The landscape of cybercrime in India has witnessed a terrifying evolution, shifting from simple phishing emails to sophisticated psychological warfare known as “digital arrests.” As the nation grapples with this surging menace, the Supreme Court of India has stepped into the fray, signaling a paradigm shift in how accountability is perceived in the digital ecosystem. The recent proceedings before the apex court have highlighted a critical contention: that the responsibility for financial losses in these scams may no longer rest solely on the shoulders of the gullible victim. Instead, institutional lapses by banks, telecom service providers, and other intermediaries are now being scrutinized as potential grounds for legal liability.

Understanding the Phenomenon of Digital Arrests

To appreciate the legal gravity of the Supreme Court’s recent observations, one must first understand the mechanics of a “digital arrest.” Unlike traditional cyber-fraud, which relies on technical vulnerabilities, a digital arrest relies on the exploitation of human psychology and the inherent fear of state authority. Fraudsters, often operating from sophisticated call centers outside or across state borders, impersonate officials from the Central Bureau of Investigation (CBI), the Narcotics Control Bureau (NCB), the Enforcement Directorate (ED), or even local police departments.

Victims are typically informed via a video call that a parcel containing illegal contraband, such as drugs or fake passports, has been intercepted in their name. They are then placed under a “digital arrest,” where they are coerced into staying on a video call (often via Skype or WhatsApp) for hours or even days, effectively confined to their homes under the threat of immediate physical arrest and public humiliation. During this period, the perpetrators extort massive sums of money as “clearance fees” or “security deposits,” which are quickly laundered through a network of mule accounts.

The Supreme Court’s Intervention and the MHA Committee

The Supreme Court was recently informed that the Ministry of Home Affairs (MHA) has taken a proactive stance by constituting an inter-departmental committee. This committee is tasked with a monumental objective: examining the extent to which financial institutions and service providers can be held liable for the losses suffered by victims. This move marks a departure from the traditional “buyer beware” (caveat emptor) philosophy that has dominated cybercrime discourse, moving instead toward a framework of institutional accountability.

The committee’s focus on “institutional lapses” suggests that the government and the judiciary are recognizing that these scams cannot succeed without the unwitting or negligent cooperation of established systems. If a bank allows a fraudulent account to be opened without proper KYC (Know Your Customer) verification, or if a telecom provider issues thousands of SIM cards to a single entity using forged documents, they are essentially providing the infrastructure for the crime to occur.

The Core Question: Vicarious and Direct Institutional Liability

In the eyes of a Senior Advocate, the central legal question is whether an institution’s failure to implement robust security protocols constitutes “actionable negligence.” In Indian tort law, negligence involves a breach of a duty of care that results in damage to the claimant. Banks and intermediaries owe a statutory and fiduciary duty of care to the public to ensure that their platforms are not weaponized by criminals.

Lapses in Banking Protocols

Banks are often the primary conduits through which the proceeds of digital arrests are siphoned. The use of “mule accounts”—accounts belonging to low-income individuals who “rent” their credentials to fraudsters—is a systemic failure. If a bank’s internal monitoring systems fail to flag suspicious, high-volume transactions that are inconsistent with the account holder’s profile, it may be argued that the bank has committed a “lapse.” The Supreme Court’s focus suggests that if negligence in KYC compliance is proven, the bank could be directed to compensate the victim for the financial loss, rather than the victim merely being told to wait for a police recovery that seldom happens.

The Role of Telecom Service Providers (TSPs)

Telecom providers are another pillar under scrutiny. Most digital arrest scams begin with a phone call. The proliferation of “spoofed” calls and the ease with which fraudsters obtain hundreds of SIM cards point to a failure in the regulatory compliance of TSPs. When a service provider ignores patterns of mass-registration or fails to verify the identity of subscribers as mandated by the Department of Telecommunications (DoT), they contribute to the anonymity that shields these criminals. Liability in this context would mean that TSPs must bear a portion of the financial burden if their failure to adhere to verification norms led directly to the scam.

The Legal Framework: IT Act and Beyond

Under the Information Technology (IT) Act, 2000, “intermediaries” are generally granted “safe harbor” protection under Section 79, provided they follow “due diligence” guidelines. However, this protection is not absolute. If an intermediary has actual knowledge, or is notified by the government, that a particular piece of data or communication is being used to commit an unlawful act, and fails to act, they lose their immunity.

The Supreme Court is now examining whether the “due diligence” standard under Section 79 needs to be heightened. In the context of digital arrests, “due diligence” should arguably include proactive monitoring and the use of Artificial Intelligence to identify fraudulent patterns. A failure to evolve with the technology used by criminals could be interpreted as a failure of the statutory duty, thereby attracting liability.

