Whether Bank Liable for Unauthorised Withdrawals from Account [JUDGMENT]

Banking Law - Electronic Banking - If a customer suffers loss on account of the transactions not authorised by him, the bank is liable to the customer for the said loss.

The relationship between a bank and its customers arises out of the contracts entered into between them. Such contracts consist of general terms applicable to all transactions and also special terms applicable to the special services, if any, provided by the bank to its customers. The relationship between a bank and its customer, in so far as it relates to the money deposited in the account of a customer, is that of debtor and creditor. The contractual relationship exists between a bank and its customers are founded on customs and usages. Many of these customs and usages have been recognized by courts and it is now an accepted principle that to the extent that they have been so recognized, they are implied terms of the contracts between banks and their customers. Duties of care is an accepted implied term in the contractual relationship that exists between a bank and its customer. It is impossible to define exhaustively the duties of care owed by a bank to its customer. It depends on the nature of services extended by the bank to its customers. But one thing is certain that where a bank is providing service to its customer, it owes a duty to exercise reasonable care to protect the interests of the customer. Needless to say that a bank owes a duty to its customers to take necessary steps to prevent unauthorised withdrawals from their accounts.

Banking Law - Electronic Banking - If a customer suffers loss in connection with the transactions made without his junction by fraudsters, it has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, and the banks are, therefore, liable for the loss caused to their customers.

In the absence of any statutory provision in India, the Reserve Bank of India, excercising control over the banks has issued directions to the banks from time to time indicating the various steps to be taken as part of the duties owed by them to their customers. Considering the recent surge in customer grievances relating to unauthorised transactions in the accounts of the customers enjoying electronic banking facilities like ATM-cum-Debit Cards, net banking etc, in terms of circular No. RBI/2017- 18/15 dated 6/07/2017, the Reserve Bank of India has directed all banks, among others, to put in place, appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers; robust and dynamic fraud detection and prevention mechanism; mechanism to assess the risks resulting from unauthorised transactions and measure the liabilities arising out of such events; appropriate measures to mitigate the risks and protect the banks against liabilities arising therefrom and a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payment related frauds. It is clarified in the said circular that the customer shall have no liability at all in the case of third-party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system. The only obligation which casts on the customers of the bank in terms of the circular is that the unauthorised transactions shall be brought to the notice of the bank forthwith so as to enable the bank to block the account. The circular aforesaid only reminds the banks, their obligations and responsibilities and it does not create any new rights or obligations.

Banking Law - Electronic Banking – SMS alerts - Unauthorised Transactions - SMS alerts cannot be the basis for determining the liability of the customer.

Various services are being provided by banks to their customers. In fact, banks are soliciting business by advertising the various services provided by them to their customers in connection with different accounts. SMS alerts is one of the facility extended by most of the banks to their customers in connection with the savings bank accounts having electronic banking facilities including ATMcum-Debit Card facilities. Such facilities are provided not only to those who specifically request for the same, but also to those who do not ask for such facilities. Could such a facility voluntarily given by banks to their customers determine the rights of parties, is the question. According to me, only if there exists a specific term in the contract between a bank and its customer to the effect that the bank would be exonerated from the liability in connection with the unauthorised transactions if the customer does not respond to the SMS alerts, SMS alerts cannot be the basis for determining the liability of the customer, for, there would be account holders who may not be in the habit of checking SMS alerts at regular intervals and account holders like the plaintiff in the instant case who is working in an offshore oil rig, who may not be able to access their mobile phones for several days having regard to the peculiarity of their avocation. The defendant has no case that there is a contract between them and the plaintiff to the effect that if the plaintiff does not respond to the SMS alerts given by them regarding the withdrawals from his accounts, they would not be liable for the loss, if any, caused to the plaintiff.

Banking Law - Electronic Banking - It is the obligation of the banks providing such services, to create a safe electronic banking environment to combat all forms of malicious conducts resulting in loss to their customers.

The basis of the said obligation is the implied term in the contracts entered into by the banks with their customers to exercise care to protect their money from transactions not authorised by them. In developed countries, in the light of the said obligation, statutes are put in place to protect the interests of the customers of the bank by defining the liabilities and providing enforcement mechanism.

