Developments from Supreme Court and Meity: November
Mr. Neeraj Soni
Sr. Researcher - Policy & Advocacy, CyberPeace
PUBLISHED ON
Nov 11, 2023
Introduction
The Supreme Court of India recently ruled that telecom companies cannot be debarred from reissuing deactivated numbers to a new subscriber. Notably, such reallocation of deactivated numbers is allowed only after the expiration of a period of 90 days. The Apex Court also mentioned that it is the responsibility of the user to delete the data associated with their number, including any WhatsApp account data, to ensure privacy. The Centre has also recently blocked 22 apps which were part of unlawful operations including betting and money laundering. Meanwhile, in the digital landscape, the intervention of the legislature and judiciary is playing a key role in framing policies and guidelines advocating for a truly cyber-safe India. Government initiatives are encouraging the responsible use of technologies and Internet-availed services.
Supreme Court stated that telecom companies cannot be barred from reissuing deactivated numbers
Taking note of a petition before the Supreme Court of India, seeking direction from the Telecom Regulatory Authority of India (TRAI) to instruct mobile service providers to stop issuing deactivated mobile numbers, the Apex Court dismissed it by stating that mobile service providers in India are allowed to allocate the deactivated numbers to new users or subscribers but only after 90 days from the deactivation of the number.
A concern of Breach of Confidential Data
The Court further stated, “It is for the earlier subscriber to take adequate steps to ensure that privacy is maintained,” meaning that it is the responsibility of the user to delete the WhatsApp account attached to the previous phone number and erase their data. The Court further added that users need to be aware of the Supreme Court ruling that once a number is deactivated for non-use and disconnection, it cannot be reallocated before the expiry of the 90-day period from such deactivation. However, after the allotted time passes, reallocation of the number to a new user is allowed.
The government of India has been very critical in safeguarding Indian cyberspace by banning and blocking various websites and apps that have been operating illegally by scamming or duping people of huge sums of money and also committing cyber crimes like data breaches. In recent developments, the Ministry of Electronics and Information Technology (MeitY), on November 5, 2023, banned 22 apps including Mahadev Book and Reddyannaprestopro. The Centre took this decision on recommendations from the Enforcement Directorate (ED). ED raids on the Mahadev Book app in Chhattisgarh also revealed unlawful operations. This investigation has been underway for the past few months by the ED.
Applicable laws to prevent money laundering and the power of government to block such websites and apps
On the other hand, the Prevention of Money Laundering Act (PMLA), 2002 is legislation already in place which aims to prevent and prosecute cases of money laundering. The government also has the power to block or recommend shutting down websites and apps under section 69A of the Information Technology Act, 2000, under the specific conditions enumerated in that section.
Conclusion
In the evolving digital landscape, cyberspace covers several aspects, and certain regulations or guidelines are required for its smooth and secure functioning. We sometimes change or deactivate our phone numbers, so it is important to delete the data associated with the phone number and any social media account data attached to it. Such a number is eligible for reallocation to a new subscriber after the expiration of a period of 90 days from such deactivation. On the other hand, the Centre has also blocked the websites or apps that were found to be part of illegal operations including betting and money laundering. Users have also been advised not to misuse Internet-availed services. These measures aim to create a lawful and safe Internet environment for all.
The courts in India have repeatedly emphasised the importance of “enhanced customer protection” and “limited liability” on their part. The rationale behind such imperatives is to extend security against exploitation by institutions that are equipped with all the means to manipulate customers. India, with its looming financial literacy gaps that have to be addressed, needs to curb any manipulation on the part of banking institutions. Various studies have highlighted this gap in recent times; for example, according to the National Centre for Financial Education, only 27% of Indian people are financially literate, which is much less than the 42% global average. With only 19% of millennials exhibiting sufficient financial awareness yet expressing high trust in their financial skills, the issue is very worrisome. Thus, the increasing number of financial frauds intensifies the issue.
Zero Liability in Cyber Frauds: Regulatory Safeguards for Digital Banking Customers
In light of the growing emphasis on financial inclusion and consumer protection, and in response to the recent rise in complaints regarding unauthorised debits from customer accounts and cards, the framework for assessing customer liability in such cases has been re-evaluated. The RBI’s circular dated July 6, 2017 titled “Customer Protection-Limited Liability of Customers in Unauthorised Electronic Banking Transactions” serves as the foundation for regulatory protections for Indian customers of digital banking. A clear and organised framework for determining customer accountability is outlined in the circular, which acknowledges the exponential increase in electronic transactions and related scams. It assigns proportional obligations for unauthorised transactions resulting from system-level breaches, client carelessness, and bank contributory negligence. Most importantly it establishes the zero responsibility concept, which protects clients from monetary losses in cases when the bank or another system component is at fault and the client promptly reports the breach.
