The Indian digital payment ecosystem has been thriving, but of late frauds such as phishing and SIM swaps have increasingly exposed the weakness of the OTP. From April 1, 2026, the Reserve Bank of India (RBI) requires stricter authentication to secure UPI, card, and wallet payments.
The RBI has issued the Framework on Alternative Authentication Mechanisms for digital payment transactions, building on its earlier requirements for an Additional Factor of Authentication (AFA).
Every digital payment transaction now requires at least two independent factors of different types: something you know (PIN or password), something you have (token), or something you are (biometrics). One factor has to be generated dynamically after the transaction is initiated, be specific to that transaction, and be non-reusable, ending reliance on standalone SMS OTPs.
Why were the Digital Payment Rules Altered?
OTP weaknesses stem from phishing scams, in which criminals trick users into handing over codes, and SIM-swap attacks, in which criminals take over mobile numbers.
The principle-based approach set by the RBI ensures that alternative solutions such as biometrics and app-based tokens can be used to respond to such threats, drawing on the technological advances the RBI announced in February 2024.
Issuers bear full liability for the strength of authentication, and lapses are on them, which makes banks more accountable.
New Authentication Requirements
| Requirement | Description | Examples |
|---|---|---|
| Mandatory AFA | Two factors from different categories for all digital payments (except exemptions). | OTP + biometrics; PIN + hardware token. |
| Dynamic Factor | One factor generated after payment start, single-use. | Time-bound OTP or push notification. |
| Risk-Based | Tailored checks by transaction value, device, or profile. Low-risk: minimal; high-risk: extra steps. | Trusted device skips biometrics; large transfers need full verification. |
| Alerts & Consent | Real-time transaction notifications; explicit opt-in for new methods. | SMS/push alerts; easy deregistration. |
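As an added illustration (not from the article or the RBI framework), here is a Python sketch of a dynamic factor with the properties described above: issued only after the transaction is initiated, bound to the transaction's amount and payee, time-bound, and single-use. The class, secret, attempt limit and field names are assumptions, not anything the framework prescribes.

```python
import hashlib, hmac, secrets, time

class DynamicFactor:
    """Per-transaction authentication code: issued after initiation, bound to
    amount and payee, time-bound, single-use. Illustrative design (assumption),
    not an RBI-prescribed algorithm."""

    def __init__(self, secret: bytes, ttl_seconds: int = 180, max_attempts: int = 3):
        self.secret = secret
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.pending = {}   # txn_id -> [nonce, expires_at, failed_attempts]
        self.used = set()   # txn_ids that have already been authenticated

    def _derive(self, txn_id: str, amount_paise: int, payee: str, nonce: str) -> str:
        # 6 digits taken from an HMAC over the transaction details plus a fresh
        # nonce, so a code issued for one (amount, payee) cannot validate another.
        msg = f"{txn_id}|{amount_paise}|{payee}|{nonce}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, txn_id: str, amount_paise: int, payee: str, now=None) -> str:
        now = time.time() if now is None else now
        if txn_id in self.used:
            raise ValueError("transaction already authenticated")
        nonce = secrets.token_hex(8)          # makes every issuance unique
        self.pending[txn_id] = [nonce, now + self.ttl, 0]
        return self._derive(txn_id, amount_paise, payee, nonce)

    def verify(self, txn_id: str, amount_paise: int, payee: str, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(txn_id)
        if entry is None:                     # unknown, expired, or already used
            return False
        nonce, expires_at, attempts = entry
        if now > expires_at or attempts >= self.max_attempts:
            del self.pending[txn_id]          # stale or guessed too often: discard
            return False
        expected = self._derive(txn_id, amount_paise, payee, nonce)
        if not hmac.compare_digest(code, expected):
            entry[2] += 1                     # wrong code, or tampered amount/payee
            return False
        del self.pending[txn_id]              # single use: cannot be replayed
        self.used.add(txn_id)
        return True
```

Because the code is recomputed from the presented amount and payee, a code intercepted and replayed against a different payee or amount fails, and a code already consumed fails on the second presentation.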
Some low-risk transactions are exempt from AFA: contactless PoS payments up to 5000, e-mandates for subscriptions and insurance up to the prescribed limits, offline payments below 500, and certain PPI and NETC transactions.
The framework covers all payment system providers and participants under the PSS Act, 2007, and compliance is required within three months of issuance. Cross-border card-not-present transactions must have AFA by October 1, 2026.
User and Bank Implications
Users face slightly longer payment flows but safer payments, with options such as biometrics on trusted devices when speed matters. Banks may no longer enter exclusive technology deals, must support tokenization, must resolve fraud complaints faster, and may have to compensate victims.
According to industry leaders, the framework strikes a balance between security and innovation and should reduce fraud in India's high-volume UPI ecosystem.