SBI vs HDFC vs ICICI: Which Bank Gives Zero Liability on UPI Fraud in 2026?
All three banks say “zero liability.” But one refunds in 10 days, one asks for a police FIR first, and one can legally take 90 days. Same RBI rules. Wildly different outcomes. Before your next UPI payment, find out which bank actually protects your money.
SBIvsHDFCvsICICI Which Bank Gives Zero Liability on UPI Fraud in 2026?
You lost money on UPI. You called your bank. And then you discovered that “zero liability” means something very different depending on which bank holds your account — and whether it happened before or after July 1, 2026.
RBI issued landmark draft guidelines on March 6, 2026 proposing up to 85% compensation (capped at ₹25,000) for small-value UPI fraud — effective July 1, 2026. Public comments open until April 6, 2026.
Nearly 13,500 cases of card and internet fraud involving ₹520 crore were reported in 2024–25 alone, according to RBI data. India processes over 120 billion digital transactions annually. Yet most UPI users have no idea what their bank actually owes them when fraud strikes — or that the answer changes dramatically between SBI, HDFC, and ICICI.
The question “which bank protects me from UPI fraud?” has no simple answer. All three banks follow the same RBI 2017 framework on paper. But in practice, the speed of refund, the burden of proof, the definition of “negligence,” and the customer experience diverge sharply. And with the RBI’s new March 2026 draft circular proposing to rewrite the rules entirely from July 1, 2026, the stakes have never been higher.
This guide breaks down exactly what SBI, HDFC, and ICICI offer today, what changes on July 1, 2026, and what every UPI user must do within 5 days of any fraud to protect their right to a refund.
🏦 The Three Banks at a Glance
Before comparing their fraud policies, it helps to understand the scale at which these banks operate — because scale directly correlates with fraud volume and the robustness of their fraud response infrastructure.
⚖️ The RBI Framework Both Then and Now
The RBI’s 2017 circular on customer liability established India’s foundational framework for UPI fraud protection. The rules hinge entirely on two variables: who was negligent and how fast you reported it. Here is how it works under the current (pre-July 2026) rules:
Zero Liability: When You Owe Nothing — Under Current 2017 Rules
If the fraud occurred due to bank negligence (system failure, failure to send SMS alerts, security breach at the bank’s end) — you have zero liability regardless of when you report it. The bank must refund the full amount. If fraud occurred through no negligence on your part AND you reported within 3 working days, you also have zero liability.
Limited Liability: When You Share Some Responsibility
If you reported within 4–7 working days and the fraud was not due to your negligence, the bank bears a portion of the loss based on transaction amount. If you shared your OTP, PIN, or password — even under deception — most banks currently classify this as “customer negligence” and deny full refunds, making recovery a difficult legal battle.
📊 SBI vs HDFC vs ICICI: The Complete Fraud Policy Comparison
Bank-by-Bank UPI Fraud Protection Scorecard — 2026
Research Based| Parameter | 🔵 SBI | 🔴 HDFC | 🟠 ICICI |
|---|---|---|---|
| Zero Liability Trigger | Bank negligence | Bank negligence | Bank negligence |
| Report Window for Zero Liability | Within 3 working days | Within 3 working days | Within 3 working days |
| Dedicated Fraud Helpline | 1800-11-2211 (General) | 1800-258-6161 (Dedicated) | 1860-120-7777 (General) |
| Refund Timeline (Post-Claim) | Up to 90 days (RBI max) | 10 working days | 10–30 working days |
| OTP-Shared Fraud Stance | Typically denied | Typically denied | Typically denied |
| FIR Required? | Often required | Case-by-case | Usually required |
| In-App Fraud Reporting | YONO App (limited) | HDFC App (robust) | iMobile (strong) |
| Burden of Proof (New 2026 Rule) | Shifts to Bank (July 2026) | Shifts to Bank (July 2026) | Shifts to Bank (July 2026) |
| Eligible for RBI ₹25,000 Comp? | Yes (commercial bank) | Yes (commercial bank) | Yes (commercial bank) |
| Escalation Path | Branch → Ombudsman | PhoneBanking → Ombudsman | Branch/App → Ombudsman |
🔵 SBI Deep Dive: India’s Biggest Bank, India’s Biggest Backlog
SBI follows the RBI 2017 framework strictly. Zero liability applies when bank negligence is proven, but the sheer volume of SBI’s customer base — over 500 million accounts — creates significant processing delays. The 90-day outer limit permitted by RBI is frequently utilised. SBI customers consistently report that fraud claims require branch visits, written complaints, and often a police FIR for amounts above ₹10,000. YONO’s in-app fraud reporting is functional but limited compared to private sector peers.
⏱ Verdict: Covered by rules, but expect delays🔴 HDFC Deep Dive: Private Sector’s Best-in-Class Fraud Response
HDFC Bank has invested significantly in fraud detection and customer redressal infrastructure. Their dedicated PhoneBanking fraud line (1800-258-6161) connects customers to a specialised cyber fraud team — not a general customer service agent. HDFC typically processes UPI fraud claims within 10 working days once liability is established, and their in-app reporting mechanism is the most streamlined among the three banks reviewed. However, HDFC’s stance on OTP-shared fraud remains strict — if you shared your PIN or OTP under deception, standard policy still treats this as customer negligence.
✅ Verdict: Fastest refund, best infrastructure🟠 ICICI Deep Dive: Strong Tech, Strictest Negligence Clause
ICICI Bank’s iMobile app has a strong built-in dispute resolution feature, and their fraud response team is digitally capable. However, ICICI is widely reported to apply the strictest negligence clause interpretation among the three banks — consistently requiring an FIR copy before processing fraud refunds even for amounts as low as ₹5,000. Their 10–30 working day SLA is wider than HDFC’s and reflects a more case-by-case investigative approach. For tech-savvy users who can document their fraud thoroughly, ICICI’s process works. For senior citizens or first-time fraud victims, the documentation burden is significant.
