Sometimes nightmares can come true. Natwar Sharma, 43, is a Delhi-based executive. One December morning last year, he woke up to nine SMSs from ICICI Bank Ltd, where he has a savings account. The messages were about various transactions from Sharma’s account while he was sleeping. All withdrawals were of about Rs2,000, and the total damage was about Rs18,000. As soon as he realized the fraud, Sharma informed ICICI Bank’s customer care. He also went to his branch and made a written application to freeze his account, giving details of the unauthenticated transactions. The bank’s staff told him that they would investigate and revert.

After a couple of days, the bank sent him an email: “All these online transactions were completed using second-factor authentication (ATM PIN). Therefore, we cannot provide refund in these cases.” When Mint contacted ICICI Bank about the complaint, the bank said, “The online transactions on the debit card being disputed by the customer went through a two-level authentication process. They were first authenticated by using the debit card number, card verification value (CVV) and expiry date on the customer’s debit card. The second leg of the process required the customer’s four digit ATM PIN. All of this information is known only to the customer and the customer is responsible for their safe-keeping. Without these information together, an online transaction cannot be completed. However, we are investigating.... We have temporarily credited the money to the customer’s account, pending investigation.” Sharma was lucky that his account was not emptied, and the bank agreed to return the amount (though temporarily). All are not so lucky.

Dr Ravi Kant Sinha, a surgeon from Dharbanga in Bihar, lost about Rs3.10 lakh. He got a phone call asking him to verify his Aadhaar number, which he had recently linked with various services. Sinha provided some of the information the caller asked. Soon after, Sinha’s cell number linked with his Aadhaar number as well as the linked bank accounts became inaccessible to him. He soon found out that unauthenticated transactions had been conducted from three of his savings accounts: Rs1 lakh each from accounts in State Bank of India and HDFC Bank Ltd and Rs1.1 lakh from his account in ICICI Bank. He also found that someone had got a duplicate SIM of Sinha’s now out-of-service mobile phone from Airtel. “I don’t know how Airtel can issue a duplicate SIM to anyone without verifying original documents,” said Sinha. He filed a complaint with respective banks and at the local police station. Mint has the details of the emails and police complaint.

In their response to Mint, all the banks and Airtel blamed customer for negligence. ICICI Bank and HDFC Bank said that it is a case of SIM-swap and customer had shared the details with an unauthorized person. HDFC Bank spokesperson said, “We believe he shared the CVV number because without sharing it, even if there is a SIM swap, OTP can’t be used.” SBI spokesperson said, “The beneficiary of this transaction is also named Mr. Ravi Kant Sinha along with Ms. Sweta Sinha. SBI has taken all the required measures and has written to competent authorities of the beneficiary’s bank to reverse the transaction. Airtel spokesperson said, “Prime facie, this appears to be a case of the customer sharing (being cajoled into) sensitive personal information with unknown people. Airtel will be happy to share all details with the investigating agencies and help the customer.”

These are not isolated cases. Many have become victims of online banking frauds. Let’s read more about banks’ accountability in such cases and what recourse is available to customers in such cases.

Liability and accountability
Safety of bank accounts and credit cards lies both with the account holder and concerned bank. However, considering the surge in complaints related to unauthorised transactions from bank account and credit cards, in July 2017, the Reserve Bank of India (RBI) reviewed the criteria for determining customer liability in these circumstances and issued some guidelines.

According to RBI’s guidelines, a customer has zero liability where the unauthorised transaction occurs because of two reasons: first; contributory fraud, negligence, deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer); second; third-party breach where the deficiency lies neither with bank nor the customer but lies elsewhere in the system, and the customer notifies the bank within 3 working days of receiving the communication from the bank regarding the unauthorised transaction.

“Banks have been held liable for frauds that have occurred either solely due to their negligence, or due to contributory negligence on their part,” said Jehangir Gai, a Mumbai-based consumer activist.

However, customer is liable if loss is due to her negligence, such as: because she shared payment credentials. In such cases, customer bears all the losses till the unauthorised transaction is reported to the bank. This is why “it is important for consumers to not share any account-related information over phone. Mostly, consumers are duped by fraudsters claiming to call from the bank. Fraudsters gain access to some information in advance and try to get the other details over phone,” said S. Saroja, director, consumer advisory and outreach, Citizen Consumer and Civic Action Group.

But any loss arising after reporting of the unauthorised transaction shall be borne by the bank. So “once you know that account details have been compromised, you should immediately inform the bank to block the card,” said Saroja. Also, where the responsibility for unauthorised electronic transaction lies neither with the bank nor the customer but elsewhere in the system, and when there is a delay (of 4 to 7 working days after receiving communication from bank) on part of the customer in notifying the bank, the per transaction liability of the customer shall be limited to the transaction value or up to Rs5,000 for Basic Savings Bank Deposit (BSBD) account; Rs10,000 for other savings bank accounts, prepaid payment instruments and gift cards, current accounts and credit cards with a limit of Rs5 lakh; and Rs25,000 for credit cards with a limit of more than Rs5 lakh. If the customer fails to report or reports after 7 working days, customer liability shall be determined as per the bank’s board-approved policy.

Further, RBI has advised banks that on being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from when the incident was reported. Banks may also, at its discretion, waive any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.

Whom to approach
In case of unauthorised electronic banking transactions, the burden is on the bank to prove that customer is liable. First, file a complaint with bank’s grievance redressal forum or customer care. Next, you can approach its internal banking ombudsman. If you are unsatisfied with the solution from these options, “You can either approach the Banking Ombudsman, or a consumer forum (in case of non-commercial disputes); or a regular civil court,” said Gai.

It is always better to avoid such scenarios. Therefore, account holders should take care while making online transactions and using bank cards at retail outlets. One should never share the financial and banking details, especially OTP and PIN, with others.