The Reserve Bank of India (RBI) on Thursday issued a comprehensive framework for strengthening authentication mechanisms in digital payment transactions. The guidelines, announced in a statement dated September 25, 2025, will come into effect from April 1, 2026, unless otherwise specified for certain provisions. The move comes amid rapid growth in India’s digital payments ecosystem, which has seen exponential adoption across UPI, card, and wallet-based platforms. With rising transaction volumes, ensuring robust security and user protection has become a priority for the central bank.
Mandatory two-factor authentication
Under the new rules, all digital payment transactions must use two-factor authentication (2FA). While the RBI has not mandated specific methods, the factors must come from at least two of three categories: something the user knows (such as a password or PIN), something the user has (such as a card, hardware token, or software token), and something the user is (biometric identifiers such as a fingerprint or Aadhaar-based verification).
Currently, most digital payments rely on SMS-based One Time Passwords (OTPs) as the additional factor. The RBI has clarified that going forward, at least one of the factors should be dynamically created, meaning it must be unique to each transaction and validated in real time.
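To make the "dynamically created" requirement concrete, here is an added illustration (not part of the article and not an RBI specification) of a dynamic factor that is unique to each transaction and validated in real time. The code is an HMAC over the payee, the amount and the current time step, derived from a per-user key held by the user's token; the key, the step length, the digit count and the transaction values are all constructed for the demo. The verifier shows why transaction binding matters: the same code is rejected when replayed, when the amount or payee changes, or after it expires.

```python
import hashlib
import hmac
import struct

# Constructed demo key: stands in for a per-user secret provisioned to the
# user's token (the "something the user has" factor). An assumption, not an RBI rule.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
STEP_SECONDS = 60      # a code is valid only for the time step it was made for (+/- window)
DIGITS = 6


def transaction_code(key: bytes, payee: str, amount_paise: int, step: int, digits: int = DIGITS) -> str:
    """Derive a code that commits to the payee, the amount and the time step.

    Because the transaction details are part of the MAC input, a code issued
    for one payment cannot be used to authorise a different one.
    """
    msg = f"{payee}|{amount_paise}".encode() + struct.pack(">Q", step)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation, HOTP style
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


class TransactionVerifier:
    """Server-side check: right transaction, right time step, never accepted twice."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window          # tolerate +/- one step of clock skew
        self.consumed = set()         # (payee, amount, step) tuples already accepted

    def verify(self, payee: str, amount_paise: int, presented: str, now: int) -> bool:
        step = now // STEP_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            expected = transaction_code(self.key, payee, amount_paise, candidate)
            if hmac.compare_digest(expected, presented):         # constant-time compare
                marker = (payee, amount_paise, candidate)
                if marker in self.consumed:
                    return False                                 # replay of an accepted code
                self.consumed.add(marker)
                return True
        return False


def demo() -> dict:
    """Run the cases a practitioner would check and return each outcome."""
    now = 1_700_000_000                                          # constructed fixed clock
    payee, amount = "merchant-42", 49_900                        # constructed: Rs 499.00
    code = transaction_code(DEMO_KEY, payee, amount, now // STEP_SECONDS)
    v = TransactionVerifier(DEMO_KEY)
    return {
        "correct": v.verify(payee, amount, code, now),                      # True
        "replayed": v.verify(payee, amount, code, now),                     # False: already used
        "amount_changed": v.verify(payee, amount + 50_000, code, now),      # False: bound to amount
        "payee_changed": v.verify("other-merchant", amount, code, now),     # False: bound to payee
        "expired": v.verify(payee, amount, code, now + 10 * STEP_SECONDS),  # False: stale step
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} accepted={accepted}")
```

The point of the design is that the second factor proves possession of the key *and* agreement on the specific payment; an SMS OTP that is the same six digits whatever the amount or payee does not give the second property.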
Risk-based authentication
In a significant shift, the RBI has asked issuers to adopt risk-based approaches for certain transactions. This means payment providers can flag and evaluate transactions against behavioural and contextual parameters, such as the user’s location, device details, or past transaction history.
“Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to,” the RBI said. The regulator also suggested that issuers explore the use of DigiLocker for notifications and confirmations in high-risk transactions.
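The risk-based approach described above can be illustrated with a small scoring function, added here as an example and not drawn from any issuer's or the RBI's rules. It scores a transaction against the behavioural and contextual signals the article names (device, location, past amounts, merchant history, and whether a cross-border transaction is card-not-present) and maps the score to one of three outcomes: the baseline 2FA, a step-up check beyond it, or decline with notification. The weights, thresholds, profile and transactions are all constructed; an issuer would tune them from its own fraud data.

```python
from dataclasses import dataclass


@dataclass
class Transaction:
    user_id: str
    amount_paise: int
    country: str            # where the transaction originates (ISO country code)
    device_id: str
    card_present: bool
    merchant_id: str


@dataclass
class UserProfile:
    """Behavioural baseline built from the user's history (constructed for the demo)."""
    home_country: str
    known_devices: set
    usual_amount_paise: int   # e.g. a high percentile of the user's past amounts
    seen_merchants: set


# Constructed weights and thresholds, not regulatory values.
THRESHOLD_STEP_UP = 40
THRESHOLD_DECLINE = 80


def risk_score(txn: Transaction, profile: UserProfile) -> tuple[int, list[str]]:
    """Add a weighted contribution for each contextual signal that deviates from the baseline."""
    score, reasons = 0, []
    if txn.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if txn.country != profile.home_country:
        score += 25
        reasons.append("outside home country")
        if not txn.card_present:
            score += 20
            reasons.append("cross-border card-not-present")
    if txn.amount_paise > 2 * profile.usual_amount_paise:
        score += 25
        reasons.append("amount well above usual")
    if txn.merchant_id not in profile.seen_merchants:
        score += 10
        reasons.append("first transaction with this merchant")
    return score, reasons


def decide(txn: Transaction, profile: UserProfile) -> dict:
    """Map the score to an authentication outcome; reasons are kept for audit and review."""
    score, reasons = risk_score(txn, profile)
    if score >= THRESHOLD_DECLINE:
        action = "decline_and_notify"
    elif score >= THRESHOLD_STEP_UP:
        action = "step_up"          # an extra check beyond 2FA, e.g. an out-of-band confirmation
    else:
        action = "baseline_2fa"
    return {"action": action, "score": score, "reasons": reasons}


def demo_cases() -> dict:
    """Three constructed transactions against one constructed profile."""
    profile = UserProfile(
        home_country="IN",
        known_devices={"dev-A"},
        usual_amount_paise=200_000,          # Rs 2,000
        seen_merchants={"grocer-1"},
    )
    routine = Transaction("u1", 150_000, "IN", "dev-A", True, "grocer-1")
    new_device_new_shop = Transaction("u1", 150_000, "IN", "dev-B", True, "cafe-7")
    foreign_cnp_large = Transaction("u1", 900_000, "GB", "dev-C", False, "shop-x")
    return {
        "routine": decide(routine, profile),                      # score 0  -> baseline_2fa
        "new_device_new_shop": decide(new_device_new_shop, profile),  # score 40 -> step_up
        "foreign_cnp_large": decide(foreign_cnp_large, profile),  # score 110 -> decline_and_notify
    }


if __name__ == "__main__":
    for name, outcome in demo_cases().items():
        print(name, outcome)
```

Keeping the reasons alongside the decision matters in practice: a step-up or decline that cannot be explained is hard to tune, hard to audit, and hard to contest for the customer.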
Cross-border transaction rules
The guidelines also address authentication in cross-border payments, which have been particularly vulnerable to fraud. While the rules will not apply to all cross-border digital transactions, the RBI has directed card issuers to implement risk-based mechanisms for handling cross-border card-not-present (CNP) transactions by October 1, 2026.
Issuers must also establish systems to validate non-recurring CNP transactions initiated by overseas merchants or acquirers. To ensure compliance, banks will be required to register their Bank Identification Numbers (BINs) with card networks.
Industry impact
Analysts say the move is expected to enhance consumer confidence in digital payments while aligning India’s payment security with global best practices. Payment companies, however, will need to upgrade infrastructure and processes to accommodate dynamic authentication and advanced risk checks.
The RBI’s latest step underscores its focus on balancing innovation with security in India’s booming digital economy.