logo

This Product is Licensed to ,

Change Font Style & Size  Show / Hide
24

  •            

 
CDJ 2026 (Cons.) Case No.008 print Preview print print
Court : National Consumer Disputes Redressal Commission (NCDRC)
Case No : First Appeal No. 573 of 2017
Judges: THE HONOURABLE DR. INDER JIT SINGH, PRESIDING MEMBER & THE HONOURABLE MR. JUSTICE SUDHIR KUMAR JAIN, MEMBER
Parties : Axis Bank & Others Versus Dr. Shabir Khan Ranjan Rawther & Others
Appearing Advocates : For the Appearing Parties: Bharat Sood, Advocate (VC), Divyansh Rai, Proxy Counsel Ltd. (through VC), Ankur S Kulkarni Ms. Priya S Bhalerao, Advocates.
Date of Judgment : 04-12-2025
Head Note :-
Consumer Protection Act 2019 - Section 19 -
Judgment :-

Inder Jit Singh, Presiding Member

These two First Appeals (FAs) have been filed by the under section 19 of Consumer Protection Act 2019, against the order dated 09.11.2016 of the State Consumer Disputes Redressal Commission, (hereinafter referred to as the 'State Commission'), in Consumer Complaint (CC) No. 47/2012.

2. First Appeal No. 573/2017 has been filed by the Appellant (hereinafter referred to as Axis Bank), who was Opposite Party Nos.1&2 before the State Commission and FA/1950/2017 has been filed by Appellant (hereinafter referred to as Vodafone Mobile), who were Opposite Party Nos. 3 & 4 before the State Commission, inter alia praying for setting aside the impugned order passed by the State Commission in CC/47/2017.

3. As both the Appeals have been filed against the same order of the State Commission vide which State Commission has allowed the Complaint filed by the Complainants against all the OPs-1 to 4, jointly & severally, these are taken up together.

4. Notice was issued to the Respondent(s) in both the FAs on 18.04.2017 and 26.10.2017 respectively.

5. Brief facts of the cases, as presented by the Complainant and as emerged from the FAs, Order of the State Commission and other case records are that:

The complainant was having a Vodafone mobile connection No. 9846289101. He was also having two saving bank accounts with the OP/Axis Bank Ltd. for which, the complainant has also availed the services of ATM and net banking from the Axis Bank Ltd. On 30.03.2012, between 4 p.m. and 6 p.m., complainant's mobile phone went dead. The Complainant contacted the Vodafone store on the very next day @ about 2.30 p.m. The complainant came to know that a duplicate SIM was replaced/issued to a third person by the OP-4. On realizing that the complainant's mobile number was misused, OP-3 & OP-4 cancelled the SIM issued to the unknown person immediately and issued a new SIM to the complainant from the Vodafone Store, Kadavantra. On 31.03.2012, the complainant received a message on the mobile phone, that Rs.50,000/- has been credited to his account. It was an unexpected transaction, therefore, the complainant tried to check his account through online, but he was not able to access his account and it was displayed invalid username or password. On 30.03.2012 and 31.03.2012, unknown persons operated the accounts of the complainant, by using duplicate SIM, whereby amount of 9.42 lakhs was transferred from one of the complainant's account to some other account and further Rs.1,72,500/- has been transferred to another accounts, which were as many as 20 in nos. Complainant after knowing this, through mini statement, made a complaint to the customer care of the Axis bank and got both these accounts blocked. On 01.04.2012, FIR No. 840/12 was lodged by the complainant with Central Police Station, Cochin, as regards alleged fraudulent transactions and nine persons were arrested in connection with the crime. On 09.04.2012, the Complainant issued legal notice to the bank and Vodafone, but in reply, the bank and Vodafone denied the allegations. The complainant filed complaint CC/47/2012 before the State Commission, Thiruvananthapuram alleging that the Axis Bank does not provide virtual key pad in internet banking to prevent key loggers attack, bank has also failed to comply with the provisions of . Money laundering Act, 2002. In addition, the Vodafone has assisted the fraudster in the alleged illegal transaction by issuing duplicate SIM without verification of ID proof and documents. The complainant filed the complaint seeking award of 11,14,500/- with interest @ 18% p.a. w.e.f. 30.03.2012 and 75 lakhs for mental agony and cost of litigation.

6. Vide Order dated 09.11.2016, the State Commission allowed the complaint -directed the OPs to pay jointly and severally Rs. 11,14,500/- with interest @ 9% p.a. w.e.f. 31.03.2012 till date of payment plus Rs.5 lakhs as compensation and Rs. 10,000/- as legal costs to the complainant and directed to comply the order within 2 months from the date of order.