Questions of Law

(i) Are not the banks permitting withdrawal of cash from the accounts of their customers making use of ATM cum debit cards liable for the loss caused to the customers in connection with the transactions made without their junction by fraudsters?;

(ii) Could a bank be exonerated from the liability for the loss caused to its customer on account of the unauthorised withdrawals made from his account merely on the ground that the customer has not responded promptly to the SMS alerts given by the bank?

Facts of the Case

The plaintiff belongs to Pala in Kottayam District. He is working in a South American country, namely, Brazil. The defendant is a bank. The plaintiff is maintaining a NRE (Non-Resident External) account with the defendant. The defendant has provided net banking and Automated Teller Machine (ATM) services to the plaintiff for operating the said account. As the plaintiff is working in an offshore rig in Brazil, he used to be in India for 28 days after every 28 working days. The plaintiff was in India from 04.03.2012 to 27.03.2012. It is stated by the plaintiff that on 26.03.2012 he noticed that a sum of Rs.2,40,910.36 has been withdrawn from his account though the ATMs located at different places in Brazil between 22.03.2012 and 26.03.2012.

IN THE HIGH COURT OF KERALA AT ERNAKULAM

PRESENT THE HONOURABLE MR. JUSTICE P.B.SURESH KUMAR

WEDNESDAY,THE 09TH DAY OF JANUARY 2019 / 19TH POUSHA, 1940

RSA.No. 1087 of 2018

[AGAINST THE JUDGMENT AND DECREE DATED 31.08.2018 IN AS 107/2015 OF SUB COURT, PALA]

[AGAINST THE JUDGMENT AND DECREE DATED 31.08.2015 IN OS 212/2014 OF MUNSIFF COURT, PALA]

APPELLANT/RESPONDENT/DEFENDANT:

STATE BANK OF INDIA, REPRESENTED BY ITS CHIEF MANAGER, PALA BRANCH, KOTTAYAM DISTRICT. (FORMERLY SBT).

BY ADV. SRI.T.SETHUMADHAVAN (SR.) SRI.KODOTH PUSHPARAJAN SRI. K.JAYESH MOHANKUMAR

RESPONDENT/APPELLANT/PLAINTIFF:

P.V. GEORGE

J U D G M E N T

The defendant in a suit for realization of money is the appellant in the second appeal.

2. The plaintiff belongs to Pala in Kottayam District. He is working in a South American country, namely, Brazil. The defendant is a bank. The plaintiff is maintaining a NRE (Non-Resident External) account with the defendant. The defendant has provided net banking and Automated Teller Machine (ATM) services to the plaintiff for operating the said account. As the plaintiff is working in an offshore rig in Brazil, he used to be in India for 28 days after every 28 working days. The plaintiff was in India from 04.03.2012 to 27.03.2012. It is stated by the plaintiff that on 26.03.2012 he noticed that a sum of Rs.2,40,910.36 has been withdrawn from his account though the ATMs located at different places in Brazil between 22.03.2012 and 26.03.2012. The matter was informed by the plaintiff to the defendant forthwith and the ATM card issued to the plaintiff was consequently blocked by the defendant on 26.03.2012 itself. It is also stated by the plaintiff that though complaints have been lodged by him on 27.03.2012 and on 30.03.2012 stating that the withdrawals are unauthorized and requesting the defendant to refund the said amounts, no action, whatsoever, has been taken by the defendant on those complaints. According to the plaintiff, as the withdrawals made from his account were unauthorised, the defendant is liable to refund the amounts involved with interest. The suit is, therefore, for realisation of the said amounts with interest and costs.

3. The defendant contested the suit contending that withdrawals are not possible from the account of the plaintiff without the knowledge of the plaintiff and the defendant is, therefore, not liable for the loss caused to the plaintiff. It was also contended by the defendant that at any rate, since the loss caused to the plaintiff is not due to any action or inaction on the part of the defendant, even if the withdrawals are made fraudulently by third parties without the knowledge of the plaintiff, the bank is not liable for the same. It was, however, admitted by the defendant in their written statement that 14 withdrawals amounting to Rs.2,40,910.36 were made from the account of the plaintiff between 22.03.2012 and 26.03.2012 through the ATMs located at different places in Brazil.

