Pursuant to the announcement made in its statement on developmental and regulatory policies dated February 8, 2024, the Reserve Bank of India (RBI) published the draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions for public comments (Draft Framework). The Draft Framework has been published with the objective to enable the digital ecosystem to adopt alternative authentication mechanisms and further the regulator’s intent to prioritise security of digital payments. This Draft Framework will widen the choice of authentication factors available to Payment System Operators and users. All Payment System Providers and Payment System Participants (banks and non-banks) have been mandated to ensure compliance with this framework within three months from the date of issue of these directions. The comments to the Draft Framework were to be provided to the RBI by September 15, 2024.
The key aspects of the Draft Framework include the following:
- Applicability: The framework applies to all Payment System Providers and Payment System Participants, as defined in the Payment and Settlement Systems Act, 2007.
- Key definitions: The key definitions under the Draft Framework include the following:
  - ‘Additional Factor of Authentication (AFA)’: Use of more than one factor for authentication of a payment instruction.
  - ‘Authentication’: Process of validating and confirming the credentials of the customer who is originating the payment instruction.
  - ‘Digital Payment Transaction’: Shall have the same meaning as “Electronic Funds Transfer” as defined in the Payment and Settlement Systems Act, 2007.
  - ‘Factor of Authentication’: Any credential input by the customer which is verified for the purpose of confirming the originator of a payment instruction. The factors of authentication are broadly categorised as below:
    - Something the user knows (such as a password, passphrase or PIN)
    - Something the user has (such as a card, hardware token or software token)
    - Something the user is (such as a fingerprint or any other form of biometrics)
- Principles for authentication of Digital Payment Transactions: The technology and process deployed by the Payment System Provider / Payment System Participant(s) for authenticating a payment instruction shall comply with certain principles, including the following:
  - Mandatory additional factor of authentication: All digital payment transactions shall be authenticated with an additional factor(s) of authentication (AFA), unless exempted otherwise in this framework.
  - Dynamically created: All digital payment transactions, other than card present transactions, shall ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated after initiation of payment, is specific to the transaction and cannot be reused.
  - Risk-based approach to authentication: Issuers may adopt a risk-based approach in deciding the appropriate AFA for a transaction, based on the risk profile of the customer and / or beneficiary, transaction value, channel of origination, etc.
  - Transaction alerts: Issuers shall have a system of alerting the customer in near real time for all eligible digital payment transactions.
  - Customer consent: Issuers shall obtain explicit consent before enabling any new factor of authentication for the customer. The customer shall also be provided a facility to deregister from using the new factor of authentication.
  - Responsibility of the issuer: (a) The issuer shall ensure the robustness and integrity of the process or technology of the authentication factor before deploying the same; and (b) the issuer shall be liable for the process and technology deployed for authenticating a digital payment transaction.
  - Third-party arrangements: (a) The issuer shall not enter into any exclusivity arrangement with any Payment Service Provider / Technology Service Provider which could limit its ability to deploy alternative authentication solutions; and (b) for transactions involving tokenised cards on various devices in line with the RBI directions on “Tokenisation – Card Transactions” dated January 8, 2019, as amended from time to time, the Issuer / Token Service Provider shall ensure that the device environment supports tokenisation on a non-exclusive basis.
- Exemption from customer authentication: The following are exempted from the AFA requirement: (i) Small value contactless card payments; (ii) E-mandates for recurring (other than the first) transactions; (iii) Utility through select prepaid instruments / NETC; and (iv) Small value digital payments in offline mode.
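As an added illustration of the “Dynamically created” principle (example code, not part of the Draft Framework or of this summary): the issuer generates the factor only after the payment is initiated, binds it to that transaction's id, amount and beneficiary, and accepts it at most once within a short validity window, so a code cannot be reused or carried over to a payment with altered details. The class name, key, timestamps and sample transactions are constructed assumptions.

```python
import hashlib
import hmac
import secrets


class DynamicFactorIssuer:
    """Issues one-time codes generated only after a payment is initiated and bound to
    that payment's id, amount and beneficiary; each code is accepted at most once."""
    def __init__(self, secret: bytes, ttl_seconds: int = 180, digits: int = 6):
        self._secret, self._ttl, self._digits = secret, ttl_seconds, digits
        self._pending = {}  # txn_id -> (nonce, amount_paise, beneficiary, issued_at)
        self._used = set()  # txn_ids whose code has already been consumed

    def _derive(self, txn_id, nonce, amount_paise, beneficiary):
        # HMAC over the transaction details and a fresh nonce, truncated to N digits
        msg = f"{txn_id}|{nonce}|{amount_paise}|{beneficiary}".encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return str(int.from_bytes(mac[:8], "big") % 10**self._digits).zfill(self._digits)

    def issue(self, txn_id, amount_paise, beneficiary, now):
        # Called only after initiation: the factor cannot exist before the payment does.
        # 'now' is a caller-supplied timestamp in seconds (constructed in the demo).
        nonce = secrets.token_hex(8)
        self._pending[txn_id] = (nonce, amount_paise, beneficiary, now)
        return self._derive(txn_id, nonce, amount_paise, beneficiary)

    def verify(self, txn_id, amount_paise, beneficiary, code, now):
        if txn_id in self._used or txn_id not in self._pending:
            return False  # replay of a consumed code, or no code was ever issued
        nonce, amt, ben, issued_at = self._pending[txn_id]
        if now - issued_at > self._ttl or (amt, ben) != (amount_paise, beneficiary):
            return False  # stale code, or details changed after the code was issued
        expected = self._derive(txn_id, nonce, amount_paise, beneficiary)
        if not hmac.compare_digest(expected, code):
            return False
        self._used.add(txn_id)
        del self._pending[txn_id]
        return True


def demo(now=1_700_000_000.0):
    # Constructed transactions showing which presentations the issuer accepts
    issuer = DynamicFactorIssuer(b"constructed-issuer-key")
    code1 = issuer.issue("TXN001", 150000, "shop@upi", now)
    code2 = issuer.issue("TXN002", 250000, "shop@upi", now)
    return {
        "tampered_amount": issuer.verify("TXN001", 999900, "shop@upi", code1, now + 5),
        "genuine": issuer.verify("TXN001", 150000, "shop@upi", code1, now + 10),
        "replay": issuer.verify("TXN001", 150000, "shop@upi", code1, now + 15),
        "expired": issuer.verify("TXN002", 250000, "shop@upi", code2, now + 400),
    }
```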
For more details, refer to the Draft Framework published by the RBI.
Authors & Contributors
Associate(s): Keshav Pareek, Ishaan Gupta