How to Escalate Payment Gateway Complaints in India: A Step-by-Step Guide (2026)

Quick Summary

• Payment gateways (PGs) are defined as entities providing technology infrastructure to route payment transactions without handling funds, as per the RBI Master Directions on Payment Aggregators and Payment Gateways.
• The Reserve Bank – Integrated Ombudsman Scheme (RB-IOS), 2026 replaces the 2021 framework and is fully effective from July 1, 2026.
• Complaints must first be filed with the regulated entity before approaching the Ombudsman, as per Clause 10(1) of RB-IOS, 2026.
• Compensation for consequential loss can go up to ₹30 lakh and up to ₹3 lakh for harassment or mental anguish.
• The new digital fraud liability framework introduces a lifetime compensation mechanism of 85% of net loss or ₹25,000, whichever is lower, for individual persons.

How Does the Payment Gateway Complaint Escalation Process Work Under RBI Rules?

The escalation process for payment gateway complaints in India follows a structured hierarchy established under the Reserve Bank of India Act, 1934, the Banking Regulation Act, 1949, the Payment and Settlement Systems Act, 2007, and the Credit Information Companies (Regulation) Act, 2005. The RBI Integrated Ombudsman Scheme, 2026, notified under Section 35A of the Banking Regulation Act, 1949, is the primary escalation mechanism for consumers.

Step 1 – File with the regulated entity first. Under Clause 10(1) of RB-IOS, 2026, a complainant must necessarily file the complaint first with the regulated entity (the bank, NBFC, or payment system operator). If this step is skipped and the complaint is filed directly with the RBI Ombudsman, no action will be taken. The regulated entity is required to file its written response within 15 days before the Office of the RBI Ombudsman, as per Clause 14(2) of the Scheme.

Step 2 – Escalate to the RBI Ombudsman. You can approach the Ombudsman if no reply is received within 30 days of the regulated entity receiving the complaint, or if you are not satisfied with the resolution. The complaint must be filed within 90 days from the date the timeline expires or the date of the last communication from the entity, whichever is later, as per Clause 10(1)(g). The complaint can be filed online at cms.rbi.org.in, by emailing [email protected], or by post to the Centralised Receipt and Processing Centre, Reserve Bank of India, Central Vista, Sector 17, Chandigarh – 160 017.

Step 3 – Await resolution or invoke appellate rights. The Ombudsman shall endeavour to facilitate settlement by agreement. If the complaint is rejected, the regulated entity must advise the complainant about the option of approaching the RBI Ombudsman and provide the CMS portal URL, as per Clause 12 of the NBFC Internal Ombudsman Directions, 2026.

What Are the Key Changes in RBI’s 2026 Digital Fraud Liability Framework?

The RBI released the Third Amendment Directions to the Commercial Banks Responsible Business Conduct Directions, overhauling the customer protection framework for electronic banking transactions, including those involving payment gateways and aggregators.

Third-party breach defined explicitly. The new Section DA (Customer Protection in Electronic Banking Transactions) defines a third-party breach as a situation where the deficiency lies neither with the bank nor the customer but with intermediaries such as Third-Party Application Providers (TPAPs), Payment Aggregators (PAs), Payment Gateways (PGs), and Telecom Service Providers (TSPs). This is a critical development for payment gateway disputes.

Zero liability if reported within five calendar days. Under paragraph 76L, a customer is entitled to zero liability and reversal of the transaction in cases of third-party breach where the customer reports the unauthorised transaction to the bank within five calendar days from the date of occurrence. This applies irrespective of whether the fault lies with the payment gateway or aggregator.

Compensation mechanism for delayed reporting. Under paragraph 76T(1), a bona fide victim who is an individual person, with a gross loss up to ₹50,000 from fraudulent electronic banking transactions, shall be compensated 85% of the net loss or ₹25,000, whichever is less, once during their lifetime. For losses below ₹29,412, the Reserve Bank bears 65%, the customer’s bank 10%, and the beneficiary bank 10%. For losses of ₹29,412 to ₹50,000, the Reserve Bank contributes ₹19,118, and each bank contributes ₹2,941.

