Right to Information Wiki
AePS / Aadhaar Biometric Fraud Recovery 2026 — Bank Account Drained? Get It Back


· 2026/04/19 05:02

Your bank account was emptied via the Aadhaar Enabled Payment System (AePS) without an OTP, without a card, without a phone alert — sometimes from a banking correspondent shop hundreds of kilometres away. This is AePS fraud — the fastest-growing biometric crime in India, with over 6 lakh complaints logged at NCRP in 2024 alone. The RBI's “Customer Liability Framework, 2017” + the 3-day rule says you get 100% refund if you report within 3 working days. Here is the exact, working recovery sequence — by the clock.

Quick Answer

  • First action — within 1 hour: Lock your Aadhaar biometrics at https://uidai.gov.in → My Aadhaar → Lock/Unlock biometrics. Free, instant, 24×7.
  • Within 3 working days: file a written complaint to your bank citing RBI Customer Liability Framework, 2017 — full refund mandatory if reported in 3 days.
  • Within 24 hours: dial 1930 + file at https://cybercrime.gov.in under Financial fraud → AePS / Biometric fraud.
  • Within 48 hours: register an FIR at the cyber police station — IT Act §66C/§66D + BNS §318/§321.
  • NPCI dispute: file at https://www.npci.org.in/what-we-do/aeps/dispute-management for inter-bank transactions.
  • RBI Banking Ombudsman: https://cms.rbi.org.in if bank does not respond in 30 days. Free.
  • Recovery rate: 96-100% if reported in 3 working days (RBI rule). Drops to 50% within 7 days. <5% after 30 days.
  • Cost: ₹0 anywhere in the process.


Quick Action Steps

  1. Lock Aadhaar biometrics NOW at uidai.gov.in (or m-Aadhaar app → Biometric Lock toggle). Stops further fraud instantly.
  2. Take screenshots of: bank SMS/email of the debit, account statement, any AePS terminal location info.
  3. Call your bank on its registered helpline → log bank-side fraud complaint with a written acknowledgement number. Tell them: “Section 6.3 of RBI Customer Liability Framework — zero liability.”
  4. Dial 1930 — Cyber Crime helpline. Lock the destination account.
  5. File at https://cybercrime.gov.in within 24 hours.
  6. Get FIR copy at the cyber police station within 48 hours.
  7. NPCI dispute at npci.org.in — for AePS-specific transaction reversal.
  8. Bank must reply in 10 working days, refund in 90 days (RBI rule).
  9. If bank stalls — RBI Banking Ombudsman at cms.rbi.org.in.
  10. RTI to UIDAI for transaction logs (which agency / device used your fingerprint).
  11. Update Aadhaar mobile at the nearest enrolment centre — keep it linked.

What is AePS Fraud?

AePS (Aadhaar Enabled Payment System) is a financial product run by NPCI that lets a citizen withdraw cash, deposit, or transfer using only Aadhaar number + fingerprint at any Banking Correspondent (BC) shop or micro-ATM. No card, no PIN, no OTP.

Fraud happens when your biometric is silently captured and replayed on an AePS terminal:

  • Property registry biometric leaks — sub-registrar offices in MH, RJ, UP, KA, AP have leaked thumbprint scans into the public registry portal. Crooks lift these.
  • eKYC trap — fake “Aadhaar update” stalls capture your fingerprint with a rogue biometric scanner.
  • Rubber-finger clone — a 3D-printed or silicone replica using a scanned biometric.
  • Compromised BC operator — a corrupt Banking Correspondent shop runs ghost transactions with stolen biometrics from public registry leaks.
  • Telecom KYC trap — your biometric was captured for a fake new SIM, then reused.

You may discover the fraud only when you check your bank balance. No SMS is sent in many AePS transactions because the BC is offline.

