⚖️ Bank's Duties vs Customer's Duties
🏦 Bank's Duties
- Implement robust 2FA for all transactions
- Send real-time SMS/email alerts
- Provide 24x7 fraud reporting channels
- Maintain secure systems (ISO 27001)
- Conduct regular security audits
- Train staff on fraud prevention
- Credit disputed amount within 10 days
- Complete investigation within 90 days
VS
👤 Customer's Duties
- Never share OTP/PIN/Password
- Report fraud immediately
- Keep registered mobile updated
- Check transaction alerts regularly
- Use secure devices/networks
- Not write PIN on card
- Report lost card immediately
- Update KYC when required
⚠️ Bank Negligence Indicators
Courts and consumer forums consider the following as indicators of bank negligence:
🚨 Technical Failures
🔓
2FA/OTP bypass or failure📧
No SMS/email alerts sent🖥️
ATM skimmer not detected💾
Data breach at bank's end🔄
SIM swap not verified⏰
Transaction at unusual time/location allowed🚨 Procedural Failures
📞
No 24x7 helpline available📝
Complaint not acknowledged💰
Shadow credit not given in 10 days🔍
Investigation delayed beyond 90 days👨💼
Employee involvement in fraud📋
KYC failures allowing fraudulent accounts👤 Customer Contributory Negligence
When customers contribute to fraud through their actions, liability shifts:
| Customer Action | Liability Impact | Example |
|---|---|---|
| Sharing OTP verbally | Full liability | Told OTP on phone call |
| Sharing OTP via message | Full liability | Forwarded OTP SMS |
| Writing PIN on card | Full liability | Card stolen with PIN |
| Using public WiFi for banking | Contributing factor | Credentials intercepted |
| Ignoring security alerts | Contributing factor | Didn't read SMS warnings |
| Delayed reporting | Based on timeline | Reported after 7 days |
| Clicking phishing links | Context-dependent | Sophistication matters |
⚖️ Burden of Proof in Cyber Fraud Cases
📌 Key Principle: Bank Must Prove Customer Negligence
In disputes over unauthorized electronic transactions, the bank bears the burden of proving that the customer was negligent. The customer is not required to prove a negative (that they didn't share OTP). This is established by multiple consumer forum and High Court decisions.
Evidence Banks Must Produce
- System Logs: Showing OTP was sent and verified on customer's device
- IP Address: Transaction originated from customer's known IP/device
- Call Records: Customer called and authorized transaction
- Written Authorization: Signed mandate from customer
- CCTV Footage: Customer physically present (for ATM/branch fraud)
⚖️ Landmark Case Laws
ICICI Bank v. Official Liquidator of APS Star
Supreme Court, 2012
Banks have a heightened fiduciary duty in electronic transactions. They cannot simply shift the entire burden of proof to customers. Banks must demonstrate adequate security measures were in place.
M/s Manmohan Machines v. Citibank
Delhi State Commission
Bank held liable for ₹38 lakh fraud. Court noted bank failed to implement velocity checks on unusual transaction patterns. Customer's mere access to internet banking doesn't absolve bank's security obligations.
Cosmos Bank Cyber Attack
Pune, 2018
₹94 crore heist through ATM switch. Banks must ensure end-to-end security of their infrastructure. Third-party vendor failures don't absolve bank's liability to customers.
📝 Part 11.3 Quiz
Q1: In cyber fraud disputes, burden of proof lies on:
Q2: Which is NOT a bank negligence indicator?
Q3: Customer writing PIN on card results in:
Q4: Shadow credit must be provided within:
Q5: Bank must complete fraud investigation within:
Q6: Cosmos Bank heist amount was approximately:
Q7: Bank's fiduciary duty in e-transactions was emphasized in:
Q8: Which is a bank's mandatory duty?
Q9: Customer clicking sophisticated phishing link:
Q10: SIM swap without verification by bank indicates: