Your digital payment methods will change from October 1st! RBI issues new transaction guidelines

RBI Authentication Guidelines 2025: RBI has issued new authentication mechanisms for digital payments. These rules, which will come into effect from April 1st, 2026, will continue to require OTPs.

RBI Authentication Guidelines 2025: Digital payments are constantly growing, and with them, so too is the risk of fraud. In this context, the Reserve Bank of India (RBI) has taken a major step to further strengthen customer security. Today, the RBI released the "Authentication Mechanisms for Digital Payment Transactions Directions, 2025." These new rules will come into effect from April 1st, 2026.

When and why were these rules enacted?

The RBI released a draft on Alternative Authentication Mechanisms in Digital Payments on July 31, 2024, and proposed introducing an Additional Factor of Authentication (AFA) in Cross-Border Card Not Present (CNP) Transactions on February 7, 2025. Feedback was sought from the public and stakeholders on these drafts. Now, the RBI has released the final rules incorporating these suggestions.

Key Points of the New Rules

1. Promotion of New Authentication Factors

The RBI has stated that new security factors (authentication factors) can now be introduced using technology. However, SMS-based OTP (One-Time Password) will still be valid and will not be phased out.

2. Additional Risk-Based Checks with Minimum 2FA

Banks and card issuers will be required to comply with at least 2-Factor Authentication (2FA). Additionally, additional security checks may be implemented if a transaction poses a high risk of fraud.

3. Interoperability and Open Access

The new framework emphasizes making the technology interoperable and open access so that all payment service providers can use it.

4. Defining Responsibilities

The responsibilities of card and payment issuers have been clearly defined so that customers do not suffer losses in the event of fraud or disputes.

5. Strictness on Cross-Border Transactions

Card issuers will now be required to require AFA for non-recurring cross-border CNP transactions if such a request comes from a foreign merchant or acquirer.

What will change for customers?

Existing processes such as OTP + PIN or biometrics will still apply for domestic transactions. However, if you make an online payment from abroad, additional authentication factors may be required. Banks and card companies will be free to conduct additional security checks based on the potential for fraud. This is expected to reduce fraud and forgery.

When will the new rules come into effect?

The RBI has stated that these new rules will be mandatory from April 1, 2026. This means banks and payment companies have approximately one year to upgrade their systems and implement the technology.

FAQs

Q1. Will SMS-based OTPs be phased out?

No, the RBI has clearly stated that OTPs will still be valid and will not be discontinued.

Q2. What will the new authentication mechanisms be?

Banks have been given the flexibility to adopt biometric, AI-based risk analysis, and new technology-based security factors.

Q3. What changes will cross-border transactions see?

If you make online card payments from abroad, additional authentication factors may now be required.

Q4. Will these rules come into effect immediately?

No, these rules will come into effect from April 1, 2026.

Q5. What will be the benefit to customers?

The new rules will make online payments more secure and reduce the risk of fraud.