On 21st December, 2020 in National consumer Disputes Redressal Commission (NCDRC), the Hon’ble Presiding Member, Mr. C Viswanath dismissed the Revision Petition  filed under Section 21 (b) of the Consumer Protection Act, 1986 by HDFC Bank and held that the bank will be liable to pay to its customers in case of unauthorized transactions. Thus, the banks must compensate to its account holders in case of fraudulent transactions in the absence of any evidence to substantiate its stand that the fault was on the part of the account holder and in today's digital age, the possibility that the credit card was hacked or forged cannot be ruled out.
The respondent purchased a pre-paid Forex Plus Debit from the petitioner bank in 2007 and the fraud took place in 2008. The respondent’s father got a call from the Credit Card Division of petitioner for confirming the transaction attempted by the respondent’s card. After verifying the same from the respondent, it came to the attention of both the respondent and petitioner that no such transaction was done by the respondent and thereafter a complaint was registered in the police station, Los Angeles.
After receiving the charge slips for the disputed transactions, it was noticed by the respondent that the signatures on the charge slip didn’t match the respondent’s signatures and thereafter several representations were made by the respondent to the petitioners but got no resolution and finally the respondent filed a complaint before the Ld. District Forum.
Petitioner stated that they tried to contact the respondent after a large volume of transactions took place from the respondent's Forex Card but as they were unable to contact the respondent, they informed the respondent’s father about the same and further card of the Respondent was put on Hot List. Secondly, the petitioner claimed that the respondent didn’t opt for the SMS alert and therefore the messages of the transactions could not reach the respondent.
Thirdly, the petitioner contended that it was the duty of the respondent to keep the card safely and in case of suspicious or fraudulent activity, the petitioner was not liable to intimate the card holders. Further, it was contended that it is not the responsibility of the petitioner for tallying the signatures on the transaction slips as the entire process is automated without any human intervention.
The respondent stated that the credit card was in her possession when the transaction took place and thus there is a possibility that her card could have been hacked or forged by some third party for which the petitioner is liable or some other technical and/or security lapse in the electronic banking system through which the transactions had taken place as the transaction took place several miles away from the actual place of the respondent. Also, the petitioner, however, has produced no evidence to corroborate the averment that the credit card was stolen or that the respondent has resorted to any fraud/forgery.
Both the Ld. District Forum and State Commission ordered in favour of the respondent and hence the petitioner aggrieved by the order filed the Revision Petition before the Hon’ble NCDRC.
The Presiding Member C Viswanath held that since the petitioner bank has failed to produce any evidence to substantiate that the fraudulent transaction took place because of the account holder’s fault hence, the petitioner will be liable for the same and the bank cannot rely on arbitrary terms and conditions to wriggle out of its liability towards customers and any such terms and conditions must be in conformity with the directions issued by the RBI which is responsible for safekeeping of the banking systems and maintaining checks and balances in the same.
Reliance was placed by the Hon’ble NCDRC on RBI circular dated 6th July, 2017 dealing with Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions wherein it stated:-
“6. A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:
Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.”
|Time taken to report the fraudulent transaction from the date of receiving the communication||Customer’s liability (₹)|
|Within three working days||Zero liability|
|Within four to seven working days||The transaction value or the amount or the maximum liability of the customer ranges from ₹ 5,000 to ₹ 25,000, depending on the type of account whichever is lower|
|Beyond seven working days||As per bank’s Board approved policy|
In the instant case, the first unauthorised transaction took place on 15.12.2008 and the said transaction was observed by the petitioner bank itself and the respondent’s father was contacted by the petitioner on 18.12.2008. The respondent’s father on receiving the information from the bank within 3 working days i.e., on 20.12.2008 notified the petitioner bank that the transactions were unauthorized. Thus, it was held that even if the deficiency was not with the bank, but elsewhere in the system, the bank will be held liable for all 29 unauthorized transactions which were effected from 15.12.2008 till the card was hotlisted, i.e. till 20.12.2008.
Hon’ble NCDRC also relied on the Punjab National Bank and Anr. V Leader Valves II. The Hon’ble NCDRC while addressing the question of liability of a bank in case of unauthorized and fraudulent electronic banking transactions has observed as under:
“11. The first fundamental question that arises is whether the Bank is responsible for an unauthorized transfer occasioned by an act of malfeasance on the part of functionaries of the Bank or by an act of malfeasance by any other person (except the Complainant/account-holder). The answer, straightaway, is in the affirmative. If an account is maintained by the Bank, the Bank itself is responsible for its safety and security. Any systemic failure, whether by malfeasance on the part of its functionaries or by any other person (except the consumer/account-holder), is its responsibility, and not of the consumer.”
The Reserve bank of India (RBI) on 6th July 2017 amid the national drive toward digital transactions and rising incidents of fraud, had notified the norms in order to fix the liability in cases if a person loses money through an unauthorized electronic banking transaction like cyber attack on the bank or hacking of account.
The order passed by the Hon’ble NCDRC is a welcome step and is in consonance with the RBI circular but on the other hand, it makes the banks helpless in case the transaction is disputed by the account holder. It is a clear mandate to exonerate an account holder as the circular presumes the innocence of the account holder and banks can only recover the amount when it can prove that the account holder himself was responsible for such transaction. Neither the circular passed by the RBI nor the order passed by the Hon’ble NCDRC foreclose the remedy of the bank to proceed against the fraudsters and also against customers or any other persons or entity involved.
In today’s time with an increase in digital and net-banking transactions, the threat of fraud in online transactions and hacking are also on the rise. Even in case of unlawful gain by few account holders by deceiving the banks or in case of negligence on the part of the customer in protecting their personal details with fraudsters or hackers, there are no remedies available to the banks. I think it is high time to think not only about the customers but also the banks otherwise in such a scenario where cyber crime is at its peak some guidelines or rules must be made to protect the banks also.