RBI Proposes One Hour UPI Delay and Kill Switch to Fight India’s Rising Digital Payment Fraud

India built UPI to make money move at the speed of a thought. Now the RBI wants to put a pause button on it. Behind that uncomfortable idea is a fraud problem that has grown tenfold in four years and shows no signs of stopping.

Think about the last time you sent money on UPI. You typed the amount, confirmed the recipient, pressed pay, and it was done. The whole thing took perhaps four seconds. That ease, that completeness, that sense that the transaction happened before you had time to second-guess it, is exactly what made UPI one of the most successful payment systems in the history of the world. It is also, the Reserve Bank of India now believes, part of what is making India’s fraud problem so difficult to solve.

On April 9, 2026, the RBI released a discussion paper with a title that sounds bureaucratic but carries a question that goes to the heart of how India built its digital economy: how do you protect people inside a system that was specifically designed to remove protection barriers? The paper proposes four structural changes to the way digital payments work in India. Each one trades some measure of the speed and frictionlessness that made UPI great, in exchange for a window of time in which a fraud can be caught before it becomes permanent.

To understand why this feels so uncomfortable, it helps to understand what kind of fraud the RBI is actually trying to stop. Most people imagine payment fraud as something that happens to them: a hacker gets into their account and moves the money out while they sleep. The problem the RBI is grappling with is almost the opposite. In authorised push payment fraud, the victim sends the money themselves. They are awake, they are at the keyboard or on the phone, and they are pressing pay intentionally. The fraud has already happened before the transaction begins, because a criminal has convinced them, through a phone call, a fake message, a spoofed customer care number, a fraudulent QR code, or an impersonated government official, that the payment is legitimate. Two-factor authentication does not help. Payee name verification does not help. Tokenisation does not help. By the time all those safeguards have been correctly applied, the victim has already been deceived. The RBI’s own annual report acknowledges this plainly: existing safeguards have not fully prevented fraudsters from exploiting users through social engineering. Artificial intelligence has further intensified the risk, with AI-driven tools now able to generate highly convincing voice calls, messages, and documents, making it increasingly difficult for users to distinguish genuine from fraudulent interactions.

The numbers that sit behind this proposal are not abstract. Fraud cases reported on the National Cyber Crime Reporting Portal rose from 2.6 lakh incidents in 2021 to 28 lakh in 2025, a tenfold jump in four years. The value of losses climbed from Rs 551 crore in 2021 to Rs 22,931 crore in 2025, a nearly 40-fold increase. Digital payment fraud now accounts for 56.5% of all reported banking fraud cases in India. India’s UPI system processed 219 billion transactions worth Rs 308 trillion in FY26 alone, and fraud followed that scale in a way that earlier fraud-prevention tools were simply not built to contain.

The centrepiece of the RBI’s proposal is a one-hour lag on peer-to-peer digital transfers above Rs 10,000. The mechanics matter. Under the proposal, the sender’s account would be debited immediately when they press pay, but the credit to the recipient’s account would be held for up to 60 minutes. During that window, the sender can cancel the transaction. The bank can use the time to flag suspicious patterns, contact the customer, or seek reconfirmation before the money moves beyond reach. The transaction is not blocked and the money is not frozen in the traditional sense. It is held in transit, giving both the customer and the system a moment that does not exist today. The Rs 10,000 threshold is designed to keep low-value transactions fully instant, so the person buying groceries on UPI or splitting a bill with a friend does not feel any change at all. The friction is targeted, not universal.

The kill switch is the second major proposal, and it may be the most human of the four. Customers would be given a single facility to disable all digital payment transactions from their account at one stroke, with a single tap in a UPI app or mobile banking interface. The moment a person realises they may have been scammed, before they can even speak to their bank, they could freeze every digital channel on their account instantly. Reactivation, under the proposal, would not be instant. It would require re-verification and, in many cases, a physical visit to a bank branch. That asymmetry is deliberate. Turning everything off should be easy and immediate. Turning it back on should require enough effort to confirm that the account is genuinely in the hands of its owner.

The other two proposals address different layers of the same problem. For senior citizens and persons with disabilities, transactions above Rs 50,000 would require a trusted-person authentication step, where a pre-designated family member or contact must approve before the payment goes through. This is aimed at the specific pattern of exploitation that targets people who are more likely to be persuaded by official-sounding callers and less likely to recognise social engineering in real time. The fourth proposal tackles mule accounts, the often-invisible back end of digital fraud where stolen money is laundered through a chain of low-KYC accounts opened by people who may not even know their account is being used for criminal purposes. The RBI proposes capping total annual credits to such accounts at Rs 25 lakh, a measure designed to make these accounts commercially worthless for money laundering at scale. This sits alongside MuleHunter.AI, a machine learning model developed by the RBI Innovation Hub and currently being rolled out across 26 banks, which flags suspicious accounts by tracking illicit fund flow patterns.

It is worth pausing on what India is being asked to give up if these proposals become rules. UPI’s speed has not just been a convenience. It has been the product’s core value proposition, the thing that made a billion people trust it enough to change behaviour that was embedded over generations. Asking those same people to wait 60 minutes for money to arrive is a real cost, even if it only applies to transactions above Rs 10,000. For small businesses collecting daily payments, for families sending emergency funds across cities, for anyone who has built their daily financial life around the assumption of instant settlement, the friction will be felt. The industry’s response to the discussion paper has broadly been supportive of the intent and sceptical of the uniform architecture, arguing that a risk-based, dynamic approach, using real-time fraud scoring to decide which transactions need a delay, would achieve the same protection with less collateral disruption.

The RBI is not the first central bank to wrestle with this. The UK introduced a 72-hour delay window for suspicious transfers and mandatory reimbursement for authorised push payment fraud victims in 2024. Singapore uses a 12-hour cooling-off period for high-risk account actions. Australia has passed legislation that shifts liability for APP fraud losses toward banks. India’s proposed 60-minute window is shorter than all of these. The RBI has described that gap as deliberate, an attempt to balance protection with the user experience that made UPI what it is.

The proposals closed for public comment on May 8, 2026. The RBI will review responses before moving to draft guidelines. Nothing in the paper is yet a rule. But the direction is clear. A payments system that has spent a decade removing every possible obstacle between the user and the transaction is now being asked to put some of those obstacles back, selectively, thoughtfully, and at a scale that requires rebuilding assumptions across hundreds of millions of accounts. The fraud problem is real, the losses are real, and the human cost to ordinary people who lose money they cannot recover is real. Whether a one-hour window is the right answer, or whether smarter technology can solve the same problem without any delay at all, is the question that will shape the next version of India’s most consequential infrastructure.

Leave a Reply

Your email address will not be published. Required fields are marked *