The Delhi High Court has ruled that customer negligence in online financial fraud cannot be restricted solely to instances where a customer actively shares their credentials or one-time passwords (OTPs). A Division Bench, comprising Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia, held that interacting with unverified links or applications received from unknown sources can compromise device security and amount to customer negligence under the Reserve Bank of India (RBI) guidelines.
With this ruling, the Bench set aside a Single Judge’s order that had directed the State Bank of India (SBI) to refund a cyber fraud victim the entire siphoned-off amount of ₹2,60,000, emphasizing that disputed issues requiring technical and forensic examination cannot be conclusively determined under writ jurisdiction.
Background of the Case
The dispute originated from an incident on April 18, 2021, involving Respondent No. 1, Hare Ram Singh, a Professor of Computer Science at GNIOT, Greater Noida, who maintained a savings account with SBI. At around 5:15 PM, Singh received an SMS warning him that his account services would be blocked if he did not click a provided link. To prevent any disruption of services, he clicked the link.
Within five minutes, Singh received an SMS showing that ₹1,00,000 had been debited from his account and transferred to an IDFC Bank account. He immediately contacted SBI’s customer care to block his account. However, while he was still on the call with the customer care representative, a second debit transaction of ₹1,60,000 was executed, transferring the funds to a merchant account of One 97 Communications Ltd. (Paytm).
Singh subsequently lodged complaints on the Online Cyber Crime Portal, registered an FIR at Police Station Hajipur in Bihar, and filed a complaint with the Banking Ombudsman of the RBI (BO-RBI) on April 26, 2021.
Following an internal investigation, SBI’s Competent Authority rejected Singh’s claim on July 14, 2021, noting that the transactions were executed through Internet Banking (INB) credentials and secured by Two-Factor Authentication (2FA) with OTPs sent to Singh’s registered mobile number.
The Banking Ombudsman, on October 20, 2021, observed that Singh was a victim of a vishing scam and had clicked an unknown link. It held that the transaction of ₹1,60,000 to Paytm was outside its purview under the Banking Ombudsman Scheme, 2006. However, because SBI had failed to initiate chargeback proceedings with IDFC Bank for the first transaction of ₹1,00,000, the Ombudsman directed SBI to pay one-third of that disputed amount (₹33,340) to Singh. SBI complied and credited the amount on October 6, 2021.
Singh thereafter approached the High Court via a writ petition. On November 18, 2024, a Single Judge allowed the petition, setting aside the Ombudsman’s order and directing SBI to refund the remaining sum of ₹2,60,000 with 9% annual interest. The Single Judge reasoned that because Singh denied sharing his OTPs, the 2FA security system itself had been breached, indicating a deficiency in service by the bank under the “zero liability” clause of the 2017 RBI Circular. SBI challenged this decision before the Division Bench.
Arguments of the Parties
Submissions on Behalf of the Appellant (SBI)
Represented by Senior Advocate Harin P. Raval, SBI contended that the transactions were secure 2FA transactions completed using the customer’s unique user ID, password, and system-generated OTPs. The bank argued that the fraud occurred entirely due to Singh’s negligence in clicking a malicious link, which compromised his device and allowed cyber fraudsters to access the OTPs.
SBI submitted that this case falls under Clause 7(b)(i) of the 2017 RBI Circular, which states that where the loss is due to customer negligence, the customer must bear the entire loss. The bank also argued that Singh had accepted the Ombudsman’s settlement of ₹33,340 without demur, creating a legal estoppel against further claims. Finally, SBI argued that Singh had an alternative statutory remedy under the Information Technology Act, 2000, and that a writ court is not the appropriate forum to decide complex, disputed technical and forensic questions of cyber fraud.
Submissions on Behalf of Respondent No. 1 (Hare Ram Singh)
Counsel for Singh argued that he had acted with due diligence and immediately contacted customer care. He asserted that he never shared the OTPs with anyone. Singh’s counsel contended that modern cyber frauds utilize sophisticated malware capable of retrieving data without voluntary user disclosure.
