Most of us in India have now become accustomed to authorised push payment (APP) frauds—such as phishing emails, or threats of digital arrests—where customers are tricked into making the transfer themselves. Reports suggest that there were around 28 lakh cyber frauds in 2025, amounting to Rs 22,931 crore.
On 6 March 2026, the Reserve Bank of India released a proposal under which victims of such frauds, involving gross loss up to Rs 50,000, could receive partial compensation—85 per cent of the net loss or Rs 25,000, whichever is lower. The mechanism, however, is available only once in a customer’s lifetime. Most strikingly, the RBI itself would bear 65 per cent of the compensation cost, with the remainder split between the sending and receiving banks.
While one can understand the policy instinct of bringing such transactions into a compensation net, there are serious concerns about its design.
Difficulties in the proposal
First, there’s a practical problem of verifying whether the transaction was indeed fraudulent. The burden of proof for customer eligibility lies with the bank, but this requires that banks have the data, the systems, and the incentive to check. When 65 per cent of the cost is borne by the RBI—at least once in the customer’s lifetime—the bank will have limited incentive to conduct rigorous due diligence.
More troubling is the moral hazard. The draft covers cases where customers shared credentials, downloaded malicious software, or were “tricked into willingly sending money”. Consider a scenario where two parties collude: one transfers money to the other, then claims it was fraud. The transferred funds are returned; the RBI still compensates the claimant. The National Cyber Crime Reporting Portal (NCCRP) has already received approximately 28 lakh complaints in 2025. Adding a financial incentive to such complaints will only add to the number.
Additionally, how will the RBI know that it’s a “once in a lifetime” claim for an individual? A customer who has already claimed compensation under this scheme could, without a robust tracking mechanism, attempt to claim again through a different bank account or after a KYC update. Alternatively, either the bank, the RBI, or the NCCRP will have to set up additional systems to verify the once-in-a-lifetime status. There is no guarantee that a bona fide customer, once defrauded, will not face the situation ever again. What then happens to the compensation of such a victim?
The deeper question that the RBI must confront is whether this is really the mandate of a central bank. The RBI’s mandate is inflation targeting and financial stability, not consumer insurance. When the RBI steps in as a direct compensation source, it conflates two entirely separate functions: systemic oversight and retail-loss socialisation. These should be kept apart.
The RBI’s own sunset clause acknowledges the awkwardness: it states that compensation will be reviewed after one year to ‘reduce or eliminate’ the RBI’s share. If the design intention is ultimately to remove the RBI from this equation, why put it there in the first place?
International experience
A comparison with international frameworks is instructive: they stand in contrast to the RBI’s proposal.
The United Kingdom addressed APP fraud through the Financial Services and Markets Act 2023, which empowered the Payment Systems Regulator to require payment service providers to reimburse customers. The UK model mandates full reimbursement — up to £85,000 per claim — with the cost split 50:50 between the sending and receiving payment service provider.
There is no role for the Bank of England in absorbing any portion of the cost. Payment Service Providers (PSPs) can refuse reimbursement only on two grounds: proven customer fraud or gross negligence, and the burden of proof rests with the PSP. There is no lifetime claim limit; a genuine victim can claim again. In this set-up, those who control the payment infrastructure bear the cost of its failures.
The policy thus incentivises the payments industry to invest further in end-to-end fraud prevention. Brazil, which operates PIX, an instant payment system created by the central bank, requires financial institutions to implement mandatory fraud-screening mechanisms and impose strict timelines for complaint resolution and fund recovery. Critically, the cost of fraud falls on the institutions, not the regulator.
This proposal should not be implemented
The problem of digital fraud is significant and deserves our attention.
But the current proposal is open to abuse, and places the burden of liability exactly in the wrong direction: the RBI bears most of the cost, while banks—who are best placed to prevent fraud at the network level—bear the least.
The central bank has neither the mandate nor the institutional capacity to run a consumer compensation mechanism. The RBI may also want to consider evaluating the structural reasons why banks do not invest in fraud protection.
In today’s policy environment—with zero Merchant Discount Rate (MDR) and National Payments Corporation of India’s (NPCI) centralised control over UPI product design—banks have little incentive for building better fraud detection. Because they don’t earn from UPI transactions, they can’t differentiate the product. The result is a classic underinvestment problem that compensation by the RBI cannot fix.
Renuka Sane is managing director at TrustBridge, which works on improving the rule of law for better economic outcomes for India. She tweets @resanering. Pratik Data is a programme director at TrustBridge. Views are personal.
(Edited by Ratan Priya)