This directive’s sophisticated approach to consumer protection is what makes it unique. It requires banks to set up strong fraud prevention systems, proactive alerting systems, and round-the-clock reporting systems. Furthermore, it significantly alters the power dynamics between financial institutions and customers by placing the onus of demonstrating customer negligence completely on the bank. The circular emphasises prompt reversal of funds to impacted customers and requires banks to implement Board-approved policies on liability to redress. As a result, it is a consumer rights charter rather than just a compliance document, promoting confidence and financial accountability in India’s digital banking sector.
Judicial Endorsement in Reinforcing the Zero Liability Principle
In the case of Suresh Chandra Negi & Anr. v. Bank of Baroda & Ors. (Writ (C) No. 24192 of 2022), the Allahabad High Court reaffirmed that the burden of proving consumer accountability rests firmly on the banking institution, hence reaffirming the zero liability concept in circumstances of unapproved electronic banking transactions. The Division Bench emphasised the regulatory requirement that banks provide adequate proof before assigning blame to customers, citing Clause 12 of the RBI’s circular dated June 6, 2017, “Customer Protection-Limited Liability of Customers in Unauthorised Electronic Banking Transactions”. In a similar scenario, the Bombay HC held that a customer is entitled to zero liability when an authorized transaction occurs due to a third-party breach, where the deficiency lies neither with the bank nor the customer, provided the fraud is promptly reported.
The zero liability principle, as envisaged under Clause 8 of the RBI circular, has emerged as a cornerstone of consumer protection in India’s digital banking ecosystem.
Another landmark judgment that has given this principle the front stage in addressing banking frauds is Hare Ram Singh vs RBI & Ors. (W.P. (C) 13497/2022), laid down by the Delhi HC, which is an important legal turning point in the development of the zero liability principle under the RBI’s 2017 framework. The court reiterated the need to evaluate customer diligence in light of new fraud tactics like phishing and vishing by holding the State Bank of India (SBI) liable for a cyber fraud incident even though the transactions were authenticated by OTP. The ruling made it clear that when complex social engineering or technical manipulation is used, banks are nonetheless accountable even if they only rely on OTP validation. The legal protection provided to victims of unauthorised electronic banking transactions is strengthened by the court’s emphasis on the bank having the burden of evidence in accordance with RBI standards.
Importantly, this ruling lays the full burden of securing digital banking systems on financial organisations and supports the judiciary’s increasing acknowledgement of the digital asymmetry between banks and consumers. It emphasises that prompt consumer reporting, banks’ failure to disclose important credentials, and their own operational errors must all be taken into consideration when determining culpability. As a result, this decision establishes a strong precedent that will increase consumer confidence, promote systemic advancements in digital risk management, and better integrate the zero liability standard into Indian digital banking law. In a time when cyber vulnerabilities are growing, it acts as a beacon for financial accountability.
Conclusion
The Zero Liability Principle serves as a vital safety net for customers navigating an increasingly intricate and precarious financial environment in a time when digital transactions are the foundation of contemporary banking. In addition to codifying strong safeguards against unauthorized electronic transactions, the RBI’s 2017 framework rebalanced the fiduciary relationship by putting financial institutions squarely in charge. Through significant rulings, the courts have upheld this protective culture and emphasised that banks, not the victims of cybercrime, bear the burden of proof.
It will be crucial to execute these principles consistently, review them frequently, and raise public awareness as India transitions to a more digital economy. To ensure that consumers are not only protected but also empowered, the zero liability principle must become more than just a policy on paper.
Over the past decade, India has experienced a rapid digitalisation process. The rise of digital financial services, affordable internet costs, and the penetration of smartphones have transformed the way people communicate, transact and do business online.
Online payment systems, including Unified Payments Interface (UPI), have enabled real-time transactions between banks and financial systems. As much as these systems have enhanced access to finance and efficiency, they have also created new opportunities for cybercriminals.
Cybercrime has evolved alongside the shift of financial and social interactions to digital platforms. The fraud attacks on online payments, online banking, and personal information have become common and increasingly costly.
To analyse the scale and trend of cybercrime in India, this analysis will use the datasets released by the National Crime Records Bureau (NCRB) and financial fraud data released by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs.
