RBI tightens rules for Aadhaar-enabled payment operators to crack down on fraud

In a bid to strengthen customer protection and bolster trust in Aadhaar Enabled Payment System (AePS) transactions, the Reserve Bank of India (RBI) today issued new compliance directives for banks and also the National Payments Corporation of India (NPCI). These guidelines, which mandate rigorous due diligence and risk management measures for AePS touchpoint operators, will come into force from January 1, 2026.

The new rules apply to all Scheduled Commercial Banks, Regional Rural Banks, Urban and State Cooperative Banks, District Central Cooperative Banks, and NPCI.

AePS—the Aadhaar‑enabled Payment System run by the National Payments Corporation of India—lets customers withdraw cash, transfer funds and check balances at any bank outlet with just their Aadhaar credentials. Its biometric, interoperable platform extends formal banking to rural and underserved communities, making it a cornerstone of India’s financial‑inclusion push.

However, recent incidents of identity theft and fraud through AePS has prompted the central bank to act. In line with the Statement on Developmental and Regulatory Policies released on February 8, 2024, RBI has now issued detailed directions under the Payment and Settlement Systems Act, 2007.

The circular issued today directs banks to conduct comprehensive customer due diligence (CDD) on every AePS Touchpoint Operator (ATO) before onboarding, in line with RBI KYC requirements; CDD already completed for ATOs acting as Business Correspondents or sub‑agents may be relied upon. Acquiring banks must also re‑verify the KYC of any ATO that remains inactive for three months, maintain continuous transaction‑surveillance monitoring, and establish operational limits tailored to each operator’s risk profile and transaction patterns. These parameters must be reviewed regularly to keep pace with evolving fraud trends. 

Further, system-level controls must be implemented to ensure that AePS-related technological integrations, such as APIs, are strictly used for AePS functions only.

According to the RBI, the acquiring bank must keep a close, real‑time watch on every AePS Touchpoint Operator (ATO) through its transaction‑monitoring system. It should set clear operating limits—such as where the ATO works, what kinds of services it offers, and how many transactions it handles—based on the operator’s risk profile. These limits are not static: the bank must review them regularly to catch new fraud patterns as they emerge.

Finally, any technology links the bank provides (for example, APIs) may be used only for authorised AePS activities, ensuring the system stays focused on secure Aadhaar‑based payments.