What are RBI's new UPI rules in 2026?

On April 9, 2026, RBI released a discussion paper proposing four UPI fraud safeguards: a 1-hour lag credit for P2P transfers above ₹10,000, a Kill Switch to instantly disable all UPI payments, a trusted-person authentication system for senior citizens, and a ₹25 lakh annual UPI credit ceiling to curb mule accounts. These are currently proposals — not yet live rules — and RBI has invited public feedback until May 8, 2026.

What is the UPI Kill Switch?

The UPI Kill Switch is an emergency feature proposed by RBI that allows users to instantly disable all digital payment channels — UPI, IMPS, and net banking — with a single tap. Reactivation would require re-verification and, in many cases, a physical bank visit. It is designed to help fraud victims stop losses immediately.

When do the new RBI UPI fraud rules come into effect?

RBI's new UPI rules are still in the proposal stage as of April 2026. The public comment period closes on May 8, 2026. Final rules will only be binding once officially notified by RBI in a circular. Banks and NBFCs should use this window to prepare their systems and compliance frameworks.

What is a mule account and how does RBI plan to stop them?

A mule account is a bank account used by fraudsters to receive and rapidly transfer stolen money. RBI proposes a ₹25 lakh annual ceiling on UPI credits per account to curb mule activity. Any amount above this cap would be held as 'shadow credit' — visible but inaccessible — until cleared by the bank.

How can FraudIntel help banks comply with RBI's new UPI fraud rules?

FraudIntel's real-time API can screen UPI IDs and phone numbers against 3,700+ live Indian fraud signals before transaction approval. This directly supports the mule account detection requirement in RBI's proposals and provides an audit trail for compliance reporting. Integration takes under a day via a single REST API call.

Regulation Breaking April 20, 2026 · 8 min read

RBI's New UPI Rules 2026: What Every Bank and NBFC Needs to Know Right Now

On April 9, 2026, the Reserve Bank of India released a discussion paper proposing four major structural safeguards against UPI fraud. The public comment window closes May 8, 2026. Here is a plain-language breakdown of what each rule means, who it affects, and what your compliance and risk teams should be doing today.

FraudIntel Research Team

Fraud Intelligence · Regulatory Tracking

April 20, 2026

Updated on publish

⚠ Status: Proposals, Not Final Rules

The four measures below are from RBI's April 9, 2026 discussion paper. They are not yet binding regulations. RBI is collecting public feedback until May 8, 2026. Final rules will only take effect after an official RBI circular. Banks and NBFCs should treat this window as a preparation phase, not a compliance deadline.

Why This Matters: The Scale of UPI Fraud in India

UPI processed over 20 billion transactions monthly in 2025. That scale has made it the world's largest real-time payments network — and one of the most targeted by fraudsters. The RBI's FY2024–25 Annual Report recorded 13,516 digital payment fraud cases accounting for 56.5% of all reported banking frauds, with losses totalling ₹520 crore.

A LocalCircles survey found that 1 in 5 Indian families with a UPI user has experienced fraud at least once — and 51% of those victims never filed a complaint. That underreporting gap is exactly what these new rules aim to close.

₹520 Cr

Digital payment fraud losses FY2024–25 (RBI)

34%

Year-on-year rise in digital payment fraud cases

1 in 5

Indian UPI families that have experienced fraud

51%

Fraud victims who never filed a complaint

The Four Proposed Safeguards — Explained

1. The 1-Hour Lag Credit for P2P Transfers Above ₹10,000

RBI proposes a mandatory 1-hour delay before funds credit to a recipient's account for person-to-person UPI transfers above ₹10,000. The sender's account is debited instantly, but the recipient only receives the funds after 60 minutes — giving the sender a window to cancel if they realise they've been scammed.

💡 What This Means for Banks

Your core banking system must support a "hold and release" state for incoming P2P credits. Funds must be visible in the recipient's balance (so they can see them) but not spendable for 60 minutes. Any systems that treat incoming credits as immediately liquid will require modification.

This rule does not apply to merchant payments — only P2P transfers. So regular retail UPI payments at shops, restaurants, and online platforms are unaffected.

2. The UPI Kill Switch

RBI proposes an emergency "Kill Switch" that lets users instantly disable all digital payment channels — UPI, IMPS, and net banking — in a single tap from their banking or UPI app. Once activated, no transactions can be made or received digitally until the account is reactivated.

Reactivation would not be instant. It would require re-verification — and in many cases a physical visit to a bank branch. This is designed to help fraud victims stop bleeding money the moment they realise they've been compromised, even before they can call their bank.

🔴 High Implementation Effort

Banks will need to build this control into their mobile apps, net banking portals, and core systems simultaneously. The Kill Switch also has to propagate across NPCI's UPI infrastructure in real time — not just within the bank's own systems. Expect significant backend work.

3. Trusted-Person Authentication for Vulnerable Users

Senior citizens aged 70+ and persons with physical disabilities would gain the right to nominate a "trusted person" — a family member or caregiver — who must approve any UPI transfer above ₹50,000 before it is processed.

This two-layer human verification prevents the class of fraud where scammers impersonate family members or officials and pressure elderly users into large transfers. A 24-hour cooling period would apply to changing or removing the trusted person — preventing fraudsters from removing the safeguard during an attack.