7. Appellant(s) in FA/573/2017 and FA/1950/2017 have challenged the Order of the State Commission mainly on following grounds:

                   FA/573/2017 (Appeal filed by the Axis Bank)

                   i) The State Commission has passed the impugned order in disregard of the settled position of the law and incorrect appreciation of the evidences brought on record.

                   ii) The State Commission has recorded a finding in favour of the Appellant that from the stage from which fraudster used the duplicate SIM of the complainant, no deficiency in service can be attributed on the part of the Bank and in spite of this, the State Commission has directed the Appellants to jointly and severally pay to the Respondent-1 along with Respondents-2 & 3. By virtue of Section 14 of the Consumer Protection Act, 1986, a Consumer Forum is empowered to pass order against the OP to pay the Complainant only when the said Consumer Forum is satisfied that the alleged deficiency of service against the OP stands proved. In the instant case, the State Commission has recorded finding that no deficiency of service can be attributed on the part of the Appellant and in view of the same the impugned order deserves to be set aside.

                   iii) The State Commission overlooked its own findings recorded in the impugned order that merely because the Respondent-1's accounts were hacked, the bank employees cannot be held responsible for the same.

                   iv) The State Commission holding the Appellants liable to pay to Respondent-1 militates against its own finding that there is no evidence regarding the role of the Bank brought out in the criminal investigation in the fraudulent transfer from Respondent-Ts account, and despite such finding, the State Commission has fastened liability upon the Appellants along with the Respondents - 2 & 3 jointly and severally disregarding the basic legal principle underlying the provisions of the Consumer Protection Act i.e. liability can be fastened upon the OP only upon the injury sustained by the Complainant is positively proved to have been caused by such OP.

                   v) The impugned order suffers from perversity arising out of the mismatch between the finding recorded that the Appellant is not directly responsible for the loss suffered by Respondent-1 and operative portion of the order whereby the Appellant has been directed to pay to Respondent-1. The state Commission is not justified and exceeded its jurisdiction in making observation in the impugned order that there was no convincing evidence to show that the prompt action was taken by the Appellant to block the amount already transferred. The amount alleged to have been fraudulently transferred from the account of Respondent-1 and subsequently withdrawn via ATM quite before the Appellant Bank was intimated as shown in the entries made in Statement of Accounts of the Respondent-1 during the relevant period i.e. 30.03.2012 and 31.03.2012.

                   vi) On the complaint of the complainant to the customer care of the Axis Bank Ltd., the bank accounts of the complainant have been immediately blocked. On 02.04.2012 (being an annual closing day), the Appellant Bank de-activated the debit cards and i-connect ids of all the beneficiary accounts. Mails were sent to all the concerned branches of the Appellant Banks and the Branch heads of the respective branches were personally contacted over phone and accordingly appraised. Thereafter, the Operations head of the Appellant No.2 personally visited the local branches of ICICI Bank and Kotak Mahindra Bank and submitted the letter for freezing the beneficiary accounts and consequently the said accounts were frozen by the respective Banks accordingly. It was beyond the control of the Appellant to block that amount which had been transferred in view of the same having been already withdrawn before the Bank was intimated.

                   vii) It is not justified on the part of the State Commission while making observation that there was laxity on the part of the Bank in allowing to exceed the limit transaction for a single day. There is no inviolable permanent ceiling on the financial transactions being done by a user through internet. The default ceiling on the transaction of Rs.50,000/- for Type -I and for Type -II. However, there is a facility in i-connect that allows the customer to enhance (upto 5 lakh) or reduce the daily financial transaction limits. This increase in limit is also allowed after one-time password is generated and sent to the customer's mobile. Only when the customer enters the code on the screen, the same is validated and the limit is increased. If the limit needs to be increased beyond Rs.5 lacs, the customer's request is subject to approval from the branch. Once the limit is increased, the user can make transactions without any time gap. In the present case, the limit for both Type -I and Type-ll transaction was increased to 5 lacks each on 30.03.2012 at 8-30 P.M., which was effected after the 2nd factor authentication (by sending the secure code to the customer's mobile).

                   viii) The State Commission exceeded its jurisdiction in order to fasten the liability on the Appellants on the ground that the money held by the Bank as trustee of the customer and any loss suffered by the customer should be borne and reimbursed by the Bank.

                   FA/1950/2017 (filed by Vodafone Mobile)

                   i) The State Commission failed to consider the question as to whether an allegation in a consumer complaint which forms the subject matter of criminal proceedings can be proceeded with, under the Consumer Protection Act, 1986. The State Commission failed to consider as to whether admittedly criminal acts of third parties can form the subject matter of allegations of deficiency of service against the Appellants. The entirety of the allegations against the Appellants are based on the fact that its representatives were defrauded by one fraudster into believing that said fraudster was a legitimate customer. In such cases, an action under the Consumer Protection Act, 1986 does not lie, being the subject matter of a crime cannot be said to be any deficiency in service. The State Commission has not considered that admittedly the Appellants are victim of a crime, it cannot be said to be the basis for a finding of deficiency in service.

                   ii) The subject matter of the consumer complaint is sub-judice. The crus of the allegations made out in the subject complaint are already pending consideration before the court of Ld. Chief Judicial Magistrate, Cochin vide CC No.212/14 and is now at the stage of framing of charges u/s 120B r/w 419, 420, 465, 468, 471 r/w 34 IPC, and S. 66C and 66D of IT Act. The State Commission failed to consider that the entire chain of events starts with the averment of Respondent-1 that the said transactions affected from his bank accounts have not been made under his authorization and further, he has not made such transactions for his own benefits. Respondent-1 is bound to lead evidence in this regard before the court of Ld. Chief Judicial Magistrate, Cochin as a prosecution witness. The State Commission has failed to consider that the court of Chief Judicial Magistrate, Cochin is empowered under the Code of Criminal Procedure 1973, to grant appropriate compensation to victims of criminal activities.

