Two-factor authentication (2FA) will be required for all digital transactions under the new framework, drastically altering how customers pay with cards, mobile wallets, and UPI.
India plans to change its financial landscape as the Reserve Bank of India (RBI) brings new security measures for all electronic payments. The new rules take effect on 1 April 2026. Every digital payment will be verified through a compulsory two-factor authentication process. The new rule aims to address the growing number of cybercrimes and phishing campaigns that have infiltrated India’s mobile wallets and UPI. Traditionally, security relied on text messages, but now, it has started adopting a versatile security model. The regulators are trying to stay ahead of threat actors and scammers.
The shift to a dynamic verification model
The new directive mandates that at least one of the two authentication factors must be dynamic. The authentication has to be generated particularly for a single transaction and cannot be used twice. Fintech providers and banks can now freely choose from a variety of ways, such as hardware tokens, biometrics, and device binding. This shift highlights a departure from the traditional era, where OTPs via SMS were the main line of defence.
Risk-based verification
To make security convenient, banks will follow a risk-based approach.
Low-risk: Payments from authorized devices or standard small transactions will be quick and seamless.
High-risk: Big payments or transactions from new devices may prompt further authentication steps.
The framework with “RBI’s new digital payment security controls coming into force represent a significant recalibration of India’s authentication framework – from a prescriptive OTP-based regime to a more principle-driven, risk-based standard,” experts said.
Building institutions via technology neutrality
The RBI no longer manages the particular technology used for verification. Currently, it focuses more on the security of the outcome.
Why the technology-neutral stance?
The technology-neutral stance permits financial institutions to use sophisticated solutions like passkeys or facial recognition without requiring frequent regulatory notifications. The central bank will follow the principle-driven practice by boosting innovation while holding strict compliance. According to experts, “By recognising biometrics, device-binding and adaptive authentication, RBI has created interpretive flexibility for regulated entities, while retaining supervisory oversight through outcome-based compliance.”
Impact on bank accountability
The RBI has increased accountability standards, making banks and payment companies more accountable for maintaining safe systems.
Institutions may be obliged to reimburse users in situations when fraud results from system malfunctions or errors, which could expedite the resolution of grievances.
The goal of these regulations is to expedite the resolution of complaints pertaining to fraud.
Read the original article: