UPI has seen record-breaking growth, with over 13 billion transactions recorded in April 2024 alone. Its popularity and ease of use have made it a target for fraudulent activities. In its Annual Press Conference, the Indian Cybercrime Coordination Centre (I4C, Ministry of Home Affairs) reported a rising trend of financial cybercrimes. The modus operandi (MO) of these scams is varied and dynamic.
When one scamming MO is thwarted, others emerge immediately. As fraudsters become more sophisticated, effective regulatory coordination and data-sharing among system participants are critical to safeguarding users at scale and thwarting bad actors’ attempts, be they individuals or organised crime syndicates.
Scamsters not only exploit social engineering tactics and users’ naïveté about certain UPI features to defraud users, but often also compromise security PINs, KYC information, SIM cards, or bank accounts through malicious URLs or apps without directly interacting with users.
While awareness campaigns and in-app security measures can help protect users from scams before they occur, post-scam recourse channels for the users, as well as streamlined complaint registration, information sharing, and investigative methods, are equally critical.
Today, when users try to contact the UPI app over which the fraudulent transaction may have occurred, or the bank they are associated with, they are redirected to the nearest police station, the National Cybercrime Reporting Portal (NCRP), or its helpline number, 1930, where they can file a complaint.
This then triggers an initial investigation by the Law Enforcement Agencies (LEAs) of the respective jurisdiction. The underlying database of NCRP is the Citizen Financial Cyber Fraud Reporting Management System (CFCFRMS). Data on frauds is also available in other databases including RBI’s DAKSH, the Ministry of Home Affairs’ CyberSafe, NPCI’s Real-Time Fraud Risk Monitoring and Management System, and the Crime and Criminal Tracking Network and Systems (CCTNS).
From publicly available inputs, it is difficult to gauge whether all these databases interact with each other. Fraud data in silos can result in fragmented investigative efforts that are less effective in nabbing criminals and recovering money. An opportunity for robust fraud intelligence is also forgone.
Banks, third-party application providers (TPAPs), and regulatory authorities like the I4C and the Reserve Bank of India all play critical roles, but with fraud data held in silos, a cohesive strategy for fraud reporting and management is harder to implement.
The existing infrastructure provides a solid foundation upon which certain enhancements can be implemented. We discuss these below.
Multi-channel platform
A multi-channel reporting mechanism for digital financial fraud is essential for effective coordination. Victims of fraud via UPI may intuitively reach out to their TPAP or bank to file their concerns, but redirecting them to a different platform may cause drop-offs in the registration process.
It may be helpful to reimagine a future where fraud victims can approach any platform for filing their complaint — their bank, the UPI in-app redress platform, or the NCRP — such that the complaint details get shared with a centralised database. Such a technological solution would serve as a single point of entry for all fraud reports, enabling real-time and digitised data collection and analysis.
All stakeholders, including banks, TPAPs, and customers, would be able to access this platform to report both successful and attempted frauds.
Such a system can ensure that all relevant data is captured promptly and as accurately as possible, providing a comprehensive view of the fraud landscape.
Standardised Data Collection
The presence of different databases for fraud reports may be explained by the different objectives that each entity seeks to fulfil. While RBI’s objectives may be supervisory, NCRP’s is investigative.
However, to enable efficient, consistent, complete, and easily analysable data sharing, all stakeholders would have to gather a minimum common set of data points for every complaint, one that complements their own data collection objectives, and follow a set of data-sharing protocols for this data that can then enable fast analytics.
These common data points may include the amount defrauded; the bank account, mobile number, or UPI ID into which the money had been directed; the bank account details of the complainant; the MO of the fraud; and any screenshots or recordings that the complainant may have.
Graded actions
With standardised fraud data points from multiple databases centralised in a common technological system, robust and expansive analysis of the data entered into it will be possible.
Insights, now enriched with data points from other databases, can include the veracity of incoming complaints, the background risk profile of the accused account, and the risk associated with such a complaint.
The risk score assigned to each complaint can guide stakeholders’ actions with respect to such a case in real-time.
A high risk score associated with the accused bank account in a complaint may trigger the freezing of such an account, while a moderate risk score may imply banks/TPAPs must flag such risk to users who may be transacting with this account, and a low score only requires that the account be actively monitored.
Such graded and risk-proportionate action will result in the efficient use of investigation resources of LEAs, simultaneously creating an intelligence engine rich with historical data on frauds and the actions that they triggered.
The system can also dynamically update the score, which will in turn update the graded response expected from banks, TPAPs, mobile network operators, e-commerce platforms, and LEAs.
Fostering real-time inter-agency collaboration and developing tech-system-driven intelligence can help India build a resilient and secure digital payment ecosystem.
The writers are Researchers at Dvara Research