
RBI mandates tougher authentication process for digital transactions 

The latest RBI directions are applicable to Payment System Providers, Payment System Participants (banks and non-banks) and all domestic digital payment transactions.


The Reserve Bank of India (RBI), to further secure digital payment transactions, has mandated the introduction of additional risk-based checks beyond the minimum two-factor authentication, leveraging technological advancements.

The RBI on Thursday (September 25, 2025) issued the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, which will come into force from April 1, 2026.

These directions will be applicable to all Payment System Providers, Payment System Participants (banks and non-banks) and all domestic digital payment transactions.

As per the directions, issuers must adopt additional risk-based checks based on the fraud risk perception of the underlying transaction.

They have been asked to facilitate interoperability and open access to technology. 

The directions call for mandating card issuers to validate Additional Factor of Authentication (AFA) in non-recurring cross-border Card Not Present (CNP) transactions whenever such a request is raised by the overseas merchant or acquirer.

Currently all digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor.

The directions provide the broad principles which will be complied with by all the participants in the payment chain, while using a form of authentication.

While these directions are applicable only to domestic transactions, to provide a similar level of safety for online international transactions undertaken using cards issued in India, the directions also incorporate necessary instructions for specific cross-border card transactions.

“It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction,” the RBI said.

The factor of authentication will be such that compromise of one factor would not affect reliability of the other.

“System Providers and System Participants will need to offer authentication or tokenisation service that is accessible to all the applications / token requestors functioning in that operating environment for all use cases / channels or token storage mechanisms,” it said.

Issuers may, in line with their internal risk management policies, identify transactions for evaluation against behavioural / contextual parameters such as transaction location, user behaviour patterns, device attributes, historical transaction profile, etc, it added. 

Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions, the regulator said.

“An issuer shall ensure the robustness and integrity of the authentication mechanism before deployment,” it said.

“If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur,” it said.

Issuers will ensure adherence to the provisions of Digital Personal Data Protection Act, 2023, it added. 

RBI had issued draft directions on Alternative Authentication Mechanisms for Digital Payment Transactions on July 31, 2024 and draft directions on introduction of AFA in cross-border CNP transactions on February 07, 2025, for stakeholder comments.

These directions have been issued after incorporating feedback from the public.
