Bharati Dangre, J.
1. The Petitioner, a freelancer in Business Consultancy, has approached this Court stating that he is a victim of Cyber fraud and a sum of Rs. 38,04,000/- was unauthorizedly withdrawn from his two bank accounts maintained with HDFC Bank Ltd., in a time gap of 41 minutes. According to the Petitioner, he was defrauded by the online unauthorized withdrawals, the transactions being permitted by the Bank and his grievance is, the HDFC Bank has refused to reverse the amount to his account, which according to him is in complete breach of applicable directions /guidelines issued by the Reserve Bank of India (“RBI”). According to the Petitioner, his monies were unauthorizedly transferred to the account/s held by the fraudsters in ICICI Bank, who despite timely intimation in that behalf refused to take steps for preventing withdrawal/further transfer.
2. The Petition has impleaded the Union of India through the Ministry of Finance, and Ministry of Communications as Respondent No.1, with the Reserve Bank of India through the Governor, being impleaded as Respondent No.2, whereas the HDFC Bank Limited and ICICI Bank Ltd through their Managing Directors are impleaded as Respondent Nos.3 and 4 respectively, Bharat Sanchar Nigam Limited (“BSNL”) is the Respondent No.5, in the Petition along with the State of Maharashtra through Wakad Police Station Pune, as Respondent No.6.
The Writ Petition seeks the following reliefs:-
“a. issue a writ of mandamus or a writ in the nature of mandamus or any other writ, order or direction under Article 226 of the Constitution of India to direct Respondent No. 2 to initiate appropriate action against Respondent Nos. 3 and 4 for violation of I-Banking Guidelines dated 14th June 2001 (Exhibit “O”), the said Notification dated 6th July 2017 (Exhibit “R”) and the Master Directions dated 18th February 2021 (Exhibit “S”) issued by Respondent No. 2;
(a-i) That this Hon'ble Court be pleased to issue a Writ of Certiorari or any other appropriate Writ, order or direction under Article 226 of the Constitution of India to quash and set aside the decision dated 28 March 2022 (Ex. L Pg. 208 of the Petition) communicated by the Reserve Bank of India (Centralised Receipt and Processing Centre) issued with the approval of Respondent No. 7 whereby the Ombudsman has rejected the complaint bearing no. N202122021018946 filed by the Petitioner.
(a-2) That this Hon'ble Court be pleased to direct Respondent No. 3 and 4 to refund the amount fraudulently transferred from the bank account of the Petitioner and also issue directions to Respondent No. 3 and 4 to extend cooperation to investigating agency by providing necessary KYCs and other related documents;
b. issue a writ of mandamus or a writ in the nature of mandamus or any other writ, order or direction under Article 226 of the Constitution of India to direct Respondent No. 1 to initiate appropriate action against Respondent No.5 for violation of Department of Telecom’s Instruction dated 01.08.2016 bearing File no. 800-09/2010-VAS (part) (Exhibit “V”);
c. issue a writ of mandamus or a writ in the nature of mandamus or any other writ, order or direction under Article 226 of the Constitution of India to direct Respondent No. 2 to appoint an independent IS Auditor (Government and/or private agency) to conduct an exhaustive IS Audit of Respondent No. 3 in terms of the said Guidelines dated 29" April 2011 issued by Respondent No. 2 (Exhibit “Q”);
d. issue a writ of mandamus or a writ in the nature of mandamus or any other writ, order or direction under Article 226 of the Constitution of India to direct Respondent No. 2 to initiate appropriate action against Respondent Nos. 3 and 4 for non - compliance with their obligations under Master Circular dated 1st July 2008 (Exhibit “U”);”
3. We have heard learned Senior Counsel Mr. Sharan Jagtiani for the Petitioner, learned Senior Counsel Mr. Pratik Seksaria for Respondent No.3, Mr. Mayur Khandeparkar for Respondent No.4, and Mr. Prasad Shenoy for Respondent Nos.2 and 7, Reserve Bank of India.
On the pleadings being completed, by consent of parties, we have taken up the Petition for hearing at the stage of admission and hence, we deem it appropriate to issue ‘Rule’, which is made returnable forthwith.
4. In order to pronounce upon the reliefs prayed in the Petition with the reliefs being opposed by the counsel representing the Respondents, we deem it appropriate to refer to the facts involved leading to the aforesaid Petition placed before us.
The Petitioner, maintained a saving and current bank account with the HDFC Bank since 2011 and 2016 respectively. As per the pleaded case of the Petitioner, on 14/07/2021, three unknown persons namely Samir Tamang, Aloke Pal, Subhomoy Biswas, were added as beneficiaries in the Petitioner’s account for the purpose of enabling net-banking transaction and the permissible net banking limit qua his account of Rs. 4,00,000/- (Rupees Four Lakh Only) was enhanced to Rs. 40,00,000/- (Rupees Forty Lakh Only). It is the specific case of the Petitioner that no OTPs was received by him from HDFC Bank for both the activities i.e. addition of beneficiaries or enhancement of transfer limit. Although the security system of the HDFC Bank flagged and alerted, the addition of these beneficiaries and the alert recommended ‘Decline add payee’ and also alerted “Transaction IP does not match with genuine transaction IP of customer” the addition of beneficiaries was manually approved by the Bank.
Upon the aforesaid activity being permitted by the Bank, on 15/07/2021, the Petitioner lost a sum of Rs. 38,04,000/- through eight unauthorized bank transfers, which took place within a span of 41 minutes and the money was transferred to the accounts of the beneficiaries added on the previous day as the transaction limit of the account was enhanced.
The Petitioner received intimation of one such transfer of Rs. 2,14,000/- at 17:55 hours on 15/07/2021 i.e. after two hours of the last transaction. No sooner, the Petitioner received an SMS alert from the bank about the transfer of Rs. 2,14,000/- , he logged on the net-banking facility to check status of his account. At this time, he realised that a sum of Rs. 38,04,000/- has been transferred through eight transactions between 15:06 hours and 15:47 hours.
According to the Petitioner he has never added the three individuals as beneficiaries as they are not known to him and no OPT was received by him on his Mobile Number or Email Id for confirming the addition of the beneficiaries.
The Petitioner addressed an email to the relationship manager, Mr. Prashant Patil, informing him about the unauthorized transactions and he even tried to connect to HDFC toll-free number, but was unable to do so. He also called the Official from the Bank asking him to block the account and issued instructions in writing in that regard at 6:58 hours, and on the next date, he lodged an FIR with the local police station.
5. On 28/07/2021, the HDFC Bank addressed an email to the Petitioner denying its liability and alleging breach of confidential information at the Petitioner’s end by stating as below:-
“Dear Mr. /Ms. Korde,
This is with reference to your complaint regarding fraudulent transactions in your Account done through NetBanking Third Party Fund transfer amounting to Rs. 38,04,000.00/-.
We wish to inform you that any such debits happening to the customer’s account using NetBanking is valid transaction for the Bank since the same has been done using the Customer Id, NetBanking password (IPIN) & other account sensitive information which is known only to the customer.
The IPIN is privy to the customer and as such the NetBanking transfer is not possible without customer compromising his/her IPIN, Customer ID & other account sensitive information knowingly or unknowingly.
The Third Party Fund Transfer transactions, done in your account post inputting of Customer ID and IPIN (NetBanking Password) and the same was duly authenticated with One Time Passwords (OTPs) which was sent on your registered Mobile number/ E-Mail Id.
Beneficiary addition was done in your account and funds were transferred. In order to add a beneficiary, besides inputting customer sensitive details like Customer ID and IPIN, an OTP is also generated and sent to the registered mobile number /Email ID (Only in case of NR customer) of the customer which needs to be inputted as an additional authentication mechanism.
In the above case, OTP has been generated and sent to your registered mobile number, post inputting of the correct OTP, the beneficiary was successfully added into the account.
As part of security control at the Bank, a beneficiary is activated only post cooling period of 30 minutes of addition and for new beneficiary addition all transactions are mandatorily to be authenticated with OTP.
As part of the extant process, transaction alerts were sent for beneficiary Addition and also for the subsequent transaction done.
In effect, there has been breach of confidential information, without which none of the above transaction could have been taken place.
We would request you to kindly lodge a FIR/Police Complaint and submit the copy of the same to the Branch.”
6. On receipt of the above, on 29/07/2021, Petitioner addressed an email to the Grievance Redressal Officer, Branch Manager and Chief Executive Officer, specifically stating that no alerts were received by him and the accusation against him was unfounded. On 14/09/2021, the Customer Service Manager of the HDFC Bank by his email communicated to the Petitioner that there was no deficiency in service by the HDFC Bank, which constrained the Petitioner to address a detail representation to the Respondent Nos.3 and 4, with reference to his earlier complaints and he also revealed the information that was available with the police. His grievance was specifically worded as below:-
“3. As per information available with Police, the entire amount of Rs. 38,04,000/-, has gone to three new beneficiaries created in my Account. It appears that the beneficiaries were added on 14th July 2021 and Third Party Transaction Limit was increased from Rs. 4,00,000/- per day to Rs. 40,00,0000/- per day which is not within my knowledge. History of my Account will show that nowhere, right from the opening of the accounts, Credit Limit was enhanced so high and such beneficiaries were added in one go and such large no. of transactions were effected on my account and of such quantum within such a short span of time. I am a senior citizen. The fact that I am a senior citizen is known to the Bank from the record. The moment there is addition of 4 beneficiaries along with increasing Transaction Limit to Rs. 40,00,000/- from 4,00,000/-, HDFC Bank/ Relationship Manager or the Branch or IT based security system should have raised the alarm and the Bank ought to have got in touch with me on phone or by email and should not have allowed transfers.
6. However, after the aforesaid alert, no other alert seems to have been raised. No efforts were made by HDFC Bank to examine the reasons for transactions not been alerted .The Bank has claimed that SMS was sent to my registered mobile. However, as per data received from BSNL, no such SMS is received on my registered mobile. Therefore, certainly, there is a deficiency of service on the part of HDFC Bank and therefore, HDFC Bank is responsible for the consequences However, based on incident report, which itself shows that there was an error in judgment and looking at number of frauds occurring on a regular basis and without examining important aspect such as addition of large number of beneficiaries a/w sudden increase in limit in Rs. 4 lakhs per day to Rs. 40 lakhs per day, Bank should have applied breakers on all the transactions. The system of the Bank is also defective and is unable to pinpoint peculiarities such additions of 4 beneficiaries in a short span of time and transaction limit was increased by 10 times, the IT enabled security system should have quickly examined authenticity of beneficiaries, their credentials, their risk profile and ought to have rejected the transaction.”
7. In the report submitted by Wakad Police Station on 23/12/2021, the Police Inspector, addressed a communication to Branch Manager, HDFC Bank, where he specifically stated that no error or negligence was found against Mr. Subodh Korde and the communication read thus:-
“To,
The Branch Manager
HDFC Bank.
Subject:- Refund the amount to the complainant (Mr. Subodh Korde,)
Upon complaint of Mr. Subodh Chandrakant Korde, age 61 years, resident at- Duplex Woods, Condominium Society, Kalewadi Fata, Pune an offence wide Cr. No. 578/2021 Under Section 420,467, 468, 471 of Indian Penal Code, and Section 66(C), 66(D) of Information Technology Act is registered at Wakad Police Station.
It is revealed that Complainant did not share any type of information and no error or negligence was found against him in the investigation carried out till date. So please Refund the amont of Rs. 38,04,000.00 to the complainant Mr. Subodh Korde. (1. Subodh Chandrakant Korde-HDFC Bank- A/C- 00521000116116, 2. Ekam Consultant- HDFC Bank- A/C- 0200022189551) as per RBI rules and regulations.”
Further the Police Inspector, Wakad Police Station, also addressed a communication to the Branch Manager, ICICI Bank, directing it to refund the amount debited from account of the Petitioner due to fraudulent transactions of the accused Subhomay Biswas, and Aloke Pal.
8. The complaint filed by the Petitioner was also closed by the Banking Ombudsman on 28/03/2022, when the Petitioner was communicated thus:-
“Closure Intimation for Complaint N202122021018946 against HDFC Bank Ltd
2. Complaint regarding disputed transactions in account. Bank response in brief is as under:
‘Device ID’ of the disputed transaction are matching with the other genuine transactions. As per complainant, he performs all his transactions through Desktop/ Laptop and not through mobile. All the disputed transactions were also performed through same Desktop/ Laptop beneficiary additions has happened only post the OTP authentication one day earlier. The TPT limit increase was authenticated through OTP’s which were sent on complainants registered. The TPT limit increase was authenticated through OTP’s which were sent on complainants registered mobile number and registered email id only. SMS & email alerts for beneficiary additions were very much sent and delivered to the registered mobile number. Transactionswere also authenticated through Net Banking ID, Password and OTPs. The above response is concerned with debits to the account, however, bank informed that they relooking at the case details with regard to funds transfer various beneficiaries with their analytical and business teams and would respond to your before 30 days with the additional clarifications. In view of the above, complaint is closed under 16.2.a of IOS-2021, since the transactions were performed through same device and secure credential and OTP. Complainant is advised that the Office would inform if there is any progress with regard to recovering funds from beneficiaries later.
3. Accordingly, the complaint has been closed under clause 16(2)(a) of the Reserve Bank Integrated Ombudsman Scheme 2021.”
9. In the backdrop of the aforesaid sequence of events, Mr. Jagtiani would place heavy reliance upon the Circular issued by RBI on the subject, ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions’.
Mr. Jagtiani has urged that the circular dated 06/07/2017 has limited the liability of the customers, where unauthorized transaction result in debit of their accounts and his liability is zero in the following events :-
(i) Contributing fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
(ii) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.”
According to Mr. Jagtiani, the Petitioner is covered by the aforesaid clause of the circular. He would also place reliance upon the subsequent part of the said circular, which has provided for Reversal Timeline for Zero Liability/Limited Liability of customer and he would invoke Clause 9 and 10 of the said circular providing thus:-
“9. On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorised transaction.
10. Further, banks shall ensure that:
(i) a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the bank’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions of paragraphs 6 to 9 above;
(ii) where it is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the compensation as prescribed in paragraphs 6 to 9 is paid to the customer; and
(iii) in case of debit card/ bank account, the customer does not suffer loss of interest, and in case of credit card, the customer does not bear any additional burden of interest.”
