RBI issues final guidelines on due diligence of AePS touchpoint operators

RBI's new AePS guidelines, effective January 2026, require acquiring banks to perform due diligence, monitor transactions, and update KYC of inactive operators

Don't want to miss the best from Business Standard?

The Reserve Bank of India (RBI) on Friday issued final guidelines for the due diligence of operators managing Aadhaar Enabled Payment System (AePS) touchpoints, aimed at streamlining their onboarding process and strengthening fraud risk management.

 

These directions will come into effect from January 1, 2026.

 

Acquiring banks are required to carry out due diligence of all AePS Touchpoint Operators (ATOs) in accordance with the Know Your Customer (KYC) norms prescribed by the banking regulator before onboarding them.

 

If an ATO remains inactive for three consecutive months—meaning no financial or non-financial transactions have been carried out for a customer—the acquiring bank must update their KYC before permitting them to resume operations.

 

“If the due diligence of ATOs has already been done in their capacity as a Business Correspondent or sub-agent, the same may be adopted. The acquiring bank shall also carry out periodic KYC updation of ATOs,” the RBI said.

 

AePS touchpoints are terminals deployed by acquiring banks to facilitate AePS transactions, which can include both mobile and fixed service points. ATOs are the individuals or entities that operate these touchpoints. 

 

Acquiring banks must monitor ATO activities through their transaction monitoring systems on an ongoing basis and set operational parameters based on risk profiles.

 

The bank’s fraud risk management framework should consider factors such as location, type of ATO, volume and velocity of transactions, among others.

 

“The operational parameters regarding ATOs shall be reviewed on a periodic basis, reflecting emerging fraud trends. The acquiring bank shall put in place adequate system-level controls to ensure that any technological integrations, such as APIs, are used solely for enabling AePS operations,” the RBI added.

 

The central bank had issued draft guidelines on AePS due diligence in July last year, which were opened for public and stakeholder feedback.

 

AePS is a payment system that enables transactions using an individual’s Aadhaar number and biometric or OTP (One-Time Password) authentication.

 

It allows access to basic banking services such as cash withdrawal, balance enquiry, mini statements, cash deposit, and fund transfers.

 

AePS is operated by the National Payments Corporation of India (NPCI) and facilitates interoperable transactions using Aadhaar-enabled authentication.