The data released by the NCRB documents cybercrime incidents registered by the police at the national level under the Information Technology Act, 2000 (IT Act) and criminal provisions covering offences such as cheating, impersonation, and digital fraud. In the past, these offences were listed in the provisions of the Indian Penal Code (IPC). Following criminal law reforms in India, the Bharatiya Nyaya Sanhita (BNS), which replaced the IPC, came into force on 1 July 2024. IPC Section 419 (cheating by impersonation) corresponds to BNS Section 319, and IPC Section 420 (cheating and dishonestly inducing delivery of property) corresponds to BNS Section 318(4). Similarly, crimes involving forgery and the use of forged documents or electronic documents, which were previously contained in IPC Sections 465-471, are dealt with in BNS Sections 335-340.
The data published by the NCRB represent the number of crimes that reached the point of the First Information Report (FIR) registration, meaning they reflect only cybercrime cases that were formally presented to the law enforcement system to investigate, rather than all complaints reported. The data shows that cybercrime cases increased from 27,248 in 2018 to 86,420 in 2023, a 3.17-fold increase in 5 years.
Two structural shifts are visible: the post-pandemic jump and subsequent acceleration.
However, these figures likely underestimate the true scale of cybercrime because many incidents are reported only through online complaint portals and may not result in FIR registration.
This dataset tracks financial fraud complaints reported through the National Cyber Crime Reporting Portal (NCRP) and the estimated financial losses associated with those complaints.
Reported financial losses increased by 41 times between 2021 and 2024, from 551 crore to 22,848 crore. Over the same period, the number of complaints rose from 262,846 to over 1.9 million, an increase of ~623%, indicating both rising victimisation and greater public awareness of reporting mechanisms.
The contrast between these two trends is striking:
While complaints increased by around 7 times, financial losses increased by over 40 times.
Distribution of Cyber-Fraud Complaints and Financial Losses by Fraud Type
This divergence implies an uneven relationship between the number of incidents and the financial damage that they inflict. Most cyber fraud incidents involve relatively small transaction values; however, a smaller group of fraud categories accounts for a disproportionate share of financial losses.
Distribution of Financial Losses Across Major Cyber-Fraud Categories in India
As reported by The Indian Express, based on the data compiled by the I4C, investment-related scams alone account for roughly 77% of reported cyber-fraud losses, followed by smaller shares from “digital arrest” scams (8%), credit card fraud (7%), sextortion (4%), e-commerce fraud (3%), and malware or app-based fraud (1%). This distribution means that even though scams with lower values, like phishing, OTP fraud, and small payment fraud, produce a high proportion of complaints, few categories of fraud produce most of the financial losses.
Analysis
1. Cybercrime is expanding faster than most traditional crimes: The fact that cybercrime cases have tripled in five years shows that cyber offences are presently becoming a significant element of Indian crime. Unlike conventional crimes that require physical proximity, cybercrime can be conducted remotely and at scale, enabling perpetrators to target large numbers of victims simultaneously.
2. Financial losses are concentrated in a small set of fraud categories: As cases of cybercrimes have been on the increase, the monetary losses of digital fraud cases have been increasing at a higher rate. The fact that the number of reported financial losses has increased 40 times in 4 years indicates that cybercrime has a very high economic impact.
3. Complaint volumes and financial damage follow different patterns: When comparing complaints and financial losses, it is evident that cyber fraud losses are unevenly distributed across types of incidents. Most of the prevalent scams reported, including phishing or OTP fraud, involve relatively small transaction values but yield a high portion of complaints. Conversely, fewer categories of fraud, especially investment-based schemes, contribute a significantly higher percentage of total financial losses.
4. Digital financial infrastructure has expanded the attack surface: India’s rapid adoption of digital payment systems, mobile banking and digital financial systems has dramatically increased the number of potential victims of cybercriminals. The scale of online transactions creates new vulnerabilities that organised cybercrime networks take advantage of.
5. Reporting improvements reveal previously hidden crime: The expansion of national reporting systems has enhanced the transparency in the trends of cybercrime. The increase in the number of complaints recorded is partially due to improved reporting systems and not necessarily to the increased criminal activity, meaning that previous data might have understated the magnitude of cyber fraud.
Recommendations
1. Move from reactive policing to proactive cyber-risk monitoring: The conventional models of policing focus on investigation of crimes that have already taken place. With such a magnitude and pace of cyber fraud, India should have systems that are designed to detect and prevent the fraud at its early stages, such as real-time observation of suspicious patterns in transactions by financial institutions.
2. Strengthen financial intelligence sharing across institutions: Many instances of cyber fraud involve more than one bank, payment system, and telecommunication provider. To detect new fraud networks sooner, stronger information-sharing measures should be established between financial institutions and law enforcement agencies.
