The Reserve Bank of India (RBI) on July 31, 2024 issued a draft framework for the alternative authentication mechanism for digital payments. Amid the rapid implementation of digitisation in financial activities and a growing number of digital frauds, RBI has been actively taking system strengthening measures, including issuing directions for the non-bank payment system operators recently to enhance digital security.
Now, it has issued a draft framework for an alternative authentication mechanism for digital payments. The draft lays down the alternative authentication measures for payment system providers as well as participants.
Why An Alternative Authentication Mechanism?
To add to the security of digital payment transactions while utilising technological advancements, RBI decided to provide some broad principles to be adhered to by all the parties (participants) in the payment chain. The payment system providers and participants, including both banks and non-banks, will have to follow this framework within three months from the issue of directions. According to the draft, a digital payment transaction is treated the same as an electronic funds transfer.
Here are the rules laid down in the draft framework.
Principles For Authentication Of Digital Payment Transactions
According to the RBI draft framework notification, the digital payment service providers will need to deploy the following measures in their payment authentication system.
Mandatory AFA:
An additional factor of authentication (AFA) has to be mandatorily implemented for all digital payment transactions. An entity can forgo this principle only if it is specifically exempted.
Dynamic And Robust:
One of the factors should be dynamic, i.e., it should change with every transaction and cannot be reused. As the notification specifies, this rule applies to all digital transactions except the ‘card present transaction’.
Also, the first factor of authentication and the AFA should not be from the same category. There are three categories of authentication factors: first, something the user knows, such as a password or PIN; second, something the user has, such as a hardware token or software token; and third, something the user is, such as a fingerprint or other biometric.
Flexible Risk-Based Approach:
The entity issuing the AFA may use a risk-based approach to decide what is appropriate for alternative authentication. It can consider the customer’s risk profile, transaction value, etc., for this.
Alert And Consent:
The issuers will need to have a system to send near real-time alerts to customers whenever a digital payment transaction occurs. Further, they also need to obtain customers’ consent before enabling any new authentication factor for them. Issuers need to provide a de-registering facility to customers as well.
Issuers’ Responsibility:
The framework fixes the responsibility on issuers to manage system robustness, process integrity, and the deployed technology. If they fail to do so, they will be held liable.
Third-Party Arrangements:
RBI specifies that the issuers will not enter into any exclusivity arrangement with third parties which could limit issuers’ ability to provide alternative authentication solutions. Third parties here include payment and technology service providers.
Which Digital Payment Transactions Are Exempted From This Framework
The draft exempts the following digital payment transactions: small value card payments in contactless mode; e-mandates for recurring transactions, such as mutual funds, insurance premiums, etc.; utility payments through select prepaid instruments; and small value digital payments in the offline mode.
The draft framework is open for comments till September 15, 2024.