The Delhi High Court ruled that customers are liable for losses from OTP-secured transactions if fraud occurs due to their negligence, such as clicking on phishing links. The bench set aside a previous order that had directed State Bank of India (SBI) to refund Rs 2.60 lakh to a customer defrauded via internet banking. The judgment clarifies liability in OTP fraud cases, emphasizing customer responsibility unless technical evidence proves bank system breaches, according to medianama.com.
The division bench led by Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia held that a customer's mere denial of sharing the One Time Password (OTP) does not automatically make the bank liable for unauthorized transactions. The court treated clicking a suspicious link as negligence under Reserve Bank of India (RBI) rules, placing the full loss on the customer. To shift liability to the bank, customers must provide forensic proof such as transaction logs or IP records, which are rarely accessible to them, medianama.com reported.
This ruling distinguishes liability based on how fraudsters compromise credentials. In phishing and vishing cases, where customers reveal details or click fake links, the court places full liability on customers even if OTPs were not explicitly shared. However, if malware compromises credentials, the liability may shift differently. The judgment aligns with RBI guidelines that assign losses from customer negligence to the customer, impacting how banks and customers handle fraud disputes in India.
The judgment is a significant precedent for banks and customers dealing with OTP fraud, emphasizing the need for technical evidence to claim bank liability. The full judgment is available on medianama.com, providing detailed legal reasoning and implications for future cases involving unauthorized transactions secured by OTPs.