30-day resolution deadline. Under paragraph 76Q, banks must examine, establish liability, and respond within 30 calendar days from the date of receipt of the complaint, a significant reduction from the earlier 90 working days. The compensation payout must be made within five calendar days of receiving the customer’s application form, as per paragraph 76T(5).

What Documents and Information Should You Gather Before Escalating a Payment Gateway Complaint?

Before approaching any escalation authority, you must compile a complete documentary trail. Without this, complaints under the Reserve Bank – Integrated Ombudsman Scheme, 2026, face rejection at the maintainability stage itself.

Transaction-level evidence. Collect the transaction reference number, date, amount, the merchant name as displayed on your bank statement or payment gateway receipt, and the UPI reference ID or card transaction ID. Under the RBI Master Directions on Payment Aggregators and Payment Gateways, payment aggregators are required to assign proper reason codes and maintain dispute records, so reference these codes in your complaint.

Communication trail with the regulated entity. Keep copies of every email, chat transcript, and complaint registration number you received from the bank, NBFC, or payment aggregator. Clause 10(1)(f) of RB-IOS, 2026, requires that you have already raised the matter with the regulated entity and either received no reply within 30 days or are dissatisfied with the response. If you cannot prove this initial filing, the Ombudsman will not entertain your complaint.

Cybercrime complaint reference. Under the corresponding Commercial Banks Directions, you must lodge a complaint with the National Cyber Crime Reporting Portal at cybercrime.gov.in or call the National Cyber Crime Helpline at 1930 at the earliest after discovering the fraud. The compensation application form under paragraph 76T(4) explicitly requires you to mention the NCRP/1930 complaint reference number and the affected bank account or credit card number.

Identity and account documents. Keep a copy of your KYC documents, the bank statement showing the disputed transaction, and any SMS or email alerts received for the transaction. Paragraph 76I mandates that the bank’s system must auto-register your complaint and send an acknowledgement with a complaint number and timestamp, so retain that acknowledgement as well.

How Do the Escalation Timelines and Compensation Limits Compare Across RBI Mechanisms?

The table below maps the key escalation paths available to you, with their respective timelines, eligibility criteria, and compensation ceilings.

Worked Example: How Much Compensation Can You Claim for a Payment Gateway Fraud?

Consider this scenario. Meera used her debit card on a merchant’s website that routes payments through a payment gateway. The gateway’s systems were compromised, and ₹40,000 was debited fraudulently from her account. She discovered the transaction on Day 2, immediately reported it to her bank, and filed a complaint on the National Cyber Crime Reporting Portal on Day 3, obtaining reference number NCRP/2026/XXXXX.

Classification. This is a third-party breach as defined under paragraph 4(26A) of the Third Amendment Directions – the deficiency lies with the payment gateway, not with Meera or her bank. Since she reported within five calendar days, she qualifies for zero liability under paragraph 76L. Her bank must reverse the full ₹40,000 with value dating to the original transaction date under paragraph 76R.

What if she had reported on Day 7? If Meera had reported after five calendar days, zero liability would not apply. Instead, the compensation mechanism under paragraph 76T would kick in. Her gross loss is ₹40,000, which falls in the ₹29,412 to ₹50,000 bracket. She would receive ₹25,000 as compensation (since 85% of ₹40,000 = ₹34,000, which exceeds the ₹25,000 cap). The Reserve Bank contributes ₹19,118, her bank contributes ₹2,941, and the beneficiary bank contributes ₹2,941. The bank must pay this within five calendar days of receiving her application form under paragraph 76T(5).

Who Is Eligible to File a Complaint Under the RBI Ombudsman Scheme, and What Are the Limits?

Not every payment gateway dispute qualifies for escalation under the Reserve Bank – Integrated Ombudsman Scheme, 2026. The Scheme has specific maintainability criteria, and understanding these before filing saves time and effort.

Who can file. Any individual person who is a customer of a regulated entity (bank, eligible NBFC, non-bank PPI issuer, or credit information company) can file a complaint. For the compensation mechanism under paragraph 76T(1), the victim must be an individual person — corporates, firms, and HUFs are not eligible. The compensation is available once during the individual’s lifetime, and a joint account claim exhausts the eligibility of all joint holders.