                   iii) The consumer fora do not have jurisdiction to adjudicate on the present dispute in the light of express bar contained in Section 61 of the Information Technology Act, 2000. The State Commission failed to consider that in light of the factual averments made in the complaint and the nature of the dispute that is existing between the parties, the same can only be determined by the Adjudicating Authority appointed under the Information Technology Act, 2000 ('IT Act'). The State Commission failed to take note of Section 61 of the IT Act. The only deficiency alleged on the part of Appellants is failing to protect the sensitive information contained in and obtained via a SIM card, and any negligence in maintaining adequate security for the same, can only be said to fall within the ambit of contraventions mentioned under the IT Act and would thereby exclude the jurisdiction of consumer fora. Even the police filed a charge-sheet against 11 accused persons alleging violation of the IT Act. It is trite law that in the absence of jurisdiction, no findings arrived at can be upheld, and therefore, the decision following by virtue of such a finding also deserves to be set aside.

                   iv) Findings of the State Commission based on photocopies of documents, are inadmissible as per the Evidence Act, 1872. It is trite law that photocopies of documents cannot be used for purposes of evidence, as the same violates the provisions of the Evidence Act.

                   v) The State Commission has not considered the fact that HDFC Bank, which had reversed the fraudulent transaction that was made in its account, was a necessary party for the determination as to whether the security practices adopted by Respondents- 2 & 3 were adequate or not.

                   vi) The ICICI Bank and Kotak Mahindra Bank are also necessary parties for the proper adjudication of the present dispute, in as much as they were also the bankers of beneficiary accounts where the amounts were transferred from the accounts of Respondent-1 and they are required to answer as to whether they took appropriate steps for the purposes of recovering the said amounts. It is trite of law that in cases of nonjoinder of necessary parties, the impugned judgment cannot be upheld.

                   vii) The State Commission failed to consider that the proceedings before it were without jurisdiction. The consumer fora do not have jurisdiction to adjudicate disputes between a telecom service provider and its subscriber as it falls within the ambit of disputes covered by Section 7B of the Indian Telegraph Act, 1889 ('Telegraph Act'). (Relied upon the judgment passed by the Hon'ble Supreme Court in General Manager, Telecom v. M. Krishnan & Anr.)

                   viii) Even after a detailed investigation, the investigating authorities have been unable to find any culpability qua the Appellants, and therefore, it is wrong on the part of Respondent-1 to allege such culpability, and for the State Commission to base its findings on such allegations. There are no reasons or findings on the alleged deficiency in service of the Appellants.

                   ix) The impugned order is contrary to the contractual relations between the parties and provisions of the Indian Contract Act, 1872. The State Commission failed to consider that the stated loss to Respondent-1 is remote and cannot be awarded in view of specific provisions of Sections 73 & 74 of the Indian Contract Act, 1872.

                   x) The facts demonstrating contributory negligence on the part of Respondent-1 have been disregarded. The State Commission failed to take note of certain relevant facts which demonstrate the non-action on the part of Respondent-1 which led to him being scammed. Even as per Respondent-1 there were three levels of security for the purposes of net-banking viz user ID, Password and transaction password. Out of these three, it is only the transaction password that is received on the mobile phone number provided by the Appellants. The other two security facts are only between the bank and its customer, and the Appellant telecom service provider has no role to play in the same. It has been explained by Respondents- 2& 3 to Respondent-1 that User ID, password and other details should not be compromised with a third party unknowingly or as an answer to phishing messages received from unknown persons. However, it appears that in spite of this clear direction, Respondent-1 did in fact compromise the User ID and password to unknown strangers, thereby making the entire security procedure vulnerable. The OTPs and transaction alerts are also generally received by way of e-mail, and further, attempts at re-setting password, user ID etc. are also generally received on e-mail, which at the relevant time, were admitted in the custody and control of Respondent-1. In view of this admitted fact, contributory negligence on the part of Respondent-1 cannot be exculpated.

                   xi) Upon learning of non-functioning of complainant's mobile phone on 30.03.2012 at around 4 P.M., he had enough time to contact the customer care of the Appellant and trace out the relevant details in this regard, and thereafter to ensure that the replacement SIM card was blocked. If Respondent-1 had deigned fit to resolve this with the customer care, then none of the transactions giving rise to the present proceedings would have taken place. It was further proved in evidence that Respondent-1 was well aware of 24x7 functioning of the Appellant's customer care services. In the light of the factual scenario, it is not correct to say that no fault was attributable to Respondent-1.

                   xii) As per the case of the complainant, a sum of Rs.50,000/- was returned to his account from HDFC bank on account of certain discrepancies in regard to the transfer. In this eventuality, the State Commission has erred by not considering as to why these amounts were not returned back from the accounts maintained by Respondents-2 & 3, especially when they had the transaction pattern details of Respondent-1 as well as were aware of the fact that amounts were deposited in his accounts for the purposes of studying abroad. It would not be out of place to assume that some manner of suspicions ought to have arisen with Respondents-2 & 3 and its IT system, when 20 consecutive transactions eliminating the entirety of the holdings in the accounts were made and no accounts held in distant and far off places from where the account of Respondent-1 was situated. The State Commission failed in not considering the allegations of Respondent-1 qua Respondents- 2 & 3, whereby it was specifically recorded in the impugned order.

                   xiii) Respondent-1 had been availing service to the tune of Rs. 1500-2000 per month from the Appellants. The threshold for the duty of care owned by the Appellants can only be measured against this standard.

