this, the bank failed to take effective steps to prevent the transactions or to immediately block the account. The Court observed that while it could not conclusively hold the bank to be deficient in its services, it was evident that the bank had adopted a casual approach in dealing with the situation and had hastily sought to shift the blame onto the petitioner.
In applying the RBI circular, the Court held that since the petitioner had not contributed to the fraud and had acted promptly upon discovering it, he was entitled to full protection under the “zero liability” clause. The Court emphasized that the purpose of the RBI guidelines is to provide a safety net for diligent customers who fall victim to cyber fraud, and that this objective would be defeated if banks were allowed to evade liability without proving customer negligence. Accordingly, the Court directed HDFC Bank to remit the amount of ₹38.04 lakhs to the petitioner within a period of eight weeks, failing which the amount would carry interest at the rate of 8% per annum. The judgment thus serves as a landmark reaffirmation of consumer protection in the digital banking era and underscores the responsibility of banks to ensure robust security mechanisms and fair treatment of customers.