When the Unified Payments Interface (UPI) was launched in 2016, many doubted whether it would succeed and whether people would adopt it. But today, it is used by billions of people all over India. From a roadside vendor to a supermarket, parking to a five-star hotel, platform to a flight ticket, there are hardly any places in India where UPI has not penetrated.
UPI is widely regarded as India’s flagship Digital Public Infrastructure (DPI) due to its profound economic impact and its role as a global blueprint for digital payments.
Today, UPI is an irrefutable cornerstone of India’s digital landscape. It has reshaped economic life by enabling instant, low-cost transactions while accelerating the formalisation of the informal sector and enhancing financial inclusion.
However, these advancements are not without risks. Let us now turn to the challenges that accompany this digital revolution.
Prevailing Risks and Challenges
Though UPI is witnessing remarkable growth, some risks and challenges still prevail, such as an increase in fraud cases over the years.
According to the Ministry of Finance and Parliament data released in 2025, incidents of fraud in domestic UPI transactions rose by 85 percent in FY2023-24 compared to the previous year.
While the 85 percent rise in UPI fraud in FY24 is a serious concern, it also exposes inherent vulnerabilities in the rapid deployment of India’s DPI model. This highlights the critical policy challenge of balancing the extraordinary success of financial inclusion with the necessary structural resilience to combat sophisticated cyber threats effectively (MoF 2025; RBI 2025).
The reported cases nearly doubled from 7.25 lakh in Financial Year (FY) 2023 to 13.42 lakh in FY 2024. During the same period, the financial loss increased from ₹573 crore to ₹1,087 crore (MoF 2025; RBI 2025).
However, the volume of transactions also exploded over the years, which means that the fraud-to-sales ratio remains relatively low compared to global standards.
Additionally, the Reserve Bank of India (RBI) made it mandatory for all UPI apps to display the beneficiary’s name to stop fraud (RBI, 2025).
The increase in UPI fraud is not merely an operational failure but is rooted in two main structural challenges:
- Technological Gaps in Infrastructure: There is a “velocity-security mismatch” in the present digital framework. While the front end (i.e. fintechs) makes near-instant payments, the back-end institutional mechanisms for grievance redressal (i.e. banks) remain slow and old-fashioned. This creates a window for scammers to operate without fear of immediate detection and has to be addressed at the earliest.
- Socio-Demographic Vulnerabilities: No doubt, UPI has expanded rapidly across the spectrum and is technically well-connected. However, it also connects vulnerable users who are digitally illiterate. These users, often rural and elderly people, are exploited by scammers through so-called “assisted” transactions. Therefore, there is an urgent need to expand digital literacy so that thousands of vulnerable people can be saved from scammers.
Policy Paradox
The implementation of the DPDP Rules 2025 marks a transition from voluntary privacy to mandatory accountability. Despite the existence of the law, there is still a gap in institutional knowledge among millions of UPI users who are unaware of their new rights, such as the right to withdraw consent or seek grievance redressal within a 90-day window.
The structural challenges mentioned above need a strong policy framework. Its elements are:
- Framework to address the Institutional Gap: Institutional Accountability. Institutional accountability is essential, as hard-earned money is lost to scams more often. Therefore, to address the increase in fraud incidents and improve digital governance, the “Consensus of Care” model, under which financial intermediaries (i.e. banks) are held legally responsible for fraudulent transactions, is pertinent. This increases the “velocity of security”, as the burden shifts from the victim to the bank, and thus reduces the risk of fraud. Banks may freeze suspicious transfers and enforce a 24-hour cooling period for high-end transactions, thus avoiding fraudulent transactions and saving users from scammers.
- Digital Inclusion with “Security First” literacy: It is important to focus on security literacy rather than on access. Biometric authentication for welfare-linked accounts is important to fight scams targeting rural and low-income users. Instead of SMS-based OTPs, non-transferable identifiers, such as voice recognition or thumb impressions, can be used. A Local Digital Ombudsman network at the Gram Panchayat level will be more useful for handling grievances and more accessible to marginalised and rural people. Before financial inclusion, the main goal should be to provide financial literacy, security and economic participation for all individuals.
While the notification of the DPDP Rules (2025) provides a statutory force for accountability, the framework’s true success depends on closing the literacy gap for the millions currently entering the digital fold.
It is an undeniable fact that India has achieved a remarkable revolution, evolving into a global leader in digital payments in 2025 by handling approximately 50 percent of the world’s volume. UPI has expanded globally to eight economies by late 2025, including Singapore (via linkage to its PayNow system), the UAE, Mauritius, and the European Union via specific gateways in France and Cyprus (PIB 2025).
This international adoption not only provides convenience for tourists and the diaspora but also positions India’s low-cost DPI model as a viable blueprint for the Global South, directly challenging traditional payment rails like SWIFT and major card networks on the global stage.
This global expansion underscores a structural shift: the export of a public utility as a new standard for international finance.
But the dominance and rapid growth of UPI reveal a critical policy paradox: the pursuit of inclusion and speed has come at the expense of systemic resilience and security – and this demands immediate structural attention. While the sheer volume of transactions grew exponentially, so did the associated risks, with reported fraud incidents surging by 85 percent in FY2023-24 (MoF, 2025).
It is time to redefine the meaning of true financial inclusion by ensuring a secure economic existence for all users. The rise in cyber frauds each year shows the need to move beyond talk of ‘access’ and focus on real institutional accountability. Ensuring safe and secure transactions should become the main vision for a truly inclusive digital India, not a secondary objective.
Conclusion
Earlier this year (i.e. 2025), there was a significant system outage that remains a critical concern. The RBI has issued clear directives on the resilience of core financial infrastructure in its Master Directions on Cyber Resilience and Digital Payment Security Controls (updated in July 2024 and enforced for large operators by April 1, 2025). These mandate that critical systems like UPI/RTGS should have complete Business Continuity Plans (BCP) in place to ensure smooth, uninterrupted transactions for users, mainly during unexpected outages.
As per these directions (i.e. current regulations), any outage of critical systems or infrastructure should be reported to the RBI within six hours of detection.
Major payment system operators were required to comply with these enhanced cyber resilience and reporting standards by April 1, 2025.
There is a need for the most advanced security measures, such as mandated beneficiary name display, for all direct and sub-member banks of RTGS and NEFT by April 1, 2025.
As the economy evolves with more integration of emerging technologies such as AI-driven services and an expanding global imprint, there is a need for a stronger regulatory framework.
In August 2025, the RBI’s FREE-AI Framework was released, which addresses seven “Sutras” – guiding principles that mandate accountability, transparency, and clarity in AI-driven financial services.
This should ensure data privacy and cybersecurity risks are effectively addressed.
The new “Authentication Mechanisms for Digital Payment Transactions” Directions 2025 will be implemented from 1 April 2026. There will be a shift towards risk-based authentication, like biometrics and behavioural analytics, to move away from the weaknesses of traditional SMS-based OTPs.
Finally, for UPI to become a sustainable mode of payment worldwide, policymakers should ensure a more resilient, secure, accountable and world-class financial service that can withstand growing risks and protect the interests of users.
The RBI’s new framework, implemented post-2025, ensures that accountability and user protection are no longer just regulatory ideals but primary goals that lie at the very heart of India’s digital financial system.