UPI Fraud Controls Are Too Late — Risk Builds Before the Transaction


In this expert article, Manish Thakwani, Head of Business Development for India & South Asia at JuicyScore, examines the Reserve Bank of India proposal to introduce delays on higher-value UPI transactions — and what it reveals about how fraud is currently addressed. More importantly, he explains why these controls may fail to stop fraud where it actually begins — and what needs to change if the goal is to reduce risk without slowing down payments.
There’s been a lot of discussion around UPI fraud and how to address it.
The RBI’s proposal to introduce a delay on higher-value UPI transactions is a response to a real and growing problem. It reflects a broader shift toward stronger, more preventive controls.
But it also reveals a deeper assumption: that fraud can be stopped at the moment of transaction.
In practice, that’s already too late.
Most fraud controls today are still applied at the point of payment:
These are all transaction-stage interventions.
But by the time a transaction is initiated, the risk has already formed.
Modern fraud is not evenly distributed: it is behavioural, clustered, and often shaped by factors like communication patterns, geography, and timing.
APP fraud, in particular, is not about breaking systems, but manipulating people.
It unfolds as a sequence:
The transaction is simply where the fraud becomes visible, not where it begins.
If the objective is to reduce fraud without introducing unnecessary friction, detection needs to move earlier.
Risk signals exist before the payment event — especially across telecom and behavioural layers — but they are not yet fully integrated into decision-making.
A large part of these early signals sits outside the payments layer altogether — in telecom infrastructure. SIM swaps, device re-binding, number spoofing, and abnormal communication patterns often precede fraudulent transactions by minutes or even hours.
Yet today, these signals are rarely connected to real-time payment decisioning — making telecom one of the most critical missing layers in fraud prevention architecture.
In practice, this requires a shift from point-in-time checks to continuous risk context across the user journey.
That includes signals such as:
Individually, these signals may not be decisive. Together, they provide early visibility into how risk is developing.
A delay is a control. It is not a strategy.
Uniform controls applied to a non-uniform risk environment will either over-intervene or miss where risk is actually concentrated.
This challenge is further amplified by fragmentation across the ecosystem. Different PSPs operate with different risk standards, controls, and response mechanisms — allowing fraud to migrate toward the weakest point in the system rather than being eliminated.
In real systems, fraud prevention is adaptive:
This allows systems to preserve speed for legitimate users while intervening where risk is actually present.
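One way the idea above could look in a decision service, as an added sketch that is not from the article or from JuicyScore: telecom and device events recorded before the payment are turned into a risk context, and friction is applied only when that context is risky. The signal weights, lookback windows, thresholds and the INR amount are assumptions for illustration, and the events are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed lookback window and weight per pre-transaction signal (illustrative only).
SIGNALS = {
    "sim_swap":       (timedelta(hours=24), 50),
    "device_rebind":  (timedelta(hours=12), 30),
    "abnormal_comms": (timedelta(minutes=30), 25),
}
STEP_UP_AT, HOLD_AT = 40, 70   # assumed score thresholds
HIGH_VALUE_INR = 10_000        # assumed cut-off for "higher-value"

@dataclass(frozen=True)
class Event:
    user: str
    kind: str
    at: datetime

def risk_context(user, now, events):
    """Score the signals seen for this user before `now`, each within its own window."""
    score, reasons = 0, []
    for kind, (window, weight) in SIGNALS.items():
        hits = [e.at for e in events if e.user == user and e.kind == kind
                and timedelta(0) <= now - e.at <= window]
        if hits:
            minutes = int((now - max(hits)).total_seconds() // 60)
            score += weight
            reasons.append(f"{kind} {minutes} min before payment")
    return score, reasons

def decide(user, amount_inr, now, events):
    """Adaptive control: hold only risky high-value payments, step up other risky ones."""
    score, reasons = risk_context(user, now, events)
    if score >= HOLD_AT and amount_inr >= HIGH_VALUE_INR:
        return "hold", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons

# Constructed sample events; T0 is the moment the payment is initiated.
T0 = datetime(2025, 1, 10, 12, 0)
EVENTS = [
    Event("alice", "sim_swap", T0 - timedelta(minutes=90)),
    Event("alice", "device_rebind", T0 - timedelta(minutes=40)),
    Event("bob", "device_rebind", T0 - timedelta(days=3)),   # stale, outside window
    Event("carol", "sim_swap", T0 - timedelta(hours=2)),
]
```

A uniform delay would treat `bob` and `alice` the same for a 50,000 INR payment; here `bob` passes untouched while `alice` is held with the reasons attached for the analyst.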
As fraud becomes more behavioural and ecosystem-driven, the question shifts.
It is no longer just about rules or models. It is about the quality, continuity, and connection of signals behind each decision.
This also points to a broader requirement: improving individual controls is not enough without shared intelligence across the ecosystem. Without coordination, detection remains siloed — and fraud patterns continue to repeat across institutions.
Device intelligence plays an important role here as one of the core input layers:
It does not replace other controls — but it strengthens them by adding context where it matters most.
India has built one of the fastest payment systems in the world. The next step is not to slow it down — but to make risk decisions smarter.
Fraud is not a moment in time. It is a sequence.
And systems that act only at the transaction stage are already too late.
If you’re working on fraud risk or UPI flows and want to see how this works in practice, you can book a demo with me and the team — happy to walk through how device intelligence helps detect risk earlier in the user journey and support real-time decisions.
