
RBI Mandates Two-Factor Authentication for Digital Payments, Allows Limited Exemptions [Read Judgement]

RBI mandated two-factor authentication for digital payments from April 1, 2026, with limited exemptions for low-risk transactions

Kavi Priya
Digital Payments

RBI

The Reserve Bank of India (RBI) issued a notification dated September 25, 2025, notifying the “RBI (Authentication mechanisms for digital payment transactions) Directions, 2025.” The directions make two-factor authentication (2FA) compulsory for most digital payments, while allowing limited exemptions for low-risk cases.

According to the RBI, the need for these directions arose because the earlier system mainly relied on SMS-based One Time Passwords (OTPs) as the second factor of authentication.

With new technologies emerging, RBI decided that the payments ecosystem must be allowed to use alternative and advanced authentication methods, while still keeping customer safety at the center. The new rules have been issued under the Payment and Settlement Systems Act, 2007, and all banks and payment service providers have to follow them by April 1, 2026.


Key Rules in the Directions

  • Two-factor authentication (2FA):
    • Every digital payment must use at least two factors.
    • Factors can include:
      • Something the user knows (password, PIN).
      • Something the user has (card, phone).
      • Something the user is (biometrics).
    • One factor must always be dynamic (like an OTP).
  • Responsibility of Banks/Issuers:
    • Ensure authentication systems are robust and reliable.
    • If a customer loses money due to non-compliance, the issuer must refund in full.
    • Must follow the Digital Personal Data Protection Act, 2023.
  • Risk-Based Approach:
    • Banks can add extra checks for risky transactions.
    • Examples: unusual location, suspicious device, or strange behavior patterns.
    • RBI suggested DigiLocker may be used for confirmation in high-risk cases.
  • Cross-Border Transactions:
    • Domestic rules do not directly apply to international payments.
    • By October 1, 2026, issuers must:
      • Validate cross-border “card-not-present” transactions.
      • Put in place risk-based monitoring systems.

Exemptions from 2FA (Annexure 1)

Some payments don’t require strict 2FA, such as:

  • Small-value contactless card transactions.
  • Recurring payments (after the first, under e-mandates).
  • Certain prepaid instruments (gift cards, etc.).
  • NETC toll payments.
  • Small-value offline digital payments.
  • Corporate travel bookings via global systems.
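The following is an added illustration, not code from the article or from the RBI directions, of how an issuer's authorization service might encode the rules summarized above: two distinct factor categories with at least one dynamic factor, a risk-based step-up when the transaction carries warning signals, the Annexure 1 exemption categories, and hand-off of cross-border transactions to a separate validation path. The channel names, the `SMALL_VALUE_LIMIT` threshold, and the `risk_signals` labels are constructed placeholders; the actual value limits for the exemptions are set in the directions and are not reproduced here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple


class Factor(Enum):
    KNOWLEDGE = "knows"     # password, PIN
    POSSESSION = "has"      # card, phone
    INHERENCE = "is"        # biometrics


@dataclass(frozen=True)
class Credential:
    factor: Factor
    dynamic: bool = False   # True for one-time values such as an OTP


@dataclass(frozen=True)
class Transaction:
    amount: float
    # Constructed channel labels: "online", "contactless", "recurring",
    # "ppi_gift", "netc_toll", "offline", "corporate_travel"
    channel: str
    first_in_series: bool = True    # first payment under an e-mandate still needs 2FA
    cross_border: bool = False
    card_not_present: bool = False
    risk_signals: tuple = ()        # e.g. ("unusual_location", "suspicious_device")


# Placeholder only: the real small-value limits come from Annexure 1 of the directions.
SMALL_VALUE_LIMIT = 5000.0


def is_exempt(tx: Transaction) -> bool:
    """Exemption categories listed in the article; the amount limit is a placeholder."""
    if tx.channel == "contactless" and tx.amount <= SMALL_VALUE_LIMIT:
        return True
    if tx.channel == "recurring" and not tx.first_in_series:
        return True
    if tx.channel in ("ppi_gift", "netc_toll", "corporate_travel"):
        return True
    if tx.channel == "offline" and tx.amount <= SMALL_VALUE_LIMIT:
        return True
    return False


def satisfies_2fa(creds: Iterable[Credential]) -> bool:
    """At least two distinct factor categories, and at least one of them dynamic.
    Two knowledge factors (PIN + password) do not count as two factors."""
    creds = list(creds)
    categories = {c.factor for c in creds}
    return len(categories) >= 2 and any(c.dynamic for c in creds)


def required_level(tx: Transaction) -> str:
    """Decide which authentication regime applies to a transaction."""
    if tx.cross_border:
        # Domestic 2FA rules do not directly apply; card-not-present cross-border
        # transactions go to issuer validation, the rest to risk-based monitoring.
        return "cross_border_validation" if tx.card_not_present else "cross_border_monitoring"
    if tx.risk_signals:
        # Risk-based approach: extra checks on top of 2FA, even for otherwise exempt channels.
        return "2fa_step_up"
    if is_exempt(tx):
        return "exempt"
    return "2fa"


def authorize(tx: Transaction, creds: Iterable[Credential],
              step_up_done: bool = False) -> Tuple[bool, str]:
    """Return (approved, reason). Cross-border cases are deferred, not approved here."""
    level = required_level(tx)
    if level == "exempt":
        return True, level
    if level.startswith("cross_border"):
        return False, level
    if not satisfies_2fa(creds):
        return False, "2fa_not_met"
    if level == "2fa_step_up" and not step_up_done:
        # e.g. an additional confirmation step such as DigiLocker verification
        return False, "step_up_required"
    return True, level


if __name__ == "__main__":
    pin_plus_otp = [Credential(Factor.KNOWLEDGE), Credential(Factor.POSSESSION, dynamic=True)]
    print(authorize(Transaction(12000.0, "online"), pin_plus_otp))
    print(authorize(Transaction(500.0, "contactless"), []))
    print(authorize(Transaction(12000.0, "online", risk_signals=("suspicious_device",)), pin_plus_otp))
```

The decision function is deliberately conservative: a transaction with any risk signal is never approved on the exemption path alone, and cross-border transactions are returned as "deferred" rather than approved, since the article states the domestic rules do not directly govern them.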

Replacement of Old Rules

  • The 2025 Directions repeal earlier RBI circulars on card authentication and security issued between 2009 and 2016.
  • This creates a single updated framework for digital payment safety.
