Decoding the RBI's New Security Shield: What the Latest Anti-Fraud Mandates Mean for Your Digital Wallet

India's RBI has quietly built one of the world's most layered anti-fraud systems: the .bank.in domain, MuleHunter.AI, a telecom fraud signal, and tougher authentication. What each means for your digital wallet, and the one gap it still leaves.
While much of the world is still debating how to police digital payments, India's central bank has quietly been building one of the most layered anti-fraud systems anywhere. Over the last eighteen months the Reserve Bank of India has rolled out a bank-only internet domain, an AI that hunts the "mule" accounts scammers rely on, a live telecom-to-bank fraud signal, and tighter authentication on every digital payment. Taken together, it is a genuine security shield around your digital wallet. Here is what each layer does, what it means for you, and, just as honestly, the one big gap it does not yet cover.
On this page
- The .bank.in domain: killing phishing at the root
- MuleHunter.AI: hunting the accounts that move stolen money
- The Fraud Risk Indicator: your telecom network warns your bank
- Stronger checkout: tokenisation and two-factor everywhere
- The fraud "brain" being built: DPIP
- How India compares to the UK, Singapore and the EU
- What this means for you
- FAQs
- Sources
The .bank.in domain: killing phishing at the root
Most banking fraud starts with a fake website or a fake link. The RBI's answer is unusually direct: give banks a domain that scammers cannot register. Announced in the February 2025 monetary policy and made binding by an operational circular on 22 April 2025, every Indian bank must move to an exclusive .bank.in domain, with non-bank financial companies moving to .fin.in. The domains are allocated and verified by IDRBT, the banking sector's own technology institute, and banks were told to migrate by 31 October 2025.
What it means for you: once migration completes, a genuine bank address ends in .bank.in. If a "bank" site or link uses anything else, treat it as suspect. This is a stronger approach than the voluntary .bank programmes in the United States and United Kingdom, because in India the domain is mandatory and gate-kept by a regulated registrar, not sold to whoever asks.
MuleHunter.AI: hunting the accounts that move stolen money
When you are scammed, the money rarely stays put. It is funnelled through "mule" accounts, ordinary-looking accounts rented or tricked out of real people, to launder and disappear the funds. The RBI Innovation Hub built MuleHunter.AI to find them. The model studies 19 distinct patterns of mule behaviour and, in pilots with two large public-sector banks, reported over 85% accuracy and flagged roughly 20,000 suspected mule accounts a month.
It is still a pilot rather than a nationwide deployment, but it is genuinely novel: no other major central bank's innovation arm has built and shared a centralised AI mule-detection model of this kind. What it means for you: a faster freeze on the account your money was pushed into improves the slim chance of recovering it, and cuts off the pipeline that funds the next scam.
The Fraud Risk Indicator: your telecom network warns your bank
This is the most quietly ambitious piece. India's Department of Telecommunications runs a Financial Fraud Risk Indicator (FRI), launched in May 2025, that scores mobile numbers as Medium, High or Very High risk using cybercrime reports, its Chakshu reporting platform, and bank inputs. On 30 June 2025 the RBI advised all banks to plug that signal directly into their transaction systems. In plain terms, if a number has been widely reported for fraud, your bank can now see that at the moment a payment is being made to it, and can warn, delay, or hold the transfer.
Early adopters include PhonePe, ICICI, HDFC, PNB, Paytm and India Post Payments Bank. The DoT reports that in its first four months the system helped stop over 4.8 million fraudulent transactions and protect more than ₹140 crore, figures that are government-reported and not independently audited, but striking nonetheless. Wiring a country's telecom fraud intelligence straight into bank payment controls is architecturally bolder than what most peers have attempted.
Stronger checkout: tokenisation and two-factor everywhere
Two older but important layers have been tightened. Under tokenisation (card-on-file tokenisation, mandatory since 2022), merchants can no longer store your real card number; they hold a useless token unique to that card, merchant and device, so a merchant breach does not spill your card. And under the RBI's Authentication Mechanisms for Digital Payment Transactions Directions, 2025 (issued 25 September 2025), two-factor authentication becomes mandatory for all domestic digital payments from 1 April 2026, and the extra authentication step extends to cross-border card-not-present payments from 1 October 2026. What it means for you: that international online payment which used to go through on card details alone will soon ask for a second factor, closing a long-exploited gap.
