Until just yesterday, there was a cloud of speculation around possible updates to RBI rules on digital payments. But as of September 25, 2025, the Reserve Bank of India (RBI) has cleared the air by releasing an official notification, not about savings account rules, but about something just as important: authentication mechanisms for digital payment transactions.
So, were the reports true? Not exactly. But here’s what has actually changed, and why it matters for every Indian digital payment user.
What Has RBI Actually Announced in September 2025?
On September 25, 2025, the RBI released a new regulatory framework titled:
Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025
This notification lays down new standards for authenticating all digital payment transactions in India, aiming to enhance security, customer protection, and fraud prevention.
While there have been no major changes to savings account rules, this new direction directly impacts how you make payments online, through cards, UPI, net banking, or wallets.
What Are the New RBI Authentication Rules for Digital Payments?

Here are the highlights from the new notification:
- Two-Factor Authentication is mandatory for all domestic digital payment transactions
- At least one dynamic authentication factor must be used (e.g., OTP or biometric specific to that transaction)
- Applies to banks and non-bank payment entities
- Effective from April 1, 2026
- Covers card, UPI, net banking, and wallet transactions
Why Is Two-Factor Authentication Still Mandatory?
As per the new directions, all digital payment transactions must continue to be authenticated using a minimum of two factors. These can be chosen from:
- Something the user knows (password, PIN)
- Something the user has (OTP, card, token)
- Something the user is (biometrics – fingerprint, face ID)
This reinforces the existing security model that has already protected millions of online transactions in India.
What Does “At Least One Dynamic Factor” Mean?
RBI has now mandated that at least one of the two factors used for authentication must be dynamic, which means it should be unique to each transaction.
Examples include:
- SMS-based OTP
- Token-based authentication
- Biometric approval
- Device-specific signatures
Because the dynamic factor changes with every transaction, a static password that has been reused or stolen is not enough on its own to authorise a payment.
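To make "unique to each transaction" concrete, the sketch below is an added example, not text or code from the RBI directions or any bank's implementation. It pairs a static PIN with a one-time code derived from the transaction's own details; the key, PIN, field names and 6-digit format are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed demo values (assumptions): a key provisioned to the user's
# device, a salt for PIN hashing, and the transaction field names.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
PIN_SALT = b"constructed-salt"

def pin_hash(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)

def txn_code(key: bytes, txn: dict) -> str:
    """Dynamic factor: 6-digit code bound to this transaction's id, payee, amount."""
    msg = "|".join((txn["id"], txn["payee"], txn["amount"])).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class Issuer:
    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin_hash(pin)
        self._spent = set()  # transaction ids already authorised

    def authorise(self, txn: dict, pin: str, code: str) -> bool:
        # Static factor (PIN) and dynamic factor (code) must both verify,
        # and the transaction id must not have been authorised before.
        static_ok = hmac.compare_digest(pin_hash(pin), self._pin)
        expected = txn_code(self._key, txn).encode()
        dynamic_ok = hmac.compare_digest(code.encode(), expected)
        if not (static_ok and dynamic_ok) or txn["id"] in self._spent:
            return False
        self._spent.add(txn["id"])
        return True

def demo() -> dict:
    issuer = Issuer(DEVICE_KEY, "4821")
    pay = {"id": "T1001", "payee": "grocer@upi", "amount": "450.00"}
    other = {"id": "T1002", "payee": "unknown@upi", "amount": "45000.00"}
    code = txn_code(DEVICE_KEY, pay)  # generated on the user's device
    return {
        "genuine": issuer.authorise(pay, "4821", code),
        "replayed_same_txn": issuer.authorise(pay, "4821", code),
        "reused_on_other_txn": issuer.authorise(other, "4821", code),
        "pin_only": issuer.authorise(other, "4821", ""),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first call succeeds: the same PIN and code are rejected when replayed, when attached to a different payee and amount, or when the code is missing.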
Who Needs to Follow These New Guidelines?
These new RBI rules apply to:
- All Payment System Providers (PSPs)
- Payment System Participants (banks & fintech companies)
- Card issuers and network providers
Basically, any entity involved in facilitating digital payments in India must comply with these directions, whether the payment is made through UPI, a debit card, or a mobile wallet.
When Will These Guidelines Come Into Effect?

The guidelines will be effective from April 1, 2026, giving all service providers time to implement and test the upgraded authentication infrastructure.
What About Cross-Border Transactions?
RBI has made a special provision for cross-border card-not-present (CNP) transactions. Here’s what’s new:
- Card issuers must set up a verification mechanism for international CNP transactions by October 1, 2026
- BIN (Bank Identification Number) registration with card networks is mandatory
- A risk-based authentication system is advised for overseas purchases
This ensures additional security for Indian cards used on global platforms.
What Happens If a Payment Provider Doesn’t Comply?
As per the directions:
“If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur.”
This is a strong stance by RBI to hold banks and fintechs accountable for digital payment frauds due to weak authentication systems.
What Are the Exceptions to These Rules?
Some use cases are exempted from mandatory two-factor authentication. These include:
| S. No. | Use Case | Existing Circular Reference |
|---|---|---|
| 1 | Small-value contactless card transactions | Dec 04, 2020 |
| 2 | Recurring payments after first e-mandate | Aug 21, 2019; Dec 04, 2020; Dec 12, 2023 |
| 3 | Prepaid instruments like gift cards | Aug 27, 2021 |
| 4 | NETC transactions (FASTag) | Dec 30, 2019 |
| 5 | Small-value offline digital payments | Jan 03, 2022 |
| 6 | GDS/IATA bookings via commercial/corporate cards | April 17, 2012 |
These exemptions are subject to change and further clarification by the RBI.
What Circulars Have Been Repealed?

To streamline the compliance framework, the following older RBI directions have been officially repealed:
- Credit/Debit card security guidelines from 2009 to 2017
- Notifications related to card-not-present (CNP) transaction rules
- Relaxations for transactions under ₹2,000
This move eliminates outdated norms and consolidates everything under the 2025 direction.
What Does This Mean for Savings Account Holders?
So far, the RBI savings account rules, especially for BSBDA or minimum balance, remain unchanged.
However, as more savings account holders move to digital payments (UPI, cards), the new authentication rules indirectly affect them by making their online transactions safer.
What Should Digital Users Do Now?
Here’s what you can do:
- Stay alert for app or OTP changes by your bank or payment app
- Don’t ignore messages about authentication updates or settings
- Avoid clicking suspicious links asking to “update” authentication manually
- Check with your bank if unsure about any recent notifications
- Enable biometric or token-based authentication if supported
Conclusion
The RBI Digital Payments Authentication Rules 2025 aim to strengthen the security and transparency of digital transactions across India.
These guidelines are designed to protect users from fraud while encouraging wider adoption of digital payment systems. With multi-factor authentication and stricter verification processes, users can now transact with greater confidence.
Staying informed and following the RBI’s official guidelines will help ensure a safe and seamless digital payment experience for all consumers and businesses alike.
FAQs
Are OTPs Still Required for Online Payments?
Yes. At least one factor of authentication must be dynamic, and OTP is the most common option.
Can I Use UPI Without Two-Factor Authentication Now?
No. Two-factor authentication remains mandatory for all UPI transactions.
What Happens If a Payment App Doesn’t Follow the Rules?
The issuer must compensate the user in full for any losses due to non-compliance.
Do These Rules Apply to International Card Payments?
Yes, for card-not-present transactions made abroad, new mechanisms will be required by October 1, 2026.
How Do I Know If My Bank Is Complying?
Look for app updates, SMS/email communications, or visit the bank’s website. You can also refer to the RBI website.




