The case, filed with the National Consumer Disputes Redressal Commission (NCDRC) on 24 January, was admitted in March by its president, justice A.P. Sahi, and 7 July was the first deadline for banks to respond to the complainants’ plea. The complainants have claimed negligence on the banks’ part during incidents of digital arrests, and have argued that the lenders are partially responsible for the thefts—and thus should also be held liable for refunding or recovering the money lost.
Banks have rejected this claim, saying that since the losses happened because the users voluntarily made the transactions, they could not be held liable.
The order, a copy of which Mint has reviewed, requires the banks involved to respond to a plea filed by three complainants. These individuals collectively lost over ₹24 crore ($2.8 million) after falling victim to calls that exploited personal information and impersonated senior law enforcement officials, such as the chairman of the Central Board of Indirect Taxes and Customs, to extort large sums before disappearing.
“The primary point of concern in the hearing lay in the fact that banks safekeep vast troves of personal savings, and make for a vital partner to a person’s life. In such a commercial relationship, banks often claim user negligence and error in case of digital arrest thefts to indemnify their involvements in these cases—which is largely misleading because in digital arrests, a bank’s customer is making these vast transactions under threat, coercion and blackmail from a foreign party. This makes them liable for protection under the Reserve Bank’s limited liability guidelines for consumers,” advocate Mahendra Limaye, the lawyer representing the three digital arrest victims at NCDRC told Mint.
Sahi has allowed banks, which involve at least four private lenders across India, until 14 November to file their responses—following which dates for oral hearings will be issued. If successful, the victims will set a new precedent for others who fall prey to digital arrest—in terms of a viable recourse that they can seek against banks.
Responses submitted to the NCDRC by HDFC Bank and ICICI Bank, India’s top two private lenders, opposed the idea of sharing partial liability, saying the case itself was not squarely under consumer complaint jurisdiction. Further, in a 76-page response, a copy of which Mint has seen, HDFC Bank’s legal representatives underlined claim for indemnity by stating that transactions made by one victim, amounting to over ₹4 crore, were “executed with full knowledge, consent and active participation of the complainant.”
“Any subsequent claim of fraud, misrepresentation or coercion would lie outside the scope of the bank’s responsibilities, and would not attract the protection or liability envisaged under RBI guidelines,” HDFC Bank said.
ICICI Bank’s representatives, in a 39-page response, said that if a victim did not lose money from an account within the bank, it cannot be held responsible—citing NCDRC’s definition of a consumer. It was, however, challenged by Limaye since accounts in ICICI Bank were used as ‘mules’ to further distribute the money across various parties.
Queries emailed to HDFC Bank and ICICI Bank did not elicit a response till press time.
Rising incidents of digital arrest—an online scam in which perpetrators extort money from victims by impersonating a high-ranking law enforcement officialand threatening arrests and other legal actions—over the past two years have caused a huge of money being stolen from personal accounts, with attackers often being based in other nations. So far, most of these cases would take the course of criminal proceedings, coming under anti-money laundering, impersonation and other clauses under the Bharatiya Nyay Sanhita, 2023. However, the NCDRC hearing could potentially set a precedent as it approaches financial crimes from the purview of a consumer and service provider, senior lawyers and industry stakeholders said. If the consumer court rules in favour of the users, it will pile pressure on banks to proactively investigate digital arrests. It would also have big financial implications for banks, since they would have to bear a part of the loss and partially compensate the victims of such digital scams.
“The RBI (Reserve Bank of India) ought to lay out processes for payee banks to root out mule accounts or their abuse, and for such payee banks to be made liable in case of breach. To merely relegate victim losses to contributory negligence does not amount to effective justice. Further, apart from awareness about crimes, the RBI ought to mandate banks to also ensure awareness of remedies among users. Else, victims run the risk of losing valuable remedies merely for want of knowledge,” N.S. Nappinai, senior counsel at the Supreme Court of India and founder of Cyber Saathi, told Mint.
Others pointed to an RBI circular from July 2017 on limiting liability of customers in unauthorized electronic banking transactions. Sumant Nayak, senior partner at law firm Desai and Diwanji, said that while the circular primarily addressed unauthorized transactions, its provisions are interpreted to apply to cases where technical authorization is induced through deception.
“In the present case, it is particularly noteworthy that the customer liquidated crores of savings in digital arrest, and bank staff did not ask her twice—a phrase that underscores the absence of procedural safeguards,” Nayak added.
He further said that when a high-value transaction is initiated, especially under suspicious or emotionally distressed circumstances, bank personnel are expected to reconfirm intent, flag anomalies, and escalate concerns. “The failure to do so may amount to deficiency in service, thus further weakening the bank’s defence,” he added.
Citing a recent case from the Supreme Court—SBI v. Pallabh Bhowmick—Nayak said that the apex court has stated that it is the responsibility of the bank to avoid unauthorized transactions. However, the court also cautioned the customers to be vigilant in sharing their confidential information such as OTP. The court stated that the customers could also be held liable in such transactions for negligence.
The customer’s liability, in this case, could also be defined by the show of negligence from the bank itself, each of the lawyers cited above said.
Police inspector Surender, station head, Bhondsi, and in-charge of one of the inspections, said that while the police division in Haryana has set-up an in-house special inspection team (SIT) for the case, court rulings are proceeding independently. “We have already made recoveries of some amounts as part of us tracing the accounts, but the process is on—and is continuing as we speak,” Surender said.
Bank executives, however, maintain that it is “impossible for a bank to stop or question these transactions, when the customer is authorizing them, especially when it is being done at a branch.”
“When a customer is trying to liquidate their savings and investments all at once, banks will not raise red flags. At best, the relationship manager will try to sway the person since he or she will lose out on business,” said an official at a private sector bank, requesting anonymity due to the sensitivity of the case.
Asked whether banks are worried about these transactions ending up in mule accounts, he said that all lenders are working with the regulator on curbing this. “In cases where a dormant account suddenly sees a spurt in transactions or sees high-value transfers, banks raise red flags. But, in many cases, by the time they act, funds would have moved to several other accounts.”
“The best way to stop these mule accounts from exploiting the system is to be more selective when opening accounts and after multiple checks,” he added.