STATE CONSUMER DISPUTES REDRESSAL COMMISSION,

U.T., CHANDIGARH

Punjab National Bank, a Banking Company registered under the Banking Companies (Acquisition and Transfer of Undertakings) Act, 1970, having its Head Office at 7 Bhikha Ji Cama Place, New Delhi and Branch Office amongst others at Sector 28-C, Chandigarh, through Sh. Sushil Kumar Chawla, Branch Manager, Power of Attorney Holder of the Bank.

……Appellant

V e r s u s

Amit Kumar Sharma s/o Sh. Mehar Chand Sharma, R/o H.No. 3450, Sector 27-D, Chandigarh.

Present Address:-H.No.327, Sector 8, Panchkula, Haryana

              ....Respondent

Appeal under Section 15 of the Consumer Protection Act, 1986.

BEFORE:          JUSTICE SHAM SUNDER (RETD.), PRESIDENT.

                    MRS. NEENA SANDHU, MEMBER.

Argued by:          Sh. R.S. Bhatia, Advocate for the appellant.

              None for the respondent.

PER  JUSTICE SHAM SUNDER (RETD.), PRESIDENT

1.               This appeal is directed against the order dated 09.01.2012, rendered by the District Consumer Disputes Redressal Forum-II, U.T., Chandigarh (hereinafter to be called as the District Forum only), vide which, it accepted the complaint, and directed the Opposite Party, as under:-

“In the light of the above observations, we feel that the present complaint succeeds against the opposite party and we direct the Opposite Party to credit an amount of Rs.25,400/- in the account of the Complainant, along with simple interest as applicable to the saving’s account since its withdrawal till it is actually paid. We further saddle the Opposite Party with a consolidated amount of compensation to the tune of Rs.10,000/- on account of deficiency in service, mental agony and harassment. The Complainant is also awarded costs of litigation to the tune of Rs.5,000/-.

The above said order shall be complied within 30 days of its receipt; thereafter, the Opposite Party shall be liable for an interest @18% per annum on the aforesaid amount of compensation and the amount of Rs.25,400/- instead of savings interest from the date of its debit till it is paid, except for the cost of litigation”.

2.               The facts, in brief, are that the complainant (now respondent), being  a bonafide holder of Saving Bank Account no. 0574001300007072, of the Opposite Party (now appellant),  had also subscribed for the Internet Banking facility, with it. It was stated that he has been using the said internet banking facility, as per the instructions, issued by the Opposite Party. The complainant, when got his passbook of the said account updated, he was surprised to see two debit entries of Rs.25,000/- and Rs.400/- on  8.8.2009 and 10.8.2009 respectively. According to the complainant, these two transactions were debited to his account, without his knowledge, through internet banking. The complainant made an oral request, to the Opposite Party, to look into the matter. Thereafter, a written complaint was submitted to the Manager of the Opposite Party on 2.9.2009, regarding the two fraudulent transactions, from his account. Not only this, the complainant also filed two complaints dated 5.9.2009 and 7.9.2009, in respect of aforesaid fraudulent transactions, but the Opposite Party failed to give any satisfactory reply, as to in which manner, these transactions had taken place. It was further stated that the complainant, on his own, reported the matter to the Chandigarh Police, regarding these fraudulent transactions on 8.9.2009 and 10.08.2009. He also made representation to the Banking Ombudsman, Sector 17, Chandigarh, through registered letter dated 30.9.2009, which was replied by its office, through communication dated 6.1.2010. It was further stated that the complainant also filed various other complaints, against the fraudulent transactions, to the Higher Authorities of the Opposite Party, but to no avail. It was further stated that, thereafter, the complainant, in order to inquire about the status of the investigation, moved an application  dated 03.11.2009, under Right to Information Act, 2005, to the Chandigarh Police, which was replied through communication dated 02.12.2009, by the Deputy Superintendent of Police-cum-Central Public Information Officer, Sub Division East, Sector 26, U.T., Chandigarh, mentioning therein that as the matter related to cyber crime,  the same had been sent to I/C Cyber Crime Cell, Crime Branch, Sector 11, Chandigarh. It was further stated that a letter dated 05.11.2009, was received by the complainant, in response to his communication dated 13.8.2009, from the Information Technology Department, C.B.B. Cell, Circle Office, Chandigarh, which revealed that the account, to which the amounts of Rs.25,000/- and Rs.400/- were transferred,  belonged to one Heeral Kishore Kapdi, and bore a/c no. 4792000100009415. It was further stated in the said communication, that apart from these, many other transactions had taken place, through which, he had received credit. It was further stated that the Opposite Party, being the  custodian of Savings Bank Account of the complainant, which was either hacked because of less stringent safety measures taken by it, or with connivance of its Staff Member(s), as no other person could have disclosed the PIN number,  and other relevant information regarding the status of account of the complainant. It was further stated that the aforesaid acts of the Opposite Party amounted to deficiency, in rendering service, as also indulgence into unfair trade. When the grievance of the complainant, was not redressed, left with no alternative, a complaint under Section 12 of the Consumer Protection Act, 1986 (hereinafter to be called as the Act only), was filed.

