Author: Unnati Gautam, IME College
To the Point
Digital banking has transformed financial transactions by providing convenience, accessibility, and efficiency. However, the proliferation of internet banking and mobile banking services has also exposed customers and financial institutions to sophisticated cyber threats. The legal challenge often arises in determining liability when unauthorized transactions occur.
The dispute in State Bank of India v. Hare Ram Singh & Anr. centered upon unauthorized withdrawals amounting to ₹2,60,000. The respondent, Hare Ram Singh, maintained a savings account with the State Bank of India (SBI). On 18 April 2021, he received an SMS containing a suspicious link. Subsequently, he received a call from an unknown individual who persuaded him to click on the link. Soon after accessing the link, two unauthorized transactions amounting to ₹2,60,000 were executed from his account through internet banking facilities. The respondent immediately contacted the bank and lodged complaints before the relevant authorities.
The respondent contended that he never disclosed any OTPs, passwords, or confidential banking credentials. He alleged that the fraud occurred due to deficiencies in the bank’s security architecture. A Single Judge of the Delhi High Court accepted the respondent’s plea and directed SBI to reimburse the disputed amount along with interest. Aggrieved by the decision, SBI preferred a Letters Patent Appeal before the Division Bench.
The case required the Court to determine whether the bank could be held liable merely because the customer claimed that he had not shared OTPs or confidential credentials. The judgment assumes importance because it interprets the RBI’s customer protection framework and establishes principles regarding the burden of proof in cyber fraud litigation. This article provides a complete analysis of the case, its mechanism, and its judicial proceedings.
Use of Legal Jargon
The case of State Bank of India v. Hare Ram Singh raised significant legal questions concerning unauthorized electronic banking transactions and the allocation of liability between financial institutions and customers. The matter was adjudicated within the ambit of Article 226 of the Constitution of India, under which the petitioner sought judicial intervention against the alleged failure of banking safeguards. The controversy required interpretation of the Reserve Bank of India’s Circular on Customer Protection and Limiting Liability in Unauthorized Electronic Banking Transactions (2017), which establishes the circumstances under which a customer or bank may bear responsibility for financial losses arising from cyber fraud. The facts of the case also brought into consideration provisions of the Information Technology Act, 2000, particularly Sections 43, 66, 66C, and 66D, which deal with unauthorized access to computer systems, cyber offences, identity theft, and online cheating through electronic means. Furthermore, the Court examined principles of contributory negligence, duty of care, electronic authentication, burden of proof, and deficiency in banking services. The judgment emphasized that liability in digital fraud cases cannot be determined solely on the basis of a customer’s assertion that confidential credentials were not disclosed; rather, a detailed assessment of the facts, technical evidence, and compliance with regulatory obligations is necessary. The decision therefore reflects the growing interaction between constitutional remedies, banking regulations, and cyber law in the governance of modern financial transactions.
The Proof
The outcome of State Bank of India v. Hare Ram Singh was largely influenced by the evidentiary materials placed before the Court and the inability of the respondent to establish any fault attributable to the bank. The records presented by the appellant bank indicated that the disputed transactions were processed through duly authenticated banking channels and were executed after the completion of prescribed verification procedures. No material evidence was produced to demonstrate that the bank’s security systems had malfunctioned, suffered a breach, or failed to comply with regulatory standards. The Court also took note of the fact that the respondent had interacted with a suspicious online link shortly before the unauthorized transfers occurred, a factor considered relevant in determining whether reasonable caution had been exercised. Since cyber fraud cases often involve technical issues such as phishing, credential compromise, and unauthorized digital access, the Court observed that such matters require substantial technical proof rather than mere assertions. In the absence of forensic reports, expert testimony, or any other reliable evidence establishing negligence on the part of the bank, the allegations remained unsubstantiated. Consequently, the Court concluded that the evidentiary burden necessary to fasten liability upon the bank had not been discharged, thereby justifying the decision in favour of the appellant.
Judicial Interpretation of Customer Negligence
The Division Bench disagreed with the reasoning adopted by the Single Judge. The Court observed that negligence cannot be confined merely to situations involving direct disclosure of OTPs or passwords. In the modern digital environment, negligence may also occur when customers disregard repeated warnings and access suspicious websites, links, or applications. The Court emphasized that clicking a malicious link can compromise banking credentials without conscious disclosure. Therefore, customer negligence must be assessed broadly rather than mechanically.
Burden of Establishing Bank Deficiency
The Court held that liability cannot be imposed upon a bank in the absence of evidence demonstrating security system failure, deficient authentication mechanisms, a data breach attributable to the bank, or violation of regulatory obligations. Since no such evidence was produced, the finding against SBI lacked an adequate factual basis.
