In a significant ruling strengthening consumer rights in cases of banking fraud, the National Consumer Disputes Redressal Commission (NCDRC) has held that banks must refund money fraudulently withdrawn from a customer’s account within 10 working days if the account holder is not found negligent.
The apex consumer body clarified that where unauthorised transactions occur without any fault on the part of the customer, and there is no evidence of sensitive information such as OTPs being shared, the financial liability rests entirely with the bank. The ruling is based on the Reserve Bank of India’s 2017 circular governing customer liability in cases of digital and electronic banking fraud.
The Commission observed that in such situations, the account holder’s liability is treated as “zero liability”, and the bank is duty-bound to restore the entire amount within the prescribed timeframe.
The order was passed by a Bench headed by the Commission’s President along with a member, while dismissing a bank’s appeal against an earlier ruling of the State Consumer Disputes Redressal Commission. The Bench upheld the findings of both the State and District Consumer Commissions in favour of the account holder.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
No proof of OTP sharing
In its detailed order, the Commission noted that the appellant bank failed to produce any credible evidence to establish that the customer had shared her one-time password (OTP) or other confidential banking credentials with any unknown person.
“In the absence of proof of customer negligence, the present case squarely falls under Clause 6(a) of the RBI circular, which mandates zero liability on the part of the account holder,” the Commission observed.
It further held that banks are custodians of customers’ funds and are expected to maintain robust systems to prevent unauthorised access. Any failure arising from system flaws, technical lapses or cyber intrusion cannot be passed on to the customer.
Timing of transactions raised red flags
The Commission also took note of the timing and pattern of the disputed transactions. According to the order, the withdrawals took place around 7 pm and later between midnight and 1 am—hours considered unusual for normal banking activity.
The Bench said the timing itself strengthened the inference that the transactions were not initiated by the account holder and were more likely the result of a systemic failure or cyber breach.
It was also observed that the customer had promptly informed the bank upon noticing irregularities in her account. Despite this, the bank failed to safeguard the funds, which amounted to a serious lapse in service.
Case background
The case involved a Bengaluru-based account holder of IndusInd Bank, who approached the consumer forum alleging that a total of ₹9.52 lakh had been fraudulently withdrawn from her savings account and fixed deposit.
The complainant stated that the withdrawals were made without her knowledge or consent. She maintained that she had not shared her OTP, clicked on any suspicious link, or responded to fraudulent calls seeking personal information.
Following her complaint, the District Consumer Forum ruled in her favour, directing the bank to refund the amount. The decision was subsequently upheld by the State Consumer Disputes Redressal Commission.
Challenging these orders, the bank moved the National Commission, arguing that the withdrawals were the result of customer negligence. However, the NCDRC found no material to support this claim.
Deficiency in banking service
Dismissing the bank’s appeal, the Commission ruled that the evidence on record clearly established that the account holder was not negligent. As a result, the bank could not escape liability by making unsubstantiated allegations against the customer.
The Commission concurred with the findings of the lower forums that the matter constituted a clear case of deficiency in banking service.
Important precedent for customers
Legal experts said the ruling sets an important precedent in an era of increasing digital banking fraud. It reinforces the principle that customers who adhere to prescribed security protocols cannot be penalised for systemic or technological failures within banking institutions.
The Commission underlined that maintaining public trust in the banking system requires swift, fair and effective redressal in cases of unauthorised transactions.
The ruling is expected to have far-reaching implications for banks, compelling them to strengthen fraud detection mechanisms and ensure timely compensation to affected customers, in line with regulatory guidelines.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
