SDG 9: Industry, Innovation & Infrastructure | SDG 16: Peace, Justice & Strong Institutions
Institutions: Reserve Bank of India | Ministry of Finance

The Reserve Bank of India (RBI) has issued the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, setting new standards for two-factor authentication (2FA) in domestic payments and selected cross-border transactions. All banks, non-banks, and payment system providers must comply by April 1, 2026.

Key provisions:

• Mandatory two-factor authentication for all digital payments, with at least one dynamic factor (e.g. OTP, biometrics, token).

• Issuer responsibility: if authentication rules are breached, issuers must compensate customers in full.

• Risk-based checks allowed, using behaviour, device attributes, or contextual data; DigiLocker may be used for high-risk confirmations.

• Cross-border card not present (CNP) transactions: by Oct 1, 2026, Indian issuers must validate non-recurring overseas payments and put in place risk-based monitoring.

• Open access/tokenisation: authentication services must be interoperable across apps and channels.

By codifying stronger authentication norms, RBI aims to reduce fraud, improve consumer protection, and ensure that India’s fast-growing digital payment ecosystem maintains trust, resilience, and compliance with the Digital Personal Data Protection Act, 2023. For banks and fintechs, this may require upgrading infrastructure, while for consumers it promises more secure online payments.

What RBI’s New Authentication Rules Mean for Users

For customers, the new RBI rules mean that every digital payment will require two checks, with at least one being unique to each transaction, making payments more secure. Banks may also offer alternatives to SMS OTPs such as biometrics, tokens, or app-based approvals. In cases where a payment looks suspicious, users may face extra verification steps. Importantly, if fraud occurs because banks fail to comply, customers are entitled to full compensation. From 2026, online international card transactions will also be subject to tighter safeguards, ensuring greater protection against misuse.

Follow the full notification here: RBI Notification – Authentication Mechanisms for Digital Payment Transactions Directions, 2025