UPI has made payments in India incredibly easy. Scan a QR, enter PIN, done. But that same simplicity has created a new fear for millions of Indians: UPI fraud.
Every day, people lose money to fake calls, incorrect collection requests, QR code tricks, or fake customer care numbers. And once the money is gone, the biggest confusion begins:
Who is legally responsible for UPI fraud: the bank, the app, or the user?
This blog answers that question honestly, legally, and practically, without blaming victims and without spreading myths.
Last Month, one of my friends lost ₹75,000 through a fake collection request. Reported within 2 hours.
The bank initially rejected the claim, citing “user authorised”. He approached the RBI Ombudsman.
The bank was directed to refund the amount due to the delayed response and lack of fraud alerts.
The law worked because the action was timely.
First, Understand What Counts as UPI Fraud
UPI fraud is not one single thing. It happens in many ways:
- Sharing UPI PIN or OTP due to fake calls
- Accepting a fraudulent “collect request.”
- QR code scams promising refunds or prizes
- Fake customer care numbers found online
- Remote access apps used to control a phone
In most cases, the transaction looks “authorised” on paper, which is why responsibility becomes legally complex.
The Big Myth: “UPI Fraud Means User Is Always at Fault”
This is what most banks and apps want you to believe. But legally, that’s not always true.
Indian law and RBI guidelines do not hold the user responsible for every UPI fraud.
Responsibility depends on:
- How the fraud happened
- How quickly it was reported
- Whether security systems failed
- Whether the RBI guidelines were followed
Role 1: Is the User Legally Responsible?
The user may be held responsible when:
- UPI PIN was knowingly shared
- Warnings were ignored repeatedly
- Fraud was reported very late
However, even in these cases:
- Sharing OTP/PIN is not a crime
- User is a victim, not an offender
- Liability is not automatic or absolute
RBI rules focus on limiting customer liability, not punishing victims.
Role 2: Is the Bank Responsible for UPI Fraud?
Banks play a critical role in UPI transactions.
A bank can be held legally responsible if:
- Transaction alerts were delayed or missing
- Multiple suspicious transactions were allowed
- The account was not blocked promptly after the complaint
- RBI cybersecurity norms were violated
If the victim reports fraud within:
- 3 days → Customer liability is usually zero
- 4–7 days → Limited liability
These principles come directly from RBI circulars on digital banking fraud.
Role 3: Is the UPI App (PhonePe, Google Pay, Paytm) Responsible?
UPI apps often say: “We are only a platform.” Legally, that is only partly true.
UPI apps can be questioned if:
- Fraud patterns were ignored
- App security features failed
- Misleading interface caused user confusion
- Grievance redressal was ineffective
Under the Consumer Protection Act, even digital platforms can be held accountable for service deficiencies.
So, Who Is Actually Responsible for UPI Fraud?
There is no single answer.
Legal responsibility is shared based on facts:
- User → duty to protect PIN
- Bank → duty to secure account & respond fast
- UPI app → duty to maintain a safe digital platform
Courts and ombudsman offices decide this on a case-by-case basis.
First 24 Hours After UPI Fraud – Legal Checklist
1. Inform Bank Immediately
Call the bank’s fraud helpline and note the complaint number.
2. Block UPI and Account
Prevent further loss immediately.
3. File Cyber Crime Complaint
File at https://cybercrime.gov.in
4. Send Written Complaint
Email bank and UPI app with transaction details.
Can You Get a Refund in UPI Fraud Cases?
Yes, many victims do; especially when:
- Fraud was reported quickly
- Bank systems showed lapses
- The victim escalated legally
If the bank refuses:
- Escalate to the grievance officer
- Approach the RBI Banking Ombudsman
- File a consumer court complaint
UPI fraud refunds are not charity; they are legal outcomes.
What NOT to Do After UPI Fraud
- Don’t wait, hoping money will return
- Don’t rely only on customer care calls
- Don’t accept bank rejection blindly
- Don’t feel ashamed; fraud can happen to anyone
How to Protect Yourself Going Forward
- Never approve unknown collection requests
- No one needs OTP/PIN to send you money
- Verify customer care numbers only from official sites
- Enable transaction alerts always
UPI fraud cases are increasing, but so is legal awareness. Victims are no longer helpless.
Responsibility is shared, and the law decides accountability, not bank scripts.
If you act fast, document everything, and escalate legally, justice is possible.
— — —
Disclaimer:
This article is published for general legal awareness and informational purposes only, and should not be construed as legal advice or a solicitation to act.
About the Author:
Joginder Poswal is an advocate enrolled with the Bar and practising law, specialising in cyber law, criminal law, and corporate compliance.
For more information, please refer to the contact details provided on this website.