
SIM Swapping Scams: Who Bears Responsibility For Losses?

Scammers gather personal information from people, like names, birthdays, addresses, and phone numbers, before carrying out such frauds. But who bears the liability?

(Photo by Jefferson Santos on Unsplash)

In 2020, Paresh Chandra Deka found himself entangled in a puzzling case of a subscriber identity module (SIM) swapping scam and banking fraud.

Deka’s SIM card was registered in the name of his daughter Tulika. But during October 2-4, 2020, things went haywire when Tulika's SIM card suddenly stopped working. Tulika, worried about what was going on, quickly reported the issue to the telecom service provider, Bharti Airtel Ltd., on Oct. 4 to sort it out.

Meanwhile, Deka’s account witnessed suspicious activity. Between Oct. 3 and Oct. 4, several transactions drained his account balance to a meager Rs 69.61, a stark contrast to the healthy balance of over Rs 9 lakh on Oct. 2.

Upon investigation by the State Bank of India, it was revealed that internet banking transactions of over Rs 7 lakh occurred during this time, alongside unauthorised UPI transactions of over Rs 1 lakh.

Deka had never before used internet banking services, nor had he ever applied for them.

This is a case of a SIM swapping scam, in which scammers try to get personal information from people, like names, birthdays, addresses, and phone numbers. With all this, they pretend to be the victim and contact the telecom service provider, saying they lost or broke their SIM card and need a new one with the same number.

Once they get control of the victim's phone number, they go after their bank accounts.

The question then arises: Who bears the responsibility for the losses caused?

In the present case, the court observed that Tulika's address in the documents given to the bank was different from the one provided by her impersonator.

The court observed that when someone applies for a new SIM card, the personnel at Bharti Airtel must check the ID proof carefully and make sure it matches the original.

They're supposed to record everything they do, like their name, signature, and where they work. But even though Tulika's real details didn't match the fake ones in the Bharti Airtel records, they went ahead and swapped the SIM card.

The rise in such cases highlights the urgent need for the telecom industry to address vulnerabilities, according to Nilesh Tribhuvann, partner at White and Brief—Advocates and Solicitors.

"The court's decision to hold the telecom service provider accountable for not meeting the required safeguards shows the need to fortify the security of mobile communications," he said.

Meanwhile, the bank told the court that internet banking can be activated without visiting a branch.

While this case remains pending, in a precedent-setting case in 2019, the Kerala High Court ruled that if someone is a victim of fraud, reports it promptly, and is found not at fault, banks should treat it as a "zero liability" transaction.

This means the victim shouldn't be held responsible for any losses. This rule is based on Reserve Bank of India guidelines from 2017, aimed at protecting people from fraud. The court directed banks to refund stolen money and pursue fraudsters for recovery.

In cases like these, mobile service providers and banks must strictly adhere to processes to avoid liability, according to Smiti Tewari, partner at Khaitan Legal Associates.

As per RBI's 2017 circular, banks are obligated to reverse fraudulent transactions promptly upon notification within the required timeframe.
Smiti Tewari, Partner, Khaitan Legal Associates

In addition to court orders, in 2016, the government had also issued a set of instructions to deal with this menace.

  • The person at the point-of-sale must verify the identity document against the original and sign a declaration confirming the match.

  • Before activating the new SIM card, the employee must ensure the details match the records and sign a declaration to confirm this.

If the telecommunication company doesn't strictly implement the mandate, and this results in the imposter being able to commit a fraud, clearly the telecommunication company would be liable, according to Anoj Menon, partner at Desai and Diwanji.

If there's a default on part of the telecommunication company to protect the data of a consumer leading to such a fraud, it would surely be liable to pay damages.
Sourasubha Ghosh, Partner, IndusLaw