India's digital payments ecosystem is set for a major security overhaul as the Reserve Bank of India (RBI) introduces new authentication guidelines, effective April 2026.
The new framework will require banks to adopt a risk-based model for verifying transactions — a move aimed at strengthening fraud prevention while keeping the payment experience smooth for users.
Under the new system, two-factor authentication will remain mandatory, but banks will no longer rely solely on one-time passwords (OTPs). Instead, they will assess transaction risk using multiple signals such as device behaviour, location, and transaction history.
“Risk-based authentication uses signals like device compromise, behaviour, location, and transaction history to detect anomalies,” Anand Venkatraman, partner at Deloitte India, told ET.
“This reduces false rejections and helps detect fraud early. There’s no single fix because fraudsters evolve constantly. But a layered approach improves customer safety far more effectively than static two-factor authentication,” Venkatraman added.
The new model allows banks to offer alternatives to OTPs — including biometric verification, device binding, or a combination of both. For transactions flagged as suspicious, such as those made from new devices or at unusual hours, banks may add extra layers of verification. Meanwhile, routine payments like bill payments or small purchases will remain quick and seamless.
Industry leaders have hailed the move as progressive and aligned with global best practices.
“By moving beyond blanket checks to dynamic, transaction-specific measures, the RBI raises the bar for fraud prevention while keeping convenience in focus,” said Ajay Trehan, founder of AuthBridge.
According to Sundareshwar Krishnamurthy, Partner and India Cyber Leader at PwC India, “The new framework signals that India’s payment ecosystem is maturing into a zero-trust architecture, where checks happen silently and only come into focus when something seems suspicious.”
He added that “the winners will be those who embed security into the user journey without adding friction – think biometrics, device binding, and behavioural analytics.”
However, experts also cautioned that implementing these upgrades will not be easy. Many banks will need to modernise their infrastructure to support behavioural analytics and AI-driven fraud detection systems.
Venkatraman of Deloitte told ET that “significant upgrades are needed to enable modern authentication, all without creating latency in the system.” He also warned that OTPs would still be crucial in rural areas due to limited smartphone access.
The RBI’s framework will also enforce interoperability across platforms and introduce compliance norms for cross-border transactions. Card issuers will be required to register bank identification numbers (BINs) with networks and validate non-recurring international transactions by October 2026.
Legal experts noted that the changes will increase banks’ liability. “Issuers are required to compensate customers if transactions fail to meet authentication standards,” said Smrithi Nair, Partner at Juris Corp. She added that using contextual data for risk assessment will fall under the Digital Data Protection Act (DPDP), potentially raising compliance challenges for foreign merchants.
According to Anu Tiwari, Partner at Cyril Amarchand Mangaldas, “Grievance redressal mechanisms must evolve to protect users from wrongful denial. Safeguards against misuse of consumer data in risk profiling will also be critical.”
Cybersecurity professionals agreed that adaptive authentication is an important step forward — but not a complete solution. “Data shows 36% of incidents begin with social engineering, and two-thirds target privileged accounts,” said Huzefa Motiwala, Senior Technical Director at Palo Alto Networks. “Adaptive checks help, but must be backed by tighter recovery processes.”
As India — the world’s largest digital payments market — moves toward smarter, context-aware authentication, experts believe the RBI’s model could set a new global benchmark for balancing convenience, compliance, and security in digital finance.