A bank account in 2026 is a control panel, not just a balance. The same account is the origin point for UPI, IMPS, NEFT, RTGS, debit and credit-card autopay, NACH mandates, SIPs, EPF, NPS, and tax refunds. A handful of small settings inside that control panel determine whether the household stays safe from fraud and whether the family inherits the account cleanly if something happens to the primary holder. Most salaried Indians have never sat down to audit these settings. A solid bank account safety india baseline takes about 90 minutes per account, runs through eight specific checks, and should be repeated once a year.
This guide walks through the eight settings that matter most under current RBI and NPCI rules, with the rationale for each, the screen path to find it inside most major Indian banking apps, and the safe default value. It also covers the first 72 hours after a fraud, since RBI rules favour prompt reporting.
Why Bank Account Settings Matter More Than They Used To
The volume of digital banking activity in Indian households has grown by orders of magnitude over the last seven years. UPI alone now processes well above 10 billion transactions a month per NPCI statistics, and many salaried households route 80 to 95 percent of monthly outflows through digital rails. The same digital surface that creates convenience also creates the attack surface that fraudsters exploit.
The RBI customer-rights overview
The RBI Charter of Customer Rights, anchored in the Banking Codes and Standards framework, sets out the basic protections that every bank customer is entitled to: the right to fair treatment, the right to transparency, the right to suitability, the right to privacy, and the right to grievance redress. RBI guidelines on limited liability for unauthorised electronic banking transactions further define what the customer is responsible for and what the bank carries.
The role of “zero liability” in fraud
RBI’s framework on limited liability for unauthorised electronic banking transactions provides that a customer who reports an unauthorised transaction promptly to the bank (typically within three working days of receiving notification) generally bears zero liability for the loss, with the bank required to credit back the amount. Delayed reporting reduces this protection materially, which is why the response window matters.
Why an annual audit beats a reactive fix
Most households discover a misconfigured setting (an excessive UPI limit, a missing nominee, an outdated mobile number for alerts) only when something has gone wrong. The annual audit shifts the discovery into a low-stakes Saturday afternoon and prevents the higher-stakes incident from happening in the first place.
Setting 1: UPI Transaction Limits
UPI per-transaction and daily limits are configurable within each UPI app, within the bounds set by NPCI and the bank. The default is usually the maximum the bank allows, which is rarely what a household actually needs.
What the limits typically look like
NPCI permits a per-transaction limit of up to Rs.1,00,000 (1 lakh) for most retail UPI use cases, with higher caps for certain categories like capital markets, insurance, and select bills (such as Rs.5,00,000 or Rs.10,00,000 in defined categories). Daily aggregate limits and per-app limits are layered on top. The household’s actual peak use case (the highest single legitimate UPI payment in a typical month) is usually a small fraction of these caps.
The right-sizing principle
The cleanest practice is to set the per-transaction UPI limit at about 110 to 120 percent of the household’s largest legitimate single UPI payment in any month. The benchmark table below summarises the eight settings in one view and is worth screenshotting for the annual audit.
| Setting | Safe default | Where to set |
|---|---|---|
| UPI per-transaction limit | Rs.25,000 to Rs.50,000 for typical households | UPI app, Profile / Settings |
| SMS and email alerts | All debits above Rs.500, all mandate changes | Bank app, Alerts / Notifications |
| Nominee | One close family nominee per account | Bank app or branch |
| Joint holder | At least one savings account either-or-survivor | Branch or net banking |
| Card channel controls | International off by default, online capped | Card app or net banking |
| Net banking login | Unique password, 2FA, trusted devices only | Net banking profile |
| Standing instructions and mandates | Audited list, unused cancelled | Net banking, UPI apps |
| KYC and contact details | Current PAN, Aadhaar, mobile, email, address | Bank branch or video KYC |
How to set the limit
UPI apps expose the per-transaction limit under Profile or Settings. Some banks also expose a separate per-day net-banking limit that interacts with UPI; both should be aligned. Confirm the change with a small test transaction afterwards.
Setting 2: SMS and Email Alert Preferences
Transaction alerts are the single most effective fraud-detection layer because they put the customer in the loop in near-real time. Misconfigured alerts are silent in the moments when noise matters most.
What to enable
Every account should have SMS alerts enabled for: all debits above Rs.500, all UPI mandates created or modified, all card-not-present transactions on debit and credit cards, all login attempts to net banking, and all changes to standing instructions. Email alerts are a useful backup, especially for monthly summary statements.
What to verify quarterly
Mobile numbers and email addresses on file with the bank drift over time as people change SIM cards or email providers. A 30-second check of the registered mobile and email on the bank app, done quarterly, ensures the alert stream is reaching the right channel. A change of mobile number that is not updated at the bank is a silent fraud-detection gap.
