RBI’s April 9 discussion paper proposes a mandatory 1-hour hold on all UPI transfers above Rs 10,000. For businesses that depend on intraday settlement to pay suppliers, this isn’t a fraud measure — it’s a cash flow event.
The Morning Your Supplier Won’t Wait
Your fresh produce vendor shows up at 6 AM. He’s got tomatoes, onions, coriander — the whole morning load for your restaurant. He wants Rs 22,000 via UPI before he unloads. You open PhonePe, scan, enter the amount, authenticate. The money leaves your account immediately.
Under the RBI’s new proposal, it doesn’t reach his.
For up to one hour, that Rs 22,000 sits in limbo. Your vendor is standing at your door with a truck. He can’t see the credit. You can’t prove it’s coming. And technically, you could cancel the transfer during that window.
This isn’t hypothetical. On April 9, 2026, the RBI published a discussion paper titled "Exploring safeguards in digital payments to curb frauds." Among four proposed options, the headline measure is a mandatory 1-hour cooling-off period on all account-to-account transfers above Rs 10,000 — UPI, IMPS, and NEFT included.
The comment window closes May 8, 2026. After that, draft guidelines follow. No final-rule date has been announced.
The exemptions matter: merchant payments (P2M), e-mandates, NACH auto-debits, and recurring bill payments are carved out. But every payment from one bank account to another — the way most SMEs pay their suppliers, freelancers, and informal vendors — is in scope.
The Problem Isn’t Fraud. It’s the Remedy.
The fraud numbers are real. Digital payment fraud hit Rs 22,931 crore in 2025, up from Rs 551 crore in 2021 (CyberPeace, citing Finance Ministry Lok Sabha data). Case volume went from 2.6 lakh to 28 lakh in the same period. A LocalCircles survey from June 2025 found 1 in 5 families with a UPI user experienced fraud at least once over three years, and 51% of victims never reported it.
The dominant type is Authorised Push Payment fraud — social engineering where victims are coerced into initiating the transfer themselves. The RBI’s own paper acknowledges this: fraudsters "rely on creating urgency and maintaining continuous psychological pressure." The system isn’t being hacked. People are being manipulated.
Here’s where proportionality breaks down.
UPI processed 22.64 billion transactions worth Rs 29.53 lakh crore in March 2026 alone (NPCI Product Statistics). UPI-specific fraud for FY2024-25 was Rs 981 crore — that’s 0.00033% of total transaction value. Even using the broader Rs 22,931 crore figure across all digital channels and doubling it for underreporting, you’re under 0.01%.
The proposal creates system-wide float friction on 100% of P2P transfers above Rs 10,000 to address fraud in a fraction of a fraction of them.
And the businesses that absorb this friction are the ones least equipped to handle it. MSMEs already wait approximately 195 days beyond agreed payment terms for their receivables (Credable industry analysis). Over 80% report delayed payments according to the same data set. An estimated Rs 10.7 lakh crore sits locked in receivables annually. The SMEs we build for typically carry less than a month of cash — the global average is 27 days. These are not entities with liquidity buffers.
A restaurant spending Rs 15,000-50,000 daily on raw materials — virtually all above Rs 10,000 — now has every vendor payment sitting in a 1-hour hold. A D2C seller whose marketplace settlement already takes T+7 to T+15, who urgently redeploys that cash to restock via UPI, now watches it freeze for another hour at the worst possible moment.
No Country That Reduced Fraud Chose This Approach
The global evidence is clear, and it cuts against blanket delays.
The UK launched Confirmation of Payee in 2020 — a pre-authorization name check that adds zero delay to payments. Result: 17% reduction in APP fraud, with 88% of in-scope fraud money returned to victims by June 2025 (Pay.UK, PSR Annual Report 2024-25). They also introduced mandatory reimbursement for APP fraud victims, capped at GBP 85,000.
The EU went live with Verification of Payee in October 2025 — IBAN-name matching before authorization, no delay. Their Instant Payments Regulation mandates 10-second settlement and explicitly prohibits charging more for instant transfers.
Australia’s CommBank NameCheck saved AU$650 million in 18 months with a 70% reduction in scam losses — no blanket delay. Their Scams Prevention Framework allows targeted holds on flagged accounts only, not universal delays.
Singapore’s 12-hour cooling-off applies only to new device activations, not per-transaction. Their 2025 results: scam cases down 27.6%, losses down 17.9%.
