How Can Indian Banks and Fintech Companies Comply With RBI’s New Rules for Two-Factor Authentication?

October 10, 2024

RBI’s new framework is just around the corner. Here’s what this initiative means for India’s banks and fintech companies.

Digital transactions have become increasingly prevalent in India — and with them comes the growing threat of fraud. The Reserve Bank of India (RBI), the country’s central bank and regulatory body, acknowledges these trends and has highlighted the urgent need for stronger authentication measures.

To safeguard India’s banking customers, RBI has introduced a proposed framework that mandates an additional factor of authentication (AFA) for most digital transactions. In this post, we’ll discuss the rising concerns that have driven this initiative and explore what the new framework means for financial institutions throughout India.

What’s Wrong With India’s Current Authentication Methods?

The authentication methods currently used by banking customers throughout India aren't equipped for tomorrow's challenges.

India’s digital payment system has traditionally relied on SMS-based one-time passwords (SMS OTPs) as the primary means of authenticating transactions. Today, authentication via SMS OTPs is considered an outdated and unreliable method due to higher costs, low user convenience, and insufficient regulatory compliance in certain regions — but most importantly, for practical security reasons.

More specifically, the simplicity of SMS OTPs makes them susceptible to a range of security issues, including SIM swapping, interception, and phishing attacks. These vulnerabilities have led to a significant increase in payment fraud plaguing Indian banking customers.

The Rise of AePS Fraud

Cybercriminals have been finding new ways to exploit India’s Aadhaar-enabled Payment System (AePS), a platform that allows banking customers to access various banking services as well as authenticate transactions using their Aadhaar biometrics. 


Although AePS utilizes biometric authentication, it doesn’t incorporate two-factor authentication (2FA). This fundamental security issue has led to a rise in so-called AePS fraud, which accounted for 11% of online financial scams in India during 2023.

Fraudsters have resorted to rudimentary tactics to carry out AePS fraud, such as using “dummy” or “rubber” fingers to clone fingerprints and illegally withdraw money from AePS accounts.

What Does RBI’s New Framework Mean for Banks in India?

On July 31, 2024, RBI announced a draft framework for alternative authentication mechanisms to bolster the security of payment transactions.

The RBI’s guidelines specify that in addition to using SMS OTPs, a dynamic authentication factor must be used for all digital payment transactions. Importantly, this factor must be generated during a transaction, unique to the transaction, time-sensitive, and non-reusable.

The exceptions to this rule apply to small-value contactless card payments up to 5,000 rupees (approximately $60) at point-of-sale terminals, e-mandates for recurring transactions, and small-value digital payments made through offline mode.
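As an added illustration (not Wultra's product code and not part of the RBI draft), the following Python sketch shows how a server can issue and check a factor with the four properties named above: generated during the transaction, bound to that transaction's details, time-limited, and single-use. The key, the 120-second validity window and the transaction values are constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed demo key for this example only. In a real deployment the key is
# per customer or per device and lives in an HSM or secure element.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def derive_code(key, txn_id, amount_paise, payee, issued_at):
    """Bind the factor to the exact transaction details and its issue time."""
    msg = f"{txn_id}|{amount_paise}|{payee}|{issued_at}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Truncate to an 8-digit code the customer can read back and confirm.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class DynamicFactorVerifier:
    """Server-side issuance and verification of a transaction-bound factor."""

    def __init__(self, key, ttl_seconds=120):
        self.key = key
        self.ttl = ttl_seconds
        self.pending = {}      # txn_id -> (amount_paise, payee, issued_at)
        self.consumed = set()  # txn_ids already authenticated once

    def issue(self, txn_id, amount_paise, payee, now):
        """Generate the factor during the transaction, never ahead of it."""
        self.pending[txn_id] = (amount_paise, payee, now)
        return derive_code(self.key, txn_id, amount_paise, payee, now)

    def verify(self, txn_id, amount_paise, payee, code, now):
        """Return (accepted, reason); each check maps to one RBI property."""
        if txn_id in self.consumed:
            return False, "replayed"        # non-reusable
        if txn_id not in self.pending:
            return False, "unknown"
        _, _, issued_at = self.pending[txn_id]
        if now - issued_at > self.ttl:
            del self.pending[txn_id]
            return False, "expired"         # time-sensitive
        # Recompute from the details actually submitted: a changed amount or
        # payee no longer matches the code the customer approved.
        expected = derive_code(self.key, txn_id, amount_paise, payee, issued_at)
        if not hmac.compare_digest(expected, code):
            return False, "mismatch"        # unique to this transaction
        self.consumed.add(txn_id)
        del self.pending[txn_id]
        return True, "ok"
```

Attempt counting and lockout after repeated mismatches are deliberately left out; a production verifier would add them.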

The RBI framework allows financial institutions to choose the form of the additional authentication factor, which can fall under one of three categories:

  • Something the user knows (such as a password or PIN code)
  • Something the user has (such as a mobile device or hardware token)
  • Something the user is (such as a fingerprint scan or voice recognition)

How Wultra Can Help Indian Banks Stay Compliant

Although RBI’s framework remains a proposal for the time being, financial institutions will soon need to comply with the new rules. RBI mandates that all payment system providers and participants — including both banks and non-banks — must ensure compliance with the new authentication requirements within three months from the date the directions are issued.

This is where Wultra comes in — our authentication solutions are specifically designed to help financial institutions quickly and efficiently implement the changes necessary to comply with RBI’s rules without compromising on security or user experience. Moreover, our team has extensive experience in helping banks achieve compliance with regulatory frameworks like PSD2, elements of which are incorporated in RBI’s new framework.

Here’s what our solutions can help you achieve:

  • Modern authentication with dynamic linking: Our Mobile-First Authentication comes equipped with multi-factor authentication as well as dynamic linking to safeguard your digital services while ensuring a positive experience for your users.
  • Push notifications for real-time alerts: Banking customers can easily sign in or approve payments using push notifications for seamless, secure authentication.
  • Secure, fast, and user-friendly digital onboarding: Our solution ensures a secure user onboarding flow, provides robust identity verification, and establishes an authentication mechanism for easy, secure access.
  • Robust in-app protection for mobile banking applications: Our In-App Protection safeguards customers' mobile devices by detecting and neutralizing malware and unauthorized access.

By adopting Wultra’s solutions, Indian banks and fintech companies can steer through the ever-changing regulatory landscape with confidence while providing customers with unmatched security and convenience.
