by sayum
18 June 2026 5:36 AM
"In matters involving digital banking fraud, customer negligence cannot be confined solely to cases of express disclosure of OTPs or passwords. Compromise of such credentials may also occur where a customer interacts with suspicious links or unknown applications, thereby exposing the banking credentials to misuse," the Delhi High Court observed in a significant ruling dated May 29, 2026, holding that a bank cannot be held liable for unauthorized electronic transactions where the loss is attributable to a customer's own negligence in interacting with suspicious links.
A division bench of Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia observed that the scope of customer negligence under the 2017 RBI Circular is illustrative and not confined to the express disclosure of credentials. The court emphasized that complex questions of cyber fraud involving Two-Factor Authentication (2FA) breaches require technical and forensic examination which cannot be conclusively determined in a writ petition.
The matter originated from a Letters Patent Appeal (LPA) filed by the State Bank of India (SBI) against a Single Judge order which had directed the bank to refund ₹2,60,000 to a customer, Respondent No. 1. The customer, a Professor of Computer Science, had clicked on a suspicious SMS link allegedly to prevent his account from being closed, leading to two unauthorized transactions. While the Banking Ombudsman had earlier ordered a partial refund of one-third of the disputed amount, the Single Judge had set aside that order and fastened full liability on the bank, citing a failure of banking security mechanisms.
The primary question before the court was whether clicking a suspicious link constitutes customer negligence under the RBI Circular dated July 6, 2017. The court was also called upon to determine whether a Writ Court, in exercise of jurisdiction under Article 226 of the Constitution of India, is the appropriate forum to adjudicate liability in cyber fraud cases involving disputed questions of fact and technical security protocols.
Broad Interpretation of Customer Negligence under RBI Guidelines
The court analyzed the "Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions" circular issued by the RBI in 2017. The bench observed that the circular draws a clear distinction between cases of contributory fraud by the bank and loss attributable to the negligence of the customer. It noted that the expression "such as where he has shared the payment credentials" used in Clause 7(i) of the Circular is merely illustrative and not exhaustive.
"The expression 'such as where he has shared the payment credentials' occurring in Clause 7(i) of the 2017 RBI Circular is plainly illustrative and not exhaustive; it does not confine customer negligence only to cases of express disclosure of payment credentials."
Compromise of Credentials Through Suspicious Links
The bench further reasoned that in the contemporary landscape of digital banking and cyber fraud, negligence arises even when a customer ignores repeated advisories and accesses unknown links. The court found that such actions compromise the security of banking credentials just as effectively as direct disclosure. Since Respondent No. 1 admittedly clicked a suspicious link received from an unknown person immediately prior to the unauthorized transactions, the court held that his actions fell within the ambit of customer negligence.
"In the context of digital banking and cyber fraud, negligence may equally arise where a customer, despite repeated advisories and security warnings, accesses suspicious or unknown links, thereby compromising the security of the banking credentials."
Limitations of Writ Jurisdiction in Cyber Fraud Cases
Critiquing the approach of the Single Judge, the Division Bench held that the High Court, while exercising writ jurisdiction under Article 226, must confine its inquiry to manifest arbitrariness or non-compliance with frameworks. It observed that whether 2FA protocols were breached by malware or whether the bank failed to detect unusual login activity are matters that necessarily require technical and forensic examination. Such issues, involving detailed evidence and identification of perpetrators, cannot be summarily decided by a writ court.
"The issues considered by the learned Single Judge... are matters that necessarily require technical and forensic examination and adjudication on evidence and could not have been conclusively determined in exercise of writ jurisdiction."
Fastening Liability Without Evidence of Systemic Failure
The court noted that there was no material on record to indicate that the transactions had bypassed the authentication process or that SBI’s systems were compromised. Since the transactions were secured through 2FA and the account was blocked immediately upon the fraud being reported, the court found no deficiency in the bank's service. The bench highlighted that a bank, acting as an agent for its customer, cannot ordinarily refuse to process a transfer that appears to be duly authorized through valid credentials.
"There is no material presently on record to indicate that the Subject Transactions bypassed the authentication process prescribed by the Appellant-Bank or that there was any established compromise of the banking system."
Distinguishing Precedents on SIM Swapping and Identity Theft
The court also addressed the reliance placed on the Kerala High Court's decision in Tony Enterprises v. RBI. It distinguished the case by noting that the Kerala ruling involved a police investigation that had established SIM swapping and identity theft through fraudulently procured duplicate SIM cards. In the present case, where no such investigative finding established a breach of the bank's system, the court held that the principle of zero liability could not be automatically extended.
The Division Bench concluded that the Single Judge was not justified in presuming a deficiency on the part of the bank and fastening liability upon it without a forensic inquiry. Holding that the customer's interaction with the malicious link constituted negligence under the RBI framework, the court allowed the appeal and set aside the judgment of the Single Judge.
Date of Decision: 29 May 2026