On 31 October 2020, Mr. Srikanth Subramanian, a Bengaluru resident and IndusInd Bank customer since 2012, logged into his accounts and discovered a financial nightmare. Over ten days he had not been watching, fraudsters had systematically drained his savings account and credit card — through UPI transfers, international card transactions, and repeated attempted attacks — totalling Rs. 9,46,320. The order that emerged from the Karnataka Adjudicating Officer's proceedings on 28 April 2023 is the first settled cyber banking adjudication in Karnataka, and it now proceeds to final hearing at TDSAT, New Delhi.

Argued by Roots Cyber Law Firm, this case establishes how Indian adjudicators weigh a customer's duty of vigilance against a bank's non-negotiable obligation to detect and prevent fraud through its own promised security systems.

01 ——

The Fraud: Ten Days, Multiple Fronts

The attack was not a single event but a sustained, multi-vector assault. From 16 to 26 October 2020, unauthorised transactions swept through both the complainant's savings account — via Paytm and Google Pay UPI — and his credit card, including two successful international transfers of USD 5,000 each to an entity in Kabul.

Date
Transaction
Amount
Status
17 Oct 2020
Multiple UPI transfers via Paytm to unknown "Aniket" & "GHC"
Rs. 1,79,400
Fraud
16 Oct 2020
Two foreign CC transactions (USD 2,000 each) — "Go Get Funding"
Rs. 3,04,124
Reversed
21–23 Oct 2020
Three UPI transfers via Google Pay to unknown recipient
Included above
Fraud
24 Oct 2020
CC airline ticket purchase — reverted next day
Rs. 9,18,000
Reversed
24 Oct 2020
Two attempted CC transactions (USD 15,000 each) — blocked at credit limit
Rs. 10,20,000
Blocked
26 Oct 2020
Two CC transactions (USD 5,000 each) — "Sherzad Idealistic Logistic Kabul"
Rs. 7,66,920
Fraud

The complainant discovered the fraud only on 31 October 2020 and raised a complaint the same day. That four-day delay in reporting after the final transaction would become a key factor in the adjudicator's reasoning on contributory negligence.

02 ——

The Bank's Defence — and Where It Failed

IndusInd Bank argued that all transactions were authenticated by OTP sent to the complainant's registered mobile and email, that the UPI transactions occurred through RBI-regulated third-party apps beyond the bank's control, and that since the complainant had sole access to his OTPs, any compromise was on his end alone.

"It is like someone trying to rob the house and tries to break the door 3 times and the 4th time he/she will be successful in breaking — and the security is watching without any action."

Written arguments of Complainant, adopted by Adjudicating Officer

The decisive blow came from the bank's own Customer Protection Policy §4.2, which promised a "robust and dynamic fraud detection and prevention mechanism." The complainant demonstrated that despite multiple failed attempts over the credit limit, repeated reversals, and over 16 UPI transactions in a single 24-hour window — exceeding NPCI Circular NPCI/2018-19/UPI OC NO/061's 10-transaction daily cap — the bank's fraud system raised no alarm, made no call, and blocked no card.

03 ——

Key Findings

Bank's own policy created enforceable obligations
IndusInd's Customer Protection Policy §4.2 committed it to robust fraud detection. When multiple red-flag events occurred without any bank action, the policy became the standard against which the bank's negligence was measured — and the bank was found wanting.
NPCI UPI frequency norms violated
Over 16 UPI transactions cleared in a single 24-hour period through Paytm, exceeding NPCI's prescribed limit of 10 P2P transactions per day. The bank's failure to enforce or flag this threshold was treated as a failure of its security obligations.
Complainant held contributorily negligent
The complainant did not monitor his accounts for ten days and reported the fraud four days after the final transaction. The Adjudicating Officer held this contributed to the loss, denying mental agony compensation, pocket expenses, and interest claimed.
Google Pay & Paytm exempted — §79 safe harbour
Both third-party UPI apps were protected as intermediaries under Sections 2(w) and 79 of the IT Act. No specific allegations were raised against them. Paytm had promptly blocked the involved merchant account upon learning of the fraud.
04 ——

Division of Liability

Held Liable
IndusInd Bank (R1–R3)

Liable for the credit card fraud sum of Rs. 7,66,920 — the amounts transferred on 26 October 2020 to Sherzad Idealistic Logistic Kabul. Fraud detection systems failed despite ten days of red-flag events. UPI savings account transactions excluded as bank's role in TPAP transactions is limited.

