Unicaus NEWS
The newest RBI instructions are relevant to Payment System Providers, Payment System Participants (banks and non-banks) and all home digital fee transactions. | Photo Credit: Getty Images/iStockphoto
The RBI on Thursday (September 25, 2025) issued Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025 which is able to come into drive from April 1, 2026.
These instructions might be relevant to all Payment System Providers, Payment System Participants (banks and non-banks) and all home digital fee transactions.
As per the instructions issuers should undertake further risk-based checks primarily based on the fraud danger notion of the underlying transaction.
They have been requested to facilitate interoperability and open entry to know-how.
The instructions name for mandating card issuers to validate Additional Factor of Authentication (AFA) in non-recurring cross-border Card Not Present (CNP) transactions at any time when such a request is raised by the abroad service provider or acquirer.
Currently all digital fee transactions in India are required to fulfill the norm of two elements of authentication. While no particular issue was mandated for authentication, the digital funds ecosystem has primarily adopted SMS-based One Time Password (OTP) as the extra issue.
The instructions present the broad rules which might be complied with by all of the contributors within the fee chain, whereas utilizing a type of authentication.
While these instructions are relevant solely to home transactions, to offer an analogous degree of security for on-line worldwide transactions undertaken utilizing playing cards issued in India, the instructions additionally incorporate crucial directions for particular cross-border card transactions.
“It shall be ensured that for digital fee transactions, apart from card current transactions, a minimum of one of many elements of authentication is dynamically created or confirmed, i.e., the proof of possession of the issue, being despatched as a part of the transaction, is exclusive to that transaction,” the RBI stated.
The issue of authentication might be such that compromise of 1 issue wouldn’t have an effect on reliability of the opposite.
“System Providers and System Participants might want to provide authentication or tokenisation service that’s accessible to all of the purposes / token requestors functioning in that working atmosphere for all use instances / channels or token storage mechanisms,” it stated.
Issuers might, in keeping with their inside danger administration insurance policies, establish transactions for analysis towards behavioural / contextual parameters similar to transaction location, consumer behaviour patterns, machine attributes, historic transaction profile, and so on, it added.
Based on the perceived danger related to the transaction, further checks past the minimal two-factor authentication could also be resorted to. Issuers can also discover utilizing DigiLocker as a platform for notification and affirmation for high-risk transactions, the regulator stated.
“An issuer shall make sure the robustness and integrity of the authentication mechanism earlier than deployment,” it stated.
“If any loss arises out of transactions effected with out complying with these instructions, the issuer shall compensate the client for the loss in full with out demur,” it stated
Issuers will guarantee adherence to the provisions of Digital Personal Data Protection Act, 2023, it added.
RBI had issued draft instructions on Alternative Authentication Mechanisms for Digital Payment Transactions on July 31, 2024 and draft instructions on introduction of AFA in cross-border CNP transactions on February 07, 2025, for stakeholder feedback.
These instructions have been issued after incorporating suggestions from the general public.
Published – September 25, 2025 04:31 pm IST
