No More OTPs for UPI? Why the RBI’s New Digital Payment Rules Starting April 1 Change Everything

Starting April 1, 2026, the RBI is making Two-Factor Authentication (2FA) mandatory for all digital payments, including UPI and credit cards. The new rules move beyond simple SMS-based OTPs, requiring at least one dynamic factor like biometrics or app-based tokens to verify transactions. This risk-based approach aims to curb rising cyber fraud while holding banks liable for security lapses.


India’s digital payment landscape is set for a major security overhaul starting April 1, 2026. The Reserve Bank of India (RBI) is implementing a new principle-based framework for transaction authentication. The move, which is aimed at curbing cyber frauds like SIM-swapping and phishing, will fundamentally change how over 400 million UPI users and millions of cardholders authorize their daily payments.

Under the new guidelines, the long-standing reliance on SMS-based One-Time Passwords (OTPs) as the only verification method will end. Instead, every digital transaction, whether via UPI, credit/debit cards, or mobile wallets, must now pass through a mandatory Two-Factor Authentication (2FA) process involving at least one dynamic factor.

The End Of OTP Only Payments 

The RBI’s "Authentication Mechanisms for Digital Payment Transactions Directions, 2025" requires that all entities in the payment chain move away from static credentials.

  • Mandatory 2FA: Users will now need to provide two different types of verification. This could be a combination of "something you know" (PIN or password), "something you have" (a registered device or token), and "something you are" (biometrics like fingerprint or face ID).
  • Dynamic Requirement: At least one of the two factors must be dynamic, meaning it is generated uniquely for that specific transaction. While OTPs still count as a dynamic factor, they can no longer be the only layer of security.
  • In-App Approvals: Many banking and UPI apps are expected to transition to secure, encrypted in-app notification approvals to replace traditional SMS codes, which are increasingly vulnerable to interception.

Risk-Based Security 

The new framework introduces "Risk-Based Authentication," allowing banks to adjust security levels based on the user's spending patterns and location.

  • If a transaction is made from a new device or an unusual geographic location, the system may trigger additional verification layers beyond the standard 2FA.
  • In a win for consumer protection, the RBI has shifted the burden of security onto financial institutions. Banks and payment platforms will now be held liable for losses if a fraudulent transaction occurs because they failed to implement these mandated authentication standards.
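The two-factor rule and the risk-based step-up described above can be expressed as a small policy check. This is an added illustration, not code from the RBI directions or from any bank or UPI app; the factor names, their static/dynamic flags and the rule that a risk signal demands a third factor type are assumptions made for the sketch.

```python
from dataclasses import dataclass

# The three factor types named in the article.
KNOW, HAVE, ARE = "know", "have", "are"

@dataclass(frozen=True)
class Factor:
    name: str       # illustrative label, e.g. "sms_otp"
    category: str   # KNOW, HAVE or ARE
    dynamic: bool   # True if generated uniquely for this transaction

@dataclass(frozen=True)
class Context:
    new_device: bool = False
    unusual_location: bool = False

# Constructed sample factors; the dynamic flags are assumptions for this sketch.
PIN = Factor("upi_pin", KNOW, dynamic=False)
PASSWORD = Factor("password", KNOW, dynamic=False)
DEVICE = Factor("registered_device", HAVE, dynamic=False)
OTP = Factor("sms_otp", HAVE, dynamic=True)
FINGERPRINT = Factor("fingerprint", ARE, dynamic=False)

def evaluate(factors, ctx=Context()):
    """Return (decision, reasons); decision is 'approve', 'step_up' or 'reject'."""
    reasons = []
    categories = {f.category for f in factors}
    # Two factors of the same type (PIN + password) do not count as 2FA.
    if len(categories) < 2:
        reasons.append("fewer than two different factor types")
    # At least one presented factor must be unique to this transaction.
    if not any(f.dynamic for f in factors):
        reasons.append("no dynamic factor")
    if reasons:
        return "reject", reasons
    # Risk signals named in the article: new device or unusual location.
    # Asking for a third factor type is this sketch's choice of "additional layer".
    if (ctx.new_device or ctx.unusual_location) and len(categories) < 3:
        return "step_up", ["risk signal: additional verification required"]
    return "approve", []

if __name__ == "__main__":
    print(evaluate([OTP]))                                  # OTP alone
    print(evaluate([PIN, OTP]))                             # standard 2FA
    print(evaluate([PIN, OTP], Context(new_device=True)))   # risk-based step-up
```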

Changes For International Payments 

While the domestic rollout begins tomorrow, the RBI has provided a longer runway for international transactions. Card issuers have until October 1, 2026, to ensure all non-recurring, cross-border "Card-Not-Present" (CNP) transactions meet the same rigorous authentication benchmarks. This ensures that Indian travelers and online shoppers enjoy the same level of protection on global merchant sites as they do within the country.

Published By: Shourya Jha