On August 2, 2024, the Reserve Bank of India (RBI) unveiled a new framework mandating additional factor authentication (AFA) for all digital payment transactions, aiming to enhance security and reduce fraud. This initiative is a step forward from the traditional reliance on SMS-based one-time passwords (OTPs), incorporating a broader range of authentication methods. The draft “Framework on Alternative Authentication Mechanisms for Digital Payment Transactions” outlines principles for payment system providers to implement various forms of authentication.
The proposed framework requires that all digital transactions, except card-present ones, use a dynamically created authentication factor that is specific to each transaction and non-reusable. The RBI categorizes authentication factors into three types: something the user knows (such as passwords or PINs), something the user has (such as cards or software tokens), and something the user is (such as biometrics). This approach is designed to improve the security of digital payments by making them more resistant to fraud.
Under the new rules, certain transactions will be exempt from AFA requirements. These include small-value contactless card payments up to ₹5,000, e-mandates for recurring transactions like mutual fund subscriptions and insurance premiums, and offline transactions up to ₹500. This ensures that while security is enhanced, the new measures do not unduly burden everyday transactions.
The RBI has set a deadline of September 15, 2024, for stakeholders to provide comments on the draft framework. Once finalized, all payment system providers and participants will have three months to comply with the new regulations. This initiative reflects the RBI’s ongoing commitment to strengthening the security of digital payments in India, addressing the rise in both digital transactions and related fraud.