Introduction
The proliferation of digital financial services in India has been one of the defining economic achievements of the past decade. The Unified Payments Interface, launched in 2016, processed over 11 billion transactions monthly by 2024. Jan Dhan accounts have brought hundreds of millions of previously unbanked citizens into the formal financial system. Digital wallets, mobile banking, and internet banking have become the primary interfaces through which a substantial portion of India’s population manages its finances.
With this expansion of digital finance has come a corresponding expansion in financial cybercrime. Phishing attacks, which deploy deceptive emails, messages, or websites to extract login credentials or one-time passwords, are the most common vector. Vishing attacks, which use telephone calls to social-engineer victims into disclosing account details or approving fraudulent transactions, have become increasingly sophisticated, often deploying voice AI to impersonate bank officers. Smishing (SMS-based phishing), SIM swapping (fraudulent porting of a victim’s mobile number to a criminal’s SIM), and fraudulent UPI request links represent further variations on the social engineering theme.
The central legal question in this domain is the apportionment of loss between the victim, typically an individual customer with limited technical sophistication, and the financial institution, which is a sophisticated regulated entity with professional security capabilities. This question is answered differently depending on whether one approaches it through contract law, regulatory principles, consumer protection law, or the tort of negligence. The answers are not consistent, and the resulting uncertainty harms both consumers (who may not know their rights) and financial institutions (who face unpredictable liability exposure).
Legal Framework
The Reserve Bank of India’s circular on “Customer Protection: Limiting Liability of Customers in Unauthorised Electronic Banking Transactions,” issued in July 2017, represents the foundational regulatory statement on this question. The circular establishes a framework based on attribution of responsibility for the breach.
Where the fraud is attributable to a deficiency on the part of the bank (system failure, data breach, inadequate security controls), the customer bears zero liability regardless of whether the customer reported the incident promptly. The full loss falls on the bank.
Where the fraud is attributable to a third party, not to the bank’s systems and not to the customer’s negligence, the customer’s liability depends on the speed of reporting. If the customer reports the incident within three days, the maximum loss borne by the customer ranges from zero to Rs. 5,000 depending on the transaction limit, with the bank absorbing the remainder. Reporting between three and seven days results in higher customer liability. Reporting after seven days means the liability is determined by the bank’s board-approved policy.
Where the fraud is attributable to the customer’s own negligence, sharing of credentials, falling for phishing or vishing, or approving fraudulent UPI requests, the customer bears the full loss. The circular places the burden of proving customer negligence on the bank, but in practice the determination of negligence is contested and inconsistently applied.
This framework is grounded in the contractual relationship between the bank and the customer, but it interacts with consumer protection principles, the Banking Ombudsman scheme (now the Reserve Bank Integrated Ombudsman Scheme), and the courts. The Consumer Protection Act, 2019 provides a separate avenue for customers to claim deficiency in service against financial institutions, and consumer forums have increasingly engaged with digital fraud claims.
Judicial Developments
The Banking Ombudsman and consumer forums have produced a body of decisions on phishing and vishing liability that reflects both the evolution of fraud tactics and the evolving judicial understanding of digital security. These decisions, while not constituting binding precedents in the strictest sense, reveal the normative standards that adjudicators apply.
A recurring pattern in Banking Ombudsman decisions from 2022 to 2024 involves vishing attacks where the complainant received a call from a number presenting as the bank’s customer care, was persuaded to provide an OTP to “verify their account” or “reverse a fraudulent charge,” and the OTP was used to authorise a fraudulent transaction. In several such cases, Ombudsman decisions have held the bank partially liable on the ground that the bank’s telephony infrastructure allowed caller ID spoofing (displaying the bank’s genuine number on a fraudulent call), constituting a deficiency in the bank’s security systems even though the customer also contributed by sharing the OTP.
The Supreme Court in State Bank of India v. Rajnish Kumar Agrawal (2022, and related appeals) and several High Court decisions have addressed the evidentiary standards for bank liability in electronic transaction disputes. Courts have held that the burden of proving that a transaction was authorised or that the customer was negligent lies with the bank, which as the entity in control of the transaction logs and security systems is better positioned to produce this evidence. This allocation of the burden of proof is significant: it means that a customer who asserts that a transaction was fraudulent does not need to prove the fraud; rather, the bank must prove the transaction was authorised or the customer was negligent.
Consumer forums in Tamil Nadu, Delhi, and Karnataka have awarded compensation to phishing victims where the bank’s security infrastructure was found to lack adequate anomaly detection (for instance, a transaction originating from an unusual device or geographic location that the bank’s systems should have flagged) or where the bank’s customer care failed to process a timely fraud complaint and block the account within a reasonable time. These decisions implicitly hold banks to a standard of reasonable security practice defined by what a prudent financial institution would have implemented.
Contemporary Issues and Analysis
The threshold question of negligence, specifically what constitutes a customer’s negligent contribution to a phishing or vishing loss, is fiercely contested and technically complex. The traditional banking law approach, reflected in the RBI circular, treats sharing of credentials or OTPs as inherently negligent. This was a reasonable position when the only way to obtain an OTP was through crude phishing emails that a moderately attentive consumer could identify as fraudulent. It is a much less reasonable position given the sophistication of contemporary social engineering attacks.
Modern vishing operations deploy voice-spoofing technology to replicate bank customer care call scripts with high fidelity, social engineering victims with specific account information (obtained from earlier data breaches) to establish credibility, and creating artificial urgency through fabricated fraud alerts. The question of whether an individual who is deceived by such an operation into sharing an OTP has been “negligent” in any meaningful moral or legal sense is difficult to answer affirmatively. They have been the victims of sophisticated professional fraud, not simply careless with their credentials.
