Running Your Indian Bank Account From Abroad: UPI on a Foreign Number, the OTP-to-Dead-SIM Trap, and What the 2026 RBI Rules Change

It is a Sunday night in Dubai, your father's hospital deposit is due in Hyderabad by Monday morning, and the money is sitting in your NRO account. You open the bank app, enter the payee, hit transfer, and wait for the OTP that is supposed to land on the +91 number you stopped using two years ago. It never comes. The app times out, logs you out, and on the third attempt flags the login as suspicious because it is coming from a UAE IP address. The money is there. The rails work. The one thing between you and the transfer is a six-digit code your bank cannot deliver to where you actually live.

The 30-second answer: NRIs can run Indian accounts digitally from abroad and, since the NPCI circular of January 10, 2023, can use UPI on a foreign mobile number linked to a KYC-compliant NRE or NRO account. The supported list covers 12 countries: UK, USA, UAE, Canada, Singapore, Australia, Hong Kong, Saudi Arabia, Oman, Qatar, Malaysia and France. Enablement is uneven by bank and app, with IDFC FIRST and ICICI ahead of HDFC, Axis and SBI. The real friction is OTP delivery to foreign numbers, which fails because Indian systems often store only a 10-digit number or block international SMS. The durable fixes are to register a supported foreign number, switch to app or push approval, keep one Indian SIM alive, and enable email OTP. RBI's framework, mandating 2FA beyond SMS by April 1, 2026, is now pushing banks in exactly that direction.

This guide assumes you already know the difference between an NRE and NRO account and which one your money belongs in; if not, read the accounts comparison first. What follows is the part nobody documents honestly: the gap between what is technically permitted and what actually works at 11pm when you need to move money. The rules now genuinely favour the NRI. The implementation lags them by years, and the single point of failure for almost everyone is the one-time password. I will cover who gets UPI and from where, why the OTP fails and the four fixes that hold, how RBI's 2026 changes quietly fix the root cause, the NEFT, RTGS and IMPS picture, debit cards, and the workarounds when an app simply refuses a foreign login.

UPI on a foreign number works, but eligibility is a three-way lock

For years the answer to "can I use UPI from abroad" was effectively no, because registration demanded an Indian SIM to receive the verification SMS. The NPCI circular dated January 10, 2023 broke that open: it directed all UPI members to enable registration for NRIs using international mobile numbers, with banks given until April 30, 2023 to comply. You link your foreign number to your NRE or NRO account, onboard onto a UPI app that supports international numbers, and a UPI ID is created against the Indian account.

The part most write-ups get wrong is treating eligibility as a single yes or no. It is three locks that must all open at once. The first is your country code, which must sit on the NPCI list. As of 2026 that is 12 countries: the United Kingdom, United States, United Arab Emirates, Canada, Singapore, Australia, Hong Kong, Saudi Arabia, Oman, Qatar, Malaysia and France, with Malaysia and France the most recent additions to the original ten. All four countries this site writes for are on it. Germany, the Netherlands, New Zealand and South Africa are notably not, with no published timeline, which strands a large slice of the European and Antipodean diaspora on net banking and SMS alone.

The second lock is your account, which must be a KYC-compliant NRE or NRO account. UPI is a domestic rail. It moves rupees between Indian accounts and nothing else, so you cannot link a Barclays or Emirates NBD account to it. The NRE or NRO account is what UPI debits and credits, full stop.

The third lock, and the one that actually fails for people who are technically eligible, is bank-plus-app enablement. The NPCI list permits a country code at the network level. It does not guarantee your specific bank and your specific UPI app have both switched it on. The rollout has been staggered for three years. IDFC FIRST moved early and supports the full list. ICICI enabled it across most countries and built a clean digital onboarding flow. HDFC, Axis and SBI came later and unevenly, with some country codes live and others not. On the app side PhonePe, Google Pay, Paytm and BHIM all support international numbers, but it is the exact triple of "this app plus this bank plus this country code" that determines whether your registration goes through. When it fails, the cause is almost never your eligibility. It is that one link in that chain has not been turned on yet, which is why the right next move is to try a second supported app before assuming you are locked out.

On limits, the lazy line everywhere is "Rs 1 lakh a day", and it is incomplete. The standard UPI ceiling is Rs 1 lakh per transaction and per day for ordinary person-to-person and merchant payments, with a deliberate Rs 5,000 cap in the first 24 hours of a newly created UPI ID as an anti-fraud cooling-off. But NPCI lifts the ceiling for specific categories that matter to an NRI moving real money: up to Rs 2 lakh for capital markets, insurance, collections and foreign inward remittances, up to Rs 5 lakh for IPO and the RBI Retail Direct scheme, and up to Rs 10 lakh at verified education and healthcare merchants such as schools, colleges and hospitals. So your father's hospital bill may go through on UPI at a far higher limit than your brother's birthday transfer. Individual banks can still set tighter caps than NPCI allows, so the binding number is whichever of the two is lower.

The OTP fails for three different reasons, and the fix depends on which

Everything in digital banking from abroad eventually collides with the one-time password. You can have UPI registered, net banking live and the right account, and still be stuck because a six-digit code will not reach you. It is worth diagnosing precisely which failure you have, because the cure is different for each, and people routinely waste a week treating the wrong one.

The most common and the most maddening is that the number was never stored correctly. A large share of Indian banking back ends were built around a 10-digit Indian mobile number. The "update mobile number" screen has no country-code field, no dropdown for +44 or +971, and the system silently assumes an Indian number. When you typed your UK number, it was rejected, truncated, or saved as a malformed Indian one. The OTP is being sent, faithfully, to a number that does not exist. No amount of waiting fixes a wrong record. If you have never once managed to register a foreign number, this is you.

The second is that the bank is blocking the international route. Some banks and payment processors throttle or drop SMS to international destinations as a fraud control, because international SMS is a known vector for OTP interception. The code is generated, the record may even be right, but the message is held back or handed to a carrier that drops it. You see nothing, with no error to diagnose. If your number is accepted but codes simply never arrive, suspect this.

The third is the plain dead SIM or expired window. If your account still points to your old +91 number, that SMS goes to a SIM that has lapsed or a phone with roaming off. And here the TRAI rules are specific enough to plan around: an Indian prepaid SIM stays active for 90 days without any use, after which a balance of at least Rs 20 is deducted to extend it 30 more days, up to roughly 120 days, followed by a 15-day grace period before the number is permanently deactivated and reassigned to someone else. Lose the number and you have not just lost OTP delivery, you have handed a stranger the number your bank still trusts. Even when the SIM is alive on roaming, international SMS delays mean the code can arrive after its 30-to-60-second validity has closed, which is functionally the same as never arriving. If codes used to come on your Indian SIM and stopped, this is the one.

RBI is phasing out the very thing that strands you, by April 2026

Here is the development that changes the medium-term picture and that most NRI banking guides have not caught up to. The root cause of every story above is structural dependence on SMS OTP. RBI is now dismantling that dependence by regulation, not leaving it to each bank's goodwill.

The central piece is RBI's authentication framework requiring full two-factor authentication on domestic digital payments by April 1, 2026, and crucially it names the acceptable factors beyond SMS: passwords, passphrases, PINs, hardware and software tokens, FIDO-based credentials, and biometrics whether device-native or Aadhaar-based. In plain terms, the regulator has told banks that a rotating in-app token or a device-bound push approval is a first-class authentication factor, not a second-best one. That is the official tailwind behind every bank building the exact mechanisms that sidestep the international-SMS problem. The advice to "move off SMS" used to be a workaround. It is now the direction of travel the regulator is enforcing.

