If you've paid for chai, split a restaurant bill, or sent rent money this week, you've probably used UPI without thinking twice. That's the whole point — it's fast, it's everywhere, and it works. But that same speed is now at the center of a growing UPI payment fraud problem that the RBI is trying to fix.
The Reserve Bank of India has released a discussion paper proposing a structured pause on certain digital transactions. Here's what that actually means, how it could work in practice, and whether it'll change anything for the average user.
The core idea is straightforward: slow down some payments just enough to stop fraud, but not enough to break anything.
Under the proposal, transfers above Rs 10,000 sent from one individual to another wouldn't land instantly anymore. Your bank would debit the amount from your account right away — but hold it for up to 60 minutes before releasing it to the recipient. During that window, you'd have the option to cancel.
Merchant payments are almost certainly staying instant. Scanning a QR code at a shop, paying a restaurant, settling an e-commerce order — none of that falls under this proposal. Same goes for recurring transactions like subscriptions and mandates. The delay is narrowly aimed at peer-to-peer transfers, specifically the higher-value ones where fraud tends to hit hardest.
For most people's daily spending, nothing changes.
Most digital payment scams today don't involve anyone hacking into a bank. No passwords are stolen. No systems are breached. The fraud is far simpler — and far harder to stop.
These are called authorised push payment (APP) frauds. The victim sends the money themselves. A fraudster calls posing as a bank representative, a government official, or sometimes even a relative in trouble. The conversation is designed to feel urgent. There's a problem that needs fixing right now, and a transfer is the only way to fix it. Under pressure, the victim complies.
By the time the call ends and the discomfort sets in, the money is already gone.
The RBI has flagged this pattern specifically: these frauds work through social engineering, not system compromise. The payment infrastructure isn't broken. It's the human being using it who's being manipulated.
UPI's speed is why it took off the way it did. Transfers complete in under two seconds. That's also what makes social engineering fraud so effective on this platform.
The moment a transaction goes through, the money can be moved again. Withdrawn, sent elsewhere, split across accounts — all of it can happen in minutes. By the time a victim reports the fraud to their bank, the trail is already cold.
Post-transaction recovery in these cases is slow and uncertain. Banks can file disputes, law enforcement can get involved, but actual money recovery rates remain low. The RBI's own acknowledgement is that once the funds move, there's very little a bank can realistically do.
Speed that makes payments seamless also makes mistakes irreversible.
The RBI's proposal centers on what it describes as the "golden hour" — the window immediately after a transaction is initiated, when it can still be stopped.
A 60-minute pause does several things at once. It breaks the urgency that scammers rely on to push victims into acting without thinking. It gives the sender time to hang up, call someone they trust, and reconsider. In many fraud cases, that's genuinely all it takes — a few minutes of distance from the pressure of the moment.
It also creates a window for banks to act. If a transaction looks suspicious — an unusually large transfer to a new recipient, a pattern that flags as high-risk — the bank can pause it and ask the sender to confirm before the money moves. That's not currently possible in a real-time system.
Worth noting: the golden hour concept, while well-established in fraud research internationally, is largely untested at the scale of India's UPI volume. Implementation will matter enormously.
Adding a delay to an instant payment system sounds like it defeats the purpose. In practice, the disruption may be smaller than it sounds.
Abhinav Parashar, co-founder and CEO of Digio, said the impact on routine transactions will be limited if the rule is rolled out carefully. Payments through formal payment aggregators, which cover most e-commerce, are already subject to strong merchant verification processes. Recurring transactions aren't touched at all because they're pre-authorised by verified merchants.
"The main friction point would be informal offline payments and pure P2P transfers," he said.
He also pointed to a potential workaround built into the system's design. Physical QR code scans could be treated differently — location data could confirm the buyer is actually standing at the shop, which would allow the delay to be bypassed safely.
Dr. Raj P Narayanam, founder and executive chairman of Zaggle, acknowledged that some friction is unavoidable. But he argued it's worth it. UPI's real value to users isn't just speed — it's trust. And that trust has been eroding as fraud cases mount.
"Even a short intervention window can significantly reduce financial loss and give users time to reconsider transactions," he said.
The proposal is deliberately narrow. Here's a quick breakdown:
Affected: Person-to-person transfers above Rs 10,000, including transfers made by sole proprietors and small partnership firms operating informally.
Not affected: Payments to merchants (QR code scans, online checkout), recurring mandates, subscriptions, pre-authorised transactions.
