Digital scams: The Supreme Court must direct banks to improve flagging mechanisms

On 3 November, a three-Judge Bench of the Supreme Court, comprising the Chief Justice-designate, Surya Kant, and Justices Ujjal Bhuyan, and Joymalya Bagchi, said that it would pass “harsh and stringent orders to strengthen the hands of the agencies” to probe cyber scams. 

The declaration followed the Bench’s perusal of a Central Bureau of Investigation (CBI) report, which revealed that victims of cyber crime in India have cumulatively lost Rs. 3000 crore. The two-volume report had been presented to the Bench in a sealed cover. The Bench then resealed the report, and directed sharing of a copy to Senior Advocate N.S. Nappinai, the amicus curiae in the matter. 

The background

The matter was first heard on 17 October, by a two-Judge Bench comprising Justices Kant and Bagchi. It had taken suo moto notice of a complaint from a senior citizen couple, who claimed to have been defrauded of their life savings through a “digital arrest” scam. The victims alleged that they were contacted by persons impersonating CBI officers, Enforcement Directorate officials and judicial authorities through telephone and video calls. The fraudsters displayed forged orders of the Supreme Court. Under threat of arrest and property seizure, the victims were coerced to transfer more than Rs 1 crore through multiple bank transactions. 

The Bench, aghast that fraudsters had fabricated judicial orders in the name of the Supreme Court, said these actions compromised public trust in the judicial system. It observed that there was a need for stern action on a pan-India basis, including coordinated efforts between Central and state police, to unearth the full extent of this criminal enterprise.  

The problem of ‘mule accounts’ 

The listing of the matter before a three-judge Bench (with Justice Bhuyan added) was a signal of intent. This three-judge Bench, which observed that it would handle the case with “iron hands”, is set to continue hearing the matter on 17 November. 

It is an opportune moment to consider whether a pure ‘policing-and-arrest’ response is enough. In its eagerness to be seen as taking muscular steps against digital arrest masterminds, who are based abroad by many accounts, the Court should not miss the domestic choke point: ‘mule’ bank accounts and lax beneficiary addition. 

The Court must also guard against a situation where its priority to deal with digital arrest cases could result in ignoring scams which don’t involve impersonation of authorities from investigating agencies. Investment scams, for instance, are not one-shot deceptions but long games of psychological manipulation, often called “pig butchering”.  Victims are groomed over weeks on WhatsApp or Telegram, made to trust a seemingly knowledgeable “mentor”, shown small, successful test withdrawals, and only then pushed into large “fees” or “tax” payments to unlock “profits” that don’t exist. By the time they realise the fraud, the trail has passed through domestic mule accounts. 

The investigative picture is stark.The CBI’s investigations have revealed that around 700 branches across India have opened around 8.5 lakh mule accounts. The number is large enough to show that this is not a stray KYC or local-policing issue but a systemic soft spot in bank onboarding and monitoring. The Reserve Bank of India, too, has asked banks and payment players to tighten both onboarding and monitoring of accounts and wallets that figure repeatedly in cyber complaints.  

Yet, in the Supreme Court’s current framing, banks and the regulator appear more as sources of “inputs” than as institutions whose omissions enable the laundering of scam proceeds.

The ‘fake investment’ script

This is a material omission because most high-value online scams in the last two years have not followed the ‘digital arrest’ script. They have followed the ‘fake investment’ script. These, too, are involuntary transfers, secured through deception and impersonation, but such victims cannot claim unauthorised debit. 

There is potentially an angle of bank negligence in every fraudulent transaction routed through a domestic account. If the account was opened after a weak KYC process, or if it reflects an abnormal pattern of large inbound credits from multiple states or if it is linked to FIRs already filed, there is a duty on the receiving bank to raise the red flag. 

