RBI's New Digital Payment Rules from April 1: What Changes for UPI, Cards and e-Wallets

Find out how India's new digital payment security rules affect your UPI, cards, and wallets starting April 1.
02 April 2026

From 1 April 2026, the Reserve Bank of India (RBI) has enforced a revised authentication framework for all digital payment transactions. The new rules apply to Unified Payments Interface (UPI), credit and debit cards, and mobile wallets. The primary objective is to combat rising instances of cyber fraud and strengthen the security infrastructure underpinning India's digital payments ecosystem.

What are the RBI’s new Digital Payment Rules for April 1, 2026?

Under the RBI's Authentication Mechanisms for Digital Payment Transactions Directions, 2025, all entities in the payment chain are required to implement mandatory two-factor authentication (2FA) for every digital transaction. Single-factor verification, such as an SMS-based OTP alone, is no longer sufficient. At least one of the two authentication factors must be dynamic, meaning it is uniquely generated for each transaction.

How did OTP-based systems become vulnerable?

For years, SMS-based OTPs served as the backbone of digital payment security in India. However, the growing sophistication of cybercriminals has exposed significant weaknesses in this system:

  • Phishing attacks: Fraudsters create fake websites, emails, or messages that trick users into revealing their OTPs. Once shared, the OTP can be used to authorise fraudulent transactions in real time.
  • SIM swap scams: Criminals convince mobile operators to transfer a victim’s phone number to a new SIM card. Once they control the number, they can intercept all OTPs sent to it and take over accounts.
  • Malware and spyware: Malicious software installed on a user’s device can read incoming SMS messages, including OTPs, and forward them to attackers without the user’s knowledge.
  • Social engineering: Scammers impersonate bank officials or customer service agents and manipulate users into sharing their OTPs over the phone.

These vulnerabilities made it clear that a single-factor system based on SMS was no longer sufficient to protect India’s rapidly growing digital economy.

What can be used as a Second Authentication Factor?

The RBI’s framework opens the door to a range of modern authentication technologies that are more secure than traditional OTPs:

  • Biometric verification: Fingerprint scans and facial recognition directly on the user’s device offer a fast and highly secure way to confirm identity.
  • Device binding and passkeys: Linking a user’s identity to a specific, trusted device through cryptographic keys ensures that transactions can only be initiated from that device.
  • App-based tokens: In-app push notifications or software-generated tokens that are unique to each transaction and expire within seconds.
  • Hardware tokens: Physical security devices that generate time-sensitive codes, commonly used for high-value corporate transactions.
  • Behavioural analysis: Advanced systems that analyse typing patterns, device usage habits, and location data to silently verify the user in the background.

OTPs are not being eliminated entirely. They can still serve as one of the two factors, but they can no longer be the sole method of verification.

How will digital payments change from April 1, 2026?

The changes affect three key payment channels, each with updated authentication requirements.

Changes for UPI payments

  • UPI transactions now require two-factor authentication, combining device binding or app-level verification with a UPI PIN or biometric.
  • Low-value or recurring payments on trusted devices may appear seamless, but underlying security layers remain active.
  • Risk profiling determines whether additional verification is triggered, rather than applying the same process to every transaction.
  • In-app encrypted approval notifications are expected to replace traditional SMS codes in many banking and UPI applications.

Changes for card transactions

All domestic card transactions must now pass through two independent verification steps.

  • Cardholders may use a combination of PIN, password, device token, or biometric in place of OTP alone.
  • For non-recurring cross-border card transactions, the 2FA mandate will take effect from 1 October 2026.
  • Banks and card issuers are accountable for ensuring compliance; non-compliance may result in liability for fraudulent losses.

Changes for mobile wallets

  • Prepaid Payment Instruments (PPIs) and mobile wallets are included within the scope of the new framework.
  • Wallet transactions must now be authenticated using at least two factors, with one being dynamic.
  • Wallet providers are required to implement risk-based checks for flagging unusual transaction behaviour.
  • Institutions that fail to meet the authentication standards may be held liable for compensating fraud victims.

Risk-based authentication: What it means for everyday users

A key feature of the new framework is risk-based authentication (RBA), which allows banks and payment platforms to calibrate security checks according to the risk profile of each transaction, rather than applying uniform verification to all payments.

Low-risk transactions

  • Routine small-value payments made from a recognised device are likely to remain quick and seamless.
  • Familiar merchants, consistent spending patterns, and known geographic locations reduce the risk score.
  • Device binding ensures that background security layers are in place even when the user experience appears frictionless.

High-risk transactions

  • Payments initiated from a new or unrecognised device will trigger additional verification steps.
  • Transactions from an unusual geographic location or involving unfamiliar merchants attract heightened scrutiny.
  • High-value transfers are subject to stricter authentication regardless of device familiarity.
  • Any deviation from a user's established spending behaviour may prompt supplementary checks.
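The sketch below is an added example, not code from the RBI framework or any payment provider. It combines the two-factor rule (at least two factors, one of them dynamic) with the low-risk and high-risk signals listed above. The factor classification, the thresholds and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: which factors count as dynamic (unique per transaction).
DYNAMIC = {"sms_otp", "app_token", "hardware_token", "device_binding"}
STATIC = {"upi_pin", "card_pin", "password", "biometric"}

@dataclass
class Txn:
    amount: float
    typical_amount: float   # user's usual spend, taken from history
    known_device: bool = True
    usual_location: bool = True
    known_merchant: bool = True

def risk_signals(t, high_value=50_000, deviation=5):
    """High-risk conditions from the list above; both thresholds are assumed."""
    checks = [
        ("new_device", not t.known_device),
        ("unusual_location", not t.usual_location),
        ("unfamiliar_merchant", not t.known_merchant),
        ("high_value", t.amount >= high_value),
        ("spending_deviation", t.amount > deviation * t.typical_amount),
    ]
    return [name for name, fired in checks if fired]

def decide(t, factors):
    """Return ('approve' | 'step_up', reasons) for the factors presented."""
    presented = set(factors)
    unknown = presented - DYNAMIC - STATIC
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    if not t.known_device:
        # A binding to some other device proves nothing on this one.
        presented.discard("device_binding")
    reasons = []
    if len(presented) < 2:
        reasons.append("fewer_than_two_factors")
    if not presented & DYNAMIC:
        reasons.append("no_dynamic_factor")
    signals = risk_signals(t)
    # Risky payments need a dynamic factor the user actively supplies,
    # not only the silent device binding.
    if signals and not presented & (DYNAMIC - {"device_binding"}):
        reasons.extend(signals)
    return ("step_up" if reasons else "approve"), reasons
```

A routine payment with device binding and a UPI PIN is approved without extra prompts, while the same factors on a high-value transfer return `step_up` until an app token or similar dynamic factor is supplied.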

New UPI operational rules under NPCI

Alongside the RBI’s authentication overhaul, the National Payments Corporation of India (NPCI) has introduced several operational changes to improve the stability and efficiency of the UPI network. These changes are designed to manage the growing volume of UPI transactions and reduce system load during peak hours:

  • Balance check limit: Users can now perform a maximum of 50 balance checks per app per day, preventing excessive automated queries that strain the system.
  • Account linking limit: No more than 25 bank accounts can be linked to a single UPI app in a day.
  • Transaction status checks: Pending transaction status checks are now restricted to three attempts, with a mandatory 90-second gap between each check.
  • Recurring payment scheduling: Recurring payments such as EMIs and subscription debits will be processed during off-peak hours (before 10 AM or after 9:30 PM) to reduce congestion.
  • Inactive number deactivation: UPI services linked to mobile numbers that have been inactive for more than 90 days may be deactivated by NPCI to prevent fraud and keep the ecosystem clean.
  • Market share cap: NPCI has proposed capping any single third-party UPI app at 30% of total transaction volume to promote competition, with a compliance deadline extended to December 31, 2026.
  • Institutional accountability: Banks and payment platforms are now held liable for losses if a fraudulent transaction occurs due to a failure in their security systems, shifting the burden of protection onto the institutions.
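As an added illustration (not NPCI or app code), the sketch below enforces two of the limits above on the server side: 50 balance checks per app per day, and three status checks per pending transaction with a 90-second gap. The class and method names, the per-user key and the UTC day boundary are assumptions.

```python
from collections import defaultdict

DAY = 86_400                    # seconds; day buckets use UTC (assumption)
BALANCE_CHECKS_PER_DAY = 50     # per app per day, as stated above
STATUS_ATTEMPTS = 3             # status checks per pending transaction
STATUS_GAP_SECONDS = 90         # mandatory gap between status checks

class UpiLimits:
    """In-memory limiter; a real deployment would use shared, expiring storage."""

    def __init__(self):
        self._balance = defaultdict(int)   # (user, app, day) -> count
        self._status = {}                  # txn_id -> (attempts, last_ts)

    def allow_balance_check(self, user, app, now):
        key = (user, app, int(now // DAY))
        if self._balance[key] >= BALANCE_CHECKS_PER_DAY:
            return False
        self._balance[key] += 1
        return True

    def allow_status_check(self, txn_id, now):
        """Return (allowed, retry_after_seconds); retry is None when not applicable."""
        attempts, last = self._status.get(txn_id, (0, None))
        if attempts >= STATUS_ATTEMPTS:
            return False, None             # attempts exhausted, no retry
        if last is not None and now - last < STATUS_GAP_SECONDS:
            # Too early: refused without consuming one of the three attempts.
            return False, STATUS_GAP_SECONDS - (now - last)
        self._status[txn_id] = (attempts + 1, now)
        return True, None
```

Refused calls do not consume an attempt or reset the gap, so a client polling in a tight loop gains nothing and simply receives the remaining wait time.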

What about international payments? Cross-border 2FA rules

The RBI has recognised that international digital transactions carry their own set of fraud risks and has extended the authentication mandate to cover cross-border payments as well. However, the timeline for international compliance is more generous:

  • Card issuers must implement two-factor authentication for all non-recurring, cross-border Card-Not-Present (CNP) transactions by October 1, 2026.
  • To ensure compliance, card issuers are required to register their Bank Identification Numbers (BINs) with international card networks.
  • This means that Indian travellers and online shoppers making purchases on overseas merchant websites will enjoy the same level of security protection as they do for domestic transactions.
  • For international UPI transactions, NPCI has already tightened rules by removing the option to pay using saved or shared QR codes outside India. Payments abroad now require a live, in-person QR code scan to prevent misuse.

The phased approach gives banks and payment networks a transition window to align their international systems with the new domestic standards, while ensuring that security is eventually uniform across all channels.

Conclusion

The RBI's April 2026 digital payment rules mark a significant shift from outcome-neutral compliance to principle-driven security regulation. By mandating two-factor authentication, introducing risk-based checks, and increasing institutional accountability, the framework addresses the weaknesses inherent in OTP-only verification. For users, most routine transactions will remain largely seamless, whilst higher-risk payments will undergo additional scrutiny. The broader objective is to build a more secure, trustworthy, and fraud-resistant digital payments infrastructure across India.

Disclaimer

1. Bajaj Finance Limited (“BFL”) is a Non-Banking Finance Company (NBFC) and Prepaid Payment Instrument Issuer offering financial services viz., loans, deposits, Bajaj Pay Wallet, Bajaj Pay UPI, bill payments and third-party wealth management products. The details mentioned in the respective product/ service document shall prevail in case of any inconsistency with respect to the information referring to BFL products and services on this page.

2. All other information, such as, the images, facts, statistics etc. (“information”) that are in addition to the details mentioned in the BFL’s product/ service document and which are being displayed on this page only depicts the summary of the information sourced from the public domain. The said information is neither owned by BFL nor it is to the exclusive knowledge of BFL. There may be inadvertent inaccuracies or typographical errors or delays in updating the said information. Hence, users are advised to independently exercise diligence by verifying complete information, including by consulting experts, if any. Users shall be the sole owner of the decision taken, if any, about suitability of the same.

Frequently asked questions   

Will 2FA slow down my UPI payments?

For routine, low-value transactions on recognised devices, the experience remains largely seamless as risk-based authentication operates in the background. Additional steps are triggered only for high-value or suspicious transactions. 

Do these rules apply to small transactions too?

Yes, 2FA applies to all digital transactions. However, small payments from trusted devices may not require visible extra steps, as the underlying security layers work silently through device binding and app-level verification.

When will 2FA apply to international payments?

Cross-border card-not-present transactions are not covered by the April 2026 rollout. Card issuers have until 1 October 2026 to implement full two-factor authentication compliance for all non-recurring international card payments.