 (8).png)
3 weeks ago
7
ARTICLE AD BOX
Summary
RBI’s directive on compensation for digital fraud is a whip-crack that banks must heed. They must invest in high-end systems designed explicitly to safeguard customers. As online scams grow more sophisticated, data sharing networks will help.
The Reserve Bank of India’s (RBI) draft amendment directions released this month are timely and appropriate. These will hopefully persuade banks to prioritize resource deployment for controlling digital fraud overall and not just in payments.
While the Indian economy has benefitted significantly from digital infrastructure, including for payments, the time is right to step up the institutional capacity to keep digital fraud in check. This will enhance adoption of the digital infrastructure by providing a safety net for retail victims.
By proposing a compensation mechanism for victims of digital frauds ranging from phishing to coerced money transfers, the central bank is acknowledging something the numbers have been saying for years: fraud in India is not a payment-rail problem. It is a systemic one.
RBI is in lockstep with global regulators: Major global regulators have been moving towards hard liability frameworks on the understanding that sophisticated digital frauds can’t be stopped by warning consumers alone.
In the UK, the Payment Systems Regulator’s mandatory reimbursement rules came into force in October 2024, requiring payment service providers (PSPs) to split losses equally between the sending and receiving institution up to £85,000. A receiving bank that permits mule accounts on its platform now bears a direct financial cost for that failure.
The EU went further under its PSD3 framework; its Parliament and Council reached a provisional political agreement in November 2025. If a fraudster impersonates a PSP and tricks a customer into a transfer, the PSP owes a full refund with no ceiling.
Singapore’s Monetary Authority deployed its Shared Responsibility Framework on a waterfall principle: Financial institutions pay when controls fail, telecom firms pay if SMS channels are exploited and only when both have met their obligations does the loss fall on the customer. Scam cases fell 26% in the first half of 2025 itself.
Regulators in other major economies such as the US, Australia and New Zealand are at various stages of applying such regulations.
RBI’s current draft focuses on digital frauds below ₹50,000; each victim may claim compensation only once in a lifetime. This should go a long way in bolstering the confidence of the economically weak, although more effort may be required by the whole ecosystem. The framework runs for one year. After that, RBI has signalled it will progressively shift more cost onto banks, sharpening their incentive to prevent fraud rather than absorb its aftermath.
Digital fraud beyond small tickets: India recorded over 2.8 million cybercrime complaints on the National Cyber Crime Reporting Portal in 2025, a 24% jump over 2024. Financial losses reached ₹22,495 crore. Investment- related scams dominated, accounting for 76% of total losses and 35% of all cases: fake trading platforms, Ponzi schemes and crypto traps run on WhatsApp and Telegram groups.
Within banking, RBI’s Annual Report for 2024-25 recorded 13,516 digital payment fraud cases, representing 56.5% of all banking frauds, with losses of ₹520 crore. One in five families with a UPI user has been hit at least once, yet 51% never file a complaint so official figures understate the reality.
Pre-emptive fraud detection: While exceptional players exist, the typical players in India’s banking and payment ecosystem may not be keeping pace with an evolving and ever-sophisticated adversary. The reason may not be capability so much as lack of prioritization.
Some industry players that have highly evolved digital processes in terms of customer onboarding and loan decision-making may have relatively under-developed fraud detection systems. They still run on transaction velocity thresholds, geographic flags, fixed transaction caps and other outdated mechanisms engineered for a different era of payments. These generate false positives that frustrate genuine customers and false negatives that let sophisticated fraud through.
Wider adoption of advanced tools, such as graph-network models that map mule account networks, detect synthetic identities, apply behavioural biometrics and are linked with suspect-mobile databases, would help. The systems needed to run these models require capital commitments, which most institutions have deferred.
We need systemic capability: India’s fraud ecosystem requires shared infrastructure—an inter-bank fraud intelligence platform run by a specialized bureau for fraud signals, mule account identifiers, device fingerprints and emerging attack patterns to be exchanged in real-time across the financial system. Fraudsters exploit information gaps between institutions, often using the same ploys to attack banks successively. Lack of communication imposes higher costs on bank account holders than need be.
RBI’s draft sets a compensation floor. However, it cannot reduce the volume of frauds that makes compensation necessary. Whether institutions build upon it, driven by considerations of customer service and operational resilience, is the question that will determine whether Indian consumers find themselves better protected.
The authors are, respectively, managing director, senior partner and APAC head, risk and compliance, at Boston Consulting Group (BCG); and principal, risk and data science at BCG.
English (US) ·