ARTICLE
9 January 2026

Understanding RBI (Authentication Mechanisms For Digital Payment Transactions) Directions, 2025: Obligations For Banks, NBFCs And Payment Providers

AK & Partners

Contributor

AK & Partners is a full-service law firm, whose expertise spans diverse practice areas, including Banking and Finance, Dispute Resolution, Transaction Advisory and Funds, Data Privacy, Tax, and regulatory compliance. Our services are offered across different legal forums and jurisdictions, including the USA, the UK, Singapore, Italy, Spain, Sri Lanka, etc.

Introduction

With the rapid growth of digital payments in India, safeguarding transactions has become one of our top priorities. On September 25, 2025, the Reserve Bank of India (“RBI”) introduced new guidelines - RBI (Authentication mechanisms for digital payment transactions) Directions, 2025 (“Directions 2025”) for authentication mechanisms for digital payment transactions.

From April 1, 2026, all Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with Directions 2025, unless indicated otherwise for any specific provision in India[1]. That means that, from the effective date, two-factor authentication will be compulsory for all digital payment transactions in India. Earlier, two authentication factors were used, but they were not mandatory. Although the Directions 2025 do not focus on any specific authentication method, SMS based One-time password (“OTP”)[2] has become the most used option.

The Directions 2025 offer a more flexible approach by not specifying any one authentication method. This means banks and non-bank entities can choose other authentication methods that improve both security and users' convenience. Directions 2025 mainly apply to digital payment transactions in India. However, card issuers shall put in place a mechanism to validate non-recurring, cross-border card not present (“CNP”) transactions (a cross-border transaction where the card and acceptance infrastructure are not present in proximity while making the transaction[3]), where the authentication request is raised by an overseas merchant or acquirer. To ensure compliance, card issuers shall register their Bank Identification Numbers (“BINs”) with card networks.[4]

Background

On February 8, 2024, the RBI, through its Statement on Developmental and Regulatory Policies, announced its intention to introduce a principle-based framework for the authentication of digital payment transactions[5]. For several years, the RBI has prioritised the security of digital payments, in particular the requirement of an Additional Factor of Authentication (“AFA”). Though the RBI has not prescribed any particular AFA, the payments ecosystem has largely relied on SMS based OTP as the default option. However, with the advancement in technology, alternative authentication mechanisms have emerged in recent years. To enable wider adoption of these alternatives for digital security, the RBI proposed to adopt a principle-based “Framework for authentication of digital payment transactions”[6]. The present Directions 2025 are a step forward in implementing this vision, offering greater transparency and flexibility to banks and non-bank entities while maintaining a strong security baseline.

Key Provisions of the Directions 2025

  1. Coverage of Entities: These Directions 2025 are issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems (“PSS”) Act, 2007 (Act 51 of 2007). Directions 2025 provide the broad principles which shall be complied with by all participants in the payment chain while using a form of authentication. These Directions 2025 shall apply to all Payment System Providers, Payment System Participants (banks and non-banks) and all domestic digital payment transactions[7], unless a specific exemption is provided by the RBI. By covering the entire ecosystem, the RBI has ensured that security standards are applied consistently across the payment sectors.
  2. Core Authentication Principles: The RBI has laid down a set of basic rules that all payment service providers and participants must follow when verifying a digital payment. These rules ensure that the authentication process is strong, reliable and secure across all platforms.
    1. Minimum two factors of Authentication: All digital payment transactions shall be authenticated by at least two distinct factors of authentication[8], unless exempted. Factors of authentication include the credentials of customers, which are used for authentication. The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter alia, password, SMS based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based)[9]. Existing exemptions from the requirement of at least two factors of authentication are small-value Contactless Card transactions, recurring transactions (other than the first) under the e-mandate framework, select Prepaid Instruments such as PPI-MTS (Prepaid Payment Instruments Mass Transit Systems[10]) and Gift PPIs (value of prepaid gift instrument)[11], NETC (National Electronic Toll Collection)[12] transactions, small-value digital payments in offline mode and travel booking involving Global Distribution System/IATA through commercial/corporate cards[13].
    2. One factor must be Dynamic: For all digital payment transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction[14]. This means the factor should change each time, as with an OTP or a one-time biometric confirmation, so that it cannot be reused or stolen for another transaction. The process is made a little more difficult in order to provide strict security for all digital payment transactions.
    3. Robust and Independent Factors: The authentication step must be strong enough so that if one factor is compromised, the other factor remains safe and reliable[15]. This added layer of authentication provides extra security to safeguard the user from any attack.
  3. Interoperability / Open Access: All payment system providers and system participants must ensure that the authentication and tokenisation service can be accessed by all the applicants and token requestors[16] operating in the same environment. This means that users and service providers should be able to use these services across different devices, platforms, and channels. The operating environment refers to factors like the device hardware, operating system, etc.[17]
  4. Risk-based approach: The issuer can assess the risk level of each transaction based on factors such as the location of transactions, the user's usual behaviour, the device being used, and past transaction history[18]. This allows them to apply extra security checks beyond the minimum two-factor authentication[19], especially when a transaction seems unusual or high risk. For example, if a transaction appears suspicious, the issuer may ask for additional verification before approving it. Issuers can also consider using platforms like DigiLocker to send notifications or confirm high-risk transactions, adding another layer of security to their payment system.
  5. Responsibility of the issuer: The issuer, such as a bank or non-bank entity, should make sure that its authentication system is strong and secure before deployment. If a customer suffers a loss because a transaction was processed in disregard of these rules, then the issuer is responsible for compensating the customer fully without raising any objections. Additionally, issuers must ensure that their systems and processes comply with the Digital Personal Data Protection Act, 2023[20], protecting the personal data of their customers.
  6. Cross-border transactions: The directions described above do not apply to cross-border digital payment transactions. However, card issuers shall, by October 1, 2026, put in place a mechanism to validate non-recurring CNP transactions, where an authentication request is raised by an overseas merchant or acquirer. To ensure compliance, card issuers shall register their BINs with card networks[21]. In addition, card issuers are required to implement a risk-based system for managing all cross-border CNP transactions[22] by the same date. This means they should assess the risk for each transaction and apply extra checks, when necessary, to keep international payments safe.

