What Happened
- The Reserve Bank of India's new framework on Authentication Mechanisms for Digital Payment Transactions, 2025 comes into force on April 1, 2026, making two-factor authentication (2FA) mandatory for all digital payment transactions.
- At least one of the two authentication factors must be dynamically created — meaning it is generated after payment initiation, is specific to that transaction, and cannot be reused (e.g., OTP, biometric scan).
- The framework moves away from a prescriptive SMS-OTP-only model to a technology-neutral, principle-based approach; accepted factors include password, PIN, SMS OTP, passphrase, card hardware, software token, fingerprint, or other biometrics (device-native or Aadhaar-based).
- From October 1, 2026, all international (cross-border) card transactions will also require AFA, closing a significant gap where overseas card-not-present transactions had previously bypassed Indian authentication norms.
- Certain transactions are explicitly exempt: small-value contactless card payments up to ₹5,000 at POS terminals, e-mandates for recurring transactions, and small-value offline digital payments.
Static Topic Bridges
Payment and Settlement Systems Act, 2007 — Regulatory Backbone of Digital Payments
The Payment and Settlement Systems (PSS) Act, 2007 is the primary legislation governing payment systems in India. It empowers the Reserve Bank of India to regulate, supervise, and oversee all payment and settlement systems in the country. The RBI's new Authentication Directions 2025 are issued under Sections 18 and 10(2) of this Act, which grant the RBI authority to issue directions to payment system operators and participants. All Payment System Providers and Payment System Participants — including banks, non-bank entities, and fintech platforms — must comply with these directions.
- Enacted in 2007; RBI designated as the regulatory authority under the Act
- Section 4: No person can operate a payment system without RBI authorisation
- Section 18: Empowers RBI to issue directions in public interest or to manage systemic risk
- National Payments Corporation of India (NPCI) operates under this framework
- Covers UPI, NEFT, RTGS, IMPS, card networks, prepaid payment instruments (PPIs)
Connection to this news: The RBI's mandate for mandatory 2FA and dynamic authentication is a direction issued under the PSS Act, 2007 — making compliance legally binding on all payment system participants including banks, fintechs, and card networks.
Additional Factor of Authentication (AFA) — Concept and UPSC Relevance
Additional Factor of Authentication (AFA) refers to the use of more than one factor to verify the identity of a payment initiator. The three recognised authentication categories are: something the user knows (password, PIN), something the user has (card, hardware token), and something the user is (fingerprint, facial biometric). The RBI has mandated AFA for card-not-present (CNP) transactions since 2009, making India an early mover globally. The new 2025 framework extends and modernises this mandate.
- AFA for domestic CNP card transactions mandated by RBI since 2009 — significantly reduced card fraud
- The new 2025 framework adds a "dynamic factor" requirement: at least one factor must be transaction-specific and non-reusable
- Aadhaar-based biometric authentication is now explicitly recognised as a valid AFA factor
- The shift from prescriptive (SMS-OTP only) to principle-based (any secure dynamic factor) allows innovation
- Cross-border CNP transactions will require AFA from October 1, 2026
Connection to this news: The April 1, 2026 go-live represents the full operationalisation of the framework that RBI had issued in draft form in 2024 and finalised through Directions 2025 — upgrading AFA standards for all transaction types.
India's Digital Payments Ecosystem — Scale, Risks, and Regulation
India processes billions of digital transactions monthly through UPI, IMPS, NEFT, and card networks, making it one of the world's largest real-time payment markets. With this scale comes elevated fraud risk — phishing, SIM-swap attacks, and credential theft are significant vectors. The RBI's layered security approach through 2FA, combined with risk-based authentication (RBA) frameworks, reflects global best practices aligned with standards of the Bank for International Settlements (BIS) and Financial Stability Board (FSB).
- India's UPI processed over 17 billion transactions per month in 2025
- Card fraud, especially CNP fraud in online transactions, has been a persistent concern
- RBI's "Payment Vision 2025" document outlined safety, security, and inclusion as key pillars
- Risk-based authentication allows issuers to apply stricter checks for high-value or suspicious transactions
- Digital payment literacy and consumer protection remain focus areas under RBI's regulatory mandate
Connection to this news: The new 2FA mandate is a direct output of RBI's ongoing regulatory efforts to balance payment convenience with fraud prevention — a classic UPSC Mains GS3 question on financial regulation and technological governance.
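Added illustration (not part of this summary, and not RBI, NPCI or any issuer's code): a small Python model of the two mechanisms described in the AFA and risk-based authentication passages above. It shows a dynamic factor that is generated only after payment initiation, is bound to that transaction's amount and payee, and is accepted at most once, and a policy function that applies the ₹5,000 contactless POS exemption and adds a risk-based third factor on top of the mandated 2FA. The ₹5,000 limit is from the framework; the ₹50,000 step-up threshold, the 120-second validity window, the `Transaction` fields, and all class and function names are assumptions made for the example.

```python
"""Constructed example: transaction-bound dynamic factor + risk-based step-up.

Only the ₹5,000 contactless POS exemption comes from the RBI framework;
every other number, field and name here is assumed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CONTACTLESS_POS_EXEMPT_LIMIT_INR = 5_000   # exemption stated in the framework
HIGH_VALUE_STEP_UP_INR = 50_000            # assumed issuer risk threshold (RBA)
CODE_TTL_SECONDS = 120                     # assumed validity window for the code


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount_inr: int
    payee: str
    channel: str          # e.g. "contactless_pos", "online_cnp", "upi"
    new_payee: bool = False


def required_factors(txn: Transaction) -> list[str]:
    """Factors the issuer demands: none if exempt, otherwise a knowledge
    factor plus a dynamic factor, with a risk-based third factor added
    for high-value or first-time-payee transactions."""
    if txn.channel == "contactless_pos" and txn.amount_inr <= CONTACTLESS_POS_EXEMPT_LIMIT_INR:
        return []
    factors = ["pin", "transaction_code"]          # something known + dynamic factor
    if txn.amount_inr > HIGH_VALUE_STEP_UP_INR or txn.new_payee:
        factors.append("biometric")                # RBA step-up beyond mandated 2FA
    return factors


class DynamicFactorIssuer:
    """Issues one-time codes created after payment initiation, bound to one
    transaction's details, and accepted at most once."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now
        self._pending: dict[str, tuple[bytes, float]] = {}   # txn_id -> (nonce, issued_at)

    @staticmethod
    def _binding(txn: Transaction) -> bytes:
        # Amount and payee are part of the MAC input, so a code issued for
        # one transaction fails verification against a tampered copy of it.
        return f"{txn.txn_id}|{txn.amount_inr}|{txn.payee}".encode()

    def _code_for(self, txn: Transaction, nonce: bytes) -> str:
        mac = hmac.new(self._key, nonce + self._binding(txn), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue(self, txn: Transaction) -> str:
        nonce = secrets.token_bytes(16)     # fresh randomness on every issuance
        self._pending[txn.txn_id] = (nonce, self._now())
        return self._code_for(txn, nonce)

    def verify(self, txn: Transaction, presented: str) -> bool:
        # Removed on the first attempt: the code is consumed whether or not it
        # matches, so it can be neither replayed nor guessed repeatedly.
        entry = self._pending.pop(txn.txn_id, None)
        if entry is None:
            return False
        nonce, issued_at = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            return False
        return hmac.compare_digest(self._code_for(txn, nonce), presented)


if __name__ == "__main__":
    issuer = DynamicFactorIssuer(secrets.token_bytes(32))
    txn = Transaction("TXN-0001", 12_000, "merchant-A", "online_cnp")
    print("factors required:", required_factors(txn))
    code = issuer.issue(txn)
    print("first use accepted:", issuer.verify(txn, code))
    print("replay accepted:", issuer.verify(txn, code))
```

The code string is derived from a server-side key, a per-issuance nonce, and the transaction details, which is what makes it both dynamic (different every time it is issued) and transaction-specific (a code captured for a ₹12,000 payment does not verify if the amount or payee is altered). Consuming the pending entry on the first verification attempt, successful or not, is what enforces single use; a production issuer would persist that state in a shared store rather than a process-local dictionary.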
Key Facts & Data
- Effective date: April 1, 2026 (domestic transactions); October 1, 2026 (international card transactions)
- Legal basis: Sections 18 and 10(2) of the Payment and Settlement Systems Act, 2007
- Dynamic factor requirement: One of the two authentication factors must be transaction-specific and non-reusable
- Exemptions: Contactless card payments up to ₹5,000 at POS; e-mandates for recurring transactions; small-value offline payments
- Authentication methods accepted: Password, SMS OTP, PIN, passphrase, card hardware, software token, fingerprint, Aadhaar biometric
- Issuer obligation for cross-border: Validate AFA whenever it is requested by an overseas merchant or acquirer (from October 2026)
- Risk-based checks: Issuers may apply additional risk-based authentication beyond the mandated 2FA for high-risk transactions