With the rise in digital threats and increasingly clever cyber fraud techniques, the Reserve Bank of India (RBI) has stepped up by introducing a new framework to make digital payments more secure. This framework focuses on adopting alternative authentication methods to strengthen transaction safety.
By taking this step, the RBI reinforces its commitment to protecting the integrity of digital payments. While SMS-based One-Time Passwords (OTPs) have been a widely used method for the Additional Factor of Authentication (AFA), the RBI now aims to explore more advanced solutions that not only boost security but also offer users greater flexibility. Currently, no particular method has been mandated for authentication. While the existing OTP method is working fine, there have been conversations about exploring alternative mechanisms for the Additional Factor of Authentication (AFA).
RBI Press Release: Emphasizing Advanced Authentication for Safer Digital Payments
In a press release dated July 31, 2024, the Reserve Bank of India (RBI) announced its draft framework for Alternative Authentication Mechanisms for Digital Payments. The framework reflects the RBI's focus on securing digital transactions by requiring an Additional Factor of Authentication (AFA). While SMS-based One-Time Passwords (OTPs) have been the most commonly used method for AFA, the RBI recognizes the need to leverage advanced technological solutions to enhance both security and convenience.
The draft framework categorizes authentication factors into three primary Multi-Factor Authentication (MFA) factor types:
- Something the user knows: Examples include passwords, PINs, or passphrases.
- Something the user has: This includes hardware tokens such as YubiKey tokens, display tokens, FIDO2 HOTP, OTP c100, etc.
- Something the user is: This refers to biometrics like fingerprints or facial recognition.
The RBI highlighted that these new guidelines aim to standardize and strengthen digital payment security while adapting to evolving technology. Payment system providers, including banks and non-banking entities, will be required to implement these measures within three months of the framework's issuance.
Exceptions to the RBI's 2FA Rules
While the RBI's new framework emphasizes stricter authentication measures for digital payments, certain transactions have been exempted from the requirement for an Additional Factor of Authentication (AFA). These exceptions aim to maintain user convenience for low-risk or small-value transactions, ensuring a seamless payment experience. The exemptions include:
- Small Value Contactless Card Payments: Transactions up to ₹5,000 per transaction made in contactless mode at Point of Sale (PoS) terminals. The idea is to simplify small transactions like those often made in rural or low-connectivity areas, where authentication challenges could disproportionately hinder the transaction process.
- E-Mandates for Recurring Payments: Recurring payments like subscriptions or insurance premiums, provided the transaction value is within the permissible limits.
- Small Value Offline Digital Payments: Offline payments are capped at ₹500 per transaction, typically used for low-value purchases.
- Utility through select Prepaid Instruments (PPIs) and NETC:
  - Prepaid Instruments: These are typically used for specific services like mass transit systems (e.g., metro or bus cards) and gift cards. Transactions using these instruments are streamlined to allow quick access or payment without the need for each transaction to be authenticated, which enhances the speed and ease of use.
  - National Electronic Toll Collection (NETC) System: This system is used for automated toll payments. Vehicles registered in the NETC program can pass through tolls without stopping to make payments, as fees are automatically deducted from the registered account linked to the vehicle. This setup bypasses the need for manual authentication at each toll booth, facilitating smoother traffic flow.
These exceptions balance security with user convenience, particularly for frequent, low-risk transactions, while still adhering to RBI's overarching goal of enhancing payment security.
E-Mandates and KYC
The Reserve Bank of India (RBI) has introduced e-mandates to streamline recurring payments while ensuring a secure and hassle-free experience for users. These mandates are particularly beneficial for recurring transactions such as subscriptions, insurance premiums, and credit card bill payments, providing a seamless way to manage payments without repeated manual authorization.
Here’s how e-mandates are structured under RBI’s guidelines:
- High-Value Transactions: Payments for insurance premiums, mutual fund subscriptions, or credit card bills can now be processed seamlessly for amounts up to ₹1,00,000.
- Other Recurring Payments: Transactions in all other categories are capped at ₹15,000, ensuring quick, automated processing for low-value, frequent payments.
To enhance security, the RBI has tied e-mandates to updated Know Your Customer (KYC) protocols. If no digital transaction has been conducted with a particular vendor in the last six months, banks are required to redo the KYC process to ensure the legitimacy of the mandate. This step reinforces safety, reducing the risk of fraud while maintaining user trust.
The combination of e-mandates and updated KYC requirements demonstrates RBI's commitment to balancing convenience and security. This approach fosters a secure and efficient digital payment ecosystem by reducing friction in recurring payments and safeguarding user information.
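To make the exemption rules and e-mandate limits above concrete, here is an added example (written for this article, not code from miniOrange or the RBI) that evaluates a transaction against them and, where AFA is required, checks that the presented methods cover two distinct factor types from the three categories listed earlier. The data model, the channel labels and the classification of methods into factors are assumptions; the rupee thresholds and the six-month KYC rule are the figures stated in the article, with "six months" approximated as 183 days.

```python
"""Illustrative AFA policy evaluator for the RBI draft framework summarised above.

Added example written for this article; not code from miniOrange or the RBI.
Field names, channel labels and the method-to-factor mapping are assumptions;
the thresholds (₹5,000 contactless PoS, ₹500 offline, ₹1,00,000 / ₹15,000
e-mandate caps, six-month KYC re-verification) are those quoted in the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Iterable, Optional, Tuple


class Factor(Enum):
    KNOWS = "something the user knows"  # passwords, PINs, passphrases
    HAS = "something the user has"      # hardware tokens, FIDO2 keys
    IS = "something the user is"        # fingerprint, facial recognition


# Assumed classification. SMS OTP is treated as possession of the registered
# phone; two methods from the same category do not add up to a second factor.
METHOD_FACTOR = {
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "sms_otp": Factor.HAS,
    "hardware_token": Factor.HAS,
    "fido2": Factor.HAS,
    "fingerprint": Factor.IS,
    "face": Factor.IS,
}

# E-mandate categories the article places under the ₹1,00,000 limit.
HIGH_VALUE_MANDATE_CATEGORIES = {"insurance_premium", "mutual_fund", "credit_card_bill"}
# "Six months" approximated as 183 days (assumption; an issuer would apply its own calendar rule).
KYC_STALE_AFTER = timedelta(days=183)


@dataclass
class Transaction:
    amount_inr: int
    # Assumed channel labels: contactless_pos, offline, e_mandate, ppi_transit, ppi_gift, netc, online
    channel: str
    mandate_category: Optional[str] = None
    last_txn_with_payee: Optional[date] = None
    today: date = date(2024, 8, 1)  # constructed reference date for the examples


def exemption(txn: Transaction) -> Optional[str]:
    """Return the exemption that waives AFA for this transaction, or None."""
    if txn.channel == "contactless_pos" and txn.amount_inr <= 5_000:
        return "small-value contactless card payment"
    if txn.channel == "offline" and txn.amount_inr <= 500:
        return "small-value offline digital payment"
    if txn.channel == "e_mandate":
        cap = 100_000 if txn.mandate_category in HIGH_VALUE_MANDATE_CATEGORIES else 15_000
        return f"e-mandate within the ₹{cap:,} limit" if txn.amount_inr <= cap else None
    if txn.channel in ("ppi_transit", "ppi_gift", "netc"):
        return "select PPI / NETC payment"
    return None  # anything unlisted is not exempt: AFA required (fail closed)


def kyc_refresh_needed(txn: Transaction) -> bool:
    """E-mandate KYC must be redone if there was no transaction with the payee in six months."""
    if txn.channel != "e_mandate":
        return False
    if txn.last_txn_with_payee is None:
        return True
    return txn.today - txn.last_txn_with_payee > KYC_STALE_AFTER


def distinct_factors(methods: Iterable[str]) -> set:
    """Map presented methods to factor categories, rejecting unknown methods."""
    factors = set()
    for m in methods:
        if m not in METHOD_FACTOR:
            raise ValueError(f"unknown authentication method: {m}")
        factors.add(METHOD_FACTOR[m])
    return factors


def authorize(txn: Transaction, presented_methods: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide whether the transaction may proceed, with the reason for the decision."""
    if kyc_refresh_needed(txn):
        return False, "KYC re-verification required before the mandate can execute"
    waiver = exemption(txn)
    if waiver is not None:
        return True, f"AFA waived: {waiver}"
    factors = distinct_factors(presented_methods)
    if len(factors) >= 2:
        return True, "AFA satisfied: " + ", ".join(sorted(f.name for f in factors))
    return False, f"AFA required: need two different factor types, got {len(factors)}"


if __name__ == "__main__":
    # Constructed sample transactions.
    samples = [
        (Transaction(4_999, "contactless_pos"), ()),
        (Transaction(5_001, "contactless_pos"), ("pin", "password")),
        (Transaction(5_001, "contactless_pos"), ("pin", "fido2")),
        (Transaction(90_000, "e_mandate", "insurance_premium", date(2024, 6, 1)), ()),
        (Transaction(9_000, "e_mandate", "ott_subscription", date(2024, 1, 1)), ()),
    ]
    for txn, methods in samples:
        print(txn.channel, txn.amount_inr, authorize(txn, methods))
```

Two design points matter here: the evaluator is fail-closed, so any transaction that does not match a listed exemption requires AFA, and two methods from the same category (a PIN plus a password) are rejected as a single factor, which is the distinction the three-category list in the framework is meant to enforce.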
Conclusion: How can miniOrange help?
miniOrange offers a comprehensive suite of multifactor authentication (MFA) methods, designed to enhance security and comply with RBI’s stringent authentication standards. Among the more than 15 MFA options available are Google Authenticator, YubiKey, and biometric authentication (like fingerprint and facial recognition), along with various other advanced methods. This offers flexibility to cater to diverse security needs.
As an Indian vendor, miniOrange understands the unique challenges faced by businesses in the region. Our in-depth expertise allows us to craft solutions for every edge case, ensuring seamless integration and unparalleled support. Operating locally makes it easier for organizations to access integration assistance, enabling smoother deployments and faster problem resolution.
By integrating these diverse Multi-Factor Authentication (MFA) techniques, miniOrange not only aligns with the latest RBI regulations but also provides flexible, user-friendly security solutions that adapt to various security needs. Choose miniOrange for a trusted partner that adapts to your evolving security requirements while delivering excellence in identity and access management.