RBI proposes a one-hour delay for digital payments above Rs 10,000, alongside safeguards like trusted authentication and account monitoring, as fraud cases surge sharply
To curb rising fraud in digital payments, the Reserve Bank of India (RBI), in a discussion paper released on Thursday, has suggested measures such as requiring a one-hour delay before digital payments worth more than ₹10,000 are credited to a beneficiary’s account.
Among the other measures suggested are additional authentication by “trusted individuals” for vulnerable users, tighter scrutiny of accounts receiving large credits, and expanded customer-controlled safeguards.
The central bank has kept the window for comments on the discussion paper open until May 8. After that it will review the feedback and consider issuing draft guidelines.
During the one-hour lag the RBI has suggested for authorised push payments (APPs), the payer’s bank will provisionally debit the account while allowing the customer to cancel the transaction at any time.
During this hour, the bank may flag anomalies and alert the customer. Should the customer choose to proceed after reviewing these prompts, the transaction will be executed.
This, however, will slow the movement of funds.
The suggestion comes at a time when transactions over ₹10,000 account for about 45 per cent of fraud cases by volume and 98.5 per cent by value.
This system will come with exemptions for merchant payments, recurring payments, and payments by cheque. This is because most payments to merchants are enabled only after due diligence by banks and payment aggregators, while no comparable safeguard exists for account-to-account transactions.
The paper suggested a “whitelisting” mechanism by which payers can authorise certain transactions to payees to bypass the lag.
It noted that frauds related to account takeover were negligible. However, APP frauds thrived at a time when frictionless payments were widely adopted before users realised that they had been duped.
However, lagged transactions may conflict with the immediacy principle of digital payments, and implementing such a system across bank systems and payments infrastructure involves costs and effort.
The paper has outlined that certain sections of people, such as citizens aged over 70 or those who are differently abled, may be particularly vulnerable to socially engineered frauds. For them, a “trusted person” designated by such vulnerable customers can act as another layer of authentication for high-value transactions over ₹50,000.
This prioritisation ensures tailored protection for those at a higher risk of fraud or exploitation due to age or disability, while allowing for flexibility for the broader customer base, the paper said.
This is important because 92 per cent of the value of fraudulent transactions reported is above this limit.
Any change of a trusted person may be permitted only after a mandatory 24-hour cooling period, ensuring that such decisions are deliberate and informed.
For opting out, vulnerable customers may withdraw from the safeguard system after a 24-hour waiting period following their request, the paper said.
Banks will be expected to explain the associated risks to customers before processing such requests.
Exceptions will be similar to those for the lagged credit mechanism, such as merchant and recurring transactions and payments by cheque.
Another proposal aims to curb the use of bank accounts as conduits of fraud by aligning permissible credits with a customer’s verified financial profile under KYC norms.
It suggests a ceiling — about ₹25 lakh annually — on inflows for accounts without enhanced due diligence, with such accounts flagged as low-credit turnover.
Any credit beyond this limit will be held in shadow mode and released only after the bank verifies its legitimacy, or else it will be reversed. The measure builds on ongoing due diligence requirements, seeking to tighten monitoring of fund flows while limiting disruption to genuine users.
The measure applies to individual, joint, sole proprietorship and partnership (including LLP) accounts, while excluding companies, listed entities, and government accounts.
The paper also proposes extending account-level controls across digital-payment modes, allowing customers to switch them on or off. This is akin to the functionality currently available for card-based payments.
Users can set transaction limits across channels, accessible via branches or digital interfaces.
In addition, a unified “kill switch” can allow users to instantly disable all digital payments from their accounts in a single step.
Once the kill switch is enabled, disabling it to re-activate digital payments can be permitted either through digital mode after authentication with stringent verification measures, or through a physical visit to a bank branch by the account holder.
The paper states that while the digital payment controls and the kill switch can certainly be extended to existing customers as an optional facility, a key policy question is whether or not digital payment modes should be disabled by default for new customers unless explicitly enabled by them.