3.               The Opposite Party, in its written version, pleaded that that the present complaint pertained to cyber crime i.e. fraudulent transactions, through internet banking system, hence the Consumer Forum, had no jurisdiction, to entertain and decide the same. It was stated that an FIR had been lodged against the culprit,  and the matter was under investigation. It was further stated that all the documents had been submitted to the Cyber Crime Cell, Crime Branch, Sector 11, Chandigarh. It was further stated that another FIR had been lodged at Vasai Police Station, Mumbai. It was further stated that, in the Information Technology Act, 2000, the liability of a network service provider was excluded, if he proved that the offence or contravention was committed without its knowledge, or that it had exercised all due diligence to prevent the commission of offence or contravention. It was admitted that the complainant was having Savings Bank Account no. 0574001300007072, with the Opposite Party. It was also admitted that the complainant, applied for the use of internet banking facility service, and he was granted that facility. It was further stated that nobody else could have accessed the password of the complainant, under any circumstances, until and unless he had disclosed the same to somebody or he had not protected the same, by taking reasonable care and precautions. It was further stated that the aforesaid transactions, no doubt, took place from the account of the complainant, but it was not on account of the negligence of the Opposite Party.  It was further stated that neither there was any deficiency, in rendering service, on the part of the Opposite Party, nor it indulged into unfair trade practice. The remaining averments, were denied, being wrong.

4.               The Parties led evidence, in support of their case.

5.               After hearing the Counsel for the parties, and, on going through the evidence, and record of the case, the District Forum, accepted the complaint, in the manner, referred to, in the opening para of the instant order. 

6.               Feeling aggrieved, the instant appeal, has been filed by the appellant/Opposite Party.

7.               Notice of the appeal, was issued to the respondent. The Counsel for the respondent, in the first instance, put in appearance, but on 31.07.2012, none put in appearance, on behalf of the respondent. Accordingly, the respondent was proceeded against ex-parte.

8.               We have heard the Counsel for the appellant, and, have gone through the evidence, and record of the case, carefully. 

9.               The Counsel for the appellant, submitted that, no doubt, the complainant was having Savings Bank Account no. 0574001300007072, with the Opposite Party. He further submitted that he subscribed for the internet banking facility, and has been using the same. He further submitted that at the time of provision of the said facility, the complainant was made aware of its terms and conditions. He further submitted that Annexure R-1, are the terms and conditions, relating to the user of the said facility.  He further submitted that, as per the terms and conditions, the complainant was required to take necessary care and precautions, for the use of the internet banking facility. He further submitted that even he was advised to change his password, after every transaction or frequently, so as to avoid its misuse, on account of hacking of the same. He further submitted that, the complainant, in the complaint, as also in his affidavit, by way of evidence, did not state even a single word that he took all necessary precautions, mentioned in the terms and conditions contained in Annexure R-1. He further submitted that the complainant apparently either disclosed his password, or failed to delete the same, after using the internet banking facility, at a particular point of time, as a result whereof, the same might have been hacked by somebody, resulting into two transactions, referred to above, from his account. He further submitted that there was no connivance of any Official(s) of the Opposite Party, nor it was responsible for such transfer entries of the amount, from the savings bank account of the complainant, as per the terms and conditions referred to above. He further submitted that the District Forum did not appreciate the terms and conditions of Annexure R-1, in its proper perspective, as a result whereof, it fell into a grave error, in accepting the complaint. He further submitted that the order of the District Forum, being illegal, and invalid, is liable to be set aside.

