DISTRICT CONSUMER DISPUTES REDRESSAL COMMISSION ERNAKULAM
Dated this the 25th day of November, 2023.
Filed on: 18/11/2020
PRESENT
Shri.D.B.Binu President
Shri.V.Ramachandran Member Smt.Sreevidhia.T.N Member
C. C. No. 380/2020
COMPLAINANT
Aliyar T .M., S/o. Muhammed Thadathikudiyil House, Puthuppady P.O Perumattonm, Muvattupuzha-686673.
(Rep. by Adv. Tom Joseph, Court Road, Muvattupuzha 686661)
VS
OPPOSITE PARTIY
M/s SBI Cards & Payment Services Ltd., DLF Infinity Towers, Tower C, 12th Floor, Block 2, Building 3, DLF Cyber City, Gurgaon-122002. Rep. by its Managing Director.
(Rep. by Adv. Jithesh Menon & Mahesh kumar P.G., No. 79, DD Oceano Mall, Marine Drive, Ernakulam 682011)
F I N A L O R D E R
D.B. Binu, President:
1. A brief statement of facts of this complaint is as stated below:
The complaint was filed under Section 35 of the Consumer Protection Act, 2019. According to the complaint's stated facts, the complaint holds an SBI credit card with the number 4377487814278350 and a credit limit of Rs.1,32,000/-. However, despite having a balance of Rs.39,000/- in the credit card account on October 17, 2020, an unauthorized withdrawal of Rs.39,507/- occurred from the complainant's credit card account. It's worth noting that the complainant did not opt for an over-limit transaction, and therefore, the opposite party had an obligation to reject the transaction. On the same day, the complainant received three phone calls from the following mobile numbers: +9178730994153, +911243501012, and 18601801295. Since one of these calls appeared to be from SBI, the complainant provided his card number. Subsequently, an amount exceeding the credit limit was fraudulently withdrawn from his account. The opposite party had a responsibility to establish a secure electronic banking system to prevent any unauthorized activities causing financial loss to customers. Their failure to safeguard the complainant from the unauthorized withdrawal of funds beyond the credit limit constitutes a service deficiency on their part. The complainant is entitled to recover the sum of Rs. 39,507/- that was fraudulently withdrawn from his account, along with interest from the date of the loss until recovery. Additionally, he is eligible for compensation of Rs. 20,000/- to address the mental distress, hardships, and financial losses he endured as a result of the deliberate omission on the part of the opposite party.
2). Notice
The Commission issued a notice to the opposite party, which was duly received by them. The opposite party submitted their version.
3). VERSION OF THE OPPOSITE PARTY.
The alleged transaction of Rs.39,507/- occurred because the complainant himself shared his card number and OTP, and he cannot now deny liability. The negligence lies solely with the complainant, and there is no deficiency in service or negligence on the part of the opposite party that justifies this complaint.
The opposite party acknowledges that the complainant was issued a credit card on 11-08-2018 and was using it regularly. The complainant admits to receiving phone calls and providing his card number to the caller. An amount of Rs.39,507/- was withdrawn from the complainant's credit card, and this withdrawal was clearly a result of the complainant sharing his card details and OTP with an unknown caller. The claim that one of the calls was from the opposite party is incorrect and misleading. In fact, the opposite party had informed its customers through various channels not to share personal information, including OTP, with anyone, even when received on their registered mobile number. Despite this warning, the complainant shared his card information with an anonymous caller, leading to the misuse of his card. This is a clear case of negligence on the part of the cardholder.
The opposite party cites the Reserve Bank of India's master circular dated 06/07/2017, which states that customers are liable for losses due to unauthorized transactions resulting from their negligence, such as sharing payment credentials. According to this circular, the customer is responsible for the entire loss until reporting the unauthorized transaction to the bank. Any loss occurring after reporting the unauthorized transaction is the bank's responsibility.
Therefore, the complainant is not entitled to challenge the charge of Rs.39,507/- on his card after willingly sharing his card information and aiding in the completion of the transaction. The circular from the Reserve Bank of India clearly places the liability on the customer in cases of negligence involving payment credentials. As there is no deficiency in service on the part of the opposite party, this complaint should not be entertained and should be dismissed with costs.
