Business Standard

Getting justice in cyber crime is difficult

The onus is on the customer to prove that the bank is at fault

If you’re a victim of cyber crime, the chances are you might have to pay for all the fraudulent transactio­ns charged to your debit or credit card, as it will be difficult to prove laxity of the bank.

Banks usually get away by saying their system is secure and a transactio­n cannot take place unless the card and personal identifica­tion number (PIN) or one-time password (OTP) are used together. So, if a fraudulent transactio­n has occurred, they claim it is due to the customer’s negligence because only the customer is privy to the PIN or OTP.

“While the law has provisions to punish offenders severely, it is hostile towards consumers as the onus is on them to prove that the bank is wrong,” says Pavan Duggal, a cyber law expert. He points out that the Informatio­n Technology Act, 2000 allows an individual to seek unlimited compensati­on if the intermedia­ries (banks) don’t have enough security and procedure to protect customers’ data. “But, proving that a bank didn’t have adequate security is a tall order,” adds Duggal.

There are, however, some situations where you can shift the onus on to the bank. If a person’s card is used on a foreign website fraudulent­ly, and no OTP was sent, it can work in favour of the individual. The mandatory two-factor authentica­tion, which requires an OTP to be sent to the account owner’s mobile to authentica­te a transactio­n, only works for payments within India. Many criminals, therefore, transact using the cards on foreign websites. The payment goes through without any OTP – just by entering the card details. “This is in direct violation to the Reserve Bank of India’s guidelines and it should tilt the case in the victim’s favour,” says Jehangir Gai, a consumer activist.

If an individual can prove in court that the fraud has occurred despite taking all the required precaution­s, it can put the onus on the bank to prove the customer is at fault, says Prashant Mali, a cyber-security expert. “If the money is transferre­d to another account, then one should focus on whether the bank followed the know-yourcustom­er (KYC) norms for the account where money was transferre­d. It’s likely that the bank had flouted KYC procedures. No one would defraud another person by giving real credential­s,” says Mali.

Courts have also ruled in favour of the victim when the complainan­t had brought similar cases against the bank in the same period to its notice. This indicates there is a lapse in the bank’s security and procedures. When you are filing a police complaint about unauthoris­ed transactio­ns on your card, inquire with the police officials if there were similar cases against your bank in the recent past. If there are, cite them in the court.

There are also chances of getting a favourable judgment if your card was used outside the country. In the past, there have been cases where fraudsters used the card outside the country while the customer was in India. As the victim’s passport supported this, banks were asked to reverse all the transactio­ns.