Fighting the New Playbook of Financial Fraud

Three regulatory developments are targeting the new fraud playbook, but their real strength lies in working as one system

Financial fraud in India has changed significantly in the last decade. Ten years ago, it was largely a technical problem. Fraudsters either stole your card data, cloned your credentials, or intercepted your OTP, trying to break into the system. The solution was to make the system harder to break.

Ramkumar Venkatesan
CTO
Cashfree Payments.

India largely succeeded in this. Initiatives like two-factor authentication, device binding, card tokenisation, SIM verification collectively made the transaction layer of India’s payments infrastructure genuinely difficult to compromise. The Reserve Bank of India’s own Discussion Paper on payment safeguards states that account takeover fraud is now negligible.

However, the nature of fraud and fraudsters continued to evolve. Reported cybercrime losses grew from Rs. 551 crores in 2021 to Rs. 22,931 in 2025. This increase was not driven by system compromise, but by two new attack surfaces that the existing security architecture was not designed to address.

The first attack surface targets customer judgment. Fraudsters manipulate trust through fake investment platforms, impersonations, or deepfakes to simulate legitimate authority. Since these methods deceive the user and make the transaction and authentication appear authentic, the fraud succeeds before system-level safeguards can intervene. In 2025 alone, this manipulative approach led to losses of Rs. 19,812.96 crores, according to the Ministry of Home Affairs.

The second surface is the account onboarding layer. In this method, legitimate people open bank accounts using their genuine identity documents and sell their complete ‘bank kit’ for a fixed commission. Popularly, these are known as mule accounts. These accounts serve as the infrastructure through which stolen funds are moved, split, and converted into cryptocurrency within hours.

One common characteristic of these two attack surfaces is that neither is addressed through the system strengthening approach we have built over the last decade. It is very difficult to identify whether a payment being made by a consumer is being done under duress or being done legitimately. The security question, in this context, has changed and the architecture has not fully caught up.

India has built meaningful reactive defences. The 1930 helpline and the Cyber Fraud Mitigation Centre have helped recover Rs. 8,690 crores across 24.65 lakh complaints since 2021. The Suspect Registry, launched in September 2024, has proactively blocked Rs. 9,518 crore in fraudulent transactions. These are positive achievements.

However, the structural constraints is that for India’s current scale of fraud, reactive defenses will always chase a threat that moves faster than we are able to prevent it. Larger instances of fraud now are being designed to be irreversible. Hence, we need to build an infrastructure which is able to stop the fraud before settlement of the funds.

In the last few months, there have been three regulatory developments which try to address this gap directly. Each targets a distinct layer of the problem but each also carries a tradeoff that the other two, over time, can help resolve, when viewed as a system.

The first is the RBI Discussion Paper on ‘Exploring safeguards in digital payments to curb frauds.’ It proposes introducing deliberation into the payment process through methods like mandatory one-hour lag on transfers above Rs. 10,000, trusted-person authentication for vulnerable customers, credit ceiling on new accounts with limited transaction history, and a customer-controlled kill switch. The logic behind these recommendations is very sound. Fraud above Rs. 10,000 represents 98.5% of total fraud value reported to the National Cybercrime Reporting Portal (NCRP), and a reconsideration window directly disrupts the psychological pressure that makes Authorized Push Payment (APP) fraud effective.

However, the tradeoff is precision. A uniform one-hour lag applied to every transfer above Rs. 10,000 imposes friction on the vast majority of legitimate transactions to catch a minority of fraudulent ones. A determined fraudster can also instruct a victim to whitelist the transaction, bypassing the safeguard entirely.

The second development is the Digital Payments Intelligence Platform (DPIP) being built by the Reserve Bank Innovation Hub (RBIH). This addresses the data architecture problem. DPIP will generate a pre-transaction risk score for every digital payment in India, drawing on pooled signals from banks, payment aggregators, and telecom operators before settlement occurs. The tradeoff, however, is the timing. DPIP is still a prototype being handed over to the newly formed Indian Digital Payments Intelligence Corporation. In the gap between today and full deployment, fraud will evolve significantly.

The final development has been the fraud compensation framework finalised by the Reserve Bank of India. According to this framework, for the first time, the bank that receives stolen funds and the customer’s own bank, both bear financial liability, bearing 10% of the compensation for losses up to Rs. 50,000 respectively. Victims can now recover up to Rs. 25,000 through a defined process, with banks required to pay within five calendar days of receiving the complaint. This changes the incentive architecture of the ecosystem, creating a financial reason for receiving institutions to treat mule account detection as a core risk function.

While individually, each development is a meaningful step towards reducing fraud, the benefits might be limited if we treat them as siloes. Each of them has a trade-off. However, when they are seen as a system, integrated with each other, their limitations begin to resolve each other.

Look at it this way, DPIP’s risk signals make the Discussion Paper’s lag more intelligent and contextual. A pre-transaction score identifying a high-risk receiving account gives banks and PSPs reason to apply the one-hour window contextually only to transactions that actually show fraud signatures. This ensures that legitimate payments continue at UPI speed and the deliberation mechanism is reserved for transactions that warrant it, reducing the whitelist bypass risk in the process.

Similarly, the compensation framework’s liability structure makes DPIP adoption a financial imperative. When receiving a fraudulent credit costs a bank money, investing in MuleHunter.ai and integrating DPIP’s risk signals becomes a straightforward risk-management decision.

The Discussion Paper’s proposed credit ceiling on new accounts addresses the onboarding vulnerability directly. By capping aggregate credits into accounts without demonstrated transaction history, the framework limits the utility of mule accounts. At the same time, with the greater maturity and adoption of MuleHunter and DPIP systems due to aforementioned factors, will ensure that limits are not put on legitimate new accounts.

Such integration of these recent developments is the architecture of a maturing fraud prevention system where deliberation mechanism, pre-transaction intelligence, and financial accountability operate as connected layers. The journey from where each development stands today to where they function as an integrated whole will require sustained coordination across banks, fintechs, payment aggregators, and regulators.

India built a payments system the world studied and, in many cases, replicated. The security architecture now being assembled has the same potential, provided technology, policy, and incentive design are built to reinforce each other and not treated as three parallel responses to the same problem.

Authored by Ramkumar Venkatesan, Chief Technology Officer, Cashfree Payments

Author