India’s digital payments story has been extraordinary. In two decades, India moved from RTGS and paper cheques to Unified Payments Interface processing nearly half of the world’s real-time transactions. But the same seamless rails that drove inclusion have also made fraud easier. To address this, the trust layer now needs to catch up – and RBI’s Payment Vision 2028 suggests that this will define the next phase of India’s payments journey. In this edition of FinTales, we unpack the proposed shift. We examine India’s evolving anti-fraud architecture – from the Indian Cyber Crime Coordination Centre Suspect Registry to MuleHunter.AI – and where the gaps still remain. We also analyse RBI’s draft customer liability directions, which for the first time extend protection to victims of authorised push payment fraud and even contemplate RBI-backed compensation in some cases. And for dessert, we look at a potentially game-changing proposal: a new regulatory on-ramp for small payment system players that could reshape how payments innovation is tested and scaled.
Let’s dive in.
Main Course 1: A deep dive into India’s digital payments security stack.
Main Course 2: An analysis of the proposed customer liability framework in digital payments.
Dessert: Sweet news about a new class of payment service providers.
Mints: Quick refreshers on the latest fintech developments.
Main Course
Fighting Fire with Fire: India's Digital Payments Security Stack
India has long punched above its weight in digital payments. UPI today processes roughly half of all real-time payment transactions globally. But scale is a double-edged sword. Data from the National Cybercrime Reporting Portal (NCRP) shows that digital payment fraud complaints increased tenfold between 2021 and 2025, with reported losses rising from Rs. 551 crores to approximately Rs. 22,931 crores over the same period. This is concerning.
The regulatory response, however, has been ambitious and notably technology-forward. The Government and regulators, from the RBI to TRAI to the Ministry of Home Affairs, have chosen to fight fire with fire. The result is a layered architecture that operates at three distinct levels: building a centralized data foundation, synthesizing that data into real-time risk signals, and equipping consumers with better tools. This system, with some tweaks, can do wonders for the robustness of India’s digital payment ecosystem.
Layer 1: The Data Foundation
Fraud intelligence is only as good as the data feeding it. The I4C Suspect Registry, run by the Indian Cyber Crime Coordination Centre under the Ministry of Home Affairs, forms a critical aspect of this stack. Launched in September 2024, it is a real-time national database of cybercrime-linked identifiers, covering mobile numbers, bank accounts, UPI IDs, and device signatures. By end-2025, it had processed over 21.65 lakh suspect identifiers and blocked over Rs. 9,055 crores in fraudulent transactions.
Layer 2: Synthesis and Signal Distribution
Raw data alone does not prevent fraud. It needs to be translated into actionable signals and distributed quickly to the institutions that can act on it. That is the role of the following wave of initiatives.
- The Financial Fraud Risk Indicator (FRI), launched in May 2025 by the Department of Telecom's Digital Intelligence Unit, is a risk-based metric that classifies mobile numbers in near-real time as medium, high, or very high risk. Following an RBI advisory in June 2025, all scheduled commercial banks, small finance banks, payments banks, and cooperative banks were directed to integrate FRI into their systems. PhonePe, Paytm, HDFC Bank, and ICICI Bank are among early adopters. Within six months of launch, the tool had reportedly helped avert around Rs. 660 crore in fraud losses.
- MuleHunter.AI targets a specific and pervasive problem: mule accounts that criminals use to route illicit funds, often without the knowledge of the account holder. Developed by the Reserve Bank Innovation Hub (RBIH) and offered free of charge to banks as shared public infrastructure, it uses AI and ML to detect mule accounts in near-real time by analysing 19 distinct behavioral patterns identified in collaboration with banks. As of late 2025, 23 banks were live, with around 15 more in the pipeline.
- The Digital Payments Intelligence Platform (DPIP), managed by the Indian Digital Payments Intelligence Corporation (IDPIC) under the RBI's aegis and anchored by public sector banks, is designed to enable real-time fraud signal sharing across the entire payments ecosystem. The idea is that intelligence held by one institution should be available to all, pre-transaction, drawing on mule account data, telecom signals, and geolocation. It is explicitly positioned as a collaborative platform accessible to banks, NBFCs, PPI issuers, and fintechs.
Layer 3: The Consumer Interface
Even the most sophisticated backend cannot stop fraud that gets through at the point of transaction. Which is why regulators are paying equal attention to the consumer end of the stack.