4. The trial court dismissed the suit. However, in appeal, the appellate court reversed the decision of the trial court and decreed the suit. The defendant is aggrieved by the decision of the appellate court.

5. Heard the learned senior counsel for the appellant.

6. The fact that a total sum of Rs.2,40,910.36 was withdrawn from the account of the plaintiff between 22.03.2012 and 26.03.2012 through the ATMs at different places in Brazil has not been disputed by the defendant. Likewise, the fact that the plaintiff was in India from 4.03.2012 to 27.03.2012 is also not disputed by the defendant. The defendant has admitted, by producing Ext.B1 statement of transactions that the plaintiff has withdrawn money from the very same account using the ATM card issued to him from Pala while he was in India on 07.03.2012 and 09.03.2012. Likewise, the fact that the plaintiff has returned the ATM card issued to him by the defendant on 26.03.2012 itself is also not disputed by the defendant. The stand of the defendant all throughout was that money could be withdrawn from the account of the plaintiff only using the ATM card issued by the defendant and the pin number known only to the plaintiff. The case of the plaintiff is that the disputed withdrawals are unauthorised and made without his junction and therefore, the defendant is bound to refund the amounts involved to the plaintiff. The view taken by the appellate court is that in so far as it is established that the disputed withdrawals were unauthorized and made by third parties without using the debit card issued to the plaintiff, that too, through the ATMs in a foreign country, the defendant is liable for the loss caused to the plaintiff.

7. The learned senior counsel for the appellant contended that when amounts are withdrawn by international fraudsters from ATM counters in a foreign country, the defendant cannot be made liable for the loss caused to the account holders. It was also contended by the learned senior counsel that in a case of this nature, the plaintiff should have set the criminal law in motion in the foreign country for redressal of his grievance concerning the loss caused to him. It was further contended by the learned senior counsel that, at any rate, in so far as SMS alerts were given by the defendant to the plaintiff in respect of the disputed withdrawals, the plaintiff should have requested for blocking of the account immediately and in so far as the plaintiff has not responded to the SMS alerts given to him by the defendant, the defendant is not liable for the loss caused to him.

8. Having regard to the facts admitted by the parties and the submissions made by the learned senior counsel for the appellant, the following substantial questions of law have been formulated for decision in the matter:

(i) Are not the banks permitting withdrawal of cash from the accounts of their customers making use of ATM cum debit cards liable for the loss caused to the customers in connection with the transactions made without their junction by fraudsters?;

(ii) Could a bank be exonerated from the liability for the loss caused to its customer on account of the unauthorised withdrawals made from his account merely on the ground that the customer has not responded promptly to the SMS alerts given by the bank?

9. Question (i) : The relationship between a bank and its customers arises out of the contracts entered into between them. Such contracts consist of general terms applicable to all transactions and also special terms applicable to the special services, if any, provided by the bank to its customers. The relationship between a bank and its customer, in so far as it relates to the money deposited in the account of a customer, is that of debtor and creditor. The contractual relationship exists between a bank and its customers are founded on customs and usages. Many of these customs and usages have been recognized by courts and it is now an accepted principle that to the extent that they have been so recognized, they are implied terms of the contracts between banks and their customers. Duties of care is an accepted implied term in the contractual relationship that exists between a bank and its customer. It is impossible to define exhaustively the duties of care owed by a bank to its customer. It depends on the nature of services extended by the bank to its customers. But one thing is certain that where a bank is providing service to its customer, it owes a duty to exercise reasonable care to protect the interests of the customer. Needless to say that a bank owes a duty to its customers to take necessary steps to prevent unauthorised withdrawals from their accounts. As a corollary, there is no difficulty in holding that if a customer suffers loss on account of the transactions not authorised by him, the bank is liable to the customer for the said loss.

