The Delhi High Court has ruled that bank customers may also bear responsibility for cyber fraud losses if they ignore security advisories and click suspicious links. The judgment came in a dispute involving State Bank of India and a customer who lost ₹2.60 lakh in a vishing scam. A Division Bench comprising Devendra Kumar Upadhyaya and Tejas Karia interpreted the RBI’s 2017 cyber fraud circular, clarifying that negligence extends beyond sharing OTPs and may include unsafe digital behaviour.
Delhi High Court Cyber Fraud Ruling: Customers May Share Responsibility for Losses After Clicking Suspicious Links
The Delhi High Court has ruled that bank customers who ignore security warnings and click suspicious links may also be held responsible for losses arising from cyber fraud, even if they do not share OTPs.
The Delhi High Court cyber fraud ruling has clarified that customer negligence in online banking scams is not limited to sharing One-Time Passwords (OTPs) or login credentials with fraudsters.
In a significant judgment involving the State Bank of India (SBI), a Division Bench of the Delhi High Court observed that customers who click suspicious links despite repeated security advisories from banks and regulators may also bear responsibility for financial losses resulting from cybercrime.
The case arose after an academic lost ₹2.60 lakh from his SBI savings account in a voice phishing, commonly known as vishing, scam. The Court ultimately ruled in favour of SBI and set aside an earlier order directing the bank to refund the entire amount with interest.
The judgment was delivered by Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia, who examined the scope of customer negligence under the Reserve Bank of India’s 2017 circular governing unauthorised electronic banking transactions.
Delhi High Court Interprets RBI Cyber Fraud Guidelines
The dispute centred on Clause 7(i) of the RBI circular issued in 2017, which provides that customers must bear losses arising from cyber fraud where negligence on their part contributes to the incident.
The customer argued that although OTPs may have been generated during the disputed transactions, he had never shared them with anyone. Based on this contention, it was argued that the fraud occurred due to a security lapse attributable to the bank rather than any fault of the customer.
However, the Division Bench rejected the argument that negligence can only be established when a customer shares OTPs, passwords, or other payment credentials directly with fraudsters.
According to the Court, the RBI circular uses illustrative language rather than an exhaustive definition of negligence. Therefore, negligence may also arise when customers ignore repeated warnings and access suspicious or unknown links that compromise banking credentials.
The Bench observed that digital banking users are expected to exercise reasonable caution, particularly when dealing with unsolicited messages, links, or communications claiming to originate from financial institutions.
Background of the SBI Customer Fraud Dispute
According to court records, the customer initially received a message directing him to click a link to avoid disruption of certain banking services. A subsequent phone call reportedly conveyed a similar message.
After interacting with the links, two unauthorised transactions took place, resulting in a loss of ₹2.60 lakh before the customer contacted SBI and blocked the account.
SBI declined to reimburse the full amount, maintaining that the transactions had been processed through valid login credentials and supported by OTP-based verification mechanisms.
The matter was subsequently examined by an RBI Banking Ombudsman, who partially accepted the bank’s position but directed SBI to compensate the customer with one-third of the disputed amount.
Unsatisfied with the outcome, the customer approached the Delhi High Court seeking a complete refund.
A Single Judge Bench ruled in the customer’s favour, accepting the argument that OTPs had allegedly not been shared and concluding that the bank should bear responsibility for the loss.
Also Read: Fr Barthol Machado Faces Questions Over AOCC Complaint.
Division Bench Sets Aside Earlier Refund Order
SBI challenged the decision before a Division Bench, arguing that the Single Judge had reached conclusions requiring specialised technical examination without sufficient evidence.
The Division Bench agreed, observing that issues involving compromised credentials, malware attacks, OTP interception, two-factor authentication systems, login records, and cyber forensic analysis require detailed examination beyond the scope of writ jurisdiction.
The Court noted that no material had been produced demonstrating any failure by SBI to comply with RBI-mandated cybersecurity safeguards or regulatory obligations.
Consequently, the Bench held that attributing sole responsibility to the bank without technical evidence was inconsistent with the framework established under the RBI’s 2017 circular.
The Court therefore allowed SBI’s appeal and set aside the earlier judgment, reinforcing that both customer conduct and institutional compliance must be examined before liability is determined in cyber fraud cases.
SBI was represented by Senior Advocate Harin P. Raval along with Advocates Rajiv Kapur, Akshit Kapur, Riya Sood, and Shreya Bansal. Chief Manager Karnik Pandya and Chief Manager (Law) H.K. Kataria also assisted the bank.
The customer was represented by Advocates Ravi Chandra Prakash and Purushottam S. Tripathi.
The Reserve Bank of India was represented by Advocates Atul Sharma, Abhinav Sharma, Ayush Srivastava, and Snehashish.
The ruling is expected to influence future cyber fraud litigation by reinforcing the importance of customer vigilance alongside banking security obligations in India’s rapidly expanding digital banking ecosystem.
Editorial Note:
This article is based on publicly available FIR records, court case references, and reports published by multiple media organisations. The information is presented in the context of ongoing investigations and public interest reporting. Sprouts News does not make any judicial determination regarding the individuals mentioned and does not intend to defame any person or organisation. Any individual seeking clarification or wishing to provide an official response may contact the editorial team with verifiable documentation. The information is presented for journalistic and informational purposes.
