Project XBY

Asia-Pacific · GDP rank #5

India

IN · INR @ 0.0104/USD

The single most important instant-payments story in the world. UPI cleared 22.35 billion transactions and ₹29 lakh crore (~US$340bn) in April 2026 alone, a +25% YoY expansion. The policy architecture (UPI + RuPay + Aadhaar-eKYC + Account Aggregator + ONDC) is the de facto reference stack for emerging-market digital finance. India is one of five founding IPSs inside BIS Project Nexus.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

₹13.9B +46% vs FY2024

INR · FY2025

Includes card, UPI and net-banking frauds reported by scheduled commercial banks.

Loss rate

~0.5bp

basis points on digital transaction value · FY2025

CNP share of fraud

~70%

% · FY2025

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • UPI-enabled push payment fraud~55%
  • Card CNP~30%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

~95%

% · 2024

Mandatory card-on-file tokenisation since October 2022 — the world's highest penetration.

3DS coverage · CNP

100%

% · 2024

RBI mandates AFA/OTP on all CNP transactions — India was one of the first markets to enforce it.

Biometric mobile wallet txns

~35%

% of digital payments · 2024

Consumer protection

Framework
RBI Circular on Customer Liability + Integrated Ombudsman Scheme
Max consumer liability
₹5,000–₹25,000 depending on transaction type and reporting delay; zero if reported within 3 working days
Liability rules
Zero liability for unauthorised transactions reported within 3 working days. Between 4-7 days, liability capped per transaction type (₹5k-25k). After 7 days, subject to bank policy. All scheduled commercial banks must run Enhanced Customer Due Diligence for transactions above ₹50k.

Source · RBI

Security standards

  • Card-on-File Tokenisation (mandatory Oct 2022)
  • Additional Factor of Authentication (AFA) for all CNP
  • RBI Master Direction on Digital Payment Security Controls (2021)
  • UPI 2.0 pre-authorised transaction mandates