RBI Suggests New Ways to Authenticate Digital Payments Beyond SMS OTP
The Reserve Bank of India (RBI) has put forth a new draft framework exploring alternative ways to authenticate digital payment transactions, beyond the commonly used SMS-based OTP (One-Time Password) system.
The RBI acknowledges that while SMS-based OTPs have been the primary method for Additional Factor of Authentication (AFA), there are now more advanced technologies available that could provide new options. This draft framework seeks to expand the tools available for verifying the identity of someone making a payment.
A key point in the draft is that issuers, like banks or payment providers, must get explicit permission from customers before implementing any new authentication methods. Customers should also have the ability to opt out of these new methods if they choose.
The draft highlights that for all digital payment transactions, except those where a physical card is used, one of the authentication factors must be dynamically generated during the transaction process. This means it should be created specifically for each transaction and not be reusable.
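As an added illustration of what "dynamically generated" and "not reusable" mean in practice (this is constructed example code, not anything from the RBI draft or from any issuer's system), the following shows a transaction-bound one-time code: the code is derived with an HMAC over a per-customer key plus the transaction id, amount, payee and a fresh nonce, so it only verifies for that exact transaction, and the issuer consumes the transaction on first success so the same code cannot be replayed. The `Issuer` class, the customer and payee names, the 6-digit code length and the HMAC-SHA256 construction are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

CODE_DIGITS = 6  # assumed code length for this example


def derive_code(key: bytes, txn_id: str, amount_paise: int, payee: str, nonce: str) -> str:
    """Derive a short numeric code bound to one specific transaction.

    The HMAC input includes the transaction id, amount, payee and a fresh
    nonce, so the resulting code only verifies for exactly those values.
    """
    msg = f"{txn_id}|{amount_paise}|{payee}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation in the style of RFC 4226
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Issuer:
    """Constructed issuer side: issues per-transaction challenges and verifies each code once."""

    def __init__(self) -> None:
        self._keys = {}        # customer -> shared key provisioned at enrolment
        self._pending = {}     # txn_id -> (customer, amount_paise, payee, nonce)
        self._consumed = set() # txn_ids whose code has already been accepted

    def enrol(self, customer: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[customer] = key
        return key  # in a real deployment this is delivered to the authenticator out of band

    def begin_transaction(self, customer: str, amount_paise: int, payee: str) -> Tuple[str, str]:
        txn_id = secrets.token_hex(8)
        nonce = secrets.token_hex(16)  # fresh per transaction: this is what makes the factor dynamic
        self._pending[txn_id] = (customer, amount_paise, payee, nonce)
        return txn_id, nonce

    def verify(self, txn_id: str, code: str) -> bool:
        if txn_id in self._consumed or txn_id not in self._pending:
            return False  # replayed, already used, or unknown transaction
        customer, amount_paise, payee, nonce = self._pending[txn_id]
        expected = derive_code(self._keys[customer], txn_id, amount_paise, payee, nonce)
        ok = hmac.compare_digest(expected, code)
        if ok:
            # Consume the transaction so the same code can never be accepted again.
            self._consumed.add(txn_id)
            del self._pending[txn_id]
        return ok


def demo() -> Tuple[bool, bool]:
    """Constructed walk-through: first use succeeds, replay of the same code fails."""
    issuer = Issuer()
    key = issuer.enrol("alice")
    txn_id, nonce = issuer.begin_transaction("alice", 150_000, "MERCHANT-42")
    # The customer's authenticator displays amount and payee and computes the code.
    code = derive_code(key, txn_id, 150_000, "MERCHANT-42", nonce)
    first = issuer.verify(txn_id, code)
    replay = issuer.verify(txn_id, code)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

Because the amount and payee are part of the HMAC input, a code computed for one transaction is rejected if the issuer is actually holding a different amount or payee for that transaction id, which is the property a static, reusable SMS OTP does not give.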
The RBI also emphasizes the importance of notifying customers almost immediately for all significant digital transactions. Additionally, it prohibits issuers from making exclusive deals with any Payment Service Provider or Technology Service Provider that could limit the adoption of new authentication methods.
For recurring transactions like mutual fund investments, insurance premium payments, and credit card bill payments, the RBI proposes using e-mandates. The draft suggests limits for these transactions, such as up to Rs 1 lakh for certain categories and Rs 15,000 for others. The RBI also points out that small-value contactless card transactions up to Rs 5,000 at Point of Sale (PoS) terminals are exempt from the AFA requirement.
The RBI is seeking feedback on this draft framework until September 15, 2024. The goal is to give both Payment System Operators and users more choices in how transactions are authenticated, aiming for a balance between security and convenience.