Bank’s Liability for Unauthorized Electronic Transactions: Analysis of Roopam Kumar v. SBI Cards & Payment Services

Introduction

The District Consumer Disputes Redressal Commission, Chandigarh, recently delivered a significant judgment in the matter of Roopam Kumar versus SBI Cards & Payment Services Private Limited, reinforcing the stringent obligations placed upon banking institutions to protect customers from unauthorized electronic transactions. This landmark decision, pronounced on February 6, 2026, serves as a crucial reminder to financial institutions regarding their statutory duties under the Reserve Bank of India’s regulatory framework and their accountability in cases involving fraudulent banking transactions.

The case involved a consumer who fell victim to unauthorized transactions on her credit card and subsequently faced years of negligence and apathy from the banking institution. The Commission’s comprehensive analysis of the applicable regulatory provisions and precedent case law provides valuable insights into consumer protection in the digital banking era. This article examines the factual matrix, legal principles, and judicial reasoning that culminated in the Commission’s decision to award relief to the aggrieved consumer.

Factual Background and Genesis of the Dispute

The genesis of the present dispute traces back to December 2017 when Roopam Kumar, a resident of Mohali, was approached by an agent of SBI Cards & Payment Services Private Limited. The agent, employing persuasive tactics, induced the complainant to obtain a credit card and obtained her signature on certain blank forms. Subsequently, the banking institution issued a credit card bearing the number ending in 6048 to the complainant.

The tranquility of ordinary financial dealings was disrupted in 2017, when the complainant received two suspicious one-time password messages on her mobile device. The first message at 11:02 AM, indicated a transaction of Rs. 10,000 at Airtel-Money using her SBI Card. Within a minute, at 11:03 AM, another message arrived notifying a second transaction of Rs. 999 at the same merchant. Both messages explicitly warned the recipient not to share the OTP with anyone, raising immediate red flags regarding the legitimacy of these transactions.

The complainant was shocked by these notifications for transactions and thus immediately contacted the opposite party to report the suspicious activity. Her swift action resulted in the banking institution blocking the credit card on the same day, merely minutes after the fraudulent transactions occurred. The bank registered her complaint, formally acknowledging receipt of her grievance.

Procedural Journey and Administrative Remedies

Following the initial report, the complainant diligently pursued multiple channels to seek redressal of her grievance. On December 28, 2017, in compliance with the bank’s directions, she submitted a comprehensive transaction dispute form detailing the unauthorized transactions. She filed a complaint with the Station House Officer of the Police State Cyber Crime unit in Mohali on January 30, 2018. Simultaneously, the complainant escalated the matter to the Banking Ombudsman at the Reserve Bank of India’s Chandigarh office, invoking the alternate dispute resolution mechanism established for banking grievances. Demonstrating good faith, she paid a sum of Rs. 17,050 to the bank on February 26, 2018, representing undisputed charges while specifically excluding the fraudulent transaction amounts.

Despite these earnest efforts and her cooperation with the bank’s investigation process, the complainant encountered persistent indifference from the banking institution. The opposite party failed to initiate meaningful action on her complaint and instead compounded her distress by reporting her name to the Credit Information Bureau (India) Limited, effectively branding her as a defaulter in the financial system. The complainant’s attempts to resolve the matter through correspondence continued into 2020. She sent an email requesting action on her long-pending complaint. While the bank’s response failed to provide any substantive resolution to her grievance. The situation deteriorated further when the banking institution issued a statement demanding payment of Rs. 35,594 on April 12, 2021 for the very transactions that the complainant had consistently disputed as unauthorized.

Under protest and to avoid further damage to her credit rating, the complainant paid the demanded amount simultaneously communicating her objection to this coerced payment through email. The bank acknowledged receipt of this payment and her accompanying protest. Left with no alternative avenue for relief, the complainant approached the Consumer Disputes Redressal Commission in 2021, seeking justice for the deficiency in service and unfair trade practice.

Legal Framework and Regulatory Provisions

The Commission’s analysis extensively relied upon the Reserve Bank of India’s Circular No. RBI/2017-18/15 DBR.No.Leg.BC.78/09.07.005/2017-18 titled “Customer Protection – Limiting Liability of Customers in Unauthorized Electronic Banking Transactions.” This comprehensive regulatory framework establishes clear guidelines for determining customer liability in cases of unauthorized electronic banking transactions.