3. Target organised cyber fraud networks rather than individual incidents: Many digital scams operate through organised networks that coordinate phishing, mule accounts, and fake payment channels. Addressing this involves dismantling these networks through investigative procedures instead of treating incidents on a case-by-case basis.
4. Improve recovery mechanisms for stolen funds: The recovery of the funds lost is one of the most difficult issues in cases of cyber fraud. Expanding systems such as the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) can improve the speed at which fraudulent transactions are frozen or reversed.
5. Strengthen digital financial literacy: A significant percentage of cyber frauds are based on social engineering methods that take advantage of user behaviour as opposed to technical weaknesses. Victimisation can be greatly reduced through specific public awareness efforts on typical scam schemes.
Conclusion
India’s experience illustrates a broader global trend: as economies digitise, crime increasingly follows the flow of digital money. While cybercrime incidents are rising steadily, the much faster growth in financial losses suggests that cybercriminals are becoming more organised, technologically sophisticated, and economically motivated.
With the rapid advancement in technologies, vehicles are also being transformed into moving data centres. Connectivity, driver assistance systems, advanced software systems, automated systems and other modern technologies are being deployed to make the user experience more advanced and enjoyable. Software plays an important role in the overall functionality and convenience of the vehicle. For example, advanced technologies like keyless entry, voice assistance, sensor cameras and communication technologies are being incorporated into modern vehicles. Addressing cyber security concerns in vehicles, the Ministry of Road Transport and Highways (MoRTH) has proposed standard Cyber Security and Management Systems (CSMS) rules for specific categories of four-wheelers, including both passenger and commercial vehicles. The goal is to protect these vehicles and their functions against cyber-attacks or vulnerabilities. This move aims to ensure standardized cybersecurity measures in the automotive industry. The proposed standards will place certain responsibilities on vehicle manufacturers to implement suitable and proportional measures to secure dedicated environments and to take steps to ensure cyber security.
The New Mandate
The new set of standards requires automobile manufacturers to install a new cybersecurity management system, which will be inclusive of protection against several cyberattacks on the vehicle’s autonomous driving functions, electronic control unit, connected functions, and infotainment systems. The proposed automotive industry standards aim to fortify vehicles against cyberattacks. These standards, expected to be notified by early next month, will apply to all M and N category vehicles. This includes passenger vehicles, goods carriers, and even tractors if they possess even a single electronic control unit. The need for enhanced cybersecurity in the automotive sector is palpable. Modern vehicles, equipped with advanced technologies, are highly prone to cyberattacks. The Ministry of Road Transport and Highways has thus taken a precautionary measure to safeguard all new-age commercial and private vehicles against cyber threats and vulnerabilities.
Cyber Security and Management Systems (CSMS)
The proposed standards by the Ministry of Road Transport and Highways (MoRTH) clarify that CSMS refers to a systematic risk-based strategy that defines organisational procedures, roles, and governance to manage and mitigate risks connected with cyber threats to vehicles, eventually safeguarding them from cyberattacks. According to the draft regulations, all manufacturers will be required to install a cyber security management system in their vehicles and provide the government with a certificate of compliance at the time of vehicle type certification.
Electrical vehicle charging system
Electric vehicle charging stations could also be susceptible to cyber threats and vulnerabilities, which makes it important to have standards in place to prevent them. It is highlighted that the Indian Computer Emergency Response Team (CERT-In), a designated authority to track and monitor cybersecurity incidents in India, had received reports of vulnerabilities in products and applications related to electric vehicle charging stations. Electric vehicles are becoming increasingly popular as the world shifts to green technology. EV owners may charge their cars at charging points in convenient spots. When you charge an EV at a charging station, data transfers between the car, the charging station, and the company that owns the device. This trail of data sharing at EV charging stations can be exploited by bad actors in many ways. Some of the threats may include malware, remote manipulation, disruption of charging stations, social engineering attacks, compromised aftermarket devices, etc.
Conclusion
Cyber security is necessary in view of the increased connectivity and use of software systems and other modern technologies in vehicles. As the automotive industry continues to adopt advanced technologies, it will become increasingly important that organizations take a proactive approach to ensure cybersecurity in the vehicles. A balanced approach between technology innovation and security measures will be instrumental in ensuring the cybersecurity aspect in the automotive industry. The recent proposed policy standard by the Ministry of Road Transport and Highways (MoRTH) can be seen as a commendable step to make the automotive industry cyber-resilient and safe for everyone.