Monetary limits. There is no limit on the amount involved in the dispute that can be considered under the Ombudsman Scheme itself. However, the Ombudsman can grant compensation up to ₹30 lakh for consequential loss and up to ₹3 lakh for harassment or mental anguish, as per RB-IOS, 2026. The separate compensation mechanism for digital fraud under paragraph 76T covers gross losses up to ₹50,000, with a payout cap of 85% of net loss or ₹25,000, whichever is lower.

Timeline for filing. Under Clause 10(1)(g) of RB-IOS, 2026, a complaint must be made to the Ombudsman within one year from the date of registration of the complaint with the regulated entity or the date of the last communication from the entity, whichever is later. Additionally, the original complaint to the regulated entity must have been made before the expiry of the limitation period under the Limitation Act, 1963. For complaints involving unauthorised electronic transactions, the bank must resolve and respond within 30 calendar days under paragraph 76Q, failing which you can escalate.

What is excluded. Complaints related to internal employee disputes, pay decisions, frauds by the merchant themselves (as opposed to third-party system breaches), and matters already decided by a court or tribunal fall outside the Ombudsman’s purview. Under the NBFC Internal Ombudsman Directions, 2026, complaints related to frauds or misappropriations by the merchant that do not impact the customer, suggestions, and commercial decisions of the NBFC are also excluded from the Internal Ombudsman’s scope.

How Does the Compensation Mechanism Work When a Payment Gateway Breach Causes Loss?

The Third Amendment Directions introduce a structured compensation framework under paragraph 76T for cases where neither the bank nor the customer is at fault, but a third-party intermediary such as a payment gateway or aggregator is compromised.

Eligibility criteria you must meet. To qualify for compensation, you must be an individual person (not a corporate or firm), the gross loss must be up to ₹50,000, the loss must be bona fide as per the bank’s internal policy, and you must have reported the fraud to both the bank and the National Cyber Crime Reporting Portal (cybercrime.gov.in) or Helpline 1930 within five calendar days.

How the compensation is calculated. Under paragraph 76T(1), the compensation is 85% of the net loss (gross loss minus recoveries made by the bank, whether before or after paying compensation) or ₹25,000, whichever is lower. The cost is shared among the Reserve Bank, the customer’s bank, and the beneficiary bank as follows:

Worked example. Suppose you lost ₹40,000 through a compromised payment gateway, and the bank recovered ₹15,000 before the compensation decision. Your net loss is ₹25,000 (₹40,000 minus ₹15,000). 85% of ₹25,000 equals ₹21,250, which is below the ₹25,000 cap. Since the gross loss of ₹40,000 falls in the ₹29,412 to ₹50,000 bracket, the bank would pay ₹21,250 in this case. The Reserve Bank contributes 65% of ₹21,250 = ₹13,813, your bank contributes ₹2,125, and the beneficiary bank contributes ₹2,125. The bank must disburse this within five calendar days of receiving your application form, as per paragraph 76T(5).

What Are the Common Reasons Payment Gateway Complaints Get Rejected by the RBI Ombudsman?

Understanding why complaints fail at the Ombudsman stage can save you months of effort. Under Clause 10(1) of the Reserve Bank – Integrated Ombudsman Scheme, 2026, the Ombudsman will not entertain complaints that fail maintainability checks.

Filing directly with the Ombudsman without approaching the regulated entity. This is the single most common reason for rejection. Clause 10(1) mandates that you must first file with the bank, NBFC, or payment aggregator. If you skip this step, no action will be taken. The regulated entity’s grievance redress mechanism must be exhausted or must have failed to respond within 30 days.

Filing after the one-year limitation window. Under Clause 10(1)(g), the complaint must be made to the Ombudsman within one year from the date of registration of the complaint with the regulated entity or the date of the last communication from the entity, whichever is later.

Complaints outside the Ombudsman’s jurisdiction. Under the NBFC Internal Ombudsman Directions, 2026, complaints related to internal employee matters, commercial decisions of the NBFC, and disputes for which remedies exist under Section 18 of the Credit Information Companies (Regulation) Act, 2005, are outside the Ombudsman’s purview.

How Does the Internal Ombudsman Route for NBFCs Differ from the RBI Ombudsman Route?

