Axis Bank Ordered to Compensate Dhule Vikas Sahakari Bank Ltd for System Security Failures

A significant security breach in Axis Bank’s system has highlighted its failure to enforce basic security protocols, leading to severe financial losses for Dhule Vikas Sahakari Bank Ltd, a prominent co-operative bank headquartered in Dhule City, Maharashtra. The incident involved unauthorized transactions amounting to ₹2,06,50,165 from the Complainant’s Current Account on June 7 and June 8, 2020.

The Incident

Dhule Vikas Sahakari Bank Ltd, which operates a Current Account (Account No. 91402008206406) with Axis Bank’s Dhule branch, uses Axis Bank’s Pay-Pro platform for conducting RTGS and NEFT transactions. This system includes a secure login process requiring user credentials, OTPs, and a maker-checker authorization mechanism to ensure dual verification of all transactions.

On June 8, 2020, between 10:30 AM and 11:00 AM, a bank employee discovered 26 unauthorized RTGS transactions and one NEFT transaction totaling ₹2,06,50,165. These transactions had occurred earlier that morning between 7:00 AM and 10:00 AM—outside the Complainant’s operating hours, which start at 10:30 AM. Alarmingly, the transactions bypassed the mandatory security measures, including OTPs and batch numbers. Neither the maker nor the checker received OTPs, and no batch numbers were generated, indicating a significant failure in Axis Bank’s security protocols.

Immediate Actions Taken

The Complainant promptly reported the unauthorized transactions to Axis Bank, requesting the account be blocked to prevent further losses. The matter was also reported to the Dhule City Police Station for investigation. Despite maintaining separate registered mobile numbers for the maker and checker to receive OTPs, no OTPs were sent during the unauthorized transactions, highlighting systemic flaws in Axis Bank’s security infrastructure.

Legal Allegations

The Complainant accused Axis Bank of gross negligence and violations under the Information Technology Act, 2000. The alleged violations include:

1. Failure to implement reasonable security practices (Section 43A).
2. Permitting unauthorized access (Section 43(g)).
3. Repeated breaches under Section 47(c).
4. Corporate accountability for lapses (Section 85).

The bank alleged that Axis Bank’s system failed to comply with basic IT and banking regulations, resulting in financial and emotional damages.

Financial and Emotional Impact

The incident caused the Complainant a financial loss of ₹2,06,50,165, of which ₹1,76,06,381 remained unrecovered. In addition to financial losses, the Complainant suffered mental distress, harassment, and hardship. As a result, the Complainant sought compensation for:

• The remaining loss of ₹1,76,06,381.
• Interest at 18% per annum from June 8, 2020.
• Legal charges of ₹3,00,000.
• Compensation of ₹50,00,000 for mental agony.
  
  

Adjudication Order

After reviewing the case, the adjudicating authority held Axis Bank accountable for its failure to implement adequate security measures. Axis Bank was ordered to:

1. Reimburse the actual loss of ₹1,76,06,381 with compound interest at 18% from the date of contravention until full payment.
2. Pay ₹3,00,000 in legal charges.
3. Compensate the Complainant ₹50,00,000 for mental agony, pain, and undue harassment.

The order directed Axis Bank to comply within one month and notify the adjudicating authority of the same.

Conclusion

This case highlights the critical importance of robust security systems in banking operations. Lapses in enforcing basic protocols not only expose financial institutions to significant liabilities but also erode customer trust. The judgment emphasizes the need for stricter compliance with IT and banking regulations to prevent similar incidents in the future.