8. The matter was heard at length from both sides on 15.09.2025 and 16.09.2025, when the arguments concluded and judgment was reserved. Relevant extract of these orders is produced below:

                   Order dated 15.09.2025

                   "2. State Commission has concluded that in this case, complainant is not at fault for the fraudulent transactions and bank is also not at fault for the fraudulent transactions which took place from the stage which fraudsters used the duplicate sim. However, State Commission had fixed the liability jointly and severally on the bank as well on two counts (i) prompt action was not taken by the Bank and (b) laxity on the part of the bank in allowing to exceed the limit of transaction for a single day.

                   3. It is the case of the complainant that per day transaction limit was Rs.50,000/-. Had bank strictly observed these limits, even the fraudsters could not have succeeded in withdrawing the amount beyond Rs.50,000/. In this regard, our attention was also drawn to the written version of the Axis Bank filed before the District Commission, in particular para 18. Although, counsel for the bank argued that Rs.50,000/- was per day transaction limit but this para clearly shows that reference is to daily limit and not per day transaction. No doubt, in the online system, the account holder is free to modify the transaction limits from time to time but bank as custodian of the back-end records is always supposed to be aware as to on what date / time,, the account holder has changed such limits. Hence, bank need to place on record as to what was the daily limit and / or per transaction limit, if any, under different categories, especially online transaction limit as on 30.03.2012, when unauthorized transaction took place. They may seek further instructions from their client in this regard and come prepared with formal response tomorrow aiongwith copy of relevant records, if possible.

                   4. Further, Bank should place on record copy of the relevant guidelines of the RBI with respect to fraudulent online transactions which were in force on the date of fraudulent transfer as on 30.03.2012.

                   5. Counsel for Vodafone Mobile Service Ltd should specifically come prepared to give their response to the findings of the State Commission recorded in para 11,12 and 13."

                   Order dated 16.09.2025

                   "4. During the hearing, learned Counsel representing Axis Bank has placed on record copy of Reserve Bank of India Guidelines dated 08.04.2002 and 06.07.2017 as well as. an undated Customer Compensation Policy of Axis Bank. Learned Counsel for the Complainant has placed on record a copy of the judgment of this commission dated 21.11.2024 in Revision Petition No. 1551 of 2023 Union Bank of India and the judgment dated 03.01.2025 of the Hon'ble Supreme Court in SLP No. 30677 of 2024, State Bank of India vs. Pallabh Bhowmik & Ors.

                   5. Both the Appeals, one by Axis Bank and the other by Vodafone have been filed challenging the order dated 09.11.2016 of the State Commission in CC No.47 of 2012 vide which liability has been fixed jointly and severally on both Axis bank and Vodafone, directing them to pay an amount of Rs.11,14,500/- with interest 9% p.a. from 31.03.2012 till the date of payment and compensation of Rs. 5 Lakhs and Rs.10,000/- as litigation costs.

                   6. It was argued by learned Counsel for the Axis Bank that although, the State Commission gave a finding that from the stage from where the fraudsters used the duplicate SIM, no deficiency in service can be attributed on the part of the Bank but still fixed joint and several liability on the Bank along with Vodafone. The reasoning for doing so is contained in Para 17 of the State Commission's order wherein the State Commission records that regarding the attempt to block the money already transferred, there is no convincing evidence to show that prompt action was taken. Further, the State Commission observed that there is also laxity on the part of the Bank in allowing to exceed the limit of transactions for a single day. The State Commission has returned categorical findings that the Complainant is nowhere responsible for the fraudulent transfer effected from his account. It is the case of the Bank that the fraudulent transactions were first intimated to them on 31.03.2012 at 10:30 p.m. over customer care number as per usual laid down procedure.

                   7. Learned Counsel for the Complainant clarifies that he came to know about such fraudulent transactions only on 31.03.2012 as his SIM got deactivated on 30.03.2012. The Bank contends that on 02.04.2012 itself they wrote to ICICI Bank (page 88) and Kotak Mahindra Bank (page 89) requesting them to freeze the said accounts in which fraudulent transfers from the Complainant's account were credited. However, by that time the amount had already been withdrawn from these two accounts. He further adds that there were a total of 20 transactions, one each pertaining to ICICI Bank and Kotak Mahindra Bank and remaining 18 belonging to their own different branches outside Kerala state and they immediately froze those accounts on 01.04.2012, although, there is no document on record to show that it was done on 01.04.2012. He further submits that even with respect to these 18 transactions, by the time they froze these accounts, the money had already been withdrawn from these branches as well. The total amount covered under 20 transactions amounts to Rs.11,14,500/-. Hence, the Bank contends that they have taken prompt action and the State Commission observations in Para 17 are not correct.

