Indians lost over Rs 20,000 crore last year, according to data from the National Cyber Reporting Platform. Policymakers have struggled to keep up with the scale of this problem. While there is heightened policy action in areas such as fraud reporting and flagging of suspicious transactions by financial institutions, much more is needed to mitigate the impact of frauds and scams on common citizens.
A latest report by the Standing Committee on Finance (SCF), which has been looking at this issue since 2023, suggests that victims often struggle to get their money back. Cybercrimes have spiked after Covid-19, as young people devoid of mainstream income generating opportunities are increasingly turning to illegal activities online. India has 69 crore smartphone users, most of whom are perennially online. A wider digital footprint, thus, means more vulnerability.
In December 2024, the SCF took stock of government actions to mitigate frauds and scams. It called for setting up a centralised repository of suspicious accounts and fraudulent transactions for better oversight, and a framework for automatic compensation to victims. The government would do well to pursue these ideas, with requisite attention to ground realities.
Lost money online, what next?
Frauds and scams are similar but not the same. An online scam is a type of online fraud, but not all frauds are scams. Scams rely on tricking people into revealing information or transferring money. Fraud, on the other hand, includes broader methods such as identity theft and hacking, where the victim might not even realise they’ve been targeted right away.
India requires victims of fraud to report adverse incidents very quickly. If victims report such losses to their banks within three days, they may get their monies back. If they report within seven days, they are entitled to partial reimbursement depending on their account type. And if they take more than seven days, they may not get anything back.
However, the big caveat is that if you are tricked into sharing details like your PIN or OTP with a scammer, the resulting loss is yours to bear and you will not be entitled to any reimbursement, as per the Reserve Bank of India (RBI)’s existing framework for loss mitigation. The one benefit of reporting such a loss is that a repeat scam by the same attacker will entitle you to a reimbursement from your bank.
Moreover, statutory requirements for prompt reporting assume individuals understand transaction alerts and authentication processes. A far cry in India, where less than a third of the youth (aged 15-29) can browse the internet properly, send emails, or conduct online transactions. India’s loss mitigation approach effectively penalises victims for lacking awareness about such signals.
Also read: India must weigh its interests in AI carefully. Don’t just follow California Bill, UNGA Compact
Global precedent
In contrast to India’s short reporting timelines, consumers in the United Kingdom have up to 13 months from the date of occurrence of a fraud or scam. The country ensures that such victims get reimbursed within five days, unless banks and payment firms can prove that the victim was complicit in the fraud or grossly negligent. It has a high bar for proving negligence on the victim’s part – the victim must have, for example, ignored specific and tailored warnings from a bank to be deemed ‘negligent’.
Singapore uses a narrower, more practical aperture for the types of incidents it considers for reimbursement. It only compensates users who have been tricked into sharing sensitive financial data with scammers via phishing. This includes scams where a perpetrator, posing as a trusted business or government agency, tricks Singaporean citizens via SMS, email or social media into entering banking details on a fake website, and uses the stolen details for unauthorised payments.
India should take the best of both worlds – emulating the UK’s victim-sensitivity while also specifying the types of situations in which users are entitled to compensation. The country should ensure, at the same time, that banks and financial institutions are not subject to compensation frauds themselves.
Also read: In contest between private broadcasters and Prasar Bharati, sport will be the ultimate loser
Fixing reporting, compensation
The SCF recommends that the RBI should set up an automatic compensation mechanism where financial institutions immediately reimburse fraud victims – without making them wait for investigations to conclude. But the government is rightly concerned that such wide coverage will encourage misreporting and even litigation.
India should balance consumer protection and accountability. It should penalise misuse of compensation mechanisms to disincentivise such outcomes while ensuring genuine victims, particularly those impacted in large frauds, are compensated.
The RBI already has comprehensive rules for suspicious activity monitoring and recordkeeping by financial institutions. It runs AI-enabled software to identify ‘mule’ or dummy accounts used by fraudsters to temporarily park the proceeds of crime. And if a fraudster makes several large transactions using compromised card details, the RBI will be able to follow the ‘money trail’ to the fraudster’s account.
In the long run, deeper coordination between financial institutions, regulators and digital users is going to help speed up compensation. Government agencies must continue to leverage emerging technologies and conduct collaborative investigations. The private sector must become more vigilant about suspicious transactions, and citizens must proceed cautiously in all digital interactions involving money. Unfortunately, there is no alternative to a ‘whole of society’ response to the menace of frauds and scams.
This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector. Read all the articles here.
Ateesh Nandi and Siva Bhargavi Nori are fintech and payments experts at Koan Advisory Group, New Delhi. Views are personal.
(Edited by Zoya Bhatti)