RBI Proposes New Framework On Additional Factor Of Authentication For Digital Payments

The Reserve Bank of India (RBI) has proposed alternate methods of additional factor of authentication (AFA) for digital transactions, including PIN, passwords, cards, and biometrics such as fingerprints, among others.

The central bank’s draft “Framework on Alternative Authentication Mechanisms for Digital Payment Transactions” released on Wednesday (July 31) aims to widen the choice of authentication factors available to payment system operators and users. 

“Over the years, the Reserve Bank of India has prioritised security of digital payments, in particular the requirement of Additional Factor of Authentication (AFA) for making payments. No specific factor was mandated for authentication, but the digital payments ecosystem has primarily adopted SMS-based OTP as AFA. While OTP is working satisfactorily, technological advancements have made available alternative authentication mechanisms,” said the RBI.

An AFA requires the use of more than one factor for authentication of a payment instruction.

The release of the draft framework is in line with the central bank’s announcement in February to adopt a principle-based “Framework for authentication of digital payment transactions” for digital security.

The central bank terms any credential input by the customer that is verified for the purpose of confirming the originator of a payment instruction as the factor of authentication. These factors are broadly categorised as something the user knows (such as password, passphrase, PIN), something the user has (such as card hardware or software token), and something the user is (such as fingerprint or any other form of biometrics).

The central bank has proposed that all digital payment transactions, other than card present transactions, ensure that one of the factors of authentication is created dynamically. This means that the factor should be generated after initiation of payment, be specific to the transaction, and cannot be reused.

It said that the issuers –  bank or non-bank where the customer’s account is maintained – can decide the appropriate AFA for a transaction based on the risk profile of the customer and/ or beneficiary, transaction value, channel of origination, among others.

The following transactions will be exempted from customer authentication: 

• Small value card present transactions for values up to INR 5,000 per transaction in contactless mode at point-of-sale (PoS) terminals. 
• Transactions in respect of subscription to mutual funds, payment of insurance premiums, and credit card bill payments up to certain values 
• Digital toll payments
• Offline payment transactions up to a value of INR 500

The RBI has sought comments and feedback on the draft framework by September 15, 2024.

“All Payment System Providers and Payment System Participants (banks and non-banks) shall ensure compliance with this framework within three months from the date of issue of these directions,” the central bank said.

The development comes at a time when the number of digital transactions as well as digital frauds are on the rise in the country. A recent report by Amazon Pay said that Indian merchants process 69% of their transactions via digital payments. Meanwhile, the central bank said in its annual report that the number of online frauds in the country surged 334% year-on-year to 29,082 in FY24.

Earlier today, the RBI also proposed tighter norms for Aadhaar-enabled Payment System (AePS) touchpoint operators to curb frauds.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.