Exempted
Google Pay & Paytm (R4, R5)

Protected as intermediaries under §§2(w) and 79 of the IT Act. No specific relief sought against them. The Supreme Court's ruling on eBay and the Karnataka High Court's order in Kunal Bahl v. State of Karnataka applied. Paytm cooperated by blocking the merchant account involved.

Final Order — Dr. E.V. Ramana Reddy, 28 April 2023
Total Claimed
Rs. 11,38,904
Awarded
Rs. 7,66,920
Scope
Credit Card Only

Compensation restricted to the credit card fraud sum of Rs. 7,66,920 (the 26 October 2020 international transfers). Mental agony (Rs. 50,000), pocket expenses (Rs. 1,00,000) and 18% interest were not awarded, the Adjudicating Officer noting that the complainant's failure to monitor accounts and report promptly contributed to the loss.

05 ——

Case Update: Appeal Before TDSAT

Ongoing Proceedings

Posted for Final Hearing at TDSAT, New Delhi

The matter is currently before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), New Delhi, in appeal against the order of the Karnataka Adjudicating Officer dated 28 April 2023. The case has been posted for final hearing.

The TDSAT appeal presents an opportunity to revisit and potentially expand the scope of relief — including the savings account UPI transaction losses and the full quantum of damages that were denied at the first instance. The appeal also raises broader questions on whether a bank's limited role as a PSP Bank in third-party UPI transactions can entirely shield it from liability when its own NPCI compliance failures directly enabled the fraud.

Roots Cyber Law Firm continues to represent the complainant's interests in the appellate proceedings.

06 ——

Why This Case Matters

01
First cyber banking adjudication in Karnataka
Complaint No. 01/2021 is the first cyber banking case decided on merits under the IT Act by the Karnataka Adjudicating Officer — the foundational reference for all future adjudications in the state.
16+
UPI transactions in 24 hours cited as negligence
First recorded use of NPCI's UPI P2P frequency cap circular as an evidentiary standard of bank negligence. Banks that allow over-limit UPI volumes now face a documented legal risk.
§79
Safe harbour boundary for UPI apps clarified
Google Pay and Paytm are confirmed intermediaries insulated from liability — drawing the line of accountability squarely at the issuing bank's fraud detection obligations.
4.2
Bank's own policy used as liability standard
A bank's Customer Protection Policy was for the first time in Karnataka used as the yardstick for measuring its security failures. Banks that overpromise in policy documents will now be held to those promises.
07 ——

Legal Team

Roots Cyber Law Firm  —  For the Complainant
Lead Counsel  ·  Roots Cyber Law Firm
Adv. Ranganath M.A.
Lead counsel who drove the technical and legal strategy, deploying IndusInd's own Customer Protection Policy and NPCI's UPI frequency circular as central tools to establish bank negligence — and now leads the appeal before TDSAT.
Lead Counsel  ·  Roots Cyber Law Firm
Adv. Chinmayee Sahoo
Lead counsel who jointly built the regulatory and evidentiary framework alongside Adv. Ranganath M.A., contributing to the arguments that secured the award against IndusInd Bank.
Assisting Counsel
Adv. Shiva Shankar
Assisted both lead counsel throughout the proceedings with research, regulatory analysis, and advocacy support across the complex multi-respondent structure.
Filing Assistance
Adv. Viji Kumar A
Assisted Mr. Srikanth Subramanian in filing the complaint before the Karnataka Adjudicating Officer, helping initiate the proceedings that led to this landmark order.
08 ——

Conclusion

The Srikanth Subramanian case draws a new accountability map for the UPI era. Banks cannot route customer money through third-party apps and then claim they have no visibility when fraud occurs. Their fraud detection systems remain fully obligated to flag anomalous patterns — multiple failed attempts, over-limit transactions, repeated reversals, foreign currency bursts — regardless of what application layer the transaction uses.

Equally, customers now have a legal obligation, not just good practice, to monitor transaction alerts and report suspicion promptly. Where a customer fails to do so, adjudicators will apportion responsibility accordingly.

With the matter now posted for final hearing at TDSAT, the outcome of the appeal may further sharpen these principles — and potentially extend liability to the UPI savings account transactions left unaddressed at the first instance. Roots Cyber Law Firm continues to pursue the full measure of relief on behalf of the complainant.