New RBI rules make banks fully liable if payment safeguards fail: Details

RBI on Digital Transactions Fail: Banks will be responsible for compensating customers if fraud occurs due to them not following authentication process

The Reserve Bank of India (RBI) has issued new directions on authenticating digital transactions, seeking to balance consumer safety and ease of use. The rules were notified on Thursday and will apply to banks and non-bank payment system providers from April 1.

 

Two-factor authentication stays central

 

Every domestic digital payment must be verified using at least two distinct factors of authentication, according to the RBI. These could come from:

 

Something you know: Password, PIN, or passphrase

 

Something you have: A card, token, or SMS-based one-time password (OTP)

 

Something you are: Biometric data such as fingerprint or facial recognition

 

One of these factors should be dynamic. For example, an OTP that is unique to a single transaction qualifies, ensuring that even if one credential is compromised, the overall security is not.

 

Risk-based checks for safer payments

 

The guidelines allow issuers to go beyond the minimum requirement, especially when transactions appear unusual. Lenders and payment providers can analyse:

 

• Transaction location 
• Device attributes 
• Spending behaviour 
• Past transaction history

 

Based on risk, issuers may seek extra confirmation, such as a notification via DigiLocker, for high-value or unusual payments.

 

Cross-border safeguards

 

The RBI has set timelines for cross-border card-not-present transactions. By October 1, card issuers will need to implement a risk-based system to validate such transactions. They must also register their Bank Identification Numbers (BINs) with card networks to ensure seamless authentication when requests come from overseas merchants.

 

What it means for consumers

 

For most users, the experience may not change drastically since SMS OTPs and PINs are already standard practice. However, the new framework opens the door for wider use of device-based biometrics and tokenisation, which could make digital payments both safer and smoother.

 

“If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur,” said a RBI notification, implying banks’ responsibility.

 

With fraud risks evolving alongside rising digital adoption, the RBI’s move signals a stronger push to protect consumers while preparing the ecosystem for future technologies.