The fraud "brain" being built: DPIP
The RBI's most forward-looking project is the Digital Payments Intelligence Platform (DPIP), a network for banks to share fraud intelligence in near real time instead of each fighting alone. It is being built through a dedicated not-for-profit company, IDPIC, incorporated in October 2025, with the State Bank of India taking a 50% stake. It is important to be accurate here: DPIP is under construction, not yet live in full form. A first-phase "negative registry" that pools data from telecom, the national cybercrime database and banks is the precursor. When complete, it would let a fraud spotted at one bank instantly raise defences at every other.
How India compares to the UK, Singapore and the EU
On the infrastructure of defence, prevention, detection and shared intelligence, India is moving faster and more prescriptively than most. But a credible verdict has to be honest about where it still trails, and it does so on one thing: paying victims back.
- United Kingdom: since 7 October 2024, reimbursement for authorised push payment (APP) scams, where you were tricked into sending the money yourself, is mandatory, up to £85,000 per case, split between the sending and receiving banks.
- Singapore: a Shared Responsibility Framework has been live since 16 December 2024, assigning banks and telcos clear duties and liability for phishing losses.
- European Union: under the Instant Payments Regulation, a mandatory Verification of Payee (a name-versus-account match warning) applies to euro-area providers from 9 October 2025.
India has strong pieces of this. UPI apps have shown the payee's verified bank name at checkout since June 2025, and a proposal in 2026 would add a short cooling delay on large payments to new payees. But it protects consumers only against unauthorised transactions, under the RBI's 2017 zero-liability rules. For authorised scam payments, where a victim is manipulated into paying, there is still no enacted reimbursement law. A March 2026 RBI draft proposes limited compensation, but capped at just ₹25,000, once in a lifetime, and it is not yet in force. Next to the UK's £85,000 mandatory scheme, that gap is the clearest sign of where India's shield still needs building.
What this means for you
- Trust the .bank.in address. As banks migrate, treat any banking link that is not on .bank.in (or .fin.in for finance firms) as a red flag.
- Expect an extra step on international payments. The added authentication from 2026 is protection, not friction for its own sake.
- Report unauthorised transactions within 3 working days. Under the RBI's zero-liability rules, reporting a fraud you did not authorise within three working days generally means zero liability, and the bank must credit you provisionally within 10 working days.
- The shield does not cover scams you were tricked into approving. If you willingly sent money to a fraudster, none of these layers guarantees a refund. Slow down on any unsolicited "urgent" payment, and report scams immediately at cybercrime.gov.in or the helpline 1930, which also improves the odds of a freeze upstream.
Frequently asked questions
What is the .bank.in domain? An exclusive internet domain that only verified Indian banks can use, allocated by IDRBT, to make phishing sites easier to spot. Banks were to migrate by 31 October 2025.
Will two-factor authentication slow my payments down? Slightly, and deliberately. From 1 April 2026 it is mandatory on domestic digital payments, and from 1 October 2026 on cross-border card-not-present payments.
If I get scammed, will RBI's rules refund me? Only for unauthorised transactions reported quickly. If you were tricked into authorising the payment yourself, there is no enacted reimbursement scheme yet; a small draft proposal exists but is not law.
Is DPIP live? Not yet. The company running it (IDPIC) was set up in October 2025 and the platform is still being built.
Sources
- Reserve Bank of India, Statement on Developmental and Regulatory Policies (7 Feb 2025) and .bank.in operational circular (22 Apr 2025); IDRBT registrar details.
- RBI Innovation Hub, MuleHunter.AI project page and pilot coverage.
- Department of Telecommunications, Financial Fraud Risk Indicator (May 2025); RBI advisory to banks (30 Jun 2025).
- RBI, Authentication Mechanisms for Digital Payment Transactions Directions, 2025 (25 Sep 2025); card-on-file tokenisation notifications.
- Indian Digital Payment Intelligence Corporation (IDPIC) incorporation; RBIH DPIP project page.
- RBI, Customer Protection – Limiting Liability circular (2017); RBI draft on APP-fraud compensation (Mar 2026).
- UK Payment Systems Regulator (APP reimbursement, Oct 2024); MAS Shared Responsibility Framework (Dec 2024); EU Instant Payments Regulation / Verification of Payee (Oct 2025).
- RBI Annual Report 2024–25; PIB digital-payments release (UPI volume).
Scammed despite the safeguards? You are not alone. See our country-by-country cybercrime help hub for how to report and try to recover, step by step.