The UPI mechanism introduces additional complexity. UPI collects payment requests work by sending the customer a notification asking them to “approve” a payment. Many customers are deceived into approving outgoing payments by fraudsters who frame the request as receiving money. The NPCI has addressed this through user interface changes requiring explicit confirmation of payment direction, but the fraudulent framing of UPI collect requests has proven stubbornly persistent. When a customer approves a collect request believing they are receiving money, attributing the resulting loss entirely to “customer negligence” seems analytically strained.
SIM swapping attacks raise distinct liability questions. When a fraudster obtains a duplicate SIM card for the victim’s mobile number through fraudulent documentation submitted to the victim’s mobile network operator, the criminal can receive all OTPs sent to that number and drain the victim’s bank accounts. The mobile network operator has failed to verify the SIM swap request adequately; the bank’s security relies entirely on SMS-based OTPs sent to a number now controlled by the criminal. In this scenario, the customer has done nothing wrong. Several Banking Ombudsman and consumer forum decisions have held both the bank and the telecom operator jointly liable in SIM swap cases.
Comparative and International Perspective
The United Kingdom’s approach to authorised push payment (APP) fraud, where the victim is deceived into authorising a payment to a fraudster, provides a substantially more consumer-protective model than India’s current framework. The Payment Systems Regulator’s mandatory reimbursement scheme, which took effect in October 2023, requires banks to reimburse victims of APP fraud up to a cap of £85,000, with the cost shared between the sending bank and the receiving bank. Exceptions exist for gross negligence and for fraud where the victim ignored specific warnings from the bank, but the default is reimbursement, not denial.
The Confirmation of Payee (CoP) system in the UK, which checks whether the account name entered by the payer matches the account held by the payee before a payment is processed, provides a technical safeguard that reduces a specific category of misdirection fraud. India’s UPI infrastructure has some analogous features (beneficiary name display before payment confirmation) but the implementation has been uneven.
Australia’s Scam-Safe Accord, adopted by Australian banks in late 2023, is a voluntary industry commitment to implement a series of anti-scam measures including confirmation of payee, intelligence sharing about misdirected payments, delay periods for high-risk payments, and enhanced identity verification. The Accord is being underpinned by regulatory requirements under Australia’s Scams Prevention Framework Bill. Australia’s approach reflects a broader shift from “caveat emptor” to “shared responsibility” in digital financial fraud.
The US framework relies heavily on the Electronic Fund Transfer Act (Regulation E), which protects consumers against unauthorised electronic transfers but historically excluded “authorised” transfers (where the customer is deceived into approving the transaction) from its protections. The Federal Trade Commission has increasingly focused on the “authorised transfer” gap and has encouraged banks and payment companies to voluntarily extend reimbursement protections.
Practical and Policy Implications
For individual customers, the most practical protection remains a combination of awareness and prompt reporting. The RBI circular’s reporting timelines are directly material to the amount of loss a customer must absorb; a customer who reports a fraudulent transaction within three days is in a substantially better legal position than one who reports after seven days. Banks are required to acknowledge fraud complaints immediately and must resolve them within specified timelines.
For banks, the emerging regulatory and judicial environment suggests that security infrastructure investment is not merely a cost of compliance but a direct risk management imperative. Banks that maintain robust anomaly detection systems, multi-factor authentication that resists SIM swap attacks (hardware tokens or biometric verification rather than SMS-based OTPs), and documented customer communication about fraud tactics are in a better position to demonstrate that losses resulted from customer negligence rather than bank security deficiency.
The rise of real-time fraud intelligence sharing among financial institutions could substantially reduce losses. A fraudulent account that receives misdirected payments would be flagged more quickly if receiving banks pooled anomaly data. The RBI’s regulatory sandbox environment has facilitated some innovation in this space, but systematic real-time fraud intelligence sharing has not yet been mandated.
Suggestions and Reforms
India should move towards a shared responsibility framework for APP fraud analogous to the UK model. Rather than placing the entire burden of proof on individual customers to disprove their own negligence, the default should be proportionate reimbursement from both the sending and receiving financial institutions, with reductions only for demonstrable gross negligence by the customer.
The RBI should issue updated guidance specifically addressing SIM swap fraud, making clear that where a SIM swap is the enabling vector for a fraud, the liability lies primarily with the telecom operator and the bank, not the customer.
The NPCI should mandate standardised fraud warnings for UPI collect requests that are unambiguous in their direction: every collect request should display prominently that approving the request sends money out of the customer’s account. The current user interface, while improved, remains a source of confusion.
A mandatory real-time fraud alert sharing mechanism, operated through the I4C or another central body, would allow financial institutions to flag fraudulent beneficiary accounts more rapidly, reducing the window available to criminals to extract funds before blocks can be applied.
Conclusion
The legal framework governing phishing and vishing liability in India is caught between a regulatory circular written for the fraud environment of 2017 and the dramatically more sophisticated social engineering attacks of 2024 and beyond. The fundamental principle of the 2017 circular, that customers who share their credentials bear the loss, was defensible when sharing credentials required obvious carelessness. It is increasingly indefensible as a general rule in an environment where professional criminal operations specifically designed to defeat consumer vigilance are the norm.
The comparative experience of the UK, Australia, and increasingly the US points towards a shared responsibility model that distributes the burden of cybercrime losses across customers, sending banks, and receiving banks, with strong incentives for all parties to invest in security. India’s rapidly expanding digital financial ecosystem, with its hundreds of millions of relatively inexperienced digital financial consumers, needs regulatory frameworks that protect these consumers rather than placing the entire responsibility for security on individuals who lack the information and technical capacity to protect themselves effectively.