RBI allows risk-based checks beyond two-factor authentication for digital payments, compliance deadline set for April 2026
ADVERTISEMENT
The Reserve Bank of India (RBI) has issued new directives requiring all digital payment transactions in the country to adhere to the two-factor authentication (2FA) process to guarantee secure and reliable payments.
According to the RBI, although no specific factor is required for authentication, the digital payments industry in India has predominantly relied on SMS-based One Time Passwords (OTPs) as the second authentication factor. The new directions outline broad principles that all participants in the payment chain must follow when using any form of authentication, allowing for flexibility in adopting alternative mechanisms beyond OTPs.
"Enabling issuers to implement extra risk-based checks beyond the minimum two-factor authentication according to the fraud risk perception of the transaction," per the RBI circluar.
“All Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with these directions by April 1, 2026, unless indicated otherwise for any specific provision,” the RBI said in a circular.
The RBI initially signalled its intention to revise authentication norms in its Statement on Developmental and Regulatory Policies released on February 8, 2024. The recent directions aim to enable the payments ecosystem to utilize technological advancements for implementing alternative authentication methods, such as biometric verification, app-based approvals, or device-based security features, either alongside or instead of SMS OTPs.
October 2025
As India’s growth story gains momentum and the number of billionaires rises, the country’s luxury market is seeing a boom like never before, with the taste for luxury moving beyond the metros. From high-end watches and jewellery to lavish residences and luxurious holidays, Indians are splurging like never before. Storied luxury brands are rushing in to satiate this demand, often roping in Indian celebs as ambassadors.
RBI by mandating risk-based checks in its latest directions has formalised a framework that encourages a variety of authentication mechanisms beyond just SMS-based OTPs. The specific requirement for validating an Additional Factor of Authentication (AFA) in cross-border card-not-present transactions is a crucial step in increasing trust and reducing risks, ultimately benefiting both businesses and their customers," says Sanjay Tripathy, CEO & Co-Founder, BRISKPE, a cross-border payments platform. "It provides a clear, uniform standard that aligns with global best practices, thereby strengthening India's position in the international digital payments landscape. The move will foster a more robust and compliant ecosystem, ensuring smoother and more secure cross-border transactions for all.”
While the new rules mainly cover domestic digital transactions, they also include guidelines for certain cross-border card transactions. “To provide a similar level of safety for online international transactions undertaken using cards issued in India, the directions incorporate necessary instructions for specific cross-border card transactions,” the RBI said. This aligns with the policy statement made on February 7, 2025.
The directions will apply to all payment system providers and participants, including both banks and non-bank entities involved in India’s rapidly expanding digital payments sector. They cover all domestic digital payment transactions unless explicitly exempted.
The RBI has stated that these guidelines aim to balance user convenience with robust security, ensuring that India’s digital payments ecosystem remains both secure and prepared for the future.
Fortune India is now on WhatsApp! Get the latest updates from the world of business and economy delivered straight to your phone. Subscribe now.