On 12 January 2024, Sri Basavarajaiah B., a 75-year-old retired Sub-Inspector receiving his pension through a Canara Bank savings account in Vijayanagar, Bengaluru, received a phone call from persons falsely representing themselves as bank officials. They informed him that his account was linked to an unknown mobile number and that he needed to follow their instructions to deactivate it. Believing the call to be genuine, he shared his One Time Password — and ₹1,81,000 was debited from his account. He lodged an FIR the very next day. On 28 March 2025, the III Additional Bengaluru Urban District Consumer Disputes Redressal Commission held Canara Bank guilty of deficiency in service and directed it to refund the entire amount with interest.

The judgment is a significant consumer-law precedent on the intersection of banking security obligations, KYC confidentiality, and the RBI's zero-liability framework — and on why a bank's failure to produce an internal enquiry report after a reported fraud is itself evidence of deficiency of service.

01 ——

Background: The Fraud and the Complaint

Basavarajaiah B. maintained a savings bank account with Canara Bank, Vijayanagar Branch (53, M.C. Road, Bengaluru) and used it exclusively to receive his police pension. He was not a user of online banking facilities. On 12.01.2024, fraudsters called him, identified themselves as Canara Bank officials, and told him his account was linked to an unknown mobile number. Believing this to be a legitimate security call, he shared his OTP — upon which ₹1,81,000 was immediately debited from his account.

He filed a complaint with Vijayanagar Police Station on 13.01.2024 under Sections 66C and 66D of the Information Technology Act, 2008 — offences relating to identity theft and cheating by personation using computer resources. He then filed this consumer complaint under Section 35 of the Consumer Protection Act, 2019, alleging deficiency of service on the part of the bank.

The opposite party (Canara Bank) filed its written version after the statutory period had expired. By order dated 28.01.2025, the Commission rejected the version as time-barred. The bank's case was therefore never placed before the Commission, and no witness was produced on its behalf.

02 ——

Chronology of Events

Date
Event
Significance
12.01.2024
Fraudsters call complainant posing as Canara Bank officials; OTP shared; ₹1,81,000 debited from account
Fraud Date
13.01.2024
FIR lodged at Vijayanagar Police Station under Sec 66C & 66D IT Act against unknown persons
FIR Filed
02.09.2024
Consumer complaint CC No.340/2024 filed before III Addl. DCDRC, Bengaluru under Sec 35, CPA 2019
Filing
07.12.2024
Canara Bank issues letter regarding SMS alerts sent during transactions on 12.01.2024
Bank Letter
28.01.2025
Bank's written version rejected by the Commission as filed beyond statutory period
Version Rejected
28.03.2025
Final order — complaint allowed in part; bank directed to pay ₹2,01,000 + 9% interest
Final Order
03 ——

Evidence on Record

The complainant (PW.1) filed an affidavit by way of evidence in chief and got the following documents marked as exhibits:

Exhibit
Document
Filed By
Ex.P.1
Pass book of the complainant's savings bank account — establishing the debit of ₹1,81,000 on 12.01.2024
Complainant
Ex.P.2
Xerox copy of FIR lodged at Vijayanagar Police Station against unknown persons for offences under Sec 66C & 66D IT Act
Complainant
Ex.P.3
Copy of RBI Guidelines dated 14.12.2017 & 28.02.2023 on customer liability in unauthorized electronic transactions
Complainant

Notably, the opposite party produced no witness and no document before the Commission — its written version having been rejected as time-barred and no evidence having been filed on its behalf. The Commission therefore proceeded solely on the complainant's evidence, cross-referenced against a bank letter dated 07.12.2024 (produced during arguments) showing SMS alerts were sent on 12.01.2024.

04 ——

Contentions of the Parties

Complainant's Case
Sri Basavarajaiah B.

