RBI Drafts New Rules on Digital Payment Methods for More Safety

The Reserve Bank of India (RBI) has proposed a new set of rules to bolster the safety of digital payments in a press release dated July 31, 2024. Given the remarkable rise in digital transactions over the past few years, RBI aims to put a stronger safety shield around these payments. To that end, RBI proposes several authentication methods as new norms, treating safety and security as the topmost priority for digital payments.

Highlights of the New Set of Rules on Digital Payments

The highlights of this press release are:

  1. Technical advancements in the authentication process of digital payments
  2. A draft framework with alternative authentication methods

Though RBI has not mandated any particular authentication method so far, and the digital payment ecosystem works satisfactorily with SMS-based OTPs, the press release lists a handful of authentication methods as Additional Factor Authentication (AFA) so that operators and users get a wider choice. The draft framework on alternative authentication mechanisms is open for comments by mail or post until September 15, 2024.

Let us look at it in detail:

Beyond OTP Authentication for Digital Payments

The press release states that the current authentication method, SMS-based OTPs, works fine, but that technical advancements have made several more methods available.

These fall into three different factor classes:

  1. User-known factors (something the user knows), such as a password or PIN
  2. User-owned factors (something the user has), such as card details
  3. Identity elements of the user (something the user is), such as a fingerprint or other biometric

If the proposal is accepted, digital transactions may be authenticated by any of these factors, unless RBI specifies a particular one.

The press release also mentions that payment issuers can apply risk-based methodologies that take into account:

  1. Transaction value
  2. Transaction channel
  3. Remitter and beneficiary risk profiles

Exemptions

In the draft framework, RBI states that small-value card-present payments (up to INR 5,000 through PoS), eMandates, utility payments, and small-value digital payments will not require this AFA.

The permissible categories of eMandates (after the initial payment) that are not subject to additional factor authentication are:

  1. Credit card bills
  2. Insurance premiums
  3. Mutual fund subscriptions up to INR 1,00,000

Other eMandates valued up to INR 15,000 can also skip additional authentication.

Digital payments in offline mode up to INR 500 are exempted as well.

All other digital payments must go through two-factor authentication. Not just that! There are new guidelines for PSOs, too.
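To make the risk-based factors and the exemption thresholds above concrete, here is an added example of an AFA decision helper. It is not code from RBI or from this article: the INR thresholds and the three factor classes come from the text, but everything else is an assumption of this example, namely that the INR 1,00,000 cap applies to all three listed eMandate categories, that a "high" remitter or beneficiary risk profile overrides an amount-based exemption (the article lists risk profiles as an input but gives no rule), the factor names in FACTOR_CLASS, and the channel labels. Utility payments are left out because the article gives no threshold for them.

```python
"""Added example: AFA decision helper modelled on the draft rules summarised
in the article. Thresholds are from the article; the risk-escalation rule,
factor catalogue and channel labels are this example's own assumptions."""
from dataclasses import dataclass
from typing import Iterable, Optional

# The three factor classes from the article's three-factor model.
# The concrete factor names are assumptions for this example.
FACTOR_CLASS = {
    "password": "knows", "pin": "knows",
    "card": "has", "device_token": "has",
    "fingerprint": "is", "face": "is",
}

# Exemption thresholds (INR) as stated in the article.
CARD_PRESENT_POS_LIMIT = 5_000
EMANDATE_LISTED_LIMIT = 100_000   # assumed to cover all three listed categories
EMANDATE_OTHER_LIMIT = 15_000
OFFLINE_LIMIT = 500
LISTED_EMANDATE_CATEGORIES = {
    "credit_card_bill", "insurance_premium", "mutual_fund_subscription",
}


@dataclass
class Transaction:
    amount_inr: int
    channel: str                      # "card_present_pos" | "emandate" | "offline" | "online"
    emandate_category: Optional[str] = None
    initial_emandate_payment: bool = False   # exemptions apply only after the initial payment
    remitter_risk: str = "low"        # constructed risk profile: "low" | "high"
    beneficiary_risk: str = "low"


def exemption_reason(txn: Transaction) -> Optional[str]:
    """Return why the transaction is exempt from AFA, or None if it is not."""
    if txn.channel == "card_present_pos" and txn.amount_inr <= CARD_PRESENT_POS_LIMIT:
        return "small-value card-present PoS payment"
    if txn.channel == "emandate" and not txn.initial_emandate_payment:
        limit = (EMANDATE_LISTED_LIMIT
                 if txn.emandate_category in LISTED_EMANDATE_CATEGORIES
                 else EMANDATE_OTHER_LIMIT)
        if txn.amount_inr <= limit:
            return f"recurring eMandate within INR {limit:,}"
    if txn.channel == "offline" and txn.amount_inr <= OFFLINE_LIMIT:
        return "small-value offline payment"
    return None


def afa_required(txn: Transaction) -> bool:
    """Risk-based decision: a high-risk profile (assumed rule) always
    demands AFA; otherwise the amount/channel exemptions decide."""
    if "high" in (txn.remitter_risk, txn.beneficiary_risk):
        return True
    return exemption_reason(txn) is None


def is_valid_two_factor(factors: Iterable[str]) -> bool:
    """Two-factor means factors from at least two distinct classes;
    two PINs or PIN plus password are still a single class."""
    classes = {FACTOR_CLASS[f] for f in factors if f in FACTOR_CLASS}
    return len(classes) >= 2


def authenticate(txn: Transaction, presented_factors: Iterable[str]) -> str:
    """Outcome of the authorisation step for a transaction."""
    if not afa_required(txn):
        return "approved-exempt"
    if is_valid_two_factor(presented_factors):
        return "approved-afa"
    return "declined-insufficient-factors"


if __name__ == "__main__":
    # Constructed sample transactions.
    pos_small = Transaction(4_000, "card_present_pos")
    pos_large = Transaction(6_000, "card_present_pos")
    sip = Transaction(90_000, "emandate", emandate_category="mutual_fund_subscription")
    print(authenticate(pos_small, []))              # approved-exempt
    print(authenticate(pos_large, ["pin", "card"]))  # approved-afa
    print(authenticate(sip, []))                     # approved-exempt
```

The point worth noting is in is_valid_two_factor: a PIN and a password both belong to the "knows" class, so presenting both is not two-factor authentication under the three-factor model the article describes.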

Guidelines for PSOs for Safer Transactions

Non-bank PSOs must automatically terminate a transaction session after a certain period of inactivity, and users must log in again to continue. PSOs must also implement a control mechanism to detect remote access on a device and block access to the payment page while such access is active.

Card issuers will also receive 24x7 notifications of suspicious payment requests, with sensitive information masked in the notifications. Apps and websites can also report suspicious activities.

For card transactions with PSOs, the terminals must be at the merchant's location so that they can capture and validate the card data reliably. PIN entry devices must be PCI-PTS approved.

These guidelines will come into effect from April 2025.

Note: these directives apply to all authorised non-bank PSOs and their unregulated entities such as payment gateways, third-party service providers, and vendors.

What Do RBI's New Rules for Digital Transactions Aim For?

Altogether, through these new norms, RBI aims to:

  1. Enhance the encryption protocols
  2. Identify and control risks
  3. Safeguard transactions from fraud

Additional announcements

On the same day, RBI issued draft guidelines for AePS (Aadhaar-enabled Payment System) in another press release. These guidelines are for banks.

Banks have to:

  1. Perform due diligence as per the KYC Norms 2016
  2. Update KYC during a transaction after a gap of 6 consecutive months
  3. Monitor the activities of AePS touchpoint operators

As RBI noted, 37 crore+ users have used AePS over the years, but recently many users have locked their Aadhaar for fear of monetary loss. Hence, RBI aims to rebuild users' trust in AePS, so that going forward users don't need to think twice before transacting through Aadhaar.

Wrapping up…

Shaktikanta Das, the governor of RBI, further mentioned that advanced technology has unlocked stronger authentication methods. The digital payment ecosystem can therefore gain double protection by adopting these technologies and enabling two-factor authentication. With these measures, detecting and preventing fraud will be easier, and digital payments will remain safe under the new rules. The final decision on this draft framework will come only after the comment period closes on the specified date. Undoubtedly, the decision will encourage more digital payments in future.