The Fast Rail Has A Fraud Problem
India’s instant-payment success is starting to create its own policy problem.
UPI, IMPS and other digital rails trained users to expect money movement now. That speed is the product. It is also the attacker surface. If a fraudster can socially engineer a victim into approving a payment, the same instant settlement that makes the system useful can remove the window for intervention.
The Reserve Bank of India is now asking whether some friction has to come back.
On April 9, 2026, RBI released a discussion paper on safeguards in digital payments. The paper says India’s digital-payment volume increased 38-fold over the past decade while value more than tripled. It also says many current frauds are not classic account takeovers, but authorised push-payment frauds, where victims are manipulated into initiating and authenticating transfers themselves (RBI discussion paper, April 9, 2026).
That distinction matters. Two-factor authentication does not stop a payment if the customer has been persuaded to approve it.
The fraud data explains why RBI is willing to question pure immediacy. Citing the National Cyber Crime Reporting Portal, RBI says reported digital-payment frauds rose from 2.6 lakh cases worth ₹551 crore in 2021 to 28 lakh cases worth ₹22,931 crore in 2025. The value did not just rise. It moved into systemic-payment-design territory.
This is the uncomfortable part. India’s payment rails became trusted because they were fast, cheap and always there. RBI’s question is whether the next trust layer requires selective delay.
RBI Is Not Proposing To Slow Everything
The most important proposal is narrow.
RBI suggests a one-hour lag for authorised push-payment transactions above ₹10,000. The threshold is not random. RBI says transactions above ₹10,000 account for approximately 45% of reported fraud cases by volume but about 98.5% by value. Under the possible approach, the payer’s bank would provisionally debit the customer, hold execution for one hour, and allow the payer to cancel during that period. The paper also discusses whitelisting time-sensitive transactions or trusted payees (RBI discussion paper, April 9, 2026).
That is not a proposal to make grocery payments miserable. RBI explicitly says low-value transactions should remain frictionless and merchant payments are proposed to be excluded.
The design target is account-to-account transfer fraud.
That is where the protections are thinner. Merchant payments generally sit behind bank and payment-aggregator due diligence. Card networks and merchant systems have dispute processes. Account-to-account transfers do not have the same structure. If a victim sends money directly to a mule account, the system’s speed becomes the fraudster’s exit route.
The lag is meant to interrupt that route.
It is also meant to interrupt psychology. RBI’s paper is clear that APP frauds often rely on urgency, coercion and continuous pressure. A one-hour pause gives the victim time to reconsider and gives the bank time to flag atypical activity.
That does not make it painless. It makes it targeted.
The Trade-Off Is User Trust, Not Just Cost
The payment industry pushback is not hard to understand.
Business Standard reported that RBI’s lagged-credit proposal could require significant changes at the switch level, including for UPI, and could raise transaction costs. The same report said the proposal comes as digital-payment fraud value has risen more than 40 times in five years, driven by social-engineering scams (Business Standard, April 10, 2026).
Financial Express later reported industry concerns that blanket cooling-off periods and transaction limits could hurt convenience and trust, with stakeholders proposing risk-based alternatives instead (Financial Express, April 20, 2026).
Both sides are right about different things.
RBI is right that instant rails need intervention points when fraud is mostly user-authorised. Industry is right that a clumsy rule can damage the very trust it is trying to protect. Users who have been trained for instant settlement will not calmly parse risk categories at a hospital counter, rent deadline or small-business payment desk.
The policy problem is therefore not speed versus safety. It is visible friction versus invisible risk scoring.
A blanket one-hour delay is easy to understand and hard to hide. A risk-based model is more elegant and harder to audit. It can spare ordinary transactions but also creates questions about false positives, explainability, bias, account profiling and liability when the model misses a scam.
India will probably need both: predictable baseline controls for high-risk categories and better real-time intelligence for cases where the threshold is too blunt.
The Real Product Is Reversibility
The deeper question is reversibility.
Instant payments made settlement feel final. That is good for merchants, friends, freelancers and small businesses. It is bad when a scammer has engineered the customer into finality.
RBI’s proposals try to create a reversible window before final execution. The paper also discusses trusted-person authentication for vulnerable customers, additional review before accounts can receive large credits, and customer-controlled payment limits and emergency disabling across digital channels. Those are not cosmetic add-ons. They are ways of creating time, context and control in a system where fraudsters exploit speed.
The trusted-person idea is especially revealing. RBI suggests enhanced safeguards for citizens aged 70 and above and persons with disabilities, with possible additional authentication for high-value transactions above ₹50,000. It notes that nearly 92% of fraud value reported in NCRP is above that threshold (RBI discussion paper, April 9, 2026).
That proposal is administratively messy. It also recognises something fraud systems often avoid saying: some users are more exposed to social engineering, and a purely self-service model can become unsafe at the exact moment it needs another human checkpoint.
The emergency-disable control points in the same direction. It gives the customer a simple way to stop digital payments when something feels wrong. That is not glamorous infrastructure. It is the payment equivalent of a circuit breaker.
Fast systems need circuit breakers.
What To Watch
The draft paper is not final policy. RBI invited comments until May 8, 2026 and said it would consider issuing draft guidelines after reviewing stakeholder feedback (RBI discussion paper, April 9, 2026).
The next signal is whether RBI keeps the ₹10,000 threshold, moves toward bank-determined risk scoring, or narrows the rule to new beneficiaries, unusual transfers or vulnerable users. The second signal is whether NPCI, banks and payment apps can implement cancellation and queuing without creating a new confusion layer for users. The third signal is liability: if a delayed transaction is still fraudulent, who owns the failure?
There is also a global read-through.
India built one of the world’s most important real-time payment systems by making transfers cheap and immediate. If even India starts adding selective friction, other payment systems will notice. Fraud pressure is turning speed from an unconditional virtue into a risk variable.
That does not mean instant payments were a mistake. It means mature payment rails eventually need adult supervision.
The sharp lesson is simple: a payment system can be too fast for the fraud environment around it.
RBI is trying to slow only the part of the rail where speed has become the attacker feature. The hard part is doing that without breaking the habit that made the rail work.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.