Two adjacent deadlines matter to you. Banks had to migrate their digital banking and payments domains to the exclusive .bank.in domain by October 31, 2025, which is a phishing-reduction measure worth knowing because the scam ecosystem that targets NRIs leans heavily on look-alike banking URLs. And card issuers must apply risk-based additional-factor authentication to cross-border card-not-present transactions by October 1, 2026, the online overseas-merchant payments an NRI makes constantly. The model RBI is steering toward is risk-based: a transaction from a familiar device and location passes with low friction, while a genuinely anomalous one triggers a step-up check. For an NRI who registers a trusted device once, that is precisely the regime you want, because your "unusual" foreign location stops being treated as inherently suspect once the device is known.

The honest caveat is timing. A deadline of April 1, 2026 does not mean every PSU bank's branch system was rebuilt by then, and the slower banks will lean on SMS for as long as they can. But the direction is fixed, and it is the first structural reason to expect the OTP-to-dead-SIM trap to ease rather than persist.

The four fixes that actually hold

There is no single switch that solves OTP delivery for every NRI at every bank, so most people end up running two of these together for redundancy.

The cleanest is to register a supported foreign number correctly, with its country code, so codes go to where you live. Banks that modernised for the UPI-for-NRIs rollout are likelier to support this, because the same plumbing that lets a foreign number register for UPI lets it receive an OTP. This almost never works through the self-service screen that assumes an Indian number. It needs a proper channel: a video KYC session, a branch visit, or a verified net-banking request. For an NRI already abroad, video KYC is the single highest-leverage move in this entire guide, because it is the one channel that reliably gets a foreign number stored against your account with the correct country code, and ICICI and HDFC both run video-based verification for exactly this.

The second is to move to app-based or push approval. Most major banks now offer authentication that does not touch SMS: a push notification you approve in-app, or a rotating soft token inside the app, like an authenticator. Because it rides over data, not the cellular SMS network, it bypasses the international-SMS problem entirely, and it is the method RBI's 2026 framework explicitly blesses. The catch is the bootstrap: enabling it often itself needs one working SMS OTP, so set it up while you still have working delivery, ideally before you leave India. If you are reading this before a move, this is the thing to do today.

The third is the low-tech one that never fails: keep one Indian SIM alive on a long-validity plan, in a spare phone on data or in a dual-SIM device. Annual long-validity recharges exist precisely for this, and given the 90-day-then-grace deactivation timeline above, a once-a-year recharge is cheap insurance against losing a number your bank trusts. Many long-term NRIs treat one Indian number as permanent financial infrastructure, the way they treat their PAN. It is inelegant, and it works at every bank regardless of how backward their systems are.

The fourth is to turn on email OTP as a backup. Several banks can send the code, or a secondary confirmation, to your registered email, which is not blocked the way international SMS is. Make sure the bank holds an email you can actually reach abroad. It is rarely the primary method, but as the fallback when the SMS does not come, it has rescued many a deadline.

Which combination you need depends entirely on your bank, and the spread is wide. A reader at IDFC FIRST or ICICI may find the first two fixes work out of the box. A reader at a smaller PSU bank may find only the third works at all. The rule is to test any single method with a small transaction while you still have a fallback in hand, never to discover at 11pm that your only channel is broken.

Put the trade-offs side by side and the choice gets obvious.

Fix	Depends on SMS	Setup channel	Works at backward banks	Best for
Foreign number registered	No, once done	Video KYC or branch	Only if bank stores country codes	The permanent clean fix
App or push approval	No	Enable while SMS still works	Most major banks, not all PSUs	Day-to-day default
One live Indian SIM	Yes, but reliably	Long-validity recharge	Every bank	Universal backup
Email OTP	No	Confirm email on file	Many, not all	Deadline fallback

Run net banking and the app on a foreign number

Once authentication is solved, the rest is largely the resident experience with two NRI-specific wrinkles. Net banking itself does not care where you log in from in principle: balance, statements, transfers, FD creation, payee management and tax payments are all there. What trips NRIs is authentication, covered above, and occasionally geo-blocking of foreign IPs, covered at the end.

