The Reserve Bank of India (RBI) has issued sweeping new rules to tighten authentication standards for digital payments, in a bid to curb rising fraud in the sector. The guidelines, released on September 25, 2025, under the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, mandate stronger security protocols across all domestic digital transactions. RBI Mandates Dynamic Authentication for All Digital Payments by April 2026 All payment system providers, including banks and non-bank entities, are required to comply with the rules by April 1, 2026. The measures build on the long-standing two-factor authentication norm but go further by requiring at least one dynamic factor of authentication for all digital transactions, excluding card-present payments. This means that credentials such as SMS-based one-time passwords (OTPs), biometric data, or hardware tokens must be unique to each transaction, preventing reuse or compromise. The RBI said the framework is designed to help the payments ecosystem adapt to new technologies while maintaining consumer protection and market integrity. The directions also extend safeguards to cross-border transactions using cards issued in India. From October 1, 2026, card issuers will be required to validate non-recurring cross-border “card-not-present” transactions and introduce risk-based checks for all such payments, in line with anti-fraud standards. Issuers will bear direct responsibility for ensuring the robustness of authentication systems. In cases where losses occur due to non-compliance, issuers must fully compensate affected customers. The RBI also instructed that all authentication mechanisms must adhere to the provisions of the Digital Personal Data Protection Act, 2023. The framework emphasizes interoperability, requiring system providers to ensure that tokenization and authentication services are accessible across devices, applications, and storage mechanisms. This open-access approach is expected to standardize security across the fast-expanding payments market. In addition, the RBI has encouraged issuers to adopt a risk-based approach to authentication. Transactions may be assessed against behavioral and contextual parameters such as user location, device attributes, and historical spending patterns. High-risk transactions could face additional layers of verification, with DigiLocker proposed as a platform for customer notification and confirmation. While the new directions primarily cover domestic payments, they also establish a timeline for cross-border compliance, requiring issuers to register their Bank Identification Numbers (BINs) with global card networks by October 2026. The RBI described the rules as a milestone in its effort to address growing risks in digital transactions, noting that fraud and unauthorized access have become a major concern as digital payment adoption continues to surge in India. With digital transactions now accounting for the majority of retail payments in the country, the central bank’s latest crackdown shows the increasing priority regulators are placing on securing the financial system against cyber threats. India Tops Global Crypto Adoption Index but Faces Rising Fraud Cases India now leads the world in cryptocurrency adoption, topping the 2025 Chainalysis Global Crypto Adoption Index across all four sub-indices. Yet the surge in grassroots use and financial integration has been accompanied by a wave of fraud cases and enforcement actions. On August 6, the Enforcement Directorate (ED) raided 11 locations in Delhi and other cities in connection with a $29 million Bitcoin fraud. Investigators say scammers posed as police, government agents, and even tech support staff from Microsoft and Amazon to extort money from victims at home and abroad. Illicit funds were allegedly laundered through USDT and hawala networks in the UAE. The raids came just a day after the ED began probing a $4.7 million scam involving a spoofed Coinbase website. India’s crypto-related crime has also reached the courts. On August 31, an anti-corruption court sentenced 14 men, including 11 current and former police officers and one ex-legislator, to life in prison over the 2018 abduction of businessman Shailesh Bhatt. The group forced him to transfer Bitcoin and cash, with prosecutors calling it one of the most high-profile crypto extortion cases in the country. Despite adoption, regulatory caution remains. A government document dated September 10 indicated India will not pursue a comprehensive crypto law but will maintain partial oversight through taxation and compliance. Authorities noted risks tied to speculative trading and stablecoins, warning their growth could disrupt India’s payments system. India’s approach has dampened exchange volumes through a 30% tax on gains and a 1% levy on transactions, though global platforms continue to operate under Financial Intelligence Unit registration. Officials estimate Indians hold around $4.5 billion in digital assets, showing the paradox: world-leading adoption alongside systemic skepticism and recurring fraudThe