
RBI digital fraud plan: 1-hour UPI delay in 2026

Why RBI is tightening digital payment rules now

The Reserve Bank of India (RBI) has proposed a revised framework to address unauthorised electronic banking transactions, with a sharper focus on customer protection in online fraud cases. The package includes a compensation mechanism for small-value fraud and additional safeguards designed to slow down high-risk payments. RBI released the updated instructions for public and stakeholder consultation on March 6, 2026, citing the rapid growth of digital payments and a rise in cyber fraud. The proposals build on RBI’s 2017 guidelines that limit customer liability in unauthorised transactions.

The central bank’s message is that security has to keep pace with the scale and speed of real-time payments. RBI’s discussion paper also acknowledges that fraud patterns are evolving, with social engineering playing a bigger role than pure technical compromise. It has invited comments until May 8, 2026, before considering draft guidelines.

Fraud numbers that frame the discussion

RBI’s consultation comes alongside a sharp increase in reported incidents on the National Cyber Crime Reporting Portal (NCRP). Cases rose from 2.6 lakh in 2021 to 28 lakh in 2025, according to the discussion paper cited in the material. The value of fraud also climbed steeply, from ₹551 crore in 2021 to nearly ₹22,931 crore in 2025. Another data point cited is that total losses surged nearly 40 times to over ₹230 billion.

At the same time, the payments ecosystem expanded rapidly. Digital payments volumes rose 38-fold over the past decade, and one section notes a compound annual growth rate (CAGR) of 53% over the same period. RBI’s approach aims to introduce selective friction in high-risk scenarios, while keeping low-value payments instant.

Proposal 1: One-hour delay for transfers above ₹10,000

The centrepiece proposal is a one-hour pause on certain account-to-account digital transfers above ₹10,000, including transactions on real-time retail payment networks such as UPI. During this one-hour window, the payer’s bank would provisionally debit the customer’s account, but the customer would have the option to cancel the transaction for any reason. Banks could also flag transactions that look suspicious and seek reconfirmation.

RBI has linked the ₹10,000 cut-off to fraud concentration. Transactions above ₹10,000 account for around 45% of reported fraud cases by volume, but about 98.5% by value, based on NCRP data cited. The idea is that a delay could disrupt attempts by fraudsters to create urgency and give a short window for intervention.

Which payments may be exempt, and customer whitelisting

The consultation material also mentions carve-outs. All merchant transactions done through any mode such as UPI, cards, or net banking are proposed to be exempted from the delay. Recurring payments, including e-mandates and NACH-based payments, and payments through cheques are also proposed to be exempt.

RBI has also discussed allowing the payer to whitelist a particular transaction if it is time-sensitive, and/or a particular payee. This is positioned as a way to preserve convenience where the risk profile is lower or the beneficiary is familiar.

Proposal 2: Trusted-person approval for vulnerable users above ₹50,000

A second safeguard targets senior citizens and persons with disabilities. For digital transactions above ₹50,000, RBI has proposed an additional authentication layer through a nominated “trusted person”. The same material notes this is mandatory for users who are above 70 years of age or differently abled, and optional for others.

RBI has cited that nearly 92% of fraud losses by value occur above ₹50,000. It has also proposed that any change of a trusted person may be allowed only after a mandatory 24-hour cooling period. The framework is intended to reduce impersonation scams and other social engineering attacks that pressure users into authorising transfers.

Proposal 3: Tackling mule accounts with a ₹25 lakh annual credit cap

To curb mule accounts used for layering and diverting funds, RBI has proposed account-level restrictions. Accounts that have not undergone enhanced due diligence may face a cap of ₹25 lakh in annual credits. Funds exceeding the prescribed threshold may be parked as “shadow credits” and released only after the bank is satisfied about their legitimacy.

A related proposal states that if the customer cannot prove legitimacy within 30 days, the money could be reversed or sent back. RBI has positioned this as a way to reduce the misuse of banking channels to route fraud proceeds, especially through mule account networks.

Proposal 4: Customer controls and a one-click kill switch

The fourth measure focuses on giving customers more control at the account level across any or all digital payment channels. RBI has proposed “switch on or off” controls for digital payment modes, along with self-set limits for different transaction types. These controls are expected to be accessible through channels including mobile banking, internet banking, branches, and IVR systems.

RBI has also proposed a “kill switch” that would allow customers to disable all digital payments in their accounts at one stroke. Re-activating digital payments could be permitted either through digital modes after proper authentication measures, or through a physical visit to a bank branch by the account holder. RBI is also examining whether new accounts should have digital payment features disabled by default.

Compensation for small-value fraud and stronger bank monitoring

Alongside preventive controls, RBI has proposed a formal compensation framework for small-value fraudulent digital transactions, offering coverage up to ₹25,000 subject to conditions. This is presented as a customer-protection response to a payments environment that has changed significantly since the 2017 liability framework.

