Differences
This shows you the differences between two versions of the page.
| — | practical-guides:aadhaar-enabled-payment-aeps-unauthorized-withdrawal [2026/07/10 21:29] (current) – created - external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | {{htmlmetatags> | ||
| + | ====== AePS unauthorised withdrawal: 5 actions in the first 72 hours ====== | ||
| + | |||
| + | **Reviewed on:** 2026-06-12. | ||
| + | |||
| + | Someone has pulled cash from your account using your Aadhaar number and a cloned fingerprint at a micro-ATM. The clock that matters is RBI's: report within **3 working days** and your liability is **zero**. Do these five things now, in this order. | ||
| + | |||
| + | - **Lock your Aadhaar biometrics.** On [[https:// | ||
| + | - **Call 1930 and file on [[https:// | ||
| + | - **Report to your bank in writing the same day.** Phone the call centre for a reference number, then email or hand in a written complaint at the branch. The 3-working-day zero-liability window runs from when the bank tells you about the debit, so date-stamp everything. | ||
| + | - **Pull the evidence.** Mini statement or app statement showing the debit with the AePS or BC code, the SMS alert, and your //Aadhaar Authentication History// from myAadhaar, which shows the date, time and agency of the rogue authentication. | ||
| + | - **Check every other account linked to your Aadhaar.** The same fingerprint clone works on any seeded account. Check them all today. | ||
| + | |||
| + | ===== What RBI's limited liability rules give you ===== | ||
| + | |||
| + | RBI's circular on customer protection in unauthorised electronic banking transactions (DBR.No.Leg.BC.78/ | ||
| + | |||
| + | ^ When you report the fraud ^ Your maximum liability ^ | ||
| + | | Within 3 working days of learning of it | Zero | | ||
| + | | 4 to 7 working days | ₹5,000 for basic savings accounts, ₹10,000 for most other savings accounts, ₹25,000 for some current accounts and credit limits | | ||
| + | | Beyond 7 working days | As per the bank's board-approved policy | | ||
| + | |||
| + | Two more protections sit in the same circular. The bank should give **shadow credit** of the disputed amount within 10 working days of your report. And the bank must resolve the complaint within **90 days**. The burden of proving that the customer was negligent lies on the bank. You never shared a PIN or OTP in an AePS fraud, because AePS needs neither, so negligence is hard to pin on you. Say this plainly in your complaint. | ||
| + | |||
| + | ===== How the fraud works, in one paragraph ===== | ||
| + | |||
| + | AePS lets anyone withdraw cash at a Business Correspondent point with three inputs only: bank name, Aadhaar number, fingerprint. No card, no PIN, no OTP, no SMS before the money leaves. NPCI caps each AePS cash withdrawal at ₹10,000, so fraudsters fire repeated transactions just under the cap. Most cloned fingerprints are harvested from registered sale or lease deeds on registry websites, where Aadhaar numbers and thumb impressions sat side by side, or from cheap silicone moulds. This is why the biometric lock, not a new bank account, is the real fix. | ||
| + | |||
| + | ===== A worked example with realistic figures ===== | ||
| + | |||
| + | Ramesh, a schoolteacher in Deoghar, Jharkhand, got three SMS alerts on the evening of 2 June 2026: AePS cash withdrawals of ₹10,000, ₹10,000 and ₹8,500, total **₹28, | ||
| + | |||
| + | That night he locked his biometrics on mAadhaar and filed on cybercrime.gov.in, | ||
| + | |||
| + | ===== If the bank stalls or rejects ===== | ||
| + | |||
| + | - Escalate in writing to the bank's **Principal Nodal Officer**, named on the bank website, attaching the branch complaint and cyber acknowledgement. | ||
| + | - If 30 days pass without resolution, or the reply rejects liability, file with the **RBI Ombudsman** at [[https:// | ||
| + | - Raise the network-side flags in parallel: an AePS dispute through your bank's NPCI dispute channel, and an Aadhaar misuse complaint to UIDAI on 1947 or the myAadhaar grievance page. These support the bank case; they do not replace it. | ||
| + | - Police follow-up: if cybercrime.gov.in routes your case to the local cyber cell, ask for the FIR or CSR number. Banks sometimes wait for it before final reversal. | ||
| + | |||
| + | ===== Where RTI fits, and where it does not ===== | ||
| + | |||
| + | UIDAI, NPCI-regulated PSU banks and the police are public authorities, | ||
| + | |||
| + | RTI will not get you the fraudster' | ||
| + | |||
| + | ===== Prevention that actually works ===== | ||
| + | |||
| + | * Keep biometrics locked permanently; | ||
| + | * Use the Virtual ID (VID) instead of your Aadhaar number on documents. | ||
| + | * Never let a deed carry your Aadhaar number and thumb impression together unmasked. | ||
