SUBODH C KORDE v. UNION OF INDIA THR MINISTRY OF FINANCE AND ORS
Maintainability of Writ Petitions Against Private Banks and Enforcement of RBI's Zero Liability Policy for Victims of SIM Swapping Cyber Fraud.
Court: Bombay High Court
Citation: 2026:BHC-AS:16973-DB
Decision Date: 06-04-2026
List of Laws
Article 226 of the Constitution of India; The Banking Regulation Act, 1949; The Reserve Bank of India Act, 1934; RBI Circular on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions (2017); Information Technology Act, 2000
- Facts: The Petitioner, a business consultant, fell victim to cyber fraud on July 15, 2021, resulting in the unauthorized transfer of Rs. 38,04,000 from his HDFC Bank accounts within 41 minutes. Prior to the theft, unknown beneficiaries were added and the transaction limit was increased tenfold. The Petitioner contended he never received One-Time Passwords (OTPs) or alerts for these changes. Investigation revealed a "SIM swapping" fraud where the fraudster cloned the Petitioner's BSNL SIM card. HDFC Bank refused to reverse the transactions, claiming the Petitioner must have compromised his credentials as their logs showed OTPs were sent. The Banking Ombudsman also rejected the complaint, leading the Petitioner to seek relief under the constitutional writ jurisdiction.
- Procedural Posture: The Petitioner filed a Writ Petition under Article 226 of the Constitution of India before the Bombay High Court, seeking a direction against the Reserve Bank of India (RBI) to take action against HDFC Bank and ICICI Bank, and a direction to HDFC Bank to refund the siphoned amount.
- Issue: 1. Is a writ petition under Article 226 maintainable against a private bank like HDFC for the enforcement of RBI guidelines? 2. Is the Petitioner entitled to "Zero Liability" under the RBI Circular on "Customer Protection - Limiting Liability of Customers in Unauthorised Electronic Banking Transactions" dated July 6, 2017?
- Holding: 1. Yes, the petition is maintainable as the bank performs a public duty regulated by statutory RBI directions. 2. Yes, the Petitioner is entitled to zero liability.
- Reasoning: The Court reasoned that while HDFC Bank is a private entity, it is a "Scheduled Bank" bound by the RBI’s regulatory framework under Section 35A of the Banking Regulation Act, 1949. Enforcement of circulars issued in public interest provides the necessary "public law element" for writ maintainability. On merits, the Court applied the 2017 RBI Circular which mandates "Zero Liability" for customers in cases of third-party breaches where the customer is not negligent and notifies the bank within three working days. The Court found that the burden of proving customer negligence lies strictly on the bank. HDFC failed to produce original logs proving the Petitioner actually received OTPs, whereas evidence suggested the fraud was executed via SIM swapping, meaning any OTPs reached the fraudster's cloned SIM, not the Petitioner. Consequently, the Petitioner was a victim of a sophisticated cybercrime without any proven negligence on his part.