                   8. As regards laxity on the part of the Bank in allowing to exceed the limit of transaction for a single day, it is the case of the Bank that the customer has the facility to himself modify the transaction limit online. Although the Bank argued initially that it was Rs.50,000/- per transaction, their written version filed before District Forum shows that this was possibly a per day transaction limit (page 130 para 18). It is the case of the Bank that even prior to 30.03.2012, the Complainant has been doing per day transaction exceeding *50,000/- and possibly he has fixed a per day limit higher than Rs.50,000/- and hence the Bank has no liability for fraudulent withdrawals happening on 30.03.2012 and 31.03.2012 exceeding Rs.50,000/-. In support of their contention, they have drawn our attention to the account statement of the Complainant at page No. 186 which shows a transaction on 17.11.2011 of Rs.2,44,050/- (international transaction) and three transactions on 21.11.2011 of Rs.50,000/-, Rs.633/- and Rs. 1,000/-, total exceeding Rs.50,000/-. However, the Complainant contents that the transaction dated 17.11.2011 is an international transaction and falls in a different category of the limit and the three transactions on 21.11.2011 are of different categories, Rs.50,000/- being online transaction, Rs.633/- transaction being a purchase possibly a POS transaction and the third one being an ATM cash withdrawal.

                   9. Learned Counsel for the Bank vehemently argued that it is Vodafone who has faulted in issuing duplicate SIM without appropriate verification. They have drawn our attention to the SIM Replacement Form at page 535 which is dated 22.03.2012 in which reason for seeking SIM replacement is shown as "lost". He contends that the original SIM of the Complainant was very much active till 30.03.2012 till 4 p.m. when fraudulent transactions started happening. Hence, had Vodafone done proper verification, they could have found that the original SIM was very much active and they ought not to have issued the replacement SIM without satisfying themselves whether the original SIM was with the Complainant himself. He has further drawn our attention to the signatures of the customer (the Complainant) at page 535 and SIM Replacement Form and his signatures on the original Customer Agreement Form at page 226 and submits that even a common man with a bare perusal, who need not to be an handwriting, expert/signature expert, can say that these two signatures did not match at all. Counsel representing Vodafone fairly agreed that signatures at page 535, SIM Replacement Form and Customer Agreement Form at page 226 do not appear to match. However, he further contends that the signatures at page 228 and 229 which are copies of passport and driving license, matches with signatures at page 226. However, copy of the passport at page 229 is not readable and the parties have not placed on record a readable copy of the same. Although, the affidavit of the executive of the Vodafone dated 11.02.2015 (page 515-516) records that he requested for SIM replacement confirmation from the circle office in Kerala and after comparison they have given confirmation for SIM replacement, there are no documents placed on record in this regard.

                   10. Further, Vodafone has not placed on record copies of ID proof/address proof etc. taken along with the SIM Replacement Form, except copy of the passport at page 534, which as stated earlier is unreadable. 11. Learned Counsel for the Vodafone as well as Counsel for the Complainant clarified that there is no doubt that at the time of original SIM being given through the Customer Agreement Form at page 226, the only document given was the copy of the driving license at page 228 and not copy of passport which is given at page 229 and again given at page 534. The State Commission in para 12 of its order has observed that an application form for Vodafone collection submitted by the Complainant contains his photograph and is dated 22.05.2010 and he submitted a copy of his driving license along with application (and not the passport). It further records that the SIM Replacement Form was not fully filled up, with no photograph, and the application submitted contained signature purported to be of the Complainant and also contains the photocopy of the passport allegedly of the complainant. The State Commission observes that the photograph on Exhibit A-9 i.e. SIM Replacement Form is that of an entirely different person than that of the Complainant. Opposite Party No.4 Vodafone allowed SIM replacement without verification of the identity of the Complainant in a casual way. It observed that the further circumstances are such that the Opposite Party No. 4 in all probability knowingly aided the culprits in procuring a duplicate SIM intended for fraudulent use. The State Commission in para 13 of its order also records that the original. SIM was active till 4 p.m. on 30.03.2012. Application for SIM Replacement Form was submitted on 22.03.2012 so a prompt verification of the truth of the allegation would have been sufficient to refuse the application. Opposite Parties No. 3 and 4 never verified that the original SIM was active or not before issuing duplicate SIM. So the available circumstances available in evidence overwhelmingly show that in issuing duplicate SIM in a casual manner and, thereby, facilitating hackers to gain access to the accounts of the Complainant, Opposite Parties No.3 and 4 have committed grave deficiency in service.

                   12. One thing which emerges clearly from the above and hearing today is that the Complainant (Respondent No.l herein) is not at fault for the fraudulent transactions. Hence, the only issue to be determined in the present case is with respect to the liability of the Bank and Vodafone, whether both should be jointly and severally liable as held by the State Commission order or only the Bank or only the Vodafone is liable as contended by Vodafone and Bank respectively in their respective Appeals.

                   13. It was also clarified by the Complainant and the counsel for the Bank that the fraudulent transactions took place from two accounts of the Complainant, one with account number ending with 2222 and the second account number ending with 1558. Total 31 fraudulent transactions of debit happened in account no.2222 and 15 fraudulent transactions of debit happened in account number ending with 1558.

                   14. It was also clarified by the counsel for the Complainant that when his SIM got deactivated on 30.03.2012 without his request, by the time he came to know, the Vodafone store was dosed and he went to Vodafone store on 31.03.2012 to get it activated. Learned Counsel for the Vodafone clarifies that on getting such a request they cancelled the fraudulently obtained SIM on the previous day and issued a fresh SIM to the Complainant herein on 31.03.2012."

