Regulation Name: Framework on Alternative Authentication Mechanisms for Digital Payment Transactions
Publishing Date: 31 July 2024
Region:  India
Agency: Reserve Bank of India

The Reserve Bank of India’s (RBI) draft on the Framework on Alternative Authentication Mechanisms for Digital Payment Transactions, issued on July 31st, introduces new guidelines to enhance the security and flexibility of digital payments in India. Here’s a summary of the key points:

Background:

– RBI had mandated the use of an Additional Factor of Authentication (AFA) for all transactions using cards, prepaid instruments, and mobile banking. Traditionally, SMS-based OTPs have been used as AFA.

– In the Statement on Developmental and Regulatory Policies dated February 8, 2024, RBI announced the intent to introduce a framework that leverages technological advancements for alternative authentication methods.

Applicability:

– The framework applies to all Payment System Providers and Payment System Participants as defined under the Payment and Settlement Systems (PSS) Act, 2007.

Key Definitions:

– AFA: The use of more than one authentication factor for payment validation.

– Authentication: Validating the credentials of the customer initiating a payment.

– Digital Payment Transaction: Has the same meaning as “Electronic Funds Transfer” under the PSS Act, 2007.

– Issuer: The entity (bank or non-bank) where the customer’s account is maintained.

– Technology Service Provider (TSP): Providers of technology infrastructure for authentication processes.

– Token Service Provider: Entities that handle the tokenization and de-tokenization of card credentials.

Principles for Authentication:

1. Mandatory AFA: All digital payment transactions require AFA unless exempted.

2. Dynamically Created AFA: For non-card-present transactions, one authentication factor must be dynamically generated, specific to the transaction, and non-reusable.

3. Robust Authentication: The first factor and AFA must be from different categories (e.g., something the user knows, has, or is).

4. Risk-Based Authentication: Issuers can adopt a risk-based approach based on customer profiles, transaction value, etc.

5. Transaction Alerts: Issuers must provide near real-time alerts for eligible digital payment transactions.

6. Customer Consent: Explicit customer consent is required before enabling new authentication factors.

7. Issuer Responsibility: The issuer is responsible for ensuring the robustness of the authentication process.

8. Third-Party Arrangements: Issuers must avoid exclusivity arrangements that limit alternative authentication solutions.

Exemptions from AFA:

Certain transactions are exempt from AFA requirements, including:

– Small value contactless card payments: Transactions up to ₹5000 in contactless mode at PoS terminals.

– E-mandates for recurring transactions: Recurring payments like mutual fund subscriptions, insurance premiums, and credit card bill payments, with values up to specified limits.

– Utility through select PPIs and NETC: Specific prepaid instruments and toll collection systems.

– Small value offline digital payments: Offline transactions up to ₹500.

Compliance:

– Payment System Providers and Participants must comply with this framework within three months of the issuance date.

This draft framework represents RBI’s effort to ensure secure and flexible authentication methods, accommodating the evolving digital payment landscape in India.

Read the draft here.