The RBI Directions on Authentication Mechanisms for Digital Payment mandate two distinct authentication factors for all digital transactions, with at least one dynamic factor unique to each transaction. The framework is deliberately technology-neutral, accepting fingerprint authentication, passkeys, and Aadhaar-based biometrics as valid second factors alongside SMS-OTP.
TRAI has also weighed in on the consumer protection front. Its mandate requiring all BFSI-regulated entities to route customer-facing transactional calls through a dedicated 1600-number series gives consumers a recognisable calling identity, making it easier to distinguish legitimate bank calls from impersonators.
Looking further ahead, the RBI's Discussion Paper on Safeguards in Digital Payments takes on a particularly tricky fraud category: Authorised Push Payment (APP) fraud, where the victim is manipulated into initiating and authorizing the transaction themselves. The RBI's proposed response includes digital payment kill switches and transaction controls at the account level, letting users set limits by payment channel or disable all digital transactions entirely. These proposals also appear in the RBI's Payments Vision 2028 document, signaling genuine intent to move from discussion to implementation.
Where the Wall Has Gaps
For all its ambition, the architecture has structural vulnerabilities.
The consumer remains the weakest link. The most carefully engineered backend is only as effective as the humans interacting with the front end. The RBI’s Authentication Directions rightly point toward more secure authentication modes. But SMS-OTP is likely to persist as the primary mechanism for a large portion of users, simply because the alternative requires hardware that many Indians do not own. APP fraud proposals that depend on customers proactively configuring kill switches or whitelists are similarly contingent on awareness and digital literacy that cannot be assumed. How that awareness will be built at scale remains an open question.
The TRAI 1600-series mandate illustrates a different kind of consumer problem: fatigue. Many users who are aware of the initiative simply block all calls from that series due to telemarketing overload, which means legitimate bank alerts go unheard. The initiative is well-designed in theory and largely counterproductive in practice, at least for a significant segment of users. This is a known problem, and it needs industry-level solutions, not more regulation.
Deployment still requires effort. MuleHunter.AI is free to every bank in the country. As of late 2025, only 23 had gone live. The DPIP remains at the prototype stage. The I4C Registry is structured primarily around scheduled commercial banks. Fintechs, payment aggregators, and NBFCs currently have no official mechanism to query it in real time. Given that over 85% of cybercrime involves financial fraud, much of it flowing through non-bank digital platforms, this gap directly limits the Registry's reach.
Conclusion
India's anti-fraud infrastructure is more sophisticated than it has ever been, and the intent to keep building is credible. There are issues with specific mandates but there are also signs that regulators are willing to engage, and to adjust course when the evidence calls for it. The industry’s best move is to keep generating that evidence, and propose tech-enabled alternatives where mandates produce unintended consequences.
RBI’s Fraud Liability Reset: A New Safety Net For Digital Payments
India’s digital payments story has, for years, been defined by speed, scale, and convenience. The policy focus has largely been on building rails that move money faster and cheaper, and enable financial inclusion.
The RBI’s Draft Amendment Directions on customer liability in digital transactions, released on 6 March 2026, mark an important shift. They recognise that as payment systems scale rapidly, the risks to customers also grow. The draft therefore proposes stronger measures to protect customers when things go wrong.
What makes this especially notable is the RBI’s own role. For the first time, the regulator has proposed a mechanism under which it would directly contribute to compensating certain fraud victims. It signals both a recognition of how digital fraud has evolved and a willingness to step in more visibly to preserve trust in the system.
Existing Framework and new proposals in the draft directions
The 2017 circular on customer liability was the first framework to give India a workable baseline for protection of customers. Under this, if a customer reported an unauthorized transaction promptly and was not negligent, liability was zero. Banks bore the loss. The framework was well-suited to the kind of fraud where someone accessed a customer’s credentials without authorization and moved their money without their knowledge or involvement.
What it was not designed for was the rising incidence of APP fraud. A scammer poses as a bank officer, a government agent, or a delivery executive. The customer, deceived, transfers money willingly. The transaction is authenticated. Neither is the bank at fault nor is the customer. Under the 2017 framework, this kind of fraud fell entirely outside the scope of customer protection.
The Draft Directions change that. They expand the definition of fraudulent transactions to include payments made under deception or coercion, covering phishing, social engineering, and other tactics where the customer's apparent consent was manufactured. This is a significant conceptual move, and one that aligns India more closely with global frameworks, including the UK Payment Systems Regulator's mandatory reimbursement regime for APP fraud, which came into force in late 2024.
The Draft Directions introduce two additional elements worth unpacking in some detail.
