Cyber and Digital Payments
AePS Unauthorized Withdrawal? How to Lock Aadhaar and Recover Your Money
If cash was pulled from your account through the Aadhaar-enabled Payment System (AePS) without your permission, act fast and in this order: get a mini statement to confirm the debit, lock your Aadhaar biometrics on the UIDAI portal or mAadhaar app, report the unauthorized transaction to your bank in writing, and file a cybercrime or police complaint. This guide walks you through each step, the NPCI and UIDAI angles, the RBI Ombudsman escalation, and exactly where an RTI can and cannot help.
Quick answer
Someone can withdraw cash from your account through AePS using only your Aadhaar number and a fingerprint at a Business Correspondent point. No card, PIN, or OTP is needed, which is why biometric misuse is the real risk. The single most urgent step is to lock your Aadhaar biometrics through the official UIDAI portal at uidai.gov.in or the mAadhaar app, so no further withdrawal can happen. At the same time, pull a mini statement to confirm the debit, report the unauthorized transaction to your bank in writing, and get a dated acknowledgement. Then file a cybercrime complaint at cybercrime.gov.in or call 1930. Reporting quickly matters because RBI's framework on customer liability for unauthorized electronic transactions protects customers who are not at fault and report without delay. If the bank does not resolve it, escalate to the RBI Ombudsman at cms.rbi.org.in.
Who this guide is for
This guide is for anyone who finds money taken from their bank account through the Aadhaar-enabled Payment System without their knowledge. It is especially relevant if you:
- Received an SMS about a cash withdrawal at a Business Correspondent or micro-ATM that you never made, or
- Noticed an unexplained debit while checking your passbook, mini statement, or net banking, often described as an AePS or BC withdrawal, or
- Suspect your fingerprint was cloned or captured, for example after enrolling somewhere or signing a biometric register, and money has started going missing.
It is useful whether your account is with a public sector bank or a private bank, and whether or not you have used AePS yourself. The aim is to stop further loss, build a clean evidence trail, and chase recovery through the correct channels.
Who this guide is NOT for
This guide does not cover ordinary failed transactions where cash was not dispensed but your account was debited at a micro-ATM. For that, see our guide on a failed card transaction where the account was debited, which deals with reversal of failed payments rather than fraud. It also does not cover loans or accounts opened in your name using your PAN or Aadhaar by a fraudster; for that, see our guide on PAN misuse and unknown company, loan, or bank accounts. This is not legal advice, and where the loss is large, consult a qualified lawyer.
What you can do this weekend
Friday evening
Stop the bleeding first. Open the official UIDAI website at uidai.gov.in or the mAadhaar app and lock your Aadhaar biometrics. This blocks any further AePS withdrawal immediately. Next, pull your account statement through net banking, the bank app, or a passbook update and find the exact unauthorized debit. Note the amount, date, time, and any Business Correspondent or terminal code shown against it. Take a screenshot of the SMS alert and the statement entry. Write down a clear timeline of when you first noticed the fraud, because that date is important for your liability protection.
Saturday
Report the fraud through every fast channel. Call your bank's customer care and report the unauthorized transaction, and note the complaint reference number. Then report on the National Cyber Crime Reporting Portal at cybercrime.gov.in or call the helpline 1930, because quick reporting can help trace and freeze the money trail. If you can reach the branch, submit a written complaint and get a dated, stamped acknowledgement. Keep your phone on, because the bank or cyber cell may call back. Do not unlock your Aadhaar biometrics during this period.
Sunday
Organise your evidence into one folder, named by date. Save the mini statement, the SMS alerts, your written complaint to the bank, the bank's acknowledgement or reference number, and the cybercrime acknowledgement. Draft your formal written complaint to the bank using the template below, ready to submit on Monday. If you have not already, check whether other accounts linked to your Aadhaar also show suspicious activity. From the moment you report in writing, follow up steadily, and prepare to escalate to the bank's nodal officer if the branch does not move within the bank's stated timeline.
