MUMBAI: The Reserve Bank of India (RBI) has released a comprehensive framework to strengthen authentication in digital payments, which will take effect from April next year. The move aims to ensure stronger security and better user protection as digital transactions continue to surge month after month.
At present, most digital payments depend on SMS-based one-time passwords (OTPs) as the additional layer of security. However, with the rapid expansion of UPI, cards, and wallet-based platforms, the RBI has stressed the need for a more robust system.
Under the new guidelines, every digital payment transaction must use two-factor authentication. While the central bank has not prescribed specific methods, the system must use at least two elements from the following categories:
• Something the user knows (password or PIN)
• Something the user has (card, hardware token, or software token)
• Something the user is (biometric verification such as fingerprint or Aadhaar-based identification).
Importantly, the RBI has clarified that one of the factors must be dynamically generated—unique to each transaction and validated in real time.
In a major shift, the RBI has directed issuers to adopt a risk-based approach for specific transactions. This allows payment providers to assess transactions against behavioural and contextual factors such as a user’s location, device information, or past transaction patterns.
“Depending on the risk perception of a transaction, issuers may apply additional checks beyond the mandatory two-factor authentication,” the RBI noted in its circular.
The regulator has further advised issuers to consider leveraging DigiLocker for sending notifications and confirmations in the case of high-risk transactions.
Industry reaction
“The Reserve Bank of India’s new directions on the authentication of digital payment transactions represent a progressive step in strengthening India’s fast-growing digital economy. By moving beyond the traditional SMS-OTP model and adopting risk-based checks along with modern alternatives such as biometrics, tokens, and device-based authentication, the RBI is setting the foundation for both stronger security and a seamless user experience.
Digital financial transactions are expected to reach $481 billion by 2028-29, marking a threefold growth, according to a report by PwC India. In this journey, robust yet user-friendly authentication will be critical to deepening trust in digital payments, especially among first-time and underserved users. At Spice Money, where we empower 1.55 million Adhikaris to serve millions across rural India, we have seen that trust and safety are the real enablers of inclusion. The RBI’s move is a timely step that balances innovation with responsibility and advances the vision of a safe, inclusive Digital India.” – Dilip Modi, Founder & CEO of Spice Money