10. Specifically pointing out that the circular has cast a burden of proving the customer’s liability in case of unauthorized electronic banking transactions on the bank, Mr.Jagtiani would submit that the RBI has directed the banks to put in place a suitable mechanism and structure for the reporting of the customer liability cases to the Board and a mechanism has been clearly chalked out for reviewing the unauthorized electronic banking transactions reported by the customers or otherwise, as also the action taken thereon, alongwith the functioning of the Grievance Redressal Mechanism and steps taken to improve the systems and procedures.
According to Mr. Jagtiani, the said circular is addressed to all Scheduled Commercial Banks (including RRBs), All Small Finance Banks and Payments Banks and the same is binding on HDFC Bank also.
11. Relying upon the said circular, it is submitted that the Petitioner is entitled to be compensated by the Bank as his case would fall within the scope of ‘Limited Liability of a Customer’, and in particular, Clause 6, as the Petitioner has promptly reported the fraud to the bank and according to Mr. Jagtiani, is duped of the money, without any negligence on his part and if at all it is the claim of the bank that he was negligent, then the burden lies on the Bank to prove the same.
12. According to Mr. Jagtiani, the issue arising in the Petition is of grave public importance and the Court shall take judicial note of the fact that the RBI had encouraged internet banking and in fact it has set up a ‘Working Group on Internet Banking’ to examine different aspects of Internet Banking (I- Banking), which had focused on three main issues; (i) technology and security (ii) legal and (iii) regulatory and supervisory. The report submitted by the group was accepted by the RBI with a decision being taken to implement it in a phased manner and guidelines were issued for its implementation by issuing a communication to All Scheduled Commercial Banks on 14/06/2001.
According to him, the said guidelines clearly contemplated that the bank should designate a network and database administrator with clearly defined roles and it shall adopt a security policy duly approved by its Board of Directors. In addition, the circular also indicated that the bank should introduce logical access controls to data, from systems, application software, utilities, telecommunication lines, system software, etc., and also further directed that all computer access, including messages received, should be locked and security violations (suspected or attempted) should be reported and follow up action should be kept in mind while framing future policy. The said circular, directed all banks offering Internet Banking to take review of their systems and report to the Reserve Bank the type of services offered, extent of their compliance with their recommendations, deviations and their proposal indicating time frame for compliance.
13. Mr. Jagtiani has also placed on record several newspaper reporting, which according to him is indicative of large number of frauds being detected in online banking and that the amount involved running into several crores. Though, he is conscious of the fact that the newspaper reporting may not be accepted by the Court as it is, it is his submission that it is only indicative of the susceptibility of the online banking system to frauds and deserves a serious concern.
14. According to the learned senior counsel, it is not for the first time that such an issue is before the Court, as according to him, several High Courts have grappled with such type of transactions and on appreciation of the gamut of the fraud have directed the banks to reverse the fraudulent transactions, thereby enforcing the RBI Notification dated 6/07/2017 in exercise of power under Article 226 of the Constitution.
At the outset, Mr. Jagtiani has placed reliance upon the decision of Gauhati High Court in case of Pallabh Bhowmick Vs. Ombudsman, Reserve Bank of India & Ors.(2023 4 GAU LR 366), where the Single Judge of the Gauhati High Court, with reference to the circular of the RBI, arrived at a conclusion that the Bank had failed to establish any negligence on part of the Petitioner, who approached the Court, when three online transactions from the Petitioner’s account occurred, when he downloaded the ‘mobile app’, on being prompted by the fraudsters, though, under the impression that he would receive refund up his money from ‘Louis Philippe’. Recording that the three transactions were evidently unauthorized as the Petitioner never intended to transfer any amount by downloading the mobile app and with no denial from the bank that the transactions were unauthorized, merely because the Petitioner had downloaded the mobile app, it was held that it cannot by itself lead to the presumption of negligence on part of the Petitioner in assisting the unauthorized transactions. The Court rather observed that had the Bank installed effective cyber security system and online fraud control measures then in that event, even if a mobile app is downloaded by a customer, money could not have been transferred from the bank account without proper authorization.
With reference to the responsibility of the bank, as contemplated in RBI circular of 6/07/2017, the guidelines to be followed by the Banks for safety of their customers using online banking facility, it is highlighted that the guidelines include the necessity of putting in place a robust and dynamic fraud detection and prevention mechanism.
Mr. Jagtiani would submit that the said decision is upheld by the Division Bench of the Gauhati High Court, and subsequently by the Apex Court.
Reliance is alsoplaced upon the decision of Madras High Court in case of Dr. R. Pavithra Vs. Commissioner of Police & Ors(2023 SCC Online Mad 3165), once again granting relief in favour of the Petitioner based on the Notification of the RBI dated 6/07/2017.
Reliance is also placed upon the decision of Allahabad High Court in case of Awadhesh Singh Vs. RBI & Ors(2021 SCC Online All 301) and a decision of this Court in case of Jaiprakash Kulkarni & Anr Vs. Banking of Ombudsman & Orss in WP No. 1150 of 2023, where the Division Bench by relying upon the Cyber Cell reports revealing that unauthorized transactions have taken place without intimation to the Petitioners either on their mobile number registered with the bank or on their e-mail ID, directed the Bank in question to refund the amount illegally and unauthorizedly debited from the accounts to the Petitioners.
Apart from this, Mr. Jagtiani has also invited our attention to the suo motu cognizance taken by the Apex Court of the menace of Cyber fraud, digital arrest etc. and the directions issued to ensure that the public and specially vulnerable section of the public such as senior citizens are protected from such fraudulent activity. Laying his emphasis on lack of negligence on part of the Petitioner, Mr. Jagtiani would submit that the Petitioner is a victim of cyber fraud and he allege that the HDFC Bank has failed to take appropriate action despite an alert and when no OTPs were shared with him for enhancement of transfer limit, it is his submission that the negligence at the end of HDFC Bank, who has not even bothered to maintain proper KYC record in light of the circular of the RBI, it is his submission that the HDFC Bank is under obligation to reverse the fraudulent debit and therefore, a direction is sought against the HDFC Bank as well as to the RBI to enforce its own circular/guidelines.
15. Since the Petitioner was defrauded of a huge sum, and he had filed an FIR, according to him police investigation confirmed that there was no error or negligence on his part. It is the case of the Petitioner that there was no negligence on his part as he had not shared any password with any third party but according to him it is the HDFC bank which ignored its own security alerts marking the addition of payees as suspicious and nevertheless manually approved the addition of beneficiaries because the Petitioner’s ‘beep tone’ sounded suspicious.
16. Mr.Pratik Seksaria, the learned senior counsel, representing the HDFC Bank at the outset has raised an objection about the maintainability of the Petition against the HDFC Bank, a private entity, which is not discharging any public function/duty in relation to its banking business with the customer.
The learned Senior Counsel has invoked the principle laid down by the Apex Court in case of S. Shoba Vs. Muthoot Finance Ltd(2025 SCC Online SC 177), where the Apex Court, determined the issue as to whether the non-banking institution governed by the Rules and Regulations framed by RBI is amenable to writ jurisdiction and the said issue came to be answered in the negative, by holding that the Respondent cannot be termed as a ‘Public Body’, as it has no duty towards the public but its duty is towards its account holders, which may include the borrowers having availed the loan facility. Laying his emphasis on the test laid down by the Apex Court as to whether a body public or private shall be amenable or not amenable to the writ jurisdiction, he would submit that vital consideration for determination is held to be the ‘function’ test as regards the maintainability of the writ petition as it is held that if a public duty or public function is involved, any body, public or private, concerned with that duty or function and limited to that, would be subject to judicial scrutiny under extraordinary writ jurisdiction of Article 226 of the Constitution. He has also invoked the principle laid down by the Apex Court in case of Federal Bank Ltd. Vs. Sagar Thomas & Ors.((2003) 10 SCC 733), which was followed by the Division Benches of this Court in case of M/s. Ruchi Soya Industries Ltd. & Ors. Vs. IDFC Bank Limited & Ors.(2017 SCC Oline Bom 4252) and in case of VJ Jindal Cocoa Pvt. Ltd. & Anr. Vs. Union of India & Ors.in WP (L) No. 4051 of 2023.
According to Mr. Seksaria, the position of law as laid down in S Shobha (supra) by the Apex Court is a declaration of law, wherein the Supreme Court has categorically considered, the issue of maintainability of writ petitions in its extraordinary and prerogative jurisdiction against a public or private body. Drawing parallel from the said decision, it is the submission of Mr. Seksaria that the HDFC in relation to the Petitioner (account holder) cannot and does not discharge any public function or fulfill any public duty, merely because it is bound to follow the Reserve Bank of India Notification dated 6/07/2017.
17. In addition to the aforesaid submission, according to Mr. Seksaria, the Petition involves various disputed question of facts requiring evidence and based upon the pleadings in the Petition itself, it is the submission of Mr. Seksaria that when the Petitioner is disputing that he has received any alert on his registered email id with respect to (i) the addition/registration of new third-party beneficiaries; (ii) the Split-OTP sent by email on the registered Email Id of the Petitioner for increase of TPT limit; and (iii) the alert with respect to the increase of TPT limit and which is established by HDFC Bank by production of the Email logs maintained in ordinary and usual course of business coupled with a certificate confirming the same by a reputed third-party vendor, the matter require evidence, as it is for the petitioner to produce the best evidence in his possession.
18. Another objection raised by Mr.Seksaria is, the Petitioner is claiming his rights on the basis of the terms of contract or at the most based on the RBI Circular. According to him, the rights of the Petitioner are strictly governed by the terms of contract as a customer and the bank and any relief arising thereunder cannot be subject matter of writ nor can any order be issued to compel the authorities to remedy an alleged breach of contract.
Submitting that the Petition raises serious disputed questions of facts of complex nature which require evaluation of evidence, it is submitted that it would not be appropriate for this Court in exercise of its writ jurisdiction under Article 226 of Constitution of India to grant relief as prayed for as the power exercised by this Court deserve its exercise in extraordinary circumstances, which in the present case is non existent.
It is also urged by Mr.Seksaria that the Petitioner had filed a complaint against the Respondent with the Banking Ombudsman under the Integrated Ombudsman Scheme of 2021, which is constituted for redressal of complaints of customers on banking services provided by banks and to facilitate the settlement of those complaints. This complaint has also been closed by holding that there is no deficiency of service on part of the bank.
Apart from this, it is also urged that the RBI in its directions dated 06/07/2017 (RBI/2017-2018/15) on Customer Protection/Limiting Liability of Customers in Unauthorized Electronic Banking Transaction has clearly specified that the customer shall be liable for the loss occurred due to unauthorized transactions if the loss was due to negligence of the customer by sharing the payment credentials etc. and thus the Petitioner has an alternate efficacious remedy by approaching the adjudicating authority under the Information and Technology Act, and on this count also, the Petition deserve to be rejected.
19. On the factual aspect of the matter, relying upon the affidavit-in-reply, it is the submission of Mr.Seksaria that the Petitioner is having two accounts with the bank i.e. savings account as well as current account situated at Aundh Branch, Pune and the Petitioner is using the net banking after lockdown was declared on account of Covid-19 pandemic. It is pointed out to us that when on 14/07/2021, two persons were added as beneficiaries to the savings account of the Petitioner and one person was added as beneficiary to the current account of Ekam Consultants, and every time an SMS OTP was generated and sent to the registered mobile number of the Petitioner. Post the correct OTP generated and send, the new beneficiary was added to the account.
Apart from this, as a part of security control of the bank, the beneficiary was activated only post cooling period of 30 minutes. It is submitted that it is permissible for a customer to add/modify/delete to a maximum 7 beneficiaries in a day and it is only after the correct SMS OTP being entered by the Petitioner from his registered mobile number, the beneficiary was added to the accounts of the Petitioner.
Relying upon the affidavit, it is the categorical submission of Mr.Seksaria that 10 SMSs and 6 emails have been sent to the registered mobile number and registered email address of the Petitioner on 14/07/2021 and he has placed on record the copies of the OTP log, SMS log and email log evidencing OTP, SMS and emails being sent to the Petitioner.
Further, it is stated that on 14/07/2021 at about 3.10 p.m., third party transaction limit was increased from Rs.4 lakhs per day to Rs.40 lakhs per day and even for this increase, dual authentication is required in from of OTP+Debit Card details (ATM PIN and Card Expiry) or Split OTP (partial OTP on registered mobile number and partial OTP on registered email ID). It is the case of the Respondent that Split OTP was generated and sent to the registered Mobile number and the registered email address of the Petitioner and pursuant to this, the third party transaction limit was increased. According to the HDFC, as a part of security control, cooling period of 24 hours post third party transaction limit registration is in place to avoid any immediate fund transfers in case customer credentials have been compromised. This is so provided so as to give enough time to the customer to react and block his net banking to avoid unwarranted transactions. In this regard also, it is the stand of HDFC that two SMSes and 2 emails have been sent on 14/07/2021, when the third party transaction limit has been reset/increased.
20. As regards the actual transaction, which occurred on 15/07/2021, the affidavit states thus :-
“14. I say that on July 15, 2021, i.e. the day when the amounts were transferred from the aforesaid accounts of the Petitioner to the accounts of the beneficiary, OTP/s was/were generated and sent to the registered mobile number of the Petitioner. I say that only after putting the correct OTP/s, the amounts were transferred to the accounts of the beneficiaries. I say that in order to transfer funds through Immediate Payment Service ("IMPS") the customer needs to add the beneficiary and follow a six-step procedure, which procedure is described in Exhibit "H" hereto.”
21. Mr.Seksaria has relied upon the internal investigation carried out by the Bank immediately, when the Petitioner was called for questioning and it was informed that he was facing issue with BSNL network since many months and his network was fluctuating and he had visited BSNL office, Pimpri Chinchwad on afternoon of 13/07/2021 to upgrade his SIM and he received the new SIM immediately, however, the network issue still persisted. Hence, he visited the BSNL office on 15/07/2021 after 4.00 p.m., when a new SIM was again allotted to him, but he was still facing the network issue. According to the stand of HDFC, the Petitioner had informed the investigating team that (1) During the period from 13/07/2021 to 15/07/2021, he has received all messages/calls except transaction alerts from the Respondent and (2) He has not received any alerts on his registered mobile number as well as email ID.