They propose a new compensation mechanism for small-value fraud. Under paragraph 76T, individual customers who suffer fraud losses of up to Rs 50,000 are eligible for compensation equal to 85% of the net loss, capped at Rs 25,000, provided they report the incident to their bank and to the national consumer helpline (1930) within five calendar days. What makes this unusual is who funds it. For losses below Rs. 29,412, the RBI itself contributes 65% of the compensation, with the customer's bank and the beneficiary bank contributing 10% each. The remaining 25% is effectively the uncompensated loss the customer absorbs. This mechanism is structured as a one-year pilot, after which the intent is to review it, increase the banks’ share, and eventually phase out the RBI's contribution. There is a one-time cap on availing this mechanism: a customer can claim this relief only once in their lifetime.
Also, the draft explicitly identifies non-bank intermediaries as potential fraud breach sources. The Draft Directions’ definition of ‘third-party breach’ names Payment Aggregators, Third-Party Application Providers (TPAPs), Payment Gateways, and Telecom Service Providers as entities whose system deficiencies can give rise to this classification. Under the existing 2017 framework, no such identification exists. Under the new one, if a fraud is traced back to a weakness in a TPAP’s system or inadequate merchant verification by a Payment Aggregator, the customer’s bank is required to treat it as a third-party breach and bear the customer’s loss immediately, with zero liability to the customer if the fraud is reported within five days.
What the Draft Directions leave unresolved
The framework solves the customer's problem quite effectively. The bank pays, the RBI backstops, and the customer gets rapid relief. But it does not, at least not yet, solve these key problems at the ecosystem level:
First, how does the bank recover its loss from the intermediary whose failure caused the loss in the first place? The Draft Directions impose clear obligations on banks but are silent on downstream liability allocation. Where a TPAP’s vulnerability or a Payment Aggregator’s inadequate onboarding processes enable fraud, the bank must compensate the customer under the new framework. But there is no defined mechanism for the bank to determine who is at fault and recover from the at-fault intermediary. Recovery will depend entirely on bilateral contractual arrangements between banks and their intermediary partners, most of which predate these directions and were not drafted with these liability scenarios in mind.
Second, the definition of ‘beneficiary bank’ is absent from the Draft Directions, even though that entity is assigned a 10% contribution responsibility in the new proposed compensation mechanism. India's payment architecture is fragmented across UPI flows (where the PSP bank and the account-holding bank are different entities), PPI-mediated transactions (where the beneficiary institution may not be a ‘bank’ under the Banking Regulation Act at all), and PA-mediated e-commerce flows running through nodal accounts. The question of which entity bears the beneficiary-side contribution, in each of these architectures, is left open.
Third, procedural timelines for coordinating between banks and intermediaries are not prescribed. The Draft Directions require banks to resolve customer complaints within 30 calendar days. But there is no specified window within which the bank must notify a downstream intermediary, no deadline for that intermediary to respond, and no prescribed process for obtaining forensic data from a TPAP or Payment Aggregator operating under no binding obligation to provide it. Banks face the prospect of remediating customers within 30 days while chasing information from partners who have no regulatory countdown clock of their own.
What RBI must clarify in the Final Framework
The Draft Directions were open for stakeholder feedback until 6 April 2026. Based on the gaps identified above, we hope for several clarifications in the final version.
On downstream liability, explicit attribution mechanisms are the most important ask. The RBI must consider introducing broad guidance on indemnification standards, or potentially safe harbour protection for intermediaries that can demonstrate compliance with prescribed technical benchmarks. The precise mechanism will depend on whether the RBI prefers to embed these standards in the directions themselves or leave them to contractual frameworks, supported by separate broad guidance.
On forensic standards and third-party breach determination, the final framework should establish a parallel notification requirement: when a bank acknowledges a customer's fraud complaint, it should simultaneously be required to notify the relevant intermediary. That intermediary should have a defined response window. This is basic procedural fairness, and its absence creates a structural problem for ecosystem stability, particularly for TPAPs and PAs operating at thin margins with limited capacity to absorb contested liability.
On beneficiary institution definitions, the framework needs to specify which entity bears the 10% contribution across UPI, PPI, and PA-mediated payment flows. Without this, the compensation mechanism will be unworkable in practice for a large portion of the transaction types it is supposed to cover.
What It Means for the Industry
For Payment Aggregators and TPAPs, the immediate implication is contract review. Banks that carry new statutory obligations to compensate customers for breaches attributable to intermediaries will revisit their downstream agreements, and they will be looking for indemnification clauses, liability caps, compliance-linked safe harbors, and clear forensic protocols. Intermediaries that get ahead of these conversations, rather than waiting to be approached, will be in a better negotiating position and will face less operational disruption when the framework takes effect.
