‘India’s digital economy depends on integrity of OTP-based authentication architecture’

The Karnataka High Court has held Bharat Sanchar Nigam Limited (BSNL) liable for negligence and deficiency and directed the government-owned telecom company to pay a compensation amounting to Rs 55 lakh to a cooperative bank, which lost its money to cyber fraudsters who obtained a duplicate SIM card from BSNL and gained access to the net banking account held by the bank in another bank.

In an order dated June 1, Justice Suraj Govindaraj partly allowed the petition filed by Basaveshwara Pattana Sahakara Bank Niyamitha (cooperative bank) and modified the order passed by the Permanent Lok Adalat, which directed BSNL to pay a compensation of Rs 5 lakh to the bank.

The court in the order said, “Just as a vault keeper who carelessly or dishonestly gives access to unauthorised persons bears responsibility for the resulting theft, a telecom service provider that carelessly or dishonestly issues a duplicate SIM bears responsibility for the financial fraud that the duplicate SIM enables. When the gatekeeper opens the gate to a fraudster, whether through negligence or through the misconduct of its own official, it enables the fraud and must bear the civil consequences.”

Accordingly, the court has directed BSNL to pay in three months a sum of Rs 50,50,762, as compensation for the net financial loss suffered by the cooperative bank on account of the seven fraudulent RTGS/NEFT transactions effected between 06.02.2019 and 07.02.2019, caused and facilitated by the unauthorised and negligent issuance of a duplicate SIM card by BSNL.

Further, the BSNL is directed to pay an amount of Rs 5,00,000 as compensation for consequential damages, including reputational harm, loss of public confidence, liquidity disruption, and operational costs incurred by the cooperative bank as a direct and foreseeable consequence of BSNL’s negligence.

The bench in its order also underscored that “India’s digital economy depends on the integrity of the OTP-based authentication architecture. The Government of India’s Digital India programme, the NEFT and RTGS payment systems, the UPI ecosystem, and virtually every internet banking platform use OTP-based as the last line of defence. When a telecom company, through its official, issues a duplicate SIM to a fraudster, it demolishes that last line of defence and exposes the subscriber to a catastrophic financial loss. The duty of care of telecom service providers in relation to SIM issuance is therefore not a peripheral concern, it is central to the integrity of the digital financial system.”

How the SIM swap fraud occurred

The cooperative bank operated a current account with Canara Bank. On 07.02.2019, the cooperative bank noticed seven unauthorised transactions aggregating to Rs 87,70,000. It immediately informed Canara Bank, which had later reverse-credited a sum of Rs 30,00,000 to the account of the cooperative bank.

Story continues below this ad

The bank also lodged a complaint with the Cyber Crime Police Station, Bengaluru. During the investigation, it was discovered that certain unknown persons had obtained a duplicate SIM card pertaining to the registered mobile number of the cooperative bank from the BSNL office at Bengaluru and thereby gained access to the OTP mechanism associated with the cooperative bank’s internet banking operations. Thus, using such access, the said persons are stated to have effected unauthorised online transfers from the account maintained with Canara Bank. The amount siphoned was around Rs 87,70,000. During the investigation, the police recovered a sum of Rs 7,12,238, which was subsequently released to the cooperative bank.

The cooperative bank had moved the Permanent Lokadalat in 2021, seeking compensation from BSNL for the deficiency in service. The Lokadalat, by its order dated August 9, 2024, granted a compensation of Rs 5 lakh to the cooperative bank. Challenging the same, BSNL and the bank approached the high court.

Jurisdiction of Permanent Lok Adalat

One of the primary contentions raised by BSNL was about the maintainability of proceedings before the Lok Adalat. Advocate A N Gangadharaiah for BSNL had argued that “Permanent Lok Adalat lacked jurisdiction to adjudicate the dispute referred to it under Section 22C of the Legal Services Authorities Act, 1987. The Permanent Lok Adalat could only conduct conciliation proceedings and assist the parties in arriving at an amicable settlement in an independent and impartial manner and could not assume adjudicatory powers in respect of the dispute.”

Further, it was argued that the proceedings could not have been taken up by the Lok Adalat when the dispute related to allegations of fraud and non-compoundable offences in respect of which criminal proceedings had already been initiated before the Cyber Crime Police.