9. The State Commission considered at length the rival contentions of the parties. The extract of relevant paras of State Commission's order is reproduced below:

                   "12. It may be observed that the application form for Vodafone connection submitted by the complainant contains his photograph and is dated 22.05.2010. He had submitted copy of his driving licence along with the application. It is also included in Ext.AlO. It is seen that the SIM was issued after verification and re-verification. At the same time Ext.A9 which contains the SIM replacement form is not fully filled up. No photograph of the applicant is submitted. The application is seen submitted on 22.03.2012. It contains a signature purported to be that of the complainant. Ext.A9 also contains the photocopy of the passport allegedly of the complainant. It is seen that the photograph on Ext.A9 is that of an entirety different person than that the complainant. No expertise is required to arrive at this conclusion. Below the photograph a signature purportedly of the complainant is seen. This signature is markedly different from that of the admitted signature of the complainant seen on the customer agreement form contained in Ext.AlO. It is not mere dissimilarity. So it is quite obvious that opposite party no.4 allowed SIM replacement without verification of the identity of the applicant and in a casual way. The circumstances are such that the 4th opposite party in all probability knowingly aided the culprits in procuring a duplicate SIM intended for fraudulent use.

                   13. The further question is whether the evidence of DW3, in any way improves the defence of opposite parties 3 & 4. He is the customer service manager with opposite party no.3 for the past 41/2 years. According to him, SIM replacement would be allowed when there is loss of the original SIM, or when the original SIM does not work or for the purpose of converting a nano SIM to a micro SIM and vice versa. In the SIM replacement application the full address of the applicant is not mentioned. As referred to already only the name of the applicant is mentioned in Ext.A9. In the SIM replacement application other details are left blank. As opposed to the endorsement in the customer agreement form in which there is endorsement that the SIM was issued after verification and re verification, absolutely no endorsement is seen on the SIM replacement application DW2 claimed that the Punjagutta store claimed over telephone that they had seen the original of the documents submitted as his identity proof. He also claimed just like DW2 that there is similarity between the photos in Exts.A9 & A10 and explained that two photographs taken at different point of time need not be similar. But as already observed this claim of DW3 cannot in any way be sustained and indicates that even now DWS 2 & 3 want to support the culprits and not the truth. When confronted with the question whether there is dissimilarity between these signatures, the answer was that there are similarities. So DW3 also does not want to speak the truth in this regard. He admitted that the original application for SIM, photo and identity proof could be scanned and saved in their system. The scanned image can be seen only in the respective State but for verification the photocopy of ID proof would be scanned and sent to the original stage when there is application for duplicate SIM. To the question whether without verifying the forged identity proof duplicate SIM was issued DW3 admitted that only the address was verified. This is a poor precaution to avoid issue of SIM to fraudsters. It may be further mentioned that in the SIM replacement application the reason is mentioned as loss of the original SIM. It may be reminded that the definite allegation in the complaint is that the original SIM was active till about 4.p.m on 30.03.2012. The application for SIM replacement was submitted on 22.03.2012. So a prompt verification of the truth of the allegation would have been sufficient to refuse the application. Opposite parties 3 & 4 never verified whether the original SIM issued by them was active or not before issuing the duplicate SIM. So the circumstances available in evidence overwhelmingly show that in issuing duplicate SIM in a casual manner and thereby facilitating hackers to gain access to the accounts of the complainant opposite parties 3 & 4 have committed grave deficiency in service.

                   14. Complainant has alleged that opposite parties 1 & 2 have committed deficiency in service as well. Admittedly, the complainant held to accounts in the second opposite party branch of the Axis Bank. The disputed transactions happened on 30.03.2012 and 31.03.2012. 20 transfers were effected from the two accounts of the complainant 18 of which were two various branches of the first opposite party bank itself but outside Kerala. The remaining two transfers were to accounts held in a branch of the ICICI Bank and Kodak Mahindra. Those transfers were also made to account outside the State of Kerala. According to the complainant in effecting these transfers opposite parties 1 & 2 committed deficiency in service. Complainant has a case that the internet banking system of opposite parties 1 & 2 is such that the system can be easily hacked. Further opposite parties 1 &2 have violated the Reserve Bank of India guidelines in maintaining the internet banking system. They also violated the KYC (know your customer) norms. There was inaction on the part of the bank in recovering the amounts transferred to various accounts in the branches of the bank after they came to know of the illicit transfers. The bank failed to exercise due care and caution in effecting the internet transfers. The complainant has a further case that the customer id and password were actually leaked from the bank.

