The Delhi State Consumer Disputes Redressal Commission has ruled that banks cannot escape liability in cyber fraud cases unless they can prove a customer acted with negligence. The decision came as the commission dismissed an appeal by the State Bank of India and upheld an order directing the lender to pay 55,000 rupees to a senior citizen who lost funds to a phishing scam.
The state commission, led by President Justice Sangita Dhingra Sehgal and member Bimla Kumari, affirmed that the burden of proving customer liability in unauthorized electronic transactions rests entirely on the financial institution. The ruling noted that the bank failed to provide any documentary evidence showing that the account holder had shared passwords, PINs, or one-time security codes.
The Cyber Fraud Incident
The dispute began after G Natarajan, a Delhi resident and senior citizen who had maintained a savings account with the bank since 2011, fell victim to a phishing scam on July 12, 2021. After clicking a fraudulent link sent via a text message requesting updates to his customer profile, 20,000 rupees was withdrawn from an ATM in Jamshedpur, and an additional 25,000 rupees was transferred from his account within minutes.
Natarajan stated that he was physically in Delhi when the ATM withdrawal took place and noted that he had never been issued an ATM card for that specific account.
Delayed Response And District Ruling
Although Natarajan reported the incident to the bank on the day it occurred and received a formal complaint acknowledgement, the institution did not resolve the matter. More than seven months later, the bank requested him to present physical documents at his local branch.
Despite submitting a formal claim form on April 7, 2022, and issuing a legal notice, the bank did not refund the stolen money or establish liability. Natarajan subsequently filed a complaint with the district consumer disputes forum.
On December 5, 2023, the district commission found the bank guilty of service deficiency. It ordered the lender to refund the 45,000 rupees with seven percent annual interest starting from the date of the theft, along with 10,000 rupees for mental distress and litigation costs. The district commission also set a nine percent interest penalty if the payment was not settled within 30 days.
Appeal Dismissed Under Regulatory Guidelines
On appeal before the state commission, the bank argued that the district commission had misinterpreted the Reserve Bank of India guidelines from July 6, 2017, regarding unauthorized electronic banking. The bank contended that the customer, who is an advocate, should have exercised higher caution and asserted that the unauthorized transfers occurred due to his own negligence in sharing credentials.
The state commission rejected this defense on July 9, characterizing the bank’s claims as unsupported assertions lacking concrete proof. Pointing to Clause 12 of the regulatory circular, the bench reiterated that the burden of proof remains on the bank in such disputes.
The bench observed that because the customer reported the theft on the same day, he was eligible for protection under the regulatory zero-liability framework. It also criticized the bank for failing to investigate the complaint or determine liability within the mandated 90-day window, concluding that the lack of action constituted a clear deficiency in service under consumer protection laws.
Consumer Assistance Resources
Individuals facing similar consumer grievances can contact their respective state consumer helplines, or reach out to the National Consumer Helpline by dialing 1915 or calling 1800-11-4000.

