The Reserve Bank of India (RBI) has issued new guidelines mandating two-factor authentication (2FA) for all domestic digital payments from April 1, 2026. The framework allows banks and fintechs to adopt innovative verification methods such as biometrics, device-based tokens, and passphrases, in addition to traditional OTPs. Small-value transactions remain exempt, while issuers will be liable for any losses if norms are not followed. The move aims to strengthen security, build trust, and modernize India’s payment ecosystem.
Core Development
The revised rules apply to all digital transactions, with at least one factor being dynamic and unique to each transaction.
Key directives include:
Mandatory 2FA: OTPs continue as an option, but new methods like biometrics and device tokens are encouraged.
Interoperable tokenisation: Services must work across apps and platforms.
High-risk checks: Issuers can flag certain transactions for additional verification and use DigiLocker for confirmation.
Liability clause: If a transaction bypasses norms, issuers must fully compensate customers.
For cross-border payments, the new norms will not apply, though card issuers must validate card-not-present (CNP) transactions by October 1, 2026, when requested by overseas merchants.
Key Drivers / Issues
Rising cases of fraud and phishing in digital transactions.
Need to reduce reliance on SMS OTPs, which are prone to interception.
Growing adoption of UPI, cards, and mobile wallets, demanding scalable security.
Push to align with global payment security standards.
Stakeholder Impact
For consumers, transactions will be more secure, reducing fraud risks. Banks and fintechs must upgrade systems to support biometric and device-based authentication. Merchants may see smoother checkouts with interoperable tokens. For the RBI, the framework strengthens its push for safe digital adoption.
Industry & Policy Reactions
The RBI emphasized that the new rules “encourage the use of new authentication methods by leveraging technology.”
Cybersecurity experts welcomed the move, saying it will bring India closer to global standards like PSD2 in Europe.
Industry players highlighted challenges in implementation timelines, especially for smaller fintechs.
Challenges Ahead
Ensuring tech-readiness across banks, fintechs, and merchants before April 2026.
Managing customer transition from OTPs to new methods.
Balancing security with frictionless user experience.
Addressing interoperability issues across platforms.
Strategic Outlook
The shift to stronger authentication marks a critical step in India’s digital payments journey. By combining innovation with regulatory oversight, RBI aims to build a resilient ecosystem that safeguards users while enabling growth in digital commerce.
Why This Matters
With over 20 billion UPI transactions monthly, India’s digital economy hinges on trust and security. Mandatory 2FA ensures consumers remain protected, while pushing banks and fintechs toward next-gen authentication standards.