RBI's New Rules: BIG Changes From April 1 for OTP, Cards, Online Payments


April 01, 2026 15:34 IST


From April 1, 2026, the Reserve Bank of India's new authentication directions modernise how every digital payment you make is verified and place the burden of security squarely on your bank, not on you.

Why Your OTP Alone Can No Longer Protect You

Illustrations: Dominic Xavier/Rediff

Every time you pay a bill on your bank's app, transfer money via UPI or shop online with your debit card, something invisible happens before the money moves.

Your bank asks a question: Is this really you?

The process of answering that question is called authentication, and for well over a decade India's digital payments ecosystem had converged on one dominant answer -- the SMS-based one-time password, or OTP.

That answer is no longer sufficient on its own.

Key Points

  • RBI now mandates at least two independent authentication factors for all digital payments, at least one of them dynamic, marking a structural shift in security norms.
  • OTP-based verification is no longer sufficient by itself; the RBI pushes for biometrics, device-based authentication and real-time confirmation systems.
  • Banks can deploy risk-based systems analysing behaviour, device and transaction patterns to trigger additional security checks when required.
  • If fraud occurs due to non-compliance, banks must compensate customers fully without dispute, shifting liability firmly onto institutions.
  • The new rules apply from April 1, 2026, with a separate October 1, 2026, deadline for securing international card-not-present transactions.

RBI authentication rules explained

The Reserve Bank of India has published the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, bringing into force a principled upgrade to how all domestic digital payments must be secured.

All Payment System Providers and Payment System Participants -- including banks and non-bank entities -- must ensure compliance with these directions by April 1, 2026.


Why the OTP era is ending

The story of this reform begins not in September 2025 when the final directions were issued but in February 2024, when the RBI first publicly diagnosed the problem.

In its Statement on Developmental and Regulatory Policies dated February 8, 2024, the RBI acknowledged that, while it had not prescribed any particular additional factor of authentication, the payments ecosystem had largely adopted the SMS-based OTP. With innovations in technology, it noted, alternative authentication mechanisms had since emerged.

To facilitate their use, the RBI proposed adopting a principle-based framework for authentication of digital payment transactions.

Then, a year later, the RBI extended its concern beyond India's borders.

In its Statement on Developmental and Regulatory Policies dated February 7, 2025, the RBI noted that increased instances of fraud in digital payments were a significant concern and proposed enabling an Additional Factor of Authentication for international card-not-present transactions -- in order to provide a similar level of safety for online international transactions using cards issued in India.

The trajectory was clear: The OTP-only era had run its course.

Two-factor authentication mandate

The directions are issued under Section 18, read with Section 10(2) of the Payment and Settlement Systems Act, 2007, and apply to all domestic digital payment transactions, unless specifically exempted.

Three binding principles sit at the heart of the framework.

1. A minimum of two factors for authentication

All digital payment transactions must be authenticated using at least two distinct factors.

These factors may come from three categories: something the user has (such as a card, hardware token or software token), something the user knows (such as a password, PIN or passphrase) or something the user is (such as a fingerprint or any other biometric, whether device-native or Aadhaar-based).

Issuers may, at their discretion, offer customers a choice of authentication factors in compliance with these directions.

2. At least one factor must be dynamic

This is the structural upgrade at the heart of the reform.

For digital payment transactions other than card-present transactions, at least one of the factors of authentication must be dynamically created or proven -- meaning the proof of possession of that factor, as transmitted during the transaction, must be unique to that specific transaction.

A live biometric scan, a cryptographic key generated by your device or a real-time app-based confirmation all qualify.

A reusable static password does not.

3. The two factors must be independent

The factors of authentication must be such that the compromise of one factor does not affect the reliability of the other.

Even if a fraudster obtains one credential, they cannot automatically breach the second.

Risk-based payment security system

The new framework goes beyond mechanical compliance.

Issuers may, in line with their internal risk management policies, identify transactions for evaluation against behavioural and contextual parameters -- including transaction location, user behaviour patterns, device attributes and historical transaction profile.

Based on the perceived risk, additional checks beyond the minimum two-factor authentication may be applied.

Issuers may also explore using DigiLocker as a platform for notification and confirmation of high-risk transactions.

What this means in practice: A routine payment from your registered device, at your usual time, to a familiar merchant may proceed smoothly.

An unusual transaction -- a large transfer from an unfamiliar location -- could trigger additional verification.

The system is designed to be proportionate, not merely procedural.
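The three principles above and the risk-based step-up can be expressed as a small policy check. This is an added illustration, not the RBI's or any bank's code; the customer profile, the factor definitions, the risk weights and the modelling of independence as distinct delivery channels are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Category(Enum):       # the three factor categories the directions name
    HAS = "possession"      # card, hardware token, software token
    KNOWS = "knowledge"     # password, PIN, passphrase
    IS = "inherence"        # fingerprint or other biometric
@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    dynamic: bool   # proof is unique to this transaction (live biometric, device key, app confirmation)
    channel: str    # assumption: independence is modelled as distinct channels producing the proof
@dataclass
class Transaction:
    amount: int         # rupees
    card_present: bool  # card-present transactions are exempt from the dynamic-factor rule
    device_id: str
    location: str
    factors: tuple      # Factor instances presented for this transaction
# Constructed customer profile for the behavioural and contextual checks (assumption).
PROFILE = {"devices": {"dev-registered"}, "usual_location": "Mumbai", "avg_amount": 1500}

def factor_violations(txn):
    """Principles 1-3: two distinct categories, one dynamic unless card-present, independent."""
    problems = []
    if len(txn.factors) < 2:
        problems.append("fewer than two factors")
    if len({f.category for f in txn.factors}) < 2:
        problems.append("factors are not from distinct categories")
    if not txn.card_present and not any(f.dynamic for f in txn.factors):
        problems.append("no dynamically created or proven factor")
    channels = [f.channel for f in txn.factors]
    if len(set(channels)) < len(channels):
        problems.append("factors share a channel, so one compromise affects both")
    return problems

def risk_score(txn, profile=PROFILE):
    """Unknown device, unusual location and atypical amount each add weight (weights assumed)."""
    score = 2 if txn.device_id not in profile["devices"] else 0
    score += 1 if txn.location != profile["usual_location"] else 0
    score += 2 if txn.amount > 3 * profile["avg_amount"] else 0
    return score

def decide(txn, step_up_at=3):
    """Reject non-compliant authentication, else approve or demand an extra check on risk."""
    problems = factor_violations(txn)
    if problems:
        return "reject", problems
    score = risk_score(txn)
    return ("step_up", ["risk score %d" % score]) if score >= step_up_at else ("approve", [])
```

A static UPI PIN paired with a device-bound key from a registered device passes cleanly, while the same pair from an unknown device in an unusual city for an atypical amount is routed to an extra check rather than rejected.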

Banks liable for payment fraud

The RBI's directions mandate that payment system providers and participants offer authentication or tokenisation services to all applications and users availing the service for all use cases, channels or token storage mechanisms.

The intent is that no single bank or platform can build proprietary lock-in, so that India's payments security infrastructure remains open and competitive.

Embedded in the technical language of the directions is a provision with direct, tangible consequences for every user of digital payments in India.

If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full, without demur (that is, without objection).

Issuers must also ensure adherence to the Digital Personal Data Protection Act, 2023.

The phrase ‘without demur’ carries legal weight.

It means your bank cannot dispute, delay or contest a reimbursement claim rooted in its own non-compliance with the authentication rules.

The financial liability in such cases rests with the institution, not the individual.

If you use an Indian debit or credit card on a foreign website, the April 1 deadline does not yet apply but a separate deadline has already been set.

Card issuers shall, by October 1, 2026, put in place a mechanism to validate non-recurring, cross-border card-not-present transactions where the request for authentication is raised by an overseas merchant or overseas acquirer.

Card issuers must also register their Bank Identification Numbers with card networks; a risk-based mechanism for handling all cross-border card-not-present transactions must also be in place by this date.

The RBI has preserved its existing exemptions, recognising that certain payment contexts do not warrant the full two-factor requirement.

These include:

  • Small-value contactless card transactions.
  • Recurring transactions other than the first under the e-mandate framework.
  • Select prepaid instruments such as PPI-MTS (a prepaid payment instrument for mass transit systems is simply a rechargeable travel card -- think your Delhi Metro Smart Card, Mumbai Metro card or FASTag on the windshield of your car) and Gift PPIs (a prepaid gift card -- like an Amazon, Flipkart or Myntra gift card that someone loads with money -- up to Rs 10,000 -- and gives to you).
  • NETC (National Electronic Toll Collection, like FASTag) toll transactions.
  • Small-value digital payments in offline mode.
  • Travel bookings involving the Global Distribution System or IATA through commercial or corporate cards.

For most users, the change will often be invisible.

Your UPI PIN already qualifies as a valid authentication factor.

Your fingerprint to approve a payment already satisfies the biometric requirement.

What shifts is the intelligence and accountability behind the screen.

Banks and payment apps must now deploy risk-aware systems that assess each transaction against your device profile, behaviour patterns and transaction history in real time.

The era of waiting for an SMS that may or may not arrive -- and hoping it was not intercepted -- is being supplemented by smarter, more contextual verification.

The RBI's directions do not merely tighten a rule.

They signal a maturation of India's digital payments infrastructure; one where security is principled and dynamic and where, for the first time, accountability for a lapse sits unambiguously with the institution -- not the individual.
