RBI’s digital scam compensation pilot | Explained

The Reserve Bank of India (RBI) has finalised a new customer protection framework that, for the first time, brings common online scams — where victims are tr...

What Happened

The Reserve Bank of India (RBI) has finalised a new customer protection framework that, for the first time, brings common online scams — where victims are tricked or coerced into authorising fraudulent payments — under a formal compensation mechanism.
The framework will operate as a one-year pilot, effective January 1, 2027 (deferred from the originally planned July 1, 2026 start date, giving regulated entities six months to prepare).
Eligible victims — individuals and sole proprietors — who suffer losses of up to Rs 50,000 due to fraudulent electronic banking transactions (EBTs) will receive compensation of 85% of net loss, or Rs 25,000, whichever is lower.
The compensation is a one-time, lifetime entitlement: in joint accounts, if one holder claims, the lifetime eligibility for both holders is considered exhausted.
To qualify, victims must report the fraud within five calendar days to both their bank and the National Cyber Crime Reporting Portal (cybercrime.gov.in) or the National Helpline 1930.

Static Topic Bridges

RBI's Regulatory Framework for Digital Payments

The RBI derives its authority to regulate payment systems from the Payment and Settlement Systems Act, 2007 (PSS Act). The Act empowers the RBI to authorise, regulate, and supervise all payment systems in India — covering both large-value systems (RTGS) and retail systems (UPI, NEFT, card networks, mobile wallets). Under this framework, the RBI issues directions to payment system operators and banks, including customer protection norms. The existing "Limited Liability of Customers" guidelines (issued under the Banking Regulation Act, 1949) historically covered only unauthorised transactions where the customer was not at fault — but did not cover "authorised push payment" fraud, where a scam victim themselves initiates the transfer.

Payment and Settlement Systems Act, 2007: statutory basis for RBI's payment system regulation.
RBI can impose monetary penalties of up to Rs 1 million, or twice the amount involved (whichever is higher), for violations.
Previous customer liability framework: limited to unauthorised transactions; authorised-but-fraudulent payments were a gap.
The new pilot specifically fills this "authorised push payment" fraud gap for the first time.
National Payments Corporation of India (NPCI) operates UPI and other retail payment systems under RBI oversight.

Connection to this news: The pilot extends RBI's consumer protection mandate from "card fraud/hacking" scenarios to the much more prevalent social engineering scams where victims are manipulated into transferring money themselves.

Authorised Push Payment (APP) Fraud — the Core Problem

In traditional card fraud or account hacking, the customer does not authorise the transaction — the fraud is "unauthorised." Regulators in most countries already require banks to reimburse such losses. However, in APP fraud, victims are deceived into voluntarily initiating a payment — e.g., a fake customer service call, a "digital arrest" threat, a fake investment scheme, or an impersonation scam. Because the customer technically "authorised" the transfer, existing frameworks excluded these cases. The RBI's new pilot is India's first formal attempt to compensate APP fraud victims, similar to the UK's mandatory APP reimbursement regime introduced in 2023.

APP fraud typologies in India: fake tech support calls, "digital arrest" extortion, fake investment platforms, impersonation of bank/tax officials.
Eligibility cap: fraudulent transaction value must not exceed Rs 50,000 for compensation.
Compensation formula: 85% of net loss OR Rs 25,000, whichever is lower.
One-time lifetime entitlement per individual (including joint account co-holders).
Fraud must be reported within 5 calendar days to bank AND to National Cyber Crime Reporting Portal (NCRP) or Helpline 1930.

Connection to this news: The 5-day reporting window and dual-reporting requirement (bank + cyber portal) are designed to limit moral hazard while ensuring eligible victims can access relief within a structured timeline.

National Cyber Crime Reporting Portal and Helpline 1930

The National Cyber Crime Reporting Portal (cybercrime.gov.in) is operated by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs. Launched in 2019, it is the centralised platform for reporting cybercrimes, including online financial fraud. The National Helpline 1930 is a dedicated cyber fraud helpline enabling real-time reporting and, critically, providing a mechanism to freeze fraudulent transactions before funds are siphoned out. The RBI's pilot requires fraud victims to report via one of these channels within 5 calendar days as a condition for compensation eligibility.

NCRP (cybercrime.gov.in): operated by I4C (Indian Cyber Crime Coordination Centre), Ministry of Home Affairs.
Helpline 1930: dedicated financial cyber fraud helpline; enables early-stage transaction freeze.
I4C was established in 2018 under MHA to address cybercrime coordination across states.
Dual-reporting requirement (bank + cyber portal) creates an audit trail that banks need to process compensation.

Connection to this news: Mandating reporting to Helpline 1930/NCRP also serves a law-enforcement purpose — early reporting enables attempts to intercept and recover funds before they clear, independent of the compensation mechanism.

Pilot Approach in Financial Regulation

Regulatory pilots allow the RBI to test new policy interventions on a defined scope and timeline before deciding on full rollout. The one-year pilot structure (January 2027 – December 2027) gives the RBI data on claim volumes, bank compliance burdens, fraud patterns, and moral hazard risks. International precedents: the UK's Payment Systems Regulator mandated APP fraud reimbursement from October 2023, with a £415,000 per claim cap initially. India's pilot is more conservative in scope (Rs 50,000 loss cap, one-time entitlement) but represents a fundamental shift from the current zero-compensation status for APP fraud victims.

Pilot duration: one year, January 1, 2027 – December 31, 2027.
Original planned start: July 1, 2026; deferred by 6 months.
Applicable to: individuals and sole proprietors (not corporates).
Fraud value cap for eligibility: Rs 50,000 (transaction value of fraudulent EBT).
Compensation cap: Rs 25,000 or 85% of net loss, whichever is lower.
UK's APP reimbursement regime (October 2023) is the closest international precedent.

Connection to this news: The pilot framing ensures that learnings from the first year — including claim fraud, systemic bank compliance issues, and consumer awareness gaps — can inform the permanent framework design.

Key Facts & Data

Statutory basis: Payment and Settlement Systems Act, 2007; Banking Regulation Act, 1949.
Pilot start date: January 1, 2027 (deferred from July 1, 2026).
Eligible claimants: individuals and sole proprietors.
Fraudulent transaction cap: Rs 50,000.
Compensation: 85% of net loss OR Rs 25,000, whichever is lower.
Entitlement: one-time, lifetime per individual (joint account exhausts both holders' eligibility).
Reporting window: 5 calendar days from fraud event.
Required reports: (1) Bank; (2) NCRP (cybercrime.gov.in) or Helpline 1930.
National Cyber Crime Reporting Portal: operated by I4C, Ministry of Home Affairs, launched 2019.
Helpline 1930: dedicated financial cyber fraud helpline for real-time intervention.
RBI penalty for PSS Act violations: up to Rs 1 million, or 2x the amount involved (whichever is higher).
UK APP fraud reimbursement (comparator): mandatory since October 2023, £415,000 initial cap.