The complainant never obtained or used online banking. When the fraud occurred, the bank sent no SMS or email alerts, nor any calls. The bank failed to maintain control over its KYC data, allowing fraudsters access to the complainant's account number and registered phone number. Under the RBI circular dated 14.12.2017, customer liability is zero where the unauthorized transaction arises from negligence on the part of the bank. The bank had a bounden duty to maintain confidentiality of KYC details — its failure amounts to gross negligence and deficiency of service.

Opposite Party (Bank)
Canara Bank

The bank contended that SMS alerts were dispatched to the complainant's registered phone number for every transaction on 12.01.2024 — producing a letter dated 07.12.2024 to substantiate this. The bank's case was, however, fatally undermined by two procedural failures: its written version was filed beyond the statutory period and was rejected; and it produced no witness, no internal enquiry report, and no documents before the Commission in its defence.

05 ——

Key Findings of the Commission

"It is the bounden duty of the bank to maintain confidentiality with regard to the KYC details and other information of the customer. Further, banks owe a fiduciary duty to protect customers' data and transactions."

Para 9, Judgment dated 28.03.2025, III Addl. DCDRC, Bengaluru
KYC Credentials Leaked — Fiduciary Duty Breached
The Commission expressed surprise that the imposters knew both the complainant's account details and the phone number registered with the bank. The bank offered no explanation for how this information reached the fraudsters. The Commission held that the bank had failed to maintain the secrecy of the complainant's credentials — a fundamental fiduciary obligation. No internal enquiry report was produced, and no explanation was given for the leakage.
Complainant Never Obtained Online Banking — No Contrary Evidence from Bank
It was the specific contention of the complainant that he never obtained or used online banking facilities. The bank produced no document to contradict this. The Commission found no evidence that the complainant had enabled internet banking — making it more remarkable that fraudsters could execute an OTP-based transaction against his account.
SMS Alerts Sent — But No Internal Enquiry Produced
The Commission accepted, on the basis of the bank's letter dated 07.12.2024, that SMS alerts were dispatched to the complainant's phone on 12.01.2024. This disposed of the claim that the bank sent no alerts. However, the Commission separately found that the bank never produced any internal enquiry report about the fraudulent transactions after receiving the complaint — a failure that independently established deficiency of service.
RBI Circular: Zero Customer Liability Where Breach Is on Bank's Side
The complainant relied on RBI guidelines dated 14.12.2017 (Ex.P.3), which state that customer liability is zero where an unauthorized transaction occurs due to negligence or deficiency on the part of the bank — irrespective of whether the transaction is reported by the customer. The Commission found this principle directly applicable: the bank's failure to safeguard KYC data enabled the fraud, and the complainant notified the bank immediately after the incident. Accordingly, the bank bore full liability for the lost amount.
§
NCDRC Precedent Applied — Bank Responsible for Its Security Failures
The Commission relied on the NCDRC judgment in First Appeal No.112/2015 (Chairman, Punjab National Bank & Anr. v. Leader Valves Ltd.), holding that when an account is maintained by the bank, the bank itself is responsible for its safety and security. Any systemic failure — whether by virus, hacking, or credential leakage — is the responsibility of the bank and not the customer. The Commission applied these principles to hold Canara Bank liable for the deficiency in its system.
OTP Shared Under Fraudulent Inducement — No Voluntary Disclosure
The bank's implicit defence — that the complainant shared the OTP and thereby assumed risk — was rejected. The Commission observed that it was not the bank's case that the complainant voluntarily gave the OTP to a known person. The imposter pretended to be a Canara Bank employee; the complainant acted in good faith on what he believed was an official communication. The Commission found that the OTP sharing was induced by the fraudsters' knowledge of the complainant's credentials — knowledge that ought never to have left the bank's systems.
RBI Circular — 14.12.2017 (Ex.P.3)

The RBI's circular on Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions provides that where the breach of security / unauthorized transaction occurs due to negligence on the part of the bank, the customer shall bear zero liability, regardless of whether the customer reports the transaction to the bank. This circular was decisive in the Commission's reasoning for making the bank fully liable for the refund of ₹1,81,000.

