Shielding the Victim: Legal Remedies and the "Zero Liability" Doctrine in Credit Card Fraud
Sherry J Thomas
sherryjthomas@gmail.com
In the digital age, financial fraud has evolved from simple theft to sophisticated "invisible" crimes involving phone cloning and remote-access malware. However, the legal framework in India, anchored by the Reserve Bank of India (RBI) and the Information Technology Act, provides a robust safety net. Yet in practice we often face a lack of speedy and efficacious remedy despite the guidelines and rules.
1. Immediate "Golden Hour" Actions
The first 2 hours after a fraud are critical to the chance of a "lien" (hold) being placed on the stolen funds.
- Call 1930: This is the National Cybercrime Helpline. In Kerala, this connects you to the state’s centralized cybercrime response cell. Provide transaction details (amount, time, and merchant/bank info).
- Block the Card & Account: Use your bank’s mobile app or customer care to permanently block the credit card.
- Deactivate the Cloned SIM: Contact your mobile service provider (e.g., BSNL, Jio, Airtel) to report the unauthorized cloning and block the current SIM.
2. Regulatory & Financial Remedies (RBI Guidelines)
Under the RBI's "Limited Liability of Customers" circular, your financial liability is determined by how quickly you report the incident:
- Zero Liability: If the fraud is due to a third-party breach (like SIM cloning) and you report it within 3 working days, you have zero liability. The bank must credit the amount back within 10 working days.
- Limited Liability: If you report within 4 to 7 working days, your liability is capped (usually at ₹10,000 for credit cards, depending on the limit/type).
- Banking Ombudsman: If the bank refuses to reverse the charges despite timely reporting, you can file a complaint with the Reserve Bank Integrated Ombudsman Scheme (RB-IOS) online via the CMS portal.
3. Legal & Police Remedies in Kerala
- Online Reporting: Register the complaint at https://cybercrime.gov.in/. This generates a National Crime Reporting Portal (NCRP) acknowledgement, which is necessary for the bank's "Zero Liability" claim.
- Kerala Police Cyberdome: For high-value or complex cloning cases, you can approach the Cyberdome (located in Thiruvananthapuram or Kochi) for technical assistance.
- Adjudicating Officer (IT Act): Under Section 46 of the IT Act, 2000, the Secretary of the IT Department in Kerala acts as the Adjudicator. You can file a petition for compensation (damages) against the bank or telecom provider if "reasonable security practices" were not followed.
The Statutory Shield: RBI’s Zero Liability Framework
The cornerstone of consumer protection in electronic banking is the RBI Circular dated July 6, 2017 (DBR.No.Leg.BC.78/09.07.005/2017-18). This circular shifts the burden of security from the customer to the bank.
- Zero Liability: If a third-party breach occurs (where neither the bank nor the customer is at fault) and the customer reports it within three working days, the customer has Zero Liability.
- The Burden of Proof: Critically, the law does not require the customer to prove they were not negligent. Instead, the onus of proving customer negligence lies solely with the bank.
- Shadow Reversal: Once a fraud is reported, the bank is mandated to credit (shadow reversal) the disputed amount to the customer’s account within 10 working days, pending further investigation.
Sophisticated Malware vs. "Negligence"
A common defense by banks is to claim the customer "shared an OTP." However, modern fraud often utilizes remote access Trojans (RATs) or SIM cloning.
- If a fraudster gains remote access to a device via a malicious link, they can "trace" or "read" OTPs without the customer ever actively "sharing" them.
- As established in SBI v. P.V. George (2019), even a failure to check an SMS notification does not automatically shift liability to the customer. The bank must provide a secure ecosystem that prevents such unauthorized intrusions.
The Remedy of "Zero FIR" and Police Accountability
Under the Bharatiya Nagarik Suraksha Sanhita (BNSS), the concept of jurisdiction should not hinder the registration of a crime.
- Zero FIR: If a victim is stationed in Kochi but the fraud originated in West Bengal, the local police are duty-bound to register a Zero FIR and subsequently transfer it to the relevant jurisdiction. Refusal to do so is a procedural lapse and amounts to dereliction of duty.
Judicial Precedents: The Kerala High Court’s Stance
The Kerala High Court has been a pioneer in protecting bank customers. In Tony Enterprises v. RBI (2019), the court reinforced that banks cannot unilaterally hold a customer liable for unauthorized transactions.
- Fiduciary Duty: The relationship between a bank and a customer is fiduciary. If the bank's system allows a third party to bypass security (like large transactions without a confirmation call), it constitutes a Breach of Statutory Duty.
- The IT Act: Section 43A of the Information Technology Act mandates that bodies corporate (banks) must implement "reasonable security practices." Failure to prevent a malware-based intrusion is a prima facie failure of these practices.
Remedies
For a victim facing a payment deadline on the credit card bill for a fraudulent transaction, the following legal steps are vital:
- Writ Jurisdiction: Approaching the High Court under Article 226 to seek a stay on the recovery of the disputed amount, citing the directives issued by the RBI and seeking compliance with those directives.
- Banking Ombudsman: Filing a formal complaint with the RBI Ombudsman for non-compliance with the 2017 Circular.
- Consumer Protection: Approaching the Consumer Disputes Redressal Commission for "deficiency in service."
Conclusion
Credit card fraud is not merely a criminal act by a third party; it is a systemic failure of the banking infrastructure. The law is clear: unless the bank can prove—with hard evidence—that the customer intentionally facilitated the fraud, the bank must bear the loss. For a victim, the primary remedy lies in the immediate reporting of the crime and holding the financial institution strictly to the RBI's "Zero Liability" mandate.