RBI’s First Step Timely, But Guardrails Needed to Prevent Gaming of Fraud

On February 6, the Governor of the Reserve Bank of India, Sanjay Malhotra, signalled a significant shift in how India may respond to the everyday reality of digital fraud. Speaking after the Monetary Policy Committee announcement, he said the RBI proposes to introduce a framework under which customers could be compensated up to ₹25,000 for losses incurred in small-value fraudulent transactions.

The central bank’s reasoning is grounded in an uncomfortable statistic: while large frauds dominate headlines and aggregate value, the majority of digital fraud cases occur at lower amounts. Around 65% of such incidents, the Governor noted, involve sums below ₹55,000. These are not grand scams, but frequent, grinding acts of deception that steadily weaken public confidence in digital finance.

The announcement also reflects a recognition that the existing regulatory framework needs an upgrade. The current instructions on limiting customer liability in unauthorised electronic banking transactions were issued in 2017, in a different technological era. Since then, India has experienced an extraordinary expansion in digital payments, mobile banking, and instant transfer systems. Fraud has evolved alongside this growth, becoming more sophisticated, more psychologically manipulative, and far more scaled. In this context, a compensation mechanism is not merely a welfare gesture. It is an attempt to preserve trust in the architecture of modern finance, particularly for citizens for whom a loss of ₹10,000 or ₹20,000 is not a small inconvenience, but a destabilising blow.

Yet while the intent is commendable, the design challenge is formidable. A compensation regime, if not carefully calibrated, risks being gamed by precisely the actors it seeks to defeat. Fraud ecosystems adapt quickly. The moment a threshold is announced, incentives shift. Criminal networks could fragment scams into repeated small-value transactions engineered to fall within reimbursement limits. Mule accounts and collusive recipients may be deployed to create losses that appear legitimate. What is “small” in value may become industrial in volume. Without strong safeguards, a system built to protect victims could inadvertently create predictable, repeatable pathways for exploitation.

There is also the deeper issue of moral hazard. When losses are routinely reimbursed, behaviour changes on both sides of the transaction. Customers may become less cautious, assuming the system will make them whole. Financial institutions, meanwhile, may face a temptation to treat compensation as a cost of doing business rather than investing aggressively in prevention. Reimbursement after fraud is not the same as deterrence before fraud. If banks calculate that paying claims is cheaper than building real-time monitoring, behavioural analytics, and friction at suspicious moments, the system may drift toward indemnity rather than security.

This is why the RBI’s forthcoming draft must be read not only as a consumer protection measure, but as a structural reallocation of responsibility within the digital ecosystem. Compensation is never just about restitution. It reshapes incentives, accountability, and institutional behaviour.

The Risks
India’s payments ecosystem is among the fastest and most frictionless in the world. That efficiency is an achievement, but it also compresses the window for intervention. Once money moves, recovery is difficult. A compensation framework must therefore be paired with enforceable expectations on banks and payment intermediaries: stronger authentication, real-time anomaly detection, mandatory cooling-off mechanisms for suspicious transfers, and rapid intelligence-sharing across institutions. Otherwise, the regime risks becoming reactive rather than preventive, paying out after harm rather than stopping harm before it occurs.

Equally important is clarity on exclusions and standards of conduct. Not every case is identical. Fraud ranges from sophisticated impersonation scams to instances where customers ignore repeated warnings. A credible framework must define liability with nuance, ensuring genuine victims are protected without rewarding recklessness or enabling collusion. The RBI must avoid building a system so broad that it becomes financially unsustainable, or so ambiguous that it becomes mired in disputes and delays.

Lessons From UK
India is not alone in confronting this challenge. The United Kingdom has recently implemented one of the most consequential regulatory shifts in this space. From October 2024, the UK’s Payment Systems Regulator introduced mandatory reimbursement rules for authorised push payment fraud, requiring banks to repay victims of such scams up to a cap of £85,000, with liability shared between the sending and receiving institutions. This was a decisive move away from voluntary codes toward statutory obligation, recognising that fraud is not merely an individual misfortune but a systemic failure of the payments network.

The UK experience offers two critical lessons for the RBI. First, reimbursement must be tied to prevention. By making banks financially accountable, the UK regime has increased pressure on institutions to strengthen detection systems, intervene earlier, and collaborate across the ecosystem. The incentive is no longer simply to process payments efficiently, but to process them safely. India’s framework should similarly embed measurable fraud reduction obligations, not just compensation promises.

Second, mandatory reimbursement does not mean unconditional reimbursement. The UK model retains limited exceptions, such as cases of gross negligence, while also protecting vulnerable consumers from being unfairly penalised. The UK’s model is instructive precisely because it treats reimbursement as only one part of the solution. Under its new mandatory regime for authorised push payment fraud, banks are expected to strengthen detection systems and are permitted to delay suspicious transfers for up to 72 hours where fraud is reasonably suspected. This deliberate pause in an otherwise instant payments architecture reflects a regulatory recognition that speed without friction can become fraud’s greatest ally. By allowing intervention before money irreversibly exits the system, the UK framework shifts the emphasis from paying after harm to preventing harm at the moment it is unfolding, a lesson India would do well to absorb as it drafts its own compensation rules.

The RBI must therefore define thresholds, timelines, and responsibilities with precision, ensuring the scheme does not collapse under excessive claims or become an administrative labyrinth for genuine victims.

At its core, the RBI’s proposal is an acknowledgment that trust is now the central currency of digital finance. People will only embrace cashless systems if they believe the system will not abandon them when fraud strikes. The RBI’s consultation must ensure that this framework does not merely reimburse fraud after the fact, but fundamentally reduces the likelihood of fraud occurring in the first place. In the digital economy, resilience is not measured by how quickly losses are repaid, but by how rarely they are allowed to happen at all.