The Reserve Bank of India (RBI) has proposed a new Framework on Alternative Authentication Mechanisms for Digital Payment Transactions to enhance the security of online payments. This move underscores the central bank’s commitment to safeguarding digital payments, emphasising the necessity of Additional Factor of Authentication (AFA).
Current authentication practices
AFA means verifying a payment instruction with more than one factor, rather than a single credential. Today the most common second factor in Indian digital payments is the SMS-based One-Time Password (OTP). Alternative authentication methods have since become available, which is what prompted the RBI to revisit the existing practice.
In a press release dated July 31, 2024, the RBI highlighted the importance of AFA, noting that while SMS-based OTPs are effective, other technological solutions can provide enhanced security. The framework categorises authentication factors into three broad groups:
- Knowledge-Based: Information the user knows, such as passwords, passphrases, or PINs.
- Possession-Based: Items the user has, such as hardware or software tokens.
- Inherence-Based: Attributes unique to the user, such as fingerprints or other biometrics.
Risk-based authentication
The new framework allows issuers, both banks and non-banks, to take a risk-based approach in deciding which AFA is appropriate for a given transaction. Factors to weigh include the transaction value, the channel it originates from, and the risk profiles of both the customer and the beneficiary. Issuers are required to notify customers of eligible digital payment transactions in near real time.
Certain low-risk transactions are exempt from AFA requirements under the new framework. These include:
- Small-value contactless card payments: Transactions up to Rs 5,000 at Point of Sale (PoS) terminals.
- E-mandates for recurring transactions, within specific categories and transaction limits:
  - Mutual fund subscriptions up to Rs 1 lakh
  - Insurance premium payments
  - Credit card bill payments
  - Other e-mandates up to Rs 15,000
- Payments made with select Prepaid Payment Instruments (PPIs), namely PPIs issued under PPI – Mass Transit System and Gift PPIs.
- Transactions in the National Electronic Toll Collection (NETC) System.
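To make the factor categories and the risk-based exemptions above concrete, here is an illustrative policy evaluator in Python. It is an added example, not RBI text or any issuer's code. The mapping of concrete factor types (password, SMS OTP, fingerprint) onto the three categories, the channel labels, the "low"/"high" risk labels, and two policy rules are assumptions made for the example: that a non-exempt transaction must present factors from at least two different categories (so a password plus a PIN counts as one factor, not two), and that an exemption is honoured only when both parties carry a low risk profile. The rupee thresholds are the ones quoted in the article.

```python
"""Illustrative AFA policy evaluator (added example; assumptions noted inline)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Category(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Assumed mapping of concrete factor types onto the framework's three categories.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,  # proves possession of the registered handset/SIM
    "hardware_token": Category.POSSESSION,
    "software_token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}

# Limits quoted in the article, in rupees. None means no value cap is stated.
CONTACTLESS_POS_LIMIT = 5_000
EMANDATE_LIMITS = {
    "mutual_fund": 100_000,
    "insurance_premium": None,
    "credit_card_bill": None,
    "other": 15_000,
}
# Illustrative channel labels for the exempt instruments and systems.
EXEMPT_CHANNELS = {"ppi_mass_transit", "gift_ppi", "netc"}


@dataclass
class Transaction:
    amount: int
    channel: str                       # e.g. "contactless_pos", "emandate", "netc", "online"
    emandate_category: Optional[str] = None
    customer_risk: str = "low"         # assumed: issuer's own "low"/"high" label
    beneficiary_risk: str = "low"
    factors: list = field(default_factory=list)


def categories_present(factors):
    """Distinct framework categories covered by the presented factors."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def is_exempt(txn):
    """Low-value exemptions from the article. Assumption: an exemption is only
    honoured when both customer and beneficiary carry a low risk profile."""
    if txn.customer_risk != "low" or txn.beneficiary_risk != "low":
        return False
    if txn.channel in EXEMPT_CHANNELS:
        return True
    if txn.channel == "contactless_pos":
        return txn.amount <= CONTACTLESS_POS_LIMIT
    if txn.channel == "emandate":
        limit = EMANDATE_LIMITS.get(txn.emandate_category, EMANDATE_LIMITS["other"])
        return limit is None or txn.amount <= limit
    return False


def evaluate(txn):
    """Return (decision, reason). Assumption: a non-exempt transaction needs
    factors from at least two different categories."""
    if is_exempt(txn):
        return "allow", "exempt from AFA"
    cats = categories_present(txn.factors)
    if len(cats) >= 2:
        return "allow", "AFA satisfied: " + ", ".join(sorted(c.value for c in cats))
    if len(cats) == 1:
        return "deny", "factors all from one category: " + next(iter(cats)).value
    return "deny", "no recognised authentication factor presented"


if __name__ == "__main__":
    # Constructed sample transactions for a quick run.
    samples = [
        Transaction(3_000, "contactless_pos"),
        Transaction(6_000, "contactless_pos", factors=["password", "pin"]),
        Transaction(6_000, "contactless_pos", factors=["password", "sms_otp"]),
        Transaction(3_000, "contactless_pos", customer_risk="high"),
        Transaction(50_000, "emandate", emandate_category="mutual_fund"),
    ]
    for t in samples:
        print(t.amount, t.channel, t.factors, "->", evaluate(t))
```

The point of the category check is that "two factors" only adds security when the factors fail independently: a password and a PIN are both knowledge and are typically compromised together, whereas a password plus an SMS OTP (knowledge plus possession) forces an attacker to compromise two different things.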
The RBI had flagged the issue earlier, noting at its February Monetary Policy Committee (MPC) meeting that technological advances had produced alternative authentication methods and that a principle-based framework was needed to authenticate digital payment transactions effectively.
RBI Governor Shaktikanta Das noted, “With technological advancements, alternative authentication mechanisms have emerged in recent years. To make such mechanisms for digital security more accessible, it is recommended to implement a principle-based ‘Framework for authentication of digital payment transactions’. Instructions on this matter will be delivered individually.”