Impact on Payment System Providers and Payment System Participants

As the industry adapts to these new guidelines, several key shifts are expected:

  • System Upgrades and Innovation: Banks and non-bank entities will need to enhance their technical infrastructure to align with the risk-based and dynamic authentication mechanisms. This will likely accelerate innovation in authentication technologies and foster more robust digital ecosystems.
  • Operational Investments: Implementing advanced authentication systems and maintaining strong risk-based checks will require strategic investments. While this may increase operational costs, it also opens opportunities for service providers to differentiate themselves through enhanced security and reliability.
  • User Experience Evolution: The introduction of more rigorous checks may introduce some friction in the short term, but it is expected to lead to a more secure and trustworthy user experience in the long run. The industry will likely focus on balancing security with seamlessness to maintain customer satisfaction.
  • Cross-Border Payment Enhancements: While domestic transactions are well-covered under the new framework, the industry will need to collaborate on strengthening cross-border payment mechanisms. This presents an opportunity for innovation in global payment security and interoperability.
  • Cybersecurity and Adoption Challenges: As issuers adopt newer authentication methods, they may encounter technical and cybersecurity challenges. However, this will also drive the industry toward more resilient systems and better user education, ultimately enhancing digital trust.

Way Forward

The Directions 2025 aim to increase the security, flexibility, and reliability of digital payments in India, for both customers and issuers. By introducing a principle-based approach, mandating at least two-factor authentication, supporting dynamic and risk-based checks and ensuring interoperability across digital payment transactions, these rules strengthen the safety of both domestic and cross-border digital payment transactions. While there may be challenges in implementation and costs for issuers, the framework provides a year to adopt new technologies and improve customer experience without compromising security. Overall, these directions represent a major step forward taken by the RBI in building a safer digital payments environment in India.

Footnotes

1. Paragraph 3, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

2. Paragraph 1, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

3. Paragraph 5(b), Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

4. Paragraph 10 (a), Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

5. Statement 5, Statement on Developmental and Regulatory Policies, February 08, 2024.

6. Statement 5, Statement on Developmental and Regulatory Policies, February 08, 2024.

7. Paragraph 4, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

8. Paragraph 6(a), Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

9. Paragraph 5 I (f), Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

10. Paragraph 10.2, Reserve Bank of India Master Directions on Prepaid Payment Instruments, 2021, dated August 27, 2024.

11. Paragraph 10.1, Reserve Bank of India Master Directions on Prepaid Payment Instruments, 2021, dated August 27, 2024.

12. Paragraph 15.3 (f), Reserve Bank of India Master Directions on Prepaid Payment Instruments, 2021, dated August 27, 2024.

13. Annexure-1, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

14. Paragraph 6(b), Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

15. Paragraph 6(c), Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

16. Paragraph 7, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

17. Paragraph 7(i), Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

18. Paragraph 8, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

19. Paragraph 8, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

20. Paragraph 9, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

21. Paragraph 10, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.

22. Paragraph 10, Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025.
