The Reserve Bank of India has proposed a set of measures to curb rising digital payment fraud, particularly scams that trick individuals into authorising transfers via UPI and IMPS. The draft rules aim to reduce losses by introducing time-bound checks, enhanced protections for vulnerable users, and stronger transaction monitoring using technology.
One-hour delay for high-value P2P transfers
Under the draft guidelines, person-to-person (P2P) transfers above ₹10,000 would be subject to a one-hour execution delay. The amount would be debited immediately but the transfer would complete only after the cooling-off period, during which users can cancel the transaction if they detect fraud.
RBI notes that while such transactions account for roughly 45% of reported fraud incidents, they represent nearly 98.5% of the total monetary loss. Routine daily payments—such as merchant transactions, bill payments and authorised auto-debits—would be exempt. Users would also be able to designate trusted contacts to enable instant transfers without delay.
Additional safeguards for seniors and persons with disabilities
The draft prescribes enhanced protections for vulnerable customers. Transfers exceeding ₹50,000 initiated by senior citizens or persons with disabilities would require a secondary approval from a pre-designated trusted person.
To prevent rapid manipulation, any change to the designated trusted approver would become effective only after a 24-hour waiting period. The measure is intended to block fraudsters from quickly altering security settings to circumvent controls.
Technology-led monitoring and stricter authentication
To strengthen real-time fraud detection, the RBI has begun deploying AI-driven tools—citing systems such as MuleHunter.AI—and has set up the Indian Digital Payment Intelligence Corporation (IDPIC) to coordinate system-wide monitoring and intelligence-sharing.
From April 1, 2026, the draft requires stricter two-factor authentication (2FA) for digital payments, mandating at least two independent verification elements such as a PIN and an OTP. Banks and payment service providers may apply additional risk-based checks for transactions flagged by behavioural, device or geolocation signals. A “kill switch” option would be available to customers to swiftly block all digital payments if they suspect compromise.
The RBI’s draft also makes banks liable for losses arising from non-compliance with the new security requirements. The central bank has invited public comments on the proposals until May 8, 2026, before finalising the rules.