                   15. On the contrary opposite parties 1 & 2 contend that the user id security password and other details of the complainant were compromised by the complainant himself. Opposite parties 1 & 2 have a technically sound system of internet banking. Immediately on coming to know of the involvement of the fraudsters steps were taken to block the beneficiary accounts. The bank has very well co-operated with the investigation by the police officers. That was why fraudsters were arrested and police filed charge sheet against them. Ext.All is the copy of the charge sheet filed by the Ernakulam Central Police before the Chief Judicial Magistrate Court, Ernakulam. Charge sheet is filed against 11 accused for having committed various offences in connection with the fraudulent transfers of money from the account of the complainant. All the accused hail from outside the State of Kerala and scattered all over India. It is in the above background opposite parties 1 & 2 contend that the user id security password and other details were comprised by the complainant himself. This contention is not a serious one taken in the version of opposite parties 1 & 2. DW1, who was the Manager of the Kochi Branch of the Axis Bank insisted that phishing attack generally happens when user id and password are compromised by the customer himself. But in the version of opposite parties 1 & 2 it is admitted that on getting message on 31.03.2012 about the credit of Rs.50,000/- in the account of the complainant, he directly logged into the net banking. However he could not operate the same as the fraudsters changed the password user name etc. Further phishing attacks are very common these days by which the miscreants obtain the customer's credentials through social engineering. It will be pertinent to mention here that malicious 'Trojans' are also cause for serious threat these days. These 'Trojans' are malicious programs which automatically enter the computers of users through use of the internet and keep running in the background without the knowledge of the users and their identification credentials including passwords are liable to be stolen by these Trojans'. Simple Trojans are called keystroke loggers'. There are crime syndicates which control the 'Trojan' drop boxes and use these credentials to dupe the customers. Therefore it is possible that the customer may be innocent and credentials were compromised through Trojan (Paragraph 7 of the version). In paragraph 9 of the version the contention taken is that in the instant case fraudsters logged into complainant's account using log in id. Log in password and transaction password and other details which he has compromised knowing or unknowingly and further using the duplicate SIM card procured in the name of the complainant and not that bank's system was hacked. It is further contended that the complainant is an innocent victim of internet fraudsters and bank had no role directly or indirectly in the fraudulent phishing attack that happened in the account of the complainant. As rightly pointed out merely because complainant's accounts were hacked the employees of the bank cannot be held responsible. There is no evidence regarding their role brought out even in the criminal investigation. The nature of the transactions and available evidence show that only the complainant's accounts were hacked on that day. There is also no evidence to show that complainant knowingly compromised his user id password etc. As admitted in the version he was an innocent victim of the internet fraudsters who hacked his accounts and secured vital details such as login id password etc. Once that was done the careless issue of duplicate SIM made the task of the fraudsters easier. By using the duplicate SIM the fraudsters could easily get the one time password from the bank and effectively execute the transfers from the accounts of the complainant. From the stage from which fraudsters used the duplicate SIM no deficiency in service can be attributed on the part of the bank.

                   16. Coming to the contention that by not recovering the money from the various branches of the bank to which 18 transfers were affected, the bank has committed deficiency in service it appears that as soon as the fraudulent transfers were brought to the notice of the bank those accounts were blocked. But by that time the fraudsters had withdrawn the money after leaving meagre amount in the accounts, using ATM facility. What is tacking is specific proof to establish this contention. The fact also remains that opposite parties 1 & 2 have easily permitted the fraudsters to exceed the limit of transfer of money permissible in a single day's transaction. Regarding the allegation that the RBI guidelines as well as KYC norms were violated it may be mentioned that these are for guiding the bank itself and there is nothing to indicate that the RBI had found the bank responsible for such lapses. The complainant has a further contention that the bank should have insured his accounts but this is a policy matter and cannot be extended to a single individual.

                   17. In short, from the available evidence it can only be concluded that the complainant is in no way responsible for the fraudulent transfers effected from his accounts. Equally the bank was not directly responsible. It cannot also be stated that the bank had not co-operated with the investigation. Regarding the attempt to block the money already transferred, there is no convincing evidence to show that prompt action was taken. There is also laxity on the part of the bank in allowing to exceed the limit of transactions for a single day.

                   18. There is yet another aspect to be emphasised in fixing the liability of opposite parties 1& 2. As held already the complainant is an innocent victim of the fraudsters. In such a situation when money is lost while lying in the account of the opposite parties it is only just and proper that they reimburse the loss of the complainant. The bank held the money in trust for the customer. So it is unjust to ask the customer to bear the burden. The fact remains that opposite parties 3 & 4 provided the opportunity for hacking and made the task easier by casually issuing duplicate SIM. Hence if so advised, opposite parties 1 & 2 can opt to proceed against opposite parties 3 & 4 for reimbursement or contribution of the money ordered to be paid by this commission. But in view of the dear deficiency in service committed by opposite parties 3 & 4 and the legal position as explained with regard to opposite parties 1& 2. The complaint is liable to be allowed against all the opposite parties."

10. Learned Counsel for the Vodafone submitted that the replacement SIM was issued after due verification by their executive who has also filed an affidavit dated 11.02.2015 before the State Commission. Relevant paras of the said affidavit are extracted below: '

                   "2. On 22-03-2012, the SIM replacement request of Kerala customer Mr. Shabbir Khan had been processed by me. The SIM replacement request was made by a person who had absolute resemblance to the photograph in the original ID proof/address proof produced before me. The person produced the original proof has resemblance to the photograph scanned in our system. There was possibility of reasonable changes on passage of time with respect to the photograph produced with the company when the connection had been taken. So as per a reasonable comparison we found the photo in our system have resemblance to the photograph in the original ID proof, and photocopy of the said ID proof was furnished to us along with SIM replacement request form. The signatures were also found resembling to one another in the replacement request form, in the ID proof and signature in our system.

                   3. Confirming the above I requested for SIM replacement confirmation from the Circle Office in Kerala and alter comparison they have given confirmation for SIM replacement. Accordingly after following procedures Sim was replaced and activated on 30-03-2012.

                   4. AH due diligence and care had been applied by me white processing the SIM replacement request. I checked the person with the photograph in the original ID proof, the correctness of photocopy of original proof provided to us and ensured comparison with the scanned photograph of the customer at the time of subscription and compared the signatures in the SIM replacement request, ID Proof and signature in our system. Recently I resigned from the service."

