The Karnataka High Court has put the kibosh on any notion that the digital payments space in India is without risk. In a no-nonsense ruling on a BSNL SIM-swap, the court made it plain that your OTP is only as good as the checks the telco has in place. They have put the onus on the operator and set a stiffer standard for how the sector should be vetting for duplicate SIMs.
Why the judgment matters for OTP-led payments
This isn’t just about one bank being out of pocket. The court sees the OTP as the last line of defence for online banking and puts the telcos in the position of gatekeepers. Let an imposter in with a carelessly issued SIM and you’ve lost that defence.
As the order puts it, we depend on the OTP for everything from UPI to NEFT and RTGS. The court pointed out that once a fraudster is in possession of a copycat SIM, that system is in tatters and the subscriber is left with the bill.
A provider’s responsibility in this regard is not some side issue. It is what underpins the whole of digital finance. That makes a thorough KYC less of a box to tick and more of an obligation.
What the court ordered
Justice Suraj Govindaraj upped the compensation for Basaveshwara Pattana Sahakara Bank Niyamitha, having found service deficiencies on the part of Bharat Sanchar Nigam Limited. BSNL has been told to come up with Rs 50,50,762 within three months to make good on the net loss.
Then there is another Rs 5,00,000 for the hit to the cooperative bank’s reputation, its liquidity and the costs of doing business. On top of that, 9 per cent interest is to be applied from February 7, 2019, when the last of the fraudulent activity was recorded.
The bench made an analogy of a vault keeper who is too loose with the keys. If the one in charge lets a con artist in, the enabler has to live with the fallout, the court said.
The fraud timeline
The bank had a current account with Canara Bank and used its BSNL number for all the necessary OTPs. Some time between the 6th and 7th of February 2019, seven RTGS and NEFT transfers were made without the bank’s say-so.
In all, Rs 87,70,000 was siphoned off. Canara put back Rs 30,00,000 and the police put their hands on Rs 7,12,238. That left a hole of Rs 50,50,762. It turned out someone at a BSNL office in Bengaluru had given a duplicate SIM to an unknown party for the bank’s number.
After filing a report with the Cyber Crime station in the city, the bank went to the Permanent Lok Adalat in 2021. The Adalat gave them Rs 5 lakh in August 2024, but both sides wanted to take it to the High Court.
BSNL’s defence and why it failed
BSNL tried to argue the case before the Permanent Lok Adalat wasn’t even in order, citing Section 22C of the 1987 Legal Services Authorities Act to say the forum was for conciliation, not for settling fraud. The court didn’t have it.
It ruled that you can’t keep a civil claim out of the Adalat just because the facts also amount to a crime. A SIM is part of the telephone service; a dispute over it is a deficiency in that service, period.
For one thing, BSNL had already put up a fight on the merits in the Lok Adalat. You can’t let it run its course and then object on a technicality. Whether or not a charge sheet is filed has no bearing on the civil side of things.
Negligence, vicarious liability, and the standard of proof
The court was blunt about negligence: a registered number doesn’t just get re-assigned to a stranger. If a non-subscriber ends up with a duplicate, the verification process was either non-existent or a farce.
They noted that a BSNL man was held to account for the duplicate and is facing departmental action. The company’s effort to disown him while he is in hot water was seen as a contradiction.
BSNL would have you believe that without a criminal charge sheet against its manager, they are in the clear.
The court put an end to that, making it plain that in a civil case you are looking at the balance of probabilities, which is not the same as in a criminal matter.
A systemic duty of care, not a private contract
SIM swap fraud is no secret; it’s well on record. The DoT and TRAI have put in place KYC rules for a reason – to head off this kind of trouble. For a major player in the telecom space, following those rules is a legal must. You don’t just issue a duplicate SIM without some hard-nosed identity checks; that’s what the regulations are for.
The bank was counting on BSNL to be the sole keeper of its registered number. But when BSNL handed a duplicate to an imposter, the court saw it for what it was: a basic failure in service that led directly to the loss. And for that, there is full civil liability.
What the ruling makes clear is that telcos are the custodians of the mobile numbers that make OTP-based services work. It’s a public responsibility. If their standards slip, then everyone from the banks to the digital wallets is left open to risk.
The bench wanted to be unambiguous: if a provider’s negligence is what made a SIM swap possible, they will answer for it in civil court. In effect, the judgment puts telecom verification right at the foundation of India’s digital finance.
The whole system is built on the premise that the subscriber has the OTP number under lock and key. A weak spot in verification doesn’t just put one account in jeopardy; it’s a systemic problem.
What’s expected of banks and telcos now
To keep SIM swap risks down, the court has put forward some specific protections for both sides. These are an extra line of defence and in no way let the operator off the hook.
Put simply, here is the court’s advice for managing the risk:
– Have more than one way to deliver an OTP
– Put in a time lag once you’re notified of a SIM swap
– Use other channels to send out alerts
– Make sure your customers know the ins and outs of SIM swap safety
On the telco side, a request for a duplicate SIM is to be taken seriously. Look at the documents, be thorough. If there’s any question, put the request on hold and get in touch with the subscriber another way before you do anything.
Banks can also be more proactive. There are ways to build in some redundancy with OTPs or put a brake on large transactions after a SIM is changed, giving you time to spot something amiss before the money is gone.
None of this is to get around doing proper KYC at the source. The SIM issuance is where the gate is.
BSNL’s position was that with the insurance and what they could recover, the books were balanced. The court didn’t buy it. It’s not fair to let a negligent party walk away just because the victim was smart enough to be insured.
Think of it this way: the fact that an insurer has paid out doesn’t let the wrongdoer off. The law holds the one who caused the harm to make good on it.
How the compensation was settled
So the court upped the ante. BSNL is to come up with Rs 50,50,762 as principal for the net loss, plus Rs 5,00,000 in consequential damages and 9 per cent interest a year from 7 February 2019.
Timelines and redress
You have three months to put up the principal sum. With the clock on the interest running from the last fraudulent move, the court is leaving no room for stalling.
This supersedes the Lok Adalat’s earlier figure of 5 lakh. This new remedy is more in line with the bank’s actual losses, the hit to its reputation and the disruption it has had to put up with.
Judicial signal to the industry
With this, the court has put telecom KYC at the centre of financial stability. By linking how careful you are with a SIM to the soundness of UPI, NEFT, RTGS and the like, the bar for operators is higher.
It’s not just about one company. Miss a step in vetting a duplicate and you are on the hook for a lot of civil liability. That is going to change how things are done in the field.
A message for the digital economy
For the rest of us, the ruling affirms that your mobile number is a point of security. Stricter checks are the way to keep trust in the simple act of an OTP hitting the right phone.
In the end, the court is treating telecom oversight as a matter of public interest. One bad SIM swap can weaken the whole payments system, so it has to be nipped in the bud.
You can expect to see some tougher protocols for duplicates, better coordination between the banks and the telcos, and more hoops to jump through for high-risk moves. As the court would have it, when the gatekeeper does his job, the line of defence is secure.
