ORDER

Hon’ble Mr. Dinesh Singh, Presiding Member

1. This Appeal has been filed under Section 19 of The Consumer Protection Act, 1986, hereinafter referred to as the ‘Act’, impugning the Order dated 19.12.2014 in C.C. No. 45 of 2010 passed by The State Consumer Disputes Redressal Commission, Punjab, hereinafter referred to as the ‘State Commission’. The Appellants herein, Punjab National Bank, were the Opposite Parties before the State Commission, and are hereinafter being referred to as the ‘Bank’. The Respondent herein, Leader Valves Ltd., was the Complainant before the State Commission, and is hereinafter being referred to as the ‘Complainant’.

2. Heard learned Counsel for the Bank and the Complainant, and perused the material on record including inter alia the impugned Order dated 19.12.2014 of the State Commission and the Memorandum of Appeal.

3. The short point for consideration is whether the Bank is liable for unauthorized transactions made in the Complainant’s accounts when the Complainant / account-holder was not at fault and when the Complainant / account-holder brought the unauthorized transactions to the Bank’s notice without undue delay.

4. The facts have been succinctly articulated by the State Commission in paras 1 to 3 of its Order of 19.12.2014. The same are reproduced below:

The complainant has availed the following cash credit facilities from the OP bank for the below mentioned accounts:-

| | | |
|---|---|---|
| a) | c/c ABC Account | Rs. 100 lacs |
| b) | c/c Hypothecation Account | Rs. 900 lacs |
| c) | c/c Book Debt Account | Rs. 300 lacs |
| | Total Ceiling for a) to c) | Rs. 900 lacs |

2. Out of the three accounts, he was entitled to operate only hypothecation account and for this he was issued I.D. and Password. Whereas the other two accounts were for strict operation of the opposite parties alone upon which the complainant had no functional control. In the ABC account, the limit was Rs. 1 crore to be used against bill sent for collection. The complainant has been using the facility of e-banking and immediately after receiving the password, he had changed his accounts’ password and had been changing it almost every month.

3. It was further alleged that on 25.1.2010, the complainant was astonished to discover that someone had made an unauthorized transfer of a sum of Rs. 40 lacs by debiting to C/c Book Debt Account No. 3513008700036013 for which the complainant had no functional control and was credited in some other account of the opposite parties. This was immediately intimated to the opposite party and due to timely action on behalf of the complainant, the amount was traced. He further discovered that another amount of Rs. 26,48,500/- was illegally mis-appropriated from ABC Account No. 3513008700032345 of the complainant over which he had no functional control. The Ops gave reply to the complainant stating that the mis-appropriation was a result of mis-use of password provided for which they were not responsible. On the advice of the Ops, FIR was got lodged with the concerned Police Station. After this incident, they were intimated that same password was used for the operation of these two accounts. The complainant was further informed that these accounts have been frozen. On that date a sum of Rs.10,87,737/- was outstanding but withdrawals continued till 5.3.2010 by use of ATM and these withdrawals were not possible except with the tacit connivance of the opposite party and its officials. Then opposite party apprised the complainant of the IP Addresses, which were traced back to US from which the amount has been mis-appropriated.
The complainant also intimated the Ops of the attempted withdrawals of Rs. 20 lacs from Delhi Branch and similar attempt was made from Bareilly Branch. Then the complainant wrote a letter dated 25.2.2010 to Regional Director of the Reserve Bank of India intimating about the inaction on behalf of the Ops. The complainant had also engaged a private net security agency to assist in locating the culprits and the same net security agency had already intimated to the Ops about the presence of malware in their website. In spite of warning, the opposite parties had failed to take any effective steps, which was entirely the responsibility of the bank. Then vide letter dated 11.3.2010, the complainant asked for CCTV footage and addresses of various ATM locations from where the withdrawals were made. However, the opposite parties vide their letter dated 12.3.2010 expressed its inability. Although the complainant received a mail from US Company from which IP addresses had been traced and the Company advised the complainant to pursue domestic legal resources. He lodged a complaint against the opposite party before Banking Ombudsman Scheme, 2006 of the RBI. However, the said authority refused to entertain the complaint under Section 13(C) of the scheme on 28.4.2010 as it was a complex complaint. The Ops have failed to secure their internet banking to follow the National Electronic Fund Transfer (NEFT) procedural guidelines issued by the RBI under Payment and Settlement System Act, 2007. They also failed to observe and fulfill its obligation under the Internet Banking Guidelines, 2001 of RBI. They also failed to comply with the procedural guidelines issued by its own IT Audit Cell at New Delhi vide Circular No. 6/2010 dated 18.1.2010. Out of the mis-appropriated amount of Rs.26,48,500/- only a sum of Rs.2,79,018/- was recovered.
Hence, the complaint has been filed for refunding a sum of Rs.23,69,482/- along with interest @12% for harassment and agony caused to the complainant, compensation of Rs. 10 lacs and cost of litigation of Rs. 1 lac, total Rs. 34,69,432/- on account of deficiency in services on the part of the Ops.

