The Delhi High Court has ruled that banks cannot automatically be held liable when customers click suspicious links despite security warnings. Allowing SBI’s appeal in a ₹2.6 lakh phishing fraud case, the Court said customer negligence may include opening unknown links, not just sharing OTPs or passwords.

Delhi High Court Says Banks Not Automatically Liable When Customers Click Phishing Links

The420.in Staff

New Delhi: The Delhi High Court has held that banks cannot automatically be held responsible for losses suffered by customers who click on suspicious links despite repeated security warnings, while allowing an appeal filed by the State Bank of India in a ₹2.6 lakh phishing-related cyber fraud dispute. The Court said digital banking safety is a shared responsibility and customers must exercise reasonable caution while using online banking services.

SBI Challenges Refund Order

The case involved a customer who allegedly lost ₹2.6 lakh after receiving messages and phone calls warning that his banking services could be disrupted unless he clicked on a provided link. Believing the communication to be genuine, he accessed the link, after which two unauthorised transactions were carried out from his SBI account.

The customer argued that he had not shared his One-Time Password or banking credentials with anyone and therefore the bank should compensate him for the loss. A single-judge bench had earlier ruled in his favour and directed SBI to refund the amount with applicable interest.

SBI challenged the decision before a Division Bench, arguing that there was no evidence of any failure in the bank’s security infrastructure and that the customer’s own conduct required closer examination.

Court Flags Customer Negligence

The Division Bench of Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia observed that the Reserve Bank of India’s 2017 framework on unauthorised electronic banking transactions does not limit customer negligence only to cases involving disclosure of passwords, OTPs or login credentials.

The Court noted that repeatedly ignoring security advisories and opening unknown or suspicious links may also amount to negligence by the customer. It said cyber fraud cases often involve complex technical issues, including malware infection, credential theft, OTP interception, device compromise and system vulnerabilities.

The judges observed that such matters generally require detailed technical and forensic examination. The Court said it would be inappropriate to conclusively determine liability through writ proceedings alone without a comprehensive assessment of technical evidence.

Digital Banking Safety Seen as Shared Responsibility

During the proceedings, the Court found that no material evidence had been presented to show that SBI had violated any RBI-mandated cybersecurity protocols or banking security standards. In the absence of proof of failure by the bank, the Court said the entire responsibility for the loss could not be shifted to the institution.

The Division Bench set aside the earlier ruling and allowed SBI’s appeal, offering clarity on how customer responsibility may be assessed in cyber fraud disputes involving digital banking transactions.

Cybercrime expert and former IPS officer Prof. Triveni Singh said modern cybercriminals increasingly rely on social engineering rather than purely technical attacks. He said fake banking alerts, fraudulent KYC update requests, phishing emails and deceptive links are commonly used to manipulate victims.

Experts said the judgment reinforces that while banks must maintain strong security systems, customers also need to verify communications claiming to come from banks and avoid clicking links received through unsolicited messages, emails or calls. The ruling is expected to influence future disputes involving phishing attacks, unauthorised transactions and customer accountability in digital banking.
