You received a call from someone claiming to be your bank. They said your account was at risk and you needed to share an OTP to "verify" your identity. Minutes later, ₹45,000 was gone. When you called the bank back, they told you the transaction was "OTP authenticated" — meaning you authorised it — and refused a refund.
This is one of the most common UPI fraud patterns in India. Banks routinely hide behind OTP authentication as proof of consent. But RBI guidelines draw a clear line between authentication and informed consent — especially when the OTP was obtained through deception.
The RBI Liability Framework
The RBI's Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions sets out when you bear zero, limited, or full liability for fraudulent debits. The key factors are:
- How quickly you reported — reporting within 3 working days typically limits your liability to zero for third-party fraud
- Whether you were negligent — the bank must prove actual negligence, not assume it from OTP use alone
- The nature of the fraud — social engineering and phishing are treated differently from wilful sharing of credentials for a known transaction
OTP Authentication Is Not Consent Under Deception
Banks love the argument: "An OTP was used, therefore you authorised the payment." This conflates two separate legal concepts.
Authentication confirms that someone with access to your device entered a code. Consent means you knowingly agreed to a specific transaction with full understanding of what you were approving. When a fraudster impersonates your bank and tricks you into entering an OTP under false pretences, you did not give informed consent — you were deceived.
The RBI framework requires banks to investigate the circumstances before assigning liability. A blanket "OTP = authorised" response without examining how the OTP was obtained is not compliant.
What to Do Immediately
- Call your bank's fraud helpline — most banks have a 24/7 number. Report the transaction and ask for a written reference number. Do this within hours, not days.
- File a written complaint — email or submit through the bank's portal citing the "RBI Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions." State explicitly that the OTP was obtained through social engineering, not wilful negligence.
- Block your UPI ID and card — request immediate suspension of further debits while the dispute is open.
- File a cybercrime complaint — at cybercrime.gov.in or your local cyber cell. This creates an official record of the fraud.
- Escalate to the RBI Ombudsman — if the bank does not resolve the complaint within 30 days, file for free at cms.rbi.org.in.
What to Write in Your Complaint
Use language the bank cannot easily dismiss:
"The OTP was obtained through social engineering by a third party impersonating [Bank Name]. This does not constitute customer negligence under the RBI's liability framework. I reported the fraud within [X hours]. I request immediate reversal of transaction [ID] and confirmation in writing."
Include the timeline: when the call happened, when the debit occurred, when you reported it, and any screenshots or call logs you have.
Frequently Asked Questions
Am I liable if a fraudster tricked me into sharing my UPI OTP?
Usually not, if you reported promptly. RBI guidelines limit customer liability for third-party fraud when negligence is not proven.
Does OTP authentication mean I authorised the transaction?
No. Authentication confirms someone entered a code; it does not prove informed consent when the OTP was obtained through deception.
How quickly must I report UPI fraud to the bank?
Report as soon as possible — ideally within hours. Prompt reporting strengthens your claim under RBI zero-liability rules.