The Reserve Bank of India (RBI), to additional safe digital funds transactions, has mandated introduction of extra risk-based checks past the minimal two-factor authentication by leveraging upon technological developments.
The RBI on Thursday (September 25, 2025) issued Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025 which can come into pressure from April 1, 2026.
These instructions might be relevant to all Payment System Providers, Payment System Participants (banks and non-banks) and all home digital fee transactions.
As per the instructions issuers should undertake extra risk-based checks based mostly on the fraud danger notion of the underlying transaction.
They have been requested to facilitate interoperability and open entry to know-how.
The instructions name for mandating card issuers to validate Additional Factor of Authentication (AFA) in non-recurring cross-border Card Not Present (CNP) transactions each time such a request is raised by the abroad service provider or acquirer.
Currently all digital fee transactions in India are required to satisfy the norm of two components of authentication. While no particular issue was mandated for authentication, the digital funds ecosystem has primarily adopted SMS-based One Time Password (OTP) as the extra issue.
The instructions present the broad rules which might be complied with by all of the members within the fee chain, whereas utilizing a type of authentication.
While these instructions are relevant solely to home transactions, to offer the same degree of security for on-line worldwide transactions undertaken utilizing playing cards issued in India, the instructions additionally incorporate essential directions for particular cross-border card transactions.
“It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction,” the RBI mentioned.
The issue of authentication might be such that compromise of 1 issue wouldn’t have an effect on reliability of the opposite.
“System Providers and System Participants will need to offer authentication or tokenisation service that is accessible to all the applications / token requestors functioning in that operating environment for all use cases / channels or token storage mechanisms,” it mentioned.
Issuers could, according to their inside danger administration insurance policies, establish transactions for analysis in opposition to behavioural / contextual parameters resembling transaction location, person behaviour patterns, machine attributes, historic transaction profile, and so forth, it added.
Based on the perceived danger related to the transaction, extra checks past the minimal two-factor authentication could also be resorted to. Issuers may discover utilizing DigiLocker as a platform for notification and affirmation for high-risk transactions, the regulator mentioned.
“An issuer shall ensure the robustness and integrity of the authentication mechanism before deployment,” it mentioned.
“If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur,” it mentioned
Issuers will guarantee adherence to the provisions of Digital Personal Data Protection Act, 2023, it added.
RBI had issued draft instructions on Alternative Authentication Mechanisms for Digital Payment Transactions on July 31, 2024 and draft instructions on introduction of AFA in cross-border CNP transactions on February 07, 2025, for stakeholder feedback.
These instructions have been issued after incorporating suggestions from the general public.