22. The stand of the Respondent in its reply affidavit and through the arguments advanced by Mr.Seksaria, is very specific and it is so worded in the affidavit as below :
“22. I say that from the above it is clear that the login ID, password, telecom number are only known to the Petitioner and without latches on his part, no other person can operate his accounts. All transactions were initiated and completed upon proper validation of customer credentials. That OTP was generated through the registered mobile number linked with the accounts and that transaction was validated upon furnishing the OTP so generated through the system. All fund transfers were authenticated through OTP. To what extent the Petitioner can be made responsible for such negligence is a matter of probe and adjudication through a civil suit.
23. I say that as per the investigation the Device ID of the disputed transactions are matching with other genuine transactions. The Device ID of genuine transaction is "dd2f85a9-9eab-2011-2b76- 10509083a811” which matches exactly with the disputed transactions Device Id “dd2f85a9-9eab-2011-2b76-10509083a811”. As per the complaint of the Petitioner, the Petitioner performs all his transactions through desktop/laptop and not through mobile. All disputed transactions were performed through the same desktop/laptop.”
23. Mr.Seksaria would place heavy reliance upon the report of the internal investigation prepared by its officer in form of an Excel wordbook comprising of 19 distinct worksheets, including the checklist, disputed transactions accounts statement, RSA logs, staff investigation with the riders i.e. the observations of the bank on distinct issues, which were investigated.
On investigation, the conclusion reached based on the customer interaction, the report record that the customer was disputing eight transactions amounting to Rs.38.04 lakhs from his two HDFC accounts and he has received SMS alert in respect of one transaction of Rs.2.14 lakhs on 15/07/2021 at 15.48.18, but he has received SMS at 17.55 p.m. and when he checked his account statement and realised that the amount from his account has been diverted, and he raised a complaint with the bank.
It is urged that though the case of the Petitioner in the Petition is not about any issues faced by him with BSNL network, during the internal investigation, he disclosed that he was facing issued with BSNL network since many months, as the network was fluctuating and about his visit to the BSNL office on 13th as well as 15th July. His statement was categorically noted that he was present at his home between 3.00 to 4.00 p.m. on 15/07/2021, when the alleged transaction occurred.
24. The Report of internal investigation, on which the Bank has relied, has recorded thus :-
“System Review
Customer access his netbanking through his Personal Laptop and has never registered for Mobile Banking.
From both the accounts, total 4 transactions are of RTGS and the beneficiary additions has happened only post the OTP authentication one day earlier. SMS & email alerts for beneficiary additions were very much sent and delivered to the registered mobile number. Transactions were also authenticated through OTPs.
4 transactions are of TPT and the beneficiary additions has happened only post OTP authentication one day earlier. SMS & email alerts for beneficiary additions were very much sent and delivered. Transactions were also authenticated through OTPs. All the disputed transactions are on a single day of 15/July/2021 from both of his accounts.
There has been increase in TPT limit to 40 lakhs one day earlier to the disputed transaction date and Split OTP (SMS + Email) authentication has been used.
IP addresses of the disputed transactions does not match with the previous transactions of the customer.
However according to the RSA Logs. The Device ID of the all the disputed transactions are matching with the previous genuine transaction of the customer...
IPIN has not been changed prior and post to the disputed transactions in both the accounts.
On probing the customer regarding his previous transactions on 04th July 2021, 27th April 2021 and the password change on 04th July 2021. Customer states he himself has done the transactions and changed his password (for these genuine transactions the Device ID is matching with Disputed Transactions ID).
The Device ID of the above mentioned genuine transaction is "dd2f85a9-9eab-2011-2b76-10509083a811”.
25. In respect of the Monitoring Perspective, the internal investigation has revealed thus:-
“As confirmed by Saravanakumar.R (S30856) "Beneficiary addition attempt got alerted to monitoring for review.
Tried reaching the customer but unable to establish the contact".
Dialer report for the callout attempt initiated from monitoring is attached in the Disputed Tnx Sheet.
However None of the 8 transactions were Alerted.
Please find the analytics team comments for the transactions post the bene addition.
Bank has automated Risk based on authentication system where the risk score is calculated based on usage pattern of the customer nature of transaction and other factors and High risk transaction is declined but in this case the risk score was 691 hence it is not declined/alerted.”
26. From the report of investigation, it is noted that the total time taken for debit from the victim’s account is 40 minutes and it started from 3.07 p.m. and ended with last transaction at 3.48 p.m. and the total time taken for credits and debits in the first beneficiary account is approximately 1 hour and in case of second beneficiary account, it is about 55 minutes. In this regard, it is concluded thus :-
“ In totality, the entire movement of funds starting from victim accounts followed by transfers and withdrawals from beneficiary accounts happened within 1 hour 10 minutes with an end time of 4.17 PM dated 15/July/2021; which indicates this to be a pre- planned execution with involvement of supposedly multiple people at a time on field for ATM withdrawals and for on-line action.
Going with the SMS/Email alert logs, the fraud could have been stopped/minimized with nil exposure if instant action would have been taken by the customer at the time of beneficiary addition alert one day earlier to the disputed transactions day or at least blocking of his account at the time of the very first debit alert SMS.”
27. In the Check List, it is important to note the following :-
The report also state the reason for transaction not being alerted and this comes from the Risk Intelligence and Control Unit as below :-
Dear Venkatesh,
As discussed, for the mentioned customer id the beneficiary addition transaction has been alerted in RSA for the Rule “Decline Add Payee-Blacklisted Accounts.”
Also, please find the analytics team comments for the transactions post the bene addition.
Bank has automated Risk based on authentication system where the risk score is calculated based on usage pattern of the customer nature of transaction and other factors and High risks transaction is declined but in this case the risk score was 691 hence is not declined/alerted.
Thanks & Regards
Vignesh Vaidhyanathan
Risk Intelligence & Control Unit.”
28. In Rider 3, which is placed on record, when the Petitioner made a complaint, the messages generated demanding urgent attention are also placed before us and it is necessary for us to reproduce the relevant portion.
“date: 16-07-2021 18:26 Subject: Re: Fw:TRNX ALERT-- Fraud Transaction of 35 Lakhs SUBODH CHANDRAKANT KORDE Account number - 00521000116116 Very Very Urgent attention ******** Case Number - 15596609 Hi All, PFB Case facts as requested, Beneficiary addition attempt got alerted to monitoring for review. Tried reaching the customer but unable to establish the contact. PFB Alert action details, Txn Date Description Amount Alerted / Not Alerted Remarks 14-07-2021 15:07 Beneficiary Addition - Alerted Tried reaching the customer but unable to establish the contact 14-07-2021 15:11 Beneficiary Addition - Alerted 15-07-2021 15:07 50100408968780-TPT-SELF-SAMIR TAMANG 500,000.00 Not Alerted Not Alerted 15-07-2021 15:09 RTGS DR-ICIC0004177-ALOKE PAL-NETBANK, MUM- HDFCR52021071553132261-SELF 700,000.00 Not Alerted Not Alerted 15-07-2021 15:13 50100408968780-TPT-SELF-SAMIR TAMANG 600,000.00 NotAlerted Not Alerted 15-07-2021 15:22 50100408968780-TPT-SELF-SAMIR TAMANG 600,000.00 Not Alerted Not Alerted 15-07-2021 15:24 RTGS DR-ICIC0003314- SUBHOMOY BISWAS-NETBANK, MUM- HDFCR52021071553133257- SELF 550,000.00 Not Alerted Not Alerted 15-07-2021 15:27 RTGS DR-ICIC0003314-SUBHOMOY BISWAS-NETBANK, MUM- HDFCR52021071553140357-SELF 400,000.00 Not Alerted Not Alerted 15-07-2021 15:48 50100408968780-TPT-SELF-SAMIR TAMANG 214,000.00 Not Alerted Not Alerted PFB Dialer report for the callout attempt initiated from monitoring. Regards, Saravanakumar.R Risk Intelligence & Control …..”
The further correspondence alerting the banking system also record thus :-
“----Prashant Patil/Retail Branch Banking/Boat Club/HBL wrote :----
To : Viral Kothari/Digital
Banking/Peninsula/HBL@HDFCBANK
From : Prashant Patil/Retail Branch Banking/Boat CLUB/hbl
Date : 07/15/2021 06:29 pm
Subject : Fraud Transaction of 35 Lakhs_SUBODH CHANDRAKANT KORDE_Account number- 00521000116116
Very Very Urgent attention ******_Case Number – 15596609
Dear Sir
One of out customer informed that his account is been debited with total amount of 35 Lakhs fraudulently. Kindly help to get if detected and reversed Account number – 00521000116116 Customer id-42263358
Regards,
Prashant Patil
Imperia Relationship Manager
9021070594
prashant.patil@hdfcbank.com”
“SUBODH CHANDRAKANT KORDE _ Account number – 00521000116116_Very Very Urgent attention ******_Case Number -15596609 Dear John, The funds from the customer a/c has been credited to beneficiary who is from your branch. Beneficiary name Samir Tamang Cust ID 162969236. Dear Milind, Further funds have been transferred from Samit Tamang to Rijohn Tamang who has an account in your branch. Cust ID 162969449 Dear RTGS Cell team/Kasim, please assist in recalling the funds from ICICI Bank.”
29. The Account Statement of the Petitioner also forms part of the internal report which reflect the transactions.
The IP investigation reveal that the transactions on 14/07/2021, are done from IP 45.137.126.18 and the IP location is Chennai. The disputed transactions, on 15/07/2021 right from 03:06:57 PM IST to 3:18:18 PM IST is reflected to be done from WEB with same IP 45.137.126.18 and the IP location is shown to be once again Chennai. As far as the genuine transaction of the Petitioner is concerned, the IP is 103.198.166.221 and the IP location is Pune. The IP of the user activity of modifying the limit on 14/07/2021 at 3:09:14 PM IST is again from the same IP 45.137.126.18 and the IP location is Chennai.
The email logs are also produced by Mr.Seksaria to establish that the emails were sent to the Petitioner, but admittedly there is no proof of its receipt.
30. In light of the aforesaid investigation report, it is the submission of Mr.Seksaria that the bank is not at all at fault, as for every transaction an email alert was sent and delivered on the registered email ID of the Petitioner and in case of addition/registration of third party beneficiary, which took place on 14/07/2021 at 03:01:09 PM IST and the transaction payment took place only on next day i.e. 15/07/2021 on 03:06:57 (IST) i.e. after lapse of more than 24 hours. Thus, according to the HDFC Bank, all the necessary protocols were followed by the bank, both at the time of enhancement of the TPT limit which require the account holder to enter a Split OTP, which involve two different OTPs sent to (i) registered mobile number and (ii) registered Email ID and only upon successful completion of such Split Verification, the TPT limit was increased. Further more, once the TRP limit is increased, once again an alert is sent both as an SMS to the registered mobile number and also to the registered email ID and based upon this, it is the contention of Mr.Seksaria that the Petitioner was every time alerted about the transaction, which he carried out and, therefore, the bank cannot be said to have acted in breach of any protocol and liable for reverting the amount.
31. Dealing with the objection raised by Mr.Seksaria about the maintainability of the Writ Petition under Article 226 of the Constitution, we have given our thoughtful consideration to the objection as well as the response to the same by Mr.Jagtiani, as the respective senior counsel have placed reliance upon various authoritative pronouncements.
The power of High Court to issue writs, as contained in Article 226, clearly provide that every High Court shall have power, throughout the territories in relation to which it exercises jurisdiction, to issue to any person or authority, including in appropriate cases, any Government within those territories, orders or writs for the enforcement of any of the rights conferred by Part III and for any other purpose.
32. As early as in 1989 in Andi Mukta Sadguru Shree Muktajee Vandas Swami Suvarna Jayanti Mahotsav Smarak Trust & Ors. Vs. V.R.Rudani & Ors.((1989)2 SCC 691), the Hon’ble Apex Court, expounded the scope of Article 226 by declaring that the power conferred on the High Court under Article 226 to issue writs in the nature of prerogative writs is a striking departure from the English Law, as under Article 226, the writ can be issued to any person or authority and the term ‘authority’ used in the context must receive a liberal meaning unlike the term in Article 12, which is relevant only for the purpose of enforcement of fundamental rights. Further, it is held that the words ‘Any person or authority’ used in Article 226 are not confined only to statutory authorities and instrumentalities of the State and they may cover any other person or body performing public duty, the form of such body being not of much relevance, but what is relevant is the nature of duty imposed on the body.
The observation of the Apex Court in paragraph 22 is of great significance and we reproduce the same.
”22. Here again we may point out that mandamus cannot be denied on the ground that the duty to be enforced is not imposed by the statute. Commenting on the development of this law, Professor de Smith states: "To be enforceable by mandamus a public duty does not necessarily have to be one imposed by statute. It may be sufficient for the duty to have been imposed by charter, common law, custom or even contract." We share this view. The judicial control over the fast expanding maze of bodies affecting the rights of the people should not be put into watertight compartment. It should remain flexible to meet the requirements of variable circumstances. Mandamus is a very wide remedy which must be easily available 'to reach injustice wherever it is found'. Technicalities should not come in the way of granting that relief under Article 226. We, therefore, reject the contention urged for the appellants on the maintainability of the writ petition.”
33. In Praga Tools Corporation Vs. C.A.Imanual((1969) 1 SCC 585), the Hon’ble Apex Court held that a mandamus can be issued to an official of a society to compel him to carry out the terms of the statute under or by which the society was constituted or governed and also to companies or corporations to carry out duties placed on them by the statutes authorising their undertakings. Reliance was placed upon Halsbury’s Laws of England, third Edition, Vol.II Page 52, which held thus :
“A mandamus would also lie against a company constituted by a statute for the purpose of fulfilling public responsibilities.”
