
Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions

Reserve Bank of India (RBI) has released a draft framework on alternative authentication mechanisms for digital payment transactions.

What is the rationale behind the draft framework?

RBI had mandated an additional factor of authentication (AFA) for all transactions undertaken using cards, prepaid instruments and mobile banking channels. No specific factor was mandated for authentication, but the digital payments ecosystem has primarily adopted SMS-based OTP as AFA. While OTP is working satisfactorily, technological advancements have made alternative authentication mechanisms available. RBI has therefore released a draft framework to enable the ecosystem to adopt these alternative mechanisms for digital payment transactions.

To whom shall the framework be applicable?

The framework applies to all Payment System Providers and Payment System Participants (banks and non-banks), who shall comply with the framework within 3 months from the date of issue of the directions.

What is Authentication?

Authentication is a process of validating and confirming the credentials of the customer who is originating the payment instruction.

What is a factor of authentication?

Factor of Authentication is any credential input by the customer which is verified for confirming the originator of a payment instruction. The factors of authentication are broadly categorised as –

  • Something the user knows (such as password, passphrase, PIN)
  • Something the user has (such as card hardware or software token)
  • Something the user is (such as fingerprint or any other form of biometrics)

What is Additional Factor of Authentication (AFA)?

Additional Factor of Authentication (AFA) refers to use of more than one factor for authentication of a payment instruction.

Who is Issuer?

Issuer is a bank / non-bank where the customer’s account (deposit account / credit line or PPI balance) is maintained. Issuers verify user credentials and provide confirmation of debit to the account on receipt of payment instruction.

Who is Technology Service Provider (TSP)?

Technology Service Provider (TSP) is a provider of technology infrastructure adopted by the Issuer for implementing the authentication process. In addition to software-based solution providers, this will include device manufacturers and hardware solution providers who provide such technology.

Who is Token Service Provider?

Token Service Provider is an entity which tokenises the card credentials and de-tokenises them, whenever required. It includes card networks and card issuers.

What is card present transaction?

Card present transaction is a transaction that is carried out through the physical use of card at the point of transaction. It is also known as a face-to-face or proximity payment transaction.

What are the principles for authentication of digital payment transactions?

The technology and process deployed for authenticating a payment instruction by the Payment System Provider / Payment System Participants shall comply with the following principles –

  • All digital payment transactions shall be authenticated with additional factors of authentication (AFA), unless exempted otherwise.
  • All digital payment transactions, other than card present transactions, shall ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated after initiation of payment, is specific to the transaction and cannot be reused.
  • The first factor of authentication and the AFA shall be from different categories (i.e., something the user knows / something the user has / something the user is).
  • Issuers may adopt a risk-based approach in deciding the appropriate AFA for a transaction, based on the risk profile of the customer and / or beneficiary, transaction value, channel of origination, etc.
  • Issuers shall have a system of alerting the customer in near real time for all eligible digital payment transactions i.e., all digital payment transactions except small offline transactions.
  • Issuers shall obtain explicit consent before enabling any new factor of authentication for the customer. The customer shall also be provided a facility to deregister from using the new factor of authentication.
  • Issuer shall ensure the robustness and integrity of the process or technology of the authentication factor before deploying the same.
  • Issuer shall be liable for the process and technology deployed for authenticating a digital payment transaction.
  • Issuer shall not enter into any exclusivity arrangement with any Payment Service Provider / Technology Service Provider which could limit its ability to deploy alternative authentication solutions.
  • For transactions involving tokenised cards on various devices, Issuer / Token Service Provider shall ensure that the device environment supports tokenisation on a non-exclusive basis.
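
The second principle above (a factor generated after initiation of payment, specific to the transaction and not reusable) can be illustrated with the following added example, which is not part of the RBI draft or of this page's source. The class name, the 6-digit code, the 180-second validity window and the fields bound into the code (transaction id, amount, payee) are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time


class DynamicFactorIssuer:
    """Hypothetical issuer-side store of transaction-bound one-time codes."""

    def __init__(self, ttl_seconds=180):
        self._key = secrets.token_bytes(32)   # per-process MAC key (assumption)
        self._ttl = ttl_seconds               # validity window (assumption)
        self._pending = {}                    # txn_id -> (tag, expires_at)

    def _tag(self, txn_id, amount_paise, payee, code):
        # JSON list encoding keeps field boundaries unambiguous.
        msg = json.dumps([txn_id, amount_paise, payee, code]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id, amount_paise, payee, now=None):
        """Create the code only after the payment has been initiated."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        # Store only a MAC over code + transaction details, never the code.
        self._pending[txn_id] = (
            self._tag(txn_id, amount_paise, payee, code), now + self._ttl)
        return code

    def verify(self, txn_id, amount_paise, payee, code, now=None):
        """Accept once, and only for the exact transaction the code was issued for."""
        now = time.time() if now is None else now
        entry = self._pending.pop(txn_id, None)  # consumed on first attempt
        if entry is None:
            return False                         # unknown or already used
        tag, expires_at = entry
        if now > expires_at:
            return False                         # expired
        return hmac.compare_digest(
            tag, self._tag(txn_id, amount_paise, payee, code))
```

Because the pending entry is removed on the first verification attempt, a replayed code and a code presented with an altered amount or payee are both rejected.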

Which transactions are exempt from AFA requirement?

The following transactions are exempted from the AFA requirement –

  • Small value card present transactions for values up to ₹5000/- per transaction in contactless mode at Point of Sale (PoS) terminals.
  • E-mandates for recurring (other than the first) transactions in respect of – a) subscription to mutual funds; b) payment of insurance premium and c) credit card bill payments, for values up to ₹1,00,000, and in respect of all other categories, for values up to ₹15,000/-.
  • Prepaid Instruments (PPIs) issued under PPI – Mass Transit Service and Gift PPIs.
  • Transactions in the National Electronic Toll Collection (NETC) System.
  • Small value digital payments in offline mode up to a value of ₹500/-.


References

Reserve Bank of India. (2024, July 31). 'Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions'. Retrieved from https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=58406

Reserve Bank of India. (2024, July 31). 'Framework on Alternative Authentication Mechanisms for Digital Payment Transactions - DRAFT'. Retrieved from https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=4477