The mobile app is where the friction concentrates, specifically at two moments: first installation and re-authentication. Banking apps typically bind to your device and verify it by sending an SMS from your phone to the bank or reading an incoming one, both of which assume an Indian SIM in the handset. On a foreign phone with no Indian SIM, that device-binding step can fail outright, which is why a freshly installed app on a new foreign handset is one of the most common lock-out points. The sequence that works: install the app and enable push or token login while you still have working SMS, ideally before leaving India, and register the device then. After that the app authenticates with a PIN or biometric plus a push approval, none of which needs SMS. Change phones abroad and you are back to the device-binding problem, which is exactly why people keep the old bound device, or one live Indian SIM, specifically to get a new device registered.

Pick the right transfer rail, then make the OTP go through

The transfer rails are not the bottleneck. All three of India's electronic systems run on NRE and NRO accounts and you initiate them from net banking or the app the same way a resident does, from anywhere. The skill is choosing the right one and remembering each still needs authentication.

IMPS settles instantly, 24x7x365, and caps at Rs 5 lakh per transaction at most banks. It is the tool for an urgent, modest transfer: a parent's expenses, a missed EMI, a deposit due tomorrow. NEFT is also 24x7 now, settling in near-real-time half-hourly batches, with no system-level cap though banks set their own per-transaction limits, often around Rs 10 lakh for retail. It suits routine, non-urgent transfers. RTGS is for high value: a minimum of Rs 2 lakh per transaction with no upper ceiling, and it has run 24x7 since December 14, 2020. It is the rail for an FD maturity, a property down payment, or a lump sum moved between your own NRE and NRO accounts. The shorthand: instant and small, IMPS; large, RTGS; everything between, NEFT. UPI overlaps with IMPS for small instant transfers and is usually more convenient once set up, but its Rs 1 lakh standard daily limit means anything larger still needs IMPS, NEFT or RTGS.

The recurring theme holds. Every one of these triggers an OTP or app approval, so whichever rail you pick, the authentication fixes above are what make it actually clear.

NRE cards travel, NRO cards mostly do not

Your NRI debit card is a genuinely useful tool, and here the NRE-versus-NRO split surprises people. NRE account debit cards can generally be used worldwide, at ATMs and for online and point-of-sale transactions across the globe. NRO account debit cards are typically restricted to use within India. This mirrors the accounts themselves: NRE money is freely repatriable foreign income, so the card travels, while NRO money is India-sourced and stays closer to home. Always check your specific card's terms, but treat "NRE card works abroad, NRO card works in India" as the default. Activation differs too: an NRE card can often be activated at any ATM globally or by phone, while an NRO card's ATM activation may be possible only in India, which catches out people who open the account and fly out before activating.

Two habits make debit cards reliable abroad. Enable international usage explicitly in the app before you travel, because many banks ship cards with international transactions off by default. And scope the card tightly: set per-transaction and channel-level limits to what you actually need, and switch off channels you never use, for example disabling international ATM withdrawals if you only shop online. A tightly scoped card is both safer and less likely to be falsely blocked, and from October 1, 2026 RBI's risk-based cross-border CNP rules will add a step-up check on anomalous online overseas use, so a card the bank already recognises as yours will sail through more often.

How this plays out in practice

Consider Priya in London, banking with ICICI, holding both an NRE and an NRO account that are KYC-current. She wants to send Rs 40,000 to her brother in Pune this evening, and all she has is her UK +44 number. She first confirms the three locks are open: the UK is on the NPCI list, ICICI supports international numbers, and her accounts are compliant. She installs PhonePe, selects her UK number during onboarding, and because PhonePe and ICICI both support the UK code, the verification SMS routes correctly and the number verifies. She links her NRO account, since the gift is from India-sourced funds she keeps there, and creates a UPI ID. Then she hits the wall everyone forgets: her brand-new UPI ID is capped at Rs 5,000 for the first 24 hours. So she sends Rs 5,000 by UPI now to cover the urgent slice and moves the remaining Rs 35,000 by IMPS from the same NRO account, instantly and well under the Rs 5 lakh cap, approved by the push notification she had switched on in the ICICI app rather than over SMS. Rs 5,000 by UPI plus Rs 35,000 by IMPS equals Rs 40,000, settled the same evening. The next day, window passed, her UPI ID lifts to the standard Rs 1 lakh and she uses it freely. The lesson is to plan around the first-day cap and keep IMPS as the instant fallback.

