Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025

The Reserve Bank of India (“RBI”) has issued the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025 (“Directions”), which lay down broad principles to be followed by all payment system providers and participants when implementing authentication mechanisms for digital payment transactions.

While existing regulations mandated two-factor authentication, they did not specify the type of authentication factor that ought to be implemented. In contrast, these Directions detail what a “factor of authentication” ought to be and require that at least one factor be dynamic in nature. These Directions reflect the RBI’s intent to facilitate the adoption of advanced technologies by payment system participants through a framework that supports the implementation of alternative and innovative authentication methods.

Key Highlights:

1. Timeline: All payment system providers and participants must ensure compliance by April 01, 2026.

2. Scope: The Directions apply to all domestic digital payment transactions, except the following:

a. Small-value contactless card transactions: Transactions of a value up to INR 5,000

b. Recurring transactions (other than the first) under the e-mandate framework:

  • Additional Factor of Authentication (AFA) is required for each transaction exceeding INR 15,000.
  • Exceptions: For mutual fund subscriptions, insurance premium payments, and credit card bill payments, AFA is only required if the transaction amount exceeds INR 1,00,000.

c. Small-value digital payments in offline mode:

  • Offline transactions are allowed without AFA up to INR 500 per transaction, with a cumulative cap of INR 2,000 per instrument.
  • For UPI Lite, the limits are INR 1,000 per transaction and INR 5,000 in total; and

d. Other transactions, including payments made through select prepaid payment instruments (PPIs) such as PPI-MTS and gift PPIs, NETC transactions, and payments for travel booking involving Global Distribution System / IATA through commercial / corporate cards.

3. Distinct authentication factors: The guidelines require participants to adopt two distinct authentication factors, i.e., the two factors must fall under different categories: “something the user knows,” “something the user is,” or “something the user has.”

4. Requirement for one dynamic authentication factor: Unlike the earlier draft guidelines, the RBI now clarifies that a factor can be either dynamically created or dynamically proven, i.e., the proof of possession must be unique to each transaction. It remains to be seen whether the widely used method of device binding will qualify as a dynamic authentication mode and continue to operate without disruption, or whether participants will turn to newer technologies like FIDO to meet these requirements.
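To make the “dynamically proven” notion in point 4 concrete, the following is an added illustration (not taken from the Directions or from any payment system’s code) of a device-bound key producing a proof of possession that is tied to exactly one transaction, so a captured proof cannot be replayed or reused for a different amount. It assumes an HMAC challenge-response scheme with a constructed device key and a PIN as the “something the user knows” factor; it makes no claim about whether any particular device-binding product qualifies under the Directions.

```python
import hashlib
import hmac
import secrets

# Constructed device key, provisioned at enrolment: the "something the user has" factor.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def device_proof(key: bytes, txn_id: str, amount_paise: int, payee: str, nonce: str) -> bytes:
    """Device side: MAC over the transaction details plus the issuer's one-time nonce."""
    msg = f"{txn_id}|{amount_paise}|{payee}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer side: issues a per-transaction challenge and verifies both factors."""

    def __init__(self, device_key: bytes, pin_hash: bytes):
        self._device_key = device_key
        self._pin_hash = pin_hash        # plain SHA-256 stands in for a proper PIN KDF/HSM
        self._pending = {}               # txn_id -> (amount, payee, nonce) awaiting proof
        self._used = set()               # nonces already consumed (replay protection)

    def challenge(self, txn_id: str, amount_paise: int, payee: str) -> str:
        nonce = secrets.token_hex(16)    # fresh per transaction: this is what makes the factor dynamic
        self._pending[txn_id] = (amount_paise, payee, nonce)
        return nonce

    def verify(self, txn_id: str, pin: str, proof: bytes) -> bool:
        if txn_id not in self._pending:
            return False                 # unknown or already completed transaction
        amount, payee, nonce = self._pending[txn_id]
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return False                 # factor 1 (knowledge) failed
        expected = device_proof(self._device_key, txn_id, amount, payee, nonce)
        if nonce in self._used or not hmac.compare_digest(expected, proof):
            return False                 # factor 2 (possession, bound to this transaction) failed
        self._used.add(nonce)
        del self._pending[txn_id]
        return True


def demo() -> dict:
    """Runs a valid, a wrong-PIN, a replayed and a re-purposed proof through the verifier."""
    issuer = Issuer(DEVICE_KEY, hashlib.sha256(b"4321").digest())   # constructed enrolment PIN
    txn = ("TXN-0001", 250000, "merchant@upi")                        # constructed: INR 2,500.00
    nonce = issuer.challenge(*txn)
    proof = device_proof(DEVICE_KEY, *txn, nonce)
    results = {"wrong_pin": issuer.verify("TXN-0001", "0000", proof)}
    results["valid"] = issuer.verify("TXN-0001", "4321", proof)
    results["replay"] = issuer.verify("TXN-0001", "4321", proof)      # same proof a second time
    issuer.challenge("TXN-0002", 900000, "merchant@upi")              # different amount, new nonce
    results["tampered"] = issuer.verify("TXN-0002", "4321", proof)    # proof bound to TXN-0001
    return results
```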

5. Risk-based approach: Issuers are permitted to adopt a risk-based approach, allowing them to conduct additional checks beyond the required two-factor authentication. Furthermore, issuers can explore the use of DigiLocker as a platform for notification and confirmation of high-risk transactions.

6. Cross-border transactions: While the guidelines exclude cross-border digital payment transactions, card issuers must, by October 1, 2026, implement a mechanism to validate non-recurring, cross-border card-not-present (CNP) transactions if required by an overseas merchant or acquirer. As part of this, issuers must register their Bank Identification Number with the card networks.

7. Liability to customers: Issuers will be held fully liable for any losses incurred by their customers arising from transactions that fail to comply with these Directions.

8. Interoperability: The Directions require system participants and service providers to offer authentication and tokenisation services that are accessible across all applications and token requestors within the same operating environment, covering all use cases, channels, and token storage mechanisms.