The Reserve Bank of India (RBI) said, “fraudsters are deploying various tactics, such as bogus call centres, deepfake-driven impersonation scams and mule account networks. Almost all sections of society, especially the vulnerable groups such as senior citizens, have fallen prey to such APP frauds. Therefore, there is an urgent need to put in place systems and processes to address these issues.”
The apex bank has put up a discussion paper on its website and sought the views of various stakeholders on the need for introducing extra layers of safeguards.
According to the RBI, frauds attributed to account take-over are now negligible. “Most frauds are Authorised Push Payments or APP frauds, which thrive in environments characterised by easy and frictionless payments wherein funds can be transferred instantaneously by customers (victims) with minimal effort before realising that they are being duped,” it said. “Post-transaction remedies to recover such funds being limited, a defrauded user is often left with a few remedies and uncertain outcomes, which are time-consuming and show low recovery rates,” it added.
The RBI discussion paper sets out four options. They are:
* Lagged credit for authorised push payments other than low value.
* Additional authentication by trusted persons for high-value digital transactions by vulnerable sections of society.
* Only accounts with satisfactory additional review to receive large credits.
* Customer-induced controls.
These options, according to the RBI, have two broad objectives. The first is to induce a lag in select categories of digital payments (by way of process-level changes or additional due diligence requirements), thereby buying time for both customers and payment system operators (PSOs) to limit fraudulent transactions from being executed or the proceeds thereof from being moved quickly. The second is to empower the customer through the provision of customised controls.
Over the years, the Reserve Bank has introduced several measures to strengthen the safety and resilience of digital payments. Two-factor authentication was mandated in digital payment transactions. Storage of actual card data by any entity in the payment chain, other than the card issuer, was sought to be restricted through device tokenisation (2019) and card-on-file tokenisation (2021). Customer-induced controls in cards were mandated in 2020, thereby empowering cardholders to switch on/off and set/modify transaction limits (within the overall card limit, if any, set by the issuer) for all types of transactions, domestic and international, at PoS, online transactions, contactless transactions, etc.
In 2024, the Reserve Bank’s wholly-owned subsidiary – Reserve Bank Innovation Hub (RBIH) – built Mulehunter.AI to enable quick and effective detection of mule bank accounts by the banks. The Reserve Bank is also presently working with RBIH to set up a prototype of a Digital Payment Intelligence Platform (DPIP) by harnessing advanced technologies (AI/ML) to mitigate payment fraud risks. To a remitting bank, the platform is envisaged to provide information about the beneficiary’s profile through a risk score generated on a real-time and transaction-by-transaction basis, even before the transaction is executed.