RBI has also directed banks to strengthen internal systems, deploy real-time transaction monitoring tools, and use advanced analytics to detect suspicious patterns and fraud-linked networks. It has issued advisories for prevention and early detection of cyber-enabled frauds, including stricter monitoring of accounts suspected to be used as money mules.

RBI’s technology and awareness push: MuleHunter.AI, CFLs, and campaigns

On the enforcement side, RBI has deployed “MuleHunter.AI”, an AI-driven solution designed to identify mule accounts. The system is currently operational in 26 banks and is being expanded further.

RBI has also highlighted financial awareness efforts. Its Centre for Financial Literacy (CFL) project, launched in 2017, had established 2,421 centres across the country as of March 2025. Campaigns such as Financial Literacy Week, RBI’s multimedia initiative “RBI Kehta Hai”, and SEBI’s “SEBI vs SCAM” campaign are cited as public education tools. SEBI has also launched the Saa₹thi mobile app to provide investment-related information and help protect users from scams.

Reporting and coordination: NCRP, 1930 helpline, and I4C teams

The ecosystem for reporting fraud is also part of the broader context. The National Cyber Crime Reporting Portal enables the public to report incidents across cyber crime categories. A toll-free number 1930 has been operationalised to assist with lodging online cyber complaints.

The Citizen Financial Cyber Fraud Reporting and Management System module has also been launched for immediate reporting of financial frauds and to stop the siphoning off of funds. Separately, the Indian Cyber Crime Coordination Centre (I4C) provides a framework for law enforcement coordination, including Joint Cyber Coordination Teams constituted for seven regions at Mewat, Jamtara, Ahmedabad, Hyderabad, Chandigarh, Visakhapatnam and Guwahati.

Key proposals and thresholds at a glance

| Item | What RBI has proposed | Thresholds and timelines mentioned |
| --- | --- | --- |
| Delay for high-risk transfers | One-hour pause with option to cancel and bank reconfirmation | Applies above ₹10,000; linked to 45% of fraud volume and ~98.5% of fraud value |
| Trusted-person authentication | Extra approval layer for vulnerable users | Applies above ₹50,000; mandatory for age 70+ and persons with disabilities; 24-hour cooling period to change trusted person |
| Mule-account curbs | Annual credit cap without enhanced due diligence, with shadow credits | ₹25 lakh annual credit cap; unverified excess may be reversed after 30 days |
| Customer controls | Switch on or off and limits across digital channels, plus kill switch | Kill switch disables all digital payments; reactivation via authenticated digital mode or physical branch visit |
| Consultation window | Public and stakeholder feedback | Consultation released March 6, 2026; comments open until May 8, 2026 |

What changes for customers, banks, and payment flows

If implemented, RBI’s proposals could change how high-value digital payments are processed, especially for transactions that currently have no chargeback mechanism when fraud occurs. The one-hour delay is designed to create a narrow time window to reconsider payments made under pressure, which RBI links to authorised push payment fraud patterns. For vulnerable users, the trusted-person requirement would formalise a second checkpoint for large transfers.

For banks, the proposals imply heavier real-time monitoring and tighter account-level governance, especially around accounts that receive large credits without enhanced due diligence. The combined approach mixes prevention, detection, and redress, with compensation up to ₹25,000 for small-value fraud proposed as a customer-facing backstop.

Conclusion

RBI’s consultation outlines a layered response to rising digital fraud, combining a one-hour delay above ₹10,000, trusted-person authentication above ₹50,000 for vulnerable users, mule-account controls around a ₹25 lakh annual credit cap, and customer-operated switches including a kill switch. It also ties in stronger bank monitoring, MuleHunter.AI rollout across 26 banks, and a larger push on reporting and financial literacy.

The next step is the consultation process, with stakeholder feedback open until May 8, 2026. RBI has said it will review responses before considering draft guidelines on additional measures to mitigate digital payment fraud risks.

Frequently Asked Questions

RBI has proposed a one-hour delay for certain account-to-account digital transfers above ₹10,000, during which customers can cancel and banks may seek reconfirmation.
The proposal says approval from a trusted person may be required for users aged 70 and above and persons with disabilities for digital transactions above ₹50,000, and optional for others.
RBI has suggested capping annual credits at around ₹25 lakh for accounts that have not undergone enhanced due diligence, with excess held as “shadow credits” until verified.
The kill switch is a proposed feature that lets customers disable all digital payments on their account instantly, with reactivation allowed via authenticated digital methods or a physical branch visit.
RBI has proposed a compensation framework for small-value fraudulent digital transactions, offering coverage up to ₹25,000 subject to conditions.