34. A decision on which reliance is placed by the respective senior counsels representing the opposing parties is the decision in case of Federal Bank (supra)
The pronouncement of the Apex Court revolved around a Branch Manager, Respondent No.1, working in Federal Bank, who was awarded punishment of dismissal pursuant to an enquiry being carried out and when he filed the writ petition in the Court, preliminary objection was raised to its maintainability, by canvassing that, it is a private bank and not a State or its agency or instrumentality, within the meaning of Article 12 of the Constitution of India, hence a writ petition under Article 226 of the Constitution is not maintainable.
The Single Judge of the High Court found that the Federal Bank is performing public duty and, therefore, it would be covered with the definition of ‘other authority’ within the meaning of Article 12 of the Constitution of India and as such, the writ petition is maintainable. An appeal was preferred against the said decision, which was dismissed by directing the Single Judge to decide the matter on merit.
In this background the question which fell for consideration before the Apex Court was, whether the appellant Bank is a private body or falls within the definition of the State or local or other authorities under the control of the Government within the meaning of Article 12.
35. Referring to the decision of seven-Judge Bench in Pradeep Kumar Biswas Vs. Indian Institution of Chemical Biology & Ors.((2002) 5 SCC 111) and also to the decision in case of Ajay Hasis Vs. Khalid Mujib Sehravardi((1981) 1 SCC 722), it was noted that concept of instrumentality or agency of the Government is not limited to a corporation created by a statute but is equally applicable to a company or society and in a given case it would have to be decided, on a consideration of the relevant factors, whether the company or society is an instrumentality or agency of the Government so as to fall within the meaning of the expression 'authority' under Article 12. The submission advanced on behalf of the Bank, in specific, is that it is a ‘company’ incorporated under the Indian Companies Act, 1913 and its activities are regulated by the provisions of the Banking Regulation Act, 1949, with its entire shareholding held by private individuals, and that it does not perform any sovereign function nor does it exercise any authority over the third person. The nature of the activity of the Bank was argued to be a commercial as it received deposits from individuals and advance loans and performs other ancillary monetary transactions. It was, therefore, urged that it is neither a “State” nor any “authority” within the meaning of Article 12 of the Constitution, and, hence not amenable to writ jurisdiction of the High Court.
The respondent, on the other hand, urged that RBI exercises control over the banking companies and on taking into consideration the provisions of the Banking Regulation Act, 1949, which indicated deep and pervasive statutory control of the Central Government over the scheduled banks, an argument was advanced that the banks discharge functions of a public nature and own statutory responsibilities, and, hence, there is an element of public law involved in its activities. It was also canvassed that the Banking Regulation Act provide of licensing of banking companies and unless and until a bank holds license issued by Reserve Bank, it is not permissible to carry out the banking activity.
36. In the wake of the contra submissions advanced, the Apex Court held as below :-
“32. Merely because the Reserve Bank of India lays the banking policy in the interest of the banking system or in the interest of monetary stability or sound economic growth having due regard to the interests of the depositors etc. as provided under Section 5(c)(a) of the Banking Regulation Act does not mean that the private companies carrying on the business of or commercial activity of banking, discharge any public function or public duty. These are all regulatory measures applicable to those carrying on commercial activity in banking and these companies are to act according to these provisions failing which certain consequences follow as indicated in the Act itself. As to the provision regarding acquisition of a banking company by the Government, it may be pointed out that any private property can be acquired by the Government in public interest. It is now a judicially accepted norm that private interest has to give way to the public interest. If a private property is acquired in public interest it does not mean that the party whose property is acquired is performing or discharging any function or duty of public character though it would be so for acquiring authority.”
In regards to the decision in the case of Andi Mukta (supra), it was observed that though a mandamus can be issued to any person or authority performing public duty, owing positive obligation to the affected party and, therefore, the writ petition was held maintainable since the teacher whose services were terminated by the institution was affiliated to the University and was governed by the ordinances casting obligations which it owed to the petitioner. The said decision was, therefore, distinguished, but confirmed the finding that no writ would lie against the private body unless it has some obligation to discharge which is either statutory or of public character.
In conclusion, it was held thus :-
“33. ….a private company carrying on banking business as a scheduled bank, cannot be termed as an institution or company carrying on any statutory or public duty. A private body or a person may be amenable to writ jurisdiction only where it may become necessary to compel such body or association to enforce any statutory obligations or such obligations of public nature casting positive obligation upon it. We don't find such conditions are fulfilled in respect of a private company carrying on a commercial activity of banking. Merely regulatory provisions to ensure such activity carried on by private bodies work within a discipline, do not confer any such status upon the company nor puts any such obligation upon it which may be enforced through issue of a writ under Article 226 of the Constitution. Present is a case of disciplinary action being taken against its employee by the appellant Bank. The respondent's service with the bank stands terminated. The action of the Bank was challenged by the respondent by filing a writ petition under Article 226 of the Constitution of India. The respondent is not trying to enforce any statutory duty on the part of the Bank. That being the position, the appeal deserves to be allowed.”
37. The aforesaid decision provide the guiding principle for the proposition that a private body or person may be amenable to writ jurisdiction, where is becomes necessary to control such body or association to enforce any statutory obligations or obligations of public nature casting a positive obligation upon it and merely because the appellant bank was under the control of RBI, by itself do not amount to exercise of any statutory function or it being recognised as an institution having State protection as no Government agency or officer was connected with the affairs of the bank and there is no participation or interference of the State or its authorities.
38. The aforesaid decision is followed by another decision of the Apex Court in Binny Ltd. & Anr. Vs. V. Sadasivan & Ors.((2005) 6 SCC 657), where the Apex Court pronounced upon the ‘public function’, discharged by a private party and with reference to the power of the High Court under Article 226 of Constitution to exercise judicial review and issuance of any direction or order or writ for enforcement of any of the rights conferred by Part III or for any other purpose, it was noted that the jurisdiction is very wide, but it remained an accepted principle that it is public law remedy and is available against a body or person performing public function. Following the proposition set out in the Administrative Law (9th Edn) by Sir William Wade and Christopher Forsyth, it was categorically noted thus :-
"A distinction which needs to be clarified is that between public duties enforceable by mandamus, which are usually statutory, and duties arising merely from contract. Contractual duties are enforceable as matters of private law by the ordinary contractual remedies, such as damages, injunction, specific performance and declaration. They are not enforceable by mandamus, which in the first place is confined to public duties and secondly is not granted where there are other adequate remedies. This difference is brought out by the relief granted in cases of ultra vires. If for example a minister or a licensing authority acts contrary to the principles of natural justice, certiorari and mandamus are standard remedies. But if a trade union disciplinary committee acts in the same way, these remedies are inapplicable: the rights of its members depend upon their contract of membership, and are to be protected by declaration and injunction, which accordingly are the remedies employed in such cases."
By placing reliance upon the earlier observations in VST Industries Limited Vs. VST Industries Workers’ Union & Anr.((2001) 1 SCC 298), where reliance was placed upon de Smith, Woolf and Jowell’s Judicial Review of Administrative Action (5th Edn.), noting that all the activities of the private bodies are subject to private law, for example, the activities by private bodies may be governed by the standards of public law when its decisions are subject to duties conferred by statute or when, by virtue of the function it is performing or possibly its dominant position in the market, it is under an implied duty to act in public interest. An illustration was cited and based on it, the proposition was laid as below :-
“19. ….By way of illustration, it is noticed that a private company selected to run a prison although motivated by commercial profit should be regarded, at least in relation to some of its activities, as subject to public law because of the nature of the function it is performing. This is because the prisoners, for whose custody and care it is responsible, are in the prison in consequence of an order of the court, and the purpose and nature of their detention is a matter of public concern and interest. After detailed discussion, the learned authors have summarized the position with the following propositions :
(1) The test of whether a body is performing a public function, and is hence amenable to judicial review, may not depend upon the source of its power or whether the body is ostensibly a "public" or a "private" body.
(2) The principles of judicial review prima facie govern the activities of bodies performing public functions.
(3) However, not all decisions taken by bodies in the course of their public functions are the subject-matter of judicial review. In the following two situations judicial review will not normally be appropriate even though the body may be performing a public function:...”
38. The decision in case of Federal Bank (supra) when cited, it was noted that, a private company carrying on business as scheduled bank cannot be termed as carrying on statutory or public duty and it was held that any business or commercial activity cannot be classified as the one falling within the category of discharging duties or functions of public nature. As regards the exercise of power under Article 226, it is held as below :-
“29. Thus, it can be seen that a writ of mandamus or the remedy under Article 226 is pre-eminently a public law remedy and is not generally available as a remedy against private wrongs. It is used for enforcement of various rights of the public or to compel the public/statutory authorities to discharge their duties and to act within their bounds. It may be used to do justice when there is wrongful exercise of power or a refusal to perform duties. This writ is admirably equipped to serve as a judicial control over administrative actions. This writ could also be issued against any private body or person, specially in view of the words used in Article 226 of the Constitution. However, the scope of mandamus is limited to enforcement of public duty. The scope of mandamus is determined by the nature of the duty to be enforced, rather than the identity of the authority against whom it is sought. If the private body is discharging a public function and the denial of any right is in connection with the public duty imposed on such body, the public law remedy can be enforced. The duty cast on the public body may be either statutory or otherwise and the source of such power is immaterial, but, nevertheless, there must be the public law element in such action. Sometimes, it is difficult to distinguish between public law and private law remedies. According to Halsbury's Laws of England 3rd Edn., Vol.30, p.682
“1317. A public authority is a body, not necessarily a county council, municipal corporation or other local authority, which has public or statutory duties to perform and which perform those duties and carries out its transactions for the benefit of the public and not for private profit."
There cannot be any general definition of public authority or public action. The facts of each case decide the point.”
Conclusively in para 32, the Apex Court held thus :-
“32. Applying these principles, it can very well be said that a writ of mandamus can be issued against a private body which is not “State” within the meaning of Article 12 of the Constitution and such body is amenable to the jurisdiction under Article 226 of the Constitution and the High Court under Article 226 of the Constitution can exercise judicial review of the action challenged by a party, But there must be a public law element and it cannot be exercised to enforce purely private contracts entered into between the parties.”
39. The aforesaid authoritative pronouncements from the Apex Court continued to be the guiding principle for various High Courts and one such decision cited before us is of the Bombay High Court in M/s Ruchi Soya Industries Ltd. & Ors. (supra), when by applying the ratio of Federal Bank’s case, it is held that a petition filed by petitioner No.1, when faced an objection about its maintainability under Article 226 on behalf of IDFC Bank Ltd., with regards to the “Master Circular” on Willful Defaulters, the question that arose for consideration was formulated as, “Whether a private party is amenable to the writ jurisdiction of the Court”. With reference to the decision of the Federal Bank (supra), it is held that the respondent bank, being a subsidiary of IDFC Bank Ltd., which is a holding company with the Government having 60% shareholding, and noting that the company is not under any control, financial or otherwise of the State Government nor it is the instrumentality of the State, but the bank was carrying on its private business and was not under any public duty or obligation imposed by any statute, it was held that no mandamus shall lie and the petition filed under Article 226 of the Constitution was held to be not maintainable.
40. In yet another decision in VJ Jindal Cocoa Pvt. Ltd. (supra), which had the involvement of the HDFC Bank, and objection was raised that any dispute between the HDFC Bank and VJ Jindal Cocoa cannot possibly the subject matter of the writ proceedings, the Division Bench of this Court, on 10/03/2023, relied upon the principle of law laid down by the Apex Court in Federal Bank Ltd. (supra), which had held that merely because the RBI prescribe the banking policy and control various banks under the Banking Regulation Act would not necessarily convey that private entities that carry on the business of commercial activities of banking discharge any public function or duty. Reliance was also placed on the decision in the case of Chanda Deepak Kochhar Vs. ICICI Bank Ltd. Mumbai & Anr.(2020(5) MhLJ 219) where the Division Bench had held that no writ would lie against the ICICI Bank, being a private body , since it is not an instrumentality of the State.
Dealing with the contention that the HDFC Bank provide banking facilities and, therefore, discharge public functions, and, therefore, an application under Article 226 was maintainable against a person or body, who discharge public duties or public functions, the Division Bench arrived at a conclusion that there is no public duty or public function shown to be discharged by the HDFC Bank and holding that it is no sense doing it for collective benefit of the public nor is it appointed by RBI, it was held that it was purely in invocation in the context of private contractual dispute.
41. The decision of the Apex Court in S.Shobha (supra) is relied upon by Mr.Seksaria and according to him, the ratio flowing therefrom has foreclosed the issue, as the Apex Court had pronounced upon the ‘function’ test as regards the maintainability of writ application.
Dealing with Muthoot Finance Ltd., a company registered under the Companies Act, the High Court had held that it did not answer the definition of ‘State’ within the meaning of Article 12, nor the transaction of loan by pledging gold between the petitioner and the respondent could be said to be in public realm. Apart from this, the High Court also recorded a clear finding that the company is not discharging any function, which has trapping of a sovereign function, but it is a private company registered under the law and, therefore, it is not a ‘State’ and the remedy open for the petitioner would be to institute a civil suit to seek appropriate relief.
The aforesaid finding by the High Court received approval, as the Apex Court observed that the Muthoot Finance Ltd. is not a ‘State’ within the meaning of Article 12 of the Constitution and therefore not amenable to writ jurisdiction of the High Court under Article 226 of the Constitution. The contention that being a non-banking financial institution, it is governed by the Rules and Regulations framed by the RBI and if there is a breach thereof, the finance company is amenable to the writ jurisdiction did not find favour, when the Apex Court held that, the finance company has no duty towards the public, but its duty is only towards the account holders, which may include the borrowers having availed the loan facility and it has no power to take any action, or pass any order affecting the rights of the members of the public and the binding nature of its orders and actions is confined to the account holders and borrowers and its employees.
Laying its emphasis on whether a body, public or private, is amenable or not amenable to writ jurisdiction, the test laid down in paragraph 8 of the law report read thus :-
“8. A body, public or private, should not be categorized as “amenable” or “not amenable” to writ jurisdiction. The most important and vital consideration should be the “function” test as regards the maintainability of a writ application. If a public duty or public function is involved, any body, public or private, concerned or connection with that duty or function, and limited to that, would be subject to judicial scrutiny under the extraordinary writ jurisdiction of Article 226 of the Constitution of India.”
