Guwahati | The State Bank of India (SBI) must refund ₹94,204.80 to a savings account holder who fell victim to a cyber-fraud scam, the Guwahati High Court has ruled. Dismissing the bank’s appeal, a division bench held that SBI failed to establish any negligence on the part of its customer, Pallabh Bhowmik, and did not take timely measures to stop the fraudulent transactions.
The judgment, delivered on 13 September 2024, affirmed an earlier order directing the refund. SBI then approached the Supreme Court with a Special Leave Petition (SLP), which was dismissed on 3 January 2025, rendering the High Court’s order final.
Phishing call led to three fraudulent transactions; customer acted swiftly
The incident dates back to October 2021, when Bhowmik received a call from a person posing as a Louis Philippe customer care executive. Under the pretext of issuing a ₹4,000 refund, the caller persuaded him to download a mobile application. Shortly thereafter, three unauthorized electronic transactions were carried out, draining a total of ₹94,204.80 from his SBI savings account.
Bhowmik reported the fraud the same day to:
- SBI customer care
- The local police and cybercrime cell
- The National Cybercrime Reporting Portal (NCRP)
Despite the timely alert, the High Court noted that SBI’s response was limited to blocking the customer’s debit card. The bank did not raise a chargeback request, contact the beneficiary bank, or involve cybercrime authorities for swift recovery.
“Bank’s first duty is to prevent and halt unauthorized transactions” Justices Lanusungkum Jamir and Kardak Ete observed that all withdrawals were evidently fraudulent and unauthorized.
“The bank has access to the best available technology, yet no prompt action was taken. When the customer reports fraud immediately, the bank must act to protect their account.”
The bench relied on RBI’s 6 July 2017 circular, which states that where fraud is reported within three working days, the customer’s liability is zero.
OTP argument rejected—transactions not voluntary
SBI contended that the transactions were authenticated using the customer’s OTP and MPIN, implying authorized access. The court disagreed: “The customer was following instructions for a refund, not initiating payments. It is unreasonable to assume that he knowingly shared his sensitive credentials.”
Data breach confirmation at Louis Philippe turned the case
The court also referred to an email from Louis Philippe, confirming a data breach in its customer database between March and December 2021. The bench treated this as strong evidence of:
- A third-party breach
- No contributory negligence by the customer
- Clear establishment of cyber-fraud
Supreme Court precedents reinforce customer protection
Relying on rulings in DAV Public School vs Indian Bank (2019) and Basudev Agarwal vs SBI, the bench reiterated: “Installing or downloading an application cannot, by itself, amount to negligence.” The court emphasized that responsibility can be shifted to the customer only when banks prove deliberate and negligent sharing of confidential credentials—something SBI failed to demonstrate.
Refund within 30 days; bank free to recover from fraudsters later
SBI has been directed to credit the full disputed amount within 30 days. The order allows the bank to pursue recovery:
- From Louis Philippe, if found culpable, or
- From the fraud beneficiary or account holder
once traced.
Strong message to banks: customer rights come first
The ruling reinforces key principles of cyber-fraud governance:
- Customer protection is paramount
- Banks must act quickly and decisively after fraud reports
- RBI guidelines are binding and enforceable
- Zero-liability norms cannot be diluted
With the Supreme Court refusing to intervene, the High Court’s decision now stands as a significant nationwide precedent in the evolving landscape of digital banking safety and accountability.