Documents and evidence checklist
| Document / Evidence | Why you need it | Where to get it |
|---|---|---|
| Mini statement or account statement showing the AePS debit | Identifies the unauthorized withdrawal, amount, date, time, and any BC or terminal reference | Net banking, bank mobile app, ATM mini statement, or passbook update |
| SMS or email alert of the withdrawal | Proves the transaction happened and fixes the time you became aware of it | Your phone messages and email inbox; take screenshots |
| Proof of Aadhaar biometric lock | Shows you acted to stop further misuse; useful for the bank and any complaint | uidai.gov.in or mAadhaar app confirmation; screenshot the lock status |
| Written complaint to the bank and its acknowledgement | Establishes that you reported the unauthorized transaction and when; key for liability protection | Branch acknowledgement slip, customer care reference number, or email reply |
| Cybercrime portal acknowledgement or police FIR | Records a criminal complaint; banks and the Ombudsman ask for this number | cybercrime.gov.in acknowledgement, 1930 helpline reference, or local police station |
| List of accounts linked to your Aadhaar | Helps you check whether more than one account was hit | Your own records; AePS is account-agnostic, so review all linked accounts |
| Copy of your Aadhaar and bank account details | Needed to identify yourself in every complaint | Your own records; never share these with unknown callers or agents |
| Timeline note of when you noticed the fraud | Reporting delay affects how much liability protection you get under RBI's framework | Write it yourself, based on your SMS alerts and statement |
Step-by-step action plan
Step 1 — Get the mini statement and identify the transaction
You cannot dispute what you cannot describe precisely. Pull a mini statement or full account statement and find the unauthorized AePS or Business Correspondent withdrawal. Note the exact amount, the date and time, and any reference shown, such as a terminal ID or BC agent code. AePS withdrawals are usually labelled differently from your own ATM or UPI use, so look carefully. If you have multiple accounts linked to your Aadhaar, check each one, because the same fingerprint can be used across linked accounts. Save screenshots of everything.
Step 2 — Lock your Aadhaar biometrics immediately
This is the step that stops the loss. Open the official UIDAI website at uidai.gov.in or the mAadhaar app and use the biometric lock service. You verify with an OTP sent to your registered mobile number, then lock your biometrics. Once locked, your fingerprint and iris cannot be used for any Aadhaar authentication, including AePS, until you temporarily unlock them yourself. Keep biometrics locked by default and unlock only when you genuinely need them, for example for a one-time authentication. This single setting is your best long-term defence against repeat biometric misuse.
Step 3 — Report the unauthorized transaction to your bank in writing
Report the fraud to your bank as an unauthorized electronic transaction, and do it in writing, not only by phone. Call customer care first and note the complaint reference, then follow up with a written complaint to the branch or the bank's official grievance email. State your account number, the disputed amount, the date and time, and that you never authorised the AePS withdrawal. Get a dated acknowledgement. Reporting quickly is important because RBI's framework on limited customer liability for unauthorized electronic transactions gives the strongest protection to customers who are not at fault and report without delay.
Step 4 — File a cybercrime or police complaint
An unauthorized AePS withdrawal is a criminal offence. Report it on the National Cyber Crime Reporting Portal at cybercrime.gov.in or call the cyber fraud helpline 1930 as soon as possible, because fast reporting can help freeze the money trail. You can also file a complaint at your local police station and ask for a copy of the acknowledgement or FIR. Keep the acknowledgement number safe. Your bank and, later, the RBI Ombudsman will ask for it as part of the investigation. The criminal complaint is also the only route that can actually identify and act against the fraudster or the BC agent involved.
Step 5 — Raise the NPCI and UIDAI angles
NPCI operates the AePS network that routes the transaction between banks, and UIDAI runs the Aadhaar authentication system. Your banking relationship, though, is with your bank, so the bank stays your main complaint point. Separately, you can raise an AePS transaction dispute through NPCI's grievance channels and report Aadhaar biometric misuse to UIDAI through uidai.gov.in. These are supporting steps, not substitutes. Do not pause your bank, police, or Ombudsman action while waiting for NPCI or UIDAI to respond.
Step 6 — Escalate to the bank nodal officer and the RBI Ombudsman
If the branch does not resolve your complaint within the bank's stated timeline, escalate in writing to the bank's Principal Nodal Officer, listed on the bank's website under grievance redressal. Reference your earlier complaint number and the cybercrime acknowledgement. If the bank still does not resolve the matter to your satisfaction within the prescribed period, file a free complaint with the RBI Ombudsman at cms.rbi.org.in under the Reserve Bank-Integrated Ombudsman Scheme. Upload all your evidence. For PSU bank grievances, you can also use CPGRAMS together with RTI to add pressure.