The “Negligence” Threshold

For liability to be established, the inter-departmental committee is likely looking at the “but-for” test: but for the bank’s failure to verify the account, would the loss have occurred? If the answer is no, then the institution’s negligence becomes the proximate cause of the loss. This is a significant leap in Indian jurisprudence, as it moves the focus from the criminal (who is often untraceable) to the regulated entity (which is solvent and reachable).

The Burden of Proof and Victim Protection

One of the most harrowing aspects of digital arrests is the victim-blaming that often follows. Victims are frequently told they were “foolish” to believe a voice on a screen. However, the Supreme Court’s interest in institutional liability shifts the narrative. It recognizes that the sophistication of these scams—using fake official backdrops, forged warrants, and accurate personal data—can deceive even the most prudent citizens.

By considering institutional liability, the law acknowledges that the “burden of prevention” lies with the entity that has the technical and financial means to prevent the crime. A citizen cannot be expected to know that a bank account in a distant state is a mule account, but the bank, with its access to the Centralized KYC Registry and transaction monitoring software, certainly can.

Global Precedents and the Indian Context

India is not alone in this struggle. Several jurisdictions in the European Union and the United Kingdom have implemented “Authorized Push Payment” (APP) fraud regulations. These regulations often require banks to reimburse victims of scams unless the victim acted with “gross negligence.” The discussions within the MHA and the Supreme Court appear to be trending toward a similar compensatory model. In India, where digital literacy is unevenly distributed across a massive population, the “gross negligence” threshold for victims must be set very high, while the “standard of care” for institutions must be equally elevated.

Challenges in Implementing Institutional Liability

While the concept of holding banks and telcos liable is legally sound from a consumer protection standpoint, it faces several practical hurdles. First, intermediaries argue that they are merely “conduits” and cannot be expected to monitor every transaction or call without infringing on privacy rights. Second, there is the risk of “moral hazard,” where users might become less cautious if they know they will be reimbursed for any loss.

However, the Senior Advocate’s perspective suggests that these challenges are secondary to the protection of the citizen’s right to property and the right to life (which includes the right to live without the terror of psychological digital confinement). The Supreme Court’s role is to balance these interests, likely by creating a tiered system of liability where the degree of institutional failure determines the extent of the compensation.

Recommendations for a Robust Regulatory Roadmap

The inter-departmental committee’s findings will likely lead to a new set of guidelines or perhaps an amendment to the existing IT Rules. Key recommendations may include:

Mandatory Real-time Alerts: Banks must be required to implement AI-driven systems that flag unusual patterns (e.g., a dormant account suddenly receiving and transferring large sums) and pause such transactions until verified.
Telecom Identity Integrity: Stricter penalties for TSPs that fail to verify SIM card users, and a mandatory “caller identity” verification system that is harder to spoof.
Centralized Victim Registry: A streamlined process for victims to report scams, which triggers an immediate, nationwide “freeze” on all beneficiary accounts across different banks.
The Liability Fund: The creation of a victim compensation fund contributed to by intermediaries, specifically for cases where “institutional lapse” is evident but the criminal cannot be caught.

The Role of the Judiciary as a Sentinel

The Supreme Court of India has a long history of expanding the scope of Article 21 of the Constitution to include the right to a secure and dignified life. In the digital age, this security is threatened by the very tools meant to facilitate progress. By examining institutional liability, the Court is acting as a sentinel, ensuring that as we move toward a “Digital India,” the safety of the citizen is not sacrificed at the altar of corporate convenience or technical neutrality.

The ongoing deliberations signify that the law is no longer a silent spectator to cyber-terrorism disguised as fraud. When a citizen is “digitally arrested,” it is not just a failure of police intelligence; it is a failure of the banking net, the telecom infrastructure, and the regulatory oversight of the state. Holding these institutions liable is the first step toward a more accountable and secure digital future.

Conclusion: A New Horizon for Cyber Jurisprudence

The notification to the Supreme Court regarding the MHA’s committee is a watershed moment for Indian law. It marks the transition from a reactive criminal justice approach to a proactive regulatory approach. As we await the committee’s detailed report and the Court’s subsequent directions, the message to banks, telcos, and tech giants is clear: “Safe Harbor” is no longer a shield for negligence. Institutional lapses will have financial and legal consequences.

For the victims of digital arrest scams, this development offers a glimmer of hope. It suggests that the legal system recognizes their plight not as an act of individual gullibility, but as a systemic failure. The evolution of “institutional liability” will likely become the cornerstone of 21st-century Indian tort law, ensuring that those who profit from providing digital services also bear the responsibility of keeping those services safe from predators.