Recent Patterns (2023-2026)

  • ₹40,000–₹2 lakh per victim — typical drain.
  • 3-7 successive ₹10,000 withdrawals — AePS per-transaction limit is ₹10,000; criminals chain multiple.
  • Geographically distant — victims in Delhi see withdrawals in Bihar, Telangana, West Bengal.
  • CBI cracked an AePS racket in 2024 — 70+ accused, ₹14 crore wiped from 50,000+ victims using leaked sub-registrar biometrics.
  • Telangana, Andhra Pradesh, West Bengal, Bihar, Maharashtra — top 5 fraud states.

A. RBI Customer Liability Framework, 2017

Source: RBI/2017-18/15 dated 06 Jul 2017.

  • Zero liability if reported within 3 working days (Banks: §6.3).
  • Limited liability up to ₹25,000 if reported within 4-7 working days.
  • Bank must credit shadow / temporary refund within 10 working days.
  • Final resolution: 90 days from complaint.
  • The burden of proof to show customer negligence is on the bank, not the customer.

B. NPCI AePS Dispute Resolution Mechanism

  • Inter-bank disputes must be raised by your bank to the acquirer bank within T+3 working days.
  • TAT (Turnaround Time): 10 days for chargeback.
  • Compensation: if bank misses TAT, ₹100/day penalty payable to customer (NPCI Master Direction).

C. Aadhaar Act, 2016

  • §7 — Aadhaar authentication for benefit / service.
  • §8 — Rights of an Aadhaar number holder, including biometric lock at UIDAI.
  • §29(4) — biometric data is classified personal data, can never be shared in public domain.
  • §38, §39 — penalties for impersonation / unauthorised access (3 years jail).

D. IT Act, 2000 + DPDP, 2023

  • §43A IT Act — body corporate liable for negligence with sensitive personal data.
  • §66C — identity theft (3 years).
  • DPDP §8 — data fiduciary must respect lock requests from data principals; non-compliance ₹250 cr penalty.

E. BNS, 2023

  • §318 — cheating (7 years).
  • §321 — cheating by personation (3 years).
  • §336 — forgery for cheating (7 years).

F. UIDAI Right to Privacy

Right to lock/unlock biometrics is a statutory right under §8(2)(b), Aadhaar Act, 2016 — UIDAI must comply.

Step-by-Step Recovery Process

Step 1 — Lock biometrics (within minutes)

  1. Open m-Aadhaar app (Android / iOS, free, official) OR https://uidai.gov.in → My Aadhaar.
  2. Login with Aadhaar number + OTP to your mobile.
  3. Lock/Unlock Biometrics → tap Lock.
  4. Your biometric is now disabled for AePS, eKYC, all third-party authentications. You can unlock temporarily for genuine eKYC.

Step 2 — Bank complaint (within 3 working days)

  1. Visit branch or call helpline. Get complaint number in writing (not just verbal).
  2. Mention specifically: “AePS unauthorised debit. Section 6.3 RBI Customer Liability Framework, 2017. Zero liability. I have reported within 3 working days.”
  3. Submit a written letter + bank statement + ID proof. Get a receiving stamp with date/time.
  4. Demand shadow credit within 10 working days (RBI rule).

Sample bank complaint letter (use the RTI Drafter to auto-generate):

To, Branch Manager, [Bank], [Branch].
Sub: AePS Unauthorised Debit — RBI Customer Liability Framework Claim.
Account no: … I noticed unauthorised AePS debits totalling ₹… on dates… I confirm I did not authorise these transactions; I did not share my Aadhaar / biometric. As per RBI/2017-18/15 dated 06 Jul 2017 §6.3, I am reporting within 3 working days; my zero-liability claim attaches. Kindly: (a) issue a shadow credit within 10 working days, (b) raise an AePS dispute at NPCI, (c) provide a copy of the AePS terminal log + BC ID. — [Signature, Date].

Step 3 — NCRP + 1930 (within 24 hours)

  1. Dial 1930 (24×7) — give bank account, transaction details. Scammer's destination account is frozen.
  2. File at https://cybercrime.gov.in → Financial fraud → AePS / Biometric fraud. Save Acknowledgement Number.

