For the First time in India,
Bank Absorbs Phishing Liability
Phishing attacks are a common form of risks in today's
based Banking. Banks have been largely bulldozing the customers into
believing that the liability for Phishing should be boarne by the customers
because they were negligent in responding to the Phishing mail.
However, the legal position can be different.
Phishing is a result of multiple contraventions of ITA 2000 particularly
after the amendments of 2008. It results in wrongful loss to the customer.
The contravention therefore attracts provisions of Section 43 for
several complaints have been registered on Banks under Section 66 and 66A
of ITA 2000/ITA 2008 in Bangalore, Chennai and Hyderabad.
The Banks are basically being held liable under the age
old Banking law that "Forgery
cannot be held against the customer, however clever or undetectable the
In this connection we may
refer to the Supreme Court decision in the Canara Bank Vs Canara
Sales Corporation AIR 1987 SC 1603 II) in which Supreme Court held that
bank can escape liability only if it could establish that the client knew
of the forgery.
This principle has been
used time and again in Banking Cases such as the following.
a) Citizen Co-opertive
Bank Ltd Vs Ritesh Mittal,-2004 CTJ 211 (Jammu and Kashmir High Court)
b) N. Venkanna Vs Andhra
Bank, National Disputes Redressal Commission, 11th January,
c) Bhagwandas Vs Creet
d) L. Pirbhu Dayal Vs
Jwala bank, AIR 1958 All. 374
e) Dawood Vs Firm
Pereinan Chetty, AIR 1924 Rang.264
The fact that using the stolen password of the customer amounts to forgery
and unauthorized access needs no special explanation. Hence in all Phishing
cases, Banks are liable.
Additionally, Banks are ignoring the
law of the land through IAT 2000 as well as the Internet Guidelines of RBI
and not using digital signatures for authentication of Internet
transactions. This renders them negligent (lack of due diligence) under
Sections 79 and 85 making them liable for any offence attributable to a
computer belonging to the Bank.
This principle has also been followed
by the German Court
Wiesloch -Az4C57/08. The Danish Law also provides that
banks are required to compensate private account holders everything but a
1200 kroner deduction if their accounts are hacked. Recently, a new
provision has extended the same guarantee to small businesses which is
expected to cover 90 percent of
the country’s companies.
In the light of the above, it is heartening to note
that Bank of India has set a precedence by accepting liability for Phishing
in one the cases filed in Bangalore and repaying the amount along with
interest to the customer who was a victim of a Phishing fraud. In this
case, the banking Ombudsman also directed the Bank to make the payment and
the Bank obliged.
We appreciate the attitude of Bank of India and hope
they will follow up the decision with the hardening of security with an
introduction of digital signatures as a means of authentication of Internet
Comments are Welcome at