In a major step to enhance the security of India’s fast-growing digital payments ecosystem, the Reserve Bank of India (RBI) has announced new guidelines mandating additional risk-based authentication measures beyond the current two-factor standard. The new rules, issued under the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, will come into effect from April 1, 2026.

Beyond Two-Factor Authentication
While two-factor authentication (2FA) — often involving passwords and OTPs — remains mandatory for all digital transactions, the RBI now requires extra layers of security based on the fraud risk perception of each transaction. Issuers will need to implement risk-based checks that consider parameters such as transaction location, device attributes, user behaviour patterns, and transaction history.
Importantly, at least one authentication factor must be dynamically generated or unique to each transaction, ensuring that even if one factor is compromised, the second remains secure.
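As an added illustration (not from the RBI directions or any issuer's code), the following Python sketch shows how an issuer-side check could score a transaction on the four parameters named above and bind the dynamic factor to the transaction itself; the key, weights, threshold and sample records are constructed assumptions.

```python
import hmac
import hashlib

# Constructed issuer-side key (assumption); a real issuer keeps this in an HSM.
SECRET = b"constructed-issuer-key-not-real"

def transaction_otp(secret: bytes, txn: dict, counter: int, digits: int = 6) -> str:
    # Dynamic factor bound to the transaction: HMAC-SHA256 over amount, payee and a
    # per-transaction counter, truncated HOTP-style; it does not verify for other values.
    msg = f"{txn['amount']}|{txn['payee']}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def risk_score(txn: dict, profile: dict) -> int:
    # Additive score over the parameters the directions name; weights are assumptions.
    score = 0
    if txn["country"] != profile["home_country"]:
        score += 40   # transaction location
    if txn["device_id"] not in profile["known_devices"]:
        score += 30   # device attributes
    if txn["hour"] not in profile["usual_hours"]:
        score += 10   # user behaviour pattern (time of day)
    if txn["amount"] > 3 * profile["avg_amount"]:
        score += 20   # transaction history (amount well above the customer's average)
    return score

def authenticate(txn: dict, profile: dict, counter: int, supplied_otp: str,
                 step_up_done: bool = False, threshold: int = 50) -> str:
    # The second factor is checked every time; an extra factor only above the threshold.
    expected = transaction_otp(SECRET, txn, counter)
    if not hmac.compare_digest(expected, supplied_otp):
        return "deny"
    if risk_score(txn, profile) >= threshold and not step_up_done:
        return "step_up"
    return "approve"

# Constructed customer profile and transactions (sample data, not real records).
PROFILE = {"home_country": "IN", "known_devices": {"dev-A1"},
           "usual_hours": set(range(8, 22)), "avg_amount": 1500}
TXN_LOW = {"amount": 1200, "payee": "merchant-42", "country": "IN",
           "device_id": "dev-A1", "hour": 14}
TXN_HIGH = {"amount": 9000, "payee": "merchant-99", "country": "SG",
            "device_id": "dev-Z9", "hour": 3}

if __name__ == "__main__":
    print(authenticate(TXN_LOW, PROFILE, 7, transaction_otp(SECRET, TXN_LOW, 7)))    # approve
    print(authenticate(TXN_HIGH, PROFILE, 8, transaction_otp(SECRET, TXN_HIGH, 8)))  # step_up
```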
Broader Coverage and Cross-Border Transactions
The new directions apply to all domestic digital payments and require payment system providers and participants — including banks, non-banks, and fintech companies — to adhere to stricter authentication protocols.
Additionally, card issuers must now validate Additional Factor of Authentication (AFA) for non-recurring cross-border card-not-present (CNP) transactions when requested by the overseas merchant or acquirer. This aims to enhance security for online international transactions conducted using Indian-issued cards.
Interoperability, Tokenisation, and New Tools
RBI has also stressed the need for interoperability and open access to authentication technologies. System providers must offer tokenisation and authentication services that are compatible across platforms and applications.
Issuers are encouraged to explore new tools — including DigiLocker notifications — for additional verification in high-risk transactions. These dynamic checks will add an extra layer of protection without compromising user convenience.
Accountability and Customer Protection
The central bank has made it clear that if any fraudulent transaction occurs due to non-compliance with the new authentication guidelines, issuers will be liable to fully compensate customers. All participants must also ensure compliance with the Digital Personal Data Protection Act, 2023.