5. The State Commission vide its Order dated 19.12.2014 allowed the Complaint on contest. Extracts of the appraisal made by the State Commission are reproduced below for ready appreciation:

17. The persons in whose accounts the amount has been transferred are all account holders of the Ops. Its intimation was given by the complainant to the Op Bank in his first letter dated 25.1.2010, out of which a sum of Rs. 2,79,018/- has been received whereas the Ops in para No. 20 of their reply on merits have stated that a sum of Rs. 3,23,461/- was recovered. However, no specific document has been filed by the Ops to corroborate that a sum of Rs.3,23,461/- has been got recovered by the bank. Whereas one document has been placed on the record as Ex. R-2, it is an appeal against the decision of the Banking Ombudsman, Ahmedabad by Sh. Asbhishek Jain vide complaint No. 1045/AT/2009-2010 and recovered a sum of Rs. 83,000/, therefore, in the absence of any specific evidence, which will be treated that only a sum of Rs. 2,79,018/- as alleged by the complainant was got recovered back.

18. Another point has been taken by the complainant that withdrawals were made from his account even after 25.1.2010 after freezing of the account. Whereas plea of the Op is that the transactions were affected upto 25.1.2010 but due to system failure these were reflected in the month of March. It seems to be correct because on 25.1.2010, he had made a report that a sum of Rs. 26,48,500/- was withdrawn from his ABC A/c No. 3513008700032345 and it is the same amount which he is alleged to be taken away from his account, which shows that after 25.1.2010 no amount was taken away from this account, although entries in his statement of account have been reflected after that date.

19. The next question arises what is the role of the Bank to protect the money of his account holders? In case the Internet account of the complainant has been hacked, the complainant as referred above had given the intimation on 25.1.2010 at 6.30 p.m. and immediately thereafter, the Bank was able to recover Rs. 40 lacs as referred above, which shows that the complaint filed by the complainant was genuine and out of the remaining amount of Rs. 26,48,500/- a sum of Rs. 2,79,018/- was also recovered.

20. Now we have to see whether the bank was quite serious for the recovery of the remaining amount and had utilized all his resources to recover that amount or whether the accounts of the beneficiaries in which the amount was transferred from the account of the complainant were frozen or orders were passed to recover the said amount from those accounts. List of accounts to which the amount has been transferred are at Serial No. 1 to 95 and it gives the details of entire amount of Rs.26,48,500/-. The perusal of the list will further reveal that all the account holders are of Punjab National Bank having their account in various branches throughout India. The OP bank had checked the accounts of the complainant on 25.1.2010, therefore, they were able to get back a sum of Rs. 40 lacs, which was a major amount from two account holders. Similarly on the same day, they had come to know where the money was transferred and in case all the persons in whose name money was transferred were the account holders of the OP Bank then certainly, their accounts could be frozen on the same day so that they were unable to withdraw the money from their respective accounts.

21. Now we have to see whether any such effort has been made by the Bank? The abovesaid data reveals that various transfers have been made by the account holders to which the money was transferred from the account of the complainant after 25.1.2010. In case proper inquiry would have been made through their Branch Offices and immediately those accounts were frozen then account holders would not have been able to withdraw this amount and this amount could be again transferred to the account of the complainant. Amount has not been recovered by the Ops on account of their own deficiency in not freezing the accounts of the account holders to which the amount of the complainant was transferred. Then there is report of Inspection Audit Division IT Audit Cell, Head Office New Delhi Ex. C-21 wherein it has been observed that recently spurt in fraudulent transactions has been observed through Internet Banking Channel by way of phishing attacks and role of the branch where the fraudulent credit had gone has been referred as under:-

i. Verify if the account is debit frozen and ATM/Debit Card issued in the account is hot listed. If not, get it immediately frozen/hot listed.

ii. Verify that the accounts are KYC compliant/duly introduced and the operations in the account are satisfactory. Even if the account is KYC compliant, the branch to examine as to whether the a/c is being used as a mule a/c for fraudulent transactions. Contact the customer/introducer and impress upon for recovery of amount withdrawn.

