From OTP To Biometrics: Analysing RBI’s Directions On Payment Authentication
Introduction
The Reserve Bank of India ("RBI") issued the RBI (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025 ("Directions"),[1] effective 1 April 2026, applicable to all payment system providers, participants, banks, and non-banks for domestic digital payment transactions.[2] We examine the reforms and the regulatory concerns associated with the Directions.
Analysis
Key Improvements:
1. Enhanced Authentication Method
In 2009, RBI mandated an additional factor of authentication ("AFA") for online card transactions, without properly defining or explaining the methodology.[3] The Directions now fill this gap by classifying AFA as something the user is, has, or knows, which may include passwords, one-time passwords ("OTP"), PINs, card hardware, software tokens, fingerprints, and other forms of biometrics (device-native or Aadhaar-based).[4] Given the wide availability of biometric mechanisms (including fingerprint scanners and smartphone facial recognition), this broader definition enables a move from the outdated OTP system to a more secure and convenient method.
2. Flexible Authentication with Built-in Safeguards
The Directions mandate a minimum of two factors of authentication, unless exempted, for all digital payment transactions, of which one must be dynamic (i.e., generated or verified specifically for that transaction, so that the proof of identity provided is unique to that particular transaction).[5] Issuers[6] may offer their customers a choice of authentication factors.[7] Furthermore, issuers can incorporate checks beyond the AFA for high-risk transactions, in line with their internal risk management policies.[8]
It may reasonably be concluded that dynamic authentication encompasses mechanisms such as transaction-specific OTPs sent via email or generated through an authenticator application, as well as real-time authentication prompts delivered to a registered device.[9] In contrast, non-dynamic authentication may be interpreted to encompass methods that lack a dynamic or transaction-specific element, such as biometric methods like fingerprint recognition and facial scans.[10]
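The distinction between a static factor and a transaction-bound dynamic factor is easiest to see in code. The following is an added illustration, not code from the article or any RBI or issuer system: an issuer-side verifier that combines a static knowledge factor (a salted-and-hashed PIN) with a dynamic factor derived from an HMAC over the transaction's amount, payee and a fresh per-transaction nonce. The class and function names, the canonical transaction encoding, the key length and the sample values are all assumptions made for the example; the code truncation step is borrowed from RFC 4226 (HOTP), but the HMAC input is the transaction rather than a counter.

```python
"""Two-factor payment authentication with one transaction-bound (dynamic) factor.

Added illustration, not code from the article or from the RBI.  Names, the
canonical transaction encoding and the sample values are assumptions.
"""
import hashlib
import hmac
import secrets

OTP_DIGITS = 6


def canonical_transaction(amount_paise: int, payee_id: str, nonce: str) -> bytes:
    """Fixed encoding of the details the dynamic factor is bound to.

    Changing any field (amount, payee, per-transaction nonce) changes these
    bytes and therefore the code derived from them.
    """
    return f"{amount_paise}|{payee_id}|{nonce}".encode("utf-8")


def generate_transaction_otp(secret: bytes, amount_paise: int,
                             payee_id: str, nonce: str) -> str:
    """Derive a short numeric code from an HMAC over the transaction details.

    Truncation follows the dynamic-truncation step of RFC 4226, but the MAC
    covers the transaction, so the code is valid only for this exact
    amount, payee and nonce.  The enrolled device runs the same function.
    """
    mac = hmac.new(secret, canonical_transaction(amount_paise, payee_id, nonce),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The static knowledge factor is stored as a salted hash, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 200_000)


class Issuer:
    """Issuer-side verifier holding one customer's enrolled factors (assumed design)."""

    def __init__(self, device_secret: bytes, pin: str):
        self.device_secret = device_secret      # shared with the enrolled device
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.pin_salt)
        self.used_nonces = set()                # replay protection for the dynamic factor

    def issue_nonce(self) -> str:
        """Fresh challenge for one transaction; this is what makes the factor dynamic."""
        return secrets.token_hex(8)

    def verify_pin(self, candidate: str) -> bool:
        """Static factor: the same answer is correct for every transaction."""
        return hmac.compare_digest(self.pin_hash, hash_pin(candidate, self.pin_salt))

    def verify_transaction_otp(self, amount_paise: int, payee_id: str,
                               nonce: str, candidate: str) -> bool:
        """Dynamic factor: correct only for this transaction, and only once."""
        if nonce in self.used_nonces:
            return False
        expected = generate_transaction_otp(self.device_secret, amount_paise, payee_id, nonce)
        ok = hmac.compare_digest(expected, candidate)
        if ok:
            self.used_nonces.add(nonce)
        return ok

    def authorise(self, amount_paise: int, payee_id: str, nonce: str,
                  pin: str, otp: str) -> bool:
        """Two factors, one of them dynamic: both must pass."""
        return self.verify_pin(pin) and self.verify_transaction_otp(
            amount_paise, payee_id, nonce, otp)


if __name__ == "__main__":
    # Constructed sample: Rs 1,500.00 to a merchant, with a device secret of all 0x01 bytes.
    issuer = Issuer(b"\x01" * 32, "4321")
    nonce = issuer.issue_nonce()
    otp = generate_transaction_otp(issuer.device_secret, 150000, "merchant-42", nonce)
    print("same code, ten times the amount:", issuer.authorise(1500000, "merchant-42", nonce, "4321", otp))
    print("correct PIN and code:           ", issuer.authorise(150000, "merchant-42", nonce, "4321", otp))
    print("replay of the same code:        ", issuer.authorise(150000, "merchant-42", nonce, "4321", otp))
```

The point the example makes is the one the Directions rest on: a code that verifies for a payment of Rs 1,500 to one payee does not verify for Rs 15,000 to the same payee with the same nonce, and cannot be presented a second time, whereas the PIN verifies identically every time. A production issuer would add attempt limits and lockout around `verify_pin` and `verify_transaction_otp`; those are omitted here to keep the two factors' behaviour visible.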
3. Cross-Border Card Transaction Provisions
Previous regulatory directions were silent on cross-border card transactions. The Directions address this gap directly. By 01 October 2026, card issuers are required to establish mechanisms to validate non-recurring cross-border card-not-present ("CNP") transactions initiated by an overseas entity.[11] A risk-based mechanism for all cross-border CNP transactions must also be in place by the same deadline, with issuers required to register their Bank Identification Numbers with the relevant card networks.[12]
In effect, this mandates that Indian issuers participate in global authentication protocols, such as EMV 3-D Secure (an international card authentication protocol), thereby reducing both transaction failures and cross-border fraud.
Regulatory Concerns:
1. Transition Friction
Implementation is left to individual issuers, with no prescriptive technical standard from the RBI. A sudden shift to a non-SMS-based OTP may cause inconvenience to some users. Rural and non-tech-savvy individuals are likely to be more affected, as they may not have access to smartphones with biometric features. Checks beyond AFA for high-risk transactions may lock out some users from using these facilities. Financial institutions might require a transition period to implement a new framework effectively.
2. The Data Protection Gap
The Directions require issuers to comply with the Digital Personal Data Protection Act, 2023 ("DPDP Act").[13] Although the DPDP Act was notified on 14 November 2025, the substantive operative provisions will come into force 18 months later, i.e., on 14 May 2027. The Directions are already operative, but the data protection obligations they invoke are not yet enforceable. This creates a tangible regulatory gap.
The concern is amplified by the nature of the data involved. Biometric identifiers are immutable: a compromised fingerprint cannot be reset like a password. Section 8(4) of the DPDP Act requires data fiduciaries to implement "appropriate technical and organisational measures," but this formulation is vague and leaves the applicable standard to individual issuers, falling short of mandating end-to-end encryption.[14] When the Digital Personal Data Protection Rules, 2025 ("DPDP Rules") take full effect, Rule 6 of the DPDP Rules will introduce minimum safeguards, including encryption, access controls, logging, and a one-year log retention requirement, while Rule 7 of the DPDP Rules will establish breach notification obligations requiring prompt intimation to affected data principals.[15] Until then, the data protection aspects of these Directions remain in a grey area.
Conclusion
The Directions overall mark a significant leap forward for the Indian regulatory regime on digital transactions. Card issuers will have to significantly alter and modernise their systems, which will require initial investments and technical expertise. Merchants may notice a slight increase in transaction processing time and a small drop in transaction volume; however, in the long run, this is likely to be offset by fewer instances of fraud and increased consumer trust. Individual consumers stand to benefit the most from a more secure and robust framework. Still, it is incumbent on the RBI, as the sectoral regulator, to remain cognizant of any potential concerns and introduce future amendments in this regard.