What India's RBI Just Did, and Why US Fraud Teams Should Watch

The most consequential piece of fraud regulation published anywhere this year did not happen in Washington. India's RBI is responding to real-time payment fraud architecturally, not technologically, and US fraud product leaders should be watching.

Views expressed are personal and do not represent any employer, partner, or client.

Fraud today has no geographical boundaries. Generative AI, mule networks, and social engineering at scale do not respect them either. The institutions getting safer are the ones who learn from what other markets are doing. Today's post is about something happening in India, written for a US audience, and the framing is intentional.

The Reserve Bank of India did something almost four weeks ago that most US fraud product leaders have not read.

On April 9, the RBI published a discussion paper titled Exploring Safeguards in Digital Payments to Curb Frauds. The public feedback window closes May 8.

That is the news. It matters far more than its current US readership suggests, because India is doing something on real-time payment fraud that the US has so far avoided: responding architecturally rather than technologically.

A quick context check before the substance. UPI processed roughly 228 billion transactions in 2025 and was averaging 698 million transactions per day by December. Reported digital payment fraud cases in India have grown more than tenfold since 2021. Loss values rose nearly fortyfold. Authorized push payment fraud, where a legitimate user is socially engineered into authorizing a payment, is now the dominant attack pattern. Over 2.6 million suspected mule accounts have been identified in the system as of December 2025. Mule accounts at that scale are not a fraud problem. They are a logistics operation.

This is not a problem the US has at this scale yet. It is a problem the US will have, because FedNow and RTP are designed to deliver the same kind of irreversible, near-instant payment that UPI delivers, and fraudsters are paying closer attention than most boards realize.

Four proposals worth reading

Four proposals from the RBI paper stand out:

1. A one-hour lag on P2P transfers above 10,000 rupees. The user authorizes. The transfer holds for an hour. If something is wrong, there is a window to catch it before the funds move.

2. Trusted-person authentication for seniors and persons with disabilities. A second person, designated in advance, must approve high-value transactions for accounts flagged as belonging to these vulnerable users.

3. Annual UPI credit caps for newer accounts. Designed to make mule accounts harder to operate at scale, since mules require high incoming volume to be useful to fraudsters.

4. A kill switch that allows for instant disablement of an account by the user, the bank, or the regulator.

None of these are detection improvements. They are architectural controls.

The RBI has effectively given up on winning the detection arms race against generative-AI-driven social engineering and is rebuilding the rails. If the user can be convinced to authorize, they will. The control layer adds friction at the architecture level so that an authorized payment is no longer synonymous with a completed payment.

This is the same shift I wrote about last week in the context of deepfake defense. The institutions getting this right have stopped relying on detection as the ceiling and started building the architecture around it. The RBI is now applying that thinking at the regulatory level.
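To make "authorized is no longer synonymous with completed" concrete, here is an added Python example (not code from the RBI paper or from this post's author) that models three of the proposals as a settlement gate: the one-hour hold above 10,000 rupees, trusted-person approval, and the kill switch. The `Account` and `Payment` types, the state names, and the `TRUSTED_THRESHOLD` value are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD_THRESHOLD = 10_000            # rupees, per the proposal summarized above
HOLD_WINDOW = timedelta(hours=1)   # one-hour lag, per the same proposal
TRUSTED_THRESHOLD = 50_000         # assumption: the post gives no "high-value" figure

@dataclass
class Account:
    id: str
    vulnerable: bool = False       # flagged senior / person with a disability
    trusted_person: str = ""       # designated in advance; "" means none set
    disabled: bool = False         # kill switch state

@dataclass
class Payment:
    payer: Account
    payee: Account
    amount: int
    authorized_at: datetime
    approved_by: str = ""
    state: str = "AUTHORIZED"      # authorized, but no funds have moved yet

def kill_switch(account: Account) -> None:
    """Instant disablement by the user, the bank, or the regulator."""
    account.disabled = True

def settle(p: Payment, now: datetime) -> str:
    """Advance a payment; funds move only when this returns COMPLETED."""
    if p.state in ("COMPLETED", "CANCELLED"):
        return p.state
    approved = p.approved_by != "" and p.approved_by == p.payer.trusted_person
    # Checked at settlement time, so the kill switch also stops held payments.
    if p.payer.disabled or p.payee.disabled:
        p.state = "CANCELLED"
    elif p.payer.vulnerable and p.amount > TRUSTED_THRESHOLD and not approved:
        p.state = "PENDING_APPROVAL"
    elif p.amount > HOLD_THRESHOLD and now < p.authorized_at + HOLD_WINDOW:
        p.state = "HELD"
    else:
        p.state = "COMPLETED"
    return p.state

def demo() -> list:  # constructed scenario: payee disabled during the hold
    t0 = datetime(2025, 1, 1, 12, 0)
    p = Payment(Account("victim"), Account("suspected-mule"), 25_000, t0)
    held = settle(p, t0 + timedelta(minutes=5))
    kill_switch(p.payee)
    return [held, settle(p, t0 + timedelta(hours=2))]
```

The hold only adds protection if something acts during the window; in `demo()` that action is the kill switch on the receiving account, which cancels a payment the payer had already authorized.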

Three takeaways for US fraud product leaders

Three things US fraud product leaders should take from this paper:

First, India is currently the canary in the coal mine for what real-time payment fraud at scale looks like. The US will arrive at this volume and threat profile within the next three to five years, depending on FedNow and RTP adoption curves. Reading the RBI paper now is a free preview of the conversation US regulators will be having by 2028 or 2029.

Second, the proposals worth borrowing without waiting for a US regulator are the kill switch and the trusted-person authentication. Both are implementable as product features today. Both add architectural protection that detection cannot. Banks and fintechs that build these now will have a meaningful posture before the threat scales to Indian volumes.

Third, the most important signal in the paper is not any single proposal. It is the underlying admission that detection alone is not enough. A regulator with India's UPI scale could have responded by mandating better fraud detection. Instead, they are mandating structural controls. That is the philosophical shift worth tracking, because it is the same shift the most thoughtful US fraud product leaders have already started making at the institution level.

The direction matters more than the details

The May 8 feedback deadline is real, and the specific proposals will be debated. Some will be implemented in modified form. Others will not survive industry pushback. The details matter less than the direction.

The direction is that real-time payment fraud has outpaced what detection alone can catch, and the institutions and regulators handling this best are the ones who have already stopped pretending otherwise.

Reactions welcome, especially from anyone who has worked on these problems on either side of the Pacific.


Shyam Menon is a product leader specializing in fraud and identity in financial services. This is part of an ongoing series on the architecture of trust in financial services. He writes at shyammenon.com.