Step 4 — FIR (within 48 hours)

  1. Cyber police station (or your area police if no separate cyber cell).
  2. Sections to cite: IT Act §66C, §66D, BNS §318, §321, §336.
  3. Carry: ID proof, bank statement, NCRP acknowledgement, screenshots.

Step 5 — NPCI dispute

  1. The acquirer bank (BC location's bank) is required to provide: BC ID, terminal MAC, GPS coordinates, biometric capture timestamp.
  2. TAT: 10 working days for chargeback. Penalty ₹100/day if delayed.

Step 6 — RBI Ombudsman (Day 30 if bank stalls)

  1. File at https://cms.rbi.org.in → Banking Ombudsman Scheme, 2021.
  2. Free. No advocate required.
  3. Order in 60-90 days. Compensation: actual loss + interest + ₹1 lakh max for mental harassment.

Step 7 — RTI escalation (Day 30+)

File RTIs to track investigation:

  • To UIDAI: Authentication logs for my Aadhaar number on dates X-Y; AUA / Sub-AUA names; OTP / biometric flag; outcome.
  • To your bank (public sector): Status of complaint number Z; date NPCI dispute raised; reply received from acquirer bank; reason for delay if past 90 days.
  • To Police: FIR number A — investigating officer, date of next investigation step, action taken on banking correspondent.

Use the RTI Drafter — drafts these 3 RTIs from your case description.

Documents Required

| Document | Purpose |
| Aadhaar card + masked Aadhaar | ID proof (use masked for FIR/online filings). |
| PAN card | KYC at bank. |
| Bank statement — 90 days | Proof of unauthorised debits. |
| Mobile number registered with Aadhaar | For OTPs during UIDAI lock. |
| NCRP acknowledgement | Generated when filed at cybercrime.gov.in. |
| FIR copy | After cyber police station registration. |
| NPCI dispute reference | Once bank raises chargeback to acquirer. |
| m-Aadhaar lock screenshot | Evidence biometrics were locked at time T. |

Common Mistakes to Avoid

  1. Waiting “to see if money comes back” — every day costs you the zero-liability ceiling.
  2. Calling bank on a non-registered number from Google search — can be a scam helpline. Use the number on your debit card / passbook.
  3. Sharing OTP with “bank verification officer” — banks never ask for OTP. Hang up.
  4. Going to a “cyber cell agent” who promises 100% recovery for a fee — they are second-stage scammers.
  5. Not locking biometrics — fraud continues even while complaint is pending.
  6. Skipping NPCI dispute — bank handles chargeback only via NPCI for AePS.
  7. Settling for partial refund — RBI 3-day rule mandates full refund. Push back.

FAQs

Can the bank refuse refund saying “you must have shared biometrics”?

No. Under RBI Customer Liability Framework §6.3, the burden of proof is on the bank to demonstrate customer negligence. Mere assertion is not enough. If the fraud was via leaked sub-registrar biometric, courts have held this to be zero-liability even at 7+ days. Citation: Banking Ombudsman Order Mumbai 2024-073.

Should I close my bank account?

Don't close immediately — refund depends on the same account. Freeze AePS only by writing to your bank (Disable AePS-out facility on my account). Switch to a Jan Dhan account ONLY for AePS-needed benefits.

How does Aadhaar locking affect my regular life?

It only blocks biometric authentication (AePS, eKYC). Your Aadhaar OTP, demographic verification, ration card, IT filings all work normally. You can unlock temporarily for genuine eKYC.

What if I'm a senior citizen / illiterate / from a village?

Your Banking Correspondent or Common Service Centre (CSC) can lock Aadhaar for you. Or call UIDAI helpline 1947. The local District Legal Services Authority (DLSA) can help file FIR + bank complaint for free.

My biometric was leaked from a sub-registrar office. Who is liable?

