RBI Mandates Two-Factor Authentication for Digital Payments with Limited Exemptions

Update: 2025-09-25 15:15 GMT

Introduction

The Reserve Bank of India (RBI) has issued a notification dated September 25, 2025, notifying the "RBI (Authentication mechanisms for digital payment transactions) Directions, 2025." These directions aim to enhance the security of digital payment transactions by mandating two-factor authentication (2FA) for most digital payments.

Factual Background

The RBI observed that the earlier system mainly relied on SMS-based One Time Passwords (OTPs) as the second factor of authentication. With new technologies emerging, the RBI decided to allow the payments ecosystem to use alternative and advanced authentication methods while keeping customer safety at the center.

Key Provisions of the Directions

Two-Factor Authentication (2FA): Every digital payment must use at least two factors drawn from different categories:

  •  Something the user knows: password, PIN
  •  Something the user has: card, phone
  •  Something the user is: biometrics

One factor must always be dynamic, like an OTP.

Responsibility of Banks/Issuers:

  •  Ensure authentication systems are robust and reliable
  •  Refund customers in full if they lose money due to non-compliance
  •  Comply with the Digital Personal Data Protection Act, 2023

Issues

Security of Digital Payments: The RBI aims to enhance the security of digital payment transactions by mandating 2FA.

Exemptions from 2FA: Certain payments are exempted from strict 2FA requirements, such as small-value contactless card transactions and recurring payments.

Contentions and Analysis

RBI's Contention: The RBI believes that the new directions will enhance customer safety and allow the use of alternative and advanced authentication methods.

Analysis: The directions provide a risk-based approach, allowing banks to add extra checks for risky transactions. The RBI also suggests using DigiLocker for confirmation in high-risk cases.

Reasoning and Implications

Reasoning: The RBI's decision to mandate 2FA for digital payments is aimed at reducing the risk of unauthorized transactions and enhancing customer safety.

Implications: The directions will have significant implications for banks and payment service providers, who will need to ensure that their authentication systems are robust and reliable.

Cross-Border Transactions

Cross-Border Transactions: The domestic rules do not directly apply to international payments. By October 1, 2026, issuers must validate cross-border "card-not-present" transactions and implement risk-based monitoring systems.

Conclusion

The RBI's directions on authentication mechanisms for digital payment transactions aim to enhance customer safety and security. The mandate of 2FA for most digital payments will have significant implications for banks and payment service providers. The directions provide a risk-based approach and allow for limited exemptions, striking a balance between security and convenience.

By: Kashish Singh