3) . Evidence
The complainant had filed the proof affidavit and 1 document that was marked as Exhibit-A-1 series.
Exhibit-A-1 series.: True copies of the communications received from the opposite party.
The opposite party had filed the proof affidavit and 2 documents that was marked as Exhibit-A-1 to A-2.
Exhibit-B-1: True copy of the mail communication sent to the complainant by the opposite party.
Exhibit-B-2: True copy of the Master Circular dated 06.07.2017 issued by The Reserve Bank of India.
4) The main points to be analysed in this case are as follows:
i) Whether there is any deficiency in service or unfair trade practice from the side of the opposite party to the complainant?
ii) If so, whether the complainant is entitled to get any relief from the side of the opposite party?
iii) Costs of the proceedings if any?
5) The issues mentioned above are considered together and are answered as follows:
The complainant has submitted this complaint with the aim of obtaining a declaration that he is entitled to Rs.39,507/-, along with interest, which he contends was illicitly withdrawn from his account. Additionally, he is seeking compensation for the mental distress he has endured and the expenses incurred during the legal proceedings.
We have heard from Sri. Tom Joseph, the counsel representing the complainant. The complaint is grounded in a violation of the Consumer Protection Act. It involves a complainant who is an SBI credit card holder with a specified credit limit. On a particular date, a sum greater than the available balance was fraudulently withdrawn from their account. The complainant had not opted for an over-the-credit limit, which typically obligates the bank to decline transactions exceeding this limit. On the day of the incident, the complainant received several phone calls, one purportedly from SBI, which led to the disclosure of the card number. Subsequently, a withdrawal exceeding the credit limit occurred. The core of the argument is that the bank's failure to ensure a secure banking environment, resulting in unauthorized transactions, constitutes a service deficiency. The complainant seeks compensation for the amount wrongfully withdrawn, including interest from the loss date, and additional compensation for mental anguish, hardship, and financial loss caused by the bank's negligence.
The State Bank of India Vs P.V.George (Kerala High Court, 9th January 2019, RSA 1087 of 2018) will be a landmark judgement on determining liabilities in Digital Banking frauds. In a highly significant verdict, Kerala High Court has ruled that even when the Customer does not respond to the SMS alerts related to a fraudulent withdrawal, the Bank cannot deny the liability on a fraudulent transaction, despite the limited liability circular of RBI.
“9. Question (i): The relationship between a bank and its customers arises out of the contracts entered into between them. Such contracts consist of general terms applicable to all transactions and also special terms applicable to the special services, if any, provided by the bank to its customers. The relationship between a bank and its customer, RSA No. 1087 of 2018 6 in so far as it relates to the money deposited in the account of a customer, is that of debtor and creditor. The contractual relationship exists between a bank and its customers are founded on customs and usages. Many of these customs and usages have been recognized by courts and it is now an accepted principle that to the extent that they have been so recognized, they are implied terms of the contracts between banks and their customers. Duties of care is an accepted implied term in the contractual relationship that exists between a bank and its customer. It is impossible to define exhaustively the duties of care owed by a bank to its customer. It depends on the nature of services extended by the bank to its customers. But one thing is certain that where a bank is providing service to its customer, it owes a duty to exercise reasonable care to protect the interests of the customer. Needless to say, that a bank owes a duty to its customers to take necessary steps to prevent unauthorised withdrawals from their accounts. As a corollary, there is no difficulty in holding that if a customer suffers loss on account of the transactions not authorised by him, the bank is liable to the customer for the said loss.”
Sri. Jithesh Menon, representing the opposite party, submitted that the transaction occurred because the complainant shared his card number and OTP, indicating negligence on his part and not a deficiency in service by the opposite party.
The opposite party acknowledges issuing a credit card to the complainant, who was a regular user. It's noted that the complainant received phone calls and shared his card details, which led to the withdrawal. The party refutes the claim that they called the complainant, highlighting their policy against asking for card details over the phone.
Regarding transactions exceeding the credit limit, it's mentioned that these are not automatically declined but incur additional charges. The specific transaction was conducted using the complainant's card at a particular website. Despite warnings against sharing card details and OTPs, the complainant ignored this advice.