Singh argued that since banks possess superior technological infrastructure, they should bear the risk of system vulnerabilities rather than shifting the burden to innocent customers. He maintained that accepting the partial compensation ordered by the Ombudsman did not extinguish his legal right to seek full restitution. He relied on the Kerala High Court judgment in Tony Enterprises v. RBI and the House of Lords ruling in London Joint Stock Bank Limited v. Macmillan and Arthur to support his claims.
Submissions on Behalf of Respondent No. 2 (RBI)
The RBI supported the findings of the Banking Ombudsman’s order, stating that Singh was defrauded after clicking an unknown link and that negligence on his part could not be ruled out. It confirmed that Paytm was not covered under the Banking Ombudsman Scheme, 2006, at the time, which is why that portion of the complaint was closed.
The Court’s Analysis and Findings
The Division Bench focused on whether the Single Judge was correct in applying the “zero liability” framework of the 2017 RBI Circular simply because the customer denied sharing his OTPs.
First, the Bench clarified the scope of customer negligence in digital transactions. Justice Tejas Karia, writing the judgment, observed:
“In matters involving digital banking fraud, customer negligence cannot be confined solely to cases of express disclosure of OTPs or passwords. Compromise of such credentials may also occur where a customer interacts with suspicious links or unknown applications, thereby exposing the banking credentials to misuse.”
The Court closely analyzed Clause 7(i) of the 2017 RBI Circular, which governs the limited liability of a customer. It noted that the Single Judge had interpreted the clause too narrowly by restricting negligence only to the active sharing of credentials. The Bench clarified:
“The expression ‘such as where he has shared the payment credentials’ occurring in Clause 7(i) of the 2017 RBI Circular is plainly illustrative and not exhaustive; it does not confine customer negligence only to cases of express disclosure of payment credentials. In the context of digital banking and cyber fraud, negligence may equally arise where a customer, despite repeated advisories and security warnings, accesses suspicious or unknown links, thereby compromising the security of the banking credentials.”
The Court noted that Singh had admittedly clicked on a suspicious link just before the unauthorized debits occurred, and the transactions were completed after a successful login using his specific INB user ID and password.
Furthermore, the Bench emphasized the limitations of exercising writ jurisdiction under Article 226 of the Constitution in cases involving complex cybercrimes. It held that determining how the security protocols were bypassed requires factual, technical, and forensic investigation. The Court observed:
“The issues considered by the learned Single Judge, particularly whether the user ID and password of the INB profile linked to the Bank Account or the OTPs were compromised following interaction with a suspicious link received from an unknown source; whether negligence was attributable to Respondent No. 1; whether security protocols such as 2FA or OTP verification had been breached by malware deployed by cyber fraudsters; and whether the security apparatus of the Appellant-Bank failed to detect unusual login activity from a different Internet Protocol Address allegedly used by the fraudsters, are matters that necessarily require technical and forensic examination and adjudication on evidence and could not have been conclusively determined in exercise of writ jurisdiction.”
Addressing the precedent of Tony Enterprises v. RBI, the Court distinguished it from the present case. In Tony Enterprises, a police investigation had established active SIM-swapping and identity theft, providing clear proof of third-party system compromise. In contrast, the Court found no such investigative finding in Singh’s case to prove that SBI’s systems had been breached.
Decision
The Division Bench concluded that the Single Judge was not justified in assuming service deficiency on the part of SBI or in completely absolving the customer of negligence. Consequently, the Delhi High Court allowed the appeal filed by the State Bank of India and set aside the impugned judgment dated November 18, 2024.
Case Details
Case Title: State Bank of India versus Hare Ram Singh & Anr.
Case No.: LPA 52/2025 & CM APPL. 4159/2025
Bench: Justice Devendra Kumar Upadhyaya and Justice Tejas Karia
Date: May 29, 2026