The threshold trade-off
Some banks allow customers to set an alert threshold (e.g., only alert for transactions above Rs.5,000) to reduce noise. The threshold trade-off is between alert fatigue and detection coverage. For most households, an SMS alert on every debit above Rs.500 is the right balance, because fraud often starts with small test transactions before larger ones.
Setting 3: Nominee Registration
A registered nominee is the single most useful estate-planning step a salaried Indian can take in 15 minutes. The absence of a nominee turns a routine post-bereavement account closure into a months-long legal exercise.
Why nominees matter
Under the Banking Regulation Act, 1949 (as amended), banks are permitted to release the balance in a deceased account holder’s account to the registered nominee upon furnishing of a death certificate and basic documentation. Without a nominee, the bank typically requires legal heir certification, succession certificate, or probate, depending on the amount and the bank’s policy, which adds significant time and cost.
Who to nominate
The nominee should be a close family member (spouse, parent, or child) who would handle the immediate financial arrangements if the primary account holder is unavailable. For minor nominees, an appointee must also be registered. The nominee designation does not override succession law; it provides procedural ease and is a separate decision from a will.
How to register or update
Nominee registration is done through the bank’s net banking, mobile app, or branch, depending on the bank. Most banks now offer the option online with Aadhaar OTP authentication. Each account (savings, current, fixed deposit, recurring deposit, demat) needs its own nominee designation; one common nominee across all accounts is not automatic.
Setting 4: Joint Holder Status and Operating Instructions
Whether and how an account has a joint holder materially changes the experience during routine life events (a hospitalisation, a trip abroad) and in the event of a sudden incapacity or bereavement.
Single vs joint holding
A single-holder account requires the holder’s authentication for every operation. A joint account allows the second holder to operate the account based on the agreed operating instruction. Either-or-survivor is the most common operating instruction and allows either holder to operate; both jointly requires both signatures; former-or-survivor restricts to the first holder while alive.
The most useful design for married couples
For married salaried households, a useful design is at least one savings account held jointly with either-or-survivor instruction, so that the spouse can operate the account immediately if the primary earner is unavailable. The other accounts can remain single-held for simplicity. This design provides resilience without complicating ordinary operations.
Conversion mechanics
Converting a single-holder account to a joint one or vice versa is typically a branch-led process with KYC documents for the added holder. Some banks now allow the addition through net banking. The conversion is reversible and should be reviewed at major life events (marriage, divorce, bereavement).
Setting 5: Card Controls and Channel Toggles
Debit and credit cards in 2026 have granular controls that let the customer enable or disable specific channels (ATM, POS, online, international). The defaults at issuance are usually conservative but not always.
The channel-wise toggle
Every card should be reviewed for whether it actually needs each channel enabled. If the household never uses the debit card for international transactions, the international toggle should be off; turning it on for a specific trip and off afterwards is a 30-second operation. The same applies to contactless tap-and-pay and to online (CNP) usage if the household uses a different card for online spends.
Per-channel limits
In addition to the on-off toggle, each channel typically has a per-day limit that can be set below the card’s overall limit. A debit card with an online limit set to Rs.20,000 a day is structurally protected against high-value online fraud even if the card details are compromised. The limit can be raised for known large purchases and returned to the default afterwards.
The lost-card flow
Every card-issuing bank exposes a “block card” or “lock card” function in the app, usable in 10 seconds without calling customer care. The function should be tested at least once on a non-critical card so that the screen path is muscle memory before it is needed in a real incident. Time to block matters in fraud cases.
Setting 6: Net Banking Login Hygiene
The login layer is the gateway to everything else, and small hygiene practices materially reduce the success rate of common attack patterns.
Password and two-factor
The net banking password should be unique to the bank (not reused on any other site) and changed at least once a year. Two-factor authentication, typically OTP-based or device-bind-based, should be enabled where the bank offers it. The two-factor step is the single most effective protection against credential-stuffing attacks that reuse passwords leaked from other sites.
Device registration and trusted browsers
Many banks now offer device registration, where logging in from a previously registered device or browser is permitted with reduced friction, and login from new devices triggers additional verification. Registering only personal devices and removing old devices from the list is good hygiene.
The session-timeout default
Most banks set a 5 to 10 minute idle session timeout by default, which is appropriate. Customers who use the bank app on shared or work devices should never enable “stay logged in” features. The minor convenience is not worth the residual risk if the device is lost or accessed.
Setting 7: Standing Instructions and NACH Mandate Audit
Standing instructions and NACH e-mandates are the auto-pay rails that fund SIPs, insurance premiums, EMIs, subscriptions, and utilities. The same convenience that makes them useful makes them invisible if they are not audited.
What to list once a year
The annual audit produces a single list of every active standing instruction and NACH mandate on the account: payee, amount, frequency, and start date. The bank usually exposes this list in net banking under “Standing Instructions”, “Mandates”, or “Subscriptions”. UPI auto-pay mandates appear separately under each UPI app.
Cancelling the unused
The list almost always contains two to four entries that the household no longer uses: an old gym subscription, a streaming service shifted to a different account, an app trial that converted to a paid plan. Each cancellation typically saves Rs.300 to Rs.2,000 a month, and the cumulative leak is usually material.
Aligning amounts and dates
Standing instructions for SIPs and insurance premiums should be reviewed for amount alignment (a SIP step-up that was implemented in the AMC portal needs the mandate amount updated at the bank) and for date alignment (premium-due-dates clustered near salary credit reduce the risk of bounce charges).
Setting 8: KYC and Contact Information Update
RBI mandates periodic KYC updates for bank customers, typically every two, eight, or ten years depending on the risk category. An out-of-date KYC can lead to account freeze and significant inconvenience.
What to check
The basic items to verify are: current address, current mobile number, current email, valid PAN linkage, and Aadhaar seeding (if the customer has consented). The PAN linkage in particular interacts with TDS, refunds, and account operability, and a mismatch is a common silent issue.
The re-KYC process
Banks notify customers when re-KYC is due. The process can usually be completed online with Aadhaar OTP authentication or video KYC; in-branch is the fallback. Letting the deadline lapse can result in account-operation restrictions until KYC is completed.
What to Do in the First 72 Hours After a Fraud
The 72-hour window is the single most important variable in the fraud-recovery process, because RBI’s limited-liability framework heavily favours prompt reporting.
The reporting timeline
Per RBI guidance on limited liability for unauthorised electronic banking transactions, reporting to the bank within three working days of receiving the transaction notification generally limits customer liability to zero, with the bank required to credit back the amount within a defined period. Reporting between four and seven days may attract a defined per-transaction limit on customer liability. Beyond seven days, the policy of the bank governs the outcome.
The immediate steps
- Call the bank’s 24×7 fraud helpline immediately; do not wait until business hours.
- Note down the complaint reference number and the time of the call.
- Use the bank app to block the affected card or freeze net banking access.
- File a complaint on the cybercrime portal (cybercrime.gov.in) or the 1930 helpline.
- Submit a written complaint to the bank branch and obtain an acknowledgement.
The follow-up
Within 10 to 90 working days (varies by case and bank), the bank investigates and provides a written response. Escalations, if needed, go to the bank’s internal ombudsman first, then the RBI Banking Ombudsman through the CMS portal at rbi.org.in. Maintain a folder with every screenshot, SMS, and bank communication; the file is the case.
FAQ
How often should I audit my bank account settings?
Once a year is enough for most salaried households. The audit covers UPI limits, alert preferences, nominee, joint holder, card controls, net banking login hygiene, standing instructions, and KYC. An additional quick check after any major life event (a job change, a move, a marriage, a bereavement) catches issues that the annual cycle would miss.
If I lose my phone, what is the first action to take for the bank account?
First, block the SIM with the telecom operator to prevent OTP-based unauthorised access. Second, use a secondary device to log into the bank app and freeze or block the debit and credit cards, and disable UPI on the lost device. Third, change the net banking password. Fourth, inform the bank’s fraud helpline of the loss to put the account on watch. The sequence is sometimes called the “SIM-card-app-bank” order and is worth memorising.
Can I have different nominees for my savings account, FD, and demat?
Yes, and many households do. The nominee for the savings account, for each fixed deposit, for the demat account, and for any insurance policy is a separate designation. The cleanest practice is to keep them aligned where the family preference allows, but the law and bank policy treat each as independent.
Are the new RBI proposals on UPI lag-credit and the kill switch already in force?
As of the time of writing in 2026, several of the new UPI fraud-protection proposals (lag-credit on high-value P2P transfers, trusted-person authentication, kill switch) were in public discussion or draft phase rather than fully notified. Customers should track final notifications from RBI and NPCI before relying on them. The basic settings (limits, alerts, nominee, card controls) covered in this guide are already available and should be configured regardless.
What is the safest UPI per-transaction limit for a salaried household?
For most salaried households without large recurring high-value UPI use cases, a per-transaction limit between Rs.25,000 and Rs.50,000 is a reasonable default, raised temporarily for specific large payments. Lower limits reduce the maximum loss from a single fraudulent transaction without materially affecting everyday convenience. The limit should be reviewed annually along with the rest of the settings.
Related guides on this topic are coming to learnfinedge.com soon.
