Clicked the Link? You Pay: Delhi High Court Limits Bank Liability for OTP Fraud

The Delhi High Court (SBI v. Hare Ram Singh) ruled that merely denying that you shared an OTP won't make your bank pay: click a phishing link and the loss is yours. SIM-swap is different.
New Delhi, June 2026 — If you click a fraudulent link and lose money from your bank account, can you simply deny sharing your OTP and force the bank to refund you? In a judgment that resets the balance of responsibility in India’s digital-banking fraud disputes, the High Court of Delhi has answered: no.
Hero photo: a State Bank of India branch in Delhi, by Pinakpani via Wikimedia Commons, licensed CC BY-SA 4.0.
On 1 June 2026, a division bench of Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia, in State Bank of India v. Hare Ram Singh & Anr. (2026:DHC:4833-DB), held that “mere denial by a customer of sharing OTPs cannot automatically result in fastening liability upon a bank.” The court set aside a single judge’s order that had directed SBI to refund ₹2.60 lakh to a customer defrauded through internet banking.
What the court decided
The single judge had ruled the customer was not negligent and ordered the bank to refund the full amount with interest. The division bench reversed that. Crucially, it held that whether the bank or the customer is at fault is a question that “necessarily require[s] technical and forensic examination and adjudication on evidence” — and so cannot be decided through a writ petition. A customer who wants the loss shifted to the bank must actually prove the breach happened inside the bank’s systems, with material like transaction logs, IP records, or evidence of malware. A bare denial is not enough.
The Reserve Bank of India (RBI), the country’s banking regulator, sets three levels of customer liability for unauthorised electronic-banking transactions:
- Zero liability — when the loss is due to the bank’s fault or a system breach not attributable to the customer (and is reported promptly). The customer pays nothing.
- Limited liability — when neither party is clearly at fault and the customer reports with some delay. Loss is capped.
- Full liability — when the loss results from the customer’s own negligence, such as sharing credentials or acting on a fraudulent message. The customer bears the entire loss until they report it.
Phishing vs SIM-swap: two very different outcomes
The judgment draws a sharp line according to how a fraud was carried out, and that line decides who pays:
- Phishing and vishing — where a customer clicks a fake link or is talked into engaging with a scam — is treated as negligence. The loss falls in the full-liability bucket, on the customer, even if they never explicitly typed out an OTP. Ignoring repeated cyber-fraud warnings only strengthens that finding.
- SIM-swap and impersonation — where a fraudster procures a duplicate SIM or assumes the customer’s identity to intercept OTPs — is different. There the breach is not the customer’s doing, and the loss can fall on the institution under the zero-liability category.
The bench noted that in this case no investigative finding established any “breach of the Appellant-Bank’s system,” distinguishing it from the Kerala High Court’s Tony Enterprises ruling, which involved a documented SIM swap. That same SIM-swap logic is exactly what drove a recent Karnataka High Court ruling holding BSNL liable for a ₹55-lakh SIM-swap fraud — when the failure is in issuing a duplicate SIM, the loss travels up the chain to the telecom or the bank, not the victim.
Why it matters
Read together, the two judgments map the new terrain of who pays when you are defrauded:
- If you clicked, you most likely pay. Falling for a phishing or vishing scam is now firmly treated as customer negligence, and a denial of sharing the OTP will not, by itself, recover your money.
- If your SIM or identity was hijacked, the institution may pay — but you will need documented proof of the breach.
- The forum matters. A writ petition is not the place to fight over disputed technical facts; victims must build an evidence-based case before a civil court or consumer forum.
How India compares with the world
The question the Delhi High Court grappled with — who absorbs the loss when a customer is tricked into a fraudulent transfer — is being answered very differently around the world:
- United Kingdom: since 7 October 2024, banks must reimburse victims of authorised push payment (APP) scams up to £85,000, usually within five business days, unless the customer acted with gross negligence — the most victim-friendly regime yet, with the cost split 50/50 between the sending and receiving banks.
- European Union: existing rules (PSD2) already make banks refund unauthorised transactions; the proposed PSD3 / PSR would extend refunds to customers deceived by impersonation scams, absent fraud or gross negligence.
- United States: much like India, US law (Regulation E) covers only unauthorised transfers, not payments a customer was deceived into authorising — a gap lawmakers have proposed closing.
Seen against this backdrop, the Delhi High Court places India closer to the United States’ current “the customer who clicks, pays” position than to the UK and EU’s shift toward reimbursing scam victims.
What to do if you are defrauded
- Report immediately — in India, call the cyber-fraud helpline 1930 and file on cybercrime.gov.in (elsewhere, your national fraud line and your bank). Notify your bank in writing. Prompt reporting is the single biggest factor in every liability framework, India’s included.
- Preserve evidence — the fraudulent message or link, transaction alerts, call records, and any SIM-related notifications.
- Never act on links or calls asking for OTPs, card details, or app installs — banks and the courts now treat doing so as your risk.
Sources
- High Court of Delhi, State Bank of India v. Hare Ram Singh & Anr., 2026:DHC:4833-DB, judgment dated 1 June 2026 (CJ Devendra Kumar Upadhyaya and Justice Tejas Karia).
- Reserve Bank of India, Circular dated 6 July 2017 — Customer Protection: Limiting Liability of Customers in Unauthorised Electronic Banking Transactions.
- Verdictum and The420.in case reports.