42. Mr.Seksaria has strongly relied upon the summation of the position of law emerging in peculiar facts, while entertaining a writ petition and he has asseverated that issuance of writ, the body or authority ought to be an instrumentality or agency of a State or it should have been entrusted with the functions as are Governmental or closely associated therewith, being of public importance or being fundamental to the life of the people and hence Governmental and though RBI for smooth conduct of its affairs in carrying on its business have formulated the regulatory measures to keep a check and provided guidelines, that itself is not sufficient for discharge of public function, so as to satisfy the criteria, whether the body is amenable to writ jurisdiction.
43. We have carefully perused the authoritative pronouncement of the Apex Court, which had the involvement of a company registered under the Companies Act and there can be no doubt about the legal proposition that writ jurisdiction would not lie against the company, as it does not enjoy the status of ‘State’ under Article 12 of the Constitution. In the facts of the case, where the loan was granted and the financier had acted contrary to the interim order, the Single Judge had held that the loan was granted under the statutory requirement as enunciated by the RBI but the Division Bench overruled the aforesaid observation and its view received approval from the Apex Court.
Reliance is placed upon the decision in the case of LIC of India Vs. Escorts Ltd.((1986) 1 SCC 264), where the Apex Court observed thus :-
“...Broadly speaking, the Court will examine actions of State if they pertain to the public law domain and refrain from examining them if they pertain to the private law field. The difficulty will lie in demarcating the frontier between the public law domain and the private law field. It is impossible to draw the line with precision and we do not want to attempt it. The question must be decided in each case with reference to the particular action, the activity in which the State or the instrumentality of the State is engaged when performing the action, the public law or private law character of then action and a host of other relevant circumstances.”
As regards the applicability of ‘function’ test, prescribing that if a public duty or public function is involved, any body, public or private, concerned or connected with that duty or function would be subject to judicial scrutiny in exercise of writ jurisdiction under Article 226 of the Constitution of India. The above pronouncement arises in the backdrop of the fact when the petitioner had secured loan from the respondent, a private company, by pledging gold and some dispute arose from the said transaction and in this peculiar fact, it was pleaded that while granting the loan, the statutory requirements ought to have been observed and particularly, it was also pointed out that the agreement between the company and the petitioner contained an arbitration clause, which was the part of the loan agreement. The Apex Court in S.Shobha was dealing with Muthoot Finance, a non-banking finance company and not a scheduled bank and, therefore, the restrictions and obligations imposed on a scheduled bank were held to be not applicable to the entity.
The emphasis of the Apex Court in laying down the ‘function’ test is the nature of obligation imposed upon the scheduled bank and there cannot be any quarrel about the proposition that when a private scheduled bank indulges in any commercial transaction like providing for a loan, accepting term deposits etc., a writ may not lie unless the action involves a statutory violation, but with the guidelines of the Reserve Bank of India in force, issued in larger public interest, and when the bank, though private, is acting in a capacity that involves public interest or performing the duties analogous to that of public body, which may include enforcement of RBI regulations, in such a case, a writ petition would be definitely entertained. If a private body is discharging a public function and the denial of any rights is in connection with the public duty imposed on such body, public law remedy is available for its enforcement. The duty cast on the public body may be either statutory or otherwise and the source of such power is immaterial but nevertheless there must be public law element in such action.
A public authority is not necessarily an authority established under the statute, but if it is the authority which performs duties and carries out transactions for the benefit of public, it would fall within the purview of ‘public authority’, as there is no general definition of a ‘public authority’ or ‘public action’ and facts of each case would decide whether the authority is a public authority.
44. Considering it from the point of view of scheduled bank, covered under the Reserve Bank of India Act, 1934, which has authorised the Reserve Bank to exercise supervisory jurisdiction over it. As per Section 42 it is imperative for the bank (scheduled bank) to maintain with the bank an average daily balance, the amount of which shall not be less than such percentage as may be prescribed, having regard to the needs of securing the monetary stability in the country.
The decision in S.Shobha (supra) involves a private company in contrast to a scheduled bank, which is duty bound to abide by the instructions/directions issued by the Reserve Bank of India, the apex body and it is imperative for the bank to follow the mandate of maintaining Cash Reserve Ratio (CRR) as directed, as the Reserve Bank considers it appropriate to direct the scheduled bank to maintain the reserve in the larger interest of economy of the country.
It is well within the power of the Reserve Bank to direct that every scheduled bank shall maintain in addition to the balance prescribed under sub-section (1), an additional average daily balance of the amount which shall not be less than the rate specified by it in the Notification being calculated with the reference to the excess of the total of the demand and time liabilities of the bank at the close of the business on the date specified in the Notification.
In addition, by virtue of sub-section (2) of Section 42, every scheduled bank is under an obligation to send to Reserve Bank of India a return signed by two responsible officers of such banks showing (a) to (g) at the close of business on the last day of each fortnight and every return shall be sent not later than five days after the date to which it relates.
Under sub-section (4), a scheduled bank, which fails to comply with provision of sub-section (2) is liable to pay a penalty of one hundred rupees for each day during which the failure continues.
45. Since the whole object underlying constitution of the Reserve Bank of India, being to regulate the issue of bank notes and keeping reserves with a view of securing monetary stability and to operate the currency and credit system of country to its advantage, the RBI exercises supervisory control over the scheduled banks with an imperative mandate that the weekly returns by the scheduled banks showing the time and demand liabilities shall be furnished to it. Power is also conferred upon the Reserve Bank to exempt the scheduled bank in difficulties, due to circumstances beyond its control in discharge of the obligations imposed under the statute. Thus, the scheduled bank definitely stands on a different footing from the company which is engaged in disbursement of financial assistance.
46. In exercise of the power conferred by clause (o) of sub- section (2) of Section 58 of the RBI Act, 1934, the Central Government has formulated “The Reserve Bank of India Scheduled Bank Regulations, 1951” to ensure compliance of the obligations cast under the Reserve Bank of India Act, 1934 and under the Regulations, it is imperative for the scheduled bank, not later than 14 days of its inclusion in the Schedule or if it is already included in the Schedule, when Regulations came into force to submit to the principal office of the bank, a written statement containing the information in Regulation 5(i). It is also mandatory to forward the list of the names, the official designations and specimen signatures of the officers of the Bank who are authorized to sign its returns and no change is allowed in regards the same without prior intimation to the RBI and in regards to matters specified in clause (b) of Regulation 5(i), no change shall be effected unless the Reserve Bank is satisfied that there is adequate reason for such change. By virtue of Regulation 7, it is imperative for the scheduled bank having savings bank department to submit a copy of the Regulations governing that department to the principal office of the bank within the period prescribed by 5(i) and any changes in such regulations shall also be intimated without delay to that office and every scheduled bank shall calculate the proportion, as at the close of business on the 30th September and 31st March of each year, of its demand/liabilities on the prescribed basis and the proportion so calculated, until the date of the next calculation , to be used in determining the demand and time liabilities. As per the said Regulation, scheduled bank is liable for imposition of penalty under Section 42 of the Act, when the Regulation become applicable.
47. In addition of the above scheme involving RBI, one another statute which comes into play is the Banking Regulation Act, 1949.
Section 35-A of the Act is the power of the Reserve Bank to give directions, if it is satisfied in the ‘public interest’ or in the interest of banking policy, it is necessary to issue directions to banking companies generally or to any banking company in particular, from time to time, and the banking companies/ company shall be duty bound to comply with such directions.
Reserve Bank of India, with its emphasis on customer protection and the recent surge in customer grievances relating to unauthorised transactions resulting in debits to the accounts/cards, had issued a Circular as early as in 2002 for reversal of erroneous debits arising from fraudulent or other transactions and on 06/07/2017, issued a fresh Circular, which is in consonance with the international standards, realising that with the introduction of electronic banking transactions, it is necessary to strengthen the systems and procedure so that the customers feel safe about carrying e-banking transactions. The RBI directed the banks to put in place appropriate systems and procedure to ensure safety and security of the electronic banking transactions and to have a robust and dynamic fraud detection and prevention mechanism.
In addition, the RBI has also prescribed the mechanism to assess the risk, resulting from the unauthorized transactions and measure the liabilities arising out of such events. It also directed appropriate measures to be taken by all scheduled Commercial Banks as well as Small Finance Banks and Payment Banks to mitigate the risk and protect themselves against the liability arising therefrom.
48. A reading of the Circular under which the Petitioner is seeking reversal of the amount debited to his account, has clearly set out the mechanism for reporting of unauthorised transaction by the customers, by prescribing thus :-
“Reporting of unauthorised transactions by customers to banks
5. Banks must ask their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic banking transactions. The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered. The customers must be advised to notify their bank of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction, and informed that the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/ customer. To facilitate this, banks must provide customers with 24x7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting unauthorised transactions that have taken place and/ or loss or theft of payment instrument such as card, etc. Banks shall also enable customers to instantly respond by "Reply" to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any. Further, a direct link for lodging the complaints, with specific option to report unauthorised electronic transactions shall be provided by banks on home page of their website. The loss/ fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer's response,if any, to them. This shall be important in determining the extent of a customer’s liability. The banks may not offer facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the bank. On receipt of report of an unauthorised transaction from the customer, banks must take immediate steps to prevent further unauthorised transactions in the account.”
49. In fixing the liability on the customer, in case of unauthorised transaction, the Reserve Bank has bifurcated liability into two types; ‘zero liability’ and ‘limited liability’.
A customer’s entitlement to zero liability is said to arise when the unauthorised transaction involving third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.
However, a customer will also be liable for the loss occurring due to unauthorised transaction, where the loss is due to negligence by a customer like where he has shared the payment credential. Even when there is a delay of making a complaint to the bank by the customer, despite the fact that the responsibility of the unauthorised electronic banking transaction lies neither with the bank nor with the customer but somewhere in the system, the customer will be fastened with the liability.
The bare perusal of the aforesaid guidelines/Circular by the Reserve Bank is evidently in larger public interest, as the RBI is conscious of the risk involved while adopting the electronic platform and it expected the Banks to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services.
50. The Reserve Bank of India, on 18/02/2021,has issued the Master Direction on Digital Payment Security Controls, by formulating it in form of the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021, which are specifically made applicable to the Scheduled Commercial Banks, Small Finance Banks, Payment Banks and Credit card issued NBFCs. The regulated entities to whom the Circular apply are also directed to formulate a policy for digital payments products and services with the approval of their Board, which shall ensure minimal customer service disruption with high availability of system/channels and adequate and appropriate review mechanism followed by swift corrective action.
We will be dealing with the Circulars and the policy of the Reserve Bank formulated for the safety and security of the customer a little while later, but for determining the present point for maintainability of Writ Petition, we have noted that the Circular/policy issued by the Reserve Bank is exercise of the power under Section 35A of the Banking Regulation Act, when the Reserve Bank thought it appropriate in the public interest and also in the interest of banking policy to issue directions which bind the Banks, and in specific, the scheduled bank like the HDFC.
With the aforesaid preface, we are of the specific opinion that the HDFC Bank may not be a ‘State’ or its instrumentality and even when it comes to the discharge of ‘public function’, in the wake of the test laid down in Federal Bank (supra) as well as in S.Shobha (supra), it may not be strictly discharging a public function, but when it comes to the protection of the customers with whom the Banks have dealing and if the Reserve Bank, in exercise of powers under Section 35A, has formulated certain guidelines for minimising the risk faced by the customers and if a customer alleges its breach, in our opinion, the Petition cannot be refused to be entertained on the ground that no writ can be issued to HDFC Bank for implementing or acting in consonance with the directions issued by RBI, while encouraging e-banking and being conscious of the fact that the Banks are expected to have a robust and dynamic fraud detection and prevention mechanism and also a redressal mechanism in case a customer falls prey to such fraud.
51. The Calcutta High Court in Society for Welfare of the Handicapped Persons & Anr. Vs. Union of India & Ors.(2025 SCC OnLine Cal 4056), in determining the issue, whether the petitioners are entitled for adequate compensation from the Axis Bank for causing loss to them on account of alleged diversion of funds as donated by different donors in its name, noted that the petitioner No.1 maintained its accounts in the Bank and were informed that some donations were made in the name of the society, but the account statement of the bank did not had any positive reflection to their credit. A written complaint was therefore filed with the jurisdictional police station and the investigation was taken up and the charge-sheet was filed.
The petition was filed seeking compensation from the bank where an objection was raised about its maintainability, which faced opposition and the learned Single Judge had an opportunity to appreciate the law laid down through the various authoritative pronouncements objecting to the entertainment of the writ petition against the bank.
With reference to the power of the High Court to issue writs under Article 226 of the Constitution, it was noted that Axis bank, being a private limited company, is a scheduled bank as per Section 2(e) read with second Schedule of the Act of 1934 and hence, it was governed by Act of 1949.
With reference to the provisions of Sections 45(b), 45(d) and 42 of the Reserve Bank of India Act, 1934, the learned Single Judge of the Calcutta High Court pronounced that the RBI authorities are empowered to collect the credit information from the Axis Bank and Section 42 of the Act of 1934 postulate that it being a scheduled bank, is duty bound to keep cash reserve with the RBI authority. Apart from this, it also took note of the fact that the scheduled banking company had to obtain license from the RBI authority, which is also empowered to cancel license on account of failure to comply with the conditions of license.
Exhaustive reference is made to Section 35A of the Act of 1949 empowering the Reserve Bank to give directions in public interest and the power to impose restrictions under Sections 46, 49 and 49A.
It is in light of the scheme of the enactment, the learned Single Judge has held thus :-
“35. On careful consideration of the aforementioned Sections of the said Act of 1934 as well as of the said Act of 1949 it thus appears to this Court that the respondent no.11 being a scheduled bank is duty bound to carry on its banking business within the periphery of the statutory provisions of the said two Acts as well as under the control and surveillance of the RBI Authority.
36. In view of such, this Court has got no hesitation to hold that the respondent no.11/Axis Bank is duty bound to carry out the directions issued time to time by the RBI Authority under cover of its different circulars.”
