RBI tightens rules for Aadhaar-enabled payment operators to crack down on fraud
ADVERTISEMENT
In a bid to strengthen customer protection and bolster trust in Aadhaar Enabled Payment System (AePS) transactions, the Reserve Bank of India (RBI) today issued new compliance directives for banks and also the National Payments Corporation of India (NPCI). These guidelines, which mandate rigorous due diligence and risk management measures for AePS touchpoint operators, will come into force from January 1, 2026.
The new rules apply to all Scheduled Commercial Banks, Regional Rural Banks, Urban and State Cooperative Banks, District Central Cooperative Banks, and NPCI.
AePS—the Aadhaar‑enabled Payment System run by the National Payments Corporation of India—lets customers withdraw cash, transfer funds and check balances at any bank outlet with just their Aadhaar credentials. Its biometric, interoperable platform extends formal banking to rural and underserved communities, making it a cornerstone of India’s financial‑inclusion push.
August 2025
As India continues to be the world’s fastest-growing major economy, Fortune India presents its special issue on the nation’s Top 100 Billionaires. Curated in partnership with Waterfield Advisors, this year’s list reflects a slight decline in the number of dollar billionaires—from 185 to 182—even as the entry threshold for the Top 100 rose to ₹24,283 crore, up from ₹22,739 crore last year. From stalwarts like Mukesh Ambani, Gautam Adani, and the Mistry family, who continue to lead the list, to major gainers such as Sunil Mittal and Kumar Mangalam Birla, the issue goes beyond the numbers to explore the resilience, ambition, and strategic foresight that define India’s wealth creators. Read their compelling stories in the latest issue of Fortune India. On stands now.
However, recent incidents of identity theft and fraud through AePS has prompted the central bank to act. In line with the Statement on Developmental and Regulatory Policies released on February 8, 2024, RBI has now issued detailed directions under the Payment and Settlement Systems Act, 2007.
The circular issued today directs banks to conduct comprehensive customer due diligence (CDD) on every AePS Touchpoint Operator (ATO) before onboarding, in line with RBI KYC requirements; CDD already completed for ATOs acting as Business Correspondents or sub‑agents may be relied upon. Acquiring banks must also re‑verify the KYC of any ATO that remains inactive for three months, maintain continuous transaction‑surveillance monitoring, and establish operational limits tailored to each operator’s risk profile and transaction patterns. These parameters must be reviewed regularly to keep pace with evolving fraud trends.
Further, system-level controls must be implemented to ensure that AePS-related technological integrations, such as APIs, are strictly used for AePS functions only.
According to the RBI, the acquiring bank must keep a close, real‑time watch on every AePS Touchpoint Operator (ATO) through its transaction‑monitoring system. It should set clear operating limits—such as where the ATO works, what kinds of services it offers, and how many transactions it handles—based on the operator’s risk profile. These limits are not static: the bank must review them regularly to catch new fraud patterns as they emerge.
Finally, any technology links the bank provides (for example, APIs) may be used only for authorised AePS activities, ensuring the system stays focused on secure Aadhaar‑based payments.
Fortune India is now on WhatsApp! Get the latest updates from the world of business and economy delivered straight to your phone. Subscribe now.