Cyber Frauds and Customer Liability: Time for a Rethink

The rise of digital banking has brought with it a sharp increase in cyber frauds. Every day, individuals across the country fall prey to sophisticated scams involving fraudulent phone calls, phishing messages, and deceptive social engineering tactics. While regulatory bodies like the Reserve Bank of India (RBI) have issued guidelines to protect customers from unauthorised electronic transactions, the current framework still falls short of addressing the real nature of cyber fraud as it exists today, leaving countless victims without effective recourse. 

A particularly insidious example of modern cybercrime is the “digital arrest” fraud. In such recent cases, people are subjected to harrowing ordeals in which fraudsters, impersonating FedEx officials and senior police officers, accuse them of being prime suspects in a money laundering and drug trafficking case. The fraudsters create an atmosphere of extreme fear, send fabricated documents, and eventually coerce people into transferring lakhs of rupees – sometimes their entire life savings – to “prove their innocence.” This is not a simple case of sharing an OTP; it is a psychologically manipulative hostage situation conducted over the phone.

The Flawed “Authorisation” Defence 

Under existing RBI directions, specifically the circular dated July 6, 2017, a customer is generally not held liable for unauthorised transactions if the fraud results from a third-party system failure or a breach beyond the control of both the bank and the customer, provided it is reported promptly. However, in practice, this protection is often denied. Victims are frequently informed that since they “authorised” the transaction, whether by entering an OTP or confirming a payment, they are solely responsible for the loss. 

This approach fails to account for the complex and coercive nature of many modern frauds. Banks and redressal bodies often rely on a simplistic, binary view: either the bank’s system was breached, or the customer was negligent. There is little room for the grey area where a customer acts under extreme duress, intimidation, or sophisticated deception. In the “digital arrest” case, the bank’s response at the time, while acknowledging that the victim transferred the money due to the fear of police and criminal proceedings, concludes that the loss, being attributable to the customer’s negligence, cannot be covered by the bank. This contradictory stance – recognising fear but labelling it as negligence – is at the heart of the problem.

The distinction between genuine negligence and acting under coercion is rarely recognised. A person who unknowingly facilitates a transaction under the belief that they are complying with a legitimate authority to avoid arrest should not be treated the same way as someone who carelessly discloses their passwords for a trivial reason. This lack of differentiation has created a troubling trend where victims are blamed for their own losses, and the burden of proving their innocence falls entirely on them, often without a fair or thorough investigation into the facts. 

Ambiguity in the Regulatory Framework 

The RBI’s 2017 circular was a significant step towards customer protection, but its ambiguous terminology has become a loophole for banks to evade liability. Clause 6(ii) of the circular grants a customer “zero liability” in the event of a “third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system,” provided the customer reports it within three working days. 

However, the terms “third party breach” and “elsewhere in the system” are not defined. As the Gauhati High Court noted in Pallabh Bhowmick v. Ombudsman, Reserve Bank of India, this lack of definition allows banks to interpret the clause narrowly to their own advantage. A “third party breach” should be interpreted liberally to include sophisticated social engineering scams where criminals exploit systemic vulnerabilities – not in the bank’s code, but in the trust that customers place in institutions like the police or courier services. The fraud is perpetrated by a third party, and the deficiency lies “elsewhere in the system” of public communication and identity verification. 

Furthermore, the burden of proof is another critical issue. The RBI circular explicitly states in Clause 12 that “The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.” The judiciary has reinforced this. The Kerala High Court in Tony Enterprises v. Reserve Bank of India held that a bank can only recover funds from a customer if it can “unequivocally prove” the customer was responsible. Similarly, the Pallabh Bhowmick judgment stated that banks cannot absolve themselves based on “perceived negligence” and must establish it with “reliable materials on record.” Despite this clear mandate, the ground reality is often the reverse. Customers are required to run from pillar to post, gathering evidence and proving they were not negligent, while banks conduct perfunctory internal reviews. 

The Delhi High Court’s judgment in Hare Ram Singh v. Reserve Bank of India marks an important step toward strengthening consumer protection in cases of cyber fraud. By holding that the victim of a vishing attack was not negligent and that SBI was liable for failing to safeguard his account, the Court reinforced the principle of ‘zero liability’ for customers under RBI’s 2017 guidelines. This progressive ruling underscores the judiciary’s recognition of evolving digital risks and highlights the urgent need for stronger, more proactive measures by banks and regulators to protect consumers from online financial frauds. 

The Failure of Institutional Response 

While the RBI guidelines impose obligations on banks to ensure safe digital banking environments and robust fraud detection systems, many banks appear more concerned with protecting themselves from liability than protecting their customers. Investigations into fraud complaints are often brief and superficial, focusing merely on whether the bank’s own technical systems functioned correctly. There is little regard for the psychological pressure or coercion faced by the victims. 

This institutional apathy extends to the grievance redressal mechanism. In the “digital arrest” case, the RBI Ombudsman closed the complaint, stating that since the petitioner had “herself carried out the said transactions under influence of certain third party,” they could not be termed “unauthorised.” This decision is deeply problematic, as it ignores the very essence of coercion—that an act, though performed by the victim, is not a product of free will. If the highest grievance redressal body for banking in the country fails to appreciate this fundamental distinction, it leaves victims with virtually no hope for justice. 

Moreover, banks often fail in their duty to report high-value frauds to law enforcement, as mandated by RBI circulars. This inaction not only violates regulatory directives but also hampers the broader effort to track and prosecute cybercriminals, allowing them to continue preying on other innocent customers. 

The Path Forward 

It is evident that the current guidelines, though well-intentioned, need urgent revision to reflect the changing landscape of cyber fraud. 

  1. Clarify Definitions: The RBI must issue clear, unambiguous definitions for key terms like “third-party breach,” “negligence,” and “unauthorised transaction.” The definition of negligence must explicitly exclude actions taken under proven coercion, threat, or sophisticated impersonation. 
  2. Enhance Inter-Agency Collaboration: A seamless framework for collaboration between banks, law enforcement (especially cyber cells), and telecom providers is essential for a swift response, including real-time fund blocking and investigation.

In today’s digital era, it is not enough to shift the blame to customers. A more empathetic, updated, and balanced framework is required—one that recognises the difference between genuine negligence and being misled, harassed, or coerced. Until then, cybercrime victims will continue to pay the price for systemic gaps not of their making, re-victimized by the very institutions that are meant to be their financial guardians. 