With reference to the decision in the case of Andi Mukta and Binny Ltd. (supra), which was cited, the Single Judge observed thus :-
“39. In the reported decision of Andi Mukta (supra) the Hon'ble Supreme Court also considered the proposition of law as decided in the case of Praga Tools (supra) and in the said judgment it has been held that Article 226 of the Constitution confers power on the High Courts to issue writs for enforcement of the fundamental rights as well as nonfundamental rights. It has been held further that the words "any person or authority" used in Article 226 of the Constitution are therefore, not to be confined only to statutory instruments of the State. The form of the body concerned is not much relevant. What is relevant is the nature of the duty imposed on the body and the duty must be judged in the light of positive obligation owed by the person or authority to the affected party. It has been held further that no matter by what means the duty is imposed, if a positive obligation exists mandamus cannot be denied.
In the reported decision of Andi Mukta (supra) it has also been held that the judicial control over the fast expanding maze of bodies affecting the rights of people should not be put into watertight compartment and on the contrary it should remain flexible to meet the requirements of variable circumstances. It has been further stated that mandamus is a very wide remedy which must be easily available to meet injustice wherever it is found.
40. In the reported decisions of Binny Ltd. (supra) it has been held by the Hon'ble Supreme Court that the scope of mandamus is limited to enforcement of public duty and such scope is determined by the nature of the duty to be enforced rather than the identity of the authority against whom it is sought. It has also been held that in the event a private body is discharging public function and the denial of any right is in connection with the public duty imposed on such body, the public law remedy can be enforced.
52. The decisions in case of Federal Bank Limited and S. Shobha (supra), were also referred to, but in the wake of the legislative scheme of Act of 1934 and Act of 1949, the Court observed thus :-
“50. In view of such, this Court has got no hesitation to hold that respondent nos. 11 l.e. the Axis Bank cannot avoid its liability in the process of opening of a fake bank account at its Prince Anwar Shah Road Branch in the name of the writ petitioner no. 1/society. It further appears to this Court that though an attempt has been made on behalf of the respondent nos. 11 to 13 to substantiate that the writ petitioner no. 2 was actively involved in the opening of the said bank account at its Prince Anwar Shah Road Branch however, such claim is found to be futile inasmuch as sufficient materials have been placed before this Court that in course of investigation in connection with the aforementioned P.S. case the involvement of the writ petitioner no. 2 was not at all found. It has also been noticed by this Court that the allegation of the respondent no. 11 that the said fake bank account at its Prince Anwar Shah Road was opened by using a cheque by the writ petitioners' banker i.e. Corporation Bank is found to be contrary to the truth.
51. … …. ...
53. From the reported decisions as cited from the Bar it appears that it is the consistent view of the Supreme Court as well as of different High Courts including our High Court that such plenary power under Article 226 can be issued against any person or body of persons and even against a company or a corporation in the event such persons or body of persons or company or corporation discharge public duties or responsibilities imposed upon it by a statute. It thus appear to this Court that in order to ascertain the maintainability of a writ petition against a person or body of persons or company or corporation the identity of the said person or body of persons or company or corporation need not be looked into however, it has to be ascertained as to whether the said private body is at all discharging any public function that is to say that there must be a public law element in the action of the said person or body of persons, etc.”
In view of the aforesaid, the writ petition was held to be maintainable and on merits, it was held that there was no difficulty to assess the loss suffered by the petitioner no.1-society and direction was issued to Axis Bank and its functionary to constitute a high level committee to determine the loss.
53. This decision was subjected to challenge before the Division Bench and on factual matrix, the Division Bench refused to return a finding that the writ petition, as it stands, is not maintainable as against the Axis Bank, as the writ petition also sought relief against the RBI and the cause of action of the writ petitioners against the RBI and Axis Bank were inseparably intertwined.
However, Mr. Jagtiani pointed out to us that the reliance placed upon the Circulars of the RBI are based on a footing of the bank acknowledging its responsibility and wrong doing, but the Axis Bank was failed to acknowledge the alleged wrong doing, as it was contesting the proceedings and it made a claim that it was not liable or responsible for the alleged loss at this stage. Though the Court refused to grant relief by observing that since the writ petition involved disputed questions of fact and the criminal case was yet to attain finality, and it would not be prudent to quantify any loss or damage in proceedings under Article 226 of the Constitution, however, as regards the maintainability of the petition, the Division Bench observed that it was not proposing to enter into an elaborate discussion on the aspect of the maintainability of the writ petition.
The judgment of the Division Bench was carried to the Apex Court and on 16/10/2025, the Apex Court directed that the report of the Three Member Committee directed to be constituted by the Single Judge, to be placed before it.
54. When the question that falls for consideration, whether a writ petition is maintainable against a private party/body, which is definitely not covered within the meaning of ‘State’ for the purposes of Article 12 of the Constitution, when we turned our attention to Article 226 of the Constitution, which is a power of the High Court to issue writs to “anyperson or authority” for enforcement of any of the rights conferred by Part III or for any other purpose, it can be discerned that the remedy of Article 226, being a public law remedy is available against a private party or person, if such private body is discharging a public function. As observed by the Apex Court in Binny Ltd. (supra), a public function may not be susceptible of a precise definition, but a private body discharges a public function when it seeks to achieve collective benefit for the public or section thereof and is accepted by the public or section thereof as having authority to do so. The entities which participate in social or economic affairs in the public interest, definitely discharge public function.
55. Board of Control for Cricket in India Vs. Cricket Association of Bihar & Ors.((2015) 3 SCC 251) is an authority which has pronounced upon the functions discharged by BCCI (Board of Control for Cricket in India) and while holding that it is not ‘State’ within the meaning of Article 12, the Court pronounced upon its amenability to judicial review in the wake of exercise of power under Article 226 of the Constitution. Applying the test laid down in Pradeep Kumar Biswas (supra), BCCI, an autonomous, non-governmental private body formed under T.N. Registration of Societies Act, 1975 was held to be not financially, functionally or administratively dominated or under the control of the Government so as to being it within the expression of ‘State’ in Article 12. However, since BCCI regulated and controlled all aspects of game of cricket in India, including conduct of matches, maintaining cricket amenities and infrastructure and even choosing players and umpires and in short, it held monopoly over the game of cricket in India, it is held that the body was discharging public functions and, hence, amenable to judicial review, dispute it not being ‘State’. The Apex Court pronounced that even if BCCI is not ‘State’ within the meaning of Article 12, it may not make any material difference in view of the admitted position that BCCI does discharge several important public functions, which make it amenable to the writ jurisdiction of the High Court under Article 226 of the Constitution, as it enjoyed monopoly status in the field of cricket though with no pervasive control and despite the fact that all its functions were not public functions, though they were not closely related to Government functions, it was held to be amenable to writ jurisdiction in the wake of the following observations.
“34. The functions of the Board are clearly public functions, which, till such time the State intervenes to takeover the same, remain in the nature of public functions, no matter discharged by a society registered under the Registration of Societies Act. Suffice it to say that if the Government not only allows an autonomous/private body to discharge functions which it could in law take over or regulate but even lends its assistance to such a non-government body to undertake such functions which by their very nature are public functions, it cannot be said that the functions are not public functions or that the entity discharging the same is not answerable on the standards generally applicable to judicial review of State action.
35. Our answer to Question (i), therefore, is in the negative, qua, the first part and affirmative qua the second. BCCI may not be “State” under Article 12 of the Constitution but is certainly amenable to writ jurisdiction under Article 226 of the Constitution of India.”
56. The test of whether a body is performing a public function and if it is amenable to judicial review would thus be dependent upon the surrounding circumstances and the nature of the function discharged by the private body. Undisputedly, if a private body discharges its functions which are contractual and commercial in nature, a writ cannot lie for its enforcement, but if a private body perform public duty, it is amenable to writ jurisdiction though all its decisions may not be subjected to judicial review and only those decisions which have public element can be judicially reviewed under writ jurisdiction.
In the modern era it is difficult to draw a clear line between the public and private functions discharged by a private body, as if an entity is performing in a public arena, and it involves public interest, it must definitely subject itself to the exercise of power of judicial review by a writ court, as it would be justiciable to exercise the power to prevent such bodies from acting in an arbitrary manner. It is different thing to say that a body or entity is not a ‘State’ for the purposes of Article 12, by applying the well determined test of the control of the State, but when it comes to exercise of power of the writ court to issue writ for enforcement of fundamental rights in Part III of the Constitution or for any other purpose, it will be necessary to see whether the discharge of the function by the body/entity has any public element involved and in case, where the bank like HDFC Bank, which conduct the banking business under the aegis and control of the Reserve Bank of India, being a scheduled bank and when the Reserve Bank in exercise of its power has framed guidelines/Master Circular for protecting the interest of the customers, who are likely to suffer on account of frauds, by prescribing certain guidelines, we do not find merit in the submission of Mr.Seksaria that for enforcement of the said guidelines, a writ petition is not maintainable. We, therefore, reject the preliminary objection raised.
57. It is not for the first time that the Circular issued by the Reserve Bank of India and the benefit available to a customer/account holder of the bank came up for consideration before the higher Courts and we have before us the decision of the learned Single Judge of Gauhati High Court in Pallabh Bhowmick (supra), where the benefit of RBI Circular dated 06/07/2017 was claimed, when the petitioner, a practicing Advocate, holding a saving bank account in the State Bank of India, Gauhati Branch was duped of Rs.94,204/- by three separate on-line transactions.
The Petitioner had made a online purchase of some garment from the ‘Louis Philippe’ store, which he wanted to return and get the money back. On 18/10/2021, he received a call from a fraudster, who identified himself as Respondent No.4 from State of Uttar Pradesh. Posing himself to be the Customer Care Manager of the famous brand ‘Louis Philippe’, HE asked the petitioner to download a ‘mobile app’ for the purpose of refund of Rs.4,000/- in lieu of return of a garment purchased by him and when the petitioner did so, Rs.94,204/- was siphoned off from his bank account by three separate online transactions. An amount of Rs.64,017/- was transferred by Payment Gateway transactions and two other transactions of Rs.15,903/- each followed. The amounts were initially transferred to the beneficiary account in the Federal Bank and thereafter, shifted to the other bank accounts.
The petitioner immediately informed to the customer care centre of the SBI with request to cancel the three transactions and on a complaint being registered, the SBI Debit Card of the petitioner was also blocked. An FIR was also filed with Jalukbari Police Station, which invoked Sections 417 and 420 of the Indian Penal Code. The petitioner made a complaint to Branch Manager, Panbazar Branch of the SBI informing him about the fraudulent transactions from his bank account and he also lodged complaint with Cyber Crime Cell of Criminal Investigation Department, Assam pertaining to three transactions.
The petitioner received an e-mail from the respondent No.3 informing that there has been illegal breach of their customer database whereby, information regarding some of the customers were released in cyber community, and according to respondent No.3, the website of ‘Louis Philippe’ was hacked when the petitioner had made online purchases on 05/10/2021.
58. With reference to the RBI Circular dated 06/07/2017 laying down guidelines for Customer protection-limiting liability of the customers in case of unauthorised electronic banking transactions, reference was made to various clauses and in specific, clause 9 dealing with ‘Reversal Timeline for Zero Liability/Limited Liability of customer’ in case of unauthorised electronic banking transactions. The said clause was construed and the opinion expressed by the learned Single Judge reflected as below :-
“21. As per clause 9, which deals with reversal timeline of zero liability/limited liability of customers in case of unauthorized electronic banking transaction, it would be the discretion of the bank to waive off any customer liability even in case of negligence of the customer. From a conjoint reading of the aforementioned clauses of the circular, it can be inferred that in case of un- authorized electronic transactions the Bank would have a duty to reverse the payment and credit the amount involved in the un- authorized transaction within a time frame, provided the fraudulent transaction is reported by the Customer within the time frame provided in the Circular. In an appropriate case, even the negligence, if any, on the part of the customer, can be waived by the Bank.
22. ….Had the Bank installed effective cyber security system and online fraud control measures then in that event, even if a mobile app is downloaded by a customer, money could not have been transferred from the bank account without proper authorization. Regardless of whether it was a UPI or PG transaction, it is not believable that the petitioner would deliberately share his OTP, password and MPIN so as to allow his hard earned money to be siphoned off from the bank account by a fraudster, that too, on three consecutive occasions, in quick successions. Rather, the incident appears to be pure and simple case of cyber crime whereby, the fraudster had hacked the database of respondent No. 3 and thereafter, got access to sensitive information pertaining to various customers of "Louis Philippe" including the petitioner which information was used for completing the fraudulent transactions. The participation on the part of the petitioner appears to be only to the extent of downloading the mobile app. Although the respondent No. 2 has contended that the petitioner had shared OTP, password and MPIN with the fraudster, yet, the said claim could not be substantiated by the Bank. Nothing has been stated in the counter- affidavit filed by the respondent No. 2 to indicate as to when, how and in what manner the OTP, MPIN and password was shared by the petitioner with the fraudster. No material particulars of the complicity on the part of the petitioner have been furnished in the affidavit. Therefore, this court is of the view that the respondent No. 2 Bank has completely failed to establish any negligence on the part of the writ petitioner.”
It was held that the online transactions that took place from the petitioner’s bank account were unauthorised and fraudulent and no negligence on part of the petitioner could be established by the bank and the case of the petitioner would fall within the ambit clauses 8 and 9 read with clause 10 of RBI Circular dated 06/07/2017 and, therefore, the petitioner will not have any liability in the matter and the bank was directed to reverse the payment in the savings bank account of the petitioner with liberty to recover the same from respondent No.3, by initiating appropriate legal proceedings, if so advised.
59. The Division Bench of the Gauhati High Court upheld the said decision, by recording that the incident appears to be pure and simple case of cyber crime, whereby the fraudster has hacked the database of respondent No.3 and got access to the sensitive information pertaining to the customers of the bank, which was used for completing the fraudulent transaction. Recording that the participation of the petitioner appears to be only to the extent of downloading the ‘mobile app’, it was held that the bank had failed to establish any negligence on part of the petitioner.
The observation of the Division Bench reads thus :-
“40. ...The Banks cannot absolve themselves of the liability towards losses suffered by the customers on account of unauthorized electronic transactions based on perceived negligence of the customers. In the present case, having considered the facts and circumstances of case and the materials available on record, we concur with the view of the learned Single Judge, that the appellant has failed to establish negligence on the part of the respondent no.1/petitioner leading to the fraudulent transactions. Thus, the learned Single Judge has rightly directed the appellant to deposit an amount of Rs.94,204.80/- (Rupees Ninety-four thousand two hundred four and Eighty Paisa) only, in the bank account of the respondent no.1/petitioner.”