The State Government (Stamp & Registration Department) is liable under Article 21 (privacy) + DPDP §8 + §40. Class action is possible. Several PILs are pending in Maharashtra and Telangana High Courts.

Can the BC operator be arrested?

Yes — IT Act §66C + §66D + BNS §318 + §321 are cognisable + non-bailable for organised cases. NCRB data shows 1,200+ BC operators were charged in 2024 specifically for AePS fraud.

What's the difference between AePS fraud and UPI fraud?

UPI: needs your OTP / device + UPI PIN. Loss reverses through 1930 → bank freeze. AePS: needs only your Aadhaar + biometric. Loss reverses through bank complaint → NPCI dispute. The 3-day rule applies to both.

Will RBI compensate me directly?

RBI is the regulator, not the payer. Your bank pays — RBI orders it. Banking Ombudsman can award up to ₹1 lakh for mental harassment in addition to refund.

Can I claim mental distress?

Yes — through Consumer Court (District Commission) under Consumer Protection Act §2(47) + Banking Ombudsman award. Typical: ₹25,000-₹2,00,000.

I haven't filed FIR but I want to. Am I too late?

No deadline for FIR filing under §175 BNSS. But every day weakens evidence. File even at Day 60 — the FIR triggers police investigation that may still recover money via inter-bank reversals.

What if my bank ignores my complaint?

After 30 days of silence: file at RBI Banking Ombudsman (https://cms.rbi.org.in) → Mobile or Internet Banking → Customer Liability Framework violation. Order compels bank action.

Is AePS being phased out?

NPCI is upgrading to AePS 2.0 with liveness detection and mandatory SMS to customer — rolling out across 2025-2026. Until then, lock biometrics by default is the safest stance.

Can NRIs use AePS / be affected?

NRIs can have NRO/NRE accounts. AePS uses Aadhaar — if you don't have Aadhaar, no exposure. If you do, lock biometrics. Same RBI rules apply.

Internal Linking Suggestions

  • Cyber Crime Complaint in India — full process
  • UPI Fraud Recovery — Dial 1930 + RBI 3-day rule
  • RTI Drafter — file an RTI to UIDAI / Bank / Police
  • Loan App Harassment Recovery
  • Digital Arrest Scam — 7-minute rescue plan
  • Aadhaar Status Check — update mobile, verify biometric lock
  • Consumer Court — file online via e-Daakhil
  • Aadhaar Validator — Verhoeff offline check

External References

  • RBI Customer Liability Framework, 2017: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11040
  • NPCI AePS Dispute Management: https://www.npci.org.in/what-we-do/aeps
  • UIDAI Lock/Unlock Biometric: https://uidai.gov.in
  • National Cyber Crime Reporting Portal: https://cybercrime.gov.in
  • RBI Banking Ombudsman (CMS): https://cms.rbi.org.in
  • m-Aadhaar app — Google Play / App Store (UIDAI official).

Conclusion

AePS fraud is preventable: lock your Aadhaar biometric today, even before any incident. If you've been hit, the 3-day window to bank + 24-hour window to NCRP is what determines whether you get 100% back or 0%. The law is unambiguously on your side — RBI, UIDAI, NPCI, NALSA all converge on protecting the citizen. The only failure mode is delay. If your bank stalls, file an RTI to extract the AePS terminal log + BC ID — that single document forces internal action. The RTI Drafter auto-generates this.

Sources

  • RBI Customer Liability Framework, 2017 (RBI/2017-18/15).
  • NPCI Master Direction on AePS Dispute Management.
  • Aadhaar Act, 2016 — §7, §8, §29(4), §38, §39.
  • Information Technology Act, 2000 — §43A, §66C, §66D.
  • Bharatiya Nyaya Sanhita, 2023 — §318, §321, §336.
  • Banking Ombudsman Scheme, 2021.
  • Digital Personal Data Protection Act, 2023.

Last reviewed: 5 May 2026 — RTI Wiki editorial team.