10.            After giving our thoughtful consideration, to the contentions, advanced by the Counsel for the appellant, and the evidence, on record, we are of the considered opinion, that the appeal is liable to be accepted, for the reasons to be recorded hereinafter. Admittedly, the complainant was having Saving Bank Account no. 0574001300007072 with the Opposite Party. There is also, no dispute, about the factum, that the complainant subscribed for  the internet banking facility. At the time of subscribing for the internet banking facility, he went through the terms and conditions thereof, which are contained in Annexure R-1. The complainant, in the complaint, has also admitted,  that he started using the internet banking facility, as per the instructions. Conditions number 5, 6 and 13, of the terms and conditions contained in Annexure R-1, read as under:-

5.   Internet Banking Services Access

The USER would be allotted a User-id and a secret password (to be used at the time of login) by the BANK in the first instance. The USER will be required to change the password assigned by the BANK on accessing Internet Banking Services for the first time. For authentication of the transactions a separate transaction password will be allotted. As a safety measure the USER shall change the password as frequently thereafter as possible.

In addition to User-id and Password the BANK may, at its discretion, advise the USER to adopt such other means of authentication including but not limited to digital certification and/or smart cards.

The USER shall not attempt or permit others to attempt accessing the account information stored in the computers of the BANK through any means other than the Internet Banking Services.

6. Password

The USER must:

a. keep the User-id and password totally confidential and not reveal the password to any third party

b. choose a password which shall be at least 6 characters long and shall consist of a mix of alphabets, numbers and special characters which must not relate to any readily accessible personal data such as the USER’s name, address, telephone number, vehicle number, driving licence etc. or easily guessable combination of letters and/or numbers

c. commit the user-id and password to memory and not record them in a written or electronic form

d. not let any unauthorized person have access to his computer or leave the computer unattended while using Internet Banking Services.

In the event of forgetting of user-id and/or password or expiry/ disability of password(s) USER can request for change of the password by sending a written request to the BANK. The selection of a new password and/ or the replacement of User-id shall not be construed as the commencement of a new contract

13.          Liability of the USER and the BANK

If the USER has complied with the TERMS and advises the BANK in writing under acknowledgment of an authorized person of the Bank, immediately after he/she suspects that his/her User-id or password is known to another person and/ or notices an unauthorised transaction(s) in his account, he/she shall not be liable for losses arising out of the unauthorized transaction(s) occurring in the accounts after the receipt of such advice by the BANK.

The USER shall be liable for some or all loss from unauthorised transactions in the account(s) if he/she has breached the Terms and conditions or contributed or caused the loss by negligent actions such as the following:

In disclosing or failing to take all reasonable steps to prevent disclosure of the User-id and/or password to anyone including BANK staff and/ or failing to advise the BANK of such disclosure within a reasonable time

Not advising the BANK in a reasonable time about unauthorised access to or erroneous transactions in the account(s) through the Internet Banking Services.

The BANK shall not be liable for any unauthorised transaction(s) occurring through the use of Internet Banking Services which can be attributed to the fraudulent or negligent conduct of the USER.

The BANK shall not be liable to the account holder(s) for any damages whatsoever whether such damages are direct, indirect, incidental, consequential and irrespective of whether any claim is based on loss of revenue, investment, production, goodwill, profit, interruption of business or any other loss of any character or nature whatsoever and whether sustained by the account holder(s) or any other person, if Internet Banking Services access is not available in the desired manner for reasons including but not limited to natural calamity, floods, fire and other natural disasters, legal restraints, faults in the telecommunication network or Internet or network failure, software or hardware error or any other reason(s) beyond the control of the BANK.

The Bank shall endeavor to take all possible steps to maintain secrecy and confidentiality of its customers’ account(s) but shall not be liable to the account holder(s) for any damages whatsoever caused on account of breach of secrecy/ confidentiality due to hacking or technological lapses in the system.

The bank shall not be liable for any loss due to unauthorized transfer of funds through hacking etc.”

