A small business in Lajpat Nagar receives a payment from a regular customer in March. The bank account is operable until early May, when a transfer fails and the bank says the account has been "marked under NCRP". The business owner has not had a cyber complaint filed against him. He has never met the complainant. The original fraud, when the details finally come through, took place in another state two months earlier. The customer who paid him received the money from someone else, who received it from someone else. The owner's account is, in the language of the NCRP system, Layer 4 or Layer 5. The freeze hit him because the system traces every link in the chain.
This is one of the most common patterns in cyber-fraud freezes in 2026, and it is also the pattern best practitioners spend the most time on. This page explains how the NCRP layer mechanism works, why innocent beneficiaries get caught, what the 2026 MHA SOP changed, and how to lift the freeze. For the broader framework, read the freeze pillar guide.
What "layer" means in NCRP
The National Cybercrime Reporting Portal (NCRP) is the entry point for cyber-fraud complaints filed by victims. Behind it sits the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS), which connects more than 85 banks and major payment intermediaries. When a complaint is filed through 1930 or NCRP, CFCFRMS pushes an electronic notice to the bank that first received the disputed money, asking it to put the available balance on hold.
The "first receiving account" is Layer 1. The account that received money from Layer 1, in any subsequent transfer, is Layer 2. The chain extends: Layer 3, Layer 4, Layer 5 and onward. CFCFRMS follows the trail.
This is a tracing tool, not a guilt-finding tool. The system flags accounts in the chain so that, if any of them still holds the disputed money, it can be held. But it cannot distinguish, on its own, between an account that is part of the fraud machinery and an account that received a perfectly legitimate payment from someone further upstream. The freeze lands first; the assessment comes later.
The two common ways an innocent beneficiary ends up frozen
The supplier or vendor pattern
You sold goods or rendered a service to a customer who paid you by UPI or bank transfer. Your customer's source of funds turned out to be tainted somewhere upstream. The system traces money to their account, then to yours. The freeze hits because you received the money, even though you provided full consideration in return and had no knowledge of the upstream history.
The personal payment pattern
A friend or family member returned a loan. A flatmate paid their share of the rent. A peer transferred their share of a group expense. The payer's account, at some point in the past, had received money from a transaction now being investigated as fraud. The chain runs through your account, and the system flags it.
Both patterns share a structural feature: the affected account holder has no relationship with the fraudster and no means, ex ante, of knowing about the upstream history of the money received.
What the law actually requires for a freeze on a downstream account
The cyber-fraud investigation framework runs through the Bharatiya Nagarik Suraksha Sanhita, the Information Technology Act, and provisions of the Bharatiya Nyaya Sanhita relating to cheating and fraud. None of these statutes contemplates a downstream freeze without a basis. The criminal-liability statutes require knowledge or mens rea. The procedural attachment provisions require the property to be linked to the offence.
In practice, an investigating officer who has identified a Layer 5 account holds two distinct questions in mind: (a) does the account still hold any traceable portion of the disputed money, and (b) is the account holder a participant in the fraud or merely a recipient of a legitimate downstream payment. The first question is a forensic question. The second is a knowledge question. The freeze can sit on the account while either is being assessed, but the legal basis for continuing it depends on the answers.
The MHA SOP 2026 articulates this distinction more clearly than the pre-SOP position did. Read the SOP explainer for the specifics.
What the 2026 SOP changed for downstream beneficiaries
Three changes matter most.
First, the SOP directs investigating officers to assess proximity and intent before recommending a full-account freeze on a downstream beneficiary. Where the chain is long and the account holder is plainly several layers removed, the default position is lien-only on the traceable sum.
Second, the SOP pushes the grievance redressal officers as the first-line route. A District officer of Additional or Deputy SP rank is meant to respond within 15 days. Unanswered representations escalate automatically. The State officer of DG or IG rank sits above. For an innocent beneficiary, this is the first administrative ladder the framework has offered.
Third, where the disputed sum traceable to the downstream account is below Rs. 50,000 and no judicial order is in place, the 90-day rule applies. The freeze is to be lifted at the end of that period.
What the SOP does not change, and what remains the harder problem, is the inter-state pattern. The complaint is registered in one state. The Layer 5 account is in another. The District officer in the complaint state has no jurisdiction over the bank in the account state. The customer is left navigating two procedural geographies.
