RBI New Rules on Digital Payments: India is among the countries that emphasize two-factor authentication. Until now, financial institutions primarily relied on SMS alerts for transactions. The new rules aim to make digital payments more secure.
The Reserve Bank of India (RBI) has announced new rules regarding digital payments. It stated that two-factor authentication options other than SMS OTP will now be available for payments. These new rules aim to make digital payments more secure. They will come into effect on April 1, 2026. The RBI has issued the “Authentication Mechanisms for Digital Payment Transactions Directions, 2025.”
The RBI stated that payment authentication factors may include “something possessed by the user,” “something known to the user,” or “something identified by the user.” This could include a password, passphrase, PIN, card hardware, software token, fingerprint, or other biometric method, in addition to an OTP sent via SMS to the mobile phone. SMS OTP will continue to be used as before.
At least one authentication factor must be unique and new
India is among the countries that emphasize two-factor authentication. Until now, financial institutions relied primarily on SMS alerts for transactions. Under the new regulations, at least one authentication factor must be unique and new for each transaction. Payment systems must also be robust so that compromise of one factor does not impact the reliability of the other factors.
Additionally, the RBI stated that, for risk management purposes, financial institutions may identify transactions for evaluation based on factors such as transaction location, user behavior, device details, and transaction history. Additional verification may be conducted for high-risk transactions. DigiLocker may be used for notification and confirmation.
Compensation will have to be given if the customer suffers any loss
The Reserve Bank has stated that if any financial loss occurs due to non-compliance with these instructions, the issuer will be required to fully compensate the customer. Additionally, card issuers will also be required to implement a validation mechanism for non-recurring, cross-border card-not-present (CNP) transactions initiated by overseas acquirers from October 1, 2026.
