Facts

Dhule Vikas Sahakari Bank Ltd (hereinafter referred to as the “Complainant”) is an established co-operative bank that maintains a Current Account with Axis Bank and uses Axis Bank’s Cash Management Services (CMS) platform for RTGS and NEFT transfers.

An employee of the Complainant logged into the Axis Bank account and found 27 unauthorised transactions, allegedly totalling INR 2,06,50,165/-.

The Complainant uses Axis Bank’s Pay-Pro system, which requires login with user credentials and OTPs and enforces a maker-checker authorisation mechanism, so that a transaction is completed only after it has been initiated by the maker and verified by the checker.

During the unauthorised transactions, these safeguards were bypassed without any notice to the Complainant. Neither the maker nor the checker received the OTPs that are mandatory for completing a transaction, and no batch numbers were generated, although batch generation is a critical step in the Complainant’s internal process. The Complainant maintains separate registered phone numbers for the maker’s and the checker’s OTPs, yet no OTP was received on either number at any point during the unauthorised transactions. The Complainant immediately reported the incident to Axis Bank and requested that the account be blocked to prevent further loss.

The Complainant characterises this as a failure of Axis Bank’s system to enforce basic security protocols and alleges that the unauthorised transactions occurred because of a grave contravention of the Information Technology Act, 2000 (“IT Act”) by Axis Bank.

Issues

Did Axis Bank violate the IT Act, causing the security breach, and is Axis Bank to be held accountable for such lapses in security?

Contentions

The Banking Codes and Standards Board of India (BCSBI) guidelines limit customer liability to ₹10,000 in cases of unauthorised transactions. As Axis Bank is a BCSBI member, counsel for the Complainant contends that the loss exceeding ₹10,000 should be borne by Axis Bank (the “Respondent”), provided the Complainant was not negligent.

Counsel for the Complainant also argues that the unauthorised transactions would not have occurred had Axis Bank, bound by the regulatory requirements of the Reserve Bank of India (“RBI”), adequately verified the KYC details of the accounts that received the unauthorised transactions, such as those held at ICICI Bank and HDFC Bank. On this view, Axis Bank’s failure to adhere to RBI guidelines on KYC and anti-money laundering practices facilitated the fraudulent transactions.

Counsel for the Respondent contended that the unauthorised transactions occurred because of software installed on the Complainant’s own bank servers, through which transactions could be put through without OTP generation. Relying on an investigation report by the KPMG Cyber Forensic Team, the Respondent identified five remote desktop logons recorded on 6 June 2020 from different IP addresses.

The unauthorised transactions, however, were carried out on 7 June 2020, which contradicts the account given by the Respondent’s counsel. Furthermore, it was found that on 10 June 2020 the Respondent, through a Branch Manager, had filed a First Information Report (FIR) at a police station stating that the hacking appeared to have occurred primarily within Axis Bank’s own systems, by unknown individuals.

Holding

The Honourable Adjudicating Officer held that Axis Bank’s failure to ensure reasonable security practices and procedures, as mandated under Section 43A of the IT Act, directly contributed to the unauthorised transactions. The absence of robust real-time monitoring and fraud detection mechanisms underlines Axis Bank’s failure to comply with the prescribed standards for data protection and security under the IT Act and the Reserve Bank of India (RBI) guidelines.

This lack of vigilance caused immense financial and reputational harm to the Complainant. Axis Bank was ordered to reimburse the Complainant for the losses incurred, with interest from the date of contravention until full payment is made, together with legal costs and compensation for emotional distress.

Judgement

The Honourable Adjudicating Officer held that Axis Bank was negligent in the events that resulted in the unauthorised transactions.

Firstly, the lack of real-time fraud detection in the Respondent’s systems, demonstrated by the absence of OTPs, the bypass of the maker-checker mechanism and the absence of batch number generation, indicates non-compliance with Section 43A of the IT Act.

Secondly, the absence of these real-time monitoring mechanisms amounts to a failure to comply with the prescribed standards of data protection and security under both the IT Act and the RBI guidelines.

Lastly, the hacking of its own systems, as admitted in the FIR, indicates a lapse in implementing adequate measures to protect sensitive customer data. Section 43A expressly imposes liability on entities that handle sensitive personal data and fail to maintain reasonable security practices, where that failure results in wrongful loss or damage. In this case, Axis Bank’s negligence in securing its systems led to the compromise of the Complainant’s confidential information and to the subsequent fraudulent transactions.

This lack of vigilance and violation of statutory obligations resulted in financial and reputational harm and in emotional distress, all of which were rightly remedied.

Conclusion

The case of Dhule Vikas Sahakari Bank Ltd v. Axis Bank Limited serves as an important precedent reinforcing the obligations of banks under the IT Act and the RBI’s regulatory framework. It underscores the imperative for financial institutions to maintain robust cybersecurity infrastructure and to enforce real-time fraud detection, rather than relying on controls that can be bypassed without alerting either the customer or the bank. The adjudicating authority’s decision not only holds Axis Bank accountable for its systemic lapses but also affirms the right of customers to be safeguarded against financial fraud resulting from institutional negligence.
