RBI Makes Two-Factor Authentication Mandatory for All Digital Payments From April 1, 2026
- Kaustav Chowdhury

- Apr 1
From April 1, 2026, the Reserve Bank of India has made two-factor authentication mandatory for all digital payment transactions in India. The directive covers UPI payments, debit and credit card transactions, and mobile wallet operations. The change represents one of the most significant overhauls to India's digital payment security framework in recent years, and it carries compliance obligations for every bank, payment aggregator, fintech company, and merchant that processes digital payments.
What Has Changed: OTP Alone Is No Longer Enough
Until now, a one-time password sent via SMS was treated as sufficient authentication for most digital transactions. The RBI's revised framework changes that position fundamentally. Under the new rules, OTP alone cannot complete a transaction. Every digital payment must be verified through at least two distinct authentication layers. One of those layers must be dynamically generated, meaning the authentication factor must be unique to the specific transaction and cannot be reused or replicated across different transactions. The RBI has clarified that SMS-based OTPs are not being discontinued. They can still function as one authentication factor. However, a second independent factor, such as a PIN, a password, a biometric scan, or a hardware token, must accompany it before a transaction is authorised.
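What "dynamically generated and specific to the transaction" means in practice is easier to see in code than in prose. The following is an added illustration, not code from the RBI directions or from this article, and the RBI does not prescribe any particular mechanism. It assumes a per-device secret provisioned into the customer's registered payment app (so the code can only be produced by that device) and a customer PIN as the independent second factor; the customer IDs, amounts and secret are constructed sample values. The dynamic factor is an HMAC over the transaction's own fields plus a fresh nonce, so a code captured for one transaction cannot authorise a different one, and it is accepted once only and within a validity window. The PIN and the code are checked independently and both must pass.

```python
import hashlib
import hmac
import secrets
import time


class TransactionAuthorizer:
    """Two-factor authorisation with a transaction-bound dynamic factor.

    Factor 1 (knowledge): the customer's PIN, stored only as a salted PBKDF2 hash.
    Factor 2 (dynamic):   a six-digit code computed as an HMAC over the
    transaction's own fields (payer, payee, amount) plus a fresh nonce.
    The code is valid once, for one transaction, and for a limited time.
    """

    def __init__(self, device_secret: bytes, ttl_seconds: int = 300):
        # Assumption for this example: a secret shared with the customer's
        # registered payment app at enrolment, so only that app can produce codes.
        self._device_secret = device_secret
        self._ttl = ttl_seconds
        self._pins = {}      # customer_id -> (salt, pin hash)
        self._pending = {}   # txn_id -> transaction record awaiting authorisation
        self._consumed = set()

    # ---- factor 1: something the customer knows ----
    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol_pin(self, customer_id: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._pins[customer_id] = (salt, self._hash_pin(pin, salt))

    def _pin_ok(self, customer_id: str, pin: str) -> bool:
        record = self._pins.get(customer_id)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(self._hash_pin(pin, salt), expected)

    # ---- factor 2: dynamically generated, specific to one transaction ----
    def _code_for(self, payer: str, payee: str, amount_paise: int, nonce: str) -> str:
        canonical = f"{payer}|{payee}|{amount_paise}|{nonce}".encode()
        mac = hmac.new(self._device_secret, canonical, hashlib.sha256).digest()
        # Truncate to six decimal digits, as HOTP/TOTP do.
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def initiate(self, payer: str, payee: str, amount_paise: int, now=None):
        """Record a pending transaction; return (txn_id, code shown in the customer's app)."""
        now = time.time() if now is None else now
        txn_id = secrets.token_hex(8)
        nonce = secrets.token_hex(8)  # fresh per transaction: codes never repeat
        self._pending[txn_id] = {"payer": payer, "payee": payee,
                                 "amount_paise": amount_paise,
                                 "nonce": nonce, "issued_at": now}
        return txn_id, self._code_for(payer, payee, amount_paise, nonce)

    def authorise(self, txn_id: str, pin: str, code: str, now=None) -> str:
        """Return 'ok' if both factors pass, otherwise a short rejection reason."""
        now = time.time() if now is None else now
        if txn_id in self._consumed:
            return "replay"
        txn = self._pending.get(txn_id)
        if txn is None:
            return "unknown_txn"
        if now - txn["issued_at"] > self._ttl:
            del self._pending[txn_id]
            return "expired"
        expected = self._code_for(txn["payer"], txn["payee"],
                                  txn["amount_paise"], txn["nonce"])
        # Evaluate both factors unconditionally and report one combined result,
        # so a caller cannot learn which factor was wrong.
        pin_ok = self._pin_ok(txn["payer"], pin)
        code_ok = hmac.compare_digest(expected, code)
        if not (pin_ok and code_ok):
            return "auth_failed"
        self._consumed.add(txn_id)
        del self._pending[txn_id]
        return "ok"


def demo() -> dict:
    """Walk through the success path and the failure modes; return the outcomes."""
    auth = TransactionAuthorizer(device_secret=b"example-device-secret-not-a-real-key")
    auth.enrol_pin("payer@upi", "4821")  # constructed sample customer and PIN
    t0 = 1_700_000_000.0

    # Legitimate Rs 500.00 transfer, authorised with the PIN plus the code bound to it.
    txn_a, code_a = auth.initiate("payer@upi", "shop@upi", 50_000, now=t0)
    first = auth.authorise(txn_a, "4821", code_a, now=t0 + 5)
    replay = auth.authorise(txn_a, "4821", code_a, now=t0 + 6)  # same code again

    # Attacker who captured code_a (say via SIM swap) and even knows the PIN
    # tries to use it for a Rs 50,000 transfer to a different payee.
    txn_b, _ = auth.initiate("payer@upi", "mule@upi", 5_000_000, now=t0)
    reused_code = auth.authorise(txn_b, "4821", code_a, now=t0 + 7)

    # Correct code but wrong PIN: the dynamic factor alone is not enough.
    txn_c, code_c = auth.initiate("payer@upi", "shop@upi", 50_000, now=t0)
    wrong_pin = auth.authorise(txn_c, "0000", code_c, now=t0 + 8)

    # Correct PIN and code, presented after the validity window.
    txn_d, code_d = auth.initiate("payer@upi", "shop@upi", 50_000, now=t0)
    expired = auth.authorise(txn_d, "4821", code_d, now=t0 + 600)

    return {"first": first, "replay": replay, "reused_code": reused_code,
            "wrong_pin": wrong_pin, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the code is derived from the amount and payee the customer actually saw, which is what distinguishes a transaction-specific factor from a generic OTP: an intercepted code is useless for any other transfer, and it is consumed on first use. A real deployment would also rate-limit failed attempts per customer and per transaction.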
Scope of the Mandate: Who and What It Covers
The mandate applies to all payment service providers operating in India, including scheduled commercial banks, small finance banks, payment banks, non-bank payment system operators, prepaid payment instrument issuers, and UPI app providers. Every system through which a customer initiates a digital payment must now support and enforce two-factor authentication. Card-present transactions at POS terminals, card-not-present transactions for online purchases, UPI transfers, and wallet-to-bank transfers are all within scope. Merchants and payment gateways that rely on single-factor authentication to process customer payments will need to upgrade their systems. The compliance obligation falls on the payment service provider, not on the individual customer, though customers will experience the practical effect of the additional verification step during each transaction.
Why the RBI Has Acted: The Fraud Context
The directive comes in direct response to a sustained rise in digital payment fraud across India. Phishing attacks, SIM swap frauds, and social engineering schemes have demonstrated repeatedly that OTP-based systems carry significant vulnerabilities. In SIM swap fraud, a criminal convinces a telecom operator to reassign a victim's mobile number to a SIM card under the criminal's control, allowing interception of all OTPs sent to that number. Against that threat, an OTP delivered by SMS provides no meaningful security if the number itself has been compromised. The addition of a second, genuinely independent authentication factor, particularly a possession factor (a registered device or hardware token) or an inherence factor (a biometric), substantially raises the barrier for unauthorised access. The independence is the point: a second code delivered to the same mobile number adds nothing against an attacker who already holds the SIM, and a PIN that the victim has been talked into revealing adds little against the social engineer who obtained it. The RBI has noted that the objective is to build lasting trust in India's digital payment infrastructure, which now processes billions of transactions monthly.
International Transactions: The Next Phase
The April 1 mandate addresses domestic digital payments. The RBI has indicated that similar two-factor authentication norms will be extended to international transactions, including cross-border card payments and e-commerce purchases made on foreign platforms, with full implementation targeted by October 2026. This extension will require coordination with international card networks and foreign payment processors, which adds a layer of complexity beyond the domestic rollout. Indian businesses that operate internationally or process payments from overseas customers should begin assessing how their current authentication flows handle cross-border transactions in anticipation of the October deadline.
Practical Takeaways
For banks and payment service providers, non-compliance with the April 1 deadline exposes the institution to regulatory action by the RBI, including directions to suspend payment services. For customers, transactions may now take slightly longer as the additional authentication step is processed. Businesses that integrate payment gateways into their websites or apps should confirm with their payment processor that 2FA has been enabled and that their checkout flow supports it correctly. Merchants should also be aware that the additional step can marginally affect checkout conversion rates, and that a smooth, clearly communicated authentication experience will be essential to maintain customer confidence. From a legal standpoint, a payment service provider that processes a fraudulent transaction without complying with the 2FA framework will face difficulty arguing that it exercised reasonable care, which has direct implications for consumer dispute resolution and liability under the RBI's chargeback and fraud resolution frameworks.