NEW DELHI: The Reserve Bank of India (RBI) on Thursday released draft guidelines on the authentication mechanism framework for digital payment transaction authentication that will come into effect from April 1, 2026.
The Central Bank said the feedback from the public has been examined and suitably incorporated in the final directions.
The directions focus on encouraging introduction of new factors of authentication by leveraging upon technological advancements.
The framework, however, does not call for discontinuation of SMS-based OTP as an authentication factor.
The aim is also to enable issuers to adopt additional risk-based checks beyond the minimum two-factor authentication based on the fraud risk perception of the underlying transaction and facilitate interoperability and open access to technology, along with delineating the responsibility of Issuers.
The draft guidelines also mandate card issuers to validate AFA in non-recurring cross-border CNP transactions whenever such a request is raised by the overseas merchant or acquirer.
The RBI says that all digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor.
“All digital payment transactions shall be authenticated by at least two distinct factors of authentication, unless exempted. Issuers may, at their discretion, offer a choice of authentication factors to their customers in compliance with these directions, ” according to the RBI.