This article highlights how to build a payments strategy where instant settlement and digital transaction security can effectively coexist as RBI Authentication Directions take effect in April 2026. The new RBI Authentication Mandate represents a significant regulatory shift for India’s payments ecosystem, reflecting the region’s rapid adoption of instant payments and the subsequent acceleration of fraud attacks and losses tied to instant payments.
Fighting digital payment fraud with two-factor authentication
The risk of fraud is 10x higher in instant payments than in regular payments², and estimates show $1.03 trillion was lost to payment fraud in 2024³. Data from the Union Home Ministry shows that in 2023-24, as many as 13.42 lakh incidents of UPI frauds were reported, compared to the 7.25 lakh reported in the previous year⁴.
The Reserve Bank of India Directions aim to enhance the security, interoperability and reliability of India’s digital payment systems. The RBI Authentication Mandate centers around robust two-factor authentication (2FA) mechanisms and risk-based authentication protocols designed to increase digital payments security. To ensure compliance, the mandate’s 2FA protocols require authenticating two independent factors and direct one of the two factors to be dynamic, that is, unique to each transaction:
- Possession: Something you have (One-time password, Device binding or Card security code)
- Knowledge: Something you know (Password, PIN, Knowledge Based Questioning or memorized swiping paths)
- Inherence: Something you are (Fingerprint Scanning, Voice or Facial Recognition, Behavioral Biometrics or Retina and Iris Scanning)
The requirements of the RBI Authentication Mandate align closely with global authentication standards and best practices, like 3DS and GDPR, while preserving flexibility for issuers and Payment Service Providers (PSPs). The new mandate supports contextual, risk-based checks providing financial institutions and payment issuers with the flexibility to tailor authentication based on transaction behavior, device, location or risk level. This helps organizations control digital payment fraud while also creating strong customer experiences.
Re-evaluating your payments strategy through a risk-based lens
The RBI Authentication Mandate goes into effect April 1, 2026. Assessing the readiness of your payments strategy against these new directions is a valuable way to prepare and help your organization:
- Strengthen fraud prevention across your payments ecosystem
- Protect your brand reputation
- Minimize operational disruptions or loss of payment channels
- Reduce exposure to potential RBI penalties, including full compensation to customers for losses due to non-compliance
An important exercise is defining a risk-based authentication strategy outlining specific policies around transaction types, risk tolerances and escalation paths and then aligning those processes with RBI compliance requirements. This step provides a great place to proactively begin evaluating risk assessment workflows and systems for potential vulnerabilities tied to screening delays, data silos and risk blind spots by:
- Mapping all customer journeys (onboarding, login, transaction and recovery flows)
- Documenting fraud risks such as APP scams, device spoofing, mule behaviour and account takeover
- Implementing secure data minimization consistent with RBI cybersecurity directives and the Digital Personal Data Protection Act (2023)
- Planning for compliant data handling and traceability of authentication events for RBI audits
- Identifying automation solutions to reduce screening times and minimize step-ups and remediation delays
Understanding where there are potential gaps in data coverage, decision processes and technology capacity positions your business to take action to meet the RBI requirements while effectively managing growing digital payments volumes.
Adding the fraud controls and technology tools that enhance competitive advantage
Supporting real-time authentication and account checks prior to payment initiation requires a combination of technology tools, behavior and device insights, multi-layered risk intelligence and historical transaction context. It is important to implement fraud controls and technology tools that work in sync to facilitate a level of risk-based authentication that enables your organization to confidently:
- Stay compliant with the RBI guidelines
- Eliminate unnecessary friction for trusted customers
- Enhance the security and integrity of your entire payments ecosystem
Demand for digital payments continues multiplying. It is essential to balance compliance with the RBI Authentication Mandate against customer expectations for speed and convenience. The goals of reinforcing fraud controls and raising transaction security have to exist within a payments workflow designed to reduce screening times, automate decisions and accelerate throughput. When evaluating payment screening technology tools, it is important to consider solutions that can:
- Support a risk-based strategy that aligns authentication (identity, device, behavioral and location) and payment risk assessment
- Automate core payment and fraud control workflows
- Offer interoperability across multiple payment channels (mobile, web, UPI or app) to enable seamless authentication
- Provide the responsiveness to adjust to changing risk thresholds and fraud controls
- Easily scale to meet growing digital payments demand
- Meet security and privacy compliance requirements
The volume and velocity of digital payments require a dynamic, adaptive and intelligence-based risk assessment strategy. Taking time now to identify opportunities to streamline real-time payment screening helps increase alignment with RBI Authentication Directions and minimize disruptions for your trusted customers as the April 2026 deadline approaches.
Considering new ways to strengthen identity protection? LexisNexis® Risk Solutions offers a full suite of risk decision technology to help your organization complete secure, privacy-compliant identity, device, behavioral and biometric authentication and payment risk assessment. Let us help you build a payments ecosystem that effectively balances confident payment screening with seamless customer experience.
References:
1 Unified Payments Interface (UPI) Product Statistics | NPCI
2 https://www.eba.europa.eu/sites/default/files/2024-04/363649ff-27b4-4210-95a6-0a87c9e21272/Opinion%20on%20new%20types%20of%20payment%20fraud%20and%20possible%20mitigations.pdf
3 International Scammers Steal Over $1 Trillion in 12 Months in New Global State of Scams Report
4 Digital Frauds, Including In UPI, Have Doubled: Home Ministry To Parliament