The Letter From the Bank That Made You Sit Down
You did everything you were supposed to do — almost. You called the bank within an hour of the fraud. You called 1930. You filed at cybercrime.gov.in. You submitted a written complaint with screenshots. Two weeks later the bank replies with a one-line email: "As the transaction was authenticated by OTP shared by you, the same is treated as customer-authorised. No refund is due."
The amount that left your account was three months of your salary. The phrase that punched you in the stomach was "shared by you". As if you had handed cash to a stranger on the street. As if there had not been a man on the phone, claiming to be from "Bank Risk Department", telling you your account would be frozen in five minutes if you did not "verify the OTP for security cancellation". This article is about what to do when a bank uses your one mistake to wash its hands of your money.
Did You Really 'Consent' to the Transaction?
The bank's argument rests on a single idea: OTP authentication is your second factor, so the transaction is yours. That sounds neat in a circular, but it falls apart on the facts of an OTP-fraud case. The legal question is not "did the OTP enter the system"; it is "did you consent to the transaction in the eyes of the law".
Indian law treats consent obtained by deception as no consent at all. The Indian Penal Code defines cheating in Section 415:
"Whoever, by deceiving any person, fraudulently or dishonestly induces the person so deceived to deliver any property to any person... is said to 'cheat'." — Section 415 IPC
The IPC commentary explains that the offence of cheating, like extortion, is committed by the wrongful obtaining of consent — the cheat obtains it by deception. A customer who reads out an OTP under deception has not "authorised" the transaction; the consent is vitiated. That is the doctrinal hook your refund argument hangs on.
The RBI Customer-Liability Framework
The Reserve Bank of India's circular on "Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions" sets up three buckets:
- Zero customer liability — applies where the unauthorised transaction occurred due to (a) the bank's contributory fraud, negligence or deficiency, regardless of whether the customer reported, or (b) a third-party breach where neither the bank nor the customer is at fault and the customer reports promptly.
- Limited customer liability — applies where the loss is due to the customer's negligence (such as sharing the credentials) and the customer reports within prescribed working days. The customer's liability is capped at small statutory amounts depending on the type of account.
- Customer's full liability — applies where the customer caused the loss and delayed reporting beyond the prescribed days. Even here, liability is only up to the time of reporting; further loss shifts to the bank.
The crucial moves are: (i) report immediately so the clock stops, (ii) get a written acknowledgement of the date and time of complaint, and (iii) push the bank to classify your case correctly, because the difference between "limited" and "full" liability can be your entire savings.
The IT Act Sections That Make You a Victim, Not a Wrongdoer
Section 66C — your OTP and password are 'unique identification features'
Section 66C of the Information Technology Act, 2000 punishes the fraudulent or dishonest use of any "unique identification feature" of any person. The commentary stresses that the words are deliberately broad and futuristic: passwords, electronic signatures, biometrics, OTPs and any future digital credential are all covered. When the fraudster uses your OTP to authorise a debit, that is a Section 66C offence — punishable with imprisonment up to three years and fine up to one lakh rupees.
Section 66D — the call itself is a crime
Section 66D punishes "cheating by personation" using a computer resource or communication device. The commentary points out that this section imports Section 416 IPC (cheating by personation) into the digital world. A man who calls you claiming to be from "the bank" has personated. Whether you fell for it for two seconds or twenty minutes, the offence was complete the moment he extracted the OTP.
Section 66 read with Section 43 — unauthorised access
Section 66 of the IT Act criminalises any of the Section 43 acts when done dishonestly or fraudulently — unauthorised access, downloading data, damage. When the fraudster uses your OTP to log into your UPI session and pull money, he has accessed your computer system without permission. Section 66 punishment: up to three years imprisonment or fine up to five lakh rupees, or both.
Cheating, Inception of Intent and Why It Matters
Section 420 of the IPC adds the cheating-and-dishonestly-inducing-delivery-of-property layer. Indian courts have built up a rule that for Section 420 to apply, fraudulent or dishonest intention must exist at the inception of the transaction. As the Supreme Court explained in Hridaya Ranjan Pd. Verma v State of Bihar (2000), the "dishonest intention on the part of the accused at the beginning of negotiations" must be made out. In a parallel decision, Inder Mohan Goswami v State of Uttaranchal (2007), the Court reiterated that mere failure to keep a promise does not equal cheating; intent at the moment of inducement is the key.
Apply that to your case. The fraudster set up the call to deceive you. The intent was dishonest from the very first ring. The IPC commentary's distinction between civil disputes and criminal cheating helps you here — this is not a contractual misunderstanding, it is a structured fraud. Your FIR should plead this clearly: "the accused, with dishonest intention from the inception, deceived me by personating a bank officer and induced me to share a one-time password, thereby cheating me of Rs. ___."
Breaking a 'Negligence' Refusal in Writing
Banks refuse refunds with a stock paragraph. Break it with a structured legal letter. A good letter does five things:
- Identifies the unauthorised transaction — date, time, amount, beneficiary VPA / account.
