Bank Liability in Digital Fraud: Navigating Customer Protection and Safe Harbour under Indian Law
Banking

INTRODUCTION

As banking services go digital, customers increasingly use electronic payment systems like internet banking, mobile wallets, UPI, debit cards, and credit cards. These innovations have greatly improved convenience and financial inclusion, but they have also resulted in a rise in fraudulent third-party transactions. This raises a crucial legal and regulatory question:

To what extent are banks accountable for losses customers suffer from fraud committed by third parties?

The answer involves contractual principles, negligence law, consumer protection, and regulatory guidance from the Reserve Bank of India (RBI).

UNDERSTANDING FRAUDULENT THIRD-PARTY TRANSACTIONS

A fraudulent third-party transaction occurs when someone carries out an unauthorized transaction without the account holder’s knowledge or consent.

Common examples include:

* Phishing and vishing attacks

* Card skimming (debit/credit cards)

* Malware-based attacks on digital banking systems

* Unauthorised UPI or wallet transfers

These transactions usually happen due to security lapses on the customer’s end, weaknesses in banking systems, or increasingly sophisticated cyber fraud techniques.

CONTRACTUAL RELATIONSHIP BETWEEN BANK AND CUSTOMER

The relationship between a bank and its customer is fundamentally a contract. Banks have a duty to protect customer accounts and ensure reasonable security measures.

While account terms and conditions often include clauses that limit liability—especially when customers share confidential information like PINs, passwords, or OTPs—these clauses are not absolute. Banks cannot avoid liability if there is:

* Deficiency in service

* Failure to maintain adequate security infrastructure

* Delay or inaction after receiving timely notice of fraud

Courts and consumer forums have consistently ruled that standard contracts cannot override legal obligations or public policy.

ROLE OF NEGLIGENCE AND DUE DILIGENCE

Liability in cases of fraudulent transactions largely depends on the presence or absence of negligence.

1. Customer Negligence

If fraud happens because a customer is negligent—like sharing sensitive information, responding to phishing attempts, or ignoring basic security practices—the bank’s liability may be reduced or eliminated.

2. Bank Negligence

Banks may be held liable where the fraud results from:

* Weak authentication mechanisms

* Failure to detect suspicious or abnormal transactions

* Inadequate cyber security systems

* Delay in blocking accounts or reversing transactions after prompt reporting

In these cases, banks may have to compensate customers for their losses.

APPLICABILITY OF THE SAFE HARBOUR RULE UNDER SECTION 79 OF THE IT ACT

An important legal factor comes from Section 79 of the Information Technology Act, 2000, known as the Safe Harbour provision.

Concept of Safe Harbour

Section 79 of the Information Technology Act, 2000, provides conditional immunity to intermediaries from liability for third-party information, data, or communication passing through them. Banks, when facilitating electronic fund transfers or payments, may qualify as intermediaries.

Under Section 79(1) of the Information Technology Act, 2000, an intermediary is not liable for third-party data if it meets the conditions in Section 79(2) of the Information Technology Act, 2000.

CONDITIONS FOR AVAILING SAFE HARBOUR PROTECTION

A bank can claim protection under Section 79 of the Information Technology Act, 2000, only if it satisfies the following conditions:

1. Limited Role

The bank’s role should be limited to providing access to a communication system without initiating or controlling the transaction.

2. No Initiation or Modification

The bank should not initiate the transaction, choose the receiver, or change the information. If a transaction is done entirely by a third party with stolen credentials, this condition is likely met.

3. Due Diligence Compliance

The bank must observe due diligence and comply with regulatory guidelines, including those issued by the RBI. This includes:

* Strong cyber security systems

* Two-factor authentication

* Transaction monitoring mechanisms

* Efficient grievance redressal

EXCEPTIONS: WHEN SAFE HARBOUR PROTECTION IS LOST

Under Section 79(3) of the Information Technology Act, 2000, safe harbour protection is not available where:

* The bank has actual knowledge of unlawful activity and fails to act promptly

* The bank is complicit, negligent, or facilitates the fraud

In bank fraud cases, not detecting suspicious transactions, delaying account freezes, or having weak security can be seen as negligence, ruling out the bank’s protection.

INTERPLAY BETWEEN SECTION 79 AND RBI GUIDELINES

While Section 79 of the Information Technology Act, 2000, offers statutory protection, RBI guidelines require banks to fulfil obligations regarding unauthorised electronic transactions. Even if a bank claims to be an intermediary, not following RBI rules can indicate a lack of due diligence, resulting in the loss of safe harbour protection. Thus, statutory immunity does not replace regulatory compliance.

JUDICIAL AND CONSUMER PROTECTION PERSPECTIVE

In India, courts and consumer forums have ruled that banks cannot simply rely on Section 79 of the Information Technology Act, 2000, to avoid liability. If customers act quickly and responsibly, banks are expected to take responsibility unless they can clearly show:

* The fraud was solely due to third-party actions

* Adequate security systems were in place

* There was no deficiency in service or delay

Safe harbour is therefore treated as a qualified defence, not absolute immunity.

BURDEN OF PROOF

In disputes involving fraudulent transactions:

* The customer must establish that the transaction was unauthorised

* The bank must demonstrate compliance with due diligence requirements under the IT Act and RBI guidelines

Failure to discharge this burden may result in liability for the bank.

CONCLUSION

The liability of banks in fraudulent third-party transactions is no longer viewed just through a contractual lens. Modern banking law acknowledges the power imbalance between banks and customers. Regulatory frameworks and court decisions increasingly support customer protection, as long as customers act promptly and responsibly. Banks must therefore invest in:

* Robust cyber security infrastructure

* Real-time fraud detection systems

* Efficient grievance redressal mechanisms

At the same time, customers need to stay alert and follow basic security practices. A balanced approach of accountability and due care is essential to maintain trust in the ever-changing digital banking landscape.

Written by:

Pushparna Das (Intern)

University of Engineering and Management, Kolkata
