Introduction:

In a landmark decision addressing the growing menace of SIM swap fraud and the responsibilities of telecom service providers within India’s digital banking ecosystem, the Karnataka High Court has emphatically held that a telecom company can be held vicariously liable for losses caused by the negligent and unauthorized issuance of a duplicate SIM card. The judgment was delivered by Justice Suraj Govindaraj in a batch of writ petitions arising out of a dispute between Basaveshwara Pattana Sahakara Bank Niyamitha, a century-old co-operative bank, Bharat Sanchar Nigam Limited (BSNL), and Canara Bank.

The case arose from a sophisticated financial fraud committed in February 2019, wherein fraudsters obtained a duplicate SIM card corresponding to the mobile number registered by the co-operative bank for receiving One-Time Passwords (OTPs) linked to internet banking transactions. Once the duplicate SIM was activated, OTPs intended for the bank were diverted to unauthorized persons, enabling them to execute seven fraudulent RTGS and NEFT transactions amounting to Rs. 87.70 lakhs.

Although Rs. 30 lakhs was subsequently reverse-credited and approximately Rs. 7.12 lakhs was recovered through police intervention, the bank suffered a substantial net loss of Rs. 50.5 lakhs. Investigations revealed that the duplicate SIM had been issued from a BSNL office without the authorization or knowledge of the bank. A BSNL employee was alleged to have issued the duplicate SIM without undertaking the mandatory verification procedures required before replacing a subscriber’s SIM card.

Aggrieved by the loss, the bank approached the Permanent Lok Adalat seeking compensation. The Lok Adalat awarded Rs. 5 lakhs with interest against BSNL while absolving Canara Bank of liability. Dissatisfied with the award, BSNL challenged the decision before the Karnataka High Court. Simultaneously, the co-operative bank filed a separate petition seeking enhancement of compensation on the ground that the award failed to adequately compensate the actual loss suffered by it.

The case presented significant legal questions concerning negligence, vicarious liability, proximate causation, SIM swap fraud, the duty of care owed by telecom companies, and the evolving responsibilities of institutions operating within India’s digital financial infrastructure. The judgment is likely to become an important precedent in cyber fraud litigation and digital banking disputes.

Arguments of the Parties:

BSNL challenged the award of the Permanent Lok Adalat and contended that it could not be saddled with liability for the entire financial loss suffered by the bank. The telecom company argued that the fraudulent transfers were ultimately executed through banking channels and involved the criminal acts of third parties. According to BSNL, the losses claimed by the bank were too remote and could not be directly attributed to the issuance of a duplicate SIM card.

The company further contended that the award passed by the Permanent Lok Adalat was excessive and unsupported by sufficient legal evidence establishing direct negligence on the part of BSNL. It was argued that mere allegations against an employee could not automatically translate into corporate liability. BSNL maintained that the fraud involved multiple intervening acts committed by unknown criminals and therefore the chain of causation was broken.

BSNL also questioned the extent of damages claimed by the bank and submitted that the compensation awarded should remain limited. It sought interference by the High Court with the findings recorded by the Permanent Lok Adalat and requested that the award be set aside.

On the other hand, Basaveshwara Pattana Sahakara Bank Niyamitha contended that the entire fraud was made possible only because BSNL’s employee illegally and negligently issued a duplicate SIM card to unauthorized individuals. The bank argued that its registered mobile number functioned as the primary authentication mechanism for internet banking transactions. Once control over the mobile number was transferred to fraudsters, the OTP security framework collapsed entirely.

The bank submitted that mandatory verification procedures were either ignored or carried out in such a superficial manner that they became meaningless. According to the bank, no genuine subscriber would voluntarily authorize a duplicate SIM request that would expose its banking infrastructure to fraud. The very fact that a duplicate SIM reached unknown third parties demonstrated gross negligence on the part of the telecom provider.

The bank further argued that BSNL’s liability could not be restricted merely because the fraudsters subsequently utilized banking systems to complete the transactions. The duplicate SIM was the gateway through which unauthorized access was obtained. Without access to the OTPs, the fraudulent transfers could never have been completed.

The bank also challenged the adequacy of the compensation awarded by the Permanent Lok Adalat. It argued that the actual net financial loss suffered by it amounted to Rs. 50.5 lakhs after accounting for recoveries. Consequently, the award of only Rs. 5 lakhs failed to provide meaningful compensation for the damages caused by BSNL’s negligence.

Canara Bank, which maintained the account from which the fraudulent transfers were made, defended the findings of the Permanent Lok Adalat that had exonerated it from liability. It maintained that the transactions were authenticated through valid OTP mechanisms and that the immediate cause of the fraud was the unauthorized diversion of OTPs resulting from the duplicate SIM issuance.

The dispute thus required the High Court to determine whether BSNL’s conduct constituted negligence, whether the telecom company could be held vicariously liable for the actions of its employee, and whether the losses suffered by the co-operative bank were a direct and foreseeable consequence of the SIM swap fraud.

Court’s Judgment:

Justice Suraj Govindaraj delivered a comprehensive judgment that examined the role of telecom service providers in modern digital transactions and established important legal principles regarding accountability for SIM swap fraud.

The Court began by recognizing the critical position occupied by telecom companies within the digital financial ecosystem. It observed that mobile numbers have become indispensable authentication tools in modern banking systems, particularly in relation to OTP-based verification. According to the Court, telecom service providers function as custodians of mobile numbers that form the backbone of digital transaction security.

Drawing an analogy from traditional banking systems, the Court observed that telecom providers are structurally comparable to vault keepers. Just as a vault keeper who carelessly grants access to unauthorized persons can be held liable for the resulting theft, a telecom provider that negligently issues a duplicate SIM card must bear responsibility for the fraud that such issuance enables.

The Court identified the present dispute as a classic example of SIM swap fraud. It noted that a registered banking mobile number had been compromised through unauthorized issuance of a duplicate SIM card, resulting in the diversion of OTPs and the rapid depletion of funds from the bank’s account. Such fraud, the Court observed, was not an isolated occurrence but reflected a pattern witnessed in thousands of cases across India.

Applying the established principles of negligence, the Court held that BSNL satisfied all components of the three-pronged negligence test. First, BSNL owed a clear duty of care to its subscriber. Second, that duty was breached through the issuance of a duplicate SIM card without proper verification. Third, the breach directly resulted in substantial financial loss to the bank.

The Court emphasized that the duty of care owed by telecom service providers assumes a heightened character when the subscriber is a financial institution. In such situations, the potential consequences of unauthorized SIM issuance are enormous and entirely foreseeable. Since OTPs constitute a primary security mechanism for high-value financial transactions, telecom providers are expected to exercise exceptional caution before approving requests for duplicate SIM cards.

The judgment further examined the issue of causation. BSNL argued that subsequent acts of fraudsters constituted intervening causes that severed the chain of liability. Rejecting this contention, the Court held that the issuance of the duplicate SIM card was the proximate cause of the loss. The Court reasoned that but for the issuance of the duplicate SIM, OTPs would not have been diverted and the fraudulent transactions would not have succeeded. The fraudulent transfers were therefore a direct and foreseeable consequence of BSNL’s negligence.

An important aspect of the judgment was the Court’s reliance on the doctrine of res ipsa loquitur, meaning “the thing speaks for itself.” The Court observed that under ordinary circumstances, a subscriber’s mobile number does not become reassigned to an unknown third party without the subscriber’s knowledge. Therefore, the mere fact that a duplicate SIM reached unauthorized individuals constituted compelling evidence that verification procedures had either not been followed or had been carried out so negligently as to be worthless.

The Court also addressed the question of vicarious liability. BSNL attempted to distance itself from the conduct of the employee who allegedly issued the duplicate SIM without proper verification. The Court rejected this argument and held that the issuance of SIM cards falls squarely within the scope of duties entrusted to subscriber management officials. While the employee may have performed the task improperly or even in collusion with fraudsters, the wrongful manner in which an authorized function was performed did not remove the act from the course of employment.

The judgment clarified that vicarious liability arises not because the employer personally commits the wrongful act, but because the act was committed by an employee while carrying out functions entrusted to him. The nature of the act remained within the scope of employment even though the manner of performance was unlawful.

The Court also examined the issue of recoveries and insurance proceeds. It laid down an important principle for future digital fraud litigation by holding that direct recoveries of stolen funds must be deducted from the total loss while calculating compensation. However, collateral benefits such as insurance proceeds should not reduce the liability of the wrongdoer. Such an approach preserves the rights of insurers through subrogation and encourages institutions to obtain cyber-risk insurance coverage.

After evaluating the evidence, the Court concluded that the compensation awarded by the Permanent Lok Adalat was grossly inadequate. The actual net loss suffered by the co-operative bank stood at Rs. 50.5 lakhs after accounting for recoveries. Since the loss was directly attributable to BSNL’s negligence, the Court enhanced the compensation from Rs. 5 lakhs to Rs. 50.5 lakhs.

In addition, the Court awarded consequential damages of Rs. 5 lakhs for reputational injury, liquidity constraints, operational disruption, and other adverse consequences suffered by the bank. The Court held that these damages were a foreseeable result of the fraud and deserved separate compensation.

BSNL was directed to pay the enhanced compensation together with interest at the rate of 9 percent per annum. The Court further ordered that if payment was not made within three months, the amount would thereafter carry default interest at the rate of 12 percent per annum.

Beyond the immediate dispute, the Court issued important observations concerning preventive measures against SIM swap fraud. It stressed that verification of subscriber identity before issuing duplicate SIM cards is not a mere procedural formality but a critical safeguard protecting millions of digital transactions. Telecom providers must carefully scrutinize documentation, conduct thorough verification, and reject requests whenever doubts arise regarding the applicant’s identity or authority.

The Court also encouraged banking institutions to adopt additional protective mechanisms such as multiple OTP delivery channels, delayed processing of high-value transactions following SIM swap requests, alternative transaction alerts, and customer awareness initiatives. While these measures do not dilute the duty of care owed by telecom providers, they provide an additional layer of security against emerging cyber threats.

The judgment ultimately establishes a powerful precedent affirming that telecom companies occupy a central position in India’s digital payment architecture and must bear legal responsibility when negligence in SIM management facilitates financial fraud. By imposing substantial liability upon BSNL and articulating clear principles governing SIM swap fraud, the Karnataka High Court has significantly strengthened consumer protection and accountability within the digital financial ecosystem.