Who is liable for unauthorised transactions via prepaid payment instruments? Madras High Court answers

Madras High Court: In a writ petition filed praying to issue an interim direction directing the City Union Bank, to immediately credit a sum of Rs. 3 lakhs, being the sum unlawfully and authorizedly siphoned off from the account of the petitioner using Paytm, R.N. Manjula*, J. said that no fraudulent actions were done by the petitioner, but the violations were done by the third parties and Paytm has failed to resolve the dispute within 90 days and has not come out with any concrete structure as to how the loss suffered is going to be compensated. Further, it did not prove how the customer is liable, thus, the Court held that Paytm is liable to make out the loss suffered by the petitioner.

However, the Court modified the relief to the effect that Reserve Bank of India (‘RBI’) is directed to issue directions to Paytm to make good the loss suffered by the petitioner without any other reduction, except the reduction of the amount, if any already reversed to the account of the petitioner in pursuant to the earlier orders of this Court.

Facts:

The petitioner was a resident doctor at a Medical College. She was being paid with a stipend of Rs. 25,000/- per month by the Medical College, and the amount gets credited to her bank account with the City Union Bank (‘Bank’). Out of the said earnings, she had saved a sum of Rs. 3,20,000/- and was planning to utilise the same to meet her final year fees. On 09-02-2021, an attempt was made by some miscreant to hack into her savings account, bearing with the Bank. The said fact was known to her through an SMS alert. She noticed the said message only on 11-02-2021. She immediately sent a message to the Bank asking them to block the account. She was under the impression that the account had been blocked pursuant to her request. Once again, on 13-02-2021, she received another SMS informing her that there had been an attempt to break into her savings account. The petitioner sent another message to the bank along with her registered mobile number, requesting the bank to block her account.

On 15-02-2021 she received an SMS informing her that someone had hacked into her account and within a few minutes, there was an unauthorised debit from her account at different intervals of a total amount of 3 lakhs by making successive transactions using the Paytm application. The miscreants had hacked into her account and stolen her money. The petitioner called the bank and asked them to block her account. However, her money had been illegally siphoned off; no OTP for withdrawal has been received on her mobile phone and she has not shared her bank details or personal details with anyone. She received the information from the Bank that her money had been transferred fraudulently to the Paytm account. Immediately, she called Paytm and registered a complaint.

The RBI had issued a circular dated 04-01-2019 vide No. DPSS.CO.PD.No.1417/02.14.006/2018-19 and it is applicable to all authorized non-bank payment transactions through Prepaid Payment Instruments (‘PPIs’) issuers for customer protection/limiting the liability of customers in unauthorised electronic PPI issued by authorized non-bank. Paragraph 6(b) of the said circular, states about the customer’s limited liability in cases of third-party breach where the deficiency lies neither with the PPI issuer nor with the customer but elsewhere in the system and the customer notifies the PPI issuer or the Bank regarding the unauthorised payment transaction. In the same circular, it is stated that the burden of proving customer liability in cases of unauthorised electronic payment transaction shall lie on the PPI issuer.

Further, RBI issued another circular dated 06-07-2017 and bearing No.RBI/2017-18/15, applicable to all Scheduled Commercial Banks (including RPBs), all Small Finance Banks and Payments for Customer Protection/ Limiting Liability of Customers in unauthorised electronic banking transactions. Under paragraphs Nos. 6 and 7 of the above circulars, the bank is liable in cases where the responsibility for the unauthorised electronic banking transactions lies neither with the bank nor with the customer but elsewhere in the system. According to Paragraph No. 12 of the circular, the burden of proving the customer’s liability in case of unauthorized electronic banking transactions shall lie with the bank.

Analysis:

The Court said that even though the public is encouraged to use payment banks such as Paytm, Google Pay, Amazan Pay, etc., the customer is made to run from pillar to post, in case he is affected due to any third-party violations or fraudulent intervention. The Court was surprised that even when the RBI has issued detailed master directions for both banks and Prepaid Payment Instruments (‘PPI’), every institution shifts the blame upon the other and no one has come up with a concrete idea as to who has to bear the loss suffered by the petitioner, for none of her mistakes.

