
Digital payments to see new safety rules from April 1: What changes

New Delhi, Mar 23, 2026

New RBI norms aim to curb fraud, widen authentication methods, and fix accountability on banks

India’s digital payments system will see tighter security from April 1, 2026, with the Reserve Bank of India (RBI) making two-factor authentication (2FA) compulsory for all transactions. The move shifts more responsibility onto banks while aiming to curb rising fraud.

What changes for users

Under the new framework, every digital payment, whether via cards, UPI, or wallets, must be verified using at least two different authentication factors. These include:

• Something you know: password, PIN, passphrase

• Something you have: card, device, or OTP

• Something you are: biometric identifiers such as fingerprint or facial recognition

At least one of these factors must be dynamic, meaning it is generated uniquely for each transaction, such as an OTP.

In practice, most users may not see a dramatic shift immediately, as OTPs and PINs are already widely used. However, the rules formally standardise this across all payment modes and providers.

Why RBI is tightening norms

The regulatory push comes amid a sharp rise in digital transactions and a parallel increase in fraud risks such as phishing, SIM swap attacks, and unauthorised access.

The earlier system relied heavily on OTP-based verification. While effective initially, OTPs are increasingly seen as vulnerable due to:

• Social engineering scams

• Malware and phishing attacks

• Delays or interception of SMS messages

The new guidelines move towards a more layered and risk-based approach, allowing banks and payment companies to deploy stronger, technology-driven authentication tools.

Risk-based checks and added safeguards

Beyond the basic 2FA requirement, issuers, banks and payment service providers can apply additional checks if a transaction appears suspicious. These may include analysing:

• Location of the transaction

• Device used

• Spending patterns

• Past transaction history

For high-risk or high-value payments, users may be asked for extra verification.

Banks liable if safeguards fail

A key consumer protection feature is that banks and payment providers will be held fully liable if a transaction occurs without complying with these authentication norms.

This effectively shifts the burden of security implementation onto issuers, strengthening accountability in cases of fraud.

Cross-border rules to follow

The RBI has also set a deadline of October 1, 2026, for implementing similar authentication standards in cross-border, card-not-present transactions. This will ensure overseas payments meet the same security benchmarks.

What it means overall

The new framework signals a shift from an OTP-centric system to a more flexible, technology-neutral model. For users, payments could gradually become safer and more seamless, especially with wider adoption of biometrics and device-based authentication.

At the same time, the rules tighten compliance expectations for banks — marking a clear push towards stronger consumer protection in India’s fast-growing digital payments ecosystem.

[The Business Standard]