Escalation ladder
| Level | Who / Where | How to reach | When to use | Expected outcome |
|---|---|---|---|---|
| 1 | UIDAI biometric lock | uidai.gov.in or mAadhaar app; lock with OTP | Immediately, before anything else | No further AePS withdrawal possible |
| 2 | Your bank | Customer care for a reference number, then written complaint to branch or grievance email | The moment you spot the unauthorized debit | Dispute registered; investigation and possible reversal under RBI liability framework |
| 3 | Cybercrime portal / police | cybercrime.gov.in or call 1930; local police station | Same day as you notice the fraud | Criminal complaint registered; money trail may be frozen; FIR or acknowledgement issued |
| 4 | NPCI and UIDAI | NPCI grievance channels for AePS dispute; UIDAI for biometric misuse report | Alongside the bank complaint | Network-level dispute logged; Aadhaar misuse flagged |
| 5 | Bank Principal Nodal Officer | Email on the bank's grievance page; attach earlier complaint and cyber acknowledgement | If the branch does not resolve within the bank's timeline | Senior internal escalation; faster review |
| 6 | RBI Ombudsman (RB-IOS) | cms.rbi.org.in | If the bank does not resolve to your satisfaction within the prescribed period | Free adjudication of the unauthorized transaction dispute; binding direction to the bank |
| 7 | RTI to PSU bank or police (records only) | File an RTI online to a PSU bank PIO or police PIO | To obtain process records and action taken on your complaint | Discloses policy, procedure, and action-taken on your own complaint, not third-party identities |
Copy-paste complaint template
Replace the text in square brackets with your own details before sending.
When RTI can help
The RTI Act, 2005 applies to public authorities. Public sector banks, which are substantially owned or controlled by the Central Government, are public authorities. So if your account is with a PSU bank, you can file an RTI with the bank's Public Information Officer to:
- Ask for the bank's policy and procedure for handling unauthorized electronic transactions and AePS disputes.
- Find out the action taken on your own complaint, including dates and the status of the investigation.
- Obtain copies of the bank's communications to you about your specific complaint.
The police are also public authorities, so you can file an RTI with the police PIO asking for the action taken on your own cybercrime or police complaint and its current status. UIDAI is a public authority too, so you can file an RTI for general process and policy information, such as how Aadhaar biometric locking works or the broad framework for handling biometric misuse complaints. Read our guide on how to file an RTI online in India for the step-by-step process, and our guide on filing a first appeal under Section 19 if a public authority does not respond in time.
When RTI will not help
Private banks: If your account is with a private bank, that bank is not a public authority under the RTI Act, so you cannot file an RTI directly against it. Use the bank's grievance process first, then the RBI Ombudsman at cms.rbi.org.in. The RBI itself is a public authority, so you can file an RTI with the RBI about the broad framework for unauthorized transactions, though not about a private bank's internal records.
Third-party personal data: RTI will not give you a stranger's personal information. You cannot get the identity, KYC details, or biometric records of the Business Correspondent agent or the fraudster through RTI, because that is third-party personal data that is normally exempt. Identifying the culprit is the job of the criminal investigation, not RTI.
What RTI cannot compel: RTI gives you information; it does not order a bank to reverse the transaction or order the police to make an arrest. However, the records you obtain, such as the action taken on your complaint, can strengthen your case before the RBI Ombudsman or a consumer forum. For complaints against a government department or PSU bank, our guide on using CPGRAMS with RTI explains how to combine both tools.
Common mistakes to avoid
- Not locking Aadhaar biometrics first. Every hour your biometrics stay unlocked, another AePS withdrawal is possible. Lock them on uidai.gov.in or mAadhaar before you do anything else, and unlock only when you genuinely need biometric authentication.
- Reporting only by phone. A call to customer care does not create a strong written record. Always follow up with a written complaint to the bank and keep the dated acknowledgement, because reporting delay affects your liability protection.
- Waiting before filing the cybercrime complaint. The first hours matter for tracing and freezing the money. Report on cybercrime.gov.in or call 1930 the moment you notice the fraud, not after the bank replies.
