Bharatkumar Pandya, Member

1. Heard Mr. Vipin Jai, Advocate, learned counsel for the Bank/Appellant and Prof. K.P. Sreenath Complainant In-Person. The Appellant/OP initially filed the present matter as a Revision Petition before this Commission. However, on 23.04.2025, the learned counsel for the Appellant specifically requested to this Commission to permit conversion of the Revision Petition into a Second Appeal under Section 51(2) of the Consumer Protection Act, 2019, on the basis of substantial questions of law. This Commission, vide its order dated 23.04.2025, granted liberty to file an appropriate application for such conversion. Thereafter, pursuant to the said liberty, the Appellant filed an application bearing Diary No. 12622 dated 05.05.2025, and the same was subsequently allowed by this Commission vide order dated 10.10.2025, whereby the matter was formally converted and registered as a Second Appeal under Section 51(2) of the Act. Further, since there was a delay in filing the present Appeal, the Appellant also filed IA No. 4369 of 2025 seeking condonation of delay, which was ultimately allowed by this Commission vide order dated 24.02.2026, thereby condoning the delay. The Appellant has, thereafter, raised substantial questions of law, inter alia, as to whether the Bank can be held liable for fraud allegedly committed by a third party and whether such liability is governed by the RBI Circular dated 06.07.2017.

2. The facts of the Complainant case is that, the complainant, a retired Professor of Botany from Bangalore University, filed a consumer complaint no. 329 of 2021 at District Commission, Shanthinagar, Bangalore against State Bank of India, Nagarabhavi Branch, alleging deficiency in banking service and negligence that resulted in financial loss. After his retirement in November 2017, the complainant received retirement benefits including gratuity and other terminal benefits amounting to approximately Rs.25 lakhs, which were credited to his savings account maintained with the bank. On 11.03.2019, he requested the bank to transfer this amount to another bank account and paid the required RTGS transfer charges. However, the bank neither completed the transfer nor informed him about the failure of the transaction. According to the complainant, due to poor communication facilities in his native village, he could not immediately monitor his account transactions. When he later visited the bank personally on 30.04.2019, he discovered that a large sum of Rs. 12,93,922/- had been fraudulently withdrawn from his account between 12.04.2019 and 30.04.2019 by unknown hackers. Following this discovery, the complainant immediately approached the bank authorities and lodged complaints with the local police and the Cyber Crime Police Station, leading to the registration of a criminal case. He also filed a complaint before the Banking Ombudsman of the Reserve Bank of India and submitted representations to higher police authorities requesting speedy investigation and recovery of the money. Despite these efforts, no effective action was taken to restore the lost funds, and the bank allegedly failed to provide a satisfactory explanation or remedy. The complainant contended that the fraud occurred due to weak banking software, inadequate firewall protection, and failure of the bank to maintain proper security systems necessary to safeguard customer accounts. He further argues that the bank's negligence in not executing the transfer request after collecting charges and its failure to alert him about suspicious transactions directly contributed to the loss of his retirement savings, causing severe financial hardship, stress, and mental agony. The complainant therefore filed the Consumer complaint on 22.07.2021 claiming that the bank's conduct amounted to deficiency in service and unfair treatment of a consumer. He asserted that the cause of action arose when the bank issued an endorsement stating that his complaint was still under process even after a prolonged period without resolution. Complainant prayed before District Forum to direct the bank to refund Rs. 12,93,922/- with interest at 18% per annum from the date of loss, and also pay Rs.1 lakh as compensation for mental agony.

3. The OP/State Bank of India filed its detailed reply on 22.10.2021, denying all the allegations. The bank admitted that the disputed transactions had indeed taken place from the complainant's account, but it strongly argued that these were not due to any lapse in its banking system but the complainant himself was negligent in handling his banking details. According to SBI, the complainant had allegedly shared sensitive information such as OTP or Aadhaar-related details with unknown persons, which enabled the fraudulent withdrawals. The bank further stated that SMS alerts regarding the transactions were sent to the complainant's registered mobile number, but he failed to take immediate action upon receiving them. Additionally, the opposite party argued that there was a delay on the part of the complainant in reporting the unauthorized transactions to the bank, and such delay contributed to the loss. SBI maintained that once a customer compromises confidential information or does not promptly report suspicious activity, the bank cannot be held responsible for the resulting fraud. On this basis, the bank claimed that there was no deficiency in service and that the entire liability should fall on the complainant due to his own carelessness. Therefore, the opposite party prayed for dismissal of the complaint.

