RBI’s New Digital Payment Rules Effective April 1 Explained

The new system will also use something called risk-based checks. This means not every transaction will be treated the same way: Reports

Update: 2026-04-01 15:32 GMT

MUMBAI: Starting this month, the Reserve Bank of India (RBI) has introduced stricter rules for digital payments such as UPI, cards and mobile wallets to reduce fraud.

Until now, you could complete a transaction using just a one-time password (OTP), but now you will need an additional step, such as entering a PIN or password, or using a fingerprint or face scan. The new system will also use something called risk-based checks. This means not every transaction will be treated the same way.

According to Shams Tabrej, Co-founder and CEO of Ezeepay, authentication restrictions for small-value transactions, typically up to ₹2,000, may be loosened, while larger-value transactions (usually in the range of ₹5,000 and higher) or those marked as higher risk, such as first-time payees or atypical patterns, are more likely to require explicit two-factor authentication (2FA) to maintain security, even if thresholds may differ slightly between banks and use cases.

Under the new framework, from April 1, digital payments need to be verified using at least two independent factors with at least one being dynamic.

These factors may come from three categories: something the user has (such as a card, hardware token or software token), something the user knows (such as a password, PIN or passphrase) or something unique to the user (such as a fingerprint or any other biometric, whether device-native or Aadhaar-based).

According to the RBI Authentication Mechanism for Digital Payment Transactions Directions, 2025, issuers may, at their discretion, offer customers a choice of authentication factors.

Says Tabrej, “The current regulations focus more on standardising risk-based authentication. Because of device binding and app-level verification, many UPI transactions, particularly low-value or recurring payments, may seem ‘single-step’ to users, but underlying security layers are still in place. The shift to a more seamless yet secure framework, where transactions are verified using risk profiling rather than a consistent OTP need each time, is what has changed.”

Experts say that a majority of large banks and regulated payment companies have already synchronised their systems with the RBI's directives; however, smaller firms may make slight operational tweaks.

The directions also make banks fully accountable for authentication failures. If a fraud happens because of weak security, banks may have to compensate customers.

The RBI has indicated that similar authentication requirements will be extended to cross-border transactions, including international card payments. Full implementation for such transactions is expected by October 2026, bringing global payments in line with domestic security standards.

