MUMBAI: In a landmark judgment on online banking frauds, six banks, a telecom giant and a card company have been asked to pay out Rs 1.06 crore compensation to customers who have been victims of various online frauds in the past two years. In most of the cases, customers had lost money to fraudsters but banks had held customers responsible for their accounts being compromised.

The order for compensation was issued by the state government’s equivalent of a cyber crime court which is presided over by the principal secretary in charge of information technology. The principle secretary, Rakesh Aggarwal, functions as adjudication officer under Section 45 of the IT Act 2000. The banks that have been ordered to pay compensation include Central Bank of India, Royal Bank of Scotland, Punjab National Bank, IndusInd Bank, Yes Bank, State Bank of India. Other institutions who have been directed to pay are Vodafone and SBI Cards.

The order is significant as this is the first time that any authority has said that an individual’s liability in respect of online frauds should be capped. The Banking Standards and Codes Board of India had earlier last year suggested that the onus of establishing liability in the event of online fraud should rest with the banks. Until now banks have been throwing up their hands whenever a customer’s credentials were compromised, holding the customer fully liable for anyone hacking into his email or mobile.

Advocate Prashant Mali, who specializes in IT cases and has appeared for the complainant, said “Banks should ideally pay off the aggrieved consumer instead of making him run pillar to post and then spend money in courts and costly appeals. This way less harassment would be caused to consumers and confident online banking customers will evolve.”

The largest order has been against SBI which has been directed to pay Rs 40 lakh to Chander Kalani whose funds were transferred to an account in London on the basis of an email. The fraudster had hacked into Kalani’s email and instructed the bank to transfer funds. In his order directing SBI to pay a compensation of Rs 40 lakh, Aggarwal observed that “the Banking Codes and Standard Board of India (BCSBI) unit has issued a Code of Bank’s Commitment wherein customers of such fraud will be liable to the extent of Rs 10,000 only and the bank has to make good the rest of the amount. But acceptance of this code by banks is not visible.”

In another case, the account of Prabhakar Sadekar a businessman, with Punjab National Bank was hacked and funds transferred to accounts in IndusInd Bank and Yes Bank. Sadekar did not receive SMS alerts as his mobile accounts were also cloned. In this case Agarwal had held that banks had not followed RBI guidelines on money mule accounts and guidelines on information technology. Vodafone was asked to pay a compensation of Rs 20 lakh for not following reasonable security practices and procedure and the established guidelines before issuing a duplicate SIM card. PNB, IndusInd and Yes Bank have been asked to pay Rs 20 lakh, Rs 5 lakh and Rs 3 lakh respectively.

In the fourth case where a company, Raatronics, was defrauded of its account in Central Bank by changing the mobile number in the bank’s online database, Central Bank and Royal Bank of Scotland were asked to pay Rs 8 lakh each for lack of due diligence. The adjudicating officer also ordered compensation of Rs 1.3 lakh and Rs 1.4 lakh for frauds committed upon users of SBI Credit Card and SBI’s International Debit Card.

Source: Times of India