4. After hearing the learned counsel for both the parties and upon careful consideration of the pleadings, evidence and material available on record, the Ld. District Commission, vide order dated 27.05.2022, held that mere sharing of Aadhaar Card details by the complainant could not have enabled the fraudster to access the complainant's bank account or carry out the fraudulent transactions. The District Commission observed that for setting the MPIN, an OTP was required, which was sent to the registered mobile number of the complainant, and the Bank failed to establish by any cogent evidence that the said OTP was ever shared by the complainant with any third party. On the contrary, even the Bank's own record indicated that it was a clear case of fraud committed by an unknown third party. The District Commission further held that as per the RBI Circular dated 06.07.2017, the burden to prove negligence or sharing of sensitive information such as OTP, ATM PIN or bank details lies upon the Bank, which the Bank failed to discharge. The District Commission also rejected the contention of the Bank that the complainant had delayed reporting the fraud, noting that although SMS alerts were claimed to have been sent, only one such SMS was placed on record, and the complainant became aware of the fraudulent withdrawals only on 30.04.2019, upon visiting the bank. It was found that the complainant reported the matter to the Bank on 02.05.2019, i.e., within three days of gaining knowledge of the fraud. Accordingly, in terms of the RBI guidelines, the complainant was entitled to zero liability, and the entire loss was required to be borne by the Bank. The District Commission thus concluded that non-reversal of the fraudulent amount within the prescribed time amounted to clear deficiency in service on the part of the Opposite Parties. Consequently, the complaint was partly allowed, and the Opposite Party Bank was directed to refund the amount of Rs. 12,93,922/- along with applicable savings bank interest from the date of each unauthorized debit till realization, and further to pay ?25,000/- as compensation for mental agony and ?10,000/- towards litigation expenses. The said order is reproduced herein below, for ready reference:

ORDER

22. We are of the opinion that mere providing the Aadhar card under the circumstance could not have rendered the fraudster to have the account details of the complainant. As mentioned above, to set MPIN one OTP was issued to the registered mobile of the complainant in respect of the account he was with the 0P1. According to Ex. R6 that might have been misused by the fraudster without complainant revealing the same. Bank has failed to show the commission that in fact the complainant has revealed the one OTP to set MPIN shared to fraudster.

Further in the said letter itself the bank has come to the conclusion that it is a clear case of fraud committed by the fraudster. Further as per the circular issued by the RBI that the burden of proving negligence or sharing the OTP number, bank details, ATM pin number by the holder of the account is on the bank. Which has failed to prove the same.

23. Further OP1 has taken the contention that the complainant is fully liable for the loss which he has suffered as the fraud through electronic media has not been intimated to the bank within three working days and the same was done seven days after the incident. It is also the case that SMS was sent to the complainant as and when the transaction had taken place. Only one SMS hard copy is produced regarding withdrawal of rupees 19,999/- from the account of the complainant dated 30.04.2019. Complainant has admitted having received the SMS but he ignored the same. Even then, it is to be held that the complainant came to know the fraud and cheating by the fraudster in respect of withdrawing an amount of rupees 12,93,922/- from his account only when he visited the bank on 30-04-2019 and immediately within three days i.e.., on 02.05.2019 he made a complaint to 0P1, the home branch in which he was having S.B. Account. In the view of this contention taken by 0P1 that the complaint is lodged in respect of the fraud committed after seven days of the incident cannot be held proper and it's only taken to avoid its liability and make the complainant fully liable for the losses he has suffered as per the RBI guidelines. When the complainant has reported the matter to OP1 on 02.05.2019 that is within three days from the date of knowledge of fraudulent withdrawal of the amount of rupees 12,93,922/- from his account, as per the RBI guidelines, the liability on the part the complainant is nil. That means the entire liability and the loss has to be made up by the bank, as, asper the said guidelines , when there is third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and when the customer notifies the bank within three working days of receiving communication from the bank regarding the unauthorized transactions the customer is entitled to zero liability shall arise when there is unauthorized transaction in the account. In the view of this not paying the amount within the time prescribed under rule 9 of the circular DBR. No. Leg. B C. 78/09.07.005/2017-18 amounts deficiency in service on the part of OP1 ,2 and 3, wherein 0P1 is the branch which deals with the account of the complainant, whereas OP2 and 3 are the higher officers of OP1. Hence we answer point no. 1 partly in the affirmative.

24. Point No.2;

In the result complainant is entitle for refund of Rs.12,93,922/- along with the S.B. interest prevailing between 12.04.2019 to 30.04.2019 till payment of the entire amount calculating interest from each day of debit from the account of the complainant by 0P1, along with damages of Rs.25,000/- and litigation expenses of Rs.10,000/- and answer point No.2 partly in the affirmative and pass the following;

ORDER

1. Complaint is allowed in part with cost.

2. 0P1 is directed to reverse the amount of Rs. 12,93,922/- along with the S.B. interest prevailing between 12.04.2019 to 30.04.2019 till payment of the entire amount calculating from each day of debit from the account of the complainant.

3. OP1 is further directed to pay the damages of Rs.25,000/- to the complainant.

4. 0P1 is also directed to pay a sum of Rs.10,000/- towards litigation expenses.

5. 0P1 is further directed comply the above order within 30 days from the date of receipt of this order and submit the compliance report to this forum within 15 days thereafter.

6. sent a copy of this order to both parties free of cost.

5. Thereafter, OP Bank aggrieved from the order dated 27.05.2022 of District Forum, filed the First Appeal No.1333 of 2022 before the State commission, Bengaluru. The Appeal filed by the Bank was dismissed and the Order of the District Commission was upheld, finding no grounds to interfere. The Order of the State Commission is reproduced herein below:

"ORDER

8. In our view, as the enquiry reveals that the complainant being senior citizen and a costumer of OP1 Bank, since long ago, had always used cheque leaves to withdraw money and transfer money from his account to others could not be said had shared OTP to transfer money from his account to the account of fraudsters. One has to expect SBI has to discharge its banking functions as per RBI guidelines and in particular as per the circular referred by the District Commission while passing the impugned order and in such circumstances, when the complainant had lodged complaint with the OP bank about fraudulent transfer and had also lodged complaint with the Gnana Bharathi Police Station as well with Cyber Crime Police Station, Bengaluru, Ops are bound to follow the guidelines of the RBI to reverse the transfer of such money from the account of the complainant to the account of the fraudsters. It has come in the enquiry that fraudulent transfers were occasioned from the account of the complainant through UP! and PAYTM Payment Bank and Airtel Payment Bank which were forwarded to the complainant, as such in circumstances in our view it may not be difficulty for the bank like SBI to assist the cybercrime police and Gnana Bharathi Police in investigating the case of fraudulent transfer of money of Rs. 12,93,922/- from the account of complainant and to trace the fraudsters to send them behind bar to give message to similar such fraudsters not to indulge in such matters. In other words, it may not be difficult for the Bank, PAYTM Bank and Airtel Bank to locate, where such transactions of money were taken place from the account of complainant to the account of fraudsters.

9. We have to found from the enquiry, it is al! being done through online or internal or in the banking system itself, since investigation is still pending, in such circumstances OP banker cannot wash their hands on any of the technical reason to throw the liability on the complainant contending that their liability in the case is zero, since the fraudulent transfer of complainant had brought to their notice 07 days after such transfer. In such considered view we did not find any grounds to interfere in the impugned order passed by the District Commission. Hence, Commission proceed to dismiss the appeal with no order as to costs.

10. The Amount in deposit is directed to be transferred to District Commission for needful.

11. Send a copy of this Order to the District Commission and parties to the appeal for their information. "

6. Aggrieved by the Order of State Commission the Bank filed this present Appeal before this commission on 24.03.2025. Substantial questions of law raised by the Appellant/Bank are reproduced herein below:

I. Whether the Appellant Bank can be held liable for the loss caused due to the alleged negligence of the Respondent/Complainant?

II. Whether the Bank is liable for fraudulent transactions committed by a third party allegedly due to the negligence of the Respondent?

III. Whether the Fora below failed to properly appreciate the findings of the Banking Ombudsman dated 18.05.2019, which rejected the claim of the Respondent? IV. Whether the Banking Ombudsman correctly held that the fraud occurred because the Respondent allegedly shared Aadhaar details and OTP with the fraudster? V. Whether the impugned order failed to consider and correctly apply the RBI Circular dated 06.07.2017 bearing No. DBR.No.Leg.BC.78/09.07.005/2017-18?

