Vishleshan for Regulatory Exams 14th April 2026 | Address causes, not symptoms: Industry warns RBI’s new anti-fraud proposals are insufficient and disruptive

For aspirants of RBI, SEBI, NABARD, and other regulatory exams, understanding digital financial regulation is now as critical as monetary policy itself. The Reserve Bank of India’s April 2026 discussion paper on digital payment fraud marks a significant regulatory moment—proposing safeguards such as transaction delays, trusted-person authentication, and account-level controls to curb rising fraud in India’s rapidly expanding UPI ecosystem. However, this is not just a question of fraud prevention—it is a deeper debate on regulatory design. Should policy impose uniform safeguards, or should it evolve toward risk-based, data-driven intervention? In this Vishleshan, we decode the four proposed measures, examine the structural limitations highlighted by industry, and analyse what this episode reveals about the future of tech-driven financial regulation in India.

Address causes, not symptoms: Industry warns RBI’s new anti-fraud proposals are insufficient and disruptive

Context: India’s UPI system processed 219 billion transactions worth ₹308 trillion in FY26 — and fraud followed that scale. With digital payment fraud now accounting for 56.5% of all reported banking fraud cases, the RBI floated a discussion paper on April 9 proposing a one-hour lag on transactions above ₹10,000. The industry’s verdict is clear: well-intentioned, but the architecture is wrong.

Link to the Article: Mint

The RBI’s April 9 discussion paper proposes four core safeguards: a one-hour delay for transactions above ₹10,000; a trusted-person authentication for vulnerable users (senior citizens, PwDs) for transactions above ₹50,000; caps on credits into low-turnover accounts; and a customer-activated “kill switch” to instantly disable digital payments. RBI’s own data indicates that approximately 92% of fraud losses by value occur in transactions above ₹10,000 — which explains the threshold. Industry experts agree fraud is rising, but believe strict rules will hurt genuine users more than fraudsters, who can easily adapt.

The Fraud Landscape — What RBI Is Responding To

India’s digital payment fraud problem is real, growing, and structurally underreported.

What RBI Is Proposing — The Four Pillars

The Reserve Bank of India’s discussion paper, released on April 9, 2026, outlines four specific measures aimed at reducing the incidence of digital payment fraud. The four proposals operate at different points in the fraud chain — some target the victim’s decision, others the money’s destination.

1. A Mandatory Cooling-Off Period for High-Value Transfers

• The first and most widely discussed proposal introduces a one-hour delay on all digital transactions exceeding ₹10,000. Under this mechanism, the payer’s bank would debit the account immediately upon initiation, but hold the transfer for sixty minutes before releasing the funds to the recipient.
• The transaction would remain cancellable throughout this window. The conceptual basis for this proposal lies in what fraud researchers refer to as the “golden hour” principle — the observed phenomenon that a brief, structured pause between a victim’s decision and the completion of a transaction significantly increases the likelihood of reconsideration.

2. Trusted-Person Authentication for Vulnerable Account Holders

• The second proposal addresses the heightened vulnerability of specific demographic groups — particularly senior citizens and persons with disabilities — by introducing a secondary layer of human verification for high-value transactions.
• Under this framework, account holders belonging to these categories would be required to pre-register a trusted individual, such as a family member or designated caregiver. For transactions above ₹50,000, the trusted person would receive a notification and would be required to actively approve the transfer before it is processed.
• The logic is simple — someone who knows a person personally is harder to fool than a system that only knows their PIN.

3. Monitoring and Capping of Low Credit Turnover Accounts

• The third proposal shifts the focus from the point of initiation to the destination of fraudulently obtained funds. It specifically targets the phenomenon of mule accounts — bank accounts that serve as intermediary conduits through which stolen money is routed before eventual withdrawal or further transfer.
• In the majority of digital fraud cases, the victim’s funds do not remain in a single account. They are rapidly dispersed through a layered network of accounts — often belonging to individuals who have been recruited, coerced, or deceived into lending their banking credentials for criminal use.
• The RBI proposes that banks actively monitor or place caps on inflows into accounts characterised by abnormally low credit turnover history — accounts that display sudden and disproportionate inflow activity relative to their established transaction profile.
• Identifying and flagging such accounts in real time represents one of the few intervention points available after a fraud has already been initiated but before the funds become irrecoverable.

