Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions

Reserve Bank of India (RBI) has released a draft framework on alternative authentication mechanisms for digital payment transactions.

What is the rationale behind the draft framework?

RBI had mandated an additional factor of authentication (AFA) for all transactions undertaken using cards, prepaid instruments and mobile banking channels. No specific factor was mandated for authentication, but the digital payments ecosystem has primarily adopted SMS-based OTP as AFA. While OTP is working satisfactorily, technological advancements have made alternative authentication mechanisms available. Therefore, RBI has released a draft framework on alternative authentication mechanisms for digital payment transactions to enable the ecosystem to adopt them.

To whom shall the framework be applicable?

The framework applies to all Payment System Providers and Payment System Participants (banks and non-banks), who shall comply with the framework within 3 months from the date of issue of the directions.

What is Authentication?

Authentication is a process of validating and confirming the credentials of the customer who is originating the payment instruction.

What is a factor of authentication?

A factor of authentication is any credential input by the customer which is verified for confirming the originator of a payment instruction. The factors of authentication are broadly categorised as –

  • Something the user knows (such as password, passphrase, PIN)
  • Something the user has (such as card hardware or software token)
  • Something the user is (such as fingerprint or any other form of biometrics)

What is Additional Factor of Authentication (AFA)?

Additional Factor of Authentication (AFA) refers to the use of more than one factor for authentication of a payment instruction.

Who is Issuer?

Issuer is a bank / non-bank where the customer’s account (deposit account / credit line or PPI balance) is maintained. Issuers verify user credentials and provide confirmation of debit to the account on receipt of payment instruction.

Who is Technology Service Provider (TSP)?

Technology Service Provider (TSP) is a provider of technology infrastructure adopted by the Issuer for implementing the authentication process. In addition to software-based solution providers, this will include device manufacturers and hardware solution providers who provide such technology.

Who is Token Service Provider?

Token Service Provider is an entity which tokenises the card credentials and de-tokenises them, whenever required. It includes card networks and card issuers.

What is a card present transaction?

A card present transaction is a transaction that is carried out through the physical use of a card at the point of transaction. It is also known as a face-to-face or proximity payment transaction.

What are the principles for authentication of digital payment transactions?

The technology and process deployed for authenticating a payment instruction by the Payment System Provider / Payment System Participants shall comply with the following principles –

  • All digital payment transactions shall be authenticated with additional factors of authentication (AFA), unless exempted otherwise.
  • All digital payment transactions, other than card present transactions, shall ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated after initiation of payment, is specific to the transaction and cannot be reused.
  • The first factor of authentication and the AFA shall be from different categories (i.e., something the user knows / something the user has / something the user is).
  • Issuers may adopt a risk-based approach in deciding the appropriate AFA for a transaction, based on the risk profile of the customer and / or beneficiary, transaction value, channel of origination, etc.
  • Issuers shall have a system of alerting the customer in near real time for all eligible digital payment transactions, i.e., all digital payment transactions except small offline transactions.
  • Issuers shall obtain explicit consent before enabling any new factor of authentication for the customer. The customer shall also be provided a facility to deregister from using the new factor of authentication.
  • Issuer shall ensure the robustness and integrity of the process or technology of the authentication factor before deploying the same.
  • Issuer shall be liable for the process and technology deployed for authenticating a digital payment transaction.
  • Issuer shall not enter into any exclusivity arrangement with any Payment Service Provider / Technology Service Provider which could limit its ability to deploy alternative authentication solutions.
  • For transactions involving tokenised cards on various devices, Issuer / Token Service Provider shall ensure that the device environment supports tokenisation on a non-exclusive basis.
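
The dynamic-factor and different-category principles above, sketched as an added example; it is not part of the RBI draft or of the original post. The HMAC construction, the 120-second validity window, the factor names and the amount-in-paise field are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed factor names; the three categories are the ones listed on this page.
CATEGORY = {"pin": "knows", "password": "knows", "card_token": "has",
            "device_code": "has", "fingerprint": "is"}

def categories_differ(first: str, additional: str) -> bool:
    """First factor and AFA must come from different categories."""
    return CATEGORY[first] != CATEGORY[additional]

class DynamicFactor:
    """Codes created after payment initiation, bound to one transaction, single use."""

    def __init__(self, key: bytes, ttl_seconds: int = 120):  # ttl is an assumption
        self.key, self.ttl = key, ttl_seconds
        self.pending = {}  # txn_id -> (nonce, issued_at)

    def _code(self, txn_id, amount_paise, payee, nonce):
        # Binding amount and payee means a code cannot approve a modified payment.
        msg = repr((txn_id, amount_paise, payee, nonce)).encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

    def issue(self, txn_id, amount_paise, payee, now=None):
        nonce = secrets.token_hex(16)  # fresh per issue: the code is tied to this challenge
        self.pending[txn_id] = (nonce, time.time() if now is None else now)
        return self._code(txn_id, amount_paise, payee, nonce)

    def verify(self, txn_id, amount_paise, payee, code, now=None):
        # pop() consumes the challenge on any attempt: no replay, no second guess.
        entry = self.pending.pop(txn_id, None)
        if entry is None:
            return False
        nonce, issued_at = entry
        if (time.time() if now is None else now) - issued_at > self.ttl:
            return False
        expected = self._code(txn_id, amount_paise, payee, nonce)
        return hmac.compare_digest(code.encode(), expected.encode())

if __name__ == "__main__":
    df = DynamicFactor(secrets.token_bytes(32))
    c = df.issue("TXN-1", 250000, "payee@example", now=0)  # constructed sample values
    print(df.verify("TXN-1", 250000, "payee@example", c, now=30))  # accepted
    print(df.verify("TXN-1", 250000, "payee@example", c, now=31))  # replay rejected
```

Consuming the challenge on a failed attempt is a design choice of this example; a deployment that allows retries would need an attempt counter instead.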

Which transactions are exempt from AFA requirement?

The following transactions are exempted from the AFA requirement –

  • Small value card present transactions for values up to ₹5000/- per transaction in contactless mode at Point of Sale (PoS) terminals.
  • E-mandates for recurring (other than the first) transactions in respect of – a) subscription to mutual funds; b) payment of insurance premium and c) credit card bill payments, for values up to ₹1,00,000, and in respect of all other categories, for values up to ₹15,000/-.
  • Prepaid Instruments (PPIs) issued under PPI – Mass Transit Service and Gift PPIs.
  • Transactions in the National Electronic Toll Collection (NETC) System.
  • Small value digital payments in offline mode up to a value of ₹500/-.


References

Reserve Bank of India. (2024, July 31). 'Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions'. Retrieved from https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=58406

Reserve Bank of India. (2024, July 31). 'Framework on Alternative Authentication Mechanisms for Digital Payment Transactions - DRAFT'. Retrieved from https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=4477