iii. If the branch is unable to contact the customer/introducer within three days, issue registered notices (draft of the notice at Annexure B) to the customer(s) as to why the amount so transferred and subsequently debit frozen, if any in the account be not refunded to its true owner and if it is not contended within a week’s time, the amount should be credited back to the true owner’s account after obtaining approval from TBD HO.

iv. If the amount has been withdrawn by the customer and no response is received from the beneficiary customer in one week, lodge FIR against the beneficiary (draft FIR as Annexure C) with local police office (cyber crime cell of local police, if available) within 10 days of report of such incident and follow up the case for recovery of the amount fraudulently withdrawn.

v. Obtain a copy of the FIR so lodged by the complainant along with copy of his complaint from the concerned branch on basis thereof, FIR be filed.

vi. Submit the details of action taken so far to FPIS HO, Customer Care Division HO, Transaction Banking Division HO and Cyber Crime Cell, ITD HO latest by 10th day of reporting of this fraud by FAX/email.

vii. Copy of FIR also be sent to respective Circle Office and Cyber Crime Cell at ITD: HO and it is to be ensured that FIR is lodged within 10 days of the suspected fraudulent transactions.”

22. However, the Ops have not placed on the record any report of the Branch Offices where the fraudulent credit had gone because their accounts/ATM have not been frozen and they continue to withdraw the amount, their identity on the basis of KYC forms have not been examined and the role of the person, who identified the account holder. No efforts were made to recover the amount from the account holders, who had withdrawn the money before 25.1.2010. In case efforts would have been taken to a great extent the amount transferred in the account of the various account holders in a fraudulent manner could have been recovered.

23. Whether there was malware in the website of the opposite party. For that a reference can be made to the letter Ex. C-11 wherein one Saumil Shah had addressed to the OP Bank that PNB website serving malware and rootkits and it was observed that their Computer was infected with a rootkit and Trojan. After this information some efforts were made by the Ops bank to check the malware.
They have placed on the record the report of the Paladion, who was the service provider of Internet Banking Website of the Op Bank, who has given a certificate that during the scanning of the above mentioned websites i.e. (1) www.pnbindia.in (2) www.pnbindia.com (3) www.internetbanking.netpnb (4) www.netpnbcom from 17.1.2010 to 31.1.2010. They did not observe the presence of the malware. Moreover this Saumil Shah had no locus-standi to write any letter. Merely on the letter written by Saumil Shah Ex. C-11 we cannot give definite findings that the website of the Ops were having malware but certainly, they were on the target i.e. the reason that a huge amount has been transferred from this account and then there is phishing report, abusive IP addresses attention stating that the Paladion Internet services, which have committed crime and have made fraudulent transactions from Indian Bank Accounts by hacking into net banking accounts of the PNB and transferred about 1,45,000 US$ value from the accounts and logs of the account. Then a reference has also been made to the judgment dated 12.4.2010 in Petition No. 2462 of 2008 before Adjudicating Officers of Judicature at Chennai wherein it was observed that in case, if any person without permission of the owner or any other person, who is incharge of the Computer had access to such Computer, if attracts the offence under Section 43 & 85 of the IT Act. It was further observed that the Banking Code and Standard Mode of India which had set the minimum standard for banking practices with customers to be followed has incorporated in its model code that clearly implies that a bank may wish to investigate transactions and Police Involvement and Customer’s Involvement are anticipated in such a situation and CCTV clippings and video clipping that contained images of the individuals, who had committed a fraud could be helpful. 
Here also the complainant had asked for CCTV footage from the branches from where the amount was withdrawn but no such information was provided by the OP bank to the complainant, therefore, whatever help the Op Bank can provide to get back the amount from the concerned un-authorised persons has not been provided by the Op Bank. Therefore, the website of the Op Banks was vulnerable. Even if for the sake of arguments, it is taken that the OP Bank cannot anticipate the hacking of the accounts of the complainant but its role as discussed above after the incident and timely information about the hacking of the complainant’s account is under question and is not up to the mark. As stated above in case adequate steps would have been taken the matter would have been investigated then a major amount could have been received back in the account of the complainant, therefore, we are of the opinion that certainly, there was deficiency in services on the part of the Ops.

24. In view of the above discussion, we accept the complaint with a direction to the Ops to refund Rs.23,69,482/- along with interest @9% per annum from the date of withdrawal till the date of payment; compensation of Rs. 1 lac and Rs. 21,000/- as litigation expenses.

