[ Everyday Law ]

UPI fraud — how to get your money back

One transaction, three statutes, ten working days

The recovery grammar for a UPI fraud sits in three statutes read together — the Payment and Settlement Systems Act, 2007, the Information Technology Act, 2000, and the RBI's circular DBR.No.Leg.BC.78/09.07.005/2017-18 of 6 July 2017 on limiting customer liability — supplemented by the cheating provisions of the Bharatiya Nyaya Sanhita, 2023 [Indian Penal Code, 1860] and the FIR-investigation route of the Bharatiya Nagarik Suraksha Sanhita, 2023 [CrPC]. The route a victim takes depends on which of these statutes is doing the work.

The Unified Payments Interface ("UPI") clears, on the National Payments Corporation of India's published figures, in excess of fourteen billion transactions a month in 2026. The same volume that has made the rail attractive to retail users has made it attractive to a parallel industry of fraud — phishing pages dressed as bank portals, fake collect-requests, screen-mirroring AnyDesk and TeamViewer scripts, SIM-swap takeovers timed to OTP delivery, and merchant-side spoofs that pull funds against a customer-initiated authorisation. Recovery, when it works, runs on a precise statutory grid — the Payment and Settlement Systems Act, 2007 (the "PSS Act") provides the architecture; the Reserve Bank of India's circular dated 6 July 2017, DBR.No.Leg.BC.78/09.07.005/2017-18, supplies the liability calculus; the Information Technology Act, 2000 and the Bharatiya Nyaya Sanhita, 2023 provide the offence-side overlay; and the Bharatiya Nagarik Suraksha Sanhita, 2023 provides the investigation machinery. This guide walks the grid.

The PSS Act architecture and NPCI as system operator

UPI is not a statute, a contract, or a product — it is a payment system operated by the National Payments Corporation of India ("NPCI") under authorisation from the Reserve Bank of India under the PSS Act, 2007. Section 4 of the PSS Act forbids the commencement or operation of a payment system in India without RBI authorisation; Section 7 governs the grant of that authorisation; Section 25 makes dishonour of an electronic-funds transfer punishable on the same footing as cheque dishonour under Section 138 of the Negotiable Instruments Act, 1881. NPCI is the authorised system operator. Sponsor banks, issuer banks (the payer's bank), beneficiary banks (the payee's bank), the third-party application provider (PhonePe, Google Pay, Paytm and the like) and the Payment Service Provider bank that hosts the app each occupy a defined role.

Two structural consequences follow. First, every UPI transaction passes through a regulated chain — there is no off-grid leg. A fraudulent debit is, in regulatory terms, a debit booked through an authorised payment system, and the issuer bank's books reflect it. Second, the liability question is therefore not who caused the loss but who must bear it under the RBI's customer-protection framework, given how the debit was authorised and how quickly the customer reported.

The PSS Act is silent on customer-side liability for unauthorised electronic transactions. That gap was filled administratively by the RBI in 2017.

The 6 July 2017 limited-liability circular

The Reserve Bank's circular DBR.No.Leg.BC.78/09.07.005/2017-18 of 6 July 2017, titled "Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions," is the single most important text in UPI recovery practice. The circular issues under the RBI's directive power under Section 35A of the Banking Regulation Act, 1949 and binds every scheduled commercial bank in India. Its scheme rests on three liability buckets that turn on (a) where the fault lay and (b) how quickly the customer notified the bank.

Bucket one — zero customer liability. The customer bears nothing where the unauthorised transaction occurred because of contributory fraud, negligence or deficiency on the part of the bank (irrespective of when the customer reports), or because of a third-party breach where the deficiency lies neither with the bank nor with the customer (a "system" breach) and the customer notifies the bank within three working days of receiving the communication.

Bucket two — limited customer liability. Where the loss is due to the customer's own negligence (a shared password, an OTP voluntarily disclosed), the customer bears the entire loss until the bank is notified, and beyond notification the loss passes to the bank. Where the loss is due to a third-party breach and the customer notifies between four and seven working days, liability is capped per transaction by reference to the account type — the cap is fixed in Annex II of the circular and ranges from Rs 5,000 for Basic Savings Bank Deposit accounts to Rs 25,000 for other savings, salary and credit-card accounts.

Bucket three — full customer liability. If the customer reports beyond seven working days after the bank's communication, the bank's policy (Board-approved, but ultimately a per-bank document) governs. In practice most policies impose the full loss on the customer in this bucket.

Two procedural features of the circular often decide cases. First, the burden of proof of customer negligence is squarely on the bank — paragraph 6 of the circular reads that "the burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank." Second, the bank is required to credit (shadow-reverse) the disputed amount to the customer's account within ten working days of notification, regardless of where the liability ultimately falls; the credit operates as a working balance pending the bank's internal inquiry and the final allocation of liability. The shadow-reversal obligation is not a discretion — it is a mandatory time-bound step, and consumer fora have begun treating breaches as deficiency in service.
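As an added example, not taken from the article or from the text of the RBI circular, the three liability buckets and the two clocks described above encoded as a decision helper that a bank fraud desk or a dispute tracker could run. The Monday-to-Friday calendar with a caller-supplied holiday list, the two Annex II cap values (the only ones the article quotes) and the account-type keys are assumptions of this example.

```python
# Added example (not the article's or the circular's own text): the three
# liability buckets and the working-day clocks as a decision helper.
# Assumptions: working days are Mon-Fri minus a caller-supplied holiday set;
# ANNEX_II_CAP holds only the two cap values the article quotes, keyed by an
# invented account-type label; other account types must be added by the caller.
from datetime import date, timedelta
from enum import Enum


class Fault(Enum):
    BANK = "bank"            # contributory fraud/negligence/deficiency of the bank
    THIRD_PARTY = "third"    # system breach, neither bank nor customer at fault
    CUSTOMER = "customer"    # customer negligence, e.g. OTP or PIN disclosed


# Per-transaction caps quoted by the article from Annex II (illustrative subset).
ANNEX_II_CAP = {"bsbd": 5_000, "savings": 25_000,
                "salary": 25_000, "credit_card": 25_000}


def working_days_between(alert: date, notified: date, holidays=frozenset()) -> int:
    """Working days strictly after `alert` up to and including `notified`.

    The circular's clock runs from the bank's communication (SMS/email alert),
    so `alert` must be the alert date, not the debit date.
    """
    if notified < alert:
        raise ValueError("notification cannot precede the bank's alert")
    count, day = 0, alert
    while day < notified:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            count += 1
    return count


def customer_liability(fault: Fault, loss_before_notice: int, days_to_notify: int,
                       account_type: str, loss_after_notice: int = 0) -> tuple[int, str]:
    """Return (amount borne by the customer, bucket label) per the three buckets."""
    total = loss_before_notice + loss_after_notice
    if fault is Fault.BANK:
        return 0, "bucket-1 zero liability (bank at fault; timing irrelevant)"
    if fault is Fault.CUSTOMER:
        # Customer bears the loss until notification; later loss passes to the bank.
        return loss_before_notice, "bucket-2 limited liability (customer negligence)"
    # Third-party breach: the notification window decides the bucket.
    if days_to_notify <= 3:
        return 0, "bucket-1 zero liability (third-party breach, notified <= 3 working days)"
    if days_to_notify <= 7:
        cap = ANNEX_II_CAP[account_type]
        return min(total, cap), f"bucket-2 limited liability (cap Rs {cap:,})"
    return total, "bucket-3 liability per bank policy (notified > 7 working days)"


def shadow_reversal_deadline(notified: date, holidays=frozenset()) -> date:
    """Last day for the bank's shadow-reversal credit: 10 working days from notice."""
    day, remaining = notified, 10
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            remaining -= 1
    return day
```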

The IT Act overlay — Sections 43, 66, 66C and 66D

The civil-recovery picture is one half of the article. The offence-side picture, which feeds the FIR and the criminal investigation, is supplied by Chapter XI of the Information Technology Act, 2000. Four sections are repeatedly invoked in UPI-fraud charge-sheets.

Section 43 of the IT Act, 2000 is the civil-penalty provision. Any person who, without permission of the owner, accesses or secures access to a computer, computer system or computer network; or downloads or copies data; or causes denial of access; or disrupts or causes disruption; is liable to pay damages by way of compensation. Section 43 is the gateway because Section 66 hangs off it.

Section 66 of the IT Act, as amended by the Information Technology (Amendment) Act, 2008, makes the offences listed under Section 43 punishable when committed "dishonestly or fraudulently" within the meaning of Sections 24 and 25 of the Indian Penal Code, 1860 (now Sections 2(7) and 2(11) of the Bharatiya Nyaya Sanhita, 2023). The punishment is imprisonment up to three years, or fine up to five lakh rupees, or both. The mens rea ingredients are doctrinally settled — the Supreme Court in Shreya Singhal v Union of India, AIR 2015 SC 1523, while striking down Section 66A, expressly contrasted Section 66's reasoned drafting (defined dishonesty and fraud requirements) with the void-for-vagueness fatal to Section 66A. The Section 66 doctrine survived and is the offence-side workhorse of UPI fraud.

Section 66C of the IT Act punishes identity theft — the fraudulent or dishonest use of the electronic signature, password or any other unique identification feature of any other person. The MPIN, the UPI PIN, the device-bound public key and the registered mobile number all fall squarely within "any other unique identification feature" as the term has been read by the High Courts.

Section 66D punishes cheating by personation by using any communication device or computer resource — the staple charge in phishing-page and fake-merchant fraud where the perpetrator has masqueraded as a bank, a payment app, an electricity-board collection counter or a UPI handle of a legitimate institution. Sentence is up to three years' imprisonment and a fine up to one lakh rupees.

Where customer data has been disclosed in breach of a contract — for example, by a customer-service representative, a telesales operator or a third-party processor — Section 72A of the IT Act adds an offence punishable up to three years' imprisonment or fine up to five lakh rupees. The provision lies in the background of nearly every SIM-swap and call-centre-leak fraud.

The BNS/BNSS overlay — cheating, conspiracy, and the FIR

Most UPI-fraud FIRs in 2026 are registered under the IT Act sections above read with the cheating provisions of the Bharatiya Nyaya Sanhita, 2023. Section 318 of the BNS [Section 420 IPC] punishes cheating and dishonestly inducing delivery of property — the elemental offence in any successful UPI fraud, where the perpetrator has by deception caused the victim to part with money. Section 319 BNS [Section 416 IPC] punishes cheating by personation — the parallel BNS offence where the IT Act's Section 66D speaks of cheating by personation by computer resource. The Section 66D charge and the Section 319 BNS charge are routinely framed together, and the High Courts have not treated this as double jeopardy because the gravamen of the IT Act offence is the use of a computer resource as the instrument of personation, distinct from the BNS offence of personation simpliciter.

Section 336 of the BNS [Section 463 IPC] covers forgery — relevant where the fraud has involved a forged screenshot, a fabricated transaction reference, or a doctored e-statement. Section 61 of the BNS [Section 120B IPC] covers criminal conspiracy — invariably invoked where the fraud is the product of an organised network with mule accounts, SIM-card runners and call-centre operatives. In larger-loss cases, money-laundering charges under the Prevention of Money Laundering Act, 2002 follow on enforcement-directorate referrals; that route is outside the scope of this article.

The investigative route is governed by the Bharatiya Nagarik Suraksha Sanhita, 2023. Section 173 of the BNSS [Section 154 CrPC] requires the officer-in-charge of a police station to register an FIR on information disclosing a cognizable offence; cheating under Section 318 BNS and Section 66D of the IT Act are cognizable. The Supreme Court in Lalita Kumari v Government of Uttar Pradesh, (2014) 2 SCC 1 has held that registration is mandatory where the information discloses a cognizable offence, with the narrow preliminary-inquiry window now codified at Section 173(3) BNSS. A zero-FIR is available at any station regardless of jurisdiction under Section 173(1) read with the second proviso. The FIR is, in addition to the criminal route, an evidentiary document of considerable weight in the parallel banking-ombudsman complaint and in the consumer-fora deficiency-in-service complaint that often follows.

The recovery roadmap, in operational order

The procedural sequence below is the standing practice that has emerged from the interplay of the four statutory layers. It is set out as a sequence because the time-windows in the RBI circular drive the rest.

Step 1 — Notify the issuer bank, in writing, within three working days. The three-working-day clock under the 2017 circular runs from the bank's communication of the transaction (SMS or email alert) and not from the date of debit. Notification can be by the bank's twenty-four-hour customer-care channel, by branch visit, or by the in-app dispute mechanism — all three are recognised. Insist on a complaint reference number and retain the timestamp. The bank's obligation to shadow-reverse the disputed amount within ten working days is triggered by this notification.

Step 2 — Raise the NPCI dispute through the UPI app's transaction history. Each UPI app exposes an in-app "raise concern" flow that creates a UPI dispute ticket routed through NPCI's central dispute-management system to the beneficiary's payment service provider. The flow operates parallel to (not in substitution of) the issuer-bank notification, and the ticket number forms part of the evidence package in subsequent complaints. The dispute mechanism is governed by NPCI's UPI Procedural Guidelines, which the RBI has accepted as the operational settlement-and-dispute framework under the PSS Act.

Step 3 — File an FIR under Section 173 BNSS within seventy-two hours. The FIR is best registered at the cyber-crime cell of the local police station; a zero-FIR is available where the cyber-crime cell is in a different jurisdiction. The offences invoked are typically Sections 66, 66C and 66D of the IT Act, 2000 read with Sections 318, 319, 336 and 61 of the Bharatiya Nyaya Sanhita, 2023. Where the police refuses registration, the remedy lies in Section 173(4) BNSS (complaint to the Superintendent) and Section 175(3) BNSS [Section 156(3) CrPC] (complaint to the Magistrate). The Supreme Court's framework in Lalita Kumari v Government of Uttar Pradesh, (2014) 2 SCC 1 governs the registration question.

Step 4 — Lodge the National Cyber Crime Reporting Portal complaint. The cybercrime.gov.in portal, operated by the Ministry of Home Affairs' Indian Cybercrime Coordination Centre (I4C) under the National Cyber Crime Reporting Portal scheme, accepts financial-fraud complaints and routes them to the relevant State police and the relevant banks. The portal's "report-and-block" feature has, in practice, recovered mule-account balances where the complaint reaches the system within the first twenty-four to forty-eight hours of the fraud. The portal is not a substitute for the formal FIR; it is a parallel investigative channel.

Step 5 — Escalate to the RBI Integrated Ombudsman if the bank does not resolve in thirty days. The RBI's Integrated Ombudsman Scheme, 2021 ("the Scheme"), which replaced the earlier Banking Ombudsman Scheme, 2006 and its sibling schemes for NBFCs and digital-transactions, operates under Section 35A of the Banking Regulation Act, 1949 and Section 18 of the PSS Act, 2007. A complaint is filed at cms.rbi.org.in once the bank has either rejected the complaint or failed to respond within thirty days. The Ombudsman has the power to direct compensation up to Rs 20 lakh for direct loss arising from a banking deficiency and an additional Rs 1 lakh for mental anguish and harassment. Settlement-based and award-based disposal are both available; the Ombudsman's award is appellable within thirty days to the Appellate Authority (a Deputy Governor of the RBI).

Step 6 — File a consumer complaint under the Consumer Protection Act, 2019. The District, State or National Consumer Disputes Redressal Commission has jurisdiction over a "deficiency in service" claim against the bank for failure to comply with the 2017 circular. The pecuniary jurisdiction post-2019 is up to Rs 50 lakh at the District Commission, Rs 50 lakh to Rs 2 crore at the State Commission, and beyond at the National Commission. Consumer fora have, in a steady line of decisions including the Punjab National Bank v Manju Devi series and the State Bank of India v K K Misra line, treated unjustified withholding of shadow-reversal credit, failure to discharge the burden of proof of customer negligence, and refusal to act on customer notification within the circular's windows as deficiencies in service warranting full restitution plus compensation for harassment.

Open questions — NPCI's own liability and the collect-request fraud

Two doctrinal questions deserve a candid acknowledgment because they are unresolved in 2026 and recur in serious UPI-fraud litigation.

The first is the liability of NPCI itself as the authorised system operator. The 2017 circular is addressed to scheduled commercial banks and binds them. NPCI is not a bank; it is a company incorporated under Section 8 of the Companies Act, 2013 and authorised as a payment-system operator under Section 7 of the PSS Act, 2007. Whether NPCI bears any residual liability for a system-level failure (for example, a routing bug that misroutes a transaction, or a UPI handle resolution failure that delivers funds to a wrong virtual payment address) — beyond what it is obliged to indemnify under its agreements with member banks — has not been authoritatively decided. A claim against NPCI would have to be framed under the general law of negligence or under deficiency-of-service in consumer fora, and there is, as of 2026, no reported Supreme Court ruling on the point. The question is likely to be litigated as transaction volumes grow.

The second is the application of the 2017 circular to merchant-side fraud — the collect-request scam in which a fake merchant sends a collect-request that the customer authorises, believing it to be a refund or a payment-receipt acknowledgment. The customer has, on the face of it, authenticated the transaction with the UPI PIN. The bank's position has been that the transaction is therefore not "unauthorised" within the meaning of the circular, and that the bucket-one zero-liability rule does not apply. The customer's position is that authentication procured by fraud is not authorisation. The position has split in consumer fora and at the Ombudsman — some awards have applied the bucket-two limited-liability framework to merchant-side frauds on the reasoning that the customer's contributory fault is bounded; others have applied the bucket-three full-liability framework on the reasoning that the customer's PIN authorisation is conclusive. The RBI has not, as of mid-2026, issued a clarificatory direction. A larger-bench consumer-fora ruling or an RBI circular update would settle the field.

Procedure, evidence, and the limits of recovery

A UPI-fraud claim, whichever route is taken, lives or dies on the evidence package — the transaction reference number ("UTR" or "RRN") generated by NPCI, the dated SMS/email alert from the issuer bank, the screenshot of the in-app dispute ticket, the FIR copy, the National Cyber Crime Reporting Portal acknowledgment, and the bank's written response (or its absence). The 2017 circular's shadow-reversal obligation begins on notification, but the burden-of-proof allocation between bank and customer is decided on the documents at a later stage; the customer who has not preserved the alert and the in-app screenshot is in a weaker position regardless of the merits.

The criminal route and the civil-recovery route operate in parallel and the success of one is not a precondition for the other. A high-conviction-rate jurisdiction on Section 66D charges is not, on the present data, a high-recovery jurisdiction; conversely, an unfavourable police investigation does not bind the consumer forum or the Ombudsman. The bank's burden of proof under paragraph 6 of the 2017 circular is independent of the criminal investigation's progress.

The limits of the recovery framework should also be stated. The 2017 circular caps bucket-two compensation at Rs 25,000 for most accounts — a victim of a Rs 10 lakh fraud notified on day five faces a Rs 25,000 ceiling unless the case can be moved to bucket one (no customer fault) or escalated to a consumer forum on a deficiency-in-service theory. Where the fraudulent funds have moved through layered mule accounts and have left the regulated banking system (through cryptocurrency exchanges, prepaid instruments, or cross-border remittance shells), the issuer bank's recovery levers are limited and the residual loss is real. The legal framework is not a substitute for prompt notification — it presumes it.

Where the recovery framework sits today

The position in 2026 can be stated in five points. One — the PSS Act, 2007 supplies the architectural backbone, NPCI operates as the authorised payment-system operator, and every UPI transaction is, in regulatory terms, a transaction over a regulated payment system. Two — the RBI's 6 July 2017 circular is the binding customer-protection text, and its three liability buckets, the bank's burden of proof under paragraph 6, and the ten-working-day shadow-reversal obligation are the operational levers of recovery. Three — the IT Act's Sections 43, 66, 66C, 66D and 72A, read with the cheating provisions of the BNS, 2023 (Sections 318, 319, 336, 61) and the FIR-investigation provisions of the BNSS, 2023 (Sections 173 and 175), supply the criminal overlay; the offences are cognizable and the registration mandate of Lalita Kumari applies. Four — the RBI Integrated Ombudsman Scheme, 2021 and the Consumer Protection Act, 2019 are the principal escalation forums, with consumer fora having developed a steady line of awards on deficiency-in-service grounds in the Manju Devi and K K Misra tradition. Five — two doctrinal questions remain open: NPCI's own liability as system operator and the application of the 2017 circular to authorised-but-induced collect-request transactions. Both are likely to be litigated more sharply over the next eighteen months.

The recovery grammar is statutory, time-bound, and unforgiving of delay. A customer who notifies within three working days and follows the six-step roadmap above sits within the framework the RBI has designed. One who notifies on day eight is outside it, and is left with the criminal route and a deficiency-in-service claim — slower, less certain, and rarely a complete remedy.