Kembai Srinivasa Rao is a former banker who teaches and usually writes on Macroeconomy, Monetary policy developments, Risk Management, Corporate Governance, and the BFSI sector.
April 14, 2026 at 5:03 AM IST
The RBI released its Payments Vision 2028 on March 27, setting out where it wants India's payments sector to be by December 2028. The headline theme is "E-payments for Everyone, Everywhere, Every time," supported by five goals: integrity, inclusion, innovation, institutionalisation, and internationalisation. They reflect a recognition that the next leg of growth will depend less on expanding access and more on strengthening confidence in the system.
India’s digital payments ecosystem has reached what can reasonably be described as structural maturity. The RBI’s Digital Payments Index, which tracks the extent of digitisation, stood at 516.76 as of September 2025. From a base of 100 in March 2018, the index took four years to reach 350, and then crossed 500 in just three and a half years. The pace of change is compounding, with transaction density rising sharply across use cases.
The harder question is what comes with scale. While the efficiency of people and digital infrastructure remains at the epicentre, it is more important to protect users against cybersecurity threats that constantly haunt digital payment systems, given the lack of adequate digital literacy. Users with varying levels of familiarity may compromise security protocols, leading to fraud.
The RBI has been vocal about customer centricity for years, pushing regulated entities to communicate safety norms and earn user trust. At some point that translated into something more concrete: an internal shift in how the regulator measures success, away from institutional metrics and towards citizen satisfaction. The two policy measures below are probably the clearest expression of that yet.
Authentication Reset
The RBI’s move towards a principles-based framework for authentication marks an important transition. From April 1, 2026, banks will have to verify digital transactions using at least two different factors, unless specifically exempted. These can be a password or PIN, something linked to the customer’s device or SIM, or a biometric check like fingerprint or face recognition.
The bank's technology systems must capture customer intelligence data to deploy one known security check and a second, dynamic factor drawn from behavioural patterns: transaction habits, frequency, typical payment recipients, and similar signals the customer may not even be aware of. Banks will need AI/ML tools to build and deploy these models effectively.
What makes this a genuine shift is the move away from standardised, outcome-neutral authentication towards a principles-based framework. An OTP alone is no longer the gold standard, given the documented rise in SIM-swap scams and phishing attacks.
While banks and payment service providers have used two-factor authentication for years, typically a PIN plus an SMS-based OTP, the new rules change the underlying logic. The second dynamic factor will vary by institution and must be calibrated to transaction volume and customer behaviour over time. The stronger the customer intelligence data, the more robust the second authentication layer becomes.
Liability Shift
The second big step is a new framework to compensate victims of small-value digital fraud. From July 1, 2026, on a pilot basis, customers can be reimbursed up to 85% of their loss or ₹25,000, whichever is lower. It is a one-time relief per customer, designed to protect first-time or vulnerable victims without creating incentives for abuse.
This moves beyond older liability rules to a direct compensation model, and crucially, it applies even where the customer was partially at fault, such as sharing an OTP under deception. This holds provided specific conditions are met: the fraud must be reported to the bank and the National Cyber Crime Portal (1930) within five days, and the loss must be verified through the bank's internal process. Coverage extends to UPI, mobile banking, internet banking, and card-based payments. Banks must credit the compensation to the customer's account within five business days of receiving the claim.
Perhaps the most consequential aspect of the framework is the move from an issuer-centric liability model to one of shared responsibility. The RBI contributes 65%, funded through the Deposit Education and Awareness Fund; the remitter bank bears 10%; the beneficiary bank, which hosted the fraudster's or mule account, also carries a share of 10%; and the customer bears 15%. This is a direct push for beneficiary banks to monitor mule accounts more aggressively, something the earlier issuer-only model gave them little reason to do.
Way Forward
These two strategic protective policy measures, among others, reflect regulators' growing concern for the safety of digital payment users as digital banking penetration increases exponentially, alongside a simultaneous rise in potential cyber risks.
While these policy reinforcements are necessary, digital literacy is the part that regulation cannot fully solve. Users who understand what phishing looks like, or why they should not share an OTP, are harder to defraud than any policy can make them.
Banks need to keep upgrading their systems, but the sector as a whole needs to invest in making people less easy to deceive. In the end, this works only if both sides keep up. The system can do a lot, but user awareness will always be part of the defence.