New Delhi | In a significant ruling amid the growing number of cyber banking fraud cases in India, a Delhi court has made it clear that banks cannot evade responsibility if customers promptly report fraudulent transactions to both the bank and cyber police authorities. The Saket Court directed Indian Bank to permanently refund ₹77,000 to a pensioner who fell victim to online fraud and upheld the Reserve Bank of India’s “Zero Liability” framework as legally binding.
Additional Sessions Judge Hargurvarinder Singh Jaggi set aside an earlier trial court order that had denied relief to the victim. In its judgment, the court extensively referred to the RBI’s customer protection framework issued on July 6, 2017, stating that the guidelines were specifically designed to safeguard victims of cyber fraud and unauthorised electronic transactions.
Registration Begins for FutureCrime Summit 2026, India’s Largest Cybercrime Conference
The case involved pensioner Yogendra Kumar Singh, who alleged that ₹77,000 was fraudulently withdrawn from his bank account on May 3, 2025, through three unauthorised transactions of ₹32,000, ₹30,000 and ₹15,000 routed via the “PAYU” payment platform. According to records presented before the court, the victim informed the bank and lodged a complaint with the cyber police on the very same day.
Although the bank initially reflected the amount back into the account as a “shadow credit”, the funds were later withheld, forcing the victim to approach the court for relief. The trial court had earlier dismissed his plea on the basis of a police status report stating that no hold or lien amount was reflected on the National Cybercrime Reporting Portal (NCRP).
However, the Sessions Court criticised that approach and observed that the lower court had overlooked the RBI’s mandatory customer-protection guidelines. The court remarked that the victim had shown “utmost vigilance” by informing both the bank and law enforcement authorities immediately after discovering the fraud.
Referring to the RBI’s “Zero Liability” framework, the court stated that customers are entitled to complete protection if unauthorised transactions are reported within three working days. The court further clarified that even if a customer’s negligence is alleged at some stage, any loss occurring after the fraud has been reported must be borne by the bank.
Indian Bank argued before the court that the fraud had occurred due to the customer’s negligence and that the bank’s internal committee had categorised the matter as “Not Fraud on Bank”. The court, however, rejected this defence and held that an internal banking assessment could not override statutory RBI safeguards designed to protect customers.
The court also observed that the bank failed to provide conclusive evidence showing that the customer had deliberately shared OTPs, passwords or other sensitive banking credentials. In one of its strongest remarks, the court stated that “a unilateral internal classification by the bank cannot supersede statutory safeguards created for victims of cyber fraud.”
Renowned cybercrime expert and former IPS officer Prof. Triveni Singh said the ruling could become a major legal precedent for cyber fraud victims across the country. According to him, “In many cyber fraud cases, victims report incidents on time, but banks often delay or withhold refunds citing procedural or technical reasons. This judgment sends a clear message that customer protection is not merely a policy formality but a legal responsibility of financial institutions.”
The court also described the investigation process as “slipshod” and remarked that the lower court’s approach had resulted in a miscarriage of justice against a vigilant citizen. Finally, the court directed Indian Bank to immediately and permanently release the withheld ₹77,000 to the customer while ensuring full compliance with the RBI’s “Zero Liability Mandate”.
