India’s digital payments ecosystem is set for a significant security upgrade as the Reserve Bank of India (RBI) prepares to implement stricter authentication norms from April 1. The move comes amid rising transaction volumes and a parallel increase in fraud risks, marking a shift toward more robust and adaptive security frameworks.

What is changing?

Under the new guidelines, digital transactions will require two-factor authentication (2FA), with at least one dynamic factor—such as a one-time password (OTP), biometric verification, or device-based authentication. This goes beyond the current reliance on OTP-only systems, which industry players say are vulnerable to phishing and SIM-swap attacks.

The RBI’s approach is also notably less prescriptive. Instead of mandating specific technologies, it focuses on outcomes—allowing banks and fintech firms to deploy a mix of tools such as biometrics, tokenisation, device binding, and risk-based authentication models.

Why now?

Industry experts point to the scale of growth in digital payments as a key driver. As adoption expands, so do threats such as unauthorized access and social engineering fraud.

Prakash Ravindran, CEO & Director at InstiFi, said the new framework reflects a broader shift in how trust and security are managed. He noted that layered authentication will help reduce fraud risks while creating a safer operating environment for merchants.

Similarly, Amit Kumar, CTO & Director at Easebuzz, described the move as timely, given the simultaneous rise in transaction volumes and fraud attempts.

He added that stronger authentication could enhance consumer trust, even if it introduces slight friction in transaction flows.

Impact on banks, fintechs, and merchants

A key feature of the new rules is increased issuer liability. Banks and payment providers will be held accountable in cases of non-compliance, effectively making strong authentication mandatory rather than optional.

Harsh Vardhan Masta, Head of Payments at Policybazaar, said this shift would push institutions to adopt stricter transaction processing standards while ensuring quicker compensation in fraud cases.

For merchants—especially small and medium businesses—the changes are expected to reduce risks related to disputes, financial losses, and reputational damage, thereby boosting confidence in digital payments.

Balancing security and user experience

While stronger authentication improves safety, it can also add friction to the payment process. To address this, companies are expected to adopt risk-based authentication, where the level of verification depends on factors such as transaction value, user behavior, and device details.

This means low-risk transactions may remain quick and seamless, while high-risk ones undergo additional checks.

The bigger picture

The RBI’s new framework signals a transition from rule-based compliance to principle-driven regulation, encouraging innovation while setting a baseline for security.