Banks responsible for hacked customer accounts

A recent ruling by a consumer court in Mumbai, India, has held that a bank is responsible if it has not complied with regulations and the account holder's money is fraudulently transferred.

 

The Mumbai District Consumer Dispute Redressal Forum directed HDFC Bank on March 26 to pay Santacruz resident Nikhil Futan the money he had lost with 8 per cent interest, his legal expenses as well as Rs 25,000 for the “mental agony” it had caused.

 

In October 2008, Futan, who himself works in a bank, found that Rs 4.6 lakh had been transferred from his HDFC account to an account in Lucknow in the name of a Shukla and another in Vijayawada to a Rajiv. Futan first approached the bank’s customer service centre but, he told the court, his complaint was not heard. He then went to the police’s Economic Offence Wing.

 

In January 2009, the case was handed over to Santacruz police. Both Shukla and Rajiv were arrested soon after, but the police recovered only Rs 70,500, which was returned to Futan. Determined to get back the remaining Rs 3.89 lakh, Futan then went to the consumer court in April 2009.

 

During the hearing, the bank argued that the money had been transferred after a transfer request from Futan. The bank also pointed out that it had alerted Futan through SMS and email, and that he failed to respond to the intimations. The bank said an unauthorized transaction could take place only if the customer shares account details with others, uses a shared computer or has malicious software in his computer.

 

Futan said he had not received any message or email from the bank, and the court accepted his contention that the bank had no evidence to prove there was malicious software or a virus on his computer. Referring to the police arrests, the court said: “From this it is clear that the account holder did not give his assent for the transfer.” It held that the bank had not taken precautions as per RBI Net banking guidelines.

 

Most banks use password and PIN based authentication, and in such cases it may not be possible for them to validate the genuineness of the customer at the other end. Banks also need strong logging and internal security systems to prove that the leak of authentication credentials did not happen from inside. Considering that many agencies today hold databases of bank customers with their addresses and similar details, it will be difficult for banks to prove that information leakage did not happen from inside in case of any fraudulent act.

 

The way forward for Indian banks to protect themselves in case of any online fraud occurring in their customers' accounts is to:

 

1. Inform customers about the risks of online banking.

 

2. Implement additional authentication mechanisms such as crypto tokens or out-of-band authentication.

 

3. Maintain strong internal systems that can stand up to legal scrutiny and show that a breach of confidential or access information did not happen from inside the bank.
