In the 1970s, Jack, a United States (US) citizen, wanted to marry Anna, a citizen of the Communist Soviet Union. To get approval, Jack was asked to get a document from the US authorities certifying he was not married. This was a clever bureaucratic ploy for rejecting his application. Getting the US authorities to certify a negative fact — that Jack was not married — was an impossible task.
I recalled this story while reading a Mumbai High Court decision requiring a bank to refund Rs 77 lakh that had been debited from a company called PSAPL’s bank account without authorisation.
On October 2, 2022, PSAPL received 13 SMS messages notifying it of the transfer of Rs 77 lakh from its account to unknown parties. The beneficiaries were not known to PSAPL and it had not added them as beneficiaries. Aside from the SMS alerts, it had received no other communication from the bank.
PSAPL immediately filed complaints with both the bank and the cybercrime cell of the police. It was confident of receiving a refund in line with the Reserve Bank of India’s (RBI’s) circular of July 6, 2017, on Unauthorised Electronic Banking transactions, which mandates refunds where the account holder has not been negligent. The burden of proving negligence also lies with the bank.
The bank claimed PSAPL had been negligent for two reasons: One, it had authorised the addition of beneficiaries on October 1, 2022, by logging into its net banking account and approving the additions using the One Time Passwords (OTPs) sent to its mobile and email.
Two, it had logged into its net banking account on October 2, 2022, and authorised 13 payments totalling Rs 77 lakh using OTPs sent to its mobile and email.
The dispute hinged on whether PSAPL had added the beneficiaries and authorised the payments, and whether it had received the OTPs the bank claimed to have sent. The bank’s internal systems team certified that the OTPs had been sent and delivered. The bank then asserted that PSAPL was “hand-in-glove with the fraudsters”.
This internal certification was deemed sufficient by the banking ombudsman, who dismissed PSAPL’s complaint.
PSAPL then filed a writ petition in the Mumbai High Court. It faced the challenge of proving it had never received the OTPs — a negative fact, reminiscent of Jack’s dilemma.
Fortunately, the court ordered PSAPL’s service providers, Airtel and Rediffmail, to certify based on their logs. Both providers confirmed that no SMSes or emails from the bank were received by PSAPL on the specified days. Consequently, the court ordered the bank to refund Rs 77 lakh to PSAPL.
PSAPL’s story ended on a positive note, but only after it endured the ordeal of losing Rs 77 lakh and being branded a fraudster. To prevent ordinary citizens from facing a similar situation, several measures are needed.
Technology allows senders to receive a delivery confirmation when an SMS is delivered. RBI should mandate a log from the bank’s telecom provider as proof.
Citizens should also be able to obtain verified logs of their calls, texts, and emails from their telecom and email providers. An Account Aggregator-like framework can enable these authenticated logs to be sent directly to the bank or the banking ombudsman as proof of non-receipt of OTPs.
Truth be told, keeping surplus money in a bank account has become perilous. Frauds like these have eroded trust. Another big risk is mis-selling by bank employees. Banks, which are an essential pathway for a nation’s economic progress, must act swiftly to stem the growing mistrust.
The writer heads Fee-Only Investment Advisors LLP, a Sebi-registered investment advisor; X (formerly Twitter): @harshroongta
Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper.
(A slightly different version of this column first appeared in the Business Standard on July 01, 2024)