Bank liable for unauthorised online transaction

Leader Valves had three accounts with Punjab National Bank. Of these, only one was authorised for e-banking. The password was changed every month for security.

On January 25, 2010, the company found that Rs 40 lakh had been transferred from its account which did not have e-banking facility. This amount was credited to a thirty party's account with the same bank. The company immediately brought this to the bank's notice, so it was recovered.

Subsequently, an online transfer of Rs 26,48,500 was also made from another account which too did not have e-banking facility. On taking up the issue with the bank, the company was told that it was due to misuse of the password for which the bank could was not responsible. 

The bank froze the accounts contending that the same password had been used for both the online transfers. Then, the fraudster attempted to withdraw Rs 20 lakh from the bank's Delhi Branch and after that, the Bareily Branch, but did not succeed as the amount in the account was only Rs 10,87,737. Thereafter, the fraudster withdrew money via ATMs. The company alleged that withdrawal of amount from a frozen account could have happened only with the connivance of bank officials.

The bank refused to furnish CCTV footage of the ATM withdrawals. So, the company engaged private agencies to investigate the fraud. Investigations revealed that the transactions were made from an IP address in USA.

The Banking Ombudsman refused to entertain the grievance as it involved complex issues. The company then filed a consumer complaint before the Punjab State Commission alleging that the bank had been negligent in securing its net banking system and had failed to follow the procedural guidelines framed under the Payment and Settlement System Act, 2007 and by the IT Audit Cell.

The State Commission noted that even though a part of the amount had been recovered, the loss was to the tune of over Rs 20 lakh, involving 95 other accounts. So, the Commission concluded that the account had been hacked. It also observed that since the transfers were to other accounts within the same bank, it could have frozen those accounts and blocked the use of debit/credit cards, but did not do. Due to this, the fraudsters could siphon off the money. It indicted the bank for opening accounts without proper KYC and for failing to retain the CCTV footage which could have helped in nabbing the fraudsters.

The State Commission held this to be a deficiency in service. After adjusting the recovered amount, it ordered the bank to reimburse the loss of Rs 23,69,482, along with 9 per cent interest from the date of withdrawal. Additionally, Rs 1 lakh was awarded as compensation and Rs 21,000 towards litigation costs.

The bank challenged the order. While upholding the order, the National Commission observed that there was malfeasance on the part of the bank officials in respect of breach of security of its net banking system. Accordingly, by its order of March 13, 2020, delivered by Dinesh Singh, the  Commission dismissed the appeal with further costs of Rs 1 lakh payable to legal aid.
The author is a consumer activist

Business Standard is now on Telegram.
For insightful reports and views on business, markets, politics and other issues, subscribe to our official Telegram channel