(emphasis supplied) (paras 17,18,19,20,21,22,23 and 24 of the State Commission’s Order)

6. It is an admitted fact that the Complainant was availing cash credit limit on three accounts, c/c ABC account, c/c Hypothecation account and c/c Book Debt account.

7. It is well evinced that on 25.01.2010 unauthorized transfer of a sum of Rs. 40 lakh was made by debiting the Complainant’s c/c Book Debt account. The said sum of Rs. 40 lakh was credited in some other accounts maintained with the same Bank. On timely intimation by the Complainant, the unauthorized transfer was detected, the accounts to which the said sum of Rs. 40 lakh was wrongly credited were identified, the erroneous entries were reversed, and, as such, except for time and trouble, the Complainant was not put to pecuniary loss or injury.

8. It is also well evinced that on 25.01.2010 another sum of Rs. 26,48,500/- was unauthorizedly transferred from the Complainant’s c/c ABC account. The said sum was credited in some other accounts maintained with the same Bank. Again on timely intimation by the Complainant, the unauthorized transfer was detected, the accounts to which the said sum of Rs. 26,48,500/- were wrongly credited were identified. The erroneous entries in respect of Rs. 2,79,018/- were reversed, and, as such, except for time and trouble, the Complainant was not put to pecuniary loss or injury in respect of the said sum of Rs. 2,79,018/-. The residual sum of Rs.26,48,500 (-) Rs.2,79,018 = Rs.23,69,482/- could not be recovered, the erroneous entries in respect of the said Rs. 23,69,482/- were not reversed, and, as such, in addition to time and trouble, the Complainant was put to pecuniary loss and injury in respect of the said sum of Rs. 23,69,482/-.

9. In such proven facts, the State Commission ordered that an amount of Rs.23,69,482/- be refunded with interest at the rate of 9% per annum from the date of withdrawal till the date of payment along with compensation of Rs. 1 lakh and cost of litigation of Rs. 21,000/-.

10. The State Commission has passed a well-appraised and well-reasoned Order. Extracts of its appraisal, quoted in para 5 above, are, in particular, noteworthy. Its Award, quoted in para 9 above, is just and equitable.

11. The first fundamental question that arises is whether the Bank is responsible for an unauthorized transfer occasioned by an act of malfeasance on the part of functionaries of the Bank or by an act of malfeasance by any other person (except the Complainant / account-holder). The answer, straightaway, is in the affirmative.
If an account is maintained by the Bank, the Bank itself is responsible for its safety and security. Any systemic failure, whether by malfeasance on the part of its functionaries or by any other person (except the consumer / account-holder), is its responsibility, and not of the consumer.

12. The second fundamental question that arises is whether the Bank is responsible for an unauthorized transfer due to any virus or hacking in the Bank’s computerized system. The answer, straightaway, to this question also is in the affirmative. If an account is maintained by the Bank, the Bank itself is responsible for its safety and security. Any systemic failure, due to any virus or hacking in its computerized system, is its responsibility, and not of the consumer.

13. It is seen that the Complainant, on his part, had been diligent and dutiful in bringing the unauthorized transfers to the notice of the Bank without undue delay, he brought the unauthorized transactions to the Bank’s notice the same day, in the evening, on checking his accounts. His responsibility ended there, and the Bank’s responsibility started, it was the Bank’s responsibility to identify the systemic failure, remedy the pecuniary loss and injury to the Complainant.

14. It is seen that the Complainant (i) had to register an FIR with the Police, (ii) was not provided CCTV footage by the Bank, (iii) had to engage the services of a private net security agency, etc. That is to say, the Complainant was put to unwarranted and undue trouble and prejudice, in effect, the burden was put on him to either resolve the Bank’s deficient act, or, if not being so successful, to live with it.

15. There is nothing on record to show that inquiry was conducted by the Bank to identify the man-made or systems’ failure, or to fix responsibility, etc., when, Rs. 40 lakh + Rs. 2,79,018/- were unauthorizedly transferred and then recovered, and, when Rs. 23,69,482/- were unauthorizedly transferred and could not be recovered.

16. There is nothing on record to show that the Complainant had himself made the concerned transfers, and that his averments of unauthorized transfers were malafide, an attempt at fraud, etc. Had it been so, the account-holders, in whose accounts the said sum of Rs. 40 lakh + Rs. 26,48,500/- had been transferred, and from whose accounts it was then recovered, would have come forth to agitate / object. None came forth. The Complainant lodged an FIR with the Police. The Police did not (repeat not) file any report under Section 177 of the I.P.C. (Furnishing false information) etc. The bonafide of the Complainant does not come under question.

