RBI Issues Fresh Guidelines to Strengthen Aadhaar Enabled Payment Systems

The Reserve Bank of India (RBI) has announced a fresh set of regulations designed to bolster the security of the Aadhaar Enabled Payment System (AePS). These guidelines, released on Friday, will officially come into effect from January 1, 2025.

New Guidelines Aim to Safeguard AePS Users from Fraud

“In recent times, there have been reports of frauds perpetuated through AePS due to identity theft or compromise of customer credentials. To protect bank customers from such frauds, and to maintain trust and confidence in the safety and security of the system, a need is felt to enhance the robustness of AePS,”
— RBI Notification

The move follows the release of draft guidelines on July 31, 2024, and comes in response to increasing reports of digital payment frauds involving identity theft and credential compromise.

Understanding AePS and Its Role in Digital Transactions

The Aadhaar Enabled Payment System, run by the National Payments Corporation of India (NPCI), allows interoperable transactions through Aadhaar-based authentication. It enables users to carry out banking transactions such as balance inquiry, cash withdrawal, and fund transfer using biometric verification.

Key Provisions in the New RBI Guidelines

Due Diligence for AePS Touchpoint Operators

Under the new norms, banks are required to conduct thorough due diligence of all AePS touchpoint operators (ATOs) during onboarding. Additionally, periodic Know Your Customer (KYC) updates must be performed to ensure continuous compliance.

“If an operator remains inactive for three consecutive months, the bank must carry out a KYC before allowing them to transact again.”

This provision is expected to reduce the risk of dormant or unmonitored operator accounts being misused for fraudulent activities.

Enhanced Risk Monitoring Measures

In a significant step toward strengthening fraud risk management, the RBI has directed banks to monitor all activities of AePS operators in real-time through robust transaction monitoring systems.

“Aspects such as location and type of the ATO, volume and velocity of transactions, etc. shall form part of bank’s fraud risk management framework.”

Banks will also need to establish clear operational parameters depending on the risk profile of each operator, ensuring that suspicious activity can be flagged and addressed swiftly.

System-Level Controls and API Security

To ensure technological safeguards are in place, the RBI has instructed acquiring banks to implement strict system-level controls.

“The acquiring bank must also establish adequate system-level controls to ensure than any technological integrations like application programming interfaces (APIs) are used only for enabling AePS operations.”

This guideline is expected to help prevent unauthorized access and misuse of APIs, which are increasingly used in fintech integrations.

Conclusion

The Reserve Bank of India's newly issued guidelines represent a pivotal move toward strengthening the security framework of Aadhaar Enabled Payment Systems (AePS), which serve as a cornerstone of India’s broader financial inclusion strategy. As digital transactions continue to surge, so do the risks associated with identity theft, credential compromise, and cyber fraud.

By mandating stricter KYC norms, periodic due diligence of AePS operators, and continuous transaction monitoring, the RBI aims to enhance operational transparency and accountability across the ecosystem. The integration of system-level controls and API restrictions further ensures that only authorized platforms can facilitate AePS transactions, mitigating the threat of technological misuse.

These guidelines are not just regulatory in nature—they are a proactive response to the evolving digital landscape. In doing so, the central bank is reinforcing public confidence in India’s digital payment infrastructure and laying the groundwork for a more secure, inclusive, and fraud-resilient banking future.