How to lift a Layer-N freeze, in practice
The work, broadly, runs in five steps.
1. Identify the chain. Ask the bank in writing for the issuing authority, the reference number, the disputed amount, and the date of instruction. The bank should also be able to confirm whether the freeze is account-level or lien-only and the originating state. Without this paper trail, no representation can be filed with the right office.
2. Build the underlying-transaction record. The single most important document set: invoice, contract, GST or e-way bill, delivery or service proof, communication with the counter-party, account statement showing both the credit and the consideration moving in the opposite direction. The objective is to show, on paper, that the money came in against a real underlying transaction and that the account holder is several layers removed from any fraud.
3. File a representation with the issuing officer. The representation cites the MHA SOP 2026 expressly, attaches the documentary record, and explains the layering. Where the account holder is downstream and the disputed traceable sum is identifiable, the representation should request lien-only restriction limited to that sum, not full-account freeze. The 15-day clock under the SOP starts ticking.
4. Use the grievance ladder if the issuing officer does not respond. Escalate to the District Grievance Redressal Officer at the 15-day mark, then to the State officer. Each escalation should be a documented filing with the same record attached, so that downstream judicial proceedings can show the administrative ladder has been exhausted. A separate guide sets out the contact and structure for these officers.
5. Move to court if the freeze is materially disproportionate or the ladder has failed. The forums are the magistrate's court (where the freeze is account-level under BNSS provisions) and the High Court (where the action is arbitrary, disproportionate, or unsupported by procedure). The writ jurisdiction has produced faster orders in inter-state matters where the magistrate forum is impractical.
Common mistakes the affected account holder makes
- Calling the investigating officer in another state without the documents, and providing inconsistent explanations that get recorded.
- Treating the bank's email as the whole instruction. It is usually a paraphrased extract. The full instruction should be requested in writing.
- Waiting for the freeze to be lifted automatically. Where the sum is above Rs. 50,000, no automatic timeline applies.
- Skipping the grievance ladder and going straight to court. Where the District officer route has not been tried, the writ court will often ask why.
- Conflating the original fraud complainant with the affected account holder. They are different parties with different rights and different remedies.
If you are the complainant, not the affected account holder
The same chain looks different from the other end. As the complainant, the question is whether your money can be traced through the layers and recovered before it dissipates. See the recovery guide for the complainant-side route, and the 1930 helpline page for the first steps.
Frequently asked questions
What is an NCRP Layer 5 bank freeze?
A freeze on an account that is the fifth in the chain of transfers traced by NCRP from the original fraud. The system flags every account in the chain; downstream layers are flagged even where the holder had no knowledge of the upstream history.
How does the NCRP layer system work?
CFCFRMS, which sits behind NCRP, connects to 85+ banks and traces fund flow from the complainant's account through successive transfers. Each receiving account becomes a layer. Layer 1 is the first receiving account; Layer 5 is the fifth in the chain.
My account was frozen but I never knew the fraudster.
You are most likely a downstream beneficiary — your account received money from another account that itself received the disputed sum upstream. The freeze flags the chain, not your direct involvement. The remedy is a documentary representation showing the legitimate underlying transaction and the chain distance.
How do I prove I am an innocent beneficiary?
Invoice or contract, GST or e-way bill, delivery or service proof, communication with the counter-party, account statement showing consideration moving in the opposite direction, and a written chronology. The combined record demonstrates a legitimate underlying transaction and a chain distance from the original fraud.
Does the 2026 MHA SOP help?
Partly. The SOP directs investigating officers to assess proximity and intent before a full freeze on a downstream beneficiary, pushes lien-only as the default, and sets up grievance officers with a 15-day response window. The inter-state pattern remains the hardest problem.
How long does it take?
Below Rs. 50,000 with no judicial order, the 90-day rule applies. Above that, no SOP timeline. Practitioner experience suggests 2 to 8 weeks where the representation is complete and the officer is responsive; longer where writ intervention is required.
Account frozen as a downstream beneficiary?
Share the bank communication, the underlying invoice or contract, and the originating state for an assessment of the SOP-compliant route forward.