17. It was not for the Complainant to show whether the Bank’s computerized system was affected by malware or any other virus, it was the Bank’s job to keep its system clean and functional. It was not for the Complainant to show that hacking had been undertaken, it was the Bank’s job to keep its system safe and secure. It was not for the Complainant to show malfeasance on the part of the Bank’s functionaries or of any other person, it was the Bank’s job to take the necessary action and to remedy the pecuniary loss and injury to the Complainant in case of malfeasance on the part of its functionaries or of any other person.

18. The Bank’s contentions suffer from irrationalities and inner-inconsistencies. It first argues that the Complainant himself had access to operate the concerned accounts, when, access or no access, it is not the Bank’s case that the Complainant had himself made or authorized the said transactions, nowhere does the Bank argue that the Complainant himself was indulging in malfeasance or attempting fraud etc. It then argues that it recovered Rs. 40 lakh + Rs. 2,79,018/- and reversed the erroneous entries. That being so, the factum of the transactions being erroneous stands accepted by the Bank. It then further argues that non-recovery of the residual Rs. 26,48,500 (-) Rs. 2,79,018 = Rs. 23,69,482/- is not its responsibility. This is an out-and-out erroneous contention, brazenly professed, an index of a misplaced notion of non-accountability. It is not the Bank’s case that the Complainant committed fraud. The fraud being advocated by the Bank relates to its other account-holders in whose accounts the erroneous credits were made by the Bank and from whose accounts they could not be recovered. Qua the Complainant, the case is simple and straight, the Bank did not keep his accounts safe and secure, did not remedy the erroneous transfers on being diligently and dutifully so intimated by the Complainant.

19. Rather than immediate remedy and apology, the Bank preferred an illogical nebulous proposition that if it could trace the unauthorized transactions and reverse the entries, so far so good, else, it was the Complainant’s risk and cost, whether it was a man-made or systems’ failure is inconsequential, whether the Complainant was not at fault is inconsequential, whether the Bank was at fault is inconsequential, the Bank has no responsibility, no accountability, the Bank is under no obligation to remedy the Complainant’s pecuniary loss and injury. The entire spectrum of the Bank’s acts, seen in the totality of the examination made by the State Commission and the critique made hereinabove by this Commission, in addition to being deficient within the meaning of Section 2(1)(g) & (o), is also unfair and deceptive as to unquestionably qualify to be ‘unfair trade practice’ within the meaning of Section 2(1)(r) of the Act. In respect of ‘unfair trade practice’, it may be noted that it is a specific provision unique to The Consumer Protection Act, 1986. Section 2(1)(r) says of “a trade practice which, for the purpose of promoting the sale, use or supply of any goods or for the provision of any service, adopts any unfair method or unfair or deceptive practice including any of the following practices, namely:-”.
The list provided in Section 2(1)(r) is illustrative and not comprehensive. That is to say, an unfair method or unfair or deceptive practice, as is judiciously determined, on facts and reasons, on fair and objective appraisal of the evidence and material on record, would qualify as ‘unfair trade practice’ within the meaning of Section 2(1)(r).

20. The Appeal, being patently bereft of merit, is dismissed. The Award made by the State Commission in respect of ‘deficiency in service’ is confirmed.

21. In respect of the ingredients of ‘unfair trade practice’, which are well and truly evinced, the Bank, through its Chief Executive, is put to stern advice of caution by imposition of cost of Rs. 1,00,000/- (rupees one lakh), to be deposited with the Consumer Legal Aid Account of the State Commission, within four weeks of the pronouncement of this Order. Its Chief Executive is also advised to conduct inquiry to fix responsibility as also to imbibe systemic improvements to avert such deficiency and unfairness in future qua ‘consumers’ in general. It will be open for the Bank to recover the amount of the Award made by the State Commission and the cost imposed herein by this Commission from its functionaries responsible and/or from the persons/account-holders etc. responsible.

22. The amount deposited by the Bank with the State Commission in compliance of this Commission’s Order dated 19.02.2015, along with interest, if any, accrued thereon, shall be utilized by the State Commission, as per the due procedure, towards satisfaction of its Award and of the cost imposed herein (refer para 20 and 21 above).

23. A copy each of this Order be sent by the Registry to the State Commission, to the Chief Executive of the Bank, the Appellant herein, and to the Complainant, the Respondent herein, within three days of its pronouncement.