AePS unauthorised withdrawal: 5 actions in the first 72 hours

Reviewed on: 2026-06-12.

Someone has pulled cash from your account using your Aadhaar number and a cloned fingerprint at a micro-ATM. The clock that matters is RBI's: report within 3 working days and your liability is zero. Do these five things now, in this order.

  1. Lock your Aadhaar biometrics. On myAadhaar or the mAadhaar app, use Lock/Unlock Biometrics. This kills any further AePS debit instantly. Screenshot the locked status.
  2. Call 1930 and file on cybercrime.gov.in. The national cyber helpline can flag the beneficiary account and try to freeze the money in transit. Speed decides whether anything is recoverable. Save the acknowledgement number.
  3. Report to your bank in writing the same day. Phone the call centre for a reference number, then email or hand in a written complaint at the branch. The 3-working-day zero-liability window runs from when the bank tells you about the debit, so date-stamp everything.
  4. Pull the evidence. Mini statement or app statement showing the debit with the AePS or BC code, the SMS alert, and your Aadhaar Authentication History from myAadhaar, which shows the date, time and agency of the rogue authentication.
  5. Check every other account linked to your Aadhaar. The same fingerprint clone works on any seeded account. Check them all today.

What RBI's limited liability rules give you

RBI's circular on customer protection in unauthorised electronic banking transactions (DBR.No.Leg.BC.78/09.07.005/2017-18, dated 6 July 2017) covers AePS because it is a third-party breach outside your control. The framework, in plain terms:

When you report the fraud                  Your maximum liability
-----------------------------------------  ------------------------------------------------------------
Within 3 working days of learning of it    Zero
4 to 7 working days                        ₹5,000 for basic savings accounts; ₹10,000 for most other
                                           savings accounts; ₹25,000 for some current accounts and
                                           credit limits
Beyond 7 working days                      As per the bank's board-approved policy

Two more protections sit in the same circular. The bank should give shadow credit of the disputed amount within 10 working days of your report. And the bank must resolve the complaint within 90 days. The burden of proving that the customer was negligent lies on the bank. You never shared a PIN or OTP in an AePS fraud, because AePS needs neither, so negligence is hard to pin on you. Say this plainly in your complaint.

How the fraud works, in one paragraph

AePS lets anyone withdraw cash at a Business Correspondent point with three inputs only: bank name, Aadhaar number, fingerprint. No card, no PIN, no OTP, no SMS before the money leaves. NPCI caps each AePS cash withdrawal at ₹10,000, so fraudsters fire repeated transactions just under the cap. Most cloned fingerprints are harvested from registered sale or lease deeds on registry websites, where Aadhaar numbers and thumb impressions sat side by side, or from cheap silicone moulds. This is why the biometric lock, not a new bank account, is the real fix.

A worked example with realistic figures

Ramesh, a schoolteacher in Deoghar, Jharkhand, got three SMS alerts on the evening of 2 June 2026: AePS cash withdrawals of ₹10,000, ₹10,000 and ₹8,500, total ₹28,500, at a BC point in another district he had never visited. The ₹10,000 repeats are the classic AePS cap signature.

That night he locked his biometrics on mAadhaar and filed on cybercrime.gov.in, acknowledgement number in hand by 11 pm. Next morning, 3 June, he submitted a written complaint at his SBI branch quoting the RBI circular and the three transaction IDs, and attached his authentication history showing the rogue authentications at 18:42, 18:47 and 18:53 through a bank he had no relationship with. Because he reported within one working day, the zero-liability slab applied. SBI gave shadow credit of ₹28,500 on 12 June, within the 10-working-day norm, and confirmed final reversal after investigation in July. His only lasting loss was a wasted afternoon, because every step was in writing and inside the window.
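The cap signature described in the fraud paragraph and the reporting window in Ramesh's example, as an added Python illustration that is not part of the original page: it parses constructed SMS alerts (the alert format, BC code and transaction references are assumptions), flags a burst of near-cap AePS withdrawals from one BC point, counts working days to the written report, and maps them to the page's liability slabs (no public-holiday calendar is assumed).

```python
import re
from datetime import datetime, timedelta

# NPCI per-transaction AePS cash withdrawal cap, as stated on the page.
AEPS_CAP = 10_000
# Constructed SMS alerts modelled on the worked example; format, BC code and refs are assumptions.
SAMPLE_ALERTS = [
    "02-06-2026 18:42 AePS CASH WDL Rs.10000.00 BC:BC-PLACEHOLDER Ref:TXN-A",
    "02-06-2026 18:47 AePS CASH WDL Rs.10000.00 BC:BC-PLACEHOLDER Ref:TXN-B",
    "02-06-2026 18:53 AePS CASH WDL Rs.8500.00 BC:BC-PLACEHOLDER Ref:TXN-C",
]
ALERT_RE = re.compile(r"(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}) AePS CASH WDL "
                      r"Rs\.(?P<amt>[\d.]+) BC:(?P<bc>\S+) Ref:(?P<ref>\S+)")

def parse_alerts(lines):
    """Return (timestamp, amount, bc_code, ref) tuples, oldest first, for matching alert lines."""
    parsed = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            parsed.append((datetime.strptime(m["ts"], "%d-%m-%Y %H:%M"), float(m["amt"]), m["bc"], m["ref"]))
    return sorted(parsed)

def cap_signature(alerts, window_minutes=30, near_cap=0.8):
    """Flag repeated withdrawals at or just under the cap from one BC code inside a short window."""
    for i, (t0, _, bc, _) in enumerate(alerts):
        burst = [a for a in alerts[i:]
                 if a[2] == bc and a[0] - t0 <= timedelta(minutes=window_minutes)
                 and a[1] >= near_cap * AEPS_CAP]
        if len(burst) >= 2:
            return [a[3] for a in burst], sum(a[1] for a in burst)
    return [], 0.0

def working_days_between(notified, reported):
    """Mon-Fri days after the bank's alert date up to the report date, both 'dd-mm-yyyy'."""
    d, end, days = datetime.strptime(notified, "%d-%m-%Y"), datetime.strptime(reported, "%d-%m-%Y"), 0
    while d < end:
        d += timedelta(days=1)
        days += d.weekday() < 5  # weekends excluded; holidays are not modelled (assumption)
    return days

def max_liability(working_days, account="savings"):
    """RBI 2017 slabs as summarised on the page; None means the bank's board-approved policy applies."""
    if working_days <= 3:
        return 0
    if working_days <= 7:
        return {"bsbd": 5_000, "savings": 10_000, "current": 25_000}[account]
    return None
```

Run on the sample alerts it returns all three references with a total of 28,500, and the report on 3 June is one working day after the 2 June alerts, so the zero slab applies.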

If the bank stalls or rejects

  1. Escalate in writing to the bank's Principal Nodal Officer, named on the bank website, attaching the branch complaint and cyber acknowledgement.
  2. If 30 days pass without resolution, or the reply rejects liability, file with the RBI Ombudsman at cms.rbi.org.in. It is free, online and binding on the bank. Quote the 2017 circular, your reporting date and the shadow-credit rule.
  3. Raise the network-side flags in parallel: an AePS dispute through your bank's NPCI dispute channel, and an Aadhaar misuse complaint to UIDAI on 1947 or the myAadhaar grievance page. These support the bank case; they do not replace it.
  4. Police follow-up: if cybercrime.gov.in routes your case to the local cyber cell, ask for the FIR or CSR number. Banks sometimes wait for it before final reversal.

Where RTI fits, and where it does not

UIDAI, NPCI-regulated PSU banks and the police are public authorities, so RTI is a legitimate pressure tool here. Useful RTI questions: the action taken on your written complaint with dates, the bank's board-approved customer liability policy, and the status of your cyber complaint with the police PIO. File through rtionline.gov.in; see how to file RTI online.

RTI will not get you the fraudster's identity or the BC agent's KYC file. That is third-party personal information, normally exempt under Section 8(1)(j), and identifying the culprit is the criminal investigation's job. Private banks are outside RTI entirely; for them the chain is bank grievance cell, nodal officer, then RBI Ombudsman. If a frozen account rather than a stolen sum is your problem, read removing a cybercrime debit freeze.

Prevention that actually works

  • Keep biometrics locked permanently; the unlock is temporary by design.
  • Use the Virtual ID (VID) instead of your Aadhaar number on documents.
  • Never let a deed carry your Aadhaar number and thumb impression together unmasked.
  • Keep SMS alerts active on every account, since AePS gives no warning before the debit.

FAQs

How could money leave without any OTP or PIN?

AePS authenticates with fingerprint alone. A cloned print plus your Aadhaar number is sufficient at a micro-ATM, which is why the biometric lock matters more than changing accounts.

I reported on day 5. Have I lost everything?

No. Between 4 and 7 working days your liability is capped (₹10,000 for most savings accounts) and the bank bears the rest. Beyond 7 days the bank's own policy applies, so report in writing now and ask for that policy in the same letter.

What counts as "reporting" for the 3-day window?

A communication the bank can date: call-centre complaint with reference number, email to the official grievance ID, or an acknowledged branch letter. A verbal mention to a branch official with nothing in writing protects you poorly.

Will locking biometrics block my pension, ration or bank KYC?

It blocks fingerprint and iris authentication until you unlock, which takes one OTP on myAadhaar or mAadhaar. OTP-based and face-based authentication for ration can continue. For planned biometric use, unlock for ten minutes and relock. If ration-shop authentication is your daily struggle, see the authentication failure guide.

The withdrawals happened in another state. Does that weaken my case?

It strengthens it. Your authentication history and the BC location show you could not have been present. Attach both to the bank complaint and the cyber complaint.

The bank says I must have shared my biometrics.

The RBI circular places the burden of proving customer negligence on the bank. A fingerprint is not a credential you can “share” like a PIN. Put that sentence in your nodal officer escalation and, if needed, before the RBI Ombudsman.

Can I claim interest or compensation for the delay?

The Ombudsman can award compensation for delay and deficiency in addition to the disputed amount, within scheme limits. Claim it explicitly when you file on cms.rbi.org.in.

Does an AePS fraud mean my DBT subsidies are also at risk?

The fraud drains whatever account the fingerprint reaches; it does not re-route future credits. But if your benefit money is landing in an account you do not control, that is the NPCI mapper issue, explained in Aadhaar linked to the wrong bank account for DBT.

Download the AePS fraud first-72-hours checklist (PDF).
