Referring to India’s rapidly deepening digital economy and the UPI ecosystem, which handles over a thousand crore transactions monthly, the High Court of Karnataka said digital transactions have a single critical dependency: the mobile number registered for OTP authentication.
In a verdict with far-reaching consequences for telecom service providers (TSPs), the High Court of Karnataka has held that the TSPs bear civil liability for financial losses caused by SIM swap frauds enabled directly by their negligence, while terming the TSPs “custodians” whose role is equivalent to a “vault keeper in a traditional banking system”.“Just as a vault keeper who carelessly or dishonestly gives access to unauthorised persons bears responsibility for the resulting theft, a telecom service provider that carelessly or dishonestly issues a duplicate SIM bears responsibility for the financial fraud that the duplicate SIM enables,” the court observed.Justice Suraj Govindaraj made these observations in a case where Basaveshwara Pattana Sahakara Bank Niyamitha (BPSBN), a cooperative bank of Shiralkoppa in Shivamogga district, had lost ₹50.5 lakh from its current account maintained in a public sector bank, after a BSNL official issued a duplicate SIM for the mobile number of BPSBN without its express and verified consent.The court, while dismissing BSNL’s petition challenging the decision of the Lok Adalat which had asked it to pay a compensation of ₹5 lakh to BPSBN, has enhanced the compensation to ₹55 lakh, holding that BSNL owed a clear and non-negotiable duty of care to BPSBN, as its subscriber, to ensure that no duplicate SIM card was issued without BPSBN’s express and verified consent.OTP authenticationReferring to India’s rapidly deepening digital economy and the UPI ecosystem, which handles over a thousand crore transactions monthly, the court said digital transactions have a single critical dependency: the mobile number registered for OTP authentication.“If this dependency fails, as it does in a SIM swap fraud, the entire security architecture is bypassed instantly,” the court observed.The court further stated that “the verification of subscriber identity before issuing a duplicate or replacement SIM card is not a bureaucratic formality. It is a critical security measure upon which the financial safety of millions of bank account holders depends. Every telecom service provider must treat every request for a duplicate SIM card with the gravity it deserves.”The dispute stemmed from fraudulent RTGS and NEFT transfers carried out between February 6 and 7, 2019, from BPSBN’s account. BPSBN alleged that unknown persons obtained a duplicate SIM linked to its registered mobile number from a BSNL office in Bengaluru, thereby gaining access to OTPs and executing unauthorised transactions. The core allegation against BSNL was that the duplicate SIM had been issued without proper verification or authorisation.BSNL, however, contended that the fraud arose from complex criminal acts involving impersonation and internal lapses at BPSBN, and not from any deficiency in telecom service. BSNL had also argued that issuance of SIM cards falls within statutory telecom functions, but liability cannot arise where third-party fraud intervenes. It also emphasised that OTP access alone was insufficient to complete transactions, as banking login credentials remained confidential with the BPSBN.Vicariously liableRejecting BSNL’s argument that the matter was exclusively criminal in nature, the court observed that civil liability and criminal proceedings can co-exist while holding BSNL vicariously liable for the acts of negligence of its officials and mere presence of allegations such as cheating or impersonation does not strip a dispute of its civil character when the relief sought is compensation for financial loss.Meanwhile, the court also said that banking institutions must also take proactive steps to protect their customers and themselves from SIM swap fraud. Published - June 05, 2026 08:48 pm IST
