The Reserve Bank of India (RBI) has issued a new regulation called “Authentication Mechanisms for Digital Payment Transactions Directions, 2025” that mandates two-factor authentication (2FA) for virtually all digital payments in India.
- This rule comes into force on April 1, 2026.
- All Payment System Providers (banks and non-bank entities) must comply by that date, except for the transaction types the Directions specifically exempt.
Key Changes Under the New Rule
Here are the major changes introduced:
| Requirement | Details |
|---|---|
| Two-Factor Authentication | All digital payments must use at least two factors of different types. At least one of them must be dynamic, i.e. generated for and bound to that one transaction, so it cannot be reused for another. |
| Allowed Authentication Methods | Something the user knows (PIN, password, passphrase), something the user has (card hardware, software token), or something the user is (biometrics such as fingerprint, Aadhaar-based verification). |
| Risk-Based Checks | Depending on transaction risk (e.g. amount, location, device, behaviour), the issuer may require additional verification. |
| Cross-Border "Card-Not-Present" (CNP) Transactions | For non-recurring cross-border CNP transactions, issuers must be able to apply additional authentication whenever an overseas merchant or acquirer requests it, by October 1, 2026. |
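The two technical requirements in the table, factors from different categories with at least one dynamic per-transaction factor, plus a risk-based step-up, are easy to get wrong in implementation (two static factors, or an OTP that is not tied to the transaction it authorises). The following is an added illustration, not code from the article and not a mechanism prescribed by the RBI Directions: the factor labels, the function names, the HMAC-based transaction code and the risk thresholds are all assumptions made for the example.

```python
# Added example, not code from the article or from RBI: a toy model of the
# authentication policy the table describes. Function names, factor labels,
# the HMAC-based transaction code and the risk thresholds are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# The three factor categories named in the table.
CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Factor:
    name: str
    category: str
    dynamic: bool  # True when the credential is unique to this transaction


def satisfies_2fa(factors):
    """Policy check: factors from at least two distinct categories, and at
    least one factor that is dynamic. Returns (ok, reason)."""
    cats = {f.category for f in factors}
    if not cats <= CATEGORIES:
        return False, "unknown factor category"
    if len(cats) < 2:
        return False, "need factors from at least two different categories"
    if not any(f.dynamic for f in factors):
        return False, "at least one factor must be dynamic (per-transaction)"
    return True, "ok"


def transaction_code(device_key, nonce, amount_paise, payee):
    """Dynamic factor bound to one transaction (assumed construction): a
    6-digit code derived by HMAC-SHA256 over a fresh nonce plus the amount and
    payee. Replaying the code for a different amount, payee or nonce fails,
    unlike a plain OTP that is not tied to the transaction details."""
    msg = nonce + amount_paise.to_bytes(8, "big") + payee.encode("utf-8")
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_transaction_code(device_key, nonce, amount_paise, payee, presented):
    """Constant-time comparison of the presented code with the expected one."""
    expected = transaction_code(device_key, nonce, amount_paise, payee)
    return hmac.compare_digest(expected, presented)


def step_up_required(amount_paise, new_device, cross_border,
                     high_value_paise=1_000_000):
    """Risk-based check with assumed thresholds: a high-value payment
    (Rs 10,000 here), an unrecognised device, or a cross-border transaction
    triggers additional verification."""
    return amount_paise >= high_value_paise or new_device or cross_border


def demo():
    # Constructed sample: a Rs 500 domestic payment from a known device.
    device_key = secrets.token_bytes(32)   # provisioned to the user's app
    nonce = secrets.token_bytes(16)        # issued by the issuer per transaction
    amount, payee = 50_000, "merchant@upi"
    code = transaction_code(device_key, nonce, amount, payee)
    factors = [Factor("PIN", "knowledge", dynamic=False),
               Factor("app transaction code", "possession", dynamic=True)]
    return {
        "policy": satisfies_2fa(factors),
        "code_ok": verify_transaction_code(device_key, nonce, amount, payee, code),
        "tampered_amount": verify_transaction_code(device_key, nonce, amount + 1, payee, code),
        "step_up": step_up_required(amount, new_device=False, cross_border=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of binding the dynamic factor to the amount and payee is that a code phished out of the user cannot be replayed against a different transaction; a PIN plus a card number, both static, would pass a naive "two things" check but fails `satisfies_2fa`, which is the distinction the Directions draw.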
Why RBI Did This: Purpose & Background
- Curbing Fraud: Digital payment transactions have increased massively, and with them, fraud and phishing risks. Strengthening authentication is meant to reduce unauthorized access.
- Modernizing Payment Security: The regulation gives issuers flexibility in the choice of authentication methods beyond the usual SMS-based OTPs, which are exposed to SIM swapping, interception and phishing.
- Balancing Convenience & Security: By allowing risk-based checks, issuers can impose additional verification only when needed. For low-risk or small-value transactions, the friction should be minimal.
What It Means for Users, Banks & Fintechs
For Consumers / Users
- You will see more authentication steps in many digital payments, especially for cross-border or higher-risk transactions.
- Some methods other than OTP will become available (biometrics, hardware tokens etc.), which may improve convenience for some users.
- Lower fraud exposure, with better protection of money and data.
For Banks, NBFCs, Fintechs & Payment Providers
- Need to upgrade authentication technology and infrastructure.
- Must ensure that one of the authentication factors is dynamic per transaction. Static factors alone won’t be enough.
- Need to prepare for the cross-border CNP transaction rules by Oct 1, 2026.
- If they fail to comply, they may be liable for compensating customers in cases of loss due to non-compliance.
Timelines & Implementation
- April 1, 2026: Full compliance deadline for most provisions
- By October 1, 2026: For non-recurring cross-border card-not-present authentication requirements.
Challenges & Considerations
- Infrastructure Upgrade Costs: Banks & payment firms may need to invest in new authentication tools (biometric hardware, device tokens, etc.).
- User Experience: More steps may mean some friction; must balance security with usability.
- Exemption Management: Identifying which transactions qualify for exemptions (small value, recurring etc.) and applying rules correctly.
- Data Protection & Privacy: As more biometric data and behaviour/location data may be used, compliance with privacy laws like the Digital Personal Data Protection Act, 2023 will matter. (Moneylife)
Broader Implications
- This rule signals RBI’s increasing focus on safer digital payments as India becomes more digitally transacted.
- It may push more innovation in authentication technologies—biometrics, tokenisation, device security.
- Globally, this aligns India with international best practices in payment authentication.
- Users and fintechs that adapt well may gain trust and market share; those lagging behind may face regulatory or business challenges.
Conclusion
RBI's new rule for digital payments, mandating two-factor authentication from April 1, 2026, is a major shift toward a more secure transaction environment. It aims to reduce fraud, protect consumers, and modernize the payments ecosystem while still allowing issuers flexibility in how they authenticate.