The Reserve Bank of India in its master circular dated 06/07/2017 states that about the liabilities. The relevant portion is extracted below:
“Limited Liability of a Customer 7. A customer shall be liable for the loss occurring due to unauthorized transactions in the following cases: (i) In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.”
Citing the Reserve Bank of India's guidelines, the opposite party points out that customers are liable for losses due to their negligence, such as sharing payment credentials. Thus, they argue that the complainant's actions disqualify him from challenging the charge and maintain there is no service deficiency on their part. Therefore, the complaint lacks merit and should be dismissed with costs, according to the opposite party.
Honorable Justice Mr. P.B. Suresh Kumar, in his judgment, determined that the Bank is responsible for reimbursing the sum involved in the fraudulent ATM withdrawals. He dismissed all the defenses presented by the Bank and further concluded that:
“In short, there is also no difficulty in holding that if a customer suffers loss in connection with the transactions made without his junction by fraudsters, it has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, and the banks are, therefore, liable for the loss caused to their customers. All over the world, the courts are adopting the aforesaid approach to protect the interests of the customers of electronic banking.”
The above judgment highlighted several important aspects pertinent to banking, which have been consistently emphasized to various judicial authorities:
- In digital banking, the relationship between a banker and a customer remains that of a debtor and creditor, governed by their contractual agreement.
- The duty of care forms an integral, though not exhaustively defined, part of the contractual relationship between the banker and customer. This includes banks having the responsibility to exercise reasonable care in safeguarding customer interests, particularly in preventing unauthorized transactions.
- Banks are obligated to establish a secure electronic banking environment to prevent any forms of malicious activities that could lead to customer losses.
- The liability of the customer cannot be determined solely based on SMS alerts.
- Consequently, the Court upheld the decree, mandating the bank to compensate the customer, including interest and costs.
In the context of electronic banking, banks offering such services are obligated to establish a secure electronic banking environment to prevent any malicious activities that could harm their customers. This obligation arises from an implied term in the contracts between banks and their customers, requiring the banks to safeguard their customers' funds against unauthorized transactions.
In developed countries, specific statutes are in place to define the liabilities and provide enforcement mechanisms to protect bank customers. For instance, in the United States, the Electronic Funds Transfer Act governs such situations, stipulating conditions under which a consumer is liable for unauthorized electronic fund transfers. Similarly, in Canada, the Canadian Code of Practice for Consumer Debit Card Services protects consumers from liabilities arising from unauthorized card use.
In India, although there is no specific statutory provision, the Reserve Bank of India (RBI) exercises control over banks and has issued various directives. These directives instruct banks to implement systems and procedures ensuring the safety and security of electronic banking transactions, establish mechanisms for fraud detection and prevention, assess risks from unauthorized transactions, and take appropriate measures to mitigate these risks.
The RBI's circular specifically states that customers bear no liability in cases of third-party breaches where the fault does not lie with the bank or the customer, but elsewhere in the system. The only requirement for customers, as per the circular, is to promptly report any unauthorized transactions to their bank to enable account blocking. The circular serves as a reminder of the banks' responsibilities and does not create new rights or obligations.
It's important to highlight that the complainant did not choose to engage in an over-limit transaction, which places the onus on the opposite party to decline the transaction. The bank should not have approved these transactions, as they exceeded the established limit. This underscores a flaw in the technical system of the opposite party and represents a clear violation on their part.
This case was brought before the Commission under Section 35 of the Consumer Protection Act, 2019, concerning an unauthorized withdrawal from the complainant's SBI credit card account. The complainant held SBI credit card with a credit limit of Rs.1,32,000/-. On October 17, 2020, despite having a balance of Rs.39,000/- in the credit card account, an unauthorized withdrawal of Rs.39,507/- occurred. Importantly, the complainant did not initiate an over-limit transaction, making it the responsibility of the opposite party, in this case, the bank, to reject the transaction. The complainant also received phone calls from various numbers, including one that appeared to be from SBI, leading him to disclose his card number. Subsequently, an amount exceeding the credit limit was fraudulently withdrawn from his account.
