For years, Indian banks treated deposit operations as relatively “safe” compared to the messy world of loan books. That comfort is gone. A surge in mule accounts (legitimate bank accounts commandeered or rented to launder the proceeds of cybercrime) has shifted operational risk from loans to deposits. Senior bankers are tightening KYC and continuous due diligence on savings/current accounts as fraudsters industrialise social engineering, investment scams, gaming-app traps and “digital arrest” cons. The new front line isn’t credit underwriting; it’s stopping stolen money from ever settling into the system.
The scale of the threat
Government data show the cyber-fraud response machine is finally scaling. Under the Indian Cyber Crime Coordination Centre (I4C), authorities report 9.23 lakh mule accounts lien-marked, and over 7 lakh SIM cards and 2.08 lakh IMEIs blocked, up to 31 Dec 2024. A new Suspect Registry launched in September 2024 has already circulated 4.99 lakh suspect identifiers and flagged 18.29 lakh mule accounts to participating entities, helping save more than ₹2,009 crore. The 1930 helpline and the Citizen Financial Cyber Fraud Reporting system have together helped freeze flows and save over ₹3,919 crore across 11.2 lakh complaints. This is the clearest evidence yet that mule accounts are not anecdotal; they are systemic.
RBI’s own fraud lens shows the battlefield has moved online. In FY24, total fraud incidents jumped to 36,075 (from 13,564), with 29,082 card/internet cases. While amounts fell year-on-year as large legacy loan frauds tapered, the volume is firmly in retail/digital rails, an unmistakable operational-risk signal to banks and large corporates operating payment flows. Early highlights from FY25 carry this forward, with the central bank explicitly calling out mule-account risk.
What RBI and banks are doing
The regulator has moved from advisories to architecture. Three pillars stand out:
- AI for Fraud Intelligence: RBI has piloted MuleHunter.AI, an AI/ML system to detect mule accounts across institutions. The initiative recognises that a single bank view is inadequate; the signal emerges only when patterns are stitched across banks, wallets and rails.
- Digital Payments Intelligence Platform (DPIP): RBI and major banks are building a real-time fraud-intelligence utility to share red flags and stop payments mid-flight; think of it as an anti-fraud UPI for the entire ecosystem. The RBI Innovation Hub is leading the prototype work. Done right, DPIP can become critical “digital public infrastructure” for risk, just as UPI is for payments.
- NPCI’s Network-Level Screening: On the rails side, NPCI now runs AI/ML-based fraud monitoring that generates alerts and declines, complementing bank-side systems. Combined with consumer awareness pushes (SMS, radio, education), it’s a layered defense: transaction-level analytics plus public-facing hygiene.
Banks, for their part, are re-risk-weighting deposits, tightening KYC/CKYCR, re-verifying high-velocity accounts, extending continuous due diligence to low-balance but high-movement profiles, and integrating fraud data feeds from law enforcement and platforms. The philosophical shift is key: first-party misuse (customers “renting” their accounts) is being treated as a control failure, not a customer-service issue.
Why this matters for financial stability and corporates
The macro-risk is about trust in retail rails. India’s digital economy depends on confidence that instant payments won’t be instantly siphoned. If mule accounts become a parallel shadow-banking layer for criminals, banks will face higher compliance drag, higher false-positive blocks, and customer friction, eroding the very efficiency gains that made UPI and instant collections a corporate CFO’s dream. Reputational risk compounds: a single viral “digital arrest” story travels faster than any awareness campaign. For listed lenders and payments-heavy corporates, that translates into higher operational risk capital, audit intensity and board scrutiny and, ultimately, a higher cost of doing business.
The technology angle
Graph intelligence and entity resolution are now table stakes. Mule networks are multi-bank, multi-SIM, multi-device. The signal is relational: common devices across accounts, repeat beneficiary patterns, micro-splitting and time-sliced velocity. Banks need real-time graph scoring at the edge of payment decisioning.
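The relational signal described above, as an added example (not code from RBI, NPCI or any bank): accounts are linked through shared devices and SIMs with union-find, and a linked cluster is queued for review when one member forwards most of a credit within a short window. All account, device and SIM identifiers, amounts and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (account, device_id, sim_id). Not real identifiers.
LOGINS = [
    ("BANKA-001", "dev-1", "sim-1"),
    ("BANKB-044", "dev-1", "sim-2"),   # shares a device with BANKA-001
    ("BANKC-310", "dev-7", "sim-2"),   # shares a SIM with BANKB-044
    ("BANKA-777", "dev-9", "sim-9"),   # unrelated customer
]
# Constructed transfers: (epoch_seconds, from_account, to_account, amount_inr)
TRANSFERS = [
    (1000, "VICTIM-1", "BANKA-001", 95000),
    (1060, "BANKA-001", "BANKB-044", 47000),   # credit split in two
    (1090, "BANKA-001", "BANKC-310", 47500),   # within 90 seconds
    (5000, "EMPLOYER", "BANKA-777", 30000),
    (90000, "BANKA-777", "LANDLORD", 12000),   # slow, partial spend
]

def find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]          # path compression
        x = parent[x]
    return x

def clusters(logins):
    """Group accounts that share any device or SIM, transitively."""
    parent = {}
    for acct, dev, sim in logins:
        nodes = [("acct", acct), ("dev", dev), ("sim", sim)]
        for node in nodes:
            parent.setdefault(node, node)
        root = find(parent, nodes[0])
        for other in nodes[1:]:
            parent[find(parent, other)] = root
    groups = defaultdict(set)
    for acct, _, _ in logins:
        groups[find(parent, ("acct", acct))].add(acct)
    return list(groups.values())

def pass_through(transfers, window=300, ratio=0.9):
    """Accounts that forward >= ratio of a credit within `window` seconds."""
    flagged = set()
    for t_in, _, acct, amt_in in transfers:
        out = sum(a for t, src, _, a in transfers
                  if src == acct and t_in <= t <= t_in + window)
        if out >= ratio * amt_in:
            flagged.add(acct)
    return flagged

def review_queue(logins, transfers):
    # A cluster is queued when it links 2+ accounts and contains a pass-through.
    hot = pass_through(transfers)
    return [sorted(c) for c in clusters(logins) if len(c) >= 2 and c & hot]
```

Only the three linked accounts reach the queue; the salaried account with a slow, partial outflow does not, even though it also received a credit.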
Next, consentful data-sharing: DPIP can work only if privacy-preserving analytics (hashing, tokenisation, homomorphic techniques where feasible) let banks share enough to stop fraud without oversharing PII. Model governance matters too: bias and drift are not academic concerns if models down-score rural or migrant profiles and miss affluent mules, or vice versa.
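One instance of the hashing/tokenisation approach mentioned above, as an added example (not DPIP's or any bank's actual scheme): identifiers are canonicalised and then tokenised with a keyed HMAC, because an unkeyed hash of a 10-digit phone number can be reversed by simple enumeration. The shared key, the identifier formats and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumption: a consortium secret distributed out of band. Constructed value.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def normalise(kind, value):
    """Canonicalise so every participant derives the same token per entity."""
    if kind == "phone":
        digits = re.sub(r"\D", "", value)
        return digits[-10:]                 # 10-digit mobile, prefix dropped
    if kind == "account":
        return re.sub(r"\s", "", value).upper()
    raise ValueError(f"unsupported identifier kind: {kind}")

def token(kind, value, key=SHARED_KEY):
    """Keyed, domain-separated token; useless to anyone without the key."""
    msg = f"{kind}:{normalise(kind, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def match(shared_tokens, local_records):
    """Return local (kind, value) records whose token is in the shared set."""
    return [r for r in local_records if token(*r) in shared_tokens]

# Constructed: what one participant publishes (tokens only, no raw PII).
SUSPECTS = {
    token("phone", "+91 98765 43210"),
    token("account", "BANKA 0001 2345"),
}
# Constructed: another participant's own customer records, formatted differently.
LOCAL = [
    ("phone", "098765-43210"),
    ("phone", "9123456780"),
    ("account", "banka00012345"),
]

def demo():
    return match(SUSPECTS, LOCAL)
```

Without the normalisation step the two phone formats would produce different tokens and the match would be missed silently.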
Finally, human-in-the-loop triage must evolve. Fraud desks need playbooks that blend analytics with law-enforcement escalations (1930, I4C, Suspect Registry) so “freeze-and-seize” happens inside the golden few minutes before funds fan out across accounts and crypto off-ramps.
Policy and market fixes we need next
1) Make DPIP mandatory, time-bound: Set a regulatory “go-live” window and require APIs into I4C’s Suspect Registry so bank and state capacity scales together. The MHA’s metrics show the state can move quickly; the financial system should plug in by design, not MoUs.
2) Tiered liability with safe harbours: For instant digital rails, adopt shared-liability frameworks: if a bank can prove DPIP participation, timely 1930 escalation and model governance, offer safe-harbour relief on disputed transactions so institutions aren’t punished for doing the right things fast.
3) Criminalise account-renting explicitly and uniformly: Today’s deterrence is patchy. A crisp offence category for knowingly renting/selling accounts or SIMs, with graded penalties, would shrink the supply of mules.
4) Push “continuous KYC” and device hygiene: One-and-done onboarding is obsolete. Regulators should endorse risk-based re-verification triggers (device change + unusual velocity + new beneficiary clusters) and back banks to pause accounts pending review, without fear of consumer-protection backlash when controls are proportionate.
5) Corporate treasurers: Corporates should whitelist beneficiary banks, use just-in-time limits, and subscribe to bank fraud-intel feeds. If your collections run at scale, treat mule-risk as an operational continuity risk, not merely a bank problem.
The bottom line
India’s fraudsters have discovered the weak link: speed + scale + social engineering + mule liquidity. The state is responding at scale and the RBI-bank tech stack (MuleHunter.AI, DPIP, NPCI analytics) is taking shape. But winning this war requires closing the last mile: real-time, privacy-aware data-sharing, deterrence for account-renting, and board-level ownership of deposit-side operational risk. In the digital economy, your biggest vulnerability isn’t bad credit. It’s a “good” account doing bad things at scale and at speed.