VI. Whether the State Commission erred in relying only upon Regulation 7(ii) of the RBI Circular while ignoring Regulation 7(i)?

VII. Whether Regulation 7(i) of the RBI Circular, relating to customer negligence in sharing payment credentials and consequent customer liability, is squarely applicable to the facts of the present case?

VIII. Whether the Respondent is liable for the loss suffered till the reporting of unauthorized transactions to the Bank, in view of the provisions of the RBI Circular governing electronic banking frauds?

7. This Commission order dated 24.02.2026, wherein only two questions are admitted for consideration, is reproduced herein below:

ORDER Heard Mr. Vipin Jai, learned counsel for the Bank, on the questions raised. We are satisfied that keeping in the view the cause shown for condoning the delay, the same is sufficient and we therefore allow the delay condonation application IA No. 4369 of 2025 and condone the delay in the filing of this appeal. The appeal shall be given a regular number by the office and shall be registered as such. The prayer to convert this compilation, which has been filed as a revision petition, is also allowed and the application praying for treating it as an appeal under Section 51(2) of the Consumer Protection Act, 2019 also stands allowed. The substantial question of law as proposed by the Learned Counsel for the appellant Bank are 'Whether the appellant Bank was liable for any such alleged fraud committed by a third party', and, 'as to whether the liability is covered under the RBI Circular dated 06.07.2017'.

Learned Counsel then urged that another question of law which deserves to be treated as a substantial question is in the wake of the conclusions drawn by the banking Ombudsman in its order dated 18.05.2019 where reliance has been placed on the said circular and it has been observed that such a transaction of the amounts in question could not have happened unless the OTP had been shared by the complainant himself. He therefore submits that these issues on the basis of the facts do give rise to the aforesaid substantial questions and therefore the appeal maybe entertained on the said grounds. Other questions have also been framed and have been referred to in paragraph-8 of the application moved on 05-05-2025 vide Dy. No. 12622.

Controverting the said submissions, the complainant, who has appeared in person, urges that so far as the sharing of Aadhar Card is concerned, the same by itself cannot in any way amount to a negligence on the part of the complainant in as much as Aadhar card has to be placed for verification at several platforms but he on his own has not shared his OTP with any person whatsoever nor is there any evidence to that effect. He therefore submits that in the absence of any such evidence regarding sharing of OTP either prima facie or even clinching evidence, the question of assuming that the transaction was on account of the negligence of the complainant, is incorrect. He therefore submits that no substantial question of law arises and the matter stands concluded by findings of fact recorded by the Fora below, hence the appeal does not deserve either admission or being entertained for any further hearing.

8. Before us Mr. Vipin Jai, on behalf of OP/Bank contended that there was no deficiency in service and that the fraud occurred due to respondent's negligence in sharing sensitive information. It was argued that SMS alerts were sent for each transaction, but the respondent failed to act in time and also delayed reporting the fraud. Mr. Vipin Jai also drew our attention to the order of the Banking Ombudsman reproduced in para 19 of the DCDRC order wherein the complainant's complaint was dismissed. It is emphasised that as observed by the ombudsman, there was negligence on the part of the complainant in sharing the MPIN OTP sent on registered mobile which enabled all the transactions by the fraudster. The Ombudsman further observed that as per the RBI circular (para 7(i) and (ii)), the not only there is negligence under para 7(i) but there is also delay beyond 7 days in intimating the loss and therefore, the entire loss needs to be borne by the customer/complainant. Mr. Vipin Jai strongly contended that the case in that or full customer liability under RBI circular dated 06.07.2017. The Bank/Appellant further raised substantial questions of law, inter alia, (i) as to whether a Bank can be held liable for unauthorized transactions when the account holder himself had allegedly compromised confidential banking credentials and failed to report the transactions promptly despite receiving SMS alerts; (ii) whether the State Commission erred in fastening liability upon the Bank in the absence of any evidence establishing deficiency in service or negligence on the part of the Bank officials; and (iii) whether contributory negligence on the part of the consumer disentitles him from claiming compensation under the Consumer Protection Act. Accordingly, the Bank/Appellant prayed for setting aside the impugned order passed by the State Commission and for dismissing the complaint.