- States the reporting timeline — minute-by-minute, with proof — and demands the bank's classification under the RBI customer-liability circular.
- Pleads the legal characterisation — that the consent was vitiated by Section 66D cheating-by-personation and Section 420 IPC cheating, so the transaction is not "customer-authorised" in any meaningful sense.
- Asks for specific evidence the bank holds — transaction-monitoring logs, fraud-flag rules, beneficiary KYC, IP/device records.
- Demands written reasons within 30 days, failing which escalation to the Internal Ombudsman, the RBI Banking Ombudsman, and the District Consumer Commission.
Most banks fold at this stage, because their refusal letter is a templated risk-shift, not a legal opinion. Where the bank does not fold, the same letter becomes Annexure A in your forum complaint.
Escalation Ladder When the Bank Says No
Internal Ombudsman of the bank
Every bank has one. If your branch and grievance cell refuse, the Internal Ombudsman is the first independent reviewer inside the bank. They are required to give a reasoned reply.
RBI Banking Ombudsman
If the bank does not resolve within thirty days or you are dissatisfied, file with the RBI's Banking Ombudsman through the cms.rbi.org.in portal. The Ombudsman can direct refund and compensation.
District Consumer Commission
The Consumer Protection Act, 2019 treats a wrongful denial of refund as deficiency in service. File before the District Consumer Commission with jurisdiction over your residence or the bank's branch. Reliefs: refund, compensation for harassment, and litigation costs. This is also the right forum if the bank is delaying your basic banking-service obligations under consumer law.
Criminal side — push the FIR
Run the criminal track in parallel. If the FIR is being stalled, escalate under Section 173(4) BNSS to the SP/SSP, then under Section 175(3) BNSS to the Magistrate. The Supreme Court in Sakiri Vasu v State of Uttar Pradesh (2008) confirmed that the magistrate route is the right remedy for police inaction.
What Should I Actually Do Now?
- Pull the bank's refusal letter and your complaint trail into a single timeline: date, time, channel, what was said, what was promised.
- Send a structured legal letter to the bank by email and registered post. Quote Sections 66C, 66D IT Act, Section 420 IPC, the RBI circular, and demand reasoned reply within 30 days.
- If the FIR is missing or weak, visit the cyber police station with all evidence. Insist on Sections 66C, 66D IT Act and 420 IPC.
- Escalate inside the bank — branch manager, grievance cell, Nodal Officer, Internal Ombudsman.
- File at cms.rbi.org.in with the RBI Banking Ombudsman after 30 days.
- Prepare a District Consumer Commission complaint in parallel. Limitation is two years from the cause of action — do not delay.
- Demand the bank's monitoring logs — fraud-flag rules, IP/device records of the disputed transaction.
- Pull your CIBIL report to confirm no parallel loan or card has been opened in your name.
- Save and freeze evidence — every SMS, every email, every call recording — and back up to a separate cloud account.
When a Lawyer's Letter Saves Months
Many OTP-fraud refund disputes settle once a properly drafted lawyer's notice lands in the bank's grievance inbox — quoting the right circular paragraphs, the right IT Act sections and the right consumer-protection remedies. At Pinaka Legal we have seen banks reverse their refusal within two weeks of a structured notice, and we have also taken the harder cases to the Banking Ombudsman and the District Consumer Commission. If your bank has issued a written refusal and the amount is significant, a single consultation can reset the entire dynamic.
A Fairer Fight Than It Feels
Banks rely on victims feeling stupid. The shame of "I shared the OTP" is the single biggest reason fraud refunds go unfought. The law does not see you as stupid. It sees you as a person whose consent was extracted by a Section 66D personator, whose money was moved by a Section 66C identity-thief, and whose loss falls under a customer-protection circular that exists precisely for this situation. With the FIR copy in one hand and the RBI circular in the other, the conversation with the bank is not a plea — it is a claim. Make it.
Frequently Asked Questions
Can the bank refuse refund if I shared OTP by mistake?
It depends. The RBI customer-protection circular on unauthorised electronic banking transactions does not give blanket protection where the customer voluntarily shared credentials. But it also does not give banks a free pass. If you were tricked through cheating by personation under Section 66D IT Act — a fraudster pretending to be a bank officer — the courts have repeatedly held that the customer is a victim of crime, not a wilful participant. Report fast, escalate in writing, and the refusal can often be reversed at the Internal Ombudsman or Banking Ombudsman stage.
What is the RBI's customer-liability rule on unauthorised transactions?
The RBI's framework places customers in three buckets. Zero liability where the bank's own fraud or negligence caused the loss. Limited liability — capped at small statutory amounts — where a third party caused the breach and the customer reported within prescribed days. Full liability up to the date of reporting where the loss was due to the customer's own negligence in sharing credentials. After reporting, further loss shifts to the bank. The exact amounts and time windows are in the circular itself, but the principle is: report fast, write everything down, and your liability shrinks.
Did sharing the OTP make me a criminal or just a victim?