Necessity of Technical Examination
The Court further noted that cyber fraud cases involve highly technical issues, including malware attacks, credential harvesting, phishing mechanisms, device compromise, and authentication logs. Such matters ordinarily require forensic scrutiny and expert analysis. A writ court exercising jurisdiction under Article 226 of the Constitution is generally not equipped to conclusively determine disputed technical facts without evidence.
Significance of the RBI Circular
The Court stated that the RBI Circular draws a clear distinction between bank negligence and customer negligence. The Single Judge’s approach effectively eliminated this distinction by presuming bank liability merely because the customer denied sharing OTPs. The Division Bench held that such an interpretation would dilute the object and scheme of the RBI Circular.
The rapid expansion of digital banking has significantly increased the incidence of cyber fraud and unauthorized electronic transactions. The case of State Bank of India v. Hare Ram Singh & Anr. (2026) decided by the Delhi High Court marks a significant development in the jurisprudence governing liability arising from cyber fraud in banking transactions. The Court examined the scope of the Reserve Bank of India (RBI) Circular dated 6 July 2017 concerning customer protection in unauthorized electronic banking transactions and clarified the distinction between customer negligence and bank deficiency. The judgment emphasized that mere denial of sharing One-Time Passwords (OTPs) does not automatically absolve a customer from negligence or render a bank liable for financial losses. The decision further highlighted the necessity of technical and forensic examination in cyber fraud disputes. This article analyzes the facts, legal issues, judicial reasoning, and implications of the judgment while examining its relevance within the broader framework of banking law and cyber security regulations.
RELEVANT LEGAL FRAMEWORK
RBI Circular dated 6 July 2017
The RBI issued the Circular titled “Customer Protection – Limiting Liability of Customers in Unauthorized Electronic Banking Transactions.” The Circular categorizes liability into three broad situations:
Zero Liability of Customer: a customer bears no liability where the loss results from contributory fraud or negligence of the bank, or where there exists a deficiency in banking systems.
Limited Liability: a customer’s liability is restricted when unauthorized transactions occur due to third-party breaches without customer fault and are reported within the prescribed time frame.
Full Liability: a customer bears the loss where unauthorized transactions arise due to negligence on the customer’s part, including compromise of payment credentials.
The interpretation of these provisions formed the foundation of the present dispute.
CASE LAWS
1. Hare Ram Singh v. Reserve Bank of India & Ors. (2024)
The Single Judge had earlier directed SBI to compensate the customer for losses arising from cyber fraud, emphasizing the absence of evidence showing OTP disclosure. This decision was subsequently reversed in appeal.
2. Raghabendra Nath Sen v. Punjab National Bank
The Court recognized that liability in electronic banking disputes depends upon the facts of each case and the extent of negligence attributable to the parties.
3. India v. K.K. Bhalla
The judgment emphasized judicial restraint in exercising writ jurisdiction where disputed questions of fact require detailed examination.
4. Shreya Singhal v. Union of India
Although not a banking case, it highlighted the growing significance of digital rights and cyber governance in India.
5. Reserve Bank of India Regulatory Framework Cases
Various courts have consistently recognized that RBI circulars possess binding force upon regulated banking institutions and provide the governing framework for determining liability in electronic transactions.
CONCLUSION
The decision in State Bank of India v. Hare Ram Singh (2026) constitutes an important precedent in Indian banking and cyber law. The Delhi High Court clarified that customer negligence extends beyond the mere sharing of OTPs and may include reckless digital conduct such as accessing suspicious links. The judgment also reinforces the principle that banks cannot be held liable in the absence of demonstrable system failure or regulatory breach. By emphasizing technical scrutiny and proper evidentiary standards, the Court has contributed significantly to the jurisprudence governing unauthorized electronic transactions. The ruling is likely to influence future disputes involving phishing attacks, internet banking fraud, and digital payment security. As India advances toward a digitally driven economy, the judgment serves as a reminder that cyber security is a shared responsibility between banks and customers.
FAQs
Q1. What was the main issue in State Bank of India v. Hare Ram Singh?
The primary issue was whether SBI could be held liable for unauthorized transactions merely because the customer claimed he had not shared OTPs.
Q2. What amount was involved in the dispute?
The unauthorized withdrawals totaled ₹2,60,000.
Q3. Which RBI Circular was interpreted by the Court?
The Court interpreted the RBI Circular dated 6 July 2017 titled “Customer Protection – Limiting Liability of Customers in Unauthorized Electronic Banking Transactions.”
Q4. Did the Court hold SBI liable?
No. The Delhi High Court set aside the order directing SBI to reimburse the amount.
Q5. What constitutes customer negligence according to the judgment?
Customer negligence may include clicking suspicious links, ignoring security warnings, or otherwise compromising banking credentials.




