
RBI issues new authentication norms for digital payments

Under the new rules, all digital payment transactions must comply with the norm of two-factor authentication and at least one of the factors should be dynamically created.

Express News Service

MUMBAI: To ensure robust security and user protection as the digital payments ecosystem grows manifold month after month, the Reserve Bank has issued a comprehensive framework for strengthening the authentication mechanisms in digital payments effective next April.

Currently, most digital payments rely on SMS-based one-time passwords (OTPs) as the additional factor.

The move comes amid rapid growth in the digital payments ecosystem that has seen exponential adoption across UPI, cards, and wallet-based platforms.

Under the new rules, all digital payment transactions must comply with the norm of two-factor authentication. While the RBI has not mandated specific methods, the system must draw from at least two categories among something the user knows (such as a password or PIN), something the user has (such as a card, hardware token, or software token), and something the user is (biometric identifiers like fingerprint or Aadhaar-based verification).

The RBI has clarified that going forward, at least one of the factors should be dynamically created, meaning it must be unique to each transaction and validated in real time.

In a significant shift, the RBI has also asked issuers to adopt risk-based approaches for certain transactions. This means that payment providers can flag and evaluate transactions against behavioural and contextual parameters, such as the user’s location, device details, or past transaction history.

“Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to,” the RBI said in the new circular.
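The three rules described above, two factors from distinct categories, one of them dynamic and bound to the single transaction, and risk-based step-up driven by location, device and transaction-history signals, as an added illustration that is not part of the article or of the RBI circular. The risk weights, the step-up threshold, the profile fields and the HMAC-based transaction code are assumptions made for the example.

```python
from dataclasses import dataclass
import hashlib, hmac

# Factor categories named in the framework: something the user knows / has / is.
KNOWS, HAS, IS = "knows", "has", "is"

@dataclass(frozen=True)
class Factor:
    category: str
    dynamic: bool = False  # unique to this transaction and validated in real time

@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: int          # minor currency units (constructed sample values)
    country: str
    device_id: str

@dataclass(frozen=True)
class Profile:
    home_country: str
    known_devices: frozenset
    usual_max_amount: int

def transaction_code(key: bytes, txn: Transaction) -> str:
    """Dynamic factor bound to one transaction: HMAC over its fields, 6 digits (assumed scheme)."""
    msg = f"{txn.txn_id}|{txn.amount}|{txn.country}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def meets_two_factor_rule(factors) -> bool:
    """At least two distinct categories, and at least one dynamic factor."""
    return len({f.category for f in factors}) >= 2 and any(f.dynamic for f in factors)

def risk_score(txn: Transaction, profile: Profile) -> int:
    """Assumed weights for the contextual signals the article lists."""
    return (2 * (txn.country != profile.home_country)
            + (txn.device_id not in profile.known_devices)
            + (txn.amount > profile.usual_max_amount))

def decide(txn: Transaction, factors, profile: Profile, step_up_at: int = 2) -> str:
    """'reject' below the two-factor floor, 'step_up' when risk is high, else 'approve'."""
    if not meets_two_factor_rule(factors):
        return "reject"
    if risk_score(txn, profile) >= step_up_at:
        return "step_up"
    return "approve"
```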

The regulator has also asked the issuers to explore the use of DigiLocker for notifications and confirmations in high-risk transactions.

The new guidelines also address authentication in cross-border payments, which have been particularly vulnerable to fraud. While the rules will not apply to all cross-border digital transactions, the central bank has directed card issuers to implement risk-based mechanisms to handle cross-border card-not-present transactions from October 1, 2026.

Issuers must also establish systems to validate non-recurring card-not-present transactions initiated by overseas merchants or acquirers. To ensure compliance, banks will be required to register their bank identification numbers with card networks.

According to analysts, the move will enhance consumer confidence in digital payments while aligning the country’s payment security ecosystem with global best practices. Payment companies, however, will need to upgrade infrastructure and processes to accommodate dynamic authentication and advanced risk checks.
