A few years ago I was travelling to Bangalore for a conference and stopped at a petrol pump to pay by card. Declined. I tried again — declined. I called the HDFC helpline, confused and slightly embarrassed with a queue forming behind me. The customer service agent said: "Sir, your card was temporarily blocked — an unusual transaction pattern was detected." Three transactions in three different locations within two hours looked like card cloning to the system. It wasn't. But the AI wasn't wrong to be suspicious.
Every bank in India runs its own fraud detection layer — separate from UPI's NPCI system, separate from the card networks (Visa/Mastercard/RuPay). This is the layer that watches your entire account, not just individual payment channels. It's looking at a wider picture over a longer time window, and it can act in ways that UPI's infrastructure cannot: blocking your card, flagging your account, generating alerts, and — in serious cases — filing suspicious activity reports with the RBI.
When you make any digital payment in India, it passes through multiple fraud detection systems in sequence. Most people think of fraud detection as one thing. It's actually three independent checks happening simultaneously.
The UPI app runs its own on-device and server-side checks: device trust score, session behaviour, screen-share detection, recipient risk warnings. This is the first filter — fast, broad, catches obvious red flags before the transaction even hits the bank.
The network-level fraud intelligence layer is shared across all banks and screens for known fraud accounts, velocity anomalies, collect-request scams, and cross-bank money mule patterns. It operates in under 100ms at the transaction level.
Your bank's proprietary AI runs independently of NPCI. It has something the network layer doesn't: your complete financial history — salary credits, EMI patterns, savings behaviour, card spend, fixed deposits, loan repayments. It's watching a much wider picture, over months or years, not just individual transactions.
A transaction has to pass all three layers to go through cleanly. Any one of them can flag or block it independently. This redundancy means a fraud that slips past NPCI's network model still has a chance to be caught by your bank's proprietary system — which knows your personal financial profile far more deeply.
The bank-level model has access to signals that no other system in the chain has. Here's what it's looking at:
Your salary hits on the 1st. You pay rent via NEFT on the 3rd. Your SIP debit runs on the 5th. You spend ₹3,000–8,000 monthly on food delivery. You've never made an international transaction. This baseline — built over months — is your financial fingerprint. Any significant deviation triggers elevated scrutiny. A ₹2 lakh transfer to an unknown account two days after salary credit is a 5-sigma event for someone with your profile.
Your card was used at a Bengaluru petrol pump at 11am. It's being used at a Delhi electronics store at 1pm. You cannot physically be in both cities in two hours. This "impossible travel" pattern is one of the clearest fraud signals in banking — it almost always means card cloning or credential theft. My petrol pump block was exactly this signal.
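To make the impossible-travel check concrete, here is an added example (not code from any bank) that computes the implied speed between consecutive card-present transactions and flags pairs no traveller could manage. The 500 km/h door-to-door limit, the 50 km noise floor, the field names and the sample transactions are all assumptions constructed for illustration.

```python
import math
from datetime import datetime

# Assumed thresholds for illustration, not figures from any bank.
MAX_PLAUSIBLE_KMH = 500.0  # door-to-door speed, allowing for airport time
MIN_DISTANCE_KM = 50.0     # ignore terminal-location noise within one city

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(txns):
    """Return (earlier_id, later_id, implied_kmh) for consecutive card-present
    transactions whose implied speed exceeds MAX_PLAUSIBLE_KMH."""
    # Online (card-not-present) payments carry no physical location: skip them.
    present = sorted((t for t in txns if t["card_present"]), key=lambda t: t["ts"])
    alerts = []
    for prev, cur in zip(present, present[1:]):
        dist = haversine_km(prev["loc"], cur["loc"])
        if dist < MIN_DISTANCE_KM:
            continue
        hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
        # Same-second swipes in distant cities: treat the speed as infinite.
        speed = math.inf if hours <= 0 else dist / hours
        if speed > MAX_PLAUSIBLE_KMH:
            alerts.append((prev["id"], cur["id"], speed))
    return alerts

# Constructed sample data; city coordinates are approximate.
BLR, DEL = (12.97, 77.59), (28.61, 77.21)
SAMPLE = [
    {"id": "t1", "ts": datetime(2024, 1, 5, 11, 0), "loc": BLR, "card_present": True},
    {"id": "t2", "ts": datetime(2024, 1, 5, 12, 0), "loc": None, "card_present": False},
    {"id": "t3", "ts": datetime(2024, 1, 5, 13, 0), "loc": DEL, "card_present": True},
    {"id": "t4", "ts": datetime(2024, 1, 5, 19, 30), "loc": BLR, "card_present": True},
]

if __name__ == "__main__":
    for a, b, kmh in impossible_travel(SAMPLE):
        print(f"{a} -> {b}: implied {kmh:.0f} km/h")
```

The 11am-to-1pm pair is flagged, while the evening return leg, which leaves time for a real flight, is not.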
Multiple transactions in quick succession — especially at round amounts (₹1,000, ₹2,000, ₹5,000) across different merchants — is the fingerprint of a compromised card being tested. Fraudsters run small test transactions first to confirm the card is active before attempting a large withdrawal. The model recognises this sequence pattern specifically.
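The sequence pattern above can be expressed as a small stateful rule. This is an added sketch, not any bank's model: it flags a burst of small round-amount charges at distinct merchants, and then any large charge that follows while the burst is still fresh. The window, ceiling, step size and the sample transactions are assumed values constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed parameters for illustration only.
WINDOW = timedelta(minutes=10)  # how long a probe stays "recent"
MIN_MERCHANTS = 3               # distinct merchants needed to call it a burst
PROBE_CEILING = 5000            # probes are small (rupees)
ROUND_STEP = 500                # multiples of 500 count as "round"

def card_testing_alerts(txns):
    """Return a list of (alert_type, [transaction ids]) in time order."""
    alerts, probes = [], []
    for t in sorted(txns, key=lambda t: t["ts"]):
        # Keep only probes that are still inside the sliding window.
        probes = [p for p in probes if t["ts"] - p["ts"] <= WINDOW]
        burst = len({p["merchant"] for p in probes}) >= MIN_MERCHANTS
        is_probe = (t["amount"] <= PROBE_CEILING
                    and t["amount"] % ROUND_STEP == 0)
        if is_probe:
            probes.append(t)
            merchants = {p["merchant"] for p in probes}
            # Alert once, at the moment the burst threshold is crossed.
            if not burst and len(merchants) >= MIN_MERCHANTS:
                alerts.append(("probe_burst", [p["id"] for p in probes]))
        elif burst and t["amount"] > PROBE_CEILING:
            alerts.append(("large_after_probes", [t["id"]]))
    return alerts

def _tx(i, day, hh, mm, merchant, amount):
    return {"id": i, "ts": datetime(2024, 1, day, hh, mm),
            "merchant": merchant, "amount": amount}

# Constructed sample: normal spending on day 4, a test sequence on day 5.
SAMPLE = [
    _tx("a1", 4, 9, 0, "M1", 500),
    _tx("a2", 4, 9, 3, "M1", 1000),    # same merchant twice: not a burst
    _tx("a3", 4, 9, 5, "M5", 349),     # not a round amount
    _tx("c1", 5, 10, 0, "M1", 1000),
    _tx("c2", 5, 10, 2, "M2", 2000),
    _tx("c3", 5, 10, 4, "M3", 5000),
    _tx("c4", 5, 10, 6, "M4", 48750),  # large charge right after the probes
]

if __name__ == "__main__":
    for alert in card_testing_alerts(SAMPLE):
        print(alert)
```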
You've never spent at a jewellery store. Suddenly there's a ₹80,000 charge at one. That specific merchant category is flagged for you specifically — not because it's unusual in general, but because it's unusual for your personal spend profile. The model doesn't just look at amounts; it looks at where you spend relative to your history.
High-value transactions between 1am–4am carry an elevated baseline risk score for most account profiles. If you've never made a transaction at 3am and one suddenly appears, the risk model notes it. Combined with other anomalies, late-night timing can be the signal that tips a borderline case into a block.
UPI fraud and credit card fraud are quite different challenges — and the AI that handles them reflects that difference.
UPI fraud usually requires the victim's active participation: entering a PIN, approving a collect request, being socially engineered. Credit card fraud often doesn't. A stolen card number (from a data breach, a skimmer, or a phishing page) can be used for online transactions without any physical card present, and without the victim knowing until they see their statement.
Credit card fraud detection therefore operates on a tighter time window and uses a different model. The card network (Visa or Mastercard) runs its own fraud model — called Falcon (Visa) or Safety Net (Mastercard) — at the network level, scoring every transaction globally in real time. Your bank then runs its own model on top. Two independent AI systems are checking every credit card swipe.
The credit card model pays particular attention to card-not-present transactions: online purchases where the physical card isn't swiped. These are the highest-risk transaction type because the merchant can't verify the card is in the buyer's hand. The combination of a new merchant, a high amount, a shipping address different from your billing address, and an unusual time of day can trigger a block even on a legitimate purchase.
International activation (calling the bank before travelling) used to be mandatory. For most major banks it's now optional — the fraud model handles international transactions intelligently. What actually triggers a block is the combination of an unusual location AND an unusual merchant category AND an unusual amount. A small, familiar-category transaction in a new country often goes through fine. A large, unfamiliar-category transaction raises flags even with international activation on.
This is the question I get asked most often: "My own transaction got declined and I'm the real account holder — why?"
The honest answer is that fraud detection models are optimising a trade-off between two types of errors: false negatives (fraud that gets through) and false positives (legitimate transactions that get blocked). A model that never blocks legitimate transactions will also miss some fraud. A model that never misses fraud will block a lot of legitimate transactions.
Indian banks have historically set their thresholds to be relatively conservative — blocking more to miss less fraud — because the reputational cost of a fraud incident is high and the customer service cost of an unblocked false positive is also high. The result is that legitimate customers occasionally get blocked.
The situations that most reliably trigger false positives:
First transaction at a new category of merchant. Your first purchase at a foreign currency merchant, a luxury goods store, or a crypto exchange will face higher scrutiny because there's no historical pattern to compare against.
Travel. Especially domestic travel to cities you don't normally visit. The impossible-travel detection that catches real fraud also catches you when you fly to a conference and use your card at the hotel. Banks that share location data from your mobile app mitigate this somewhat — if your phone GPS shows you in Delhi, a Delhi card transaction is less suspicious.
Unusually large one-off purchases. Buying a laptop, a bike, or jewellery for a wedding pushes well outside your normal spend range. The model sees a 10x deviation from your median transaction size and flags it.
The practical fix for all of these is the same: call your bank before the transaction, or use their app to temporarily raise limits or whitelist a merchant. It's friction — but it's the friction of a system that's actually protecting you.
There's a distinction most people don't know about: transaction-level fraud detection (what we've discussed so far) catches fraud in real time. But banks also run account-level AI that operates more slowly, looking for patterns across weeks and months.
Account-level AI is looking for things like: a sudden increase in the number of linked UPI apps on the account (possible credential sharing), a shift in where money is being sent (new recipients appearing, old trusted ones disappearing), a pattern of just-under-limit transactions (structuring, the financial crime of breaking large transfers into small ones to avoid reporting thresholds), and long-term dormant accounts suddenly becoming active with large transactions.
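Of the account-level patterns listed, just-under-limit transfers are the easiest to show in code. The following is an added illustration, not a bank's or regulator's rule: it counts transfers that land in a narrow band below a reporting limit and alerts when several cluster inside a rolling window. The limit is a placeholder, and the band width, window, hit count and sample transfers are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Placeholder and assumed values; not actual regulatory thresholds.
REPORT_LIMIT = 1_000_000            # reporting limit in rupees (placeholder)
NEAR_BAND = 0.10                    # "just under" = within 10% below the limit
WINDOW = timedelta(days=7)          # rolling window for clustering
MIN_HITS = 3                        # near-limit transfers needed to alert

def structuring_alerts(transfers):
    """transfers: iterable of (account, date, amount).
    Return {account: (hit_count, total_amount)} for the densest window."""
    near = defaultdict(list)
    floor = REPORT_LIMIT * (1 - NEAR_BAND)
    for account, day, amount in transfers:
        if floor <= amount < REPORT_LIMIT:
            near[account].append((day, amount))

    alerts = {}
    for account, hits in near.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the left edge until the window spans at most WINDOW.
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            window = hits[start:end + 1]
            if len(window) >= MIN_HITS:
                found = (len(window), sum(a for _, a in window))
                alerts[account] = max(alerts.get(account, (0, 0)), found)
    return alerts

# Constructed sample transfers.
TRANSFERS = [
    ("A", date(2024, 1, 2), 950_000),   # three near-limit transfers in 4 days
    ("A", date(2024, 1, 3), 980_000),
    ("A", date(2024, 1, 5), 920_000),
    ("B", date(2024, 1, 2), 990_000),   # a single near-limit transfer
    ("B", date(2024, 1, 4), 40_000),
    ("C", date(2024, 1, 2), 950_000),   # near-limit, but a month apart each
    ("C", date(2024, 2, 1), 960_000),
    ("C", date(2024, 3, 1), 970_000),
]

if __name__ == "__main__":
    print(structuring_alerts(TRANSFERS))
```

Only account A is reported. A single large transfer (B) or near-limit transfers spaced a month apart (C) do not meet the clustering condition.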
This slower-moving model is what generates the reports banks are required to file with the Financial Intelligence Unit (FIU-IND) under RBI's anti-money laundering framework. It's not primarily a personal fraud protection tool — it's a regulatory compliance tool. But the output of catching AML patterns also catches a lot of sophisticated account-level fraud that real-time transaction models miss.
India's fraud landscape has characteristics that Western banking AI models weren't built to handle. Indian banks have had to train their own models — or heavily customise global ones — for this context.
Cash-heavy to digital transition. Large segments of the Indian population shifted from cash to digital payments rapidly, often within a single year. Their transaction histories were short and thin. A fraud model trained on years of data doesn't work well for accounts with three months of history. Banks developed "thin file" sub-models specifically for new-to-digital customers.
Festival-period spikes. Diwali, Dhanteras, Eid, and wedding season generate genuine transaction spikes that look like anomalies to a naive model. A user spending 5× their normal amount on jewellery in October is almost certainly shopping for Dhanteras, not being defrauded. Indian bank models are seasonally calibrated in ways that global models aren't.
Family account patterns. In India, a single account is often used by multiple family members — especially older parents who share their card with adult children. This creates mixed behavioural signals that can generate false positives. Some banks now offer "family card" features that set separate behavioural baselines for each sub-user.
The OTP problem. India relies heavily on OTPs for transaction authentication. OTP-based social engineering — where the victim is tricked into sharing the OTP — is India's dominant fraud vector. Banks have responded with time-limited OTPs, device-bound OTPs, and AI that flags a transaction if the OTP was entered unusually quickly after being sent (suggesting the victim is on a call reading it out to a scammer in real time).
Indian bank fraud AI is solving problems that most global banking models have never encountered at this scale: a billion-person population moving from cash to digital in a single decade, with 20+ languages, highly variable digital literacy, and the world's highest-volume real-time payment network underneath it all.
Bank fraud AI in India is genuinely impressive — and also genuinely imperfect. False positives are an ongoing problem, especially for customers who travel, make large one-off purchases, or have thin transaction histories. The appeals process when you're wrongly blocked is slow and frustrating.
There's also a surveillance dimension worth acknowledging directly. Your bank has a comprehensive picture of your financial life: where you eat, what you buy, where you travel, what you pay for medical care, which political parties or causes you donate to. This data is protected by RBI regulations and banking secrecy laws — but it exists. Your bank knows more about your actual life than almost any other institution, including your employer.
I'm not suggesting you move to cash. The fraud protection the AI provides is real and valuable — my uncle's UPI near-miss, my own petrol pump incident, the countless OTP scams that never completed because the system flagged them. That protection is worth the data trade-off for most people. I just think it's worth knowing the trade-off exists, rather than assuming the system is looking out for you with no skin in the game.
After the Bangalore incident, I started doing one thing before every trip: opening my bank app and checking that my card limit and international/domestic settings match what I'm about to do. Takes 60 seconds. Has saved me from a blocked card three times since.
The other thing I do: keep two cards from different banks for travel. If one gets blocked by its own fraud model, the other usually goes through. The AI systems at different banks use different models and different thresholds — so a transaction that triggers HDFC's model might not trigger ICICI's.
The system is working for you. But it's not infallible, and it doesn't know you're on a trip unless you tell it. A little proactive communication with your bank before anything unusual goes a long way.