Our Expert in India
Updated: May 11, 2026
The Reserve Bank of India’s Authentication Mechanisms for Digital Payment Transactions Directions, issued on 25 September 2025, have fundamentally reset the security baseline for every domestic digital payment channel, UPI, cards, wallets and net‑banking alike. Under these directions, RBI two factor authentication India requirements became enforceable on 1 April 2026, mandating a minimum of two distinct authentication factors for every covered transaction and rendering single‑OTP flows non‑compliant in most scenarios. In parallel, the RBI’s new banking rules for April 2026 introduced a digital fraud compensation framework that shifts liability squarely onto issuers and payment system participants who fail to meet the prescribed security standards.
This guide provides the operational compliance playbook that general counsel, compliance heads, CTOs and vendor‑procurement leads at banks and fintechs need to navigate these changes, covering checklists, contract clause templates, liability matrices and regulatory‑reporting timelines.
The April 2026 package imposes three categories of obligation on regulated entities. First, every domestic digital payment must be authenticated using at least two factors drawn from separate categories, something the customer knows, something the customer has, or something the customer is. Second, authentication must be dynamically linked to the specific transaction, meaning static credentials alone no longer suffice. Third, banks and payment system participants bear primary liability for fraud losses where the mandated authentication was not correctly applied.
For compliance and legal teams, the immediate decisions are:
The Authentication Mechanisms for Digital Payment Transactions Directions, 2025, issued under RBI circular reference CO.DPSS.POLC.No.S‑668/02‑14‑015/2025‑2026, apply to all domestic digital payment transactions processed through systems authorised under the Payment and Settlement Systems Act, 2007. The directions require every regulated entity, banks, non‑banking financial companies (NBFCs), prepaid payment instrument (PPI) issuers, and authorised payment system operators, to authenticate digital payment transactions using a minimum of two distinct factors before authorising the transaction.
The first factor must consist of customer credentials (typically something the user knows, such as a PIN or password). The second factor must come from a different category: either “something the user has” (such as a registered device, hardware token or possession‑based OTP) or “something the user is” (biometric verification). Critically, the second factor must be dynamically generated or verified in a manner linked to the specific transaction, amount, payee, and timestamp, rather than being a reusable static credential.
The compliance deadline was 1 April 2026. Entities that had not implemented compliant two‑factor authentication by that date face supervisory action under the Payment and Settlement Systems Act, 2007, and may bear enhanced liability for fraud losses occurring on non‑compliant channels.
The directions apply broadly across the digital payment ecosystem in India:
Cross‑border inbound transactions (where the issuer is outside India) are excluded from the AFA mandate, though industry observers expect RBI to extend similar requirements to such transactions in future revisions.
The RBI has not removed two‑factor authentication, contrary to some consumer‑press headlines. What has changed is that the updated e‑mandate framework permits recurring transactions, such as SIP debits, insurance premiums and subscription payments, to be processed without Additional Factor Authentication (AFA) at the time of each recurring debit, provided the transaction amount does not exceed ₹15,000 per transaction and the customer has given a one‑time authenticated e‑mandate registration. The initial mandate registration itself must use full two‑factor authentication. Fintech compliance India teams should map all recurring‑payment product flows against this threshold and ensure the e‑mandate registration capture includes compliant AFA.
The RBI’s directions organise acceptable authentication into three factor categories. Each digital payment must use factors from at least two of these categories. The following table summarises the practical options:
| Factor Category | Examples Accepted by RBI | Security / Friction / Complexity |
|---|---|---|
| Something the user knows | PIN, password, passphrase, pattern lock (if cryptographically stored) | Low implementation complexity; moderate security; low user friction when combined with device binding |
| Something the user has | Registered mobile device (device binding / token), hardware security key, SIM‑based OTP on registered number, app‑generated TOTP | Medium to high security; moderate friction (OTP delays possible); medium implementation complexity for device‑binding; high for hardware tokens |
| Something the user is | Fingerprint, iris scan, facial recognition (on‑device or server‑side), voice biometric | High security; low user friction (seamless); high implementation complexity (liveness detection, accessibility fallback required) |
A single OTP delivered to a registered mobile number counts as “something the user has” only when combined with a separate first factor (e.g., a PIN or password). OTP alone, without a distinct first factor from another category, is no longer sufficient to satisfy the directions for most transaction types. The RBI’s emphasis on transaction‑linked dynamic authentication means that the second factor should be cryptographically bound to the transaction parameters (amount, payee, timestamp), reducing the risk of replay attacks and social‑engineering interception.
UPI transactions have historically relied on a combination of device binding (registered mobile) and UPI PIN. Under the new directions, this combination remains compliant, device binding constitutes “something the user has” and UPI PIN constitutes “something the user knows.” Third‑party application providers (TPAPs) must ensure their onboarding flows include robust device‑binding verification and that UPI PIN entry is rendered in a secure, isolated environment. For UPI Lite (small‑value offline transactions), the RBI has permitted relaxed authentication subject to per‑transaction and cumulative‑balance caps.