- Checking only one account. AePS works on any account linked to your Aadhaar. Review every linked account for suspicious debits, not just the one where you first noticed the loss.
- Expecting NPCI or UIDAI to refund you. Your banking relationship is with your bank, so the bank drives the reversal. Treat NPCI and UIDAI complaints as supporting steps, not as your main recovery route.
- Filing an RTI against a private bank or for the fraudster's identity. Private banks are outside the RTI Act, and third-party personal data is exempt. Use RTI only for process records and action taken on your own complaint with a public authority.
- Sharing OTPs, Aadhaar, or biometrics with callers claiming to help. No genuine bank or UIDAI official asks for your OTP or biometrics. Sharing them can worsen the fraud and may weaken your liability protection.
Frequently asked questions
How did someone withdraw money using my Aadhaar without my card or OTP?
The Aadhaar-enabled Payment System (AePS) lets a person withdraw cash at a Business Correspondent point using only their Aadhaar number and a fingerprint scan. No card, PIN, or OTP is needed. Fraudsters can misuse this if they capture a copy of your fingerprint, for example a cloned biometric lifted from a document you signed or a captured scan. They then use that fingerprint at a micro-ATM to pull cash from any account linked to your Aadhaar. This is exactly why locking your Aadhaar biometrics on the UIDAI portal or mAadhaar app is the single most urgent step.
What is the first thing I should do after an AePS fraud?
Do two things at once. First, lock your Aadhaar biometrics through the official UIDAI portal at uidai.gov.in or the mAadhaar app, so no further AePS withdrawal can happen. Second, report the unauthorized transaction to your bank in writing immediately and get a written acknowledgement with a complaint reference number. Reporting quickly matters because RBI's framework on limited customer liability for unauthorized electronic transactions gives the best protection to customers who report without delay.
Will I get my money back after an unauthorized AePS withdrawal?
It depends on how quickly you report and what the investigation finds. RBI's framework on customer protection limits a customer's liability for unauthorized electronic transactions where the customer is not at fault and reports promptly. The exact outcome depends on your bank's investigation, the evidence, and the specific facts. Report in writing, keep every acknowledgement, escalate to the bank's nodal officer, and if the bank does not resolve it within the prescribed period, take the matter to the RBI Ombudsman through cms.rbi.org.in.
How do I lock my Aadhaar biometrics to stop further AePS withdrawals?
Go to the official UIDAI website at uidai.gov.in and use the Lock or Unlock Biometrics service in the My Aadhaar section, or use the mAadhaar app on your phone. You verify with an OTP sent to your registered mobile number, then lock your biometrics. Once locked, your fingerprint and iris cannot be used for any Aadhaar authentication, including AePS, until you temporarily unlock them yourself. Keep biometrics locked by default and unlock only when you genuinely need biometric authentication.
Can I file an RTI to find out who withdrew my money through AePS?
Partly. If your account is with a public sector bank, that bank is a public authority under the RTI Act, so you can file an RTI for process and policy records and the action taken on your own complaint. You can also file an RTI with the police on the action taken on your complaint. However, RTI will not give you a stranger's personal data, such as the identity or KYC of the Business Correspondent agent or the fraudster, because that is third-party personal information that is usually exempt. The criminal investigation, not RTI, is the route to identify the culprit.
Is NPCI or UIDAI responsible for my AePS fraud?
NPCI operates the AePS network that routes the transaction, and UIDAI runs the Aadhaar authentication system, but your banking relationship is with your bank. Your bank is your first point of complaint for an unauthorized transaction. You can separately raise the matter with NPCI through its dispute and grievance channels and report Aadhaar biometric misuse to UIDAI, but do not wait on them. Drive the recovery through your bank, the police or cybercrime complaint, and the RBI Ombudsman if needed.
Where do I file the police or cybercrime complaint for AePS fraud?
Report online on the National Cyber Crime Reporting Portal at cybercrime.gov.in, or call the cyber fraud helpline 1930 as soon as you notice the fraud, because quick reporting can help freeze the money trail. You can also file a complaint at your local police station and ask for a copy of the acknowledgement or FIR. Keep the acknowledgement number safe, because your bank and the RBI Ombudsman will ask for it during the investigation.