Posted:
11 March, 2026
Vaibhav Maniyar
The RBI released the "Authentication Mechanisms for Digital Payment Transactions Directions, 2025" on September 25, 2025. Here is the short version:
Deadline: April 1, 2026, for all domestic digital payment transactions
What changes: SMS OTP remains allowed but can no longer be the only authentication method. At least one factor must now be dynamically generated per transaction
Who must comply: All banks, non-bank entities, UPI apps, wallets, and payment platforms
Three accepted factor types: Something you know (PIN/password), something you have (device token/card), something you are (biometrics)
Cross-border CNP transactions: Separate deadline of October 1, 2026
Penalty for non-compliance: Full customer reimbursement for any losses caused by non-compliant transactions
What is NOT changing: SMS OTP is not being banned. Small-value contactless payments (up to Rs 5,000), recurring e-mandates, and offline small-value transactions remain exempt from the two-factor requirement
India's digital payments sector has grown at a pace that few predicted even five years ago. UPI alone now accounts for approximately 80% of all retail digital payments in India, processing over 13.5 billion transactions per month with 35% year-on-year growth. India recorded 208.5 billion total digital transactions in 2024, with UPI representing 83% of that volume.
That scale creates a larger fraud surface. In FY 2024-25, UPI-related fraud alone resulted in losses of approximately Rs 485 crore across 632,000 reported incidents. Cumulatively since FY 2022-23, reported UPI fraud cases have cost users Rs 2,145 crore across 2.7 million incidents. High-value, targeted attacks are rising even as basic low-value fraud attempts show some decline - which means the problem is getting more sophisticated, not less.
SMS OTP - the method most Indians use today - was never designed for the threat environment of 2025. It routes through the telecom network, which can be intercepted via SIM swapping, SS7 attacks, and social engineering. A text-delivered one-time password is also effectively a bearer credential for as long as it is valid: whoever intercepts it has a usable window in which to act. The RBI's new direction addresses this by requiring that at least one authentication factor be dynamically generated and unique to each transaction.
The regulatory journey started publicly with a draft framework released on July 31, 2024, followed by a second draft on February 7, 2025, specifically covering cross-border card-not-present transactions. Stakeholder comments from both drafts were incorporated before the final directions were issued.
The formal name of the regulation is the "Authentication Mechanisms for Digital Payment Transactions Directions, 2025", issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems (PSS) Act, 2007. The circular reference is RBI/2025-26/219.
| Requirement | Deadline |
|---|---|
| Two-factor authentication for all domestic digital payment transactions | April 1, 2026 |
| Migration of all digital banking domains to .bank.in | October 31, 2025 |
| AFA for non-recurring cross-border card-not-present (CNP) transactions | October 1, 2026 |
All Payment System Providers and Participants - banks and non-bank entities alike - must meet the April 1, 2026 deadline for domestic transactions. The extended deadline for cross-border CNP transactions reflects the added complexity of coordinating with international card networks. For that segment, issuers must also register their Bank Identification Numbers (BINs) with card networks and put risk-based controls in place.
Not every payment requires two-factor authentication under the new directions. The RBI has carved out specific exemptions where the friction of authentication would outweigh the risk:
Small-value contactless card payments up to Rs 5,000 per transaction at Point of Sale terminals
E-mandates for recurring transactions beyond the initial registration payment - this covers EMIs, subscriptions, insurance premiums, credit card payments up to Rs 1 lakh, and other recurring transactions up to Rs 15,000
Small-value offline digital payments
Utility payments through select prepaid instruments
National Electronic Toll Collection (NETC) transactions where vehicles pass through automated tolls
Card-present transactions where the card is physically swiped or tapped
The exemptions are designed to keep everyday, low-risk transactions fast and convenient. The higher the value and the more remote the authentication context, the more the new rules apply.
The directions do not prescribe a single method. They set principles and let institutions choose how to meet them. Here is what currently qualifies:
Start by mapping every customer-facing payment flow and identifying which transactions currently use only a single factor or rely entirely on SMS OTP without any dynamic secondary element. This gap analysis is the foundation of your compliance project.
Any factor that stays the same across transactions - a static PIN, for example - cannot be the only factor. Your system must generate something unique for each transaction. This is already built into SMS OTP (each code is different), but the new directions push banks toward options where the delivery channel is more secure.
The RBI explicitly supports tiered authentication. Build logic that assesses each transaction against risk signals - value, device, location, user behavior - and applies additional checks when risk is elevated. This is not just good compliance; it keeps friction low for genuine users while creating barriers for fraudsters.
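The exemption rules listed above and the risk-based step-up described here can be expressed as one decision function. The following is an added illustration, not code from the RBI or any bank: the rupee limits marked "page" are the ones quoted in this article, while the risk weights, the Rs 50,000 step-up threshold and the velocity signal are constructed assumptions.

```javascript
// Added example, not code from the RBI or any bank: decide what authentication a
// domestic payment needs under the 2025 directions as summarised on this page,
// then apply risk-based step-up. Limits marked "page" come from the article.
const LIMITS = {
  contactlessPos: 5000,        // page: small-value contactless card at POS
  recurringOther: 15000,       // page: other recurring e-mandates
  recurringCreditCard: 100000, // page: credit card recurring up to Rs 1 lakh
  stepUpAmount: 50000,         // assumption: risk-engine high-value threshold
};

// Baseline for anything not exempt: two factors from different categories,
// at least one of them generated uniquely for this transaction.
const AFA = { exempt: false, factors: 2, distinctCategories: true, dynamicFactor: true };

function requiredAuthentication(txn) {
  // 1. Exemptions carved out by the directions (as listed on this page).
  if (txn.netc) return { exempt: true, reason: 'NETC toll' };
  if (txn.offline) return { exempt: true, reason: 'small-value offline' };
  if (txn.cardPresent && !txn.contactless) return { exempt: true, reason: 'card-present swipe/dip' };
  if (txn.cardPresent && txn.contactless && txn.amount <= LIMITS.contactlessPos) {
    return { exempt: true, reason: 'contactless <= Rs 5,000' };
  } // assumption: contactless above the limit falls back to the AFA baseline
  if (txn.recurring && !txn.initialMandate) {
    const cap = txn.creditCardBill ? LIMITS.recurringCreditCard : LIMITS.recurringOther;
    if (txn.amount <= cap) { // page: 24-hour pre-debit notice still applies above Rs 15,000
      return { exempt: true, reason: 'e-mandate within cap', advanceNotice24h: txn.amount > LIMITS.recurringOther };
    }
  }
  // 2. Non-exempt: AFA baseline, plus the 24-hour notice for large recurring debits (page).
  const result = { ...AFA, advanceNotice24h: !!txn.recurring && txn.amount > LIMITS.recurringOther };
  // 3. Risk-based step-up from the signals the page names: value, device, location, behaviour.
  let score = 0;
  if (txn.amount > LIMITS.stepUpAmount) score += 2; // assumption: weights below are illustrative
  if (txn.newDevice) score += 2;
  if (txn.unusualLocation) score += 1;
  if ((txn.txnsLastHour || 0) >= 5) score += 1;      // assumption: velocity signal
  result.riskScore = score;
  result.stepUp = score >= 3;                        // assumption: step-up threshold
  return result;
}
```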
Review your architecture to confirm that if one authentication channel is compromised, the other is genuinely independent. If both your OTP and your in-app push notification go through the same server-side session, they are not truly independent from an attack surface perspective.
All eligible transaction notifications must go out in near real-time. For recurring debits above Rs 15,000, a 24-hour advance notification system must be in place. If this infrastructure does not exist or is unreliable, it must be built before April 1, 2026.
If a customer has had no digital transaction with a vendor in the last six months, the bank must redo KYC for any mandate linked to that relationship. Build this trigger into your mandate management system.
The RBI's Master Direction on Outsourcing applies here. Any authentication service operated by a third party must be subject to your due diligence, audit rights, and security controls. Cloud-based authentication vendors must meet RBI's standards for confidentiality and data availability.
For banks operating in the Aadhaar-enabled Payment System (AePS) space, additional requirements apply. These include stricter API usage controls, alignment with SIEM systems, and periodic KYC updates for all AePS operators. Given that India's Aadhaar authentication volumes exceeded 2.11 billion in a single month as of May 2025, the security stakes in this segment are significant.
The October 31, 2025 deadline for moving all digital banking operations to the .bank.in domain has already passed or is imminent depending on when you are reading this. If your bank has not yet completed this migration, it is overdue. This is part of the same security perimeter that the 2FA directions address.
Fintech companies and non-bank payment system participants face the same April 1, 2026 deadline. The practical steps differ slightly from banks given the architecture differences.
The RBI has put financial responsibility directly on issuers. If a customer suffers a loss from a transaction that did not comply with the authentication directions, the issuer must reimburse the full amount. There is no apportionment or shared liability - the institution is on the hook entirely.
This financial exposure should be the primary driver of urgency for compliance teams. A single high-value fraud incident in a non-compliant transaction flow could cost far more than the engineering investment required to meet the standards.
| Metric | Figure | Source |
|---|---|---|
| UPI share of retail digital payments | ~80% | Astra Security / RBI data |
| UPI monthly transactions | 13.5 billion+ | Astra Security, 2025 |
| UPI year-on-year transaction growth | 35% | Astra Security, 2025 |
| Total India digital transactions in 2024 | 208.5 billion | Business Standard |
| UPI fraud losses in FY 2024-25 | Rs 485 crore | Astra Security |
| UPI fraud incidents in FY 2024-25 | 632,000 | Astra Security |
| Cumulative UPI fraud losses (FY22-FY25) | Rs 2,145 crore | Astra Security |
| Aadhaar authentication volume (May 2025) | 2.11 billion | Corbado / RBI data |
| Compliance deadline (domestic) | April 1, 2026 | RBI Directions, 2025 |
| Compliance deadline (cross-border CNP) | October 1, 2026 | RBI Directions, 2025 |
| Recurring transaction notification threshold | Rs 15,000 | RBI Directions, 2025 |
| Contactless payment AFA exemption limit | Rs 5,000 | RBI Directions, 2025 |
RBI's new rules for two-factor authentication mark a shift from a system that defaulted to SMS OTP toward one that accepts a wider range of authentication methods - provided they meet clear principles around independence, dynamic generation, and factor diversity.
The core message for banks and fintechs is this: the SMS OTP you use today may still be part of your authentication flow after April 1, 2026, but it cannot be the whole story. You need a second factor from a different category, and at least one of the two factors you use must be unique to each transaction.
The compliance window is not short, but it is not long either. Building or integrating a risk-based authentication engine, ensuring factor independence, setting up real-time alert infrastructure, and addressing data protection requirements under the DPDP Act 2023 all take time. Institutions that start their gap analysis now will be in a far better position than those that wait for Q1 2026.
The financial risk of non-compliance is concrete: full customer reimbursement for any loss from a non-compliant transaction. The reputational risk is equally real in a payments market where trust drives adoption.
No. The RBI has explicitly clarified that the new directions do not call for the discontinuation of SMS OTP as an authentication factor. SMS OTP remains a valid possession factor. What changes is that it cannot be the only means of authentication, and at least one factor used must be dynamically generated for each specific transaction.
April 1, 2026, for all domestic digital payment transactions. For non-recurring cross-border card-not-present transactions, the deadline is October 1, 2026.
All Payment System Providers and Participants operating in India - including commercial banks, small finance banks, payment banks, non-banking financial companies, UPI apps, wallet providers, and payment aggregators.
Small-value contactless card payments up to Rs 5,000, e-mandates for recurring transactions beyond the initial payment, small-value offline digital payments, certain utility payments via prepaid instruments, and NETC toll collection transactions.
Yes. Issuers may offer customers a choice of authentication factors, provided the combination chosen still complies with the two-factor, dynamic-factor principles in the directions.
The issuer is fully liable and must compensate the customer for the entire loss. There is no shared liability provision.
Primarily, no. The directions cover domestic digital payment transactions. However, for non-recurring cross-border card-not-present transactions where Indian-issued cards are used, issuers must implement AFA mechanisms by October 1, 2026, when requested by the overseas merchant or acquirer.
A dynamic factor is one that is uniquely generated for a specific transaction and cannot be reused. A standard SMS OTP is dynamic in this sense - each code is different and expires after use. The key is that the factor cannot be replayed or recycled from a previous transaction.
Passkeys built on FIDO2/WebAuthn standards are considered among the strongest options aligned with the RBI's directions. They are device-bound, phishing-resistant, and generate a cryptographic proof unique to each transaction - meeting the dynamic factor requirement. The FIDO Alliance submitted formal input to the RBI in December 2024 in support of these standards.