RBI is right to act on digital payment fraud. But some safeguards need sharper design

Read more at:
https://economictimes.indiatimes.com/industry/banking/finance/banking/rbi-is-right-to-act-on-digital-payment-fraud-but-some-safeguards-need-sharper-design/articleshow/132309496.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

India’s digital payment story is one of its most important fintech successes. However, the rapid rise in digital payments has been accompanied by a less flattering reality: cyber fraud has scaled alongside the convenience of digital payments. In 2025, around 24 lakh complaints were reported up from 19 lakh in 2024 and 13 lakh in 20231. The reported value lost in cyber fraud in 2025 was nearly Rs. 22,000 crore2. This is not just a sign of a rise in the incidence of cybercrime, but an evidence of governance architecture struggling to keep pace with the advancing digital economy. Cyber frauds have exposed vulnerabilities and weaknesses such as fraud prevention, response, reporting, and recovery measures in the digital payment system.

It is in this context that the Reserve Bank of India’s (RBI) latest discussion paper titled ‘Exploring safeguards in digital payments to curb frauds’3, should be assessed. The most important contribution of the paper is the accurate identification of the core problem. Much of today’s frauds are not unauthorised transactions. Instead they are authorised push-payment (APP) fraud wherein the users are manipulated or deceived into authorising transactions. The RBI’s discussion paper, therefore, tries to introduce “positive frictions” in an attempt to reduce frauds in a system optimised for speed. This attempt is welcome, but the proposed frictions need a closer inspection.

Starting with the proposal for a one-hour lag on APP transactions above Rs. 10,000, the paper notes that 45% of reported fraud cases are above this threshold and account for roughly 98.5% of the total value lost. While the RBI’s logic may be valid if the objective is to minimise aggregate financial loss, it also risks understating the significance of low-value frauds, which constitute 55% of total reported cases. Their lower share in aggregate losses does not make them less important. On the contrary, the high volume of such frauds may indicate that many users do not report losses of Rs. 500, Rs. 2,000, or Rs. 5,000, either because reporting channels are weak or because they have little confidence in recovering their money or both. Studies have shown that over half of those who experience digital fraud through UPI, the most widely used digital payment system, do not file any official complaint.

More importantly, from a consumer protection perspective, even a Rs. 5,000 loss can be significant for a low-income individual. If small-value frauds are frequently absorbed, likely by low-income individuals, and remain underreported or unreported, a threshold-led design may miss an important part of the problem. A threshold-based intervention can therefore be useful, but it needs to be tested and should not be considered sufficient on its own.
The implication here should also not be that all digital payments are delayed, as it would be disproportionate and undermine the Indian digital payment ecosystem’s biggest advantage. Instead the RBI should consider a more risk-sensitive approach than a single monetary threshold based trigger. For example, transactions to first-time payees, unusual transfers at odd hours, other behavioural changes in transactions deserve scrutiny even below the proposed threshold.

The second proposal is to introduce an additional layer of authentication by a trusted person for high-value transactions by vulnerable users. Again, this is a well-intentioned proposal that has the potential to reduce the effectiveness of the fake panic fraudsters induce into users. RBI has proposed this for users above the age of 70 and disabilities for APP transactions above Rs. 50,000. However well-intentioned, the implementation of this proposal would depend on operational clarity. It is unclear how banks and other financial institutions identify vulnerable users, onboard and verify trusted persons, and manage instances where the trusted person is either unavailable or compromised. More importantly, since this trusted person would influence the execution of a transaction, questions around the legal standing and liability of this person would have to be addressed.

The paper’s third proposal to restrict large aggregate credits into certain accounts unless banks undertake additional review is aimed to curb the issue of mule-accounts. For the uninitiated, mule accounts are central to how fraud proceeds are layered and moved across the financial intermediaries. Hence, this is a welcome proposal as it shifts the focus of anti-fraud measures from victims to the infrastructure that enables them. But, this proposal would have to be supported by a framework that helps financial institutions from distinguishing credits into an account as fraudulent or legitimate transactions. There can be many instances in small businesses, partnerships, family arrangements where on-off transactions can produce large inflows, which are all legitimate. The RBI must be careful to ensure that a measure targeted to detect misuse should not delay access to lawful funds for ordinary users. Here, as a result, proportionality matters – an anti-mule measure should not become an impediment for legitimate account holders.

The customer-induced controls and a ‘kill switch’ for digital transactions are perhaps the easiest to support in principle. It is only natural that users should be able to disable different payment modes at once, as part of a broader effort to empower them. But the real challenge lies in the operational design of these controls. It is unclear which stakeholder would be responsible for providing them: the bank, the TPAPs, or both. If banks are expected to operationalise such controls at the account level, do they already have this functionality across different payment rails? If not, what explains the implementation gap? In the discussion paper, RBI rightly notes that such controls would require significant technological development.

Finally, RBI deserves credit for recognising that the next phase of regulatory intervention in India’s digital payments ecosystem must focus on APP transactions. But that recognition must now be matched by sharper design and feasible implementation. India’s swift and seamless digital payments system does need more friction, but it must be the right kind of friction: precise enough to deter fraud, and careful enough not to burden legitimate users.

This article has been contributed by Sumit Gupta, Co Founder at CoinDCX.

Leave a Reply