The circular introduces the concept of zero liability for customers in specific circumstances. A customer becomes entitled to zero liability when unauthorized transactions occur due to contributory fraud, negligence, or deficiency on the part of the bank. Additionally, zero liability applies in cases of third-party breaches where the deficiency lies neither with the bank nor with the customer, provided the customer notifies the bank within three working days of receiving communication regarding the unauthorized transaction. The regulatory framework imposes stringent obligations upon banking institutions. Upon notification by the customer, the bank must credit the amount involved in the unauthorized transaction to the customer’s account within ten working days through a shadow reversal mechanism. This obligation exists independent of any insurance claim settlement and does not require the bank to await such proceedings.

Furthermore, the circular mandates that complaints must be resolved within a timeframe specified in the bank’s board-approved policy, not exceeding ninety days from the date of receipt of the complaint. If the bank fails to resolve the complaint within this ninety-day period, compensation as prescribed in the circular must be paid to the customer. Critically, the circular places the burden of proving customer liability squarely upon the banking institution. This reversal of the traditional burden of proof reflects the regulatory recognition of the superior position of banks in electronic transaction ecosystems and their corresponding responsibility to maintain robust security systems.

Submissions and Contentions

The complainant’s case rested upon several fundamental contentions. She argued that she had never authorized or conducted the disputed transactions and had promptly reported the matter to the bank on the same day the suspicious OTP messages were received. She emphasized her cooperation with all investigative procedures, including submission of dispute forms and lodging of criminal complaints. The complainant asserted that despite her timely reporting and cooperation, the bank failed to investigate the matter properly and instead unjustly demanded payment for fraudulent transactions.

She further contended that the bank’s action in reporting her name to CIBIL as a defaulter constituted harassment and unfair trade practice. The complainant characterized the bank’s conduct as demonstrating malafide intention and clear deficiency in service, warranting not only refund of the disputed amount but also compensation for the mental agony and harassment she endured over several years.

Judicial Precedents and Legal Reasoning

The Commission fortified its decision by relying upon several authoritative precedents that addressed similar issues. The Bombay High Court’s Division Bench, comprising Justice Girish Kulkarni and Justice Firdosh Pooniwalla, in the matter of Jaiprakash Kulkarni and Pharma Search Ayurveda Pvt. Ltd., had applied the 2017 RBI Circular and held that customers bear zero liability when unauthorized transactions occur due to third-party breaches where the deficiency lies not with the bank or customer but somewhere in the system. In that case, the High Court directed Bank of Baroda to refund Rs. 76 lakh that had been fraudulently debited from a company’s bank account.

Final Determination and Relief Granted

Based on its comprehensive analysis, the Commission partly allowed the consumer complaint and issued specific directions to the opposite party. The bank was directed to refund the amount of Rs. 35,594 to the complainant, along with interest at the rate of nine percent per annum calculated from the date of its deposit until the date of actual realization.

The Commission directed the banking institution to remove the complainant’s name from the defaulter list maintained by CIBIL and other credit information bureaus. This direction was crucial for restoring the complainant’s creditworthiness and preventing future financial disabilities arising from the wrongful reporting.

Recognizing the prolonged harassment, mental agony, and litigation expenses borne by the complainant over nearly five years of pursuing her rightful claim, the Commission awarded compensation of Rs. 10,000. It served as both recognition of the complainant’s suffering and a deterrent against similar conduct by banking institutions. The Commission stipulated that compliance with its order must be completed within forty-five days from the date of receipt of the certified copy of the order, ensuring timely relief to the aggrieved consumer.

Implications and Conclusions

This judgment carries significant implications for the banking sector and consumer protection jurisprudence. It reaffirms that banking institutions cannot adopt a cavalier attitude toward customer grievances, particularly concerning unauthorized electronic transactions. The strict liability imposed upon banks reflects their superior position in the financial ecosystem and their corresponding duty to maintain robust security systems and grievance redressal mechanisms.

The decision reinforces that regulatory circulars issued by the Reserve Bank of India are not merely advisory but constitute binding obligations upon banking institutions. Non-compliance with such regulatory frameworks constitutes deficiency in service actionable under consumer protection laws. The reversal of the burden of proof, placing it upon banks rather than customers, recognizes the inherent information asymmetry and technical complexities involved in electronic banking fraud.

The case also highlights the importance of documentary evidence in consumer disputes. Ultimately, this decision represents the consumer forum’s commitment to protecting vulnerable consumers against institutional high-handedness and ensuring that banking institutions honor both their regulatory obligations and their duties toward customers who repose faith in their services.

For more details, write to us at: contact@indialaw.in

Reference

Roopam Kumar v. SBI Cards & Payment Services Pvt. Ltd., Consumer Complaint No. DC/AB1/44/CC/255/2021, District Consumer Disputes Redressal Commission-II, U.T. Chandigarh (decided on 06.02.2026)