It's been almost ten years since UPI turned every smartphone in India into a mini bank branch. In that time, digital payments went from a novelty to a daily habit for hundreds of millions of people. But that convenience came at a cost. Scammers got just as comfortable with the system as everyone else did.UPI (MINT)Social engineering cons, phishing links, remote screen-sharing tricks, mule accounts moving stolen money around. All of it has been quietly riding on the same rails that make UPI and net banking so easy to use. The Reserve Bank of India (RBI) has responded with something concrete: A formal compensation framework for people who fall victim to small-value digital fraud. It'll kick in on January 1, 2027.What's notable here isn't just that the rule exists. It's what it represents. For the first time, someone who loses money to an unauthorised transaction doesn't have to hope their bank feels generous. There's now an actual process, with defined rules, for getting at least some of that money back.But look closer at how this safety net is built--the caps on compensation, the conditions attached, who's actually paying for it.So, how much money are we actually talking about? Individual customers and sole proprietors can recover part of what they lost to unauthorised electronic banking transactions, but only up to a point. The scheme only kicks in for smaller frauds, capped at ₹50,000 per incident. Within that limit, victims can claim back up to 85% of their net loss, or ₹25,000, whichever number is smaller.The good news is that the scheme doesn't just cover one narrow type of scam. It's built to handle the messier, more common ways people actually get defrauded, like being pressured or tricked into transferring money themselves, having credentials or One Time Passwords (OTP) stolen through phishing, or losing funds because of a breach at a payment gateway or telecom provider that had nothing to do with the customer at all.There are some real limits baked into this, though. You only get to use this benefit once in your lifetime. The RBI is tracking eligibility through Aadhaar, so there's no gaming the system by filing multiple claims. And time matters here: Victims have exactly five calendar days to report the fraud, both to their bank and to the government's cybercrime portal via helpline 1930. Miss that window, and the protection disappears.Banks aren't off the hook either. They're working against their own set of deadlines. If it's a credit card fraud complaint, the bank still has to issue a shadow reversal or provisional credit within five calendar days of being notified, as per existing card network rules. But for this specific compensation scheme, the actual pay-out (the ₹25,000 or 85% of the loss) has to hit the customer's account within five days of the bank receiving a completed claim. The broader complaint itself still has a longer runway to close: 45 days for domestic fraud, 60 days if it involves a cross-border transaction.What really sets this framework apart is how the money actually flows. Instead of dumping the entire cost on banks or having the government quietly absorb it all, the RBI built a system where multiple parties each pay a slice.For losses under ₹29,412, the RBI picks up 65% of the pay-out. That money comes out of the Depositor Education and Awareness Fund. The remaining 20% is split evenly between the customer's own bank and the beneficiary bank (wherever the stolen money actually ended up), with each covering 10%. Together, that adds up to the full 85% compensation. Above ₹29,412, the math shifts slightly. The pay-out flattens at a fixed ₹25,000, split roughly as ₹19,118 from the RBI and around ₹2,941 each from the two banks. Cross-border fraud follows a different split, since there is no domestic beneficiary bank to share the burden.Few questions in fraud disputes are as contentious as the issue of negligence. For years, customers who inadvertently shared OTPs under social engineering pressure were effectively told they were on their own. The new framework softens this stance. It extends relief even in cases involving limited customer negligence, such as being manipulated into sharing credentials, provided other eligibility conditions are satisfied. At the same time, it preserves a strong zero-liability regime for cases where fraud results solely from bank negligence or third-party system failures. In such instances, banks are required to refund the full amount, without being constrained by the ₹25,000 cap. To stop people from getting careless just because they know they're covered, the RBI is leaning on the same three guardrails already in place: The lifetime cap, the reporting deadline, and the fact that anything above ₹50,000 simply isn't eligible.That lifetime cap, i.e. the rule that you only get to claim this once, ever, has been one of the more debated parts of the scheme since it first showed up in draft form. Critics point out that it feels unfair to repeat victims, or to older customers who scammers tend to target again and again. But regulators see it differently. To them, this isn't an oversight. It's a deliberate nudge.The thinking follows the same moral hazard logic: By limiting the pay-out to just one incident per person, the scheme stays framed as emergency relief, not something people can rely on as ongoing insurance. There's also a behavioural push built into the design. The hope is that knowing this is a one-shot safety net will make people more careful. Securing their devices, double-checking who they're actually sending money to, and thinking twice before clicking a random link or picking up a call asking for remote access.MuleHunter.AI, an Artificial Intelligence (AI) tool built by the Reserve Bank Innovation Hub to flag mule accounts, the ones fraudsters use to launder stolen money, is already live in 26 banks. Separately, the RBI has proposed a one-hour cooling-off pause on digital transfers above ₹10,000 to new payees, still under review. Commercial banks are also operating under Responsible Business Conduct Directions issued late last year, which tightened rules on disclosures, alerts and recovery practises.Taken together, these measures mark a shift from preventing fraud altogether to accepting that fraud will happen and building a structured path to relief when it does.For product and design teams within banks and fintechs, the new framework amounts to more than a compliance obligation; it is effectively a UX and communications brief, organised around three questions.Victims have five calendar days to report a fraud to both their bank and the National Cyber Crime Reporting Portal. That window only works if the reporting journey is easy to find and quick to complete, not a form buried three menus deep inside a banking app.Banks now operate under fixed deadlines of their own. While overall fraud complaint resolutions are capped at 45 days (or 60 days for cross-border cases), the actual compensation under this new scheme must be credited to the customer’s account within five days of receiving the completed claim. Meeting those deadlines consistently means new internal workflows, clear ownership at each stage, and routing that doesn't depend on a single overloaded fraud desk.A customer left in silence during a resolution process that can run for weeks, experiences the wait very differently from one given a visible status tracker. Building that tracker and pairing it with well-timed nudges at genuinely risky moments, such as a first-time payee or a login from an unrecognised device, turns a compliance deadline into a moment of trust rather than anxiety.(The views expressed are personal)This article is authored by Hitesh Agrawal, founder & managing director, Them Consulting.
RBI's new fraud safety net - What ₹25,000 in compensation really means for digital India
This article is authored by Hitesh Agrawal, founder & managing director, Them Consulting.