Now take Arjun, who moved to Toronto in 2024, banks with a mid-sized bank, and let his Indian SIM lapse. He needs to move Rs 6 lakh from a matured NRE fixed deposit into his NRE savings account and send Rs 2 lakh of it home, and his OTP simply will not come. Diagnosing it, he sees he has never managed to register his Canadian number and his Indian SIM is dead, so he is in failure modes one and three at once: codes are going to a number that no longer receives anything. He works the fixes in order. The self-service screen rejects a +1 number, so he books a video KYC session, during which the bank stores his verified Canadian number with the correct country code and updates his email. He then enables app-based push approval so authentication never depends on SMS again, and confirms email OTP as a backup. With authentication working, the Rs 6 lakh FD maturity moving between his own accounts goes by RTGS, above the Rs 2 lakh floor and approved by push, and the Rs 2 lakh onward transfer goes by RTGS too, both clearing without a single SMS. Rs 6,00,000 repositioned internally and Rs 2,00,000 sent on leaves Rs 4,00,000 in his NRE savings, all authenticated by push and email, with no live Indian SIM anywhere. Had he instead chased the dead SIM, ordering a roaming top-up and waiting on delayed codes, he would have burned the week and still been at the mercy of a 60-second window. When SMS is the broken link, the durable fix is to stop depending on SMS, and video KYC is the channel that gets a foreign number stored correctly in the first place.

The contrast between the two is the whole guide in miniature. Priya's problem was a fresh-UPI limit, an afternoon's planning. Arjun's was structural, a wrong record plus a dead number, and it needed the heavy lever of video KYC. Knowing which situation you are in tells you whether you are an hour from fixed or a video call away.

Security when you bank across borders

Running an Indian account from abroad widens your attack surface a little, so a few habits matter more than at home. Prefer app and push-based authentication over SMS OTP wherever you can, not only because it is more reliable abroad but because SMS interception is a real fraud vector and the one RBI is steering the system away from. Use a strong, unique net-banking password and never reuse it. Turn on biometric login so a stolen password alone is not enough. Set transaction alerts to email as well as SMS, so a blocked SMS does not also hide a fraudulent debit from you. Scope your debit card tightly, as above. And be ruthless about OTP social engineering: no bank ever asks you to read out a one-time code, and the most common NRI-targeted scam is precisely a caller offering to "unblock" your account if you share the code that just arrived. The .bank.in migration helps here too, since a genuine bank URL now ends in .bank.in, making the look-alike phishing domains easier to spot. If you bank over public Wi-Fi abroad, use the app on mobile data or a trusted connection rather than an open cafe network, and keep the app and phone OS updated, because banking apps lean on the OS security layer for device binding and biometrics.

The cases that sit outside the clean rules

A handful of situations deserve their own note. If your country is not on the NPCI 12, UPI on your foreign number is simply unavailable until NPCI adds the code, so Germany, Netherlands, New Zealand and South Africa residents fall back on net banking and the app authenticated by push or a live Indian SIM, plus NEFT, RTGS and IMPS. UPI is a convenience layer, not the only way to bank. If your bank supports the country code but your app does not, or the reverse, a registration can fail even when you are eligible, so try a different supported app before concluding you are locked out. If a resident relative operates your account under a mandate or Power of Attorney, the OTP and login are tied to the registered holder's credentials, so decide deliberately whose number and device the account authenticates against and keep it consistent. And none of this works on a dormant or KYC-lapsed account: a dormant NRE or NRO account must be reactivated and lapsed KYC re-verified before UPI, net banking or transfers will function, so if your OTP is failing and the account has not transacted in a long time, check the account status before you blame the SMS.