For card‑not‑present (CNP) transactions, the historical 3D Secure + OTP model must now include a first factor (such as a card PIN, password or in‑app authentication) before the OTP is triggered. PPI (wallet) issuers must implement two‑factor authentication for all outward fund transfers and merchant payments above the small‑value thresholds specified in PPI master directions. Net‑banking platforms must move beyond single‑password access, pairing passwords with device‑registered tokens or biometric challenges for transaction approval.
The following checklist translates the regulatory text into concrete operational tasks. Compliance leads should adapt timelines based on institutional scale, but the structure applies to all entities within scope.
Board‑level or management‑committee ratification is the first governance step. Institutions should update their IT security policy, digital payment policy and fraud management policy to expressly reference the Authentication Directions. The designated compliance officer should be notified to the RBI as the point of contact for supervisory queries relating to AFA implementation.
Engineering teams must map every payment flow, customer‑initiated and merchant‑initiated, and identify where authentication occurs in the transaction lifecycle. Each flow requires a documented authentication matrix showing which two factors are applied and how the second factor is bound to the transaction. System integration testing (SIT) and user acceptance testing (UAT) should simulate both compliant and non‑compliant scenarios, including fallback paths for authentication failures (e.g., biometric sensor failure routing to OTP + PIN).
The directions implicitly require that authentication events be logged with sufficient granularity to support fraud investigations and regulatory audits. Logs should capture: timestamp, factor type used, transaction reference, device identifier, IP address (where applicable), and authentication outcome. Incident response playbooks should be updated to include scenarios where authentication is bypassed, spoofed or fails silently.
| Task | Owner | Deadline | Evidence Required |
|---|---|---|---|
| Gap analysis of all payment flows against two‑factor requirement | Head of Digital Payments / CTO | Immediate (completed by May 2026) | Flow‑by‑flow authentication mapping document |
| Update board‑approved IT security and digital payment policies | CISO / Compliance Officer | 30 days | Board resolution / committee minutes |
| Amend PSP, PA and merchant contracts | Legal / Procurement | 60 days | Executed amendment letters or addenda |
| Deploy transaction‑linked dynamic authentication in production | CTO / Engineering Lead | 90 days (if not already live) | SIT/UAT sign‑off; production deployment records |
| Update customer‑facing disclosures and FAQs | Product / Legal | 30 days | Published disclosure documents; app/web change logs |
| Implement authentication event logging and monitoring dashboards | CISO / IT Operations | 60 days | Log schema documentation; dashboard screenshots |
| Establish fraud claims triage and compensation workflow | Head of Operations / Compliance | 60 days | SOP document; claims tracker template |
| Conduct penetration test and third‑party security audit | CISO | 6 months | Audit report; remediation tracker |
| File board compliance report on AFA metrics | Compliance Officer | 6 months | Board report with KPIs (auth success rates, fraud rates, claims data) |
Contractual infrastructure is the enforcement layer for AFA compliance. Every agreement between a bank or NBFC and its PSPs, payment aggregators, technology vendors and acquiring merchants must be reviewed and, in most cases, amended to reflect the Authentication Directions. The key contractual priorities are: allocation of liability for authentication failures, mandatory security standards, change‑control provisions that allow the bank to require upgrades when RBI issues new guidance, and audit rights.
The following illustrative clauses are intended as starting points. Legal teams should adapt language to their institution’s contracting standards and risk appetite.
| Clause Purpose | Example Language | Negotiation Point |
|---|---|---|
| Security and standards compliance | “The Vendor shall ensure that all payment authentication services provided under this Agreement comply with the RBI Authentication Mechanisms for Digital Payment Transactions Directions, 2025, as amended from time to time, including the requirement for a minimum of two distinct authentication factors dynamically linked to each transaction.” | Vendors may push to limit obligation to “commercially reasonable efforts”, resist this; compliance is binary, not best‑efforts. |
| Indemnity and liability allocation | “The Vendor shall indemnify and hold harmless the Bank against all losses, claims, penalties and regulatory fines arising from the Vendor’s failure to implement or maintain authentication mechanisms that meet the standards prescribed by RBI, including any liability under the digital fraud compensation framework.” | Negotiate carve‑outs for losses caused solely by the Bank’s own system failures or customer negligence; ensure mutual indemnity where appropriate. |
| Change control for AFA updates | “Upon issuance of any amendment, circular or guidance by RBI relating to authentication standards, the Vendor shall implement such changes within [60] days of notification by the Bank, at no additional cost to the Bank, unless the change requires material new development, in which case the parties shall negotiate in good faith.” | The timeline (60 days) is negotiable; vendors may seek 90–120 days for material changes. Include a mechanism for interim risk mitigation during the implementation window. |
Banks and PAs acting as acquirers should update merchant onboarding agreements to require merchants to support authentication redirects (e.g., 3DS 2.0 challenges, in‑app authentication callbacks) without friction‑reducing workarounds that bypass the second factor. Consumer disclosures should clearly explain: what two‑factor authentication is, why an additional step may appear during checkout, how to report failed or suspicious authentication prompts, and the customer’s rights under the fraud compensation framework. This disclosure language serves a dual purpose, consumer protection and a liability defence if a dispute arises over whether the customer was adequately informed.
