Technology Law · Act No. 21 of 2000

Information Technology Act, 2000
Digital Contracts, Cyber Fraud and Electronic Banking

The Information Technology Act, 2000 is India's primary legislation governing electronic commerce, digital signatures, electronic records, cybercrime, and data protection. Significantly amended in 2008, it provides the legal foundation for electronic contracts, electronic banking, and the admissibility of digital evidence — areas of direct relevance to modern banking and debt recovery practice. For banking lawyers, the most critical provisions are Section 43 (unauthorized access and hacking), Section 65B (now BSA Section 63) read with IT Act provisions on electronic records, Section 72 (breach of confidentiality), and Section 85 (company officer liability for IT offences). The Act also empowers courts to adjudicate cyber frauds that increasingly affect banking operations.

Section 65B IT Act (electronic records in evidence) has been replaced by Section 63 BSA from 1 July 2024. All proceedings filed after this date must cite BSA Section 63.
Total Sections: 94 · Annotated Here: 13 · Major Amendment Year: 2008

IT Act 2000 — Frequently Asked Questions

Are electronically signed loan agreements valid under Indian law?

Yes. Under Section 10A of the IT Act, contracts formed through electronic means are not invalid merely because they are electronic. Combined with Section 3A (electronic signature validity), a loan agreement executed through eSign, OTP-based authentication, or a DSC is a legally valid and enforceable contract. Digital lenders and banks increasingly use these methods for paperless lending. The borrower cannot challenge the loan agreement solely on the ground that it was digitally executed — though they can raise issues about the specific authentication method's reliability or whether they actually signed.

What is the IT Act's relevance to cyber fraud affecting bank accounts?

The IT Act provides both civil and criminal remedies for cyber fraud. Section 43 allows affected customers to claim compensation from those who unauthorisedly accessed their accounts or fraudulently charged their accounts. Section 66 criminalises the same acts when done dishonestly. Section 66C specifically targets identity theft — using someone else's OTP, password, or digital identity. Banks owe a duty of care under Section 43A to implement reasonable security practices — failure resulting in customer loss can make the bank itself liable. Victims file complaints before the IT Adjudicating Officer (civil) or with the Cyber Crime Police (criminal).

Does the IT Act apply to cheques and mortgage documents?

No. The IT Act specifically excludes negotiable instruments (including cheques, promissory notes, and bills of exchange) and contracts for sale or conveyance of immovable property. These must remain in paper form. A mortgage deed for immovable property must be on paper and registered under the Registration Act — it cannot be replaced by an electronic document. Similarly, cheques must be paper instruments — though truncated cheque clearing under the NI Act uses electronic images for processing, the underlying instrument remains a paper document.

What is an intermediary under the IT Act and why does it matter for banking?

An intermediary is any entity that stores, transmits, or facilitates electronic communications on behalf of others — payment gateways, UPI apps, net banking platforms, and internet service providers are intermediaries. Under Section 79, intermediaries enjoy a safe harbour from liability for third-party content passing through their platforms, provided they do not initiate or modify the transmission and comply with takedown orders from courts. For banking, this means payment processors and aggregators are not automatically liable for fraudulent transactions passing through their systems — their liability depends on whether they had knowledge of the fraud and took appropriate action.

What liability do bank directors face for IT Act violations by the bank?

Under Section 85 IT Act, directors, managers, and officers responsible for the company's conduct are personally liable for IT Act violations committed by the company — similar to the vicarious liability framework under Section 141 NI Act. The only defence is proving the violation occurred without their knowledge and that they exercised all due diligence to prevent it. For banks suffering data breaches or cybersecurity failures, CTO/CISO-level officers must document their security governance processes to avail the due diligence defence if proceedings are initiated.

What is Section 43A and how does it affect banks handling customer data?

Section 43A makes companies (including banks and NBFCs) liable to pay compensation if they negligently handle "sensitive personal data" — including financial information, transaction records, and account details — and this negligence causes wrongful loss to a customer. The SPDI Rules 2011 define sensitive personal data and specify minimum security standards. Banks achieving ISO 27001 certification can claim a safe harbour under these Rules. With the Digital Personal Data Protection Act 2023 now in force, Section 43A's scope has been significantly expanded — banks must review their data handling practices across both frameworks.

Can a bank customer sue a bank under the IT Act for cyber fraud losses?

Yes, under two routes. First, a civil compensation claim before the IT Act Adjudicating Officer under Section 43 (claims up to Rs. 5 crore). Second, if the bank's negligence in implementing security practices caused the loss, a Section 43A claim. Additionally, the RBI's Customer Protection Circular creates a separate administrative framework — if the customer reported the fraud within specified timelines and the fraud was not due to customer negligence, the bank bears full liability for the loss regardless of IT Act proceedings. Many customers use the Banking Ombudsman route first before IT Act adjudication.

What changed with the replacement of Section 65B IEA by BSA Section 63?

Substantively, the requirements are nearly identical — both sections require a certificate from a responsible official authenticating electronic records before they are admissible in court. The change is primarily in the statutory vehicle: proceedings filed on or after 1 July 2024 should cite BSA Section 63, not Section 65B IEA. The landmark ruling in Arjun Panditrao Khotkar (2020) — which mandated that the certificate must accompany the electronic record when first produced, not as an afterthought — applies equally to Section 63 BSA. Banks should update their evidence filing templates to reference the correct provision.

What is identity theft under the IT Act and how is it prosecuted?

Section 66C criminalises fraudulent use of another person's electronic signature, password, or unique identification feature — with imprisonment up to 3 years. In banking, this covers SIM swapping attacks, OTP interception, phishing-obtained credentials, and misuse of stolen debit/credit card PINs. Banks filing FIRs on behalf of defrauded customers should specifically invoke Section 66C alongside relevant BNS provisions on fraud and cheating. Section 66D (cheating by personation in a computer resource) is a companion provision with the same punishment.

Digital Banking, Cyber Fraud and IT Compliance

Advocate Subodh Bajpai advises banks and borrowers on digital lending contracts, cyber fraud liability, data breach obligations, and electronic evidence in banking proceedings.
