Source: TOI
Context:
India’s digital payments ecosystem has grown rapidly, but concerns over fraud and cyber risks remain. The Reserve Bank of India (RBI) has issued new digital payment directions, effective April 2026, introducing a risk-based authentication (RBA) framework for banks. The framework aims to strengthen security, reduce consumer friction, and align India’s payment system with international best practices.
Key Highlights:
- Shift from OTP-centric system:
  - Maintains mandatory two-factor authentication (2FA).
  - Moves away from a static one-time password (OTP) approach to dynamic, risk-based checks.
- Risk-Based Authentication Features:
  - Uses signals such as device compromise, transaction behaviour, location, and history to detect anomalies.
  - Allows transaction-specific measures, reducing false rejections and enhancing fraud detection.
  - Additional verification applied only when transactions appear suspicious (e.g., new device, odd timing, overseas).
  - Routine transactions like bill payments and small purchases remain seamless.
- Alternative Authentication Methods:
  - Banks can offer biometrics, device-binding, or other methods as one of the two authentication factors.
  - Supports a layered, zero-trust approach, improving security without creating friction.
- Implementation Challenges:
  - Banks may need to upgrade systems to incorporate AI-driven fraud detection and behavioural analytics.
  - Potential rural-urban divide due to limited smartphone access in rural areas; OTPs remain important.
  - Legal and regulatory considerations must be addressed alongside technical upgrades.