| + | * Keep SMS alerts active on every account, since AePS gives no warning before the debit. | ||
| + | |||
| + | ===== FAQs ===== | ||
| + | |||
| + | ==== How could money leave without any OTP or PIN? ==== | ||
| + | |||
| + | AePS authenticates with fingerprint alone. A cloned print plus your Aadhaar number is sufficient at a micro-ATM, which is why the biometric lock matters more than changing accounts. | ||
| + | |||
| + | ==== I reported on day 5. Have I lost everything? ==== | ||
| + | |||
| + | No. Between 4 and 7 working days your liability is capped, at ₹10,000 for most savings accounts, and the bank bears the rest. Beyond 7 days the bank's own policy applies, so report in writing now and ask for that policy in the same letter. | ||
| + | |||
| + | ==== What counts as " | ||
| + | |||
| + | A communication the bank can date: call-centre complaint with reference number, email to the official grievance ID, or an acknowledged branch letter. A verbal mention to a branch official with nothing in writing protects you poorly. | ||
| + | |||
| + | ==== Will locking biometrics block my pension, ration or bank KYC? ==== | ||
| + | |||
| + | It blocks fingerprint and iris authentication until you unlock, which takes one OTP on myAadhaar or mAadhaar. OTP-based and face-based authentication for ration can continue. For planned biometric use, unlock for ten minutes and relock. If ration-shop authentication is your daily struggle, see [[practical-guides: | ||
| + | |||
| + | ==== The withdrawals happened in another state. Does that weaken my case? ==== | ||
| + | |||
| + | It strengthens it. Your authentication history and the BC location show you could not have been present. Attach both to the bank complaint and the cyber complaint. | ||
| + | |||
| + | ==== The bank says I must have shared my biometrics. ==== | ||
| + | |||
| + | The RBI circular places the burden of proving customer negligence on the bank. A fingerprint is not a credential you can " | ||
| + | |||
| + | ==== Can I claim interest or compensation for the delay? ==== | ||
| + | |||
| + | The Ombudsman can award compensation for delay and deficiency in addition to the disputed amount, within scheme limits. Claim it explicitly when you file on cms.rbi.org.in. | ||
| + | |||
| + | ==== Does an AePS fraud mean my DBT subsidies are also at risk? ==== | ||
| + | |||
| + | The fraud drains whatever account the fingerprint reaches; it does not re-route future credits. But if your benefit money is landing in an account you do not control, that is the NPCI mapper issue, explained in [[practical-guides: | ||
| + | |||
| + | Download the AePS fraud first-72-hours checklist (PDF). | ||
| + | ===== AePS unauthorized withdrawal: How to report and claim refund from your bank? ===== | ||
| + | |||
| + | When an unauthorized withdrawal happens through AePS (Aadhaar Enabled Payment System), here is the complete guide: | ||
| + | |||
| + | - **Step 1: What is AePS?** (a) AePS (Aadhaar Enabled Payment System) allows withdrawals using Aadhaar number + biometric authentication (no debit card or PIN needed), (b) it is used at: (i) Bank Mitras (BCs), (ii) micro-ATMs, (iii) CSP (Customer Service Points), (c) the customer provides: (i) Aadhaar number, (ii) bank name (IIN), (iii) biometric (fingerprint/ | ||
| + | - **Step 2: How fraud happens.** (a) the fraudster clones the fingerprint (using a cloned fingerprint on a gelatin mold), (b) the fraudster uses the victim' | ||
| + | - **Step 3: How to detect.** (a) check your SMS alerts (if you receive a debit SMS you did not initiate), (b) check your bank statement (look for " | ||
| + | - **Step 4: How to report.** (a) call the bank's helpline immediately (note the complaint reference number), (b) file a written complaint at the home branch (within 3 working days of the unauthorized transaction), | ||
| + | - **Step 5: RBI zero liability.** (a) under the RBI's Limited Liability framework (2017): (i) if reported within 3 working days: zero liability (full refund), (ii) if reported within 4-7 working days: limited liability (max Rs 5,000 for basic accounts; Rs 10,000 for others; Rs 25,000 for credit cards with limit above Rs 5 lakh), (iii) if reported after 7 days: as per bank's policy (no guaranteed refund), (b) the bank must resolve the complaint within 10 working days (90 days for complex cases), (c) the bank must credit the refund within 10 days of resolution. | ||
| + | - **Step 6: Banking Ombudsman.** (a) if the bank does not resolve within 30 days: file a complaint with the Banking Ombudsman (cms.rbi.org.in), | ||
| + | - **Step 7: Preventive steps.** (a) lock your Aadhaar biometrics when not in use (UIDAI portal or mAadhaar app), (b) do not share your Aadhaar number with unauthorized persons, (c) do not give your Aadhaar photocopy without a "For < | ||
| + | |||
| + | See [[https:// | ||
| + | |||
| + | {{tag> | ||