The broader shift the Draft Directions represent, from pure liability allocation (who pays) to consumer restitution (how victims recover, and quickly), is the right one. India’s digital payments story has been built on volume and velocity. For it to continue expanding into populations that are less digitally confident, it needs to also be built on trust. A customer who recovers Rs 25,000 within 30 days is a customer who keeps transacting digitally. That outcome benefits everyone in the stack.
The framework is not yet complete. The gaps in downstream liability are real and need to be addressed. But the direction is clear, and the industry must engage constructively on the open questions in the draft directions rather than waiting to see what the final text says.
Dessert
RBI’s Small Payment System Providers Proposal Could Be a Big Shift
In its latest Payments Vision 2028, the RBI has proposed exploring a new category of Small Payment System Providers (SPSPs) that may not need prior authorization before starting operations. This is a notable shift. India’s payments regulation has so far largely followed a binary approach: either an entity must comply with the full burden of licensing and regulation from day one, or it operates in a grey area where the licensing position is unclear. For example, an entity managing a small, closed network of merchants, collecting payments on their behalf, and settling funds to them may technically fall within the regulatory perimeter, but it does not necessarily pose the same risks as a full-scale payment aggregator. The SPSP proposal, along with the idea of a perpetual regulatory sandbox, signals a more nuanced approach. It reflects an important recognition that early-stage payment products should be regulated based on actual scale, activity, and systemic relevance, rather than being treated the same as mature players from the outset.
If implemented well, this could become one of the most important enablers for the next wave of payments innovation in India. A perpetual sandbox can give startups room to test new products, customer journeys, and infrastructure solutions without being weighed down by full regulatory costs too early. It can also help the RBI observe risks in real time and step in when an entity reaches meaningful scale. In a market like India, where product cycles move quickly and innovation often runs ahead of regulation, this kind of calibrated pathway can improve ease of doing business while preserving trust and systemic stability. For founders and investors, this is a very positive signal.
Mints
ULI goes consumer-facing: Reserve Bank Innovation Hub is building a borrower-facing app for the Unified Lending Interface – India’s digital public infrastructure layer for faster, consent-based lending.
With 64 lenders already onboarded and 136+ data services across 12 loan journeys, the app could let borrowers compare loan options on a single interface. By enabling access to verified income, land, GST and other data, it could sharply reduce underwriting friction, especially for MSMEs and agriculture.
RBI pushes for a single dashboard to track all recurring payment mandates: RBI wants the payments industry to build a single interoperable dashboard where users can view and manage all recurring payment mandates in one place. RBI Executive Director P Vasudevan said that UPI alone saw 87 crore mandates created in February 2026, but users still have to navigate multiple platforms to track subscriptions and raise complaints. He urged the industry to focus on interoperability and deliver a simpler and seamless customer experience.
NPCI International scales UPI acceptance in Sri Lanka: NPCI International has expanded UPI merchant acceptance across Sri Lanka, allowing Indian tourists to pay through LankaQR codes at hotels, supermarkets, and retail outlets. The push targets a booming tourist corridor, with India remaining the largest contributor to Sri Lanka’s tourism sector. NIPL is collaborating with the Central Bank of Sri Lanka and local acquiring banks to further scale adoption.
RBI explores AI-based ATM security: The RBI has sought feedback from banks on deploying facial recognition and other AI-based systems at ATMs, branches and banking outlets, especially in fraud-prone areas. The move aims to add a real-time security layer to detect and block fraud, though banks have flagged concerns around the cost of hardware upgrades, integration with existing systems and compliance with the Digital Personal Data Protection Act. Potential Aadhaar linkage and the need for UIDAI support add further complexity.
IRDAI pushes Public Insurance Registry to digitise India's insurance backbone: IRDAI convened senior insurance CEOs on March 17, 2026, to deliberate on the design and rollout of the proposed Public Insurance Registry (PIR) and Bima Sugam platform. The PIR aims to unify the entire insurance lifecycle, from policy issuance to claims and grievance redressal, under a single, consent-based digital infrastructure. Insurers broadly welcomed the initiative but flagged data ownership and cybersecurity concerns as integration protocols remain under discussion.
For any queries reach out to us at contact@ikigailaw.com
Author credits: Aparajita Srivastava, Astha Srivastava, Sidharth Chamarty, Abhigyan Tripathi, Pravi Jain and Samyukta Iyer