In 2022, a retired schoolteacher from Lucknow received a call from someone posing as her bank. She was told her KYC needed urgent verification or her account would be blocked. She complied. Within minutes, nearly ₹2 lakh disappeared from her savings in a series of transactions she never authorised. When she approached the bank, she was told it was her own fault for sharing the OTP. The consumer forum agreed. She got nothing.
This is not an isolated incident. It is a story that plays out thousands of times every year across India, and yet our legal system still has no clear, consistent answer to a basic question: when a customer loses money to digital fraud, who bears the liability, the bank or the customer?
The Scale of the Problem
India’s digital payment ecosystem has grown at a pace few countries can match. The Unified Payments Interface (UPI), launched in 2016 by the National Payments Corporation of India (NPCI), processed more than 83 billion transactions in FY 2022-23 alone. Mobile banking, online wallets, and prepaid instruments have brought formal financial services to hundreds of millions of previously unbanked citizens.
But the same infrastructure that enabled financial inclusion has opened new doors for fraud. Criminals have adapted quickly, exploiting gaps in user awareness, weaknesses in authentication systems, and the sheer volume of transactions to defraud ordinary citizens at scale. The RBI’s Annual Report for 2022-23 recorded a steady year-on-year rise in digital payment fraud, with card and internet frauds alone accounting for over 6,600 reported cases in that year, up from around 3,600 the year before. Those figures count only frauds of ₹1 lakh and above that banks themselves report to the RBI; smaller losses, and cases that are never reported at all, are likely many times higher.
How Fraudsters Operate
Digital payment fraud in India typically takes one of four forms:
- Phishing and Vishing: Fraudulent emails, SMS, or phone calls impersonating banks or payment platforms to harvest credentials or OTPs.
- SIM Swap Fraud: Criminals obtain a replacement SIM for the victim’s number, through bribery of telecom staff or by impersonating the victim, so that OTPs are delivered to a device they control. The customer takes no action and shares nothing; the second authentication factor is simply rerouted.
- UPI Collect Request Scams: A fraudster sends a ‘collect’ (payment request) dressed up as an incoming refund, prize, or cashback. Entering the UPI PIN to ‘receive’ it in fact authorises an outgoing transfer to the fraudster’s VPA.
- Malware and Remote Access Trojans: Fake banking or ‘support’ apps, or legitimate screen-sharing tools the victim is talked into installing, that give attackers real-time control of the device and a live view of incoming OTPs.
What these frauds share is sophistication. They are not the product of careless customers; they are well-designed criminal schemes that exploit the infrastructure banks have built and the trust customers place in it.
What the Law Says — and Where It Falls Short
The primary regulatory instrument is the RBI’s circular of July 6, 2017, on ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions.’ The circular sets up a tiered framework:
- If the loss is the bank’s fault (contributory fraud, negligence, or a deficiency on the bank’s side), or results from a third-party breach that the customer reports within three working days, the customer bears zero liability.
- If the loss results from the customer’s own negligence, of which the circular gives sharing payment credentials as its one example, the customer bears the full loss until the transaction is reported; any loss after reporting falls on the bank.
- For third-party breaches reported between four and seven working days, the customer’s liability is capped by account type (from ₹5,000 for basic savings accounts up to ₹25,000 for other accounts and high-limit cards); later reporting is governed by the bank’s own board-approved policy.
On paper, this looks reasonable. In practice, it is riddled with problems.
First, the circular is a regulatory direction, not a statute. It binds banks, but it does not by itself give a customer a cause of action to sue on, and forums differ on how much weight to give it. Second, ‘negligence’ is never defined; the circular offers credential sharing as an example and nothing more. Courts have been left to decide for themselves whether sharing an OTP under extreme social engineering pressure constitutes negligence, and they have reached wildly different conclusions. Third, the circular’s reporting windows assume customers will promptly detect and report suspicious transactions, which may be a reasonable assumption for a tech-savvy urban professional but not for an elderly pensioner or a first-generation smartphone user in a semi-urban town.
The Information Technology Act, 2000 (as amended in 2008) addresses cybercrime: it criminalises identity theft (section 66C) and cheating by personation (section 66D), but it creates no cause of action against a bank for processing an unauthorised transaction. The Banking Ombudsman Scheme (since 2021 subsumed into the RBI Integrated Ombudsman Scheme) offers an out-of-court remedy, but its monetary limits are low, its powers are constrained, and banks can appeal its awards.
The Consumer Protection Act, 2019 provides another avenue by treating banks as ‘service providers,’ but outcomes before consumer forums are inconsistent and heavily dependent on the specific facts, the composition of the bench, and which interpretation of negligence the forum applies.
How Courts Are Handling It
No Supreme Court ruling has laid down a comprehensive framework for bank liability in digital fraud. Lower courts and consumer forums have been filling the vacuum with contradictory results.
In SIM swap cases, courts have generally ruled in the customer’s favour. The NCDRC has held that where the fraud is enabled entirely through telecom infrastructure, without any cooperation or error by the customer, the bank must bear the loss. The customer did nothing wrong; the bank’s second authentication factor was simply delivered to the wrong hands.
In phishing and vishing cases, some High Courts have held that a bank cannot escape liability simply by showing the transaction was technically authenticated, if the OTP was extracted through a fraudulent impersonation of the bank itself. The bank’s duty of care is not discharged just because someone used the right password.
The most contested territory involves OTP sharing under social engineering. Here, the outcomes are deeply inconsistent. Some forums treat any credential sharing as automatic negligence. Others adopt a contextual approach, asking whether a reasonable person in the victim’s position, given the sophistication of the deception, would have behaved differently. A consumer forum in Kerala held that an elderly widow deceived by a convincing impersonation of an RBI official could not meaningfully be called negligent. The Kerala High Court applied a contributory negligence framework, finding that a bank’s failure to flag an anomalous transaction could render it partly liable even where the customer played some role in enabling the fraud.
Two customers. The same fraud. Opposite outcomes. This is the current state of Indian law on bank liability for digital fraud.
The Core Structural Failures
There are two deep structural problems with the current framework.
The first is the negligence problem. The word ‘negligence’ appears in the RBI circular without definition and is applied across adjudicatory forums without any settled standard. This produces arbitrary outcomes that corrode public trust. More fundamentally, the negligence standard ignores the structural reality of digital banking: banks design the authentication systems, issue security advisories, have real-time visibility into transaction patterns, and have the technical capability to flag anomalous transactions (a first-time payee, a burst of debits that drains an account in minutes, an OTP-authenticated transfer hours after a SIM change). When a sophisticated criminal exploits gaps in this infrastructure, even by deceiving the customer, placing the entire legal weight of the resulting loss on the customer is difficult to justify under any coherent theory of liability.
The second is the burden of proof problem. The 2017 circular itself states that the burden of proving customer liability lies on the bank, but that allocation has no statutory backing, and a customer who ends up before a consumer forum must still establish a deficiency in service or show that they were not negligent. Both require access to transaction logs, audit trails, fraud detection records, and system data that are entirely in the bank’s custody, so customers litigate under a severe informational disadvantage. Some forums have partially addressed this through res ipsa loquitur reasoning (where money disappears from a secure account without authorisation, the burden should shift to the bank to explain how), but this is not applied consistently.
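To make concrete what ‘real-time visibility into transaction patterns’ and ‘audit trails in the bank’s custody’ mean in the two paragraphs above, here is an added example, written for this page and not taken from the article, any bank, or any regulator. It is a toy rules-based screen run over constructed transaction records modelled on the fact patterns described earlier (the Lucknow-style burst of OTP transfers, a SIM swap, a collect-request scam, and an ordinary purchase), and it emits the per-transaction audit record a forum would need to see. The field names, thresholds, and the telecom SIM-change feed are all assumptions made for illustration.

```python
"""Toy real-time transaction screen (added example; constructed data, assumed thresholds)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Txn:
    txn_id: str
    ts: datetime
    amount: int           # INR
    beneficiary: str      # payee VPA or account identifier
    channel: str          # "upi_push", "upi_collect" or "netbanking"
    auth: str             # "upi_pin" or "otp"


@dataclass
class AccountContext:
    p95_amount: int                     # 95th percentile of the customer's past debits
    known_beneficiaries: set
    sim_changed_at: Optional[datetime]  # assumed telecom feed; None if no recent change
    recent: list = field(default_factory=list)  # timestamps of debits already screened


# Illustrative thresholds, not a regulatory standard.
HIGH_VALUE_MULTIPLIER = 3
SIM_CHANGE_WINDOW = timedelta(hours=24)
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_COUNT = 3
HOLD_ALWAYS = {"otp_after_sim_change"}   # any one of these alone is enough to hold


def evaluate(txn: Txn, ctx: AccountContext) -> dict:
    """Screen one debit and return the audit record: flags raised and decision taken."""
    flags = []
    if txn.beneficiary not in ctx.known_beneficiaries:
        flags.append("new_beneficiary")
    if txn.amount > HIGH_VALUE_MULTIPLIER * ctx.p95_amount:
        flags.append("high_value")
    if txn.channel == "upi_collect" and "new_beneficiary" in flags:
        flags.append("collect_from_unknown_vpa")
    if (txn.auth == "otp" and ctx.sim_changed_at is not None
            and timedelta(0) <= txn.ts - ctx.sim_changed_at < SIM_CHANGE_WINDOW):
        flags.append("otp_after_sim_change")   # SIM swap pattern: OTP went to a fresh SIM
    in_window = [t for t in ctx.recent if txn.ts - t < VELOCITY_WINDOW]
    if len(in_window) + 1 >= VELOCITY_COUNT:
        flags.append("velocity")               # account being drained in a burst
    ctx.recent.append(txn.ts)
    decision = "hold" if (len(flags) >= 2 or HOLD_ALWAYS & set(flags)) else "allow"
    if decision == "allow":
        ctx.known_beneficiaries.add(txn.beneficiary)   # only allowed payees become "known"
    return {"txn_id": txn.txn_id, "ts": txn.ts.isoformat(), "amount": txn.amount,
            "flags": flags, "decision": decision}


def screen(txns, ctx):
    """Process debits in time order; returns one audit record per transaction."""
    return [evaluate(t, ctx) for t in sorted(txns, key=lambda t: t.ts)]


# ---- constructed scenarios (not real cases) ----
T0 = datetime(2022, 3, 14, 11, 0)
SIM_CHANGED_AT = T0 - timedelta(hours=3)


def fresh_ctx(sim_changed_at=None):
    return AccountContext(p95_amount=15_000,
                          known_beneficiaries={"grocer@upi", "lic@bank"},
                          sim_changed_at=sim_changed_at)


# Vishing: four OTP-authenticated netbanking debits to an unknown payee within six minutes.
VISHING_TXNS = [Txn(f"V{i}", T0 + timedelta(minutes=2 * i), 49_999, "mule1@upi", "netbanking", "otp")
                for i in range(4)]
# SIM swap: modest debit to a known payee, but the OTP was sent three hours after a SIM change.
SIM_SWAP_TXNS = [Txn("S1", T0, 9_000, "grocer@upi", "netbanking", "otp")]
# Collect scam: a 'refund' collect request from a VPA the customer has never paid.
COLLECT_TXNS = [Txn("C1", T0, 20_000, "refund-desk@upi", "upi_collect", "upi_pin")]
# Ordinary purchase: small amount, known payee, UPI PIN.
NORMAL_TXNS = [Txn("N1", T0, 1_200, "grocer@upi", "upi_push", "upi_pin")]

if __name__ == "__main__":
    for name, txns, ctx in [("vishing", VISHING_TXNS, fresh_ctx()),
                            ("sim_swap", SIM_SWAP_TXNS, fresh_ctx(SIM_CHANGED_AT)),
                            ("collect", COLLECT_TXNS, fresh_ctx()),
                            ("normal", NORMAL_TXNS, fresh_ctx())]:
        for rec in screen(txns, ctx):
            print(name, rec)
```

Run as a script, it prints one audit record per transaction. In the vishing scenario the very first ₹49,999 debit is already held on two flags (unknown payee, three times the customer’s usual ceiling) before any velocity rule fires; the SIM swap debit is held on the single SIM-change flag even though the amount and payee look routine; and the ordinary purchase passes cleanly. The records themselves are the point for the burden-of-proof argument: every decision, and the signals behind it, exists only on the bank’s side.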
What Other Jurisdictions Have Figured Out
India’s framework compares poorly with more developed regulatory regimes. In the United Kingdom, the Payment Services Regulations 2017 (implementing the EU’s PSD2) place the burden of proof squarely on the bank: it must show that the transaction was properly authenticated and that the customer acted fraudulently or with gross negligence before it can decline to refund an unauthorised transaction. The presumption runs in favour of the customer. One caveat matters for the Indian fact patterns above: a transfer the victim was tricked into authorising themselves (the collect-request scam, for instance) is treated in the UK as an authorised push payment, outside that regime, and is covered instead by a separate mandatory reimbursement scheme introduced in October 2024.
In the United States, Regulation E under the Electronic Fund Transfer Act caps a consumer’s liability for unauthorised transfers at $50 if the loss is reported within two business days of the consumer learning of it, and at $500 if reported within 60 days of the statement, regardless of whether the customer was careless with their credentials; the regulation’s official commentary expressly bars using consumer negligence as a basis for greater liability.
Both frameworks share a common premise: the financial institution, as designer and operator of the payment infrastructure, is better positioned to absorb the risk of fraud and to invest in preventing it. This is a straightforward application of the ‘least cost avoider’ principle: liability should attach to the party best placed to prevent harm. Banks have fraud analytics, real-time transaction monitoring, and risk management infrastructure. Retail customers do not.
What Needs to Change
The following reforms would meaningfully strengthen consumer protection in India’s digital payment ecosystem:
- A Statutory Liability Framework: Parliament should enact clear, enforceable liability standards for banks in digital fraud cases, whether through amendments to the IT Act or the Payment and Settlement Systems Act, 2007, or through standalone legislation. The statute should define customer negligence with reference to a reasonable person standard that accounts for the victim’s digital literacy and the sophistication of the fraudulent scheme.
- A Statutory Burden of Proof on the Bank: Where a customer reports an unauthorised transaction within a prescribed period, the burden of proving customer negligence should sit with the bank as a matter of law, not merely of RBI direction. Banks hold the relevant data; banks should bear the burden of proof. This is the approach in the UK and EU, and it is both legally sound and practically essential.
- Mandatory Fraud Detection Standards: The RBI should prescribe minimum standards for real-time fraud detection and anomaly monitoring, with civil liability consequences for banks that fail to implement them.
- Strengthened Grievance Redressal: The Ombudsman Scheme should be reformed with higher monetary thresholds, simplified procedures, and binding awards. A specialised digital fraud tribunal with technical expertise and expedited processes would be a more ambitious, and ultimately necessary, institutional reform.
- Disclosure Requirements in Regional Languages: Banks should be legally required to inform customers, in plain language and regional languages, about common fraud types, the bank’s monitoring capabilities, and the customer’s rights in the event of an unauthorised transaction.
Conclusion
India’s digital payment infrastructure is a remarkable achievement. UPI’s design, reach, and adoption are genuinely world-class. The legal framework protecting the people who use it is not.
The current regime relies on an undefined negligence standard, places ordinary citizens at an informational disadvantage in litigation, and lacks the statutory clarity necessary to enforce meaningful accountability against banks. The RBI’s 2017 circular was a step in the right direction, but it has proven insufficient, both because it lacks direct enforceability and because its key concepts remain dangerously underspecified.
The consequences extend beyond individual victims. Consumer trust in digital payment systems is foundational to India’s financial inclusion agenda. If users, particularly first-generation digital banking adopters in rural and semi-urban India, learn that fraud can wipe out their savings without meaningful legal recourse, adoption will stall. Financial inclusion will become financial vulnerability.
India’s journey toward a digital economy is at a turning point. The infrastructure is there. The adoption is remarkable. What is missing is a legal architecture that assures users that the system will protect them when things go wrong. Building that architecture is not merely a legal reform question; it is a question about the kind of inclusive, trustworthy digital economy India intends to build.