If your complaint is against an NBFC (such as a non-bank payment aggregator or a digital lending platform using a payment gateway), an additional escalation tier exists before you reach the RBI Ombudsman. The Reserve Bank of India (Non-Banking Financial Companies – Internal Ombudsman) Directions, 2026 mandates that eligible NBFCs must have an Internal Ombudsman (IO) office.

When the IO route applies. The IO does not handle complaints directly from complainants. Under clause 14(1) of the NBFC IO Directions, 2026, the IO deals only with complaints that have already been examined by the NBFC but have been partially resolved or wholly rejected. The NBFC’s complaint management system must auto-escalate such complaints to the IO. The IO then examines the complaint based on records available with the NBFC and issues a decision within 20 days of receipt.

What happens after the IO review. If the IO upholds the NBFC’s rejection or partial resolution, the NBFC must explicitly state this in its reply to the complainant and advise them of the option to approach the RBI Ombudsman, including the CMS portal URL and the CRPC address, as per clause 12 of the NBFC IO Directions, 2026. When the complaint is escalated to the RBI Ombudsman, the IO’s decision must be mandatorily included in the NBFC’s submission.

What Should You Do Next?

1. Compile all transaction evidence including reference IDs, timestamps, merchant names, and the payment gateway or aggregator involved. Download your bank statement entries for the disputed transactions.
2. File a formal written complaint with your bank or the payment aggregator, clearly stating the nature of the dispute, the amount involved, and the resolution you seek. Note the complaint registration number and date.
3. Lodge a complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in or call the National Cyber Crime Helpline at 1930 within five calendar days of discovering any unauthorised transaction. Retain the complaint reference number as it is mandatory for claiming zero liability under paragraph 76L and for the compensation mechanism under paragraph 76T.
4. Wait for the regulated entity’s response for up to 30 days. If no reply arrives or the resolution is unsatisfactory, prepare your escalation to the RBI Ombudsman through the CMS portal at cms.rbi.org.in.
5. Draft your Ombudsman complaint with all supporting documents attached, including the complaint filed with the regulated entity, their response (if any), transaction evidence, and the NCRP or 1930 complaint reference. File within 90 days of the expiry of the regulated entity’s response timeline or the date of last communication, whichever is later, as per Clause 10(1)(g) of RB-IOS, 2026.
6. If your claim involves a third-party breach or customer negligence with losses up to ₹50,000, ask your bank for the compensation application form as per Annex II(1) of the draft Third Amendment Directions. Submit it with all supporting documents. The bank must process your claim and pay compensation within five calendar days of receiving your application.
7. Track the status of your Ombudsman complaint on the CMS portal and respond promptly to any queries from the Office of the RBI Ombudsman. If the Ombudsman’s decision is not in your favour, you retain appellate rights under the Scheme.

Common Pitfalls to Avoid

Based on our experience, here are the mistakes people often make:

• Ignoring RBI circulars – RBI circulars directly impact your banking and investment decisions. Not staying updated can result in missed opportunities or non-compliance.
• Not reading the fine print – RBI policy changes often have implementation timelines and transitional provisions that matter for your financial planning.
• Delayed action on rate changes – When RBI changes repo rate, loan EMIs and FD rates are affected. Act within the transition window to maximize benefit.

Frequently Asked Questions

Sources

• Reserve Bank of India – Draft Directions (RE-wise)
• TaxGuru – RBI Integrated Ombudsman Scheme, 2026 Analysis
• Reserve Bank of India – Master Directions on Payment Aggregators and Payment Gateways
• Reserve Bank of India – Payments Banks Responsible Business Conduct Directions
• TaxGuru – RBI Digital Fraud Liability Framework Overhaul Analysis
• Reserve Bank of India – Third Amendment Directions on Customer Protection
• Reserve Bank of India – NBFC Internal Ombudsman Directions, 2026

Take action today: If your payment gateway complaint remains unresolved, start by filing a formal written complaint with the regulated entity and simultaneously lodge a report on the National Cyber Crime Reporting Portal at cybercrime.gov.in or call 1930. This dual filing preserves your eligibility for zero liability and the compensation mechanism under the new framework. If the entity fails to respond within 30 days, escalate to the RBI Ombudsman through cms.rbi.org.in within the next 90 days to keep your claim alive.