Who is liable when an OTP-secured transaction turns into fraud?


  • The judgment on OTP-secured transaction fraud can be accessed here.

The Delhi High Court has held that a customer’s mere denial of sharing a One Time Password (OTP) cannot automatically fasten liability on a bank for an unauthorised transaction. A division bench of Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia set aside a single judge order that had directed the State Bank of India (SBI) to refund Rs 2.60 lakh to a customer whom fraudsters had defrauded through internet banking.

What this means for defrauded customers:

  • If a customer clicks a suspicious link and loses money, a bare denial of sharing the OTP will likely not help them recover it from the bank. The court treated the act of clicking the link as negligence, which, under RBI rules, places the full loss on the customer.
  • To shift liability back to the bank, the customer must forensically prove that the breach occurred in the bank’s systems, which means producing technical evidence like transaction logs, IP records, or proof of malware, the very material a customer rarely holds.

How liability falls across different fraud types: The outcome shifts sharply depending on how the fraudster compromised the credentials:

  • Phishing and vishing: A customer clicks a fake link, or a scammer talks them into revealing details. This case fell here, and the court placed such victims in the full-liability bucket, holding the customer liable even when they never explicitly disclosed an OTP.
  • Malware: Software steals credentials without the customer sharing anything. The court left this open as a possible route to bank liability, but only if the customer can prove the breach, a high bar.
  • SIM swap and impersonation: A fraudster procures a duplicate SIM or assumes the customer’s identity to intercept OTPs. In Tony Enterprises v. RBI (2019), a police investigation established SIM swapping, and the loss fell on the bank under the zero-liability category. Such fraud can attract bank liability, but again, only when investigators prove it.

The framework that decides who pays: RBI’s 2017 circular on limiting customer liability sorts every unauthorised transaction into three categories, turning on who is at fault rather than how much the customer lost:

  • Zero liability: The customer pays nothing. This applies when the bank is at fault or when the fault lies elsewhere in the system and the customer reports the fraud within three working days.
  • Limited liability: The customer pays a capped amount, between Rs 5,000 and Rs 25,000, for most savings accounts. This applies when the fault lies elsewhere in the system but the customer delays reporting by 4-7 working days.
  • Full liability: The customer bears the entire loss. This applies when the customer’s own negligence causes the loss, such as sharing credentials. The customer carries it until they report the fraud, after which the bank absorbs any further loss.

Reporting time is the hinge. The faster a customer reports, the more the liability shifts away from them. SBI argued that the customer reported the fraud immediately, the bank then blocked the account, and no further loss occurred, so even under the limited-liability category the maximum would have been Rs 25,000, not the full Rs 2.60 lakh the single judge awarded.

The burden-of-proof problem: RBI’s framework puts the burden of proof for customer negligence on the bank. But this ruling effectively requires the customer to prove a system breach to escape liability, flipping the practical burden onto the party that holds the least evidence. The court held that establishing how the fraudster compromised the credentials needs forensic examination, and that a writ court cannot conduct this. As a result, the ruling pushes a defrauded customer toward slower forums after the money has already gone:

  • The consumer courts
  • The adjudicating officer under the Information Technology Act, 2000, the official who decides cyber fraud complaints and awards compensation
  • A civil suit against the bank or the fraudster

The court also pointed to RBI’s 2021 Master Direction on Digital Payment Security Controls, which sets the minimum security standards banks must meet, as the benchmark a customer must show the bank breached before liability attaches.

Astha Srivastava, Principal Associate at Ikigai Law, pushed back on the idea that this ruling reverses the burden of proof in practice. “The court didn’t shift the formal burden,” she said. “It assessed the facts of this specific case and concluded that the customer’s bare denial wasn’t enough to establish bank liability on those facts. That’s a fact-specific finding, not a doctrinal reversal. Banks still need to affirmatively demonstrate customer negligence. One ruling shouldn’t be read as a systemic shift.”

The court’s key interpretive move: The bench held that the phrase “such as where he has shared the payment credentials” in Clause 7(i) of the circular illustrates rather than exhausts, meaning it offers only an example and does not limit negligence to that single act. Negligence, the court held, also covers clicking a suspicious link or unknown application that compromises credentials.

The customer admittedly clicked such a link immediately before the transactions, and no material showed that the fraudster bypassed the bank’s two-factor authentication (2FA), the security layer that requires a second verification step like an OTP, so the court found that it could not presume deficiency on the bank’s part.

Srivastava said the court’s reading of the phrase as illustrative rather than exhaustive is “legally sound” but cautioned against applying it too broadly. “Fraudsters are getting increasingly sophisticated, and even alert, tech-savvy customers can fall for well-crafted attacks. Calling that negligence seems harsh.”

The customer’s core argument: The customer, a computer science professor, argued that the bank delivered the OTPs to his phone, but he never shared them. His strongest point ran as follows: if he had shared the OTP for the first Rs 1 lakh transaction and then received a debit alert, he would not have gone on to share a second OTP for the Rs 1.60 lakh transaction. On that basis, he argued that the transactions went through without any sharing on his part, which pointed to a system breach rather than his own negligence. The bench held that he could not establish this without forensic examination.

How the case moved through the system: On April 18, 2021, fraudsters withdrew Rs 2.60 lakh from the customer’s SBI savings account through two internet banking (INB) transactions of Rs 1 lakh and Rs 1.60 lakh. He had clicked a link in an SMS that warned his account services would shut down otherwise. The transactions followed within minutes.

  • The RBI Banking Ombudsman (the official who resolves customer complaints against banks) found him a vishing (voice phishing) victim but, because the OTP-secured transactions used 2FA, directed SBI to pay only about Rs 33,340, one-third of the first transaction. The second transaction to a Paytm merchant account fell outside its purview.
  • The customer accepted this Rs 33,340 without protest. SBI later argued that his acceptance of the settlement barred him from claiming more, invoking the principle of estoppel, that taking partial compensation can forfeit the right to litigate further.
  • A single judge set the Ombudsman order aside and directed SBI to refund the full Rs 2.60 lakh with 9% interest, reasoning that his denial of sharing OTPs meant the fraudster had breached the 2FA system.
  • The division bench has now reversed that and restored the Ombudsman’s order.

Where the rules are heading: RBI’s March 2026 draft amendments to its Responsible Business Conduct Directions define a “fraudulent electronic banking transaction” to cover transactions where a third party uses credentials obtained fraudulently from the customer and transactions the customer carries out under pressure or threat. That language speaks directly to phishing, vishing, and coercion and suggests the RBI wants to bring such cases within a clearer customer-protection net. The draft also proposes compensation up to Rs 25,000 for small-value fraud and tighter complaint timelines.

Srivastava flagged that the regulatory direction is toward more customer protection, not less. “RBI has acknowledged exactly this concern. Its proposed Responsible Business Conduct Directions move toward a compensation model that awards customers some relief even where they are partly at fault, funded by banks and the RBI.”

On the 2021 Master Direction, she said it is a powerful but currently underused tool. “A bank that fails to comply with those controls is in a much harder position to argue it bears no liability for a fraud that those controls were designed to prevent. And the proposed Responsible Business Conduct Directions go further still: non-compliance with digital payment security controls is expressly classified as bank negligence.”

What the court did not decide: The judgment does not pin down who was ultimately at fault. It holds only that the single judge could not presume the bank’s liability without a forensic examination. The customer retains the liberty to pursue other remedies, including action against the actual fraudsters.