11.            From the afore-extracted conditions of Annexure R-1, it is crystal clear, that the user was to be allotted a User-id and a secret password (to be used at the time of login), by the Bank, in the first instance. He was required to change the password, assigned by the Bank, on accessing Internet Banking Services, for the first time. For authentication of the transactions, a separate transaction password was to be allotted to him.  It was, however, made clear in condition no.5 extracted above, that as a safety measure, the user was required to change the password, thereafter, as frequently, as possible. According to condition no.6 extracted above, the complainant was required to keep the User-id and password totally confidential, and not reveal the same, to any third party. According to condition no. 13, extracted above, when the user complied with the terms and advises the Bank, in writing, under acknowledgment of an authorized person of the Bank, immediately after he/she suspects that his/her User-id or password is known to another person, and/ or notices an unauthorised transaction(s) in his account, he/she shall not be liable for losses,  arising out of the unauthorized transaction(s) occurring in the accounts, after the receipt of such advice by the Bank. It was, however, made clear, in condition no.13 that the user shall be liable for some or all loss, from unauthorised transactions, in the account(s), if he/she had breached the Terms and conditions, or contributed or caused the loss, by negligent actions, as extracted above in condition no. 13. In the complaint, it was not at all stated by the complainant, that he kept his ID and password completely confidential, and did not disclose the same to anybody else. He also did not state even a single word, in his complaint, that he changed the password frequently. He also did not state in his complaint, that he chose the password, which was atleast 6 characters long, consisting of a mixture of alphabets, numbers and special characters, which did not relate to any readily accessible personal data. By not taking such pleas, in his complaint, and in the affidavit, filed by him, alongwith the complaint, by way of evidence, he failed to prove that he did not disclose his ID and password, to anybody else, and that he did not fail to delete the password from the internet after, making the transactions through internet banking. Had the password been not disclosed by the complainant to anybody else, or had the same been kept completely secret/confidential, and changed frequently, as per the terms and conditions, contained in Annexure R-1, there would have been no possibility of hacking of his account, through internet banking. The complainant failed to prove that any Official(s) of the bank connived with the hacker(s) or passed on the password and ID to him/them [(hacker(s)]. Since, the complainant failed to take necessary precautions, as per the terms and conditions contained, in Annexure R-1, he could not blame the Opposite Party. No evidence, was produced by the complainant, that the Opposite Party did not take reasonable care and caution, in protecting his User-id and password, in proper manner. No doubt, in paragraph no.10 of the impugned order, the District Forum observed that the Opposite Party did not mention that it had gone through its records to confirm that none of its official(s) or employee(s) was/were involved or connected, with the leakage of information or data of the internet banking account of the complainant. It was the duty of the complainant, to prove this factum, by summoning whatever record, he wanted to, from the Opposite Party. The onus of proof of a fact, which lay on the shoulders of the complainant, could not be shifted on to the shoulders of the Opposite Party. Without having access to the secret password of the complainant, which he possibly disclosed to somebody, nobody could hack his account. In State Bank of India Vs. K.K. Bhalla, II (2011)CPJ 106 NC, a case relating to the misuse of ATM, it was held by the National Consumer Disputes Redressal Commission, New Delhi, that the ATM was issued to the respondent/complainant, and that he had kept the card in his self-custody/knowledge. Thus, no one had access to it, nor was it ever missing. It was further observed that only the respondent/complainant was aware of the special four digit PIN number of the ATM card, which was essential to operate the ATM. It was further observed that, in view of the elaborate procedure, evolved by the Bank, to ensure that without the ATM card, and knowledge of PIN number, it was not possible for money to be withdrawn by an unauthorized person from the ATM,  it was difficult to accept the contentions of the complainant/respondent that the transactions were fraudulent. The principle of law, laid down, in State Bank of India`s case (supra) is fully applicable to the facts of the instant case. The District Forum was wrong, in coming to the conclusion, that the Opposite Party, failed to produce any evidence, on record, that they took all safety measures, to prevent the hacking of the account of the complainant, through internet banking, and, as such, it was deficient, in rendering service to him. In our considered opinion, the Opposite Party was not deficient, in rendering service, to the complainant. The order of the District Forum, being illegal and invalid, is liable to be set aside.

12.            No other point, was urged, by the Counsel for the appellant.

13.            In view of the above discussion, it is held that the order passed by the District Forum, being not based on the correct appreciation of evidence, and law, on the point, suffers from illegality and perversity, warranting the interference of this Commission.

14.            For the reasons recorded above, the appeal is accepted, with no order as to costs. The order of the District Forum is set aside.

15.            Certified Copies of this order, be sent to the parties, free of charge.

16.            The file be consigned to Record Room, after completion

Pronounced.

August 3, 2012

Sd/-

[JUSTICE SHAM SUNDER]

PRESIDENT

Sd/-

[NEENA SANDHU]

MEMBER

Rg