Our Expert in India
No results available
On 21 April 2026, the Reserve Bank of India issued its consolidated Digital Payments – E‑Mandate Framework under the Payment and Settlement Systems Act, 2007, replacing a patchwork of circulars that had governed recurring digital payments since 2019. The new framework reshapes how every fintech, payment system provider (PSP) and merchant platform in India must handle enrollment, authentication and customer consent for recurring card, UPI, PPI and e‑NACH transactions. For in-house legal, compliance and product teams, the digital payments e-mandate India rulebook now demands a coordinated sprint across technology, contracts and audit infrastructure, and the window for implementation is tight. This article delivers the practical, step-by-step compliance checklist those teams need right now.
The RBI E‑Mandate Framework consolidates and supersedes earlier RBI circulars on e‑mandates issued between 2019 and 2024. It establishes a unified set of requirements for all entities involved in recurring digital payment flows, banks, payment aggregators, PSPs and merchants, with a particular emphasis on Additional Factor of Authentication (AFA), transparent consent capture and customer remediation rights. Simultaneously, the RBI’s authentication directions and digital-lending supplements from 2025–2026 introduce layered obligations that interact directly with the e‑mandate rules.
The primary compliance decision this article answers is: Does your organisation need to change its enrollment flows, authentication logic or commercial contracts for recurring payments, and if so, what must change, by when, and who bears the risk?
The immediate action list for fintechs, PSPs and platforms is as follows:
Every entity processing recurring payments in India must answer a single threshold question: Do we need to change enrollment, authentication or contracts for our recurring flows? In almost every case, the answer is yes. The decision tree below provides a structured path to the key actions required.
Industry observers expect that the organisations most at risk of enforcement action are those that treat the framework as a purely technical exercise. The practical reality is that legal, product and operations teams must work in concert, compliance is a three-legged stool, and any weak leg will invite regulatory scrutiny.
The Digital Payments – E‑Mandate Framework, 2026, issued on 21 April 2026, derives its authority from the Payment and Settlement Systems Act, 2007 (PSS Act). The PSS Act empowers the Reserve Bank to regulate and supervise payment systems operating in India, including the power to issue directions to payment system operators, participants and providers. The 2026 framework was issued as a Master Direction under Section 18 of the PSS Act, read with Section 10(2).
An e‑mandate, as defined in the framework, is a digital authorisation given by a customer to a payment system provider or merchant, permitting recurring debits from the customer’s account (bank account, card, UPI-linked account or PPI) for a specified purpose, amount ceiling and frequency. Additional Factor of Authentication (AFA) refers to an authentication step beyond the payment instrument itself, typically a one-time password (OTP), required at mandate registration and, depending on thresholds, at individual debits.
The framework repeals and consolidates earlier RBI circulars on e‑mandates issued between 2019 and 2024, creating a single, unified reference point for all recurring digital payments in India.
The framework applies broadly across the payments ecosystem. The following entities are directly covered:
Under the RBI E‑Mandate Framework, AFA is mandatory at the point of e‑mandate registration for all payment channels and all transaction amounts. This means every customer must complete OTP or equivalent authentication when first authorising a recurring payment, regardless of whether the recurring amount is ₹500 or ₹50,000.
The more nuanced question is when AFA is required for subsequent individual debits under an existing mandate. The framework establishes a tiered approach tied to the per-transaction amount and the payment channel:
| Payment Channel | AFA Threshold for Subsequent Debits | Practical Implication |
|---|---|---|
| Cards (credit/debit) | ₹15,000 per transaction | Recurring debits at or below ₹15,000 proceed without per-transaction OTP; debits above ₹15,000 require AFA |
| UPI (e‑mandate via NPCI) | ₹15,000 general; ₹1,00,000 for specified categories | UPI mandates for specified categories (subscription services, insurance premiums, mutual fund SIPs) benefit from the higher ₹1 lakh threshold; all others follow the ₹15,000 rule |
| PPI (wallets) | ₹15,000 per transaction | Same logic as cards, per-debit AFA only triggered above ₹15,000 |
| e‑NACH (bank debit mandates) | ₹15,000 per transaction | Bank-side NACH flows follow the general threshold; banks must send pre-debit notification regardless |
For all channels, the payment system provider must send a pre-debit notification to the customer at least 24 hours before the scheduled debit date, disclosing the amount, date and merchant name. The customer must have the ability to opt out, modify or cancel the mandate at any time without charge.
The framework took effect on 21 April 2026. Industry observers note that the RBI has historically permitted a transition window for technical implementation following the issuance of such directions. Entities already compliant with the earlier e‑mandate circulars from 2019–2024 will find that most enrollment and authentication flows require refinement rather than wholesale replacement, but the new consolidated requirements for evidence retention and consumer remediation are net-new obligations for many organisations.
Product and compliance teams should treat the first 90 days following the framework’s effective date as the critical implementation sprint, aligning with the action list set out in the Executive Summary above.
