What is changing?
Under the updated rules, all digital transactions will require two-factor authentication (2FA), incorporating at least one dynamic element such as a one-time password (OTP), biometric verification, or device-based authentication. This is a step up from the current OTP-only approach, which experts say is vulnerable to phishing and SIM-swap attacks.
Earlier when the rule was announced Sanjay Tripathy, CEO & Co-Founder, BRISKPE, a cross-border payments platform told Economic Times, “RBI by mandating risk-based checks has formalised a framework that encourages a variety of authentication mechanisms beyond just SMS-based OTPs. The requirement for an Additional Factor of Authentication (AFA) in cross-border card-not-present transactions is a critical step to increase trust and reduce risks, benefiting both businesses and customers. It aligns India with global best practices and strengthens the country’s position in the international digital payments space, fostering a more secure and compliant ecosystem.”
The RBI’s new framework represents a shift from rigid rule-based compliance to principle-driven regulation, promoting innovation while establishing a strong baseline for payment security.