You are a victim. Section 66D of the IT Act punishes cheating by personation using a computer or communication device. The crime is committed by the fraudster who pretends to be your bank or a courier or a relative. The IPC commentary on Section 415 makes the position clear: the offence of cheating is committed by the deceiver, not the deceived. Sharing an OTP under deception is a mistake of trust, not a crime. The FIR is filed naming the unknown fraudster as the accused, with you as the informant and victim.
How fast must I report an OTP fraud to keep my refund rights?
As fast as possible. The RBI circular ties the level of liability to the day of reporting. Reporting within the prescribed working days of receiving the bank communication keeps you in "limited liability". Reporting after a longer delay shifts more loss to you. The simplest rule: call your bank within minutes, call 1930, file at cybercrime.gov.in, and write to the bank by email and registered post within 24 hours quoting the RBI customer-protection circular. Get a written acknowledgement of the date and time of complaint; that single piece of paper decides the entire liability question.
My bank says "OTP-authenticated transactions are final". Is that correct?
It is half-true. OTP authentication is the bank's evidence that the second factor was completed. But it is not the end of the analysis. Where the OTP was extracted by Section 66D cheating-by-personation, courts and the Banking Ombudsman have held that the transaction is not "authorised" by the customer in any meaningful sense, because the customer's consent was vitiated by fraud. Banks routinely settle such matters once the customer puts the legal position in writing. A blanket refusal letter is the start of negotiation, not the end.
What if the fraud also involved a fake KYC update or a fake APK?
Then your case is even stronger, because you can show the bank that the fraud was a structured cybercrime, not careless behaviour. Fake KYC links and rogue APK files are typically charged under Section 43 (unauthorised access) read with Section 66 IT Act, plus Section 66C (identity theft) and Section 66D (cheating by personation), and Section 420 IPC. Preserve the message, the URL and the APK install screen. Banks find it harder to call you "negligent" when the fraud used a malicious app installed on your phone.
Can I file a consumer complaint against the bank for refusing refund?
Yes. The Consumer Protection Act, 2019 treats banking services as a "service" and a wrongful denial of refund as deficiency in service. Once the bank's Internal Ombudsman has confirmed refusal, or if 30 days have passed without resolution, you can file before the District Consumer Commission with jurisdiction over the bank's branch or your residence. Attach the FIR copy, 1930 acknowledgement, RBI circular and your written communication. Reliefs include refund of the amount, compensation for harassment and litigation costs.
What sections will the police use against the OTP fraudster?
The standard package is Section 66C of the IT Act for fraudulent use of your unique identification feature (the OTP and your password), Section 66D of the IT Act for cheating by personation using a communication device (the call), and Section 420 IPC for cheating that induced you to part with money. Where the fraudster sent a fake message or impersonated a bank logo, Sections 467, 468 and 471 IPC for forgery and use of forged electronic record may also be added. The IT Act sections carry up to three years imprisonment; Section 420 IPC carries up to seven years.
Does the bank have to give me written reasons for refusing refund?
Yes. The RBI's Charter of Customer Rights and the bank's own grievance-redressal policy require a reasoned reply to a written complaint within stipulated days. Push for it. A vague "OTP shared, no refund" email is not a reasoned reply. Send a follow-up demanding (a) the specific clause of the RBI circular relied on, (b) the evidence of negligence, and (c) the route of escalation. Once the bank puts a defective reason on paper, your consumer-forum or banking-ombudsman complaint becomes much stronger.
Should I lodge an FIR even if the amount is small?
Yes — for two reasons. First, the FIR under Section 173 BNSS (corresponding to Section 154 CrPC) is what triggers the criminal investigation and asset-tracing powers of the police. Second, banks and forums treat the absence of an FIR as a sign that the customer is not serious. Even for amounts of a few thousand rupees, lodge the FIR. Use the cyber police station, attach the 1930 acknowledgement, and ask for Sections 66C and 66D IT Act and Section 420 IPC. The FIR copy is your single most useful document.
Can the bank ever be "zero liable" if I shared the OTP?
Yes, in two situations. First, if the bank's own systems leaked the data or its staff were complicit, the loss is treated as the "bank's contributory fraud" and zero customer liability applies regardless of the OTP. Second, if the bank failed to act on a "red flag" transaction (for example, multiple high-value transfers within minutes from a dormant account) and did not call you back to verify, the bank's negligence becomes a factor. Demand the bank's transaction-monitoring logs in writing; surprising things show up.
What if I told the bank the same day, but they took 30 days to reply?
Your liability stops at the date of your complaint, not their reply. Keep proof of when you first reported — email timestamp, registered-post receipt, call-centre ticket, 1930 acknowledgement. The RBI circular allows the bank a window to investigate, but it cannot use its own delay against you. If they cross the deadlines specified in the circular without a credible justification, escalate to the Internal Ombudsman, then to the RBI Banking Ombudsman. The clock is on their side only as long as they meet it.
For more articles on Indian law, visit the Pinaka Legal Blog. For queries, call +91 8595704798 or email info@pinakalegal.com.