4. ₹25 Lakh Annual UPI Credit Ceiling — The Mule Account Killer

RBI proposes that no bank account can receive more than ₹25 lakh in UPI credits in a single financial year. Any amount above this cap would be held as "shadow credit" — visible in the balance but inaccessible — until the bank clears it.

This directly targets mule accounts: bank accounts opened by fraudsters (or sold by their legitimate owners) to receive and rapidly move stolen money, making it nearly impossible for investigators to trace funds. A mule account hit by this ceiling becomes useless for laundering at scale.

✅ Already Detectable with FraudIntel

FraudIntel's existing database flags thousands of known mule accounts across India. Financial institutions can screen against these signals today — before the RBI rule is even finalised — using our real-time API. Request access here.

Summary Table: All Four Proposals at a Glance

LIVE FRAUD DATABASE

Is a number or UPI ID suspicious?

Check instantly against India's largest fraud database. Free, no account needed.

Check Free →

Proposal	What It Does	Who It Affects	Implementation Effort
1-Hour Lag Credit	Delays P2P credit above ₹10,000 by 60 minutes	All banks, NPCI	Medium — hold/release ledger state
Kill Switch	Instantly disables all digital payment channels	All banks, fintechs, UPI apps	High — cross-system real-time control
Trusted-Person Auth	Secondary approval for senior citizen transfers >₹50K	Banks, UPI apps (for eligible users)	Medium — new auth layer for subset
₹25L Annual Cap	Limits UPI credits per account per FY	All banks, payment processors	Medium — annual rolling counter + shadow credit

What Should Your Team Do Before May 8, 2026?

Even though these are proposals, the direction is clear. RBI has been progressively tightening digital payment fraud controls since the Central Payment Fraud Information Registry (CPFIR) and MuleHunter.AI launches in 2024–25. These four rules will become law in some form.

Submit comments to RBI by May 8. If your institution has technical constraints — for example, the lag credit affecting escrow or merchant settlement flows — document them and respond to the discussion paper. RBI does incorporate feedback that identifies real implementation barriers.
Audit your mule detection coverage. If you don't have a real-time fraud signal layer for incoming UPI IDs, start evaluating options now. The ₹25L cap is one measure; proactive screening is another.
Map the Kill Switch dependency chain. Identify every system that would need to be frozen — UPI rails, IMPS, net banking, standing instructions — and who owns each in your tech stack.
Review your senior citizen user base. Identify how many customers qualify for the trusted-person system and what onboarding flow you'd need to build for them to nominate a trusted contact.
Engage your core banking vendor. For the hold/release ledger state required by the lag credit, your CBS vendor needs to be part of the planning conversation now, not after the circular is issued.

RBI's Broader Fraud Infrastructure in 2025–26

These four proposals don't exist in isolation. They build on a series of RBI-led initiatives over the past 18 months:

CPFIR (Central Payment Fraud Information Registry) — AI/ML-powered cross-bank fraud tracking, active since 2024
MuleHunter.AI — RBI's own mule account detection tool, piloted in two public sector banks in December 2024
.bank.in and .fin.in domains — Exclusive domains for verified financial institutions, rolling out to combat phishing
NPCI's AI scoring pilots — Real-time transaction scoring that has reportedly blocked 90% of anomalies in internal tests
Biometric requirement for transactions >₹10K — Already being rolled out by select banks

The pattern is consistent: RBI is building layered infrastructure to detect fraud at the network level, while simultaneously giving users and institutions more tools to stop losses in real time. The April 2026 discussion paper is the most aggressive set of user-facing controls yet.

How FraudIntel Fits Into This Picture

FraudIntel is India's real-time fraud intelligence API — purpose-built for the compliance and risk requirements that RBI is pushing toward. A single API call returns a risk score, fraud signals, and a recommended action for any UPI ID, phone number, domain, or email address.

The mule account detection capability is live today. Banks and NBFCs using FraudIntel can screen beneficiaries against 3,700+ live fraud signals — including mule account patterns — before approving transactions. This directly supports the risk management posture that RBI's new rules are trying to mandate at the system level.

🛡️

Start Screening UPI Fraud Before the Rules Are Finalised

FraudIntel's API is live. Under 200ms response time. RBI data localisation compliant. Free for the first 100 calls/day — no credit card required. Banks and NBFCs can be integrated in under a day.

Request API Access →

Frequently Asked Questions

Are RBI's new UPI rules already in effect?

No. As of April 20, 2026, these are proposals in a discussion paper. The public comment period runs until May 8, 2026. Final rules will only be binding after RBI issues an official circular following the consultation process.

Will the 1-hour lag apply to all UPI transactions?

No. The proposed lag credit applies only to person-to-person (P2P) UPI transfers above ₹10,000. Merchant payments — at shops, apps, and platforms — are not affected.

What is a mule account?

A mule account is a bank account used by fraudsters to receive stolen money and move it rapidly before investigators can trace it. The account may belong to an unwitting victim whose details were stolen, or to someone paid by the fraudster to receive and forward funds. RBI's ₹25 lakh UPI cap is designed to make these accounts economically useless for large-scale laundering.

How do I submit feedback to RBI on this discussion paper?

RBI's discussion papers are open for public comment via the official RBI website (rbi.org.in). Submissions must be made before May 8, 2026. Institutions with specific technical or operational concerns are strongly encouraged to respond — RBI has historically incorporated substantive feedback from regulated entities.