Fraud Management & Cybercrime , Fraud Risk Management , Mobile Payments Fraud
Facing a Surge in UPI Fraud, It's Time for India to Act
Reserve Bank, Indian Government Should Adopt Best Practices From Other CountriesIn its annual fraud report released last week, the Reserve Bank of India sent an urgent warning to Indian banks to enhance scam controls and improve money mule management. The report highlights a significant surge in fraud cases on the Unified Payments Interface in India.
See Also: How to Unlock the Power of Zero Trust Network Access Through a Life Cycle Approach
Since its launch, UPI has been a key part of India's growth story, positioning the country as a leader in the global real-time payments market. The government's push for digital payments largely drove this success. But the U.K. and Australian governments, where discussions about fraud, scams and regulations dominate the real-time payment conversation, India's approach has been significantly different. Little has been done to protect consumers. The narrative still revolves around India being the leader in the payment space.
To be fair, the RBI has been actively taking steps to educate users, but relying on education alone to mitigate fraud is rarely successful. It's time for the government to take active measures to involve not only the banks but also other stakeholders. The UPI user base has reached critical mass for large-scale fraud to become worth the effort.
How big is the problem? During fiscal 2023-24, total payments increased by 137% over the prior two years, while fraud surged by more than 900%. Digital payment fraud reached $175 million in the fiscal year ending March 2024. Although the RBI did not provide a breakdown of the types of fraud in the marketplace, past data suggests that the majority of these incidents are scams and authorized push payment fraud. APP scams in India grew from 13.7% of fraud in 2021 to 25% in 2022 (see: APP Scams Rise as Adoption of Real-Time Payments Grows). According to data by ACI Worldwide, APP scams are expected to double from $330 million in 2021 to $612 million in 2026 in India.
The report also highlights the temporal aspect of fraud detection, indicating a significant delay between the occurrence and discovery of fraudulent activities. Ninety-four percent of the fraud value reported in the year 2022-23 originated from incidents in prior financial years, and 89.2% of the fraud value reported in 2023-24 also pertained to earlier years, underscoring the challenge of timely fraud detection in the banking sector.
Lessons From Around the World
To address the problem, the Reserve Bank of India and the Indian government could learn from their counterparts in the U.K., Australia and Singapore.
The U.K government is leading the charge to have a reimbursement model for customers that fall prey to authorized push payment scams. The legally binding rules going into effect in October 2024 will require payment providers to refund up to $528,793 to customers who have been victims of fraudulent payment scams. The rules are being introduced by the Payment Systems Regulator and are targeted at APP fraud, where retail and business customers are tricked into making fraudulent payments. APP fraud accounts for about 40% of bank-to-bank transfers by volume. But the PSR is facing a backlash from fintech firms over the new rules, prompting calls for the managing director of PSR to step down.
A mandatory reimbursement model for banks does not create the most effective incentives for all organizations to work together to disrupt scams.
Around the world, regulators are putting more focus on controls rather than reimbursement. Their thinking is: If we can stop the scam, there's no money lost, so let's put controls in place.
Another approach that India could emulate from initiatives in Singapore, Australia and the U.K. involves bringing together all stakeholders - banks, internet companies and telecommunication firms - to collectively address the problem of scams.
The Reserve Bank of India also needs to quickly adopt real-time validation of payee names during fund transfers. This practice will align with the provisions of the recently introduced Digital Personal Data Protection Act of 2023. This measure, if implemented, will help reduce misdirected payments and scams.
Another crucial need is a money mule management program that focuses on online account opening and inbound and outbound transactions. "One of the main reasons that these scams continue to work is because we have a plethora of money mules in every country, so the banks have to own that," said Ken Palla, fraud expert and retired director at MUFG Union Bank, in an interview with Information Security Media Group.
The numbers are in, and Indian banking customers are at risk. It's time for the Indian government to change its UPI narrative, require effective controls and assign liability to stakeholders. As the saying goes, relying on security through obscurity is a flawed strategy, and it's time to abandon it.