RBI mulls new ways to authenticate digital payments besides OTP. Check proposed options to verify online transactions

Thanks to a series of online frauds and scams that led to the massive loss of money of gullible investors, the Reserve Bank of India (RBI) is taking tangible steps to make sure that digital payments remain safe.

For the unversed, the RBI has, over the years, prioritised the security of digital payments, in particular, the requirement of an Additional Factor of Authentication (AFA) for making payments. No specific factor was mandated for authentication, but the digital payments ecosystem has primarily adopted SMS-based one-time password (OTP) as AFA.

While OTP is working effectively, technological advancements have made alternative authentication mechanisms available.

It is worth remembering that the RBI released a ‘Statement on Developmental and Regulatory Policies’ on February 8 this year, which was a precursor to the draft framework released now. You can read this article for more details on this. 

The RBI has now released a draft ‘Framework on Alternative Authentication Mechanisms for Digital Payment Transactions’. The primary aim of this framework is to enable the ecosystem to adopt alternative authentication mechanisms. This will widen the choice of authentication factors available to Payment System Operators and users.

These are some of the key details of framework:

In order to authenticate payment instruments by the payment system providers, these are the principles to be followed:

I. All digital payment transactions will be authenticated with an additional factor(s) of authentication (AFA), unless exempted otherwise.

II. All digital payment transactions, other than card-present transactions, have to ensure that one of the factors of authentication is dynamically created. This practically means the factor is generated after initiation of payment, is specific to the transaction and cannot be reused.

III. The first factor of authentication and the AFA will be from different categories.

IV. Besides, the issuers may adopt a risk-based approach in deciding the appropriate additional factor of authentication for a transaction, which will be based on the risk profile of the customer and / or beneficiary, transaction value, channel of origination, etc.

V. Issuers to also have a system of alerting the customer in near real time for all eligible digital payment transactions.

VI. Issuers will obtain explicit consent before enabling any new factor of authentication for the customer. The customer will also be provided a facility to deregister from using the new factor of authentication.

Stakeholders are urged to send comments or feedback on the draft framework by email or post to the Chief General Manager-in-Charge, Department of Payment and Settlement Systems, Reserve Bank of India, Central Office, fourteenth floor, Shahid Bhagat Singh Marg, Mumbai-400001, on or before September 15, 2024.