Particle.news


RBI Finalizes Two-Factor Authentication Rules for Digital Payments From April 2026

The rules require a dynamic factor per transaction, shifting losses from non-compliant payments onto issuers.

Overview

  • All payment system providers must comply with the new directions for domestic digital transactions by April 1, 2026, and card issuers must enable additional factor of authentication (AFA) validation for non‑recurring cross‑border card‑not‑present (CNP) transactions upon request by October 1, 2026.
  • Every domestic digital payment must use two distinct authentication factors, with at least one dynamic and unique to each transaction, while SMS‑based OTPs remain permitted.
  • Issuers may apply additional risk‑based checks using behavioral, device, location, and historical signals, with the RBI suggesting DigiLocker for confirmations on high‑risk transactions.
  • If a transaction is executed without complying with the directions, the issuer must compensate the customer in full without dispute.
  • Exemptions include small‑value contactless card payments, recurring transactions after the first e‑mandate, select prepaid instruments, NETC toll payments, and small‑value offline payments.