By Sunil Garodia
First published on 2026-06-18 07:20:36
Every year, India loses tens of thousands of crores to cyber fraud. The government counts it, names it, and convenes panels about it. What it does not do is put the cost where it belongs - on the institutions best placed to stop it.
O.P. Singh, former Director General of Police, Haryana, who built the country's most effective cyber fraud recovery operation and drove Haryana from 23rd to 1st nationally in stolen-money recovery, has now named the reform India refuses to name: make the banks pay. The argument deserves to be heard, and then extended beyond one state's experience into the national policy it demands.
India has built an elaborate system for chasing stolen money after it vanishes. The professionals call the first sixty minutes after a fraudulent transfer the "golden hour" - act within it and you can freeze the money before it is layered through mule accounts and withdrawn at an ATM three states away. Miss it, and you are writing a post-mortem.
The problem is who we ask to win that race. The pensioner. She must realise she has been cheated, master her shame, find the helpline number, and explain a crime she does not yet understand - all inside sixty minutes. Only then does the machine begin to move. We have made the victim the first responder in a contest against professional criminals, and we are surprised when she loses.
This is not principally a technology problem. Where banks and police work in real time - on the same helpline, in the same room - recovery rates rise dramatically. Where they do not, the burden falls back on the victim. The lesson is simple: institutional coordination can recover stolen money. It cannot prevent the theft in the first place.
There is a better arrangement, and Britain has been running it live since 7 October 2024.
Under rules issued by the UK's Payment Systems Regulator, banks must now reimburse victims of authorised push payment fraud - the category that covers digital arrest scams, fake investment schemes, and every variant in which the victim is manipulated into authorising a transfer - up to £85,000, within five business days. The cost is split equally between the sending bank and the receiving bank. For the first time, the institution that opened and maintained the mule account shares the bill for the harm that account enabled.
Watch what that single change does. The receiving bank now has a direct commercial interest in knowing who opens accounts on its books, because every mule it negligently onboards is a liability it will carry. The sending bank develops an interest in flagging the unusual outward transfer, because it will pay too. Liability does what no awareness campaign can: it concentrates the mind of the party holding the data, running the rails, and collecting the fees.
The banking industry's objection is predictable and worth answering directly. The customer authorised the payment, they will say. He typed the OTP. Why should the bank compensate him for his mistake?
The word "authorised" is doing a great deal of misleading work in that sentence. The victim did not choose to send money to a criminal. He was frightened into it - by someone impersonating a CBI officer, an Enforcement Directorate notice, a Supreme Court bench. A consent manufactured through terror is not consent. British regulators understood this precisely, which is why they built a regime covering authorised push payments specifically, rather than pretending that a coerced transfer is indistinguishable from a free one.
The moral hazard objection fails for a second reason: it has already been empirically refuted. India caps cardholder liability for unauthorised card transactions. That cap did not make cardholders reckless. It made banks build fraud detection systems, because the loss became theirs. The same logic applies here. Put mule-account liability on the receiving bank's balance sheet and it will build what only it can build - the account-opening controls that identify a freshly created account receiving two hundred small credits in a single morning.
There is a harder counterargument that deserves honest treatment, because the banks will raise it and it is not entirely wrong. Reimbursement regimes can themselves be gamed. Critics of the British regime have warned that reimbursement systems may themselves be vulnerable to fraudulent claims - organised networks using complicit "victims" to extract refunds on transactions that were never genuine frauds. The answer, however, is not to abandon the framework - it is to build the safeguards into it. The British rules exclude gross negligence, require claims within a defined window, and allow banks to investigate before paying. Reimbursement fraud is a real risk that good design can contain. It is not a reason to leave genuine victims without protection while the banks externalise their losses onto the most frightened people in the country.
There is one further dimension that no government circular will acknowledge. The digital arrest works because the Indian state is feared. The fraudster does not invent his threat - he rents one. He borrows the terror that already exists in the citizen's mind when she imagines an Enforcement Directorate notice arriving at her door. The scam succeeds not because it is clever but because the institutional dread it mimics is entirely credible. A police force whose name can be borrowed to frighten innocent pensioners is not a powerful force. It is a compromised one. Repairing that is the long work of a generation.
The short work is available this year. The Reserve Bank of India does not need a new Act of Parliament. It does not need a constitutional amendment. It already possesses the regulatory authority under the Payment and Settlement Systems Act. What is missing is not power but willingness. Until banks bear a financial cost for the fraud that runs through their rails, fraud prevention will remain an afterthought - a compliance checkbox rather than a business imperative. The moment a mule account becomes a liability on a bank's books, the bank will close it before the regulator asks it to.
The device-blocking orders and SIM-binding rules will help at the margin. Liability would change the incentives of the entire system at a stroke.
Until we impose it, we are bailing an ocean with a portal, asking frightened citizens to outrun professional criminals inside sixty minutes, and calling that a fraud policy. The banks collect the fees, the float, and the account relationship. The pensioner carries the loss. That is not a market arrangement. It is a subsidy - extracted from the most vulnerable people in the country and handed, silently, to the most profitable institutions in it.
The lead image/collage is AI-generated