Story continues below this ad

Rejecting the contention, the court in its order held, “In the Indian legal system, virtually every fraud gives rise to both civil and criminal liability. If a civil compensation claim arising from fraud were excluded from the PLA’s jurisdiction merely because the same facts constitute criminal offences, no civil claim involving any element of fraud could ever go before a Permanent Lok Adalat.”

Emphasizing that issuance of a SIM card, including a duplicate SIM card, is a core function of BSNL’s telephone service, and this act, whether negligent or fraudulent, is fundamentally an act performed in the course of providing a telephone service, the bench noted, “Any civil claim for compensation arising from such an act is a claim for deficiency in telephone service, squarely within Section 22-C read with Section 22-A(b)(ii) of the Act.”

Noting that such an argument was not raised earlier, and BSNL had participated in the proceedings and contested the matter on merits, the bench said, “Having allowed the proceedings to reach conclusion, BSNL cannot raise a threshold monetary objection for the first time in these writ proceedings.”

The order added, “Filing or non-filing of a criminal charge sheet, or the inclusion or exclusion of a particular person from a charge sheet, cannot affect the jurisdiction of the Permanent Lok Adalat to entertain a civil compensation claim for deficiency in telephone service.”

‘BSNL well aware of SIM swap fraud’

Story continues below this ad

Justice Govindaraj underscored that SIM swap fraud is well-known and extensively documented. The DoT and TRAI have issued guidelines on KYC norms for SIM issuance, precisely because of the potential for financial harm. “BSNL, as one of India’s largest telecom service providers, is aware of these guidelines and is legally obligated to comply with them. The duty to conduct rigorous identity verification before issuing a duplicate SIM is not a recommendation; it is a regulatory mandate,” the bench said.

The order added, “The loss suffered by the Co-operative Bank is the natural and foreseeable consequence of BSNL’s failure to verify identity before issuing the duplicate SIM.”

Stating that the cooperative bank had placed its trust in BSNL to maintain exclusive connectivity for its registered mobile number, the bench remarked, “When BSNL violated that trust by issuing a duplicate SIM to an impostor, it committed a fundamental deficiency in the service it owed to its subscriber.”

The high court observed that “Courts must send a clear message through their judgments that telecom service providers who enable SIM swap fraud through their negligence will be held fully accountable in civil law for the losses they cause.”

Story continues below this ad

The court held, “The unauthorised issuance of the duplicate SIM card amounted to negligence and deficiency in service attributable to BSNL, and constituted the proximate cause of the loss suffered by the Co-operative Bank.”

The bench noted that India’s digital payment ecosystem is one of the largest and most sophisticated in the world, and this ecosystem operates on the premise that a mobile number is a secure authentication anchor. “The entire edifice of India’s digital financial architecture rests upon the assumption that the mobile number registered for OTP purposes is controlled by the legitimate subscriber,” the court in the order said.

Following which, it observed, “Telecom service providers, who are the gatekeepers of this assumption, bear a commensurate obligation. When a telecom service provider issues a duplicate SIM carelessly, it does not merely cause harm to one subscriber; it introduces a systemic vulnerability into the digital financial architecture.”

The court also highlighted that every entity that has linked a mobile number to a bank account, an investment account, a payment wallet, or any OTP-dependent financial service is at risk if the telecom service provider’s verification standards are inadequate. The bench said, “The responsibility of telecom service providers like BSNL in the digital economy is therefore not merely private and contractual, it is systemic and public.”

Story continues below this ad

Further, the court underlined that telecom service providers occupy a unique and irreplaceable position in this architecture and are not merely peripheral service providers but custodians of the mobile numbers that serve as authentication anchors for the entire OTP-based digital payment system.

The bench suggested, “Every telecom service provider must treat every request for issuance of a duplicate SIM card with the gravity it deserves. The verification must be thorough, the documentation must be examined carefully, and where there is any doubt about the identity or authority of the applicant, the request must be declined, and the subscriber must be contacted through alternate channels.”

Similarly, it suggested that banking institutions must also take proactive steps to protect their customers and themselves from SIM swap fraud.

The court has suggested that a few safety measures be taken by telecom companies and banks alike, such as registering multiple OTP delivery channels, implementing time delays between SIM swap notifications and large transactions, sending transaction alerts to alternate communication channels, and educating customers about the risks of SIM swap fraud and the precautions they can take. “These measures are not a substitute for telecom service providers’ duty of care but are an additional layer of protection,” Justice Govindaraj said.