RBI allows risk-based checks beyond two-factor authentication for digital payments, compliance deadline set for April 2026
ADVERTISEMENT
The Reserve Bank of India (RBI) has issued new directives requiring all digital payment transactions in the country to adhere to the two-factor authentication (2FA) process to guarantee secure and reliable payments.
According to the RBI, although no specific factor is required for authentication, the digital payments industry in India has predominantly relied on SMS-based One Time Passwords (OTPs) as the second authentication factor. The new directions outline broad principles that all participants in the payment chain must follow when using any form of authentication, allowing for flexibility in adopting alternative mechanisms beyond OTPs.
"Enabling issuers to implement extra risk-based checks beyond the minimum two-factor authentication according to the fraud risk perception of the transaction," per the RBI circluar.
“All Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with these directions by April 1, 2026, unless indicated otherwise for any specific provision,” the RBI said in a circular.
September 2025
2025 is shaping up to be the year of electric car sales. In a first, India’s electric vehicles (EV) industry crossed the sales milestone of 100,000 units in FY25, fuelled by a slew of launches by major players, including Tata Motors, M&M, Ashok Leyland, JSW MG Motor, Hyundai, BMW, and Mercedes-Benz. The issue also looks at the challenges ahead for Tata Sons chairman N. Chandrasekaran in his third term, and India’s possible responses to U.S. president Donald Trump’s 50% tariff on Indian goods. Read these compelling stories in the latest issue of Fortune India.
The RBI initially signalled its intention to revise authentication norms in its Statement on Developmental and Regulatory Policies released on February 8, 2024. The recent directions aim to enable the payments ecosystem to utilize technological advancements for implementing alternative authentication methods, such as biometric verification, app-based approvals, or device-based security features, either alongside or instead of SMS OTPs.
While the new rules mainly cover domestic digital transactions, they also include guidelines for certain cross-border card transactions. “To provide a similar level of safety for online international transactions undertaken using cards issued in India, the directions incorporate necessary instructions for specific cross-border card transactions,” the RBI said. This aligns with the policy statement made on February 7, 2025.
The directions will apply to all payment system providers and participants, including both banks and non-bank entities involved in India’s rapidly expanding digital payments sector. They cover all domestic digital payment transactions unless explicitly exempted.
The RBI has stated that these guidelines aim to balance user convenience with robust security, ensuring that India’s digital payments ecosystem remains both secure and prepared for the future.
Fortune India is now on WhatsApp! Get the latest updates from the world of business and economy delivered straight to your phone. Subscribe now.