South Korea tried something closer to what the RBI is proposing — a voluntary, opt-in delay system. In a 2025 crypto analog, 59% of fraudulent accounts bypassed the mandatory withdrawal delays entirely, and 75.5% of fraud losses occurred despite the delay mechanism (CoinDesk).
The pattern is consistent. Pre-authorization verification works. Targeted interdiction works. Blanket delays don’t.
The RBI already has a piece of this puzzle. MuleHunter.AI, launched in December 2024 and piloted at two public sector banks, uses ML to identify mule accounts in real time — catching the destination without slowing the source. The April 9 paper itself proposes a customer-controlled kill switch. Both are targeted. Neither requires freezing every transfer above Rs 10,000.
What You Can Do Before May 8
The comment deadline is May 8, 2026, via the RBI’s Connect 2 Regulate portal. This is a discussion paper, not an enacted rule. The final form will depend on the feedback received.
Map your exposure this week. Pull your last 90 days of UPI outflows. Filter for P2P transfers above Rs 10,000 — payments to individual accounts, not merchants with payment gateways. That’s your affected volume. For the SMEs we’ve built payment systems for, this is 60-80% of supplier payments.
Identify your time-sensitive flows. Which of those payments happen in a context where a 1-hour delay creates an operational problem? Morning vendor payments. Freelancer settlements on delivery. Same-day stock replenishment. COD remittance cycles. List them.
Understand the exemptions. P2M payments are carved out. If your vendor has a Razorpay or Cashfree payment link, that transaction may not be affected. But the vegetable supplier, the packaging vendor, the daily-wage contractor — they’re receiving into personal accounts. Those are P2P.
Start building a whitelist now. The proposal explicitly allows whitelisting of pre-approved beneficiaries to bypass the delay. If the rule goes through in any form, a clean, verified list of your regular payment recipients — with account details confirmed — is the difference between a minor adjustment and daily chaos.
Submit operational data, not abstract opposition. The RBI portal accepts structured feedback. Transaction volumes, delay scenarios, and cash flow impact numbers land harder than open letters.
Where It Gets Structurally Harder
The whitelisting and exemption logic sounds straightforward until you look at how payments actually flow through your systems.
Your accounting software — whether it’s Zoho Books or Tally — currently treats UPI payments as binary: success or fail. Under this proposal, there’s a third state: provisionally debited, credit pending, reversible for up to 60 minutes. Zoho fires a payment-confirmed trigger on debit notification. If the sender cancels during the hour, Zoho has recorded a receipt that must be reversed. There’s no native support for this.
Tally doesn’t handle provisional payment states at all. You’d need a "payment in transit" general ledger entry that auto-resolves — or doesn’t. Month-end close now requires a new check: are any payments sitting in "debit confirmed, credit pending" at 11:59 PM?
If you use Cashfree Payouts or RazorpayX for vendor disbursements, their APIs will need to expose a new intermediate status between payment.captured and settled. Webhook schemas change. Reconciliation logic changes. Settlement reporting needs to distinguish provisionally-debited from fully-settled.
The EY India Treasury Survey 2025 found that over 70% of treasury teams still rely on spreadsheets — a number that matches what we see when we onboard mid-size businesses. Nearly 50% rank automation as their top priority, but fewer than 25% have launched any pilot. For these teams, a third payment state isn’t a software update — it’s a process redesign they’re not staffed for.
And then there’s the question nobody is asking yet: if UPI-CBDC interoperability goes live — the RBI has signaled intent but set no firm date, does the 1-hour delay apply to digital rupee wallet-to-wallet transfers? The April 9 paper doesn’t address it. That’s a potential arbitrage channel sitting wide open.
The whitelist management, the provisional state handling in your ledger, and the reconciliation pipeline for reversible debits — that’s where the actual system design decisions will land.
---
Related reading
- [Your ITC Is Leaking. The April 2026 GST Changes Made It Worse.](/blog/gst-itc-reconciliation-ims)
- [Your Payroll System Was Not Built for a 48-Hour Clock](/blog/payroll-fnf-48-hour-compliance)
- [Your FSSAI License Is Now Perpetual. Your Compliance Obligations Just Got Harder to Track.](/blog/fssai-perpetual-license-compliance-april-2026)
← All posts
