NEW DELHI: The Reserve Bank of India (RBI) has released a draft framework on alternative authentication mechanisms to supplement the SMS-based OTP system for digital payment transactions.
The RBI noted, “No specific factor was mandated for authentication, but the digital payments ecosystem has primarily adopted SMS-based OTP as Additional Factor of Authentication (AFA). While OTP is working satisfactorily, technological advancements have made available alternative authentication mechanisms”.
The draft discusses the Additional Factor of Authentication (AFA), which involves using more than one factor to authenticate a payment instruction. It requires that the process validate and confirm the credentials of the customer initiating the payment.
Furthermore, the draft specifies that issuers must obtain explicit consent from customers before enabling any new authentication factor. Customers should also have the option to deregister from using the new authentication method.
The draft states, “All digital payment transactions, other than card present transactions, shall ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated after initiation of payment, is specific to the transaction and cannot be reused”.
Additionally, the draft mandates that issuers must have a system to alert customers in near real-time for all eligible digital payment transactions. It also prohibits transaction issuers from entering into exclusive arrangements with any Payment Service Provider or Technology Service Provider, which could limit their ability to implement alternative authentication solutions.
The RBI has proposed e-mandates for recurring transactions in mutual funds, insurance premiums, credit card bill payments for values up to Rs 1 lakh and in respect of all other categories for value up to Rs 15,000.
The banking regulator also suggests that issuer shall be liable for the process and technology deployed for authenticating digital payments. There should also be a system of alerting the customer in near real time for all digital payment transactions.
The draft notes that small value card present transactions up to Rs 5000 per transaction in contactless mode at Point of Sale (PoS) terminals are exempt from the AFA requirement.
The central bank has invited comments and feedback on the draft framework until September 15, 2024. The proposed alternative authentication mechanisms aim to provide more choices for authentication factors to Payment System Operators and users. (ANI)