Worth it to note that the Hon’ble Apex Court while dismissing the Appeal made very pertinent observations and we deem it appropriate to reproduce the same.
“2. We are in complete agreement with the observations as contained in Para 42 of the impugned judgment referred to above.
3. All that the High Court has said is that the original petitioner who suffered the loss was not negligent in any manner. All transactions relating to the account of the respondent No.1 -herein maintained with the petitioner - Bank were found to be unauthorized and fraudulent. It is the responsibility of the bank so far as such unauthorized and fraudulent transactions are concerned. The Bank should remain vigilant. The Bank has the best of the technology available today to detect and prevent such unauthorized and fraudulent transaction. Further, clauses 8 and 9 respectively of the RBI's Circular dated 6-7-2017 make the position further clear.
4. We also take notice of the fact that within 24 hours of the fraudulent transaction, the customer, i.e., the respondent No.1 - herein brought it to the notice of the Bank.
5. We expect the customers, i.e., the account holders also to remain extremely vigilant and see to it that the O.T.P.s generated are not shared with any third party. In a given situation and in the facts and circumstances of some case, it is the customer also who could be held responsible for being negligent in some way or the other.
60. In yet another situation, the Delhi High Court in case of Hare Ram Singh Vs. Reserve Bank of India & Ors. (W.P.(C) 13497/2022 decided on 18/11/2024), the issue raised, was considered after pronouncing upon the objection regarding maintainability of writ petition for implementing the mandatory Master guidelines formulated by the RBI, the High Court, in the background fact where the petitioner received an SMS containing a link, and upon receipt of an SMS getting a call convinced him to click on the link, so as to keep the SMS service on his mobile number open and operational, was duped of Rs.2,60,000/- by way of two transactions from his savings bank account in the State Bank of India.
Upon realizing that he has been defrauded, the petitioner dialled the Customer Care Department of the SBI and registered a complaint and asking it to hold on the transactions, but it was of no avail. He approached the Banking Ombudsman, who rejected the complaint and, thereafter, the petitioner preferred the writ petition. Dealing with the objection about maintainability, the Delhi High Court, concluded thus :-
“34 In view of the respondent No.2 and 3/SBI's violations of the aforesaid mandatory Master Guidelines formulated by the respondent No.1/RBI, the maintainability of the instant writ is beyond any challenge. It must be indicated that the aforesaid guidelines are by and large measures that the REs or the banks have to undertake, and the said guidelines do not restrict an affected party to take legal recourse for redressal of their grievances. The transactions in question would resultantly fall within the sweep of "zero liability" as referred to in the aforesaid RBI Circulars. Therefore, respondents No. 2 and 3/SBI are liable to compensate the petitioner for the incurred loss, along with interest, and pay token compensation.”
61. On merit, it is held that the petitioner was ‘victim’ of cyber fraud and he was not negligent in any manner under the notions of the civil law or for that matter under the criminal law, the observation in para 21 is apposite to be reproduced, which reads thus:-
“21. In my view, the petitioner was a ‘victim’ of cyber fraud and he cannot be said to be ‘negligent’ in any manner under the notions of the civil law or for that matter under the criminal law. Negligence implies “the duty to take care” that would be expected from a person of ordinary prudence. The negligent act on the part of the customer should be such which is gross, utterly reckless and unconscionable. In the present case, the petitioner had taken care not to share the OTPs, in fact he had no occasion to do so, and if that is the case, it would imply that even the most hyped 2 Factor Authentication [“2FA”] was breached as the same was not secure, which is directly attributable to deficiency in service provided by the respondent no.2 & 3 SBI.”
62. Once again the RBI Circular on Digital Payment Security Controls dated 18/02/2021 was invoked and the learned Single Judge concluded thus :-
“33. Lastly, it is well established under the Common Law, that funds in a bank account belong to the bank, but the bank acts as an agent for the principal (the customer). Consequently, the bank cannot refuse to process an online transfer if it appears to be authorized by the customer, however, upon detecting fraud, the bank has an implied duty to exercise reasonable care and take prompt action. Unhesitatingly, there was patent deficiency in services on the part of the bank, inasmuch as the response of the bank was lukewarm, defective, and not prompt. The respondent No. 2 i.e., SBI failed to take immediate measures to take up the issue with the other REs to whom the online payment had been remitted.”
Resultantly, a writ of mandamus was issued against the State Bank of India to make payment of Rs.2,60,000/- to the petitioner with interest @ 9% p.a. from the date when the fraud was reported within four weeks alongwith costs for legal proceedings.
We are informed that upon the matter being taken to the Apex Court, stay of the order passed by the learned Single Judge is granted subject to it tendering an FDR to the Registry of the amount involved, with direction for its renewal.
63. Another decision in this regard is in case of Jaiprakash Kulkarni (supra), where the Bombay High Court adopted a similar stance when the petitioner, who maintained the bank account, complained that on 01/10/2022 certain entities/individuals were added as beneficiaries, without an OTP being sent on registered mobile or registered e-mail IDs. According to the petitioners, on 02/10/2022, the accountant of the petitioner No.2-company informed the petitioners that he had received several messages from respondent No.2 regarding total sum of Rs.76,90,017/- being debited in several tranches to various unknown individuals by way of an online transaction. Since 02/10/2022 was a Sunday and a public holiday, the petitioners were certain that no transfer requests were initiated by them or any authorised person, to realise that money was illegally siphoned. Steps were taken by the petitioners by addressing communication to the bank as well as lodging of FIR. The petitioners even filed a complaint with Ombudsman, which was rejected on the ground that the transactions were completed post addition of the beneficiaries and input of valid credentials/2FA was only known to the account holder, and, therefore, there was no deficiency/lapse on the part of the bank.
64. In light of the facts placed through the petition and the counter submissions made by the bank, the Court held thus :-
“34 In the light of these three categorical reports by the Cyber Cell, which have been made after receiving information from the mobile service provider Airtel and the email service provider, Rediff mail, we are unable to accept the submission of Respondent No.2 that there was any negligence on the part of the Petitioners or that they had colluded with the persons/fraudsters who had debited the bank account of the Petitioners. In our view, from the said three reports of the Cyber Cell it is clear that both the bank and the Petitioners have been victims of fraud by third party fraudsters.”
65. Relying upon the Circular dated 06/07/2017 issued by the Reserve Bank of India, and in specific, clauses (9) and (12) thereof, the Division Bench concluded thus :-
“37. Both as per the said RBI Circular and the said Policy of Respondent No.2, a customer has zero liability when the unauthorized transactions occur due to a third party breach where the deficiency lies neither with the bank nor with the customer but elsewhere in the system and the customer notifies the bank regarding the unauthorized transactions within a certain time frame. Therefore, both as per the RBI Circular and the said Policy of Respondent No.2, the liability of the Petitioners in respect of the said unauthorized transactions would be zero as the unauthorized transactions have taken place due to a third party breach where the deficiency lies neither with Respondent No.2 nor with the Petitioners, as already held hereinabove on the basis of the said three Cyber Cell reports. In these circumstances, as per the RBI Circular and as per the Policy of Respondent No.2, the Petitioner is entitled to refund of the said amount from Respondent No.2. In this context, it is also important to note that, as per paragraph 12 of the RBI Circular, the burden of proving customer liability in case of unauthorized electronic bank transactions lies on the bank. In the present case, Respondent No.2 has no acceptable material to fasten any such liability on the part of the Petitioners. On the contrary, the three Cyber Cell Reports clearly show that the unauthorized transactions have taken place without any intimation to the Petitioners either on their mobile number registered with Respondent No.2 or on their email ID registered with Respondent No.2. For all the aforesaid reasons, Respondent No.2 will have to be directed to refund the amount illegally and unauthorizedly debited from the bank account of the Petitioners, to the Petitioners.”
As a result, the order passed by the Banking Ombudsman was quashed and set aside and the Bank was directed to refund to the petitioner an amount of Rs.76,90,017/- within a period of six weeks from the date of pronouncement of the order with interest at the rate of 6% p.a. from 02/10/2022 till date of its payment.
66. In light of the aforesaid decisions, which ensured the implementation of the Circular issued by the RBI in form of Consumer Protection Policy, clearly providing that the customer’s liability will be ascertained based on the time taken by the customer to report the unauthorized electronic banking transaction, and since the said circular has conferred certain right on the customer and if a customer has suffered loss due to third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and the customer has notified the bank immediately, he is entitled for reverting back the amount and share zero liability. If, however, the complaint is made within four to seven working days, the customer will share some responsibility and may not be entitled for remittance of the entire amount of which he is defrauded.
67. One significant feature of the RBI Circular is, that the burden of proving the customer’s liability in case of unauthorized electronic banking transaction lies on the bank.
Mr.Seksaria has vehemently urged before us that in case of Jaiprakash Kulkarni (supra), the three cyber cell reports made reference to the unauthorized transactions having taken place, without any intimation to the petitioners, either on the mobile number or e-mail ID and that was the prime justification for the bank having been directed to refund the amount, which was unauthorizedly debited from the bank account of the petitioners. In the present case, according to him, there is no cyber report so as to establish that there was a cyber fraud and, therefore, no direction can be issued to the bank.
As regards this submission, we must mention that the whole object of the RBI issuing the circular/guidelines is to protect the customer, who has fallen prey to unauthorized transactions resulting in debit to his account/card, when the transaction is effected through electronic banking. The Reserve Bank of India has issued directions to all scheduled commercial banks for strengthening their system and procedure, by introducing various mechanisms, with an expectation that the system and procedure in the bank must be designed to make customers feel safe about carrying out electronic banking transactions and the RBI expected the Banks to adopt robust and dynamic fraud detection system.
One of the mode prescribed is the bank asking their customers to mandatorily registered for SMS alerts and wherever available register for e-mail alerts for electronic banking transactions. The RBI has made it mandatory that SMS alerts shall be sent to the customers, while e-mail alerts may be sent, wherever registered and simultaneously the customer must be advised to notify their bank of any unauthorized electronic banking transaction at the earliest after the occurrence of such transaction, as longer time taken to notify the bank will pose high risk to the customer.
The banks are directed to provide customers with 24x7 access through multiple channels for reporting unauthorized transactions that had taken place and/or loss or theft of payment instrument such as card, etc. and the bank shall also enable the customers to instantly respond by ‘Reply’ to the SMS and e-mail alerts so that the customers are not required to search for a web page or an e-mail address to notify the objection. The swift action on part of the customers as well as the bank is specifically underscored by RBI, since it is most important in determining the extent of the customer's liability. Keeping this aspect in view, the Reserve Bank has fastened zero liability on a customer, in case of third party breach when the deficiency lies neither with the bank nor with the customer, but lies elsewhere in the system and the customer notify the bank within three working days of receipt of communication from the bank regarding unauthorized transactions.
68. In our view, the circular of the RBI dated 06/07/2017 is independent of any criminal investigation to be conducted to establish any cyber crime, as the RBI intended to protect the customer who has suffered financial loss on account of fraudulent or unauthorized electronic banking transactions. Without even a semblance of reference to any cyber investigation, the RBI deemed it appropriate to issue directions for limiting the liability of the customers in unauthorized electronic banking transactions and particularly, when the customer is not at fault. The burden to establish that the customer is at fault is on the bank and once a customer has notified the bank about the fraudulent transaction, from the date when he received communication from the bank, it is imperative for the bank to credit the amount involved in the unauthorized electronic banking transaction to the customer’s account and if the reporting is within three days, then the liability of the customer is zero.
Since the burden of proving the customer’s liability in respect of unauthorized electronic banking transaction is on the bank, we have to ascertain whether the HDFC Bank has discharged its burden.
69. Referring to the transactions through which the Petitioner had suffered a loss, it is the case of the Petitioner that he was using mobile service of BSNL and his mobile number and e-mail ID were registered with HDFC Bank for alerts and OTP. According to the Petitioner, on 14/07/2021, three beneficiaries were added to his savings and current account in Aundh Branch of HDFC Bank, the beneficiary account being maintained with HDFC Bank and ICICI Bank. The Petitioner received no intimation or OTP to validate addition of any of the beneficiaries. Wakad Police Station has confirmed that no SMS was received by the Petitioner.
The HDFC Bank has produced before us a list of SMS/E- mails containing OTPs sent to the Petitioner for addition of beneficiaries.
The text of the OTP logs annexed to the reply, make a reference to the message pushed by HDFC Bank through its different vendors engaged for the said purpose and this include the vendors, ACLOTP, GupshupOtp and also A2WHTTPS.
The message pushed in respect of all the three beneficiaries is followed by the addition of the beneficiaries and the message pushed is, “------is your SECRET OTP to add payee Samir tamang, A/c No. ending in --- for Funds Transfer. Do not share it with anyone”. Followed by this, within a few seconds is another message, “You have added/modified Funds Transfer Beneficiary samir tamang, A/c No. in HDFC Bank NetBanking for queries contact Bank.” In respect of Aloke Pal, the transaction at 03:03:37.515000 PM through GupshupOtp is the message shown is XXXXX. In fraction of seconds i.e. 03:04:08.940000 PM beneficiary Aloke Pal is added.
The aforesaid chart is only reflective of message being pushed, but not a proof of the message being received. Moreover, the record of the Full Text OTP logs is not produced before us as primary record, but it is a log prepared by the bank and in some cases, the message pushed is XXXXX.
It is the pleaded case of the Petitioner that he did not receive any SMS or e-mail and in any event, it is evident from the e-mail log, which is also produced alongwith the affidavit, that the e-mails do not contain any OTPs. More pertinent to note is the SMS and e-mails are alleged to be forwarded by third party vendors and it is difficult for us to admit its credibility, as there is no indication of any full-proof system of the vendor, and what is placed before us alongwith the reply affidavit is the log of OTP and e-mail with the status ‘delivered (D) and sent (S)’.
