Table of Contents
The RBI's four part plan to fix what scale broke, and what the next 90 days mean for 500 million UPI users.
For nearly a decade, India has shown the world how fast a country can move money. UPI made digital payments feel like sending a text. That speed was the win. It is also, increasingly, the problem.
On April 9, the RBI released a discussion paper that, for the first time, openly questions whether instant should always mean instant. It proposes four safeguards aimed at one of the fastest growing problems in Indian banking: payment fraud that the rails are technically helping along.
Before we look at what the RBI is proposing, it helps to understand why the regulator felt the need to step in now.
The Scale of the Challenge
Consumer credit in India has always had a distribution problem. Branches need foot traffic. Cards need merchant infrastructure and creditworthy applicants. Lending apps need acquisition spend and enough stickiness to survive. UPI removes all three constraints. The customer is already on the rail, transacting daily. The merchant is already there. Plug credit into that flow and the unit economics of acquiring a borrower change in a way that has never been true in Indian retail credit.
The card business served roughly the top decile of credit-eligible India. Credit on UPI sits on a rail that has already gone four layers deeper, into Tier 3 towns, gig workers, small merchants, and first-jobbers who never qualified for a card. That is not a slightly larger market. It is a different one.
Join Our Newsletter
Get exclusive insights on banking, fintech, regulatory updates and industry trends delivered to your inbox.
Fraud Value and Volume Growth (2021 to 2025)
Why Is RBI Acting Now?
UPI volumes have grown 38 times over the last decade. That is the good news. The bad news is that the threat has grown right alongside it. Digital payment fraud in India is no longer something that happens to other people. It is a systemic risk that the regulator can no longer treat as an edge case.
Most of the fraud sitting on bank ledgers today is not the kind where someone hacks an account. It is what the industry calls Authorised Push Payment fraud, or APP fraud. The victim makes the transfer themselves. Someone on the phone convinces them their account is about to be frozen, or that a refund is on the way, or that their son is in trouble. The customer hits send. The money is gone in seconds. By the time anyone realises what happened, it has already moved through three more accounts.
That is the problem the RBI is trying to solve. Public consultation is open right now. The stakes are real. India needs to keep what makes UPI special, while finally building guardrails for what speed has made possible.
The Four Proposals at a Glance
One Hour Lag on Authorised Push Payments
Here is the simplest of the four ideas. If you are sending more than Rs. 10,000 to another individual, the money sits in a holding state at your bank for 60 minutes before it actually leaves. During that hour, you can cancel it. After that, it moves like normal. Small payments, merchant payments, e-mandates and NACH stay instant. The RBI's own data shows that 98.5 percent of fraud value comes from transfers above this threshold, so the lag is targeted exactly where the damage is. If you transfer to the same payee often, you can put them on a trusted list and skip the wait.
| Pros | Cons |
|---|---|
|
Disrupts fraudster’s psychological pressure tactics |
Conflicts with UPI’s core instant-payment promise |
|
Gives payer a real window to reconsider |
Major infrastructure overhaul for banks and PSOs |
|
Bank can flag and seek reconfirmation |
Whitelisting can be exploited by fraudsters |
|
Builds user trust in digital payments |
User confusion between delayed and instant payments |
Trusted Person Authentication for Vulnerable Users
This one is built for the people who are most exposed. Anyone aged 70 or above, and any person with a disability, will have to nominate a trusted person. For transfers above Rs. 50,000, that trusted person has to co-approve before the money goes out. The Rs. 50,000 threshold is deliberate. It covers 92 percent of reported fraud value. For everyone else, the feature is optional. If you want to change your trusted person, the new one only takes effect 24 hours later, so a scammer cannot push you to swap names on the spot. Opting out is allowed, but with the same 24 hour cooling period and an explicit warning from the bank.
| Pros | Cons |
|---|---|
|
Human verification layer immune to the same fraud pressure |
Trusted person has no legal authority over the account |
|
Protects the highest risk demographic with the largest exposures |
Delays if trusted person is unreachable |
|
24 hour cooling on changes prevents coerced switches |
Privacy concerns around sharing transaction details |
|
Optional enrolment signals a future mainstream rollout |
Complex to define and verify PwD eligibility |
Credit Limits Tied to KYC Relationship
Most fraud money does not stay where it lands. It hops through a chain of accounts opened on minimum KYC, often by people who do not even know their account is being used. These are mule accounts, and they are the laundering layer that makes APP fraud profitable. The RBI is proposing a simple but powerful idea. Cap the total credits that can flow into a low KYC account. The number being discussed is Rs. 50,000. Cross that limit and the bank has to review before any further credit goes in. This sits well alongside existing tools like MuleHunter.AI and the Digital Payment Intelligence Platform.
| Pros | Cons |
|---|---|
|
Directly disrupts mule account launder networks |
False positives risk for new or irregular income users |
|
Incentivises banks to maintain robust, live KYC |
Friction for gig workers, small businesses, new accounts |
|
Systemic choke point before proceeds dissipate |
Heavy operational review burden on banks |
|
Aligns with existing AI powered fraud detection tools |
May delay legitimate salary or government transfers |
Customer Induced Controls
You already use this idea every day on your credit card. Switch it off, set a daily limit, block international use, all from the app. The RBI now wants the same thing extended to every digital payment instrument, UPI included. You will be able to set per transaction limits, restrict which modes can be used, build your own whitelist of payees and even add time or geography rules. Everything sits with the customer to configure, and everything can be changed in real time. The principle is simple. People who want more protection should be able to dial it up themselves.
| Pros | Cons |
|---|---|
|
Real time user control over personal payment risk |
Passive users who do not engage remain fully exposed |
|
Low friction for the majority of transactions |
Misconfiguration risk can block legitimate payments |
|
Proven model, already works for debit and credit cards |
Requires significant UI and UX investment from fintechs |
|
Creates proactive financial hygiene culture |
Less tech savvy users may find controls hard to navigate |
Current vs Proposed System
The Bottom Line
Each of these four ideas is sensible on its own. Together, they tell you something bigger. The RBI is signalling that the era of speed at all costs is winding down. Not ending. Winding down. Most payments will still clear in seconds. The ones that need a second look will get one.
The real question is implementation. Can banks and fintechs build this without turning the everyday experience into a mess for 500 million users? That is the work of the next 90 days. The consultation is open. The debate is just starting.
"Should UPI keep its instant settlement promise, or is a 60 minute pause a fair trade for safer payments? Forward this to a fintech colleague, a banker, or a policymaker who has a view. The RBI is reading the submissions."
Reading the New Payment Landscape?
The Digital Fifth works with banks, NBFCs, PSPs and fintechs on payments strategy, fraud risk operating models, KYC redesign and the customer experience shifts that the new rules will bring.