06 ——

The Final Order

Final Order — Sri Shivarama K., President  ·  III Addl. DCDRC, Bengaluru  ·  28 March 2025
Principal Refund
₹1,81,000
Interest Rate
9% p.a.
Mental Agony
₹10,000
Litigation Cost
₹10,000

Canara Bank directed to comply within 45 days of the order. In the event of failure to comply, the sum of ₹20,000 (mental agony + litigation cost) shall also carry interest at 9% p.a. from the date of order till realization. Interest on the principal sum of ₹1,81,000 runs from the date of order till realization. Applications pending, if any, stand disposed of in terms of this judgment.

07 ——

Why This Judgment Matters

Zero Liability
RBI Circular Applied Firmly
This case confirms that Indian consumer courts will enforce the RBI's 2017 zero-liability circular in its full force — placing the burden squarely on the bank to explain how customer credentials leaked and to demonstrate systemic security compliance. The absence of an internal enquiry report was treated as an independent indicator of deficiency.
KYC
Confidentiality Is a Fiduciary Duty
The Commission treated the bank's duty to protect KYC details as a fiduciary obligation — not merely a contractual one. The fact that fraudsters knew the complainant's account number and registered phone number was sufficient to raise an adverse inference against the bank, regardless of how the information was obtained.
OTP
Induced Disclosure ≠ Voluntary Disclosure
The Commission drew a clear distinction between a customer who voluntarily gives credentials to a known person and one who is fraudulently induced to do so by a person impersonating the bank. In the latter case — especially involving elderly customers unfamiliar with online banking — the moral responsibility lies with the institution that failed to protect its data, not the customer.
Version
Procedural Default Has Consequences
The bank's failure to file its written version within the statutory period under the Consumer Protection Act, 2019 resulted in its entire defence being shut out. This case is a reminder that limitations periods in consumer law are enforced strictly, and a delayed version — however strong on merits — will be rejected, leaving the Commission to proceed uncontested.
08 ——

Legal Team

Roots Cyber Law Firm  —  For the Complainant
Counsel for Complainant  ·  Roots Cyber Law Firm
Adv. M.A. Ranganath
Lead counsel for the complainant before the III Additional Bengaluru Urban District Consumer Disputes Redressal Commission. Adv. Ranganath M.A. successfully established the bank's liability on multiple grounds — invoking the RBI's zero-liability circular of 14.12.2017, demonstrating the bank's failure to maintain confidentiality of KYC credentials, highlighting the absence of any internal enquiry report following the fraud, and applying NCDRC precedent to confirm that a bank bears full responsibility for systemic security failures — securing a full refund of ₹1,81,000 together with 9% interest, ₹10,000 for mental agony, and ₹10,000 towards litigation costs.
09 ——

Conclusion

The judgment in Basavarajaiah B. v. M/s Canara Bank is a firm articulation of the principle that banks cannot externalize the risk of their own security failures onto customers. When a 75-year-old retired police officer — who never enrolled for online banking — loses his pension savings because fraudsters knew his account number and registered phone number, the legal question is not merely whether he should have been more careful with his OTP. The prior question is: how did that information leave the bank?

Unable to answer that question — and having forfeited its right to place a defence on record by filing its version out of time — Canara Bank was left with no credible position before the Commission. The RBI's zero-liability framework, the fiduciary duty of confidentiality, and NCDRC precedent all converged to place full liability on the institution.

For practitioners advising bank fraud victims, this case is a clear road map: establish that credentials were known to the fraudster (raising the adverse inference against the bank), invoke Ex.P.3 (RBI circular 14.12.2017), demand production of the internal enquiry report (and note its absence), and press for zero customer liability under the RBI framework. The Commission's willingness to draw adverse inferences from the bank's silence sets a powerful precedent for consumer-side advocates across Karnataka.