10. Coming to electronic banking regime, it is the obligation of the banks providing such services, to create a safe electronic banking environment to combat all forms of malicious conducts resulting in loss to their customers. The basis of the said obligation is the implied term in the contracts entered into by the banks with their customers to exercise care to protect their money from transactions not authorised by them. In developed countries, in the light of the said obligation, statutes are put in place to protect the interests of the customers of the bank by defining the liabilities and providing enforcement mechanism. The law that governs the area in this connection in the United States of America is Electronic Funds Transfer Act. The said statute provides that a consumer is liable for any unauthorised electronic fund transfer involving his account only if the card or other means of access utilised for such transfer is an accepted card or other means of access and if the issuer of such card or other means of access has provided a means whereby the user of such card or other means could be identified as the person authorised to use it such as by signature, photograph or fingerprint or by electronic or mechanical confirmation. In Canada, electronic banking consumers and card users are protected under the Canadian Code of Practice for Consumer Debit Card Services. Under the said Code, consumers are not liable for losses arising from unauthorised usage of a card. In the absence of any statutory provision in India, the Reserve Bank of India, excercising control over the banks has issued directions to the banks from time to time indicating the various steps to be taken as part of the duties owed by them to their customers. Considering the recent surge in customer grievances relating to unauthorised transactions in the accounts of the customers enjoying electronic banking facilities like ATM-cum-Debit Cards, net banking etc, in terms of circular No. RBI/2017- 18/15 dated 6/07/2017, the Reserve Bank of India has directed all banks, among others, to put in place, appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers; robust and dynamic fraud detection and prevention mechanism; mechanism to assess the risks resulting from unauthorised transactions and measure the liabilities arising out of such events; appropriate measures to mitigate the risks and protect the banks against liabilities arising therefrom and a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payment related frauds. It is clarified in the said circular that the customer shall have no liability at all in the case of third-party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system. The only obligation which casts on the customers of the bank in terms of the circular is that the unauthorised transactions shall be brought to the notice of the bank forthwith so as to enable the bank to block the account. The circular aforesaid only reminds the banks, their obligations and responsibilities and it does not create any new rights or obligations. In short, there is also no difficulty in holding that if a customer suffers loss in connection with the transactions made without his junction by fraudsters, it has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, and the banks are, therefore, liable for the loss caused to their customers. All over the world, the courts are adopting the aforesaid approach to protect the interests of the customers of electronic banking. Reverting to the facts of the case on hand, though it was contended by the defendant in the written statement filed in the suit that the disputed withdrawals cannot be said to be withdrawals without the junction of the plaintiff, in the light of the facts established by evidence, such a contention was not pressed into service by the defendant in the second appeal. Instead, as noted, the main contention pressed into service by the defendant in the second appeal is that the defendant is not liable for the unauthorised withdrawals made from the account of the plaintiff by fraudsters abroad. As the second contention was found against, the question is answered against the appellant.

11. Question (ii): Various services are being provided by banks to their customers. In fact, banks are soliciting business by advertising the various services provided by them to their customers in connection with different accounts. SMS alerts is one of the facility extended by most of the banks to their customers in connection with the savings bank accounts having electronic banking facilities including ATMcum- Debit Card facilities. Such facilities are provided not only to those who specifically request for the same, but also to those who do not ask for such facilities. Could such a facility voluntarily given by banks to their customers determine the rights of parties, is the question. According to me, only if there exists a specific term in the contract between a bank and its customer to the effect that the bank would be exonerated from the liability in connection with the unauthorised transactions if the customer does not respond to the SMS alerts, SMS alerts cannot be the basis for determining the liability of the customer, for, there would be account holders who may not be in the habit of checking SMS alerts at regular intervals and account holders like the plaintiff in the instant case who is working in an offshore oil rig, who may not be able to access their mobile phones for several days having regard to the peculiarity of their avocation. The defendant has no case that there is a contract between them and the plaintiff to the effect that if the plaintiff does not respond to the SMS alerts given by them regarding the withdrawals from his accounts, they would not be liable for the loss, if any, caused to the plaintiff. In the circumstances, question (ii) is also answered against the appellant.

In the light of the findings on the questions formulated for decision, there is no merit in the second appeal and the same is, accordingly, dismissed.