.svg)
A Reserve Bank of India (RBI) discussion paper has proposed a series of measures to address rising fraud levels in digital payments and ensure that consumers adopting new modes of payment are not making themselves more vulnerable to scams.
The RBI’s discussion paper, published earlier this month, noted that a massive increase in the volume and value of digital payments has led to a surge in criminal activity directed against Indian consumers through social engineering, coercion and impersonation to illegally extract money online.
A Ministry of Finance press release issued on March 16, 2026, identified that India’s instant payments system, the Unified Payments Interface (UPI), accounted for 81 percent of retail digital payments in financial year (FY) 2024–25, making it the world’s largest real-time retail payments system.
This level of usage means that UPI is a significant target for criminal activity, and the RBI’s discussion paper identified four options for addressing the rise in fraud:
- Slowing the transaction rate to buy time for both customers and payment systems operators (PSOs) to stop fraudulent transactions being executed or the proceeds being moved quickly.
- Introducing additional authentication by a trusted person for higher-value transactions by “vulnerable sections of society”.
- Limiting the accounts that can receive large credits to those that have passed additional reviews and controls that give customers an on/off switch for both domestic and international transactions.
- Setting limits for different transaction types.
The discussion paper includes a request for submissions to a public consultation on these measures that runs until May 8, 2026.
No timeline has been shared about when the measures might be implemented following the consultation period.
The recommended measures
The RBI’s paper examines the implementation of similar solutions in other jurisdictions. For example, it points to time-lag mechanisms for authorised push payments (APPs) used in the UK, Singapore and Sweden.
It concludes that the best option may be to introduce a time lag at the payer’s end, given that that is where the decision to pay is made and where fraudsters employ their techniques. The RBI suggests that an hour-long delay at the payer’s end can disrupt the fraudster’s psychological influence over the victim, giving them an opportunity to change their mind.
This represents a significant trade-off, however: India has sought to present itself as a global leader in frictionless payments, and by introducing a time lag, the RBI is essentially admitting that reduced friction has become a liability.
The impact of introducing this measure on user experience and business efficiency will be a concern, and affected parties must consider the risk that a one-hour delay could kill the very instant appeal that has made UPI so successful.
Introducing additional authentication could become mandatory for anyone aged 70 years old or more, as well as for individuals with non-specified “disabilities”, while being optional for everyone else.
An opt-out could be available, and certain types of payments more likely to be used by people in these groups could also be exempted.
The focus on additional protections for some consumers is an acknowledgement that technical fixes such as firewalls and encryption are not enough to prevent fraud that focuses on social engineering. Human behaviour and frailty is increasingly the primary unpatched vulnerability in the banking system, and it will be a challenge for regulators and payments service providers (PSPs) to eradicate risk here.
In terms of capping the amounts, the RBI suggests a $27,000 annual aggregate ceiling, with a “flag” system to signal the level of activity from low to high. This option would also allow individual banks to set a lower annual limit based on their internal risk management.
The RBI makes it clear that banks would still have to comply with know-your-customer (KYC) standards with the overall objective “to ensure enhanced responsible conduct of bank accounts without unduly inconveniencing genuine customers.”
Creating an on/off switch would allow customers to control debit transactions at the account level across digital payment channels. It could be available to customers via bank branch visits or internet, mobile, phone or any other authenticated bank interface. Also known as a “kill switch”, it would let users disable all digital payment transactions at a stroke.
The end of frictionless payments?
Each option has been presented with a series of questions that anyone commenting on the proposals is asked to consider, either solely or in combination “with other possible mechanisms, while keeping in mind the measures already in place or in the works.”
The lagged credit option is explained in the greatest amount of detail, which may indicate the RBI’s direction of travel. The bank has clearly thought carefully about its approach, and may already have determined its focus, so banks and PSPs should start preparing for the technical integration of time-lag systems.
If any or all of the measures pass, it would likely create a significant compliance and customer-support hurdle for financial institutions.
Taking the so-called kill switch as an example, giving millions of users an easy off button could lead to a wave of accidental lockouts and support calls, which banks and PSPs will need to manage.
Given the care the RBI has taken over its discussion paper, it seems unlikely that it has not considered these impacts, meaning that it is prepared to take drastic steps such as slowing the pace of transactions and thus diminishing the appeal and value of “instant” payments because it believes the threat of fraud to be the greater danger.
India’s status as a world leader in real-time payments means that what happens here will likely be the blueprint for other developing digital economies such as Brazil and Nigeria. It may be that time lags, additional authentication and kill switches become the global standard for digital fraud prevention.