The Court noted that there were certain attempts made by some miscreants to access the petitioner’s account with the City Union Bank through the Paytm app from 09-02-2021. The City Union Bank had alerted the petitioner by sending an SMS that her account was accessed by someone. The petitioner happened to notice the message on 11-02-2021 and she had sent an SMS to block her account. But it was unsuccessful. The fraudulent attempts were continuing, and things went beyond the control of the petitioners and the banker.

The Bank contended that their liability ends with alerting the customer and they were not able to block her account because the SMS was not sent in a proper manner. The petitioner omitted to call the branch directly to see that her account is blocked.

The Court said that in view of the various online mechanisms provided by the banks for almost all banking services, no one goes to the branch physically to make any complaint. So it is not a surprise that the petitioner did not make any direct contact with the bank and that she followed scrupulously how she was instructed in the alert SMS.

The Court noted that in the status report, it is stated that the fraudsters have managed to access the app by being in some other states, like Bihar. Further, it was not the petitioner who had revealed the details of her PIN Number or other details to the fraudsters either knowingly or unknowingly. It also noted that as per the records it is clear that the access was done through a payment bank named Paytm.

The Court found the counter affidavit of the RBI diplomatic to the extent that the RBI did not pinpoint either the Bank or the Paytm to be liable to compensate the petitioner. In fact, the RBI guidelines are customer-friendly, and if the customer happens to report fraudulent transactions within three days of the occurrence, as per the guidelines, there is ‘zero liability’ fixed on the customer. The above position is similar for both banks and Prepaid Payment Instruments, except for the fact that they were through different circulars. Since the transaction was not done through any `net banking sites but through a payment bank application by name ‘Paytm’, it has to be seen whether the banker or the payment banker is liable.

The Court noted that the liability of the customer is fixed at Rs. 10,000/- per transaction if the complaint has been made within 4 to 7 days and if beyond 7 days, it is as per the policy of the prepaid payment instrument issuer. In the case in hand, the petitioner had given her complaint to her banker immediately after the transaction. It cannot be claimed by Paytm that the petitioner ought to have given her complaint to Paytm instead of the Bank, as even she did not know how the fraud was committed. Further, the Bank has been communicating with paytm about the fraudsters’ activity. So, it cannot be said that Paytm was not aware of the fraud just because the customer gave her complaint to her bank directly.

Further, the Court rejected Paytm’s contention that payment bank is a private corporation and not a government institution, and hence, it cannot be subjected to the jurisdiction of this Court.

The Court said that the liability is on Paytm and not on the Bank. However, as it cannot give a straight away direction against a private body like Paytm, the Court mold the relief and gave direction to the RBI, to act against Paytm for violating its own guidelines.

The Court further said that as per the RBI guidelines the non-bank PPI issuers shall ensure that a complaint is resolved, and the liability of the customer is established within the said time not exceeding 90 days. But Paytm has not come forward to take cognizance of the grievances suffered by the petitioner, who was the user of the Paytm banking services. Further, if the PPI issuer is unable to resolve the complaint and determine the customer’s liability within 90 days, the amount as prescribed under RBI guidelines shall be paid to the customer irrespective of whether the negligence is on the part of the customer or otherwise.

Thus, the Court directed RBI to issue directions to Paytm for compensating the loss suffered by the petitioner.

[Dr. R. Pavithra v Commissioner of Police, 2023 SCC OnLine Mad 3165, Order dated 28-04-2023]

*Order by: Justice R.N. Manjula

Advocates who appeared in this case :

For Petitioner: Advocate. Sharath Chandran;

For Respondents: Government Advocate A.Gopinath, Advocate V.S.Rishwanth, Advocate S.R.Sundar, Advocate Shivakumar, Advocate Suresh, Advocate B.Sivakollapan, Advocate D.Sathiyaraj.