11. We have carefully gone through the orders of the State Commission, other relevant records and rival contentions of the parties. As already recorded in the order dated 16.09.2025 of this Commission, in the present case, the Complainant is not at fault for fraudulent transactions. Hence, he is entitled to the reliefs granted by the State Commission. The only issue to be determined is with respect to the respective liability of the Axis Bank and Vodafone Mobile. The facts and evidence on record clearly show that Vodafone has faulted in issuing a duplicate SIM without proper verification. Application for duplicate SIM was made on 22.03.2012 while the SIM of the Complainant was very much active till about 4-00 P.M on 30.03.2012. The officials of Vodafone Mobile made no efforts to check this aspect by calling on this number. Had they done so, the Complainant could have come to know that someone else is trying to procure a duplicate SIM on his behalf and such an action could have been easily prevented. Further, the Vodafone mobile official issued duplicate SIM in a very casual way, without proper verification of the identity of the Complainant. As at the time of giving original SIM, the only document given was copy of the driving license and not the copy of the passport, the official of Vodafone mobile should have insisted on copy of the same document for verification at the time of issuing duplicate SIM. Further, the SIM replacement form was not fully filled up, with no photograph. After due consideration of the entire facts and circumstances of the case, we hold that State Commission has correctly concluded that Vodafone mobile issued the duplicate SIM in a very casual way and without proper verification, thereby facilitating hackers to gain access to the accounts of the Complainant. Hence, the Vodafone mobile is liable for deficiency in service on their part. As regards role and liability of the bank, notwithstanding the liability of Vodafone for deficiency in service on their part, which has been elaborated in the preceding paras, we are of the considered view that bank has not placed on record any acceptable evidence/documents to show as to what was the per transaction and/or per day limit in the accounts of the Complainant. When and how were such limits set by the Complainant or the bank. Had such limits been observed meticulously, the loss could have been restricted to a maximum of per transaction or per day limit, as the case may be. Bank's contentions in this regard have been summed up in para 8 of order dated 16.09.2025 which also records Complainant's response to the same. Going by the written version of Bank, it seems Rs.50,000/- was the per day limit. Complainant's response to transactions on 17.11.2011, which is above RS.50,000/- and is an international transaction, and transactions dated 21.11.2011 that these are different kind of transactions with separate limit in each category/sub-category seems correct. Except for these transactions, bank has not been able to show any other single day transaction of same category i.e. online transactions exceeding Rs.50,000/-. Hence, had the bank strictly observed the daily transaction limit of Rs.50,000/- for online transactions, possibly the loss could have got restricted to this amount only. Hence, we hold that notwithstanding the observations of the State Commission that from the stage from where the fraudsters used the duplicate SIM, no deficiency in service can be attributed on the part of the bank, Axis bank is equally liable for allowing online transactions beyond the per day limit. Hence, State Commission was right in fixing joint and several liability on the bank also, along with Vodafone mobile.

12. RBI vide its Circular dated 06.07.2017 have issued detailed guidelines on Customer Protection - Limiting Liability of Customers in Unauthorized Electronic Banking Transactions. Extract of relevant paras of this Circular is reproduced below:

                   "Limited Liability of a Customer

                   (a) Zero Liability of a Customer

                   6. A customer's entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:

                   i. Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).

                   ii. Third party breach where the deficiency Ues neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.

                   (b) Limited Liability of a Customer

                   7. A customer shall be Hable for the loss occurring due to unauthorised transactions in the following cases:

                   i. In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

                   ii. In cases where the responsibility for the unauthorised electronic banking transaction Ues neither with the bank nor with the customer, but Ues elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower."

13. Prior to the issuance of the above stated Circular dated 06.07.2017, similar instructions were in force vide RBI Circular dated April 8, 2002. Axis Bank relying on this Circular submitted that in cases, where neither the bank is at fault nor the customer, but the fault lies elsewhere in the system, in that situation the banks should compensate the customers only upto a limit as part of the Board approved customer relation policy. However, in the present case, we hold that the Bank was at fault with respect to non-observance of the per day transaction limit. Hence, even as per this Circular, the Bank has to compensate the customer without demur. Moreover, the Customer Compensation Policy placed on record is an un-dated policy, which in cases where neither the Bank nor the customer is at fault, but the fault lies elsewhere in the system, Bank will compensate the customer upto a limit of Rs.5,000/- only, that too would be paid only once in the life's time. The extract of the relevant para of the Circular dated April 8, 2002 is reproduced below.

                   "5. With a view to redressing the grievances of die customers in this regard, we have reviewed the position and advise that (i) in cases where banks are at fault, the banks should compensate customers without demur, and (ii) in cases where neither the bank is at fault nor the customer at fault but the fault lies elsewhere in the system, then also the banks should compensate the customers ( upto a limit) as part of a Board approved customer relations policy."

14. For the reasons stated hereinabove, and after giving a thoughtful consideration to the entire facts and circumstances of the case, various pleas raised by the learned Counsel for the Parties, we are of the considered view that the State Commission has passed a well-reasoned order, duly addressing contentions of all the parties based on evidence before it and we find no reason to interfere with its findings. Hence, the order of the State Commission is upheld. Accordingly, both the First Appeals FA/573/2017 and FA/1950/2017 are dismissed.

15. The pending IAs, in any of the FAs, if any, also stand disposed off.
 
  CDJLawJournal