Court upholds RBI guidelines on customer protection, finds bank liable for unauthorized electronic transactions due to SIM swap, directs refund with interest
In a landmark judgment delivered on April 6, 2026, the Bombay High Court (Division Bench comprising Justices Bharati Dangre and Manjusha Deshpande) ordered HDFC Bank Ltd. to refund Rs. 38,04,000 to Mr. Subodh C. Korde, a victim of a sophisticated cyber fraud involving SIM swapping. The Court held that the bank failed to prove any negligence on the part of the customer and violated the Reserve Bank of India's (RBI) mandatory circular on limiting customer liability in unauthorized electronic banking transactions.
The petitioner, a business consultant, maintained two accounts with HDFC Bank. In July 2021, unknown fraudsters added three beneficiaries to his accounts without his consent and enhanced his third-party transfer (TPT) limit from Rs. 4 lakh to Rs. 40 lakh. Subsequently, Rs. 38.04 lakh was transferred through eight unauthorized transactions within 41 minutes. The petitioner never received the OTPs or alerts due to SIM swapping, which was confirmed by Bharat Sanchar Nigam Limited (BSNL), his telecom service provider. BSNL’s investigation revealed multiple unauthorized SIM replacements on his mobile number shortly before the fraudulent transactions.
HDFC Bank’s internal investigation found that the disputed transactions originated from IP addresses different from those used by the petitioner and that the bank’s risk-based fraud detection system flagged the suspicious activities but did not block them. The bank denied liability, alleging breach of confidential information by the petitioner, and claimed that OTPs were duly sent, relying on logs prepared by third-party vendors. However, the petitioner contended that he never received the OTPs or SMS alerts and promptly reported the fraud to the bank and police.
The Court analyzed the RBI Circular dated July 6, 2017, which mandates that banks adopt robust fraud detection mechanisms and send timely alerts, and which limits customer liability in unauthorized transactions unless negligence by the customer is proved. The Circular also requires banks to reverse unauthorized debits within 10 working days of complaint and compensate the customer.
Addressing the bank’s preliminary objection regarding maintainability of the writ petition against a private scheduled bank, the Court referred to Supreme Court precedents clarifying that writ jurisdiction under Article 226 of the Constitution extends to private bodies performing public functions or statutory duties. Since scheduled banks like HDFC are regulated by RBI and bound by its directions to protect customers, the Court held that writ jurisdiction is maintainable.
On merits, the Court found that the petitioner was not negligent, as there was no evidence he shared OTPs or passwords. The SIM swapping technique, used by criminals to impersonate the subscriber and intercept OTPs, was recognized as a serious cybercrime by the Ministry of Home Affairs, and telecom regulations require strict verification for SIM replacements. The Court observed that the bank failed to prove delivery of OTPs or alerts to the petitioner and that the bank’s risk system failed to prevent the fraud despite alerts.
The Court held that the petitioner falls under the “zero liability” category of the RBI circular since the fraud was due to third-party breach, the petitioner promptly reported it, and there was no negligence on his part. Accordingly, the bank was directed to refund Rs. 38.04 lakh with interest at 6% per annum within eight weeks. Failure to comply would attract interest at 8% per annum. The judgment underscores the responsibility of banks and telecom operators to safeguard customers and ensure timely redressal in cases of cyber fraud.
This ruling aligns with earlier decisions from various High Courts and the Supreme Court emphasizing customer protection under RBI guidelines and the liability of banks in unauthorized electronic transactions arising from cybercrimes like SIM swapping.
Bottom Line:
Cyber fraud - Unauthorized electronic banking transactions resulting in debit of customer's account - Liability of bank to reverse amount - Customer not negligent - SIM swapping leading to fraud - Bank failed to prove customer negligence - RBI Circular dated 06/07/2017 on customer protection and limiting liability binding on banks - Bank's deficiency in service - Writ petition maintainable against scheduled bank - Bank directed to refund amount with interest.
Statutory provision(s): Article 226 of the Constitution of India, Reserve Bank of India Act, 1934 (Section 42, Section 58(2)(o)), Banking Regulation Act, 1949 (Section 35A), Information Technology Act (Sections 66(C), 66(D)), RBI Circular dated 06/07/2017 on Customer Protection - Limiting Liability of Customers in Unauthorized Electronic Banking Transactions
Subodh C. Korde v. Union of India, (Bombay)(DB) : Law Finder Doc id # 2880754