New Delhi | In a significant ruling strengthening consumer rights in digital banking fraud cases, the National Consumer Disputes Redressal Commission has directed the State Bank of India (SBI) to refund ₹1.99 lakh to a customer who fell victim to a cyber scam. The commission also ordered the bank to pay ₹25,000 as compensation, making it clear that banks cannot evade responsibility if unauthorised transactions are reported promptly.
The case dates back to July 2022, when a Bengaluru resident received a fraudulent SMS warning of electricity disconnection due to unpaid dues. Upon contacting the number mentioned in the message, he was instructed to download a mobile application that appeared to be an official electricity department platform. He was then asked to make a nominal payment of ₹20 to clear the bill.
FCRF Returns With CDPO, Its Premier Data Protection Certification for Privacy Professionals
However, soon after completing the transaction, he received an alert that ₹25,000 had been debited from his account, followed by another unauthorised withdrawal of ₹1.99 lakh. Notably, there was no evidence of any OTP or sensitive banking credentials being shared. Shortly after, the victim’s mobile phone stopped functioning, raising suspicions of malware or remote access exploitation being used to execute the fraud.
Realising the scam, the victim immediately reported the matter to the cybercrime police and informed SBI through its helpline and email on the same day. While the bank reversed ₹25,000 and froze the account, it failed to take effective steps to recover the remaining ₹1.99 lakh, leading to a prolonged legal battle.
Initially, the district consumer forum dismissed the complaint, citing possible negligence on the part of the customer. However, in May 2025, the Karnataka State Consumer Commission overturned this decision and directed SBI to refund the full amount along with compensation. SBI challenged this order before the national commission, arguing that such fraud could not occur without the customer sharing confidential details like OTP and also claimed there was a delay in reporting the incident.
The national commission rejected these arguments, stating that records clearly showed the fraud was reported within the stipulated time and that SBI failed to establish any negligence on the part of the customer. It further observed that merely downloading a fraudulent application does not amount to negligence unless there is clear evidence of sharing sensitive information.
The ruling also relied on the Reserve Bank of India’s guidelines dated July 6, 2017, which provide that customers bear “zero liability” in cases of unauthorised electronic transactions caused by third-party breaches, provided the fraud is reported within three working days. The commission emphasised that banks are obligated to act swiftly to mitigate losses and cannot shift the burden onto customers without substantiated claims.
The bench also noted that SBI’s action of re-crediting ₹25,000 itself indicated that the fraud had been reported promptly. Despite this, the bank’s failure to refund the larger amount pointed to inadequate remedial action.
As per the final order, SBI has been directed to re-credit ₹1,99,000 to the complainant within four weeks and pay ₹25,000 as compensation. If the bank fails to comply within the stipulated time, it will have to pay interest at the rate of 8% per annum on the pending amount.
The ruling is being seen as a key precedent in strengthening consumer protection amid the rising wave of cyber frauds. With increasing reliance on digital transactions, incidents involving fake apps, phishing messages, and social engineering tactics have become more frequent.
Experts believe the judgment sends a strong message that banks must remain accountable for customer safety and cannot deny liability without concrete evidence. It also underlines the importance of timely reporting by customers, which activates regulatory safeguards and improves the chances of financial recovery.
As cybercrime methods continue to evolve, the decision highlights the need for both financial institutions and users to remain vigilant, while ensuring that victims are not left to bear losses caused by systemic lapses.