The digital fraud compensation framework introduced alongside the AFA mandate creates a structured liability regime. Where a customer suffers a loss due to an unauthorised digital payment transaction, the issuing bank or PPI issuer bears the initial liability unless it can demonstrate that the customer was at fault (e.g., shared credentials voluntarily, delayed reporting beyond the prescribed window). The framework operates as follows:
Compliance teams should establish a structured triage process for every fraud claim:
| Entity Type | Reporting Obligations | Potential Liability Exposure |
|---|---|---|
| Issuing bank / NBFC | Customer complaint acknowledgment within defined timeline; investigation completion; provisional credit; regulatory incident reporting to RBI if systemic | Full transaction value if authentication was non‑compliant or if customer reported within prescribed window and was not negligent; plus regulatory penalties |
| Payment aggregator / PSP | Cooperate with issuer investigation; provide transaction and authentication logs; report merchant‑side failures | Contractual indemnity to issuer; potential direct regulatory action if PA licence conditions are breached |
| Merchant | Cooperate with chargeback and investigation process; maintain transaction records | Chargeback liability; contractual penalties under acquirer agreement; reputational risk |
Non‑compliance with the Authentication Directions exposes entities to supervisory action under the Payment and Settlement Systems Act, 2007, which includes the power to impose monetary penalties, issue directions to cease and desist, and revoke authorisations. The practical enforcement risk extends beyond penalties: a bank or fintech that cannot demonstrate compliant two‑factor authentication at the time of a disputed transaction will face an uphill battle in any fraud‑compensation dispute and before the RBI Ombudsman.
Entities must reconcile their AFA obligations with related regulatory frameworks, the Information Technology Act, 2000 (for data security and breach notification), the Digital Personal Data Protection Act, 2023 (for biometric and device data processing), and consumer protection legislation (for transparency and fair treatment). A fintech compliance India programme should treat AFA as one component of an integrated compliance architecture rather than a standalone project.
Routine authentication failures (individual transaction declines, customer lockouts) are handled internally. Notification to RBI is required when: a systemic authentication failure affects multiple customers or channels; a security breach compromises the integrity of the authentication mechanism itself; or a pattern of fraud suggests that the authentication system has been circumvented. The notification should be directed to the Department of Payment and Settlement Systems (DPSS) through the entity’s designated compliance officer, with a preliminary incident report followed by a detailed root‑cause analysis.
The following phased timeline consolidates the regulatory milestones and operational deadlines discussed above:
| Date / Phase | Measure | Practical Action Required |
|---|---|---|
| 25 September 2025 | RBI Authentication Directions issued | Begin architecture review, vendor scoping and legal analysis |
| 1 April 2026 | Enforcement / compliance deadline for AFA | All domestic digital payment flows must use compliant two‑factor authentication in production |
| April–May 2026 | Digital fraud compensation framework effective | Implement claims handling process, provisional credit workflow and reserve policy |
| June 2026 (Immediate + 60 days) | Contract amendments deadline (internal target) | Execute PSP, PA and merchant contract addenda; complete customer disclosure updates |
| October 2026 (6 months) | Post‑deployment audit | Third‑party penetration test; board compliance report; reconcile fraud‑claims data |
Hypothetical scenario: A mid‑sized private bank processes a ₹50,000 card‑not‑present transaction using only a single OTP (no first‑factor PIN or password). The customer disputes the transaction, reporting within two days that they did not authorise it. Because the bank’s authentication was non‑compliant, only one factor was used, the bank bears full liability under the fraud compensation framework and cannot shift responsibility to the customer. Industry observers expect that the bank would also face potential supervisory scrutiny if the issue reflects a systemic configuration error rather than an isolated incident. Had the bank deployed compliant two‑factor authentication, the liability analysis would shift to whether the customer was negligent (e. g.
, shared both PIN and OTP with a fraudster), providing the bank with a viable defence.
The RBI two factor authentication India mandate and the accompanying fraud compensation framework are now in force. Institutions that have not completed full compliance face immediate liability and supervisory risk. For banks, NBFCs and fintechs seeking specialist assistance, including compliance audits, contract‑revision packages and operational workshops, Global Law Experts’ India lawyer directory connects you with Banking & Finance practitioners experienced in RBI regulatory compliance.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Debashree Dutta at Vritti Law Partners, a member of the Global Law Experts network.
posted 20 minutes ago
posted 20 minutes ago
posted 43 minutes ago
posted 44 minutes ago
posted 1 hour ago
posted 1 hour ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message