We've just released a major update for LAWFYI to improve its capabilities. Kindly clear your browser cache to avoid any disruptions in our services or delays in updates reaching you!

Reached Daily Limit?

Explore a new way of legal research!

Click Here
Indian CasesSupreme Court of India

Vodafone Cellular Limited vs Mr Sanjay Govind Dhande And Others on 14 February, 2020

Print Friendly, PDF & Email

Telecom Disputes Settlement Tribunal

Vodafone Cellular Limited vs Mr Sanjay Govind Dhande And Others on 14 February, 2020

Bench: Shiva Kirti Singh

TELECOM DISPUTES SETTLEMENT & APPELLATE TRIBUNAL

NEW DELEI

Dated ; “! February, 2020

Cyber Appeal No.1 of 2014

Yodatone Idea Lid. Petitioner

Vs.

Mr. Sanjay Govind Dhande & Ors. … Respondents

Cyber Appeal No.4 of 2014 ICICI] Bank Lid. .. Petitioner Vs.

Mr, Saniay Govind Dhande & Ors. .. Respondents BERPORE:

HON BLE MR.FUSTICE SHIVA BIRTI SINGH, CHAIRPERSON For Petitioner (in C.A. No.l of 2014) =: Mr, Thyagrajan, Advocate Ms. Akanksha Banerjee, Advocate For Petitioner (in C.A. No.4 of 2014) : Mr. Alok Sharma, Advocate For Respondents > Mr. Arpun Natrajan, Advocate QRDER By S.K. Singh, Chairperson — At the outset, it ig recorded that learned counsel for Vodafone Cellular Ltd, appellant in Cyber Appeal No.1 of 2014 has informed that the name of the above corporate entity now stands changed to Vodafone Idea Lid. He prays that this change may be recorded and the changed name should appear in the judgment. This prayer has not been opposed by the learned counsel for the other side and hence the change in the name of Vodatone Cellular Ltd. to that of Vodafone Idea Lid. is recorded and the cause title of this judgment and order is accordingly modified so as to teflect the name of Vodafone Idea Lid. Cyber Appeal No.1 of 2014 has been taken as the lead matter. The appellant in the other appeal (Cyber Appeal No.4 of 2014) Le. ICICT Bank Lid. is one of the respondents in Cyber Appeal No.1 of 2014,

2. Both these appeals have been heard together because they arise out of the same judgment and order dated 16.01.2014 passed in Complaint No.30/2013 by learned Adjudicating Officer, Principal Secretary(information Technology}, Government of Maharashtra. The essential facts of the case noted in brief on the basis of averments in the Complaint show that Complainant Nos.1 and 2, Sanjay Govind Dhande and Dr(Smt.) Medha Sanjay Dhande are the Directors of M/s Sango Consultants Pvt. Lid, Pune which is Complainant No.3. The complainants hold a Current Account with ICICI Bank, Aundh Branch(Respondent No.1) an appellant herein. The above Current Account is linked with the mobile number belonging to the complainants which was issued by a Vodafone Store a Pune(Respondent No.2) representing Vodafone India Lid.(Respondent No.3) an appellant herein.

3, it is complainants’ case that between 6″ to 196″ September 2013, several fraudulent find transfers in total for about Rs.19 lakhs were done from the above account by unknown persons, According to the complainant, Vodafone did not take adequate security measures to protect complainant’s data available with them. Vodafone issued a duplicate SIM of complainant’s mobile number to fraudsters without cross-checking the documents submitted by them with the identity documents of complainant made available at the time of issue of the original SIM. Such negligent act of Vodafone enabled the fraudsters to commut the fraudulent fund transfers that caused financial loss to the complainants. 3, The chronology of important events appearing from the complaint is as follows:

