The Reserve Bank of India issued new rules on Thursday, September 25th, to make digital payments more secure and reliable. Under these rules, online transactions will no longer be based solely on SMS-based OTPs.

The Reserve Bank of India has taken a major step regarding digital payments. On Thursday, September 25th, the Reserve Bank of India issued new rules to make digital payments more secure and reliable. Under these rules, online transactions will no longer be limited to SMS-based OTPs; customers will also be able to make payments using fingerprint, face recognition, password, PIN, or other biometric options. These new rules will be implemented from April 1st, 2026.

Two-factor authentication will now be stronger.

Currently, most banks and payment apps use only OTPs to confirm transactions. However, even after the new rules, OTPs will continue to be used, but they will not be the only payment option. Under the new RBI rules, three categories of authentication will be valid.

1. An item possessed by the user - such as a mobile phone, a hardware token

2. Information known to the user - such as a password, PIN, or passphrase

3. User identity - such as biometrics, fingerprints, or face recognition

Every transaction will now have unique verification

Regarding the new rules, the RBI has clearly stated that every payment must have at least one authentication factor that is unique and new for that transaction. This means that old or repeatable codes will no longer be accepted, significantly reducing the likelihood of fraud. Following these changes, banks and payment providers will now be able to conduct risk analysis to ensure transaction security. This will include transaction location, user behavior, device information, and previous transactions. Additional verification and secure platforms like digital lockers will be used for high-risk payments.

Violations and compensation

Under the new rules, if a customer loses money to digital fraud due to negligence or non-compliance by a financial institution, the relevant institution will be required to fully compensate for the loss. Additionally, these stricter verification rules will also be implemented for card-not-present type foreign transactions from October 1, 2026. This step will be specifically for transactions that take place outside India.