For the vast majority of daily users, nothing about their UPI experience changes. The shift is felt only when sending a larger amount to an individual — a new contact, a freelancer, a family member you don't transfer to often.
The Rs 10,000 threshold looks specific. It is — and there's data behind it.
Transactions above that amount account for roughly 45% of all reported UPI fraud cases by volume. More significantly, they make up nearly 98.5% of the total money lost. Smaller scams are actually more frequent, but the big financial damage comes from higher-value transfers.
The threshold is an attempt to target fraud where it actually hurts, without slowing down the millions of small daily transactions that form the backbone of India's digital payment ecosystem.
This is the question that will determine whether the rule actually works.
Parashar thinks the safety signal will land clearly for P2P transfers. "Social engineering is the biggest threat right now," he said. "Adding a 60-minute undo window for first-time transfers acts as a necessary panic button." He added that the RBI has already moved to restrict UPI Collect requests — one of the most heavily exploited fraud channels — so this proposal fits within a broader pattern of targeted interventions.
The user experience design will be critical, though. If an app just shows a spinning timer with no explanation, frustration follows. If it clearly displays a message like "Security hold active — payment will complete by 3:47 PM," that same delay feels like a feature rather than a bug.
Narayanam agreed that execution is everything. "Users are likely to feel safer if the intent and design of the delay are clearly communicated," he said. Applied inconsistently or without context, though, the same rule could create confusion — especially for users who've come to expect sub-second settlements as the baseline.
For most everyday spending, nothing changes. But if you regularly send larger amounts to individuals — freelancers, landlords, family members — a small shift in habit will help.
Parashar suggested a practical fix for urgent situations: send a small test transfer of Re 1 to a new recipient earlier in the day. Once that person is whitelisted on your UPI app, larger transfers to them won't trigger the delay. It's a simple step that takes 30 seconds and pre-empts the problem entirely.
For emergencies where you can't plan ahead, scanning a merchant QR code may bypass the delay — so keeping that option available matters. IMPS is also worth keeping active as a fallback for truly time-sensitive bank transfers where instant confirmation is non-negotiable.
Narayanam's advice was simpler: for high-value transfers, build in a little more lead time and lean on trusted, saved beneficiaries where possible. The habit shift is minor. The protection is real.
Send a small test payment — even Re 1 — to the recipient's UPI ID earlier in the day. Once they're whitelisted, larger transfers to them should go through instantly. For offline emergencies, merchant QR code payments are likely to bypass the delay entirely. It's also worth keeping IMPS active as a backup before you need it in a rush — not after.
Based on the current proposal, no. The delay targets person-to-person transfers above Rs 10,000. Payments to registered merchants — scanning a QR code at a restaurant, checking out online, paying a utility bill — route through payment aggregators and are expected to stay instant. Subscriptions and recurring mandates are also unaffected.
UPI is a real-time settlement system. Once you hit send, the money reaches the recipient's account within seconds — and after that, there's no built-in cancellation. Getting it back requires either the recipient's voluntary cooperation or a formal bank dispute, both of which are slow and uncertain. The proposed 1-hour window is specifically designed to close that gap, holding the funds long enough for you — or your bank — to catch a mistake before it's final.
The biggest concern is authorised push payment (APP) fraud, where victims are tricked into sending money themselves. Scammers pose as bank officials or government representatives, manufacture urgency, and push the victim to transfer funds immediately. No system is breached — the victim authorises the payment willingly, under pressure. RBI data shows these scams account for nearly 98.5% of the total value lost to UPI fraud, even though smaller scams are more frequent in volume.
Not yet. This is a proposal from an RBI discussion paper, currently open for feedback from banks, payment companies, and the wider fintech industry. Once that consultation closes, the RBI may issue formal guidelines. After that, banks and payment platforms would need time to build the technical infrastructure — a holding system that can pause, monitor, and if needed cancel a transaction within 60 minutes. For now, UPI operates exactly as it always has.
The proposal doesn't break UPI. It adds friction at the one point where the current system is genuinely vulnerable — the moment someone sends a large transfer to a new individual under pressure, without time to think. That's not a system flaw. It's a human one. And a 60-minute pause might be exactly the size of intervention needed to address it.
The rule isn't final. The RBI has asked for responses from the industry, and the shape of any eventual guideline could look different from what's on the table now. But the direction is clear: India's UPI payment fraud problem is significant enough that the regulator is willing to trade a little speed for a meaningful shot at reducing it.
Your email address will not be published. Required fields are marked *