When the app blocks the login itself, not the OTP

Sometimes the problem is not the code but the login: the app or net banking detects a foreign IP, flags it as suspicious, and either blocks the session or forces a verification you cannot complete. The cleanest fix is to tell the bank you are abroad. Many banks let you flag the account as NRI or travelling, which whitelists foreign access, and if your account is correctly tagged as NRE or NRO, foreign logins should not be flagged at all. If they are, the account may still be tagged as resident, which is itself a compliance problem worth fixing, since holding a resident savings account after you become an NRI is not permitted. Beyond that, prefer the mobile app over net banking, because a login bound to a registered device is trusted differently from a fresh browser session on a foreign IP and often sails through where the web login is blocked, and complete device and number registration before you travel so the bank already trusts your device. People sometimes route through an Indian VPN so the login appears to originate in India, which can bypass an IP block but is a workaround for a symptom, not a fix, and it sits awkwardly with the bank's own terms and fraud monitoring. The better path is to get the account correctly tagged as non-resident and use a trusted, registered device, so foreign access is expected rather than disguised. RBI's risk-based direction makes this the winning strategy anyway: a recognised device beats a spoofed location every time.

The honest read

The rules have moved decisively in the NRI's favour, and 2026 is the year that becomes structural rather than incidental. UPI on a foreign number is real and spans 12 countries including all four this site writes for, the transfer rails run 24x7, and RBI's authentication framework is actively retiring the SMS-OTP dependency that strands people abroad. That is a genuine change from even three years ago, and it means the fixes in this guide are now the direction the whole system is heading, not clever hacks against it.

The honest read is still that implementation lags the rules, and the gap is almost entirely about authentication. Eligibility is rarely your problem; OTP delivery is. So commit to this, in this order. Before you leave India, or before your Indian SIM lapses, enable app or push-based approval and register your device, because that one step removes the dependency that causes most of the pain. If you are already abroad and stuck, book a video KYC session, because it is the single channel that gets your foreign number stored correctly and lets you switch off SMS for good. Keep one Indian SIM alive on an annual long-validity recharge as universal backup, since at a few hundred rupees a year it is the cheapest insurance you will buy and it protects a number your bank still trusts. And turn on email OTP wherever offered, as the fallback for the night the push fails.

Above all, choose your bank for this deliberately, weighing it as heavily as the interest rate. A bank that embraced the UPI-for-NRIs rollout, stores foreign numbers correctly, offers push approval and email OTP, and does not block legitimate foreign logins will make banking from abroad almost invisible, and on current evidence that points to IDFC FIRST and ICICI for a digital-first NRI relationship. A bank that still assumes a 10-digit Indian number behind every screen will make it a recurring fight, regardless of what RBI mandates on paper. For most NRIs running a digital-first relationship, the combination that simply works is the right bank, push-based authentication, and one live Indian SIM as backup. Set that up once and the Sunday-night hospital deposit goes through on the first try.

Related guides

• NRE, NRO and FCNR accounts compared
• How to open an NRE or NRO account from abroad
• Choosing the right NRI bank
• NRI credit cards in India
• Sending money to India as an NRI
• Sending money out of India: NRO vs LRS
• The NRO repatriation process
• Joint accounts and mandates for NRIs
• Closing NRI accounts
• Setting up an NRI demat account
• Banking guides hub
• Investments guides hub

---

This guide is general information, not financial or legal advice. UPI country-code support, bank-level enablement, OTP delivery options, transaction limits, debit card rules and the RBI authentication timeline change frequently and differ between banks. NPCI maintains the authoritative list of supported country codes, banks and UPI apps; verify the current list and confirm your own bank's capabilities before relying on any feature described here. Authentication methods and transaction limits are set by individual banks, by NPCI and by RBI and are subject to change.