That is where the Court’s trajectory risks missing the wood for the trees. Asking states and Union Territories to collate FIR numbers and arrest figures may produce a cleaner national spreadsheet but it will not reduce the next day’s losses. For the Court to create a dent in this problem, it may need to compel every bank to identify, freeze and report its stock of mule or suspect accounts. A Court-monitored exercise could, for example, require the RBI to file a consolidated statement containing details of: (a) detection rules in use across banks, (b) the number of accounts frozen on cyber-fraud suspicion in the last 12 months, and (c) inter-bank coordination on quick freezing once a victim reports.   

Another effort that could be led by the Court would be to determine the level of banks’ compliance with the RBI’s Know Your Customer Direction 2016 (last updated on 14 August 2025). Paragraph 59 of the KYC Direction notes that if an account is established to be a ‘Money Mule’ and if the concerned bank has not raised a Suspicious Transaction Report (STR), it shall be deemed that the bank has not complied with the Direction. 

A linked blind spot is beneficiary addition. Almost every large-ticket cyber fraud relies on how easy it is to add a new payee and move tens of lakhs within minutes. The National Payment Corporation of India and banks have the technical ability to slow this down by demanding multi-channel confirmation for risky beneficiaries. They are averse to this because of the valid concern that it would discourage ease of doing business.  

In this context, it could be useful for the Court to ask why (a) there is no uniform tiered cooling period across banks (for both online and offline transactions) for adding new beneficiaries whom customers may not know personally; (b) why receiving and sending banks do not get an automatic ‘possible cyber fraud’ flag on suspicious first-time credits;  (c) why customers are made to bear the full loss when money has travelled through a bank that should have spotted the pattern; (d) whether banks could exchange information and proactively stop addition of new beneficiaries (who own suspected mule accounts) by customers during the cooling-off period; (e)  whether customers could be quizzed by the banks about the reasons for adding a new beneficiary and asked to state them, apart from merely being warned in a pop-up message; and (f) whether banks could proactively stop addition of new beneficiaries by customers, if the stated reasons by them are found suspicious.   

The Court can also ask why a recent successful operation to thwart high-value cyber frauds across five states by identifying live victims cannot be replicated elsewhere and on a larger scale. 

In December last year, RBI was reportedly leveraging AI to crack down on mule bank accounts. Detection and monitoring of mule accounts and restrictions on withdrawal from such accounts should become part of banks’ obligations towards their customers. 

If the Court frames cyber fraud primarily as a policing and jurisdictional headache—too many states, too many foreign actors, too many forged documents—it will keep demanding more data from the police. If it reframes it as a banking-governance failure—too many mule accounts, too little real-time freezing, too-easy beneficiary addition—it can demand better risk controls from the banks and the RBI. 

Sharing ‘sealed cover’ information

Perhaps the report submitted by the CBI to the Court in a sealed cover in the present matter contains operational details. Disclosing those could compromise ongoing investigations or tip off actors behind scam infrastructure. The Bench was right in resealing the report after its perusal. Further, routing the material to a neutral officer of the Court (the amicus) added another layer of fairness: the amicus can test the government’s narrative, suggest redactions and help the Court separate sensitive intelligence from policy or coordination information that can be shared publicly. 

However, as the matter progresses, the Court would do well to record specific reasons for continued non-disclosure. A Public Interest Immunity-style review of the report may well conclude that it contains information that can be safely shared with the public without compromising sensitive findings. The startling Rs 3000 crore figure, after all, is from the report and puts a number to seemingly boundless, faceless frauds that have caused major distress to so many ordinary citizens. 

Some of the data points on which anonymised summaries of information can be publicly shared include: the typology of frauds; systemic choke points in KYC processes or beneficiary addition; coordination failures; recommended Standard Operating Procedures. This would also lend credence and backing to any Court orders directing the Union, states, regulators and banks to complete time-bound compliance tasks. This approach respects the MediaOne standard of revealing certain ‘sealed cover’ information while protecting live probes. 

After all, bank accountability and public transparency are crucial to fixing systemic choke points.