8 months ago
4
The Reserve Bank of India (RBI), to further unafraid integer payments transactions, has mandated introduction of further risk-based checks beyond the minimum two-factor authentication by leveraging upon technological advancements.
The RBI connected Thursday (September 25, 2025) issued Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025 which volition travel into force from April 1, 2026.
These directions volition beryllium applicable to each Payment System Providers, Payment System Participants (banks and non-banks) and each home integer outgo transactions.
As per the directions issuers indispensable follow further risk-based checks based connected the fraud hazard cognition of the underlying transaction.
They person been asked to facilitate interoperability and unfastened entree to technology.
The directions telephone for mandating card issuers to validate Additional Factor of Authentication (AFA) successful non-recurring cross-border Card Not Present (CNP) transactions whenever specified a petition is raised by the overseas merchant oregon acquirer.
Currently each integer outgo transactions successful India are required to conscionable the norm of 2 factors of authentication. While nary circumstantial origin was mandated for authentication, the integer payments ecosystem has chiefly adopted SMS-based One Time Password (OTP) arsenic the further factor.
The directions supply the wide principles which volition beryllium complied with by each the participants successful the outgo chain, portion utilizing a signifier of authentication.
While these directions are applicable lone to home transactions, to supply a akin level of information for online planetary transactions undertaken utilizing cards issued successful India, the directions besides incorporated indispensable instructions for circumstantial cross-border paper transactions.
“It shall beryllium ensured that for integer outgo transactions, different than paper contiguous transactions, astatine slightest 1 of the factors of authentication is dynamically created oregon proven, i.e., the impervious of possession of the factor, being sent arsenic portion of the transaction, is unsocial to that transaction,” the RBI said.
The origin of authentication volition beryllium specified that compromise of 1 origin would not impact reliability of the other.
“System Providers and System Participants volition request to connection authentication oregon tokenisation work that is accessible to each the applications / token requestors functioning successful that operating situation for each usage cases / channels oregon token retention mechanisms,” it said.
Issuers may, successful enactment with their interior hazard absorption policies, place transactions for valuation against behavioural / contextual parameters specified arsenic transaction location, idiosyncratic behaviour patterns, instrumentality attributes, humanities transaction profile, etc, it added.
Based connected the perceived hazard associated with the transaction, further checks beyond the minimum two-factor authentication whitethorn beryllium resorted to. Issuers whitethorn besides research utilizing DigiLocker arsenic a level for notification and confirmation for high-risk transactions, the regulator said.
“An issuer shall guarantee the robustness and integrity of the authentication mechanics earlier deployment,” it said.
“If immoderate nonaccomplishment arises retired of transactions effected without complying with these directions, the issuer shall compensate the lawsuit for the nonaccomplishment successful afloat without demur,” it said
Issuers volition guarantee adherence to the provisions of Digital Personal Data Protection Act, 2023, it added.
RBI had issued draught directions connected Alternative Authentication Mechanisms for Digital Payment Transactions connected July 31, 2024 and draught directions connected instauration of AFA successful cross-border CNP transactions connected February 07, 2025, for stakeholder comments.
These directions person been issued aft incorporating feedback from the public.
