The Reserve Bank of India's new framework for authentication of digital payment transactions will take effect on April 1, 2026, fundamentally reshaping how payment security operates across India's digital payments ecosystem. Released via circular on September 25, 2025, the framework introduces a risk-based approach to authentication that moves beyond the longstanding mandatory reliance on SMS one-time passwords.

Under the new framework, financial institutions may deploy a range of authentication factors, including biometrics, device tokens, app-based prompts, PINs, passphrases, and hardware or software tokens. The framework groups these into three categories (knowledge factors, possession factors, and inherence factors) and requires factors from at least two distinct categories for standard transactions.

A key innovation is the introduction of risk-based authentication calibration. Issuers can evaluate transactions against behavioral and contextual parameters including user behavior patterns, transaction location, device attributes, and historical transaction profiles. For transactions assessed as higher risk, institutions can apply additional authentication steps beyond the minimum two-factor requirement. Conversely, lower-risk transactions may be subject to streamlined authentication within the prescribed bounds.

For cross-border card-not-present transactions, financial institutions have until October 1, 2026, to establish compliant processes, including registering Bank Identification Numbers with card networks to ensure all international transactions are properly authenticated.

The framework also strengthens consumer protections with clearer liability rules. If a bank or issuer fails to implement the prescribed authentication standards and a fraudulent transaction succeeds, the customer is entitled to full compensation. This shifts greater responsibility onto financial institutions to maintain robust authentication infrastructure.

The new rules apply across all digital payment channels, including UPI, NEFT, RTGS, card transactions, internet banking, and mobile banking. The shift from prescriptive SMS OTP mandates to a principles-based approach gives financial institutions flexibility to implement authentication methods appropriate to the transaction risk level, while maintaining a minimum security baseline that reflects modern threat landscapes.