Reserve Bank of India (RBI) has issued sweeping new rules to tighten authentication standards for digital payments, in a bid to curb rising fraud in the sector. The guidelines, released on September 25, 2025, under the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, mandate stronger security protocols across all domestic digital transactions. RBI Mandates Dynamic Authentication for All Digital Payments by April 2026 All payment system providers, including banks and non-bank entities, are required to comply with the rules by April 1, 2026. The measures build on the long-standing two-factor authentication norm but go further by requiring at least one dynamic factor of authentication for all digital transactions, excluding card-present payments. This means that credentials such as SMS-based one-time passwords (OTPs), biometric data, or hardware tokens must be unique to each transaction, preventing reuse or compromise. The RBI said the framework is designed to help the payments ecosystem adapt to new technologies while maintaining consumer protection and market integrity. The directions also extend safeguards to cross-border transactions using cards issued in India. From October 1, 2026, card issuers will be required to validate non-recurring cross-border “card-not-present” transactions and introduce risk-based checks for all such payments, in line with anti-fraud standards. Issuers will bear direct responsibility for ensuring the robustness of authentication systems. In cases where losses occur due to non-compliance, issuers must fully compensate affected customers. The RBI also instructed that all authentication mechanisms must adhere to the provisions of the Digital Personal Data Protection Act, 2023. The framework emphasizes interoperability, requiring system providers to ensure that tokenization and authentication services are accessible across devices, applications, and storage mechanisms. This open-access approach is expected to standardize security across the fast-expanding payments market. In addition, the RBI has encouraged issuers to adopt a risk-based approach to authentication. Transactions may be assessed against behavioral and contextual parameters such as user location, device attributes, and historical spending patterns. High-risk transactions could face additional layers of verification, with DigiLocker proposed as a platform for customer notification and confirmation. While the new directions primarily cover domestic payments, they also establish a timeline for cross-border compliance, requiring issuers to register their Bank Identification Numbers (BINs) with global card networks by October 2026. The RBI described the rules as a milestone in its effort to address growing risks in digital transactions, noting that fraud and unauthorized access have become a major concern as digital payment adoption continues to surge in India. With digital transactions now accounting for the majority of retail payments in the country, the central bank’s latest crackdown shows the increasing priority regulators are placing on securing the financial system against cyber threats. India Tops Global Crypto Adoption Index but Faces Rising Fraud Cases India now leads the world in cryptocurrency adoption, topping the 2025 Chainalysis Global Crypto Adoption Index across all four sub-indices. Yet the surge in grassroots use and financial integration has been accompanied by a wave of fraud cases and enforcement actions. On August 6, the Enforcement Directorate (ED) raided 11 locations in Delhi and other cities in connection with a $29 million Bitcoin fraud. Investigators say scammers posed as police, government agents, and even tech support staff from Microsoft and Amazon to extort money from victims at home and abroad. Illicit funds were allegedly laundered through USDT and hawala networks in the UAE. The raids came just a day after the ED began probing a $4.7 million scam involving a spoofed Coinbase website. India’s crypto-related crime has also reached the courts. On August 31, an anti-corruption court sentenced 14 men, including 11 current and former police officers and one ex-legislator, to life in prison over the 2018 abduction of businessman Shailesh Bhatt. The group forced him to transfer Bitcoin and cash, with prosecutors calling it one of the most high-profile crypto extortion cases in the country. Despite adoption, regulatory caution remains. A government document dated September 10 indicated India will not pursue a comprehensive crypto law but will maintain partial oversight through taxation and compliance. Authorities noted risks tied to speculative trading and stablecoins, warning their growth could disrupt India’s payments system. India’s approach has dampened exchange volumes through a 30% tax on gains and a 1% levy on transactions, though global platforms continue to operate under Financial Intelligence Unit registration. Officials estimate Indians hold around $4.5 billion in digital assets, showing the paradox: world-leading adoption alongside systemic skepticism and recurring fraud