1.         The present Revision Petition (RP) has been filed by the Petitioner against Respondent as detailed above, under section 58 (1) (b) of Consumer Protection Act 2019, against the order dated 23.11.2021 of the State Consumer Disputes Redressal Commission, Haryana (hereinafter referred to as the ‘State Commission’), in First Appeal (FA) No. 304 of 2020 in which order dated 22.05.2019 of District Consumer Disputes Redressal Forum, Gurgaon (hereinafter referred to as District Forum) in Consumer Complaint (CC) No. 130 of 2018 was challenged, inter alia praying for setting aside the order 23.11.2021 of the State Commission.

2.         While the Revision Petitioner (hereinafter also referred to as Opposite Party) was Appellant before the State Commission and Opposite Party before the District Forum and the Respondent (hereinafter also referred to as Complainant) was Respondent before the State Commission and Complainant before the District Forum. Notice was issued to the Respondent on 06.04.2022.  Parties filed Written Arguments on 06.12.2023 (Petitioner) and 20.11.2023 (Respondent) respectively. 

3.         Brief facts of the case, as emerged from the RP, Order of the State Commission, Order of the District Commission and other case records are that:

(i)        The Petitioner is a subsidiary of SBI and issued a credit card bearing no. 5172526727659943 to the Respondent. On 04.10.2017, an international transaction of USD 700 (Rs.47,946.55/-) was done using the credit card at "Paypal Keanneswart" and received an SMS on her registered mobile no. later on. The Respondent did not receive an OTP for this transaction and reported it as fraudulent. She got the card blocked and subsequently raised the dispute regarding the said transaction. The Petitioner raised a chargeback issue with the merchant and issue temporary credit as per RBI guidelines, but after receiving valid documentation from the Merchant confirming the transaction, the Petitioner reversed the temporary credit and sought payment from the Respondent. The Respondent, however, did not settle the outstanding dues of Rs.67,689.12/-. Hence, the Respondent filed a Consumer Complaint before the District Commission

4.         Vide Order dated 22.05.2019, in the CC no. 130 of 2018 the District Commission has allowed the complaint and directed the OP to credit the amount of Rs.47,946.55/- in the account of the Complainant. Aggrieved by the said Order dated 22.05.2019 of District Commission, Petitioner appealed in State Commission and the State Commission vide order dated 23.11.2021 in FA No. 304 of 2020 has dismissed the appeal.

5.         Petitioner has challenged the said Order dated 23.11.2021 of the State Commission mainly on following grounds:

1. The State Commission and the District Commission failed to acknowledge the fact that the subject transaction/disputed transaction is being contended as fraudulent transaction by the Complainant, which required detailed cyber police investigation and verification of the IP address of the Complainant and as communicated in the chargeback validating document.

2. The State Commission and the District Commission erred in not appreciating the Chargeback validating document being ID:246686461 provided on 04.01.2018 issued by the Merchant, which validated the Disputed Transaction to have been done by the Complainant.

3. The State Commission failed to appreciate the fact that the Respondent with the malafide intent to evade her liability to repay the credit card dues was falsely alleging that the disputed transaction was a fraudulent transaction.

4. The Complainant/Respondent is not entitled to any relief in equity against the Petitioner, as she has presented a distorted and incorrect version of the facts before the District Commission and is guilty of concealing correct fact that the disputed transaction was carried out by her only.      

5. The State Commission and District Commission both failed to consider that the direction to disburse in favour of the Respondent, the statutory amount of Rs.25,000/- which was deposited by the Petitioner while filing the appeal is unjustifiable as Complainant had not paid the outstanding dues against the credit card availed from the Petitioner. It is the Petitioner Company who suffered the loss due to the Complainant/Respondent. 

6.         Heard learned counsels of both sides.  Contentions/pleas of the parties, on various issues raised in the RP, Written Arguments, and Oral Arguments advanced during the hearing, are summed up below:

            6.1       In addition to the averments made under the grounds (para 5), the petitioner contended that State Commission and District Commission failed to appreciate the fact that the disputed transaction was an online International transaction wherein OTP is not mandated by the RBI Guidelines. Further, it is submitted that RBI Guidelines on Security and Risk Mitigation Measures for Electronic Payment Transactions, provides for second factor authentication (OTP) is a mandate in India and same is being followed by Indian Merchant/website. The lower foras erred in not acknowledging the fact that upon AVS check of the Disputed Transaction, it was found out that the shipping and the Address Verification Service (AVS) matched billing address which prima facie shows that the authentication was obtained prior to the transaction and was performed by the Respondent herself.

            6.2       On the other hand Respondent contended that the she had been regularly and continuously speaking to the customer care of the Petitioner via telephone regarding redressal of her grievance regarding the fraudulent transaction and it was time and again assured to her that the said transaction would not be charged to her account/card. On a bare perusal of the transaction as supplied by the merchant would reveal that the said transaction could not have been done by her as the said transaction pertains to some donation to “Kerrie Anne Swartz” with whom the Respondent has no relation whatsoever, and is clear that the card has been misused in some online transaction which is on account of a security lapse on behalf of the Petitioner which has compromised the security of the credit card resulting in the misuse of her card. Respondent further contended that the investigation or enquiry done on the part of the Petitioner is a mere eyewash as they have not provided any minutes or details of the said sham investigation and have just done the same to avoid their liability for their said illegal and negligent act. Further, Respondent contended that the RBI guidelines on Security and Risk Mitigation Measures for Electronic Payment Transactions is mandate in India, which the Respondent never received. Petitioner also violated the RBI guidelines and has not adhered to the specific instructions to be performed by the banks in case of fraud and has wrongfully fastened the fraud amount as liability upon the Respondent.

7.         In this case, there are concurrent findings of both the fora below against the Petitioner herein. State Commission while dismissing the appeal filed by the Petitioner has observed as follows:

8.         Having heard counsel for the appellant/opposite party, it is made out that on 04.10.2017 the complainant had received an SMS on her mobile about the alleged transaction was made by her via her credit card No. 5172 5267 2765 9943 at Paypal Keanneswart for USD 700.00 amounting to INR 47,946.55. According to the complainant, she had not received the one time password (OTP) as required before every transaction. The complainant immediately informed the customer care of opposite party regarding misuse of her credit card and blocked the credit card. When the complainant asked to confirm in writing about the transaction being valid or not she replied vide email dated 16.12.2017 that it was a fraudulent transaction carried out on her credit card as shown in Annexure-C2. Vide email dated 24.01.2018, the complainant had re-confirmed that she had not made the disputed transaction. Vide email dated 25.01.2018, the opposite party asked the complainant to fill the transaction dispute form regarding the disputed transaction so as to pursue the investigation as required by Visa/Master Card. To this, she replied that the Transaction Dispute Form for verification of her disputed transaction was shown in Annexure C-3 and when the opposite party received the valid documents from the acquiring bank (Global payments Asia-Pacific Hong Kong Holding Ltd. Singapore), temporary credit posted over the card account was rolled back from the card account of the complainant which meant that there was deficiency in service on the part of the opposite party as any transaction which was being done without following the mandatory process of receiving One Time Password was a default on the part of the opposite party and therefore, the complainant was not liable to credit the amount of Rs.47,946.55.

9.         In view of the above, the State Commission finds that no case is made out for any interference in the impugned order. The appeal is devoid of any merit and resultantly dismissed.

10.       The statutory amount of Rs.25,000/- deposited by the appellant while filing the appeal be disbursed in favour of the complainant-Ms. Durga Chauhan against proper receipt and identification in accordance with rules, subject to appeal/revision, if any.”

8.         District Forum, while allowing the complaint, has observed as follows:

“6.       After going through the facts and circumstances of the case, it is evident that on 04.10.2017, the complainant received a SMS on her mobile No.09650286203 about a transaction made via her credit card No. 5172526727659943 at Paypal Keanneswart for USD 700.00 amounting to INR 47,946.55. As per pleadings of the complainant, he has not receiving any OTP (one-time password) as required before every transaction and she had immediately informed the customer care of OP of misuse of her credit card on the same day and blocked her credit card. The complainant (on asking by the OP that to confirm in writing whether the said transaction was valid or not) vide her email dated 16.12.2017 informed the OP about the fraudulent transaction carried out on her credit card as shown in Annexure-C2 and vide email dated 24.01.2018, the complainant had re-confirmed that she had not made the disputed transaction and vide email dated 25.01.2018, the OP asked the complainant to fill the Transaction Dispute Form regarding the disputed transaction to further pursue the investigation as required by Visa/Master Card and accordingly the complainant had submitted the said Transaction Dispute Form for verification of her disputed transaction as shown in Annexure C-3 and when the OP received the valid documents from the acquiring bank (Global payments Asia-Pacific Hong Kong Holding Ltd. Singapore), temporary credit posted over the card account was roll back from the card account of the complainant which tantamount to deficiency in service on the part of the opposite party as any transaction which is being done without following the mandatory process of receiving One Time Password is a default on the part of the OP and therefore, the complainant cannot be forced to pay.

7.         Keeping in view the above circumstances of the case, we are of the view that the ends of justice would be met if the opposite party is directed to return the amount of Rs.47,946.55 which has been charged by the OP from the complainant's account. Resultantly, the complaint is allowed directing the opposite party to credit the amount of Rs.47,946.55 in the account of the complainant. The opposite party shall make the compliance of the order within 30 days from the date of receipt of the copy of this order. The parties be communicated of the order accordingly and the file be consigned to the records after due compliance.”

9.         It is the case of the Petitioner that disputed transaction being an Online International Transaction, OTP was not mandated as per RBI guidelines. However, Petitioner has not placed on record any such guidelines of RBI or its own policy, which would state that for International Transactions OTP is not mandatory. We have had a look at following guidelines of RBI on the subject of Unauthorised Electronic Banking Transactions, extract of relevant paras of the same are reproduced below:

(i)        RBI Circular No. DBR.No.Leg.BC/78/09.07.005/2017-18 dated 06.07.2017 on the subject “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”

“Limited Liability of a Customer

(a) Zero Liability of a Customer

6. A customer's entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:

i. Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).

ii. Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.

(b) Limited Liability of a Customer

7. A customer shall be liable for the loss occurring due to unauthorised transactions in the following cases:

i. In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

ii. In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower.

xxx

Reversal Timeline for Zero Liability/ Limited Liability of customer

9. On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer's account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorised transaction.

10. Further, banks shall ensure that:

i. a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the bank's Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions of paragraphs 6 to 9 above;

ii. where it is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the compensation as prescribed in paragraphs 6 to 9 is paid to the customer; and

iii, in case of debit card/ bank account, the customer does not suffer loss of interest, and in case of credit card, the customer does not bear any additional burden of interest.

xxx

Burden of Proof

12. The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.”

(ii)       Circular No. DBR. No. FSD. BC.18/24.01.009/2015-16 dated 01.07.2015 on “Master Circular on Credit Card, Debit Card and Rupee Denominated Co-branded Pre-paid Card Operations of Banks and Credit Card issuing NBFCs”

“I. Credit Card Operations of Banks

1. Introduction

This circular is aimed at providing general guidance to banks/NBFCs on their credit card operations, and the systems and controls expected of them in managing their credit card business. It also sets out the best practices that they should aim to achieve.

Experience has shown that the quality of banks' credit cant portfolios mirrors the economic environment in which they operate, and there is a strong correlation between an economic downturn and deterioration in the quality of such portfolios. The deterioration may become even more serious if banks have relaxed their credit underwriting criteria and risk management standards as a result of intense competition in the market. It is therefore important for banks to maintain prudent policies and practices for managing the risks of their credit card business which are relevant to the market environment that they operate in.

2. Issue of cards

2.1 Banks in India can undertake credit card business either departmentally or through a subsidiary company set up for the purpose. They can also undertake domestic credit card business by entering into tie-up arrangement with one of the banks already having arrangements for issue of credit cards.

2.2 Prior approval of the Reserve Bank is not necessary for banks desirous of undertaking credit card business either independently or in tie-up arrangement with

other card issuing banks. Banks can do so with the approval of their Boards. However, only banks with networth of 100 crore and above should undertake credit card business. Banks desirous of setting up separate subsidiaries for undertaking credit card business would, however, require prior approval of the Reserve Bank.

2.3 Each bank must have a well documented policy and a Fair Practices Code for credit card operations. The Fair Practices Code should incorporate the various guidelines on the subject issued by RBI from time to time, as well as the relevant Guidelines contained in this Master Circular. Banks which have adopted the "Code of Bank's Commitment to Customers'' (Code) )of The Banking Codes and Standards Board of India (BCSBI) may also incorporate the principles enunciated therein, as amended from time to time, in their Fair Practices Code. The Fair Practices Code should be available on the website of the Bank/NBFC.

2.4 Banks/NBFCs should ensure prudence while issuing credit cards and independently assess the credit risk while issuing cards to persons, especially to students and others with no independent financial means.

2.5 In terms of the instructions contained in the circular DBOD.No.Leg.BC.65/09.07.005/2006-07 dated March 6, 2007, banks have been advised that in case of all categories of loans irrespective of any threshold limits, including credit card applications, banks should convey in writing the main reason/reasons which in the opinion of the bank have led to the rejection of the loan applications. It is reiterated that banks should convey in writing the main reason/reasons which have led to the rejection of the credit card applications.

2.6 As holding several credit cards enhances the total credit available to any consumer, banks/NBFCs should assess the credit limit for a credit card customer having regard to the limits enjoyed by the cardholder from other banks on the basis of self-declaration/ credit information obtained from a CIC.

2.7. While issuing cards, the terms and conditions for issue and usage of a credit card should be mentioned in clear and simple language (preferably in English, Hindi and the local language) comprehensible to a card user. The Most Important Terms and Conditions (MITCs) termed as standard set of conditions, as given in the Annex, should be highlighted and advertised/sent separately to the prospective customer/customers at all the stages i.e. during marketing, at the time of application, at the acceptance stage (welcome kit) and in important subsequent communications.

xxx

6. Wrongful billing

The card issuing bank/NBFC should ensure that wrong bills are not raised and issued to customers. In case, a customer protests any bill, the bank/ NBFC should provide explanation and, if necessary, documentary evidence may also be provided to the customer within a maximum period of sixty days with a spirit to amicably redress the grievances.

xxx

12. Redressal of grievances

12.1 Generally, a time limit of 60 (sixty) days may be given to the customers for referring their complaints/grievances.

12.2 The card issuing bank/NBFC should constitute Grievance Redressal machinery within the bank/NBFC and give wide publicity about it through electronic and print media. The name and contact number of designated grievance redressal officer of the bank/NBFC should be mentioned on the credit card bills. The designated officer should ensure that genuine grievances of credit card subscribers are redressed promptly without involving delay.

12.3 Banks/NBFCs should ensure that their call centre staff is trained adequately to competently handle all customer complaints.

12.4 Banks/NBFCs should also have a mechanism to escalate automatically unresolved complaints from a call center to higher authorities and the details of such mechanism should be put in public domain through their website.

12.5 The grievance redressal procedure of the bank/NBFC and the time frame fixed for responding to the complaints should be placed on the bank's website. The name, designation, address and contact number of important executives as well as the Grievance Redressal Officer of the bank/NBFC may be displayed on the website. There should be a system of acknowledging customers' complaints for follow up, such as complaint number/docket number, even if the complaints are received on phone.

12.6 If a complainant does not get satisfactory response from the bank/NBFC which is a subsidiary of a bank within a maximum period of thirty (30) days from the date of his lodging the complaint, he will have the option to approach the Office of the concerned Banking Ombudsman for redressal of his grievance/s. The bank/NBFC, which is a subsidiary of a bank, shall be liable to compensate the complainant for the loss of his time, expenses, financial loss as well as for the harassment and mental anguish suffered by him for the fault of the bank and where the grievance has not been redressed in time.

13. Internal control and monitoring systems

With a view to ensuring that the quality of customer service is ensured on an on-going basis in banks/NBFCs, the Standing Committee on Customer Service in each bank/NBFC should review the credit card operations including reports of defaulters to a Credit Information Company which has obtained Certificate of Registration from RBI and of which the bank/NBFC is a member and credit card related complaints on a monthly basis and take measures to improve the services and ensure the orderly growth in the credit card operations. Banks should put up detailed quarterly analysis of credit card related complaints to their Top Management. Card issuing banks should have in place a suitable monitoring mechanism to randomly check the genuineness of merchant transactions. Banks should prepare and place before their Boards/Management Committee a comprehensive Review Report on credit card business on half-yearly basis as at the end of September and March of each accounting year, which should cover essential data on credit card business, such as category and number of cards issued and outstanding, number of active cards, average turnover per card, number of establishments covered, average time taken for recovery of dues from the card holders, debts classified as NPAs and provisions held there-against or amounts written off, details of frauds on credit cards, steps taken to recover the dues, profitability analysis of the business, etc.

14. Fraud control-security and other measures

14.1 Banks/NBFCs should set up internal control systems to combat frauds and actively participate in fraud prevention committees/ task forces which formulate laws to prevent frauds and take proactive fraud control and enforcement measures.

14.2 With a view to reducing the instances of misuse of lost/stolen cards, it is recommended to banks/NBFCs that they may consider issuing (i) cards with photographs of the cardholder; (ii) cards with PIN; and (iii) signature laminated cards or any other advanced methods that may evolve from time to time.

14.3 Banks may ensure that they put in place the various security and risk mitigation measures for usage of cards and electronic payment transactions, issued by Department of Payment and Settlement Systems, Reserve Bank of India from time to time.

14.4 Banks are advised to block a lost card immediately on being informed by the customer and formalities, if any, including lodging of FIR can follow within a reasonable period.

14.5 Banks may consider introducing, at the option of the customers, an insurance cover to take care of the liabilities arising out of lost cards. In other words, only those cardholders who are ready to bear the cost of the premium should be provided an appropriate insurance cover in respect of lost cards.”

10.       The Respondent-Complainant on the other hand has categorically denied having done such a transaction, stating that said transaction pertains to some donation to ‘Kerrie Anne Swartz’, with whom the Respondent has no relation, whatsoever, and that his card has been misused in some online transaction which is on account of some security lapse on part of Petitioner. After careful consideration of all the facts and circumstances of the case, we do not see any reason to disbelieve the contentions of the Respondent-Complainant. Even if there is no specific security lapse or contributory negligence on the part of Petitioner, there is no negligence/contributory negligence on the part of Respondent-Complainant too. Hence, in our view, no liability can be fastened on to the Respondent-Complainant for the transaction in question and the Petitioner has to bear the liability with respect to transaction in question. Even the RBI guidelines referred to above state that even when there is a third party breach where deficiency lies neither with the Bank nor with the customer but lies elsewhere in the system, and the customer notifies the Bank within three working days of receiving the communication from the Bank regarding the unauthorised transaction, there will be a zero liability of the customer. In the present case, the Respondent-Complainant, immediately on getting the SMS about the transaction, reported it to the Bank as fraudulent transaction and raised a dispute regarding the said transaction. In view of the foregoing, we are in agreement with the concurrent findings of the fora(s) below and find no reason to interfere with the orders of the State Commission, except with the orders of the State Commission in para 10 of its orders regarding disbursement of statutory deposit of Rs.25,000/- by the Petitioner herein to the Respondent-Complainant, as once the order of the District Forum is upheld and appeal is dismissed, what the Respondent-Complainant is entitled to is only the amount awarded by the District Forum. There is no justification in allowing Rs.25,000/- to Respondent-Complainant over and above the amount granted by the District Forum. Hence, to this extent, order of the State Commission is modified and its order in para 10 is set aside. Order of the District Forum is upheld as it is. If the decretal amount as per District Forum’s order has already been paid by the Petitioner herein to Respondent herein, statutory deposit of Rs.25,000/- shall be refunded to the Petitioner herein. If amount has not been paid yet, the statutory deposit of Rs.25,000/- shall be adjusted towards decretal amount. Accordingly, RP is disposed off subject to above stated modification to the orders of the State Commission.

11.       The pending IAs in the case, if any, also stand disposed off.