RBI's New Rules For Enhanced Digital Payment Security Move Beyond SMS-based OTPs All payment system providers and participants are mandated to ensure compliance with the latest RBI directions by April 1, 2026

India's digital payments industry has received much-needed security enhancements, thanks to new rules from the Reserve Bank of India (RBI).

Even as India's digital payment ecosystem has continued to thrive, thanks to faster and affordable internet access and an easy-to-use UPI payment infrastructure, payment frauds have continued to be a significant challenge.

To put things in perspective, UPI surpassed 20 billion transactions in August 2025, marking its highest monthly volume. While debt collection was among the highest in terms of UPI spending at INR 77,007 crore, groceries and fuel followed at INR 68,116 crore and INR 34,547 crore, respectively. UPI spending on digital goods stood at INR 7,441 crore.

On the other side, digital payment frauds have continued to grow exponentially. According to 2024 data by the RBI, digital payment frauds in India saw a more than fivefold jump to INR 1,457 crore in the fiscal year ending March 2024. Another report says that UPI fraud cases surged 85% in FY24. These fraud cases were of a total value of INR 1,087 crore, compared to INR 573 crore in the previous year.

The growth in digital payment frauds is despite several security measures being in place. One of the most commonly used security measures is SMS-based OTPs. Essentially, you make an online payment and verify it through a one-time password sent to your registered phone number, mostly via SMS.

The RBI also notes in its circular: "All digital payment transactions in India are required to meet the norm of two-factor authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor."

What are RBI's New Framework and Mandates

The central bank earlier this week released 'Authentication mechanisms for digital payment transactions' Directions, 2025. These directions aim to leverage technological advancements for implementing alternative authentication mechanisms, even as more payment-focused security features are now available to common people.

Note that all Payment System Providers and Payment System Participants, including banks and non-bank entities, are mandated to ensure compliance with the latest directions by April 1, 2026.

All digital payment transactions shall be authenticated through at least two distinct factors of authentication. These factors now include: SMS-based OTPs, Passphrases, PINs, Card hardware, Software tokens, Fingerprints, or any other form of biometrics (device-native or Aadhaar-based).

The RBI states that it "shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction." Furthermore, the central bank says the factor of authentication shall be such that the compromise of one factor does not affect the reliability of the other.

The bank has also stressed on risk management. It says that stakeholders can identify transactions for evaluation against behavioral/contextual parameters such as transaction location, user behavior patterns, device attributes, historical transaction profile, etc.

An integration with machine learning and AI tools, the service providers can actually identify different patterns of user's payment behavior. For instance, if someone buys groceries from his neighborhood but at the same time a transaction is made in another city for a large amount, banks can now use the above mentioned tools to quickly flag them and verify with the user for the payment. The verification can seek things like a biometric scan for the final approval of the payment instead of relying on SMS-based OTPs.

Moreover, the central bank has also sought to explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.

Progressive Move and Industry Effort

RBI's directions on enhanced digital payment security appear to be timely and progressive, given the increasing number of digital payment frauds. Moreover, modern devices, including handhelds and accessories, do provide optional security layers, and it's right to make the most of them. Most importantly, it may help reduce over-dependence on SMS-based OTPs, which have been a target for cybercriminals for a while.

Furthermore, the central bank has been quite liberal, giving ample time for industry stakeholders to integrate newer features. Though it depends on how soon these features can be integrated into the ecosystem, given the diversity of platforms and the need to solve the challenge of interoperability.

Moreover, it's certainly going to be an effort from the payment system participants and others to integrate these advanced authentication methods and ensure their security, especially for critical and sensitive information such as biometrics. It is pertinent to mention here that the payment industry stakeholders, such as fintechs, neobank, and conventional banking systems will have to also align with the Digital Personal Data Protection Act which does stress on the need for the secure handling of sensitive biometric and device data.

This also brings India on par with the security mechanisms being implemented on the global scale. For instance, the European Union is experimenting with something called 'PSD2' (Payment Services Directive 2). It is essentially a regulation that aims to promote secure, efficient, and innovative payment services as well as more secure and a stronger multi-step payment verification framework.