() On 06.09.2013 the mobile phone of the complainants stopped functioning in proper manner. On the next date, the complainants through their family driver contacted the Vodafone shop located in Sanghvi, Pune. The Vodafone representative checked the mobile phone and communicated that the instrument was working properly but the SUM card required to be replaced. Since 8″ and 9″ September 2013 were holidays, on 10.09.2013 an application was submitted for new SIM with the necessary documentary proofs such as PAN Card etc. A new SIM was issued but the calls were getting diverted to some other number. The complainant again contacted the Vodafone Store and they corrected the fault. The phone started functioning without any problem from evening hours of 10.09.2013. It is the complainant’s case that during the period when the mobile phone was non-functionmeg, the fraudulent transactions took place between 06.09.6013 to 10.09.2013 and an amount of Rs.19,01,073.16p was fraudulently withdrawn. When the complainant submitted a complaint to Vodafone on 16.09.2013, it was revealed to the complainant by Vodafone Store at Pune that a fake SIM of complamant’s number was issued by Vodafone on 06.09.2013 at their franchisee office im Nagpur. Complainant had also approached the concerned police station at Pune where an FIR. was registered bearing CR No.315/2013 on 14.09.2013. Later the case was transferred to Cyber Crime Cell, Pune for further investigation.

Gi) It is the case of Vodafone thal a person claiming to be Dr.(Smt.) ‘Medha Sanjay Dhande(Complainant No.2) visited VYodafone’s Nagpur franchisee office on 06.09.2013 with a request for replacement to SIM made in the prescribed form along with the requisite documents of the subseriber. The request was duly processed and a new SIM was issued to the person who had visited the Store and it was activated on the same day. The claim of the Complainant No.2 that on request the non-functional SIM was replaced by Vodafone Store at Pune on 10.09.2013 has been accepted by Vodafone. Vodafone received information of the fraudulent transfers through the concerned officer in-charge of the police station on 14.09.2013. On 18.09.2013, on the basis of internal investigation Vodafone informed the Police Inspector, Cyber Crime Cell, Nagpur that on 06.09.2013 a fraudster had obtained replacement of SIM for the mobile number of the complainant but the same was issued under the belief that the fraudster was the lawful owner of the SIM. Vodafone offered to cooperate with the police and as required it submitted the relevant documents te the Cyber Crime Cell, Pune on 26.09.2013.

Gi) The complainants have submitted copy of their bank account statement, copy of the FIR and also copy of the correspondence with the bank and its officials dated 11″, 16″ and 21″ September, 2013. Vodafone have submitted copy of the Customer Agreement Form dated 30.08.2012, copy of the PAN card and electricity bill of the complainant, copy of documents submitted by the imposter, copy of the SIM replacement request with documents submitted by the subscriber, copies of correspondence with the police with documents submitted to the Cyber Crime Cell, Pune.

Gv) The stand of the ICIC] Bank is that complainant is a frequent user and well-versed with the Internet Banking Facility of the ICICI Bank. According to bank, the FIR filed by the complainant was under investigation and the culprit was yet to be identified, hence, until an official report is made by the police, no relief should be given to the complamant. The bank denied any role in the fraudulent transactions. The material allegations, according to bank, were against Vodafone and its Store. Bank also tock the stand that it sends SMS for every transaction to the mobile number of the customer which is registered with the bank and a transaction can be denied or restricted only if any dispute is raised in respect thereto. The bank denied that it had any responsibility to deny the transactions only because the fraudulent transactions took place at a rapid pace. Bank relied upon the terms and conditions for availing Corporate Internet Banking Facility of ICICI Bank. According to the bank, customer is responsible for security of Internet Banking 1D Password and the Transaction Password. Even a payee is not registered unless a Unique Registration Number(URN) generated by the bank is filled-in by the customer for confirming the payee. The URW is sent on the registered mobile number of the customer. For making any payments as fund transfer, the customer has to fill the details of the grid which is available on the backside of its debit card.

(vy) Lastly, ICICI bank has claimed that it extended full support to the investigation and by is efforts, it was able to recover a sum of Rs.3,26,504.17p out of the fraudulent transactions. It had also frozen the complainant’s account to prevent further loss. The money recovered was credited to the complainant’s account by the bank. The bank has submitted to the AG copy of the List of Transactions, copy of Customer Relationship Form, copy of Terms and Conditions of Corporate Internet Banking and copy of Terms and Conditions governing Mobile Banking Facility.

x

4. Learned AO has noted the arguments on behalf of Vodafone in detail which arĂ© fo the effect that H is only a service provider under the licence granted by the Department of Telecom. It does not “possess, handle or deal with” any sensitive personal data or information and hence Section 43A of the Information Technology Act, 2000(IT Act) will not apply to a telecom service provider like Vodafone. Further defence of Vodafone is that it has Customer Agreement Form(CAP) only from Complainant No.2 in individual capacity and not as a representative of other two complainants. The subscriber verification is not included in the scope of reasonable security practices and procedures under Section

434. The identity and nature of sensitive personal data or information possessed or handled by Vodafone has not been established. In any case, since there was no intentional act for assisting the fraudster, therefore, no contravention of Section 43{z) of the IT Act can be attributed.