The complainant asserted that the bank's failure to establish a secure electronic banking system, resulting in unauthorized withdrawals beyond the credit limit, constitutes a deficiency in service. He sought to recover the wrongfully withdrawn sum of Rs.39,507/- along with interest.
The opposite party contended that the transaction occurred because the complainant voluntarily shared his card number and OTP, indicating negligence on his part, absolving them of any service deficiency. They referenced the Reserve Bank of India's circular, which places liability on customers for losses resulting from their negligence, such as sharing payment credentials.
After a thorough examination of the facts, legal provisions, and case laws, this Commission is inclined to rule in favor of the complainant for the following reasons:
- Duty of Care: The unauthorized transaction exceeding the credit limit of the complainant's account without their consent constitutes a service deficiency on the part of the bank. The transaction should have been declined as the complainant did not opt for an over-the-limit transaction. As established in State Bank of India Vs P.V.George (Kerala High Court, 9th January 2019), banks have a duty of care towards their customers. They are obligated to exercise reasonable care to protect their customers' interests, including safeguarding them from unauthorized transactions. In this case, the bank failed in its duty to protect the complainant's interests.
- Negligence and Liability: While the opposite party argued that the complainant's negligence led to the unauthorized transaction, the Court has consistently ruled that customers should not be solely held responsible for such losses. As per the Reserve Bank of India's guidelines, customers are not liable if the fault lies elsewhere in the system. In this case, the bank's failure to prevent unauthorized transactions and secure the electronic banking environment constitutes a breach of its duty, and it cannot evade liability by shifting the blame entirely onto the customer.
In conclusion, the opposite party, the bank, failed to uphold its duty of care, resulting in unauthorized transactions beyond the credit limit. While the complainant did share his card details, this does not excuse the bank's failure to protect its customers. The complainant is eligible for significant compensation from the opposite party in this matter; however, due to their own contributory negligence, we are inclined to reduce the amount of compensation awarded. Banks must ensure secure systems to protect customers from unauthorized transactions, while customers must exercise due care in safeguarding their banking credentials. Both parties bear a measure of responsibility in preventing such incidents.
We find in favour of the complainant on Issues I to III, due to the serious service deficiency of the opposite party and unfair trade practices. The complainant has suffered considerable inconvenience, mental agony, hardship, and financial loss due to this negligence, mental agony, hardship, and financial loss.
In view of the above facts and circumstances of the case, we are of the opinion that the opposite party are liable to compensate the complainant.
Hence the prayer is allowed as follows:
- The Opposite Party shall refund Rs.39,507/- (Rupees thirty nine thousand five hundred seven only) to the complainant for the amount fraudulently withdrawn from his account due to the service deficiency and unfair trade practices of the opposite party.
- The Opposite Party shall pay Rs.20,000/- (Rupees twenty thousand only) to the complainant as compensation for the mental distress, hardships, and financial losses incurred by him due to the Opposite Party's negligence.
- The Opposite Party shall also pay Rs.15,000/- (Rupees fifteen thousand only) to the complainant towards the cost of the proceedings.
The Opposite Party shall be liable for the aforementioned directives and must adhere to them within 30 days of receiving this order. Failure to comply with the directives outlined in (i) and (ii) above will result in the accrual of interest at a rate of 9% per annum. Interest will be calculated from the date of payment until the directives are fully implemented, and from the date of the loss of the amount from the account on October 17, 2020, until recovery.
Pronounced in the Open Commission on this the 25th day of November, 2023
Sd/-
D.B.Binu, President
Sd/-
V.Ramachandran, Member
Sd/-
Sreevidhia.T.N, Member
Forwarded/By Order
Assistant Registrar
Appendix
Complainant’s Evidence
Exhibit-A-1 series.: True copies of the communications received from the opposite party.
Opposite party’s Exhibits
Exhibit-B-1: True copy of the mail communication sent to the complainant by the opposite party.
Exhibit-B-2: True copy of the Master Circular dated 06.07.2017 issued by The Reserve Bank of India.
Registrar
Despatch date:
By hand: By post
kp/
CC No. 380/2020
Order Date: 25/11/2023
