The Reserve Bank of India (RBI) on Thursday rolled out a new framework for authenticating digital payments beyond two-factor authentication (2FA), which will come into force from 1 April 2026.

The new rules are part of the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, announced today.

New guidelines issued

I. Card issuers are encouraged to introduce new factors of authentication by leveraging technological advancements. However, it does NOT mean that SMS-based OTP as an authentication tool would get discontinued.

II. The latest direction also enable card issuers to embrace additional risk-based checks beyond the minimum two-factor authentication. This could be based on the fraud risk perception of the underlying transaction.

III. The directions also emphasise facilitating interoperability and enabling open access to technology. As a result, system providers will offer an authentication or tokenisation service that is accessible to all the applications/token requestors functioning in that operating environment.

IV. The RBI also delineates the responsibility of issuers.

V. Additionally, the central bank mandates card issuers to validate AFA in non-recurring cross-border CNP (card-not-present) transactions whenever such a request is raised by the overseas merchant or acquirer.

Principles for authenticating digital payments 

1. Minimum two: There should be a minimum of two factors of authentication.

2. Dynamic: At least one of the factors of authentication is dynamically created or proven.

3. Robust: The factor of authentication will be such that the compromise of one factor does not affect the reliability of the other.

Stakeholders’ suggestions incorporated

Last year, in July, the RBI issued draft directions on Alternative Authentication Mechanisms for Digital Payment Transactions, followed by draft directions on the introduction of Additional Factor of Authentication (AFA) in cross-border CNP transactions in February this year to seek comments from stakeholders.

The views of the public were examined and incorporated in the directions which were issued today.

However, these measures outlined above will not be implemented in cross-border digital payments.

Meanwhile, the RBI has instructed card issuers to put in place a mechanism to validate non-recurring, cross-border CNP transactions by October 1 next year, where a request for authentication is raised by an overseas merchant or overseas acquirer.

To ensure compliance, card issuers will register their Bank Identification Numbers (BINs) with card networks.

For all personal finance updates, visit here