In a landmark move, the National Consumer Disputes Redressal Commission (NCDRC) had issued notices to a clutch of banks for alleged “deficiencies in service” in relation to digital arrest scams.
For the first time, the commission formally admitted petitions filed by victims of digital arrest fraud in an order dated March 3, 2025, and heard responses from major banks like ICICI Bank, HDFC Bank, State Bank of India, and others during a hearing on July 7, 2025.
The cases were clubbed by the bench led by Justice (retired) A P Sahi and Bharatkumar Pandya, and concern multiple victims: two from Gurugram, who lost Rs 10.3 crore and Rs 5.85 crore, and one from Mumbai, who lost Rs 5.88 crore.
In its March 3 order and the subsequent July 7 hearing, the NCDRC said it would consider invoking the assistance of government agencies such as the Financial Intelligence Unit (FIU), and the Indian Cyber Crime Coordination Centre (I4C), if it deems the complaints “maintainable.”
The FIU monitors suspicious financial transactions to combat money laundering, and the I4C is the Home Ministry’s nodal agency for coordinating nationwide responses to cybercrime.
The NCDRC’s next hearing is scheduled for November 14, 2025, when it will decide whether these petitions are maintainable and whether central agencies like the FIU and I4C will be roped in.
If the court rules in favour of the victims, it could define whether banks can still claim the customer acted of their own free will when digital threats force someone’s hand.
What is a digital arrest scam?
Digital arrest scams are a newer form of cyber fraud where scammers impersonate law enforcement or regulatory officials, from agencies like the Income Tax Department or Customs, and threaten victims with immediate arrest. These calls, often conducted via video or voice, create an atmosphere of fear and urgency.
Victims are told they are under investigation or that their documents were found at a crime scene, and are coerced into transferring money as a supposed “legal safeguard” or “penalty.”
In reality, the money is being funnelled through complex networks of mule accounts.
For example, in the case of the Gurugram victim who lost Rs 5.85 crore, reports suggest that fraudsters allegedly moved the funds through 141 different accounts spread across India, often within seconds or minutes, leaving no room for detection or recovery.
The funds are routed in three layers of transactions, making tracking almost impossible.
It has also been revealed that the same mule accounts were allegedly used repeatedly across multiple cyber frauds, showing systemic flaws in bank-level scrutiny.
How widespread is the problem?
According to an investigative series published by The Indian Express, India reported a staggering 1,23,672 cases of digital arrest scams in 2024 alone, with victims collectively losing Rs 1,935 crore.
These numbers represent just the officially reported cases, and the actual figures could be much higher due to underreporting caused by shame or fear, according to reports.
The scale and speed at which these frauds are executed have overwhelmed traditional banking safeguards, and in many cases, banks reportedly failed to flag or freeze suspicious transactions, even when large sums were being routed across newly opened or unverified accounts, often within moments of receiving funds.
What is the legal case now before the NCDRC?
Three petitions -- two from Gurugram and one from Mumbai -- have been filed before the NCDRC by advocate Mahendra Limaye on behalf of the victims.
The key allegation is that the banks involved failed to follow RBI-mandated customer due diligence procedures, and allowed large-value, high-risk transactions to proceed without any intervention.
The RBI-mandated due diligence procedures require banks to verify account holder identities (KYC), monitor transactions for unusual activity, and flag or freeze suspicious accounts.
In its March 3 order, the NCDRC stated that “customer diligence was clearly compromised”, and that “RBI guidelines were blatantly violated.”
The commission noted that the recipient accounts showed all signs of being high-risk or fraudulent, and yet no red flags were raised, no alerts were issued, and no measures were taken to stop or delay the transactions.
The court also observed that the circulars governing unauthorised electronic banking transactions place a burden on banks to safeguard customers.
The issue now is whether the NCDRC accepts these petitions as valid “consumer complaints” and whether the losses fall within its pecuniary jurisdiction, that is, whether the amount involved meets the monetary threshold that legally allows the commission to hear and decide on the case, which currently stands at over Rs 2 crore for the national body.
Which banks have been named in the case?
The banks that have received notices or were represented during the July 7 hearing include ICICI Bank, HDFC Bank, UCO Bank, Federal Bank, Sreenivasa Padmavathi Bank, Yes Bank, State Bank of India, and Kotak Mahindra Bank.
These institutions allegedly either processed or held the recipient mule accounts through which scammed money was funnelled.
The NCDRC’s scrutiny revolves around whether these banks performed adequate due diligence and whether they should bear responsibility for facilitating the laundering of funds.
What are the victims asking from the NCDRC?
The petitioners argue that even though they initiated the transactions, the transfers were made under coercion and psychological manipulation, and therefore do not constitute valid “consent.”
They contend that banks should be held liable not only for the initial failure to protect their accounts, but also for allowing their platforms to be used as conduits for large-scale money laundering.
They want the NCDRC to classify these frauds as consumer complaints, hold banks accountable for deficiencies in service, mandate compensation and potential refunds, and set a precedent for greater oversight and intervention in such cases.
What is the banks’ defence?
In their replies, banks such as ICICI and HDFC have argued that once a customer authorises a transaction, they cannot be held responsible, regardless of external coercion. Their interpretation is based on RBI’s limited liability guidelines, which define bank responsibility largely around unauthorised transactions, not coerced ones.
They argue that no internal systems were compromised, no accounts were hacked, and the transactions were executed as instructed by the customer, thus absolving them of fault.
ICICI Bank, in a 39-page submission, has further said that fraud or misrepresentation by a third party outside the bank’s ecosystem does not trigger liability under current regulations.
What is the legal counter to this argument?
Advocate Mahendra Limaye, representing all three victims, has taken a sharply opposing stance.
He said that banks are ignoring the intent and nature of the transaction. If coercion, blackmail, or deception is used to extract “consent,” then that consent is legally invalid.
Limaye argued that the burden is on banks to intervene when faced with red flags, such as sudden large-value transactions to unknown or recently opened accounts, particularly when routed in complex patterns.
He has called for an expanded definition of bank liability in the context of modern, tech-enabled fraud, and cited the repeated use of certain bank accounts for scams as proof of poor vigilance and weak compliance.