RBI auto-debit rules explained: What new changes mean for your UPI and card payments

The Reserve Bank of India (RBI) has rolled out a revised Digital Payments — E-mandate Framework, 2026, introducing significant changes to how auto-debit transactions work across UPI, credit cards, debit cards, and prepaid instruments. The move comes amid rising digital payment usage and increasing concerns around fraud, with the central bank aiming to balance convenience with stronger user protection.

Auto-debit up to ₹15,000

One of the most important changes is the relaxation of authentication requirements for recurring payments. Under the new rules, transactions of up to ₹15,000 can now be processed automatically without requiring a one-time password (OTP) each time.

However, this convenience comes with a structured onboarding process. Users must first register a one-time e-mandate using Additional Factor Authentication (AFA) — such as OTP or PIN. Once approved, recurring payments within the ₹15,000 limit will be auto-debited seamlessly.

This applies to a wide range of payments, including:

• OTT subscriptions and DTH services
• Utility bills such as electricity, water, and internet
• EMIs and insurance premiums
• Mutual fund SIPs and recurring deposits

Higher limits

In a notable relaxation, the RBI has allowed certain categories of payments—such as insurance premiums, mutual fund investments, and credit card bill payments—to go up to ₹1 lakh without additional authentication, provided they are registered under an e-mandate. 

For all other transactions exceeding ₹15,000, OTP-based authentication will continue to be mandatory.

Pre-debit alerts

To improve transparency, the RBI has made it mandatory for banks and payment providers to send pre-debit notifications at least 24 hours before a transaction is processed. These alerts must include key details such as the amount, debit date, and merchant name.
This gives users a window to review, cancel, or modify the transaction before the money is debited. Customers can also choose their preferred mode of receiving these alerts, including SMS or email.
An exception has been made for automatic recharges of FASTag and National Common Mobility Card (NCMC), where pre-debit alerts are not mandatory.

 

Full control over mandates

The updated framework places strong emphasis on user control. Customers can view, modify, pause, or cancel e-mandates at any time through their bank or payment provider, using AFA authentication.

For variable payments—such as utility bills—users can set a maximum debit limit to avoid unexpected or excessive charges. Banks are also required to clearly disclose the validity period of mandates at the time of registration.

No extra charges 

The RBI has clarified that no charges can be levied on customers for enabling e-mandates, ensuring accessibility across user segments.

Additionally, post-transaction alerts are mandatory, along with proper grievance redressal mechanisms. Importantly, the central bank has extended its zero-liability protection to e-mandate transactions. This means customers will not bear losses from unauthorised debits if they report them promptly.

New norms for digital wallets

Alongside e-mandate changes, the RBI has also proposed revised rules for prepaid payment instruments (PPIs):

• General wallet balance capped at ₹2 lakh
• Monthly cash loading limit of ₹10,000
• Gift cards capped at ₹10,000
• Transit wallets capped at ₹3,000
• Banks may also be allowed to issue PPIs after notifying the Department of Payment and Settlement Systems (DPSS).

What it means for users

For consumers, the new rules bring a clear shift: fewer OTPs for small recurring payments, but greater visibility and control over every transaction. While the process becomes smoother for everyday payments, safeguards such as alerts, limits, and zero-liability protection ensure that security is not compromised. In essence, the RBI is pushing towards a more frictionless yet accountable digital payments ecosystem—one where convenience and consumer protection go hand in hand.