All e-transactions done through banks must be done with OTP

Daniyal Qureshi | Symbiosis Law School Pune | 26th March 2020

ICICI Bank Ltd. v. Ramdas Pawar. The Telecom Dispute Settlement and Appellate Tribunal (TDSAT) Decided on 10.10.2019

FACTS

his appeal has been filed by ICICI Bank Ltd. (ICICI) challenging the order dated 23.11.2011 passed by Learned Adjudicating Officer (AO) in respect of a complaint filed by complainant/respondent Shri Ramdas Pawar. The complainant/respondent had a savings bank account with ICICI Bank and suffered alleged net banking fraud between 27.9.2010 to 1.10.2010 during which Rs. 3,39,950/- had been fraudulently transferred from his savings account to two other accounts held by the alleged fraudsters/beneficiaries with the appellant. Complainant had lodged a complaint with the Customer Care Centre of ICICI on 1.10.2010. Complainant had also filed a police complaint on 4.10.2010 against unknown persons and the ICICI Bank and the police filed its report in the present case on 05.03.2012. According to the police report, the amount was transferred to two ICICI bank accounts and these two account holders could not be traced as the addresses available with the bank were incomplete.

ISSUE

Whether the learned AO was justified in his order for awarding complete liability to the appellant even in the presence of negligent actions of the respondent. 

JUDGEMENT 

The learned counsel for appellant argues that the negligent actions of the respondent were contributory to the consequences of losing money from their account. The counsel for appellant argues that the ICICI has a robust and advance IT system for security that powers their net banking system and millions of transactions. He also submits that the respondent during the course of investigation admitted that he responded to a phishing email and revealed his login credentials to a fraudulent email. That the consequences of loss of money were due to actions of the respondent. 

The appellant submits the observation of the Learned AO which records that the fraudster not only knew the password for the account but also had 2 accounts ready with the appellate bank through which the fraudulent transactions were completed. That there is clearly a nexus between the phishing mail and fraudulent transfers. It cannot be said that the phishing mail sent by someone who ultimately did not want to be the beneficiary of the funds that are involved in this case. 

However, the tribunal records that both the parties are relying upon conjectures to in blaming the other party in negligence. Therefore, there is need for examining the security systems of the appellant. 

Thus, under Section 43A of the Information Technology Act 2000, the appellant is under obligation to have secure system and processes. Such secure system and processes would enable it to at least produce logs of the transaction bearing necessary information in case of a reported fraud. Appellant has failed to produce such logs, despite having many opportunities. We have therefore no difficulty in saying that on this count, appellant is deficient in terms of its obligations under section 43A of IT Act.

It is clear that as per RBI guidelines there has to be two layers of security system at work. The first layer of security is generally the password held by the owner of the account. The second layer of security generally the OTP (one-time password) that is generally transmitted to the registered mobile number of the account holder. The appellant has failed to show that there was any such second layer in action for the protection of the consumers. Learned counsel for the appellant submits that it is the declared policy of the appellant bank that it strictly follows RBI security guidelines as experienced by thousands of customers and therefore poor quality of pleading or evidence may not be held against it. However, the tribunal opines that mere professing to the commitment to IT security requirements is no enough. Adherence to IT security should be demonstrable, traceable, verifiable and consistent. In this context, pleadings and evidence (or lack of It) only reflect the laxity in meeting the obligations cast upon the appellant bank under section 43A of the IT Act. 

Therefore the appeal got dismissed.