RBI allows risk-based checks in new digital payment guidelines

Sep 25, 2025

Synopsis
The Reserve Bank of India has released final guidelines for digital payment authentication, effective April 1, 2026, to enhance security and encourage fraud prevention innovation. Issuers can implement risk-based checks beyond two-factor authentication. The framework promotes new technologies while retaining SMS-based OTPs and mandates additional authentication for specific cross-border transactions.

India's central bank on Thursday issued final guidelines for authentication mechanisms in digital payment transactions, aiming to bolster security and encouraging innovation in fraud prevention.

The Reserve Bank of India said the new framework, effective April 1, 2026, allows issuers to adopt additional risk-based checks beyond the mandatory two-factor authentication, depending on a transaction's fraud risk.

The directions promote the use of emerging technologies for authentication without phasing out SMS-based one-time passwords.

They also mandate that card issuers validate additional authentication for non-recurring, cross-border, card-not-present transactions when requested by overseas merchants or acquirers.

The RBI, which released draft guidelines in July 2024 and February 2025, said public feedback has been incorporated into the final version.

[The Economic Times]