📋 Verdict: Good tech, high documentation barThe New RBI Framework: How Everything Changes for SBI, HDFC, and ICICI
The RBI’s March 6, 2026 draft directions — the most significant update to customer liability rules since 2017 — fundamentally shift the power balance between banks and fraud victims. For the first time, the burden of proof moves to the bank, not the customer.
Crucially, the new framework expands the definition of fraud to explicitly include coerced transactions (where you were threatened or tricked into paying), phishing or social engineering attacks (where you shared an OTP under deception), and third-party breaches (where the fault lies with payment gateways or telecom providers — not you or the bank). This is a landmark shift: millions of OTP-scam victims who were previously told “you shared your OTP, so it’s your fault” will now potentially qualify for partial compensation under the new rules.
If the fraud occurs due to bank negligence — system failure, failure to send SMS alerts — the customer still enjoys Zero Liability and the bank must refund the full amount regardless of the ₹25,000 cap.
— RBI Draft Amendment Directions, March 6, 2026There is one critical limitation: this is a one-time, lifetime benefit. You get exactly one chance to use the RBI compensation mechanism. If you claim it once and are defrauded again, the ₹25,000 compensation is gone. The RBI has incorporated Aadhaar verification to track and prevent repeat claims. Joint account holders must note that if one holder claims the relief, the lifetime eligibility for both holders is considered exhausted.
📋 What To Do the Moment You Discover UPI Fraud — Step by Step
-
1
Call 1930 — The National Cyber Crime Helpline — Immediately
1930 is India’s official cyber fraud helpline. Calling it within hours of a fraud event can sometimes freeze funds before the fraudster withdraws them. This call also starts your official complaint trail, which is required for the new RBI ₹25,000 compensation claim. Save this number now: 1930.
-
2
File a Complaint at cybercrime.gov.in Within 5 Days
The new RBI framework requires you to log a complaint at the National Cyber Crime Reporting Portal (cybercrime.gov.in) within five calendar days of the fraud. This is mandatory to qualify for the 85% compensation. Take a screenshot of your complaint confirmation and preserve the complaint ID permanently.
-
3
Notify Your Bank in Writing — Same Day
Call your bank’s fraud helpline (SBI: 1800-11-2211 / HDFC: 1800-258-6161 / ICICI: 1860-120-7777) and follow up with a written complaint — via email or in-app — on the same day. Verbal complaints alone do not start the official refund timeline. The bank must respond within 30 days under the new 2026 rules.
-
4
Gather Evidence: Transaction ID, Time, Screenshots, Communication
Collect every piece of documentation: UPI transaction IDs, timestamps, screenshots of the fraudulent communication, any WhatsApp messages or call recordings if applicable. Under the new RBI rules, the bank must prove you were negligent — not the other way around. Strong documentation prevents the bank from invoking the negligence clause falsely.
-
5
Escalate to RBI Ombudsman If Not Resolved in 30 Days
If your bank does not respond within 30 days or rejects your claim unfairly, file a complaint at the RBI Integrated Ombudsman portal: cms.rbi.org.in. This is free, fully digital, and powerful. Banks typically resolve complaints much faster once the Ombudsman is involved. The new 2026 rules also mandate banks to have an Internal Ombudsman review before escalation.
The One Rule That Separates Refund from Rejection at All Three Banks
The single most important determinant of whether SBI, HDFC, or ICICI refunds your money is not which bank you chose — it is how fast you reported the fraud. Report within 3 working days: zero liability under current rules. Wait longer than 7 days: the bank can legally deny your claim entirely. Under the new July 2026 rules, report within 5 calendar days to cybercrime.gov.in and your bank to qualify for up to 85% compensation. Speed is everything.
The DailyFinancial.in Fraud Protection Verdict
❓ Frequently Asked Questions
Under current (2017) rules: no. Sharing an OTP is typically treated as customer negligence, which eliminates zero liability protection. However, the new RBI 2026 draft framework changes this partially — it now includes “phishing and social engineering” (i.e., being tricked into sharing an OTP) as eligible for the 85% compensation mechanism, up to ₹25,000. This is a one-time lifetime benefit and only applies from July 1, 2026 onwards.
Based on publicly available policy data and reported customer experiences, HDFC Bank has the fastest fraud resolution timeline — approximately 10 working days once liability is established. ICICI typically takes 10–30 working days depending on the case complexity and documentation submitted. SBI, due to its enormous customer base, can take up to the RBI-permitted 90-day maximum in complex cases, though straightforward cases resolve faster.
The new RBI framework applies to commercial banks — SBI, HDFC, ICICI, Axis, Kotak, and others. Payment banks (like Paytm Payments Bank) and small finance banks are explicitly excluded from the current draft. However, if your PhonePe or Google Pay account is linked to an eligible commercial bank, transactions through those apps using your bank’s UPI ID would fall under the bank’s obligation. Check whether your UPI app’s linked account is with a covered commercial bank.
The new RBI ₹25,000 compensation mechanism specifically covers fraud below ₹50,000. For larger amounts, the existing 2017 zero liability and limited liability framework still applies — meaning if the fraud was due to bank negligence and you reported promptly, the bank must refund the full amount regardless of the cap. For larger fraud amounts involving customer negligence, you would typically need to pursue legal action via the Banking Ombudsman or Consumer Forum.
As of March 16, 2026, the RBI framework is still in draft form — officially titled “RBI (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026.” The public comment window was open until April 6, 2026. If finalised as proposed, it will come into effect on July 1, 2026. The existing 2017 rules remain in force until then. Monitor rbi.org.in for the final notification.
