New RBI rules make banks fully liable if payment safeguards fail: Details
New Delhi, Sep 26, 2025
RBI on digital transaction failures: Banks will be responsible for compensating customers if fraud occurs because the banks did not follow the authentication process
The Reserve Bank of India (RBI) has issued new directions on authenticating digital transactions, seeking to balance consumer safety and ease of use. The rules were notified on Thursday and will apply to banks and non-bank payment system providers from April 1.
Two-factor authentication stays central
Every domestic digital payment must be verified using at least two distinct factors of authentication, according to the RBI. These could come from:
Something you know: Password, PIN, or passphrase
Something you have: A card, token, or SMS-based one-time password (OTP)
Something you are: Biometric data such as fingerprint or facial recognition
One of these factors should be dynamic. For example, an OTP that is unique to a single transaction qualifies, ensuring that even if one credential is compromised, the overall security is not.
Risk-based checks for safer payments
The guidelines allow issuers to go beyond the minimum requirement, especially when transactions appear unusual. Lenders and payment providers can analyse:
Transaction location
Device attributes
Spending behaviour
Past transaction history
Based on risk, issuers may seek extra confirmation, such as a notification via DigiLocker, for high-value or unusual payments.
Cross-border safeguards
The RBI has set timelines for cross-border card-not-present transactions. By October 1, card issuers will need to implement a risk-based system to validate such transactions. They must also register their Bank Identification Numbers (BINs) with card networks to ensure seamless authentication when requests come from overseas merchants.
What it means for consumers
For most users, the experience may not change drastically since SMS OTPs and PINs are already standard practice. However, the new framework opens the door for wider use of device-based biometrics and tokenisation, which could make digital payments both safer and smoother.
“If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur,” said an RBI notification, implying that the responsibility lies with banks.
With fraud risks evolving alongside rising digital adoption, the RBI’s move signals a stronger push to protect consumers while preparing the ecosystem for future technologies.
[The Business Standard]