Right To Refuse: Why Indian Banking Needs A 'Consent Layer' To Protect Innocent Account Holders
Tarun Kumar
30 April 2026 10:00 AM IST

Currently, an account holder has no legal or technical agency to accept or deny a payment before it hits their ledger. In the landscape of modern Indian jurisprudence, the rapid evolution of the UPI (Unified Payments Interface) is often hailed as a triumph of financial inclusion and digital efficiency. However, beneath the surface of this "ease of transaction" lies a perilous statutory lacuna: the absence of a consent mechanism for inbound payments. While digital social platforms are built on the bedrock of permission, requiring a "friend request" before a connection is established, the Indian banking architecture remains an "open-gate" system.
This systemic flaw has birthed a sophisticated form of procedural abuse. By merely obtaining a target's UPI ID or account details, a malicious actor can deposit "tainted" funds, often sourced from accounts flagged for cyber-fraud, into the account of an unsuspecting citizen. Under the prevailing interpretation of Section 102 of the CrPC (now mirrored in the Bharatiya Nagarik Suraksha Sanhita), the mere presence of these funds, regardless of the amount or the recipient's lack of mens rea, triggers an immediate and often blanket freeze of the entire account by cyber cells.
The result is a gross violation of the Doctrine of Proportionality. As seen in recent cases, a nominal unsolicited credit of a few hundred rupees can lead to the freezing of life savings worth lakhs, forcing innocent account holders into a grueling, months-long legal battle to prove their innocence. This article examines the urgent necessity for the Reserve Bank of India (RBI) and the National Payments Corporation of India (NPCI) to introduce a "Consent Layer" granting account holders the Right to Refuse unsolicited credits and shielding them from the weaponization of the banking system.
REAL WORLD CASE STUDY
In a recent case, a client maintaining a substantial balance of Rs. 50 lakhs earmarked for the purchase of a residential flat in Noida fell victim to the "open-gate" banking flaw. On the very day the client intended to issue a Demand Draft for the registration of the property, he discovered that his entire account had been frozen.
The catalyst for this total financial paralysis was an unsolicited credit of a mere Rs. 900 received via UPI from an unknown source a few days prior. Because that nominal sum was linked to a suspicious origin, the entire account was flagged and blocked by the cyber cell, regardless of the fact that the disputed amount represented less than 0.02% of the total holdings.
The fallout of this procedural victimization was catastrophic. Beyond the legal hurdles of moving an application before the concerned Magistrate and navigating a lengthy de-freezing process, the client suffered tangible economic loss. His commitment to the seller failed at the critical hour of registration, forcing him to pay significant additional interest to the vendor to keep the deal alive. This case highlights a disturbing reality: under the current framework, an innocent account holder can be held hostage by a transaction they never requested, leading to breached contracts, financial penalties, and a gross violation of their right to enjoy their own property.
COMPARATIVE STUDY: GLOBAL CONSENT-BASED BANKING FRAMEWORKS
1. United Kingdom: The Pay.UK "Request to Pay" Framework: - The UK has implemented one of the most robust "Request to Pay" (RtP) frameworks, designed specifically to sit as an overlay on top of existing clearing systems (like Faster Payments). Under this mechanism, instead of money being "pushed" into an account without warning, a biller or individual sends a secure message. The recipient has four distinct legal/technical options:
* Pay in Full: Immediate settlement.
* Pay in Part: Useful for managing liquidity.
* Pay Later: Requesting a deferral.
* Decline to Pay: This is the critical safeguard. If the payer does not recognize the request or suspects fraud, they can decline it, preventing the transaction from ever hitting their ledger.
2. European Union: SEPA Request-to-Pay (SRTP): - The European Payments Council (EPC) launched the SEPA Request-to-Pay scheme to standardize digital payments across 36 countries. SRTP is a messaging functionality. A payee initiates a request, and the payer must explicitly authenticate and authorize the transaction. It follows "security by design" principles. Because only verified entities can issue requests through the framework, it significantly reduces the risk of Authorized Push Payment (APP) fraud and malicious "unsolicited" credits.
3. Australia: The New Payments Platform (NPP) & PayTo: - Australia's "PayTo" system is a modern alternative to traditional direct debits and push payments. When a business or individual wants to initiate a payment from a user's account, they must create a “PayTo Mandate”. The account holder sees this mandate in their banking app and must click "Authorize" before any funds move. They can also pause or cancel mandates instantly, giving them absolute control over who can interact with their account.
The global shift toward consent-based banking architectures provides a clear blueprint for mitigating the risks currently inherent in the Indian digital payment landscape. By analyzing the UK's "Request to Pay" framework, the European Union's SRTP scheme, and Australia's "PayTo" mandates, a common standard emerges: the legal and technical recognition of the account holder as an active gatekeeper rather than a passive recipient. These systems prove that "The Right to Refuse" is not merely a theoretical preference but a functional necessity that prevents financial contamination at the source.
Implementing a similar "Consent Layer" in India would effectively bridge the gap between digital efficiency and procedural due process. By transitioning from an "open-gate" model to a "permission-based" ledger, the RBI and NPCI can ensure that a recipient's financial life is no longer held hostage by the unilateral actions of a third party. Ultimately, adopting these international best practices is the only sustainable way to protect innocent citizens from the disproportionate hardships of blanket account freezes, ensuring that the technology meant to empower the public does not inadvertently become a tool for their victimization.
INDIAN LEGAL SYSTEM
While the Indian judiciary, through landmark rulings in cases like Malabar Gold[1] and the Allahabad High Court directives, has begun safeguarding citizens against arbitrary account freezes, these interventions remain largely post-facto, correcting the damage only after the financial injury has occurred. There persists a critical regulatory vacuum at the transaction entry point. Currently, the legal framework focuses on curbing the symptoms of "procedural overreach" rather than addressing the root cause: the unsolicited credit itself. We are, in effect, forcing the Judiciary to clean up a systemic mess that the banking architecture, overseen by the RBI and NPCI, should have structurally prevented through a robust consent layer.
To date, there is a glaring absence of specific legislation, rules, or comprehensive Standard Operating Procedures (SOPs) designed to regulate the inception of these transactions. While the Payment and Settlement Systems Act, 2007 and various RBI master circulars govern the speed and security of "pushing" a payment, they remain silent on the recipient's Right to Refuse. This lack of a "pre-credit" regulatory filter ensures that the burden of proof and the hardship of litigation continue to fall entirely on the innocent account holder, rather than the system that facilitated the intrusion.
THE WAY FORWARD: A CALL FOR REGULATORY EVOLUTION
To rectify this systemic vulnerability, a multi-pronged approach involving legislative amendments and technical re-engineering is imperative. The following measures are proposed to transition the Indian banking system from an "open-gate" liability to a "consent-based" security model:
1. Amending the Master Directions: - The Reserve Bank of India (RBI) should issue updated Master Directions under the Payment and Settlement Systems Act, 2007, mandating banks to provide "Inbound Transaction Controls." These controls should allow users to:
* Set thresholds for automatic credits.
* Block credits from unverified or flagged VPA categories.
* Enable a "Permission Mode" for high-value accounts or businesses susceptible to professional rivalry.
2. The Inbound Consent Layer: - The NPCI must integrate a "Request-to-Credit" (RTC) protocol within the UPI framework. Much like a "Friend Request" on social media, any transaction initiated by a non-whitelisted VPA (Virtual Payment Address) or a first-time sender should be held in a "Pending" state. The recipient should have the technical agency to Accept or Decline the credit. If declined, the funds must be auto-reversed to the source without ever reflecting in the recipient's ledger, thereby preventing any "criminal link" from being established.
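The hold-then-consent flow proposed in measures 1 and 2, modelled as an added Python example (not part of the original article and not an RBI or NPCI specification). The class and field names, the sample VPAs, and the rule that whitelisted senders are auto-credited only up to the threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING = "pending"
    CREDITED = "credited"
    REVERSED = "reversed"


@dataclass
class InboundControls:
    """Hypothetical per-account settings; not an RBI/NPCI specification."""
    whitelist: set = field(default_factory=set)           # approved sender VPAs
    auto_credit_limit: int = 0                            # rupees; larger credits are held
    blocked_categories: set = field(default_factory=set)  # e.g. {"flagged"}
    permission_mode: bool = False                         # hold every credit for review


class ConsentLedger:
    def __init__(self, controls):
        self.controls = controls
        self.ledger = []      # (sender, amount): only consented credits land here
        self.pending = {}     # txn_id -> (sender, amount), invisible to the ledger
        self.reversed = []    # txn_ids returned to source

    def receive(self, txn_id, sender, amount, category="unverified"):
        c = self.controls
        if category in c.blocked_categories:
            return self._reverse(txn_id)
        trusted = sender in c.whitelist and amount <= c.auto_credit_limit
        if trusted and not c.permission_mode:
            self.ledger.append((sender, amount))
            return State.CREDITED
        self.pending[txn_id] = (sender, amount)   # first-time or unknown sender
        return State.PENDING

    def accept(self, txn_id):
        self.ledger.append(self.pending.pop(txn_id))  # KeyError if not pending
        return State.CREDITED

    def decline(self, txn_id):
        self.pending.pop(txn_id)
        return self._reverse(txn_id)

    def _reverse(self, txn_id):
        self.reversed.append(txn_id)  # funds go back; nothing touches the ledger
        return State.REVERSED
```

Applied to the case study, the Rs. 900 credit from an unknown VPA would sit in `pending` and, once declined, would be reversed without ever appearing in the ledger that a freeze order inspects.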
The digital revolution in India cannot be sustained if the "Ease of Doing Business" comes at the cost of the "Security of Holding Property." As we move toward a more sophisticated digital economy, our laws must evolve from being reactive to being proactive. We cannot continue to rely on the High Courts to perform "judicial surgery" on every disproportionate account freeze.
The Right to Refuse is not just a technical feature; it is a fundamental safeguard for the modern age. By introducing a Consent Layer, the RBI and NPCI can ensure that a bank account remains what it was always intended to be: a secure sanctuary for one's life savings, rather than a vulnerable target for procedural sabotage. It is time to close the gates and give the power of the ledger back to the account holder.
1. Malabar Gold and Diamond Limited & Ors. v. Union of India & Ors 2026 LLBiz HC (DEL) 95
Author is an Advocate. Views are personal.
