Internet Banking — A Practical Guide for Indian Practitioners
Introduction
Internet banking — the conduct of banking transactions over the Internet — is now a routine avenue for payments, fund transfers, account management and access to credit facilities. Its ubiquity has produced a parallel body of legal practice that sits at the intersection of banking law, cyber law, evidence law, regulatory instructions from the Reserve Bank of India (RBI) and consumer protection. For litigators and in‑house counsel the key skills are: (a) translating technical evidence into admissible proof; (b) framing liability under regulatory standards; and (c) choosing the quickest, most effective remedy (criminal reporting, RBI/Ombudsman complaint, consumer/civil suit). This article sets out the statutory anchors, operational nuances, leading authorities and a practitioner’s checklist for handling internet‑banking disputes in India.
Core Legal Framework
Primary statutes, provisions and regulatory instruments you must invoke
- Information Technology Act, 2000 (IT Act)
- s.2(1)(t) — definition of “electronic record”: includes “data, record or data generated, image or sound stored, received or sent in an electronic form”.
- s.43A — liability for failure to protect sensitive personal data and compensation obligations.
- s.65, s.66, s.66C, s.66D — offences relating to tampering, hacking, identity theft and cheating by personation using a computer resource.
- s.72 — breach of confidentiality of electronic information.
- Interplay with sectoral regulation (banks remain subject to both IT Act obligations and RBI requirements).
- Indian Evidence Act, 1872
- s.65A and s.65B — special provisions for admissibility of electronic records in evidence; litigation practice has been shaped decisively by Supreme Court interpretations of these provisions. (In practice, production of certified technical documentation under s.65B(4) or proof of primary electronic originals is critical — see Landmark Judgments below.)
- Payment and Settlement Systems Act, 2007
- Governs payment system operators, authorisation of payment systems and provides a regulatory framework for electronic payments (RBI is the regulator).
- Banking Regulation Act, 1949
- General statutory obligations of banks; used in tandem with RBI instructions to establish supervisory duties.
- RBI Master Directions, Circulars and Guidelines
- Customer protection, two‑factor authentication, cybersecurity frameworks, grievance redressal and the 2017–2019 circulars that created the “limiting liability” framework for customers in unauthorised electronic banking transactions. These are often decisive on bank liability and practical allocation of loss.
- Consumer Protection Act, 2019
- Unauthorised transactions and failure of service by the bank can be framed as “deficiency in service” and pursued in consumer forums.
- Indian Penal Code, 1860
- IPC offences such as cheating (s.420), criminal breach of trust (s.406), conspiracy (s.120B) are used when cyber frauds are prosecuted alongside IT Act offences.
Practical note on Evidence: Electronic evidence must be both technically authentic and legally admissible. The Evidence Act provisions (65A/65B) and the Supreme Court’s interpretation require careful attention to forms of certificate, custody of devices, and chain of evidence.
Practical Application and Nuances
How internet‑banking disputes arise and how courts and investigators treat the issues in practice
- Typical factual matrices
- Unauthorised fund transfers (NEFT/IMPS/RTGS/UPI) from a customer’s account.
- Account takeover via SIM‑swap/OTP compromise, malware on customer device, phishing.
- Disputes with merchants/payment aggregators (failed refunds, double debits).
- Disagreements over bank’s adherence to two‑factor authentication, or whether bank’s security controls were followed.
- Immediate steps upon complaint (practical checklist)
- Preserve evidence: immediate written request to bank to preserve all logs (transaction logs, OTP logs, IP addresses, device IDs, merchant logs, SMS gateway records, CCTV for ATM/branch visits) and a demand for a formal acknowledgement.
- File an FIR with local police (IT offences + IPC) and obtain an FIR copy; copy it to the bank and RBI if needed.
- Lodge formal written complaint with the bank’s nodal officer and obtain acknowledgement.
- Lodge a complaint with the Banking Ombudsman (RBI) if the bank rejects relief or delay persists; preserve copies of all communications.
- Seek forensic analysis: request preservation of end‑points and consider engaging a forensic expert to preserve chain of custody.
- Burden and standard of proof
- The complainant must establish the unauthorised nature of the transaction but the bank must explain how the transaction was authenticated and why measures to prevent fraud were not breached.
- RBI circulars have created a practical presumption that if the bank fails to prove it complied with its own authentication norms and cybersecurity controls, it may be required to bear the loss (subject to exceptions of customer negligence).
- Courts will examine evidence such as device binding, two‑factor authentication logs, OTP generation and usage timestamps, merchant reconciliation statements, and SIM swap records.
- Electronic evidence — admissibility nuance
- Electronic records that a bank relies on (server logs, call data records, application logs) must be produced in accordance with s.65A/65B Indian Evidence Act. After the Supreme Court’s judgments (see below), courts insist on either:
- production of the original electronic record (device, server) as primary evidence; or
- production of a s.65B certificate accompanying secondary electronic evidence (e.g., printouts or copies of logs).
- Practical consequence: before trial, serve a legal notice demanding the s.65B certificate and certified copies — failure to obtain production in the correct form can render the log evidence inadmissible.
- Remedies and routes
- Criminal complaint (FIR): to enable police investigation and to preserve evidence via seizure of devices/servers.
- Banking Ombudsman: faster resolution of customer complaints; monetary caps apply.
- Consumer forum: claim for deficiency in service and compensation — typically quicker than civil courts for amounts within jurisdictional limits.
- Civil suit for recovery (money suit) and interim injunctions (direction to bank to provisionally restore funds).
- Regulatory escalation to RBI (especially where systemic lapses are suspected).
- Examples of courtroom arguments
- Claimant’s framing: demonstrate that authentication norms (RBI two‑factor authentication, device binding, OTP logs) were not complied with, establish timeline of unauthorised transaction vs. notice to bank, produce KYC and device possession evidence.
- Bank’s defence: present server logs, OTP generation and delivery records, customer’s device details, evidence of customer’s negligence (e.g., sharing credentials), or merchant fraud.
- Forensic points: IP geolocation inconsistencies, SIM change timestamps, discrepancies in messaging gateway logs, mismatch between card present and card not present transactions.
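The forensic points above usually reach the court as a single merged timeline. The following is an added example, not part of the original article or any bank's tooling: it merges telecom, SMS gateway and bank records into one chronology and flags transactions whose OTP was delivered shortly after a SIM change or whose IP address was not seen before. All records, field names and the 48-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data); field names are assumptions.
SIM_CHANGES = [{"ts": "2024-03-02T21:40:00", "msisdn": "98XXXXXX01"}]
OTP_LOG = [
    {"ts": "2024-03-01T10:05:10", "msisdn": "98XXXXXX01", "txn": "T100", "status": "DELIVERED"},
    {"ts": "2024-03-02T23:15:30", "msisdn": "98XXXXXX01", "txn": "T200", "status": "DELIVERED"},
]
TXN_LOG = [
    {"ts": "2024-03-01T10:05:40", "txn": "T100", "ip": "203.0.113.10", "amount": 2500},
    {"ts": "2024-03-02T23:16:05", "txn": "T200", "ip": "198.51.100.77", "amount": 95000},
]
SIM_WINDOW = timedelta(hours=48)  # assumed review window after a SIM change

def _t(s):
    return datetime.fromisoformat(s)

def build_timeline():
    """Merge the three sources into one chronological list of (time, source, text)."""
    rows = [(_t(r["ts"]), "telecom", f"SIM change for {r['msisdn']}") for r in SIM_CHANGES]
    rows += [(_t(r["ts"]), "sms-gateway", f"OTP {r['status']} for {r['txn']}") for r in OTP_LOG]
    rows += [(_t(r["ts"]), "bank", f"{r['txn']} amount {r['amount']} from {r['ip']}") for r in TXN_LOG]
    return sorted(rows)

def flag_transactions():
    """Return {txn: [reasons]} for transactions that merit a demand for further records."""
    flags, seen_ips = {}, set()
    otp_by_txn = {o["txn"]: o for o in OTP_LOG}
    for txn in sorted(TXN_LOG, key=lambda r: r["ts"]):
        reasons = []
        otp = otp_by_txn.get(txn["txn"])
        if otp is None:
            reasons.append("no OTP record for transaction")
        else:
            for sim in SIM_CHANGES:
                gap = _t(otp["ts"]) - _t(sim["ts"])
                if sim["msisdn"] == otp["msisdn"] and timedelta(0) <= gap <= SIM_WINDOW:
                    reasons.append("OTP delivered within window after SIM change")
        if seen_ips and txn["ip"] not in seen_ips:
            reasons.append("IP not seen in earlier transactions")
        seen_ips.add(txn["ip"])
        if reasons:
            flags[txn["txn"]] = reasons
    return flags

if __name__ == "__main__":
    for when, source, text in build_timeline():
        print(when.isoformat(), source, text)
    print(flag_transactions())
```

A flag here is a prompt to demand the underlying record in admissible form, not a finding; the timeline itself is only as good as the s.65B status of each source it draws on.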
Landmark Judgments
Two Supreme Court decisions have decisively framed the handling of electronic evidence — which is the backbone of internet‑banking litigation:
- Anvar P.V. v. P.K. Basheer & Ors., (2014) 10 SCC 473
- Principle: The Supreme Court held that electronic records are admissible only if produced in compliance with s.65B of the Evidence Act. The judgment emphasised the mandatory nature of the certification requirement for secondary evidence of electronic records. Practitioners must therefore ensure that server logs/printouts are accompanied by the appropriate s.65B certificate.
- Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal & Ors., (2019) 9 SCC 1 (Constitution Bench)
- Principle: This decision clarified the scope of s.65B. The Court held that where the original electronic record is produced as primary evidence in accordance with the law, the requirement of a s.65B(4) certificate to admit electronic evidence may not be necessary. It distinguished situations where secondary evidence is tendered and emphasised that compliance with the statutory mechanism is vital. Practically, this reinforced two routes: produce the original device/server or produce certified secondary evidence with the statutory certificate.
Practical takeaway from these authorities: do not assume printouts of logs will be admitted automatically. Either obtain the s.65B certificate with secondary copies or secure production/preservation of original devices/servers as early as possible.
(There are numerous High Court decisions and Ombudsman awards applying RBI circulars to allocate liability in internet‑banking frauds. Those decisions repeatedly emphasize bank compliance with RBI’s authentication/cybersecurity circulars and prompt lodging of customer complaints.)
Strategic Considerations for Practitioners
How to craft winning strategies and avoid common pitfalls
- Move fast — preservation is decisive
- Electronic logs are ephemeral. Immediately issue a written preservation notice to the bank and the payment service provider (PSP) and obtain an acknowledgment. Where delay is visible, seek urgent judicial preservation orders and incorporate that into the FIR.
- Use the regulatory framework to shift burden
- RBI circulars set out timelines and presumptive liabilities. Use them to frame the bank’s primary obligations, and push the bank to prove strict compliance with authentication and security protocols. If the bank’s claim rests on customer negligence, force production of objective logs proving device binding, IP addresses, OTP timestamps etc.
- Evidence strategy — think 65B from day one
- Specify in pleadings and notices the demand for s.65B certificates and certified logs. If the bank refuses or delays, take prompt steps to secure the original servers/devices via police seizure or court order so you can rely on primary evidence as per Arjun Panditrao.
- Remedies sequencing — choose the right forum
- For rapid interim relief (restoration of funds), civil courts or consumer forums with interim power and injunctions are often suitable. Parallel FIR should be filed to keep a criminal investigation alive and to assist with preservation.
- Banking Ombudsman often gives faster monetary relief within prescribed limits; start there where appropriate but do not lose the right to pursue civil/criminal remedies.
- Expert evidence matters
- Engage a credible digital forensic expert early; ensure proper chain of custody and create a clear expert report explaining logs, IPs, device forensic findings and a timeline the court can digest.
- Drafting tips for pleadings
- Be specific: specify the exact transactions, timestamps, transaction IDs and the relief sought (provisional credit, permanent refund, damages, interest).
- Plead compliance/non‑compliance with RBI circulars and attach copies; cite IT Act offences and demand investigation.
- Request production of specific material — server logs, switch logs, SMS/IVR logs, merchant reconciliation, KYC records, SIM‑swap details.
- Pitfalls to avoid
- Relying on unsworn, uncertified printouts without a 65B certificate or production of originals.
- Delays in filing complaints or notices — they weaken presumptions and can be fatal to the claim under RBI timelines.
- Not preserving the device or failing to instruct forensic experts immediately.
- Making speculative accusations of internal bank collusion without prima facie evidence — courts expect factual particularity.
- Ignoring the multiplicity of forums — a strategic mix of Ombudsman + consumer/civil + criminal approaches often yields the best results.
Conclusion
Internet banking disputes combine technical proofs with regulatory duties. For practitioners the practical law is straightforward: act quickly to preserve evidence, insist on properly certified electronic records (s.65B) or production of originals, lean on RBI guidelines to fix bank obligations, and prosecute parallel criminal and consumer/regulatory remedies where appropriate. Success turns on forensic discipline (chain of custody and expert proof), procedural promptness (timely complaints and preservation), and a clear litigation strategy that marshals regulatory norms (RBI circulars) alongside the IT Act and Evidence Act authorities (notably Anvar and Arjun Panditrao). Keep checklists and templates ready — the difference between recovery and loss is often hours, not weeks.