4. A Universal Kill Switch for Digital Payment Channels

• The fourth proposal introduces a customer-activated emergency control mechanism, referred to as the “kill switch,” that would allow any account holder to instantaneously disable all digital payment channels associated with their account — including UPI, mobile banking, and internet banking — through a single action.
• This measure is designed for situations where an account holder suspects that their credentials have been compromised, their device has been lost or stolen, or they are in the process of verifying a suspicious communication.
• By enabling immediate, self-initiated suspension of all payment activity — without requiring a branch visit, a call to customer service, or any third-party intervention — the kill switch places meaningful control directly in the hands of the account holder at the moment it is most needed.

Decoding the Article — Analysis and What’s Next

When fintechs push back on a regulatory proposal, the instinctive reading is that they are protecting commercial interests. Here, the criticism is more substantive — it rests on three structurally valid grounds.

1. The Downstream-Upstream Problem

• A one-hour delay in transactions is ineffective because the fraud has already succeeded psychologically before payment.
• Victims, still under pressure from scammers, are likely to wait out the delay rather than cancel the transaction.
• True prevention must act before the payment stage, by disrupting manipulation in real time.
• Solutions like detecting suspicious calls or behavioural anomalies target the root cause, whereas delays only offer a limited second chance.

2. The Bluntness Problem

• A ₹10,000 delay threshold is too low and disrupts normal transactions like business payments and everyday transfers.
• It undermines UPI’s core advantage of instant settlement, affecting legitimate users.
• The rule is easy to bypass — fraudsters can split transactions into smaller amounts.
• As a result, it imposes high costs on genuine users while offering limited effectiveness against fraud.

3. The Data Gap Problem

• India’s fraud data is incomplete, as around 51% of UPI fraud cases go unreported, meaning official data captures only part of the problem.
• The actual scale and patterns of fraud remain unclear due to lack of detailed, disaggregated data.
• Policies based on incomplete data risk focusing only on visible fraud, ignoring hidden categories.
• This creates systematic blind spots, making regulation appear comprehensive but fundamentally incomplete.

Who Bears the Cost

This asymmetry is the core structural flaw: the proposals impose real, measurable costs on law-abiding users while presenting fraudsters with a set of predictable, easily-navigable rules.

Action Agendas

Area	Problem	Solution
Risk-based transaction scoring	The blanket ₹10,000 threshold applies identical friction to safe and high-risk transactions alike	RBI should mandate AI-driven real-time risk scoring at the transaction layer — friction must follow risk, not rupee value
Shared fraud intelligence registry	Banks currently fight fraud in silos; a number flagged by one institution remains invisible to all others until the next advisory cycle	NPCI must build a cross-institutional fraud signal registry — banks, fintechs, and telcos contributing live data — so a flagged account is known everywhere, instantly
Mule account detection	Mule networks are the universal exit point for all fraud types, yet banks still rely on reactive monitoring	Banks should deploy ML models to proactively identify mule account signatures — dormant-to-active switches, geography mismatches, and disproportionate inflow patterns — before funds disappear
Telco-financial sector integration	Most social engineering fraud is executed over phone calls, yet telecom and banking data are never cross-referenced in real time	The government must mandate telcos to share SIM-swap alerts and call-pattern data with banks during live suspicious transaction windows — this is the single most effective upstream intervention available
Tiered compliance timelines	Small fintechs and co-operative banks cannot absorb the same infrastructure cost as large banks on the same timeline	RBI should phase implementation by institutional capacity — large banks first (6 months), mid-tier next (12 months), small fintechs and co-ops last (18–24 months) with Centre-subsidised technology support
Closing the reporting gap	51% of fraud victims never file complaints, making the true fraud map invisible and policy design systematically incomplete	RBI must build a dedicated Fraud SOS channel — separate from general customer care — with one-tap account freeze and anonymised complaint data fed directly into its policy framework

The Structural Measure That Matters Most

The discussion paper overlooks one passive but powerful intervention: closing the visual UI gap on UPI. Currently, verified and unverified merchants appear identical to the user — making it impossible to distinguish a legitimate payee from a mule account. Mandating verification badges for legitimate merchants and visibly marking unverified payees at the point of transaction would be an always-on fraud deterrent requiring zero change in user behaviour.

What to Watch

The May 8 public comment deadline is the first real test — whether submissions lean toward risk-proportionate scoring or accept the blanket-delay model will signal how significantly the framework will be revised before notification. Three markers will define FY27’s fraud trajectory: NPCI’s progress on a shared fraud signal registry, whether the Digital India Act mandates telco-banking data sharing, and whether the 51% non-reporting gap begins to close. The last one matters most — policy built on half the data will always be half effective.