8. Learned AO had the benefit of detailed investigation into the case by the police and report submitted by it. Police investigation infer alta disclosed that the money from complainant’s account was transferred to 11 accounts of ICICT Bank and some other accounts. Police could obtain from ICIC{ Bank accounts documents with KYC documents only for 8 accounts. Police arrested Vinayak Mahadev Tirlotkar in whose account money was transferred in two tranches and he had withdrawn the amount totaling Rs.1,00,115/ by using ATM ecard. The details of 10 transactions from complainant’s account to “itzeasheard” with use of internet via an IP address of Turkey were also collected, < & The police investigation disclosed that ICICI] Bank failed to notice suspicious nature of altogether 22 illegal transactions from the account of the complainant within two days for an amount of Rs.19,01,073/-. Since foreign IPs were involved, bank should have verified before allowing the unusual transactions. The bank did not provide CCTV footage of ATM as well as in-person cheque/cash withdrawal at branch. There was nc verification whether the transaction OTP had been received by the genuine customer. The bank had not followed the RBI guidelines in order to comply with the KYC norms and AML related guidelines. Police found that the address of aceused Vinayak Mahadev Tirlotkar provided by KYC was bogus. Bank did not provide details of accounts opened during the last one year under a particular bank official. Money was also transferred to a fake account of ICICI Bank at Bangalore. That account holder was arrested in Mumbai and his name was found to be different. ICICI Bank had failed to observe due diligence to create a secured environment and had violated KYC norms with impunity while permitting opening of accounts. Police also concluded that ICICI Bank and its officials were not assisting the police in the investigation.

7, As per report of the police the conduct of Vodafone in the matte also suffered from lacunaes. The fraudsters could successfully deactivate the mobile of the complainant with the help of a Vodafone Store on 06.09.2013 and collected a duplicate SIM for a mobile number which was linked to complainant’s account. The SIM Replacement Form mentioned no date. Replaced SIM was given to a third person even after finding out that the person was not the SYM owner (Smt.Medha Sanjay Dhande}. There was no due diligence on behalf of Vodafone on several issues. The SIM Replacement Form was verified on the basis of a passport copy of a male person whereas the owner is a female customer. The address on the passport and the address on the original SIM Registration Form were different. The mandatory verification through File Net System for SIM replacement was not carried out because the system was said to be down at that time. Vodafone did not provide the original documents submitted with SIM Replacement Farm and provided only photocopy through email. The Vodafone Store at Nagpur admitted that there was only a scanned copy of photo and no original photo. The photo was of ex-Union Minister Shri Dayanidhi Maran. Vodafone had non-functional CCTV cameras which were not changed in spite of emails sent by the police. CCTV footage could be obtained only from camera outside the Store building and that too for 03.09.2013 and not for 06.09.2013 when the SUM replacement was done.

8. On the basis of all the relevant facts the learned AO held that the two big names in the banking and telecom sectors, ICICI Bank and Vodafone, had badly let Fey fa their customers down. They were totally non-repentant about their laxity bordering on connivance which has resulted in this crime. It has been noted by the learned AO that the bank had opened many account of bogus persons with fake addressed and it showed that KYC norms were being violated with total impunity. Bank was not cooperating nor it conducted any internal investigation. CCTV footage of ATM and in-person withdrawal at branch was also not made available. Foreign IP addresses and successive quick withdrawals did not raise any alerts within the bank’s system showing that security measures are not adequate. Learned AO noticed the provisions of RBI Guidelines on KYC as well as on security in respect of Electronic Banking and Cyber Frauds etc. and he found that ihe Guidelines have been violated by not taking sufficient precautions as suggested by the RBI.

