The Bombay High Court has ordered HDFC Bank to refund ₹38.04 lakh to a Pune businessman, holding that he was not negligent in a SIM-swapping fraud and was entitled to zero liability protection under RBI rules after promptly reporting the unauthorised transactions.

High Court Upholds Zero Liability in HDFC Cyber Fraud Case

The420 Correspondent

The Bombay High Court recently directed HDFC Bank to refund ₹38.04 lakh to a Pune-based businessman who lost the amount in a cyber fraud involving SIM swapping and cloned mobile identity, reinforcing the principle of ‘zero liability’ for customers under the Reserve Bank of India guidelines.

A division bench comprising Justice Bharati Dangre and Justice Manjusha Deshpande rejected the bank’s argument that SMS alerts and OTP-based authentication were sufficient safeguards, noting that the fraudsters used a SIM-swapping/cloning technique that rendered such alerts ineffective.

The court observed that on September 14, 2021, three unknown individuals were added as beneficiaries to the petitioner’s account through net banking, followed by multiple unauthorised transactions within a span of 41 minutes, resulting in the siphoning of ₹38.04 lakh from both savings and current accounts.

The bank argued that SMS alerts and OTP communications were duly sent, but the court found no conclusive evidence that the customer actually received them. It noted that the burden of proving negligence lay on the bank, which failed to discharge it.

Relying on the RBI circular dated July 6, 2017, the bench held that since the petitioner was not negligent and promptly reported the fraud, he was entitled to ‘zero liability’ protection and full reimbursement of the stolen funds.

The judges further noted that the bank’s internal investigation showed mismatched IP addresses and suspicious transaction patterns, indicating that the transactions were not initiated by the account holder.

According to the court, the bank also failed to act promptly despite recognising the account as a high-risk or ‘blacklisted’ account, and did not effectively prevent unauthorised access during the fraudulent transfers.

The court emphasised that the purpose of the RBI’s zero liability framework is to protect diligent customers who are not responsible for sharing passwords or OTPs, and criticised the bank for attempting to shift responsibility onto the victim.

Following the judgment, the High Court ordered HDFC Bank to remit the ₹38.04 lakh within eight weeks, failing which it would attract an interest rate of 8 per cent per annum until payment is completed.

The judgment comes amid a rising number of cyber fraud cases across India, particularly involving SIM swapping, phishing, and OTP interception techniques. Courts have increasingly been called upon to determine liability between banks and customers, especially in cases where fraudsters exploit telecom vulnerabilities rather than customer negligence.

Experts note that SIM swapping fraud typically involves criminals obtaining duplicate SIM cards by manipulating telecom verification systems, allowing them to intercept calls and messages, including one-time passwords used for banking transactions.

The Reserve Bank of India’s ‘zero liability’ framework, referenced by the court, provides protection to customers who promptly report unauthorised transactions and are not found to have contributed to the fraud through negligence or sharing of confidential credentials.

Legal observers say the ruling reinforces judicial recognition of evolving digital fraud risks and places a stronger evidentiary burden on banks to prove customer negligence before denying compensation in cyber fraud disputes.

This ruling is expected to have wider implications for banking operations and consumer protection standards in India, particularly in cases involving advanced cyber fraud techniques. By reaffirming the principle of zero liability, the court has strengthened the position of customers who act promptly and responsibly after detecting suspicious transactions. At the same time, the judgment places increased responsibility on banks to ensure robust authentication systems and real-time fraud monitoring mechanisms.

Legal experts believe such decisions may push financial institutions to upgrade their cybersecurity infrastructure and improve coordination with telecom service providers to prevent SIM-based frauds. The ruling also underlines the need for stronger internal controls, quicker fraud response systems and more reliable verification processes.

The decision further highlights the importance of timely investigation and clear documentation in cyber fraud disputes. Courts are increasingly relying on technical evidence such as IP logs, transaction trails and telecom records to determine liability, making digital forensics and record-keeping central to future banking fraud cases.