9. The Complainant/Respondent argued in person that the fraudulent transactions occurred due to lapses in the bank's system and not due to any negligence on his part. He contended that being a senior citizen, he did not engage in digital transactions and had not shared any confidential details. The sharing of or disclosing of Aadhar Card details could not at all be termed as sharing of any "payment credentials" and no OTP or other bank account details were ever shared by him. No such facts are cogently established on record. It is admitted fact that the huge transfers from the account of the complainant is due to third party breach which is not due to any negligence of the complainant and the intimation of which was given to the bank within two days of his knowledge. He further submitted that he reported the fraud promptly upon gaining knowledge, thereby attracting zero liability under RBI guidelines. Hence, there is no question of law involved and the concurrent orders of the District and State Commissions require no interference.

10. After hearing the learned counsel for the Appellant/Bank and the Complainant appearing in person, and upon a comprehensive perusal of the entire record, t is seen that the complainant, a retired professor, had deposited his retirement benefits amounting to approximately ?25,00,000/- in his savings account maintained with the Appellant Bank. Further perusal of the account statement and transaction details annexed with the complaint, particularly reflected at Pg. No. 146 and corresponding annexures showing debit entries between 12.04.2019 to 30.04.2019 reflected at Pg. No. 147-152, reveals that a substantial amount of Rs. 12,93,922/- was fraudulently withdrawn from the complainant's account through multiple unauthorized transactions. The Appellant Bank has not disputed the occurrence of these transactions or the fraudulent nature thereof but has attempted to shift the liability upon the complainant by alleging that he shared sensitive information such as OTP or Aadhaar details. However, no documentary evidence, system log, or technical record has been placed on record by the Bank to substantiate such allegation. On the contrary, the documents placed on record and findings of the District Commission (Para 22) indicate that even as per the Bank's own internal communication, the case was treated as a fraud committed by an unknown third party. In such circumstances, and in light of the RBI Circular dated 06.07.2017, the burden to prove negligence or sharing of confidential information lies squarely upon the Bank, which it has failed to discharge.

11. There are concurrent finding of facts arrived at by the Fora below to the effect that there is no involvement of the respondent-complainant in the surreptitious and fraudulent transfer of money from his account and also that there is no negligence of the complainant in such transfer of amounts from his account. There is also a concurrent finding of fact that after the respondent-complainant learnt about the unauthorized and fraudulent withdrawals from his account on 30.04.2019, he has immediately, within three days i.e., on 02.05.2019, contacted the home branch and also lodged police complaint with respective authorities and duly followed up the matter. It is also a concurrent finding that the amounts have in fact been unauthorizedly transferred from the account of the respondent-complainant which is a loss to the complainant-respondent There is also no finding with regard to any contributory fraud or negligence on the part of the bank, and there is positive finding that the transfers from the complainant's bank account are on account of third party breach where the deficiency or involvement lies neither with the complainant nor with the bank.

12. In the background of these concurrent finding of facts, the substantial questions of law which really need to be considered and answered are, as noted in the order dated 24.02.2026 whether the bank incurs any liability for the loss indisputably suffered by the respondent-complainant on account of fraudulent transfers from his account due to third party breach/hacking. The RBI has issued circular no. RBI/2017-18/15 on 06.07.2017 which is titled as "Customer Protection - Limiting Liability of Customers in Unauthorised Electronic Banking Transactions". As the subject of the circular itself would suggest, the circular is primarily intended to. protect the customers against the fraudulent or other such transfers and to provide for reversal of erroneous/fraudulent debits so as to save him from such losses. Para 4 of the circular prescribes and mandates the Bank for robust and dynamic fraud detection and prevention mechanism and for ensuring security and safety of electronic banking transactions carried out by the customers. Para 5 provides for reporting of unauthorized transactions by the customers. Para 12 categorically places the burden of proving the customer liability, if any, on the bank. Para 9 of the circular imposes a duty on the bank to credit the customer's account within 10 working days from the date of notification by the customer of any amount involved in any unauthorized electronic transaction with a rider that the bank shall also have the discretion to waive off any customer liability even in the cases of customer negligence. Paras 6 to 8, reproduced below, provide for "limited liability of a customer":

                          "Limited Liability of a Customer

                          (a) Zero Liability of a Customer

                          6. A customer's entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:

                          0) Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).

                          (H) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.

                          (b) Limited Liability of a Customer

                          7. A customer shall be liable for the loss occurring due to unauthorised transactions in the following cases:

                          (i) In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

                          (ii) In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies, elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower.