The framework’s AFA thresholds apply to the general category of recurring payments. The ₹1,00,000 elevated threshold for UPI e‑mandates applies only to three specified categories, subscription services, insurance premium payments and mutual fund SIP contributions, and does not extend to EMI or loan repayments. Early indications suggest that EMIs and loan repayments continue to be governed by the standard ₹15,000 threshold, meaning that any loan EMI above ₹15,000 will require per-debit AFA. Lenders and RBI digital lending 2026 compliance teams must factor this into product design, as the practical effect is that most home loan, auto loan and personal loan EMIs will trigger per-debit OTP requirements.
Card-based recurring payments have been subject to e‑mandate rules since 2019, but the 2026 framework introduces additional requirements for consent record-keeping and cancellation flows.
UPI e‑mandate implementation involves interaction with NPCI’s UPI infrastructure and the customer’s UPI-linked PSP application.
PPI-based recurring payments are a newer use case and require careful attention to the digital payments e-mandate India rules.
e‑NACH (Electronic National Automated Clearing House) mandates represent the traditional bank-debit route and remain widely used for insurance premiums, SIPs and utility payments.
The E‑Mandate Framework places obligations across the payments chain, but the allocation of responsibility between banks, aggregators, PSPs and merchants is ultimately governed by contract. Payment aggregator obligations in India now require explicit contractual terms addressing AFA, evidence retention and remediation. The table below summarises obligations by entity type:
| Entity Type | Key Obligations Under E‑Mandate | Practical Steps (Contract/Ops) |
|---|---|---|
| Banks / Issuers | Verify enrollment, execute AFA, store authentication evidence, facilitate customer cancellations and remediation | Update APIs to support revised enrollment flows; retain consent artifacts for prescribed period; include SLA commitments in agreements with PSPs and aggregators |
| Payment Aggregators / PSPs | Ensure compliant enrollment UX, route AFA requests to issuer, maintain transaction and consent logs, conduct merchant onboarding checks | Update merchant T&Cs; insert AFA responsibility clauses in vendor SLAs; implement reconciliation and evidence-retrieval workflows |
| Merchants / Platforms | Collect valid customer consent, support mandate modification and cancellation without charge, respond to disputes within prescribed timelines | Update checkout UX and subscription management pages; build cancellation flows; train customer support teams on complaint resolution |
The following four clause templates address the most critical contractual gaps created by the framework. These should be adapted to each organisation’s specific risk profile and commercial context.
Compliance with the RBI E‑Mandate Framework requires robust evidence infrastructure. At a minimum, organisations must retain the following data elements for every recurring payment mandate:
| Evidence Type | Minimum Retention Period | Who Stores It |
|---|---|---|
| Mandate registration and consent artifact | 10 years from last transaction | Issuing bank and PSP/PA jointly |
| AFA event logs (OTP delivery and verification) | 10 years from last transaction | Issuing bank (primary); PSP (mirror copy) |
| Pre-debit notification delivery records | 10 years from last transaction | PSP or PA (whichever sends the notification) |
| Transaction debit/credit records | 10 years from transaction date | Issuing bank, acquiring bank and PA |
| Modification and cancellation records | 10 years from event date | Issuing bank and PSP/PA jointly |
| Customer complaint and remediation records | 8 years from resolution date | Entity that resolved the complaint |
Organisations should designate a single internal owner (typically the Chief Compliance Officer or Head of Payments Compliance) responsible for producing evidence within 48 hours of a regulatory request. Consumer remediation under the framework requires that any unauthorised or disputed recurring debit be reversed within the timelines prescribed by the RBI’s Integrated Ombudsman Scheme. Product teams must build automated reversal workflows that can be triggered without manual intervention when a complaint meets defined criteria.
The fintech compliance checklist for India must include a clear internal owner matrix for regulatory interactions. The framework requires entities to report material incidents, including systemic AFA failures, data breaches affecting mandate records, or large-scale customer complaints, to the RBI’s Department of Payment and Settlement Systems.
| Regulatory Query Type | Internal Owner | Response Timeline |
|---|---|---|
| RBI inspection or audit request | Chief Compliance Officer | 48 hours for document production |
| Customer complaint (Ombudsman referral) | Head of Customer Grievance Redressal | 30 days from receipt per Ombudsman Scheme |
| Systemic incident (AFA failure, data breach) | CISO + Chief Compliance Officer | Immediate notification to RBI; written report within 24 hours |
| Mandate-related dispute (bank-to-PSP) | Head of Payments Operations | Per SLA (recommend 5 business days) |
The following payment system provider checklist organises the critical workstreams by team and timeline:
The RBI’s 2026 E‑Mandate Framework is not merely a technical update, it is a structural reset of how recurring digital payments must be authorised, evidenced and governed across India’s payments ecosystem. For fintechs, PSPs and platforms, the compliance imperative spans product engineering, commercial contracts and audit infrastructure in equal measure. Organisations that treat digital payments e-mandate India compliance as a coordinated, cross-functional programme, rather than a siloed engineering task, will be best positioned to avoid enforcement risk and to build the trust-based recurring revenue models that India’s digital economy demands.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Siddharth Mahajan at Athena Legal Advocates & Solicitors, a member of the Global Law Experts network.
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
posted 3 hours ago
posted 4 hours ago
posted 4 hours ago
posted 4 hours ago
posted 4 hours ago
posted 5 hours ago
posted 6 hours ago
posted 7 hours ago
posted 8 hours ago
No results available
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message