Followed by the addition of beneficiaries, on 14/07/2021, unknown to the Petitioner, the third party transfer limit of Rs.4,00,000/- was increased to Rs.40,00,000/- and once again it is the case of the Petitioner that no intimation or OTP was received by him to validate the increase of transfer limit and the screen shots of the flexible Third Party Transfer (TPT) limits through net banking refer to the customer ID/user ID with a password PIN, which then reflected the balance in the savings account and increase in the amount of transfer limit. Once again, it is the case of the bank that the message of third party transfer limit being being set at Rs.40,00,000/- was also intimated through OTP and the vendor has shown its status as ‘delivered’, with OTP being sent to increase the limit, and also about the limit being increased to Rs.40,00,000/-. Even for this transaction, we do not have the original message but only the log prepared by the bank, based on the information by the vendor, reflecting the status of the message as ‘delivered’. The case of the Petitioner is, he never received the OTP/intimation.
70. Then comes 15/07/2021, when the Petitioner received an SMS alert from the bank that there was a transfer of Rs.2,14,000/- from his savings bank account and the Petitioner received the alert and logged on to the net-banking facility to check his account, as received the SMS alert at 17:55 hours to find that a sum of Rs.38,04,000/- was transferred from his two accounts by eight transactions between 15:06 hours and 15:47 hours i.e. within 41 minutes. Out of the eight transactions, in four transactions Samir Tamang is the beneficiary, in one transaction of amount of Rs.7,00,000/- Aloke Pal is the beneficiary and one Subhomoy Biswas is the beneficiary in three transactions. The Petitioner was debited to the sum of Rs.38,04,000/- from the three accounts despite his specific case that he never added the beneficiaries, and he never enhanced the transaction limit and the amount was never transferred by him in favour of the beneficiaries.
71. As soon as the Petitioner received an alert at 17:55 hours on 15/07/2021, at 18:03 hours, he addressed an e-mail to his Relationship Manager, Mr.Prashant Patil, apprising him of the unauthorized transactions and he even attempted to connect to HDFC’s Toll Free Number, but was unable to do so. The Petitioner also made a request to the bank to block his accounts and on the next day, approached Wakad Police Station informing the police about the unauthorized transactions.
72. We have already reproduced the communications and the action taken by the bank immediately on the Petitioner alerting it. We have recorded the submissions of Mr.Seksaria and from reading of the same, it is evidently clear to us that the bank attempted to take steps by treating the complaint as urgent, but could do nothing as the amount was already debited from the Petitioner’s account. The HDFC Bank has not produced before us any primary record of SMS/e-mail being forwarded to the Petitioner, but its vendors have merely prepared a log showing that every OTP was forwarded on the Petitioner’s mobile.
73. The mobile number used by the Petitioner is 9422247109 and fortunately for us, Respondent No.5-BSNL has marked its appearance through a counsel and also filed an affidavit-in-reply.
The authorized signatory of BSNL through his affidavit dated 09/02/2026, has provided a clear clue as to what has transpired and how the money got debited from the Petitioner’s account by manipulating the SIM card.
Submitting that the alleged amount was transferred from the two accounts of the Petitioner through eight different on-line banking transactions and thereafter withdrawn through ATMs. Respondent No.5, therefore, state that the transactions establish that the alleged fraud was executed through banking and ATM mechanism, and it categorically state that, on 12/07/2021, the SIM card of the number used by the Petitioner was replaced by its franchisee Sharma Communications.
As per Respondent No.5, Petitioner’s mobile phone was stolen and that was the cause for replacement of the SIM card. The affidavit also state that for replacement of the SIM, there is manual verification of the photo ID with the subscriber and the procedure require verification of self-attested documents of POI/POA with original documents and it is admitted that the certificate of verifying the same is signed by the franchisee M/s Sharma Communications and the replacement was done by manual verification.
When there was further replacement at Kalyan, once again it was allowed on the basis of lost of SIM accompanied with an application for replacement and it is categorically stated that there are two methods of verifying the identity when the SIM card is replaced, namely, (a)DKYC : Live photograph of subscriber and documents are uploaded and CAF Documents, and (b) EKYC : Biometric of the subscribers are captured and matched with Aadhaar Biometrics.
74. The document annexed with the affidavit of BSNL, in relation to the mobile number 9422247109 with the customer’s name Subodh Chandrakant Korde has given the permanent address at Nashik.
The reason for replacement of SIM, is cited as ‘SIM Lost’ and the application is dated 14/07/2021. A perusal of the photograph placed on the SIM Swap/Replacement/Up- Gradation Form bear a photograph of a person Subodh Chandrakant Korde, which according to the Petitioner, is not his photograph, as the Aadhar Card at page No.10 reveal his identity through the photograph and what was annexed alongwith the application was a copy of the PAN card. It was also accompanied with the police report at Mira-Bhayandar, Vasai-Virar Police on 14/07/2021with the complaint of lost of Samsung Phone bearing No.9422247109.
The affidavit has also annexed a SIM replacement application dated 12/07/2021 at Nashik, where it is informed that the handset is lost due to accident. By using the same PAN card and annexing the photograph of Sachin Subodh Korde, which according to the Petitioner, is not of his son’s photograph.
While responding to the notice received from Wakad Police Station, furnishing information with respect to the SIM replacement of BSNL mobile number, it is indicated that the SIM was replaced on four occasions through swap request received on 12/07/2021, 13/07/2021, 14/07/2021 and 15/07/2021 and the swap was completed on all these dates.
In Nashik, the swap/replacement is undertaken through franchisee Sharma Communication, and in Chinchwad Pune, it is done through franchisee M/s Print Express and in Vasai Kalyan, it is done through CSC Vasai Kalyan and once again in Chinchwad, Pune when it was done on 15/07/2021 with the swap completed at 16:26:26 through M/s Print Express, Pune. In all the aforesaid transactions of SIM swap, the swap remark reflect ‘Defect with SIM’.
75. The affidavit is accompanied with a certificate issued by JTO, Nashik stating that the first replacement happened on 12/07/2021 at Nashik CSC and subsequently it is restored in Pune CSC on 13/07/2021. While responding to Wakad Police Station, BSNL has furnished the information by stating that the SIM replacement was done as per customer request at BSNL Customer Service Center Chinchwad Pune on 13/07/2021, but again the SIM got faulty and, therefore, replacement was done on 15/07/2021 by M/s Print Express, Pune in presence of Subodh Chandrakant Korde alongwith his wife and the SIM replacement details are also offered. The name of the official who approved the SIM replacement and activated new SIM card is also offered to Wakad Police Station.
We have these SIM Swap details annexed and it would be most apposite to reproduce the same:-
“SIM swap details of BSNL Postpaid Mobile number 9422247109
76. From the affidavit filed by BSNL, it is, therefore, clear that it is the case of SIM swapping.
SIM swapping is a technique used by criminals to obtain a duplicate or clone of a SIM card linked with a phone number to impersonate identity of line holders and gain access to their bank account by sending an SMS (OTP Code) used as two factors authentication. BSNL has stated in its affidavit that since an application was made for SIM replacement on the count that the mobile phone was lost, a new SIM is provided with the same number and from the affidavit of BSNL, it is evident that the SIM was replaced on four occasions, right from 12/07/2021 to 15/07/2021.
As far as the Petitioner is concerned, he admitted that there was some issue with his SIM card and he had approached the service provider on 15th i.e. on one occasion.
The Indian Cyber Crime Coordination Centre (I4C), which is operated through Ministry of Home Affairs, has floated national cyber crime helpline 1930 (Call Immediately To Report Fraud and Freeze Bank Accounts) and Sanchar Saathi Portal. The precautionary and safety tips and advisory from the Coordination Centre is, ‘act on ‘no signal’….if your phone suddenly loses signal unexpectedly, immediately contact your service provider’.
SIM swapping has received attention from the Ministry of Home Affairs as a sophisticated form of identity theft, where fraudsters take over a victim’s phone number and this has been expressed to be a rising concern in India. The fraudsters collect personal details via phishing social media or previous data licks and they adopt procedure of impersonation. The fraudsters tricks the mobile operator claiming the SIM is lost/damaged and request for a new one and in such a scenario, the victim’s actual SIM loses connectivity (no network). The fraudsters then receive OTPs and banking alerts on the new SIM enabling them to drain bank accounts, often by bypassing two fold authentication. The net-banking frauds involve access to the bank account basic details and the mobile number and then approaching the service provider, impersonating the owner of the number with fake papers and a request to swap the SIM. After verification, the service provider deactivate the old SIM and the fraudsters get access to the new active mobile SIM, when the original one fails to operate as a result all financial SMS, OTP alerts as regards the transactions are arrived on new active card, which is in the hands of the fraudster.
This is precisely the methodology, which has been adopted here and this is evidently clear to us from the affidavit of BSNL, as the Petitioner has pleaded that he faced trouble in connectivity and even approached to his service provider and his SIM was replaced. That is the specific reason why the Petitioner did not receive any OTP on 14th or 15th when the beneficiaries were added or the financial limit of transaction was increased and the actual transaction took place on 15/07/2021 and it is obvious that the message must have been received on a cloned/duplicate SIM and the Petitioner did not receive any message/OTP.
In no case, we find that the Petitioner was careless or that he had shared the password with anyone and ultimately the burden is upon the bank to establish that he was careless or negligent, which the bank in our view, has failed to establish.
77. In consonance of the circular dated 06/07/2017, since the Petitioner has not contributed to the fraud nor he was negligent and he immediately reported about his accounts being debited, or he receiving only one message and that too, after a lapse of time and with the specific stand of the BSNL, reflecting that there was swapping of his SIM card, according to us, the Petitioner is a victim of cyber fraud. The transactions from his account, including addition of beneficiaries, increase of TPT limit and the debit of the amount from his two accounts through eight transactions were all unauthorized. Surprisingly, the Bank, despite the alert created, has not taken any serious steps and has adopted a stand simplicitor that it had discharged its obligations, once it sent OTPs. The Petitioner never received the OTPs nor did he receive any e-mail communication in respect of the unauthorized transactions.
The reason now is very clear, being that his SIM card was cloned/swapped and, therefore, somebody else other than him, has received the OTP and probably, shared the OTP so as to authenticate the transaction. The Petitioner, however, acted promptly, once he realised that some amount is debited to his account and he reported the matter to the higher officer and did whatever was possible to him to do. The Petitioner is, therefore, entitled for the benefit of ‘zero liability’, as we do not conclusively say that the Bank was deficient, but it appears that the Bank was casual in stating that it had sent the OTP and put the blame on the Petitioner, of being negligent in sharing the password, which the Petitioner never did.
78. We also note that not a single original log of sending messages or e-mails and its receipt by the Petitioner is placed before us on behalf of the Bank and merely some excerpts from the Log Book of private agency are placed before us to urge that the Bank has sent OTPs and e-mails, which are in fact are never received by the Petitioner.
It is also pertinent to note that, as per the investigation report of the HDFC Bank, IP location of four transactions adding beneficiary and the transaction modifying the TPT limit is Chennai and the same IP location is to be found in respect of the transaction on 15/07/2021 right from 3:06:57 PM IST. The IP of the aforesaid transaction is different from the IP of the genuine transaction of the Petitioner, when it was compared against the transaction of July 4, 2021, the IP location being shown as Pune.
Therefore, the IP investigation of the Bank has clearly inferred that the disputed transaction IP do not match with the genuine transaction IP of the customer. Therefore, there is no merit in the stand of the Bank that somebody messed up with the device of the Petitoner or he shared the password as it not uncommon for the fraudster to mimic devised ID, but for all the unauthorized transactions, the IP is different than the genuine IP and the IP location is different than the genuine IP and this is also a indicator that the Petitioner has not done the transaction.
79. The internal investigation report, which has disclosed the reason that transaction not being alerted is very specific, namely, “Decline Add Payee-Blacklisted Accounts”. The report also state that the Bank has automated risk based on authentication system, where the risk score is calculated based on the usage pattern of the customer nature of transaction and other factors and high risk transaction is declined. But, in this case, the risk score was 691, hence it is not declined/alerted. The Bank has, therefore, clearly admitted that the transaction was not alerted and we find it surprising that Bank blames the Petitioner.
In Rider 3 of the investigation report, for every transaction, which according to the Petitioner is unauthorized, there is a report of ‘not alerted’ and despite this, the Bank has projected its case that in every situation, the OTP was sent. It is also evident from the internal investigation report that since the HDFC Bank was aware that no alert was created and has also set out the reasons, why it was not alerted because the account was described as “Blacklisted Account” and the customer could not be contacted, when the amount was debited, HDFC Bank itself made a request to ICICI Bank for reversal of the amount under the transactions.
It is, therefore, evident that the HDFC Bank attempted to take necessary steps and was conscious that no alert was created and when beneficiary addition attempt got alerted, the report disclose “tried calling the customer, but unable to establish contact”. This is repeated in the transactions adding beneficiary and also when the transaction limit was enhanced. The alert was sounded since even according to the HDFC Bank, it was a super high value case and thus the officers in helm of affairs of the Bank immediately initiated the investigation.
80. In no case, we put the blame of the unauthorized transactions on the Bank, but when the fault is neither with the Bank nor with the customer/Petitioner, the RBI circular dated 06/07/2017 and in particular, the clause fixing zero liability on the customer gets triggered and the Petitioner is entitled for its benefit.
Though it is a contention advanced on behalf of the Bank that in absence of any investigation by the cyber cell or a conclusion being derived that a cyber fraud has been committed, the Bank cannot be fastened with the liability, but we refuse to accept the said contention. The whole purpose of the circular/guidelines issued by the RBI is to provide a buffer to a customer, who is diligent, and is not responsible for negligence or contribute to the fraud by sharing OTP/password and since, the Bank has failed to establish that the Petitioner did so, in our view, the Petitioner is entitled for the benefit under the circular of RBI dted 06/07/2017 and he deserve the amount of which he is deprived back in his account.
Since the Bank had denied him the benefit, despite clear directions from the RBI, we deem it appropriate to direct HDFC bank to remit the amount of Rs.38,04,000/- to the Petitioner’s account within a period of eight weeks alongwith interest at the rate of 6% p.a., as for no fault of his, the Petitioner was deprived of his own money.
The HDFC Bank shall make the aforesaid remittance within a period of eight weeks and if it failed to do so within the aforesaid period, it shall carry interest at the rate of 8% p.a.
The Writ Petition is made absolute in the aforesaid terms.
 |
This Product is Licensed to , |