Introduction to India's Payment Risk Control Mechanism

India's payment risk control mechanism is a multi-layered system designed to secure electronic transactions, prevent fraud and maintain the stability of the financial system. The following are the core framework and features of risk control in the Indian payments industry:


1. Regulators and compliance frameworks

  • RBI (Reserve Bank of India): Leads the regulation of payment systems and issues guidelines such as the Payment Systems Security Framework.
  • PCI-DSS compliance: All payment gateways that process credit card data must comply with this international standard.
  • DPSS (the RBI's Department of Payment and Settlement Systems): Oversees the risk management of real-time settlement systems (e.g., IMPS, UPI).

2. Core risk control techniques

  • Real-time transaction monitoring:
    • AI/ML-based anomaly detection (e.g., large transfers, high-frequency transactions).
    • The UPI platform's "30 transactions per second" rate limit rule.
  • Multi-Factor Authentication (MFA):
    • Mandatory use of two-factor authentication (OTP + biometrics/MPIN).
    • Aadhaar e-KYC integrated authentication.
  • Device Fingerprinting and Behavioural Analysis:
    Detect suspicious behaviour such as a change of device or a sudden change in IP geolocation.

3. Specialised risk control for the UPI ecosystem

  • Limit control:
    • P2P transfers have a per-transaction limit of ₹10,000 (about $120); limits for merchant payments are higher.
    • Some banks set daily cumulative limits (e.g. ₹10 lakh).

4. Merchant-side risk control measures

  • Dynamic risk assessment models:
    • Merchants are scored on industry, transaction history, refund rates and other factors; high-risk merchants (e.g., gambling, cryptocurrencies) may be restricted or shut down.
    • RBI requires periodic filing of Suspicious Transaction Reports (STRs).
  • Delayed settlement (T+n):
    Settlement to newly registered or high-risk merchants may be delayed by 1-3 days to allow manual review of unusual transactions.


5. Counter-fraud and dispute resolution

  • Automatic blocking rules:
    • Detect fraudulent behaviour such as "the same card number attempted on multiple platforms within a short period of time".
    • The NPCI (National Payments Corporation of India) Fraud Monitoring System shares blacklist data across banks.
  • Consumer protection mechanisms:
    If a user reports an unauthorised transaction (e.g. OTP leakage), the bank is required to investigate and refund the money within 10 days (an RBI mandate).
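
The automatic blocking rule quoted above (one card number tried on multiple platforms within a short period) can be expressed as a sliding-window velocity check. The sketch below is an added example, not code from NPCI, RBI or any bank; the 10-minute window, the threshold of three platforms, the `tok_*` card tokens and the platform names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; the page states no concrete values.
WINDOW = timedelta(minutes=10)
MAX_PLATFORMS = 3

def flag_card_velocity(events, window=WINDOW, max_platforms=MAX_PLATFORMS):
    """Alert when one card is tried on more than max_platforms distinct
    platforms inside a sliding time window.

    events: iterable of (timestamp, card_token, platform) in any order.
    card_token is a tokenised card reference, never a raw card number.
    """
    recent = defaultdict(deque)  # card_token -> (timestamp, platform) inside window
    alerted = set()              # cards currently over threshold (suppresses repeats)
    alerts = []
    for ts, card, platform in sorted(events):
        attempts = recent[card]
        attempts.append((ts, platform))
        while ts - attempts[0][0] > window:  # evict attempts older than the window
            attempts.popleft()
        platforms = {p for _, p in attempts}
        if len(platforms) > max_platforms:
            if card not in alerted:
                alerted.add(card)
                alerts.append({"card": card, "at": ts, "platforms": sorted(platforms)})
        else:
            alerted.discard(card)  # re-arm once the card drops back under threshold
    return alerts

T = datetime.fromisoformat
SAMPLE_EVENTS = [  # constructed sample data, not real transactions
    (T("2023-11-10T10:00:00"), "tok_A", "shop1"),
    (T("2023-11-10T10:01:00"), "tok_A", "shop2"),
    (T("2023-11-10T10:02:30"), "tok_A", "wallet3"),
    (T("2023-11-10T10:04:00"), "tok_A", "travel4"),  # 4th platform in 4 min: alert
    (T("2023-11-10T10:05:00"), "tok_A", "shop5"),    # still over: no duplicate alert
    (T("2023-11-10T09:00:00"), "tok_B", "shop1"),
    (T("2023-11-10T09:30:00"), "tok_B", "shop2"),
    (T("2023-11-10T10:00:00"), "tok_B", "wallet3"),
    (T("2023-11-10T10:30:00"), "tok_B", "travel4"),  # 4 platforms over 90 min: quiet
    (T("2023-11-10T10:03:00"), "tok_C", "shop1"),
    (T("2023-11-10T10:03:20"), "tok_C", "shop1"),    # retries on one platform: quiet
]

if __name__ == "__main__":
    for alert in flag_card_velocity(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct platforms rather than raw attempts keeps a customer retrying a declined payment on one site (`tok_C`) from tripping the rule, and the window keeps a card used normally across the day (`tok_B`) quiet.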


6. Frontiers of AI and big data applications

  • Predictive analysis: Identify seasonal fraud patterns (e.g., a spike in phishing attacks during the holiday season) through historical data.
  • Speech/Semantic Analysis: Monitor customer service interactions for fraud cues (e.g., impersonating a customer to request an account reset).

Challenges and trends

  1. Growth in social engineering attacks: About 35% of payment fraud in India in 2023 stemmed from SIM swap fraud or fake UPI QR codes.
  2. Cross-border payment risk control: RBI is promoting co-operation with international agencies to combat cross-border money laundering.
  3. Biometric adoption: Aadhaar facial recognition and fingerprints are gradually replacing traditional OTPs to reduce the risk of man-in-the-middle attacks.