                          Table 1 _____ Maximum Liability of a Customer under paragraph 7 (ii)_________ Type of Account Maximum liability (Rs.) • BSBD Accounts_______________________ 5,000 • All other SB accounts 10,000 • Pre-paid Payment Instruments and Gift Cards • Current Cash Credit/ Overdraft MSMES Accounts of • Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud)/limit up to Rs. 25 lakh • 10,000 • Credit cards with limit up to Rs. 5 lakh All other Current/Cash Credit/ Overdraft 25,000 Accounts Credit cards with limit above Rs. 5 lakh Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank's Board approved policy. Banks shall provide the details of their policy in regard to customers' liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank's policy.

                          8. Overall liability of the customer in third party breaches, as detailed in paragraph 6 (ii) and paragraph 7 (ii) above, where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, is summarised in the Table 2:

                          Table 2 _________________ Summary of Customer's Liability Time taken to report the Customer's liability (*) fraudulent transaction from the date of receiving the communication____________ Within 3 working day_________ Zero liability______________________ Within 4 to 7 working days. The transaction value or the amount mentioned in Table 1, whichever is lower_____ ______________________ Beyond 7 working days As per bank's Board approved policy The number of working days mentioned in Table 2 shall be counted as per the working schedule of the home branch of the customer excluding the date of receiving the communication."

13. Having perused the orders of the fora below in the light of RBI circular para 6 to 8 as reproduced above, we have no doubt in our mind that the fora below have committed no error in concluding that the respondent-complainant 's liability, if any, is governed by para 6(ii) of the said circular and that the same does not fall under para 7 at all. It is the concurrent factual finding of the fora below that mere sharing of Aadhar card details cannot be equated with "sharing of payment credentials" so as to bring the liability of fraudulent loss on to the customer within para 7(i) of the circular. Similarly, not seeing or being alarmed by the sole SMS of withdrawal of amount on 30.04.2019 can have no consequence because the intimation was given immediately thereafter on 02.05.2019. The fora below, therefore, cannot be faulted for concluding that the case of the complainant falls under para 6(ii) on the basis of the factual findings arrived at by them. Also, the Bank has not been able to prove "the customer liability", i.e. the fact that the loss is due to any negligence by the complainant, by any cogent and conclusive evidence, as is required under para 12 of the circular. The District Forum in para 19 has noted the order of the Banking Ombudsman wherein the Ombudsman has recorded a finding that the loss to the complainant is "a fraudulent transaction which has happened through UPI". In para 22, the District Forum has come to a factual finding that the bank has failed to establish that the complainant has revealed the OTP or MPIN to any fraudster. In para 23, the District Forum further observes that the complainant learnt about the fraudulent transfers from his account only on 30.04.2019 and within two days the formal complaint/intimation was tendered to the bank, and therefore, the Ombudsman's finding that the customer is fully liable because the intimation is given after 7 days, in terms of last sub-para of para 7 of the circular, is faculty incorrect. Thus, it is held that under the circular, the entire liability is required to be made up by the bank and the equivalent amount needed to be credited to the customer's account within 10 days of intimation, the failure in which is a deficiency in service. The State Commission, after duly considering the contentions of the Bank, has fully endorsed the veracity of factual findings, the view and conclusion of the District Forum. We are unable to get persuaded by the contention of Mr. Jai that there is enough cogent material on record to hold that the complainant is negligent in sharing any critical payment credentials or any OTP or MPIN or that the intimation of the fraud is given after a gap of 7 days.

14. In our opinion, therefore, the conclusions arrived at by the fora below are essentially on the basis of the facts as established on record and, the fora below are absolutely right in their conclusion that the entire liability for the loss lies with the bank in view of para 6(ii) of the RBI circular. As such, no question of law, much less any substantial question of law, arises from the orders of the fora below. However, in view of the discussion as above, we, specifically to the questions incorporated in order dated 24.02.2026, reply that (i) the appellant bank is indeed fully liable for third party fraud in terms of para 6(ii) of the circular because the bank is unable to establish any negligence of the complainant and because intimation of the fraud or f loss is given by the customer within three days of he having come to know about the loss, and (ii) yes, the bank is fully liable, in the facts of the present case, within the RBI circular dated 06.07.2017, because para 6(ii) of the circular providing for "zero liability of the customer", and not para 7(i) of the RBI circular providing for full customer liability, applies to the facts of the case and governs the respective "zero liability of the customer".

15. The appeal therefore lacks merits and is accordingly consigned.