9. Leared AO has taken note of an emotional letter written by the complainant, Mr.Sanjay Govind Dhande to the MD and CEO of ICICI Bank. He disclosed that he had served as Director, IIT, Kanpur for 11 years and received Padmashree awards for services to the Nation. At the time of occurrence he was a Member, National Security Advisory Board. However, the MD or her office did not bother to give even a reply to the said letter. It only shows shabby treatment to the customers and lack of arievance redressal mechanism. On the issues relating to Vodafone, learned AO has held that there was direct nexus between blocking of SIM cards of the complainant, issuance and use of a duplicate SIM card by the fraudster and the unauthorized financial transactions from the account of the complainant. The importance of mobile numbers for use in financial transactions and other sensitive transactions is growing by leaps and bounds and it is not a secret to telecom service providers like Vodafone. They earn huge revenues from such valid use of mobile phones. The significance of SIM or a duplicate SIM can best be understood by such service provider. In this case, the documents of ICICI Bank show that not only bank transaction alerts but even OTP was sent to the registered mobile number but in fact it went to the duplicate SIM card which was issued purely on account of negligence bordering on connivance and laxity in maintaining reasonable security measures; and by ignoring the standard procedures for verification of documents for replacement of SIM with the original documents and data available in the CAF of original SIM owner. But for such duplicate SIM issued to the fraudster, the unauthorized financial transactions were not possible. The fraud could still be prevented had Vodafone not blocked the original SIM card of the complainant without contacting the original SIM owner. This prevented the complainant from getting alerts in respect of unauthorized transactions from his ICICyY Bank account. The security measure of Vodafone was hopelessly inadequate because it has come on record that online File Net System was down for days. The fraudster obtained a blank form from the Vodafone Store and soon came back with forged details, a photo of a male person scanned on a plain paper and no payment was obtained for duplicate car i fee. Even a cursory comparison or check would have revealed the fraudulent nature of request for duplicate SIM. As to why the Vodafone did not check whether original number was in use or not remains a mystery. On the basis of aforesaid findings, leamed AO held that while out of initial fraud of Rs.19 lakhs and odd, Rs.3.26 lakhs had been recovered, yet the complainants were entitled to compensation of Rs.18 lakhs which would cover their loss and legal fees etc. Vodafone was found to be a bigger wrongdoer and hence, while ICICI] Bank was directed to pay damages to the tune of Rs.6 lakhs only by way of compensation, Vodafone was directed to pay Rs.12 lakhs. The payments were to be made within a month failing which compound interest of 12% compounding monthly would be chargeable.

18. Learned counsel for Vodafone has raised all the technical pleas on the lines of submissions earlier made before the AO and farther on account of provisions in the IT Act. However, it is not found necessary to go into detailed discussion of these submissions for the simple reason that Vodafone Idea Lid., was appellant in a similar matter bearing Cyber Appeal No3 of 2018. The facts and issues of that case were almost similar to the present case. There the complainant had his bank account with Bank of India at Nagpur and he suffered a loss of about Rs.18.5 lakhs out of which Rs. 15 lakhs was imposed as compensation payable by Vodafone. The if balance was held payable by Bank. Considering all the possible defence raised on behalf of Vodafone, including those which have been raised in this appeal, this Tribunal dismissed the appeal of Vodafone as well as Bank of India through a judgment and order dated 20.12.2019. That judgment in Cyber Appeal No.3 of 2018 (Bank of India Vs. Shri Sandeep & Anr.) and Cyber Appeal No.3 of 2018 (Vodafone Idea Lid. Vs. Shri Sandeep Singhal & Any.) applies to the facts of the present appeals on all fours. In that case the Vodafone was found Liable under Section 43(g}, 43.4 of the IT Act whereas the Bank of India was found Hable only under Section 43A of the Act. Here the pleas of ICIC! Bank are similar. But the findings of learned AO are found to suffer from no infirmity.

ii. In the present case also, on the basis of acts noticed above and the law reiterated by this Tribunal in the aforesaid judgment dated 20.12.2019, Vodafone is found deficient in security measures and hence Hable under Section 43A of the IT Act. The appeals are found to be without merits and are dismissed accordingly. In case the appellant(s) have not paid the decretal money as granted by the AO, it should be paid within one month. Both the appellants shall further pay a sum of Rs.50,000/- (Rupees Fifty Thousand only) each by way of cost of the appeal to the complainants within one month. The complainants shall be entitled to get the 5H ed