EDITION № 25 SUN · JUN 21 · 2026
zoho.social
Independent coverage of AI, social media, marketing, startups, business and automation.
Finance & Fintech

Regulation Catches Up to the Rails: How RBI’s 2026 Rules Rewire Payments

Mandatory two-factor authentication and a revised e-mandate framework change the cost and design of every digital-payment product. A field guide for founders, lenders, and operators.


For most of the past decade, India’s payments story has been one of rails racing ahead of rulebooks. Builders shipped first; regulators codified later. That sequence is now inverting. With the Reserve Bank of India’s Authentication Mechanisms Directions, 2025 — which mandate two-factor authentication for every domestic digital payment from 1 April 2026 — the regulator is no longer reacting to the rails. It is redesigning them. For founders, operators, and the lenders riding on top of UPI, the question is no longer whether compliance reshapes product economics, but how much, and who is ready.

Where the rails are today

The scale is staggering, and it is the entire reason these rules matter. UPI processed 21.70 billion transactions worth over Rs.28.33 lakh crore in January 2026 alone, with 691 banks live on the network, according to data published by PIB and IBEF citing NPCI and ACI Worldwide. By that account, UPI represents roughly 49% of global real-time payment volume. No regulatory change anywhere in the world touches as many daily transactions as a tweak to UPI’s plumbing.

But scale has come with concentration. A handful of third-party apps account for the overwhelming majority of UPI volume, a dependency that has kept the proposed market-share cap a recurring policy conversation. Concentration risk is not abstract: an outage or compliance failure at a dominant app is a systemic event, not a single-company problem. That reality colours how the RBI now thinks about authentication, redundancy, and accountability across the stack.

Layered on top of the payments base is the fastest-growing segment of the ecosystem: credit on UPI. Pre-sanctioned credit lines and credit cards linked to UPI handles have turned a payments rail into a distribution channel for lending. That convergence is commercially exciting and regulatorily delicate — it blends the low-friction, zero-MDR world of person-to-merchant UPI with the higher-margin, interchange-bearing world of credit. Which brings us to the two debates that have shadowed the industry: interchange and KYC. The interchange question — who pays, how much, and on which instruments — determines whether credit-on-UPI is a viable business or a loss leader. The KYC question — how customers are verified, re-verified, and monitored — determines the cost of onboarding and the friction of every subsequent interaction. The 2026 rules touch both.

What’s changing in the rules

The headline change is authentication. From 1 April 2026, the RBI’s Authentication Mechanisms Directions, 2025 require two-factor authentication — with at least one dynamic factor — for every domestic digital payment, including UPI, cards, and wallets. This is the regulatory shift at the centre of the story, and it is worth parsing carefully. (Operators should validate the specifics against the RBI primary text rather than relying solely on secondary summaries, but the direction of travel is unambiguous.)

The phrase “at least one dynamic factor” is the operative constraint. A static PIN paired with a static credential will no longer satisfy the requirement on its own; one element of the authentication chain must change with each transaction or session — a time-bound one-time code, a device-bound cryptographic token, or a comparable mechanism. The intent is to move the industry decisively away from anything that can be phished, reused, or replayed. For UPI, which already leans on device binding and a PIN, the practical effect depends on how regulators interpret the existing flow against the new standard — another reason to read the primary directions closely.

The second change cuts in the opposite direction, easing friction rather than adding it. The revised e-mandate framework permits recurring auto-debits of up to Rs.15,000 per transaction without a per-transaction OTP, provided the mandate itself was authenticated at setup and the customer receives advance notification. For subscription businesses, lenders collecting EMIs, insurers, utilities, and any operator built on recurring revenue, this is significant. The regulator is signalling a more mature posture: heavy authentication at the moment of consent, lighter touch on subsequent, pre-authorised pulls. It rewards businesses that get the mandate architecture right and punishes those that treat recurring billing as an afterthought.

The third strand is the tightening of international UPI usage and KYC norms. As UPI expands across borders — for inbound travellers, for outbound payments, for NRI accounts — the RBI is sharpening the verification and monitoring expectations around cross-border flows. Combined with broader KYC tightening, this raises the bar on identity assurance precisely as the customer base internationalises. The net message: friction is being redistributed, not simply removed. Consent and onboarding get heavier; routine recurring payments get lighter; cross-border gets more scrutinised.

Winners and pressure points

Begin with the payment aggregators, payment gateways, and consumer payment apps. They sit closest to the authentication change and absorb its cost first. Every PA/PG must now ensure that the flows it orchestrates carry a compliant dynamic factor, that fallback paths do not quietly degrade to single-factor authentication, and that the customer experience does not collapse under the added step. The winners here will be the players who have already invested in tokenisation, device binding, and risk-based authentication infrastructure — they can absorb the mandate as a configuration change rather than a rebuild. The pressure falls hardest on apps that have competed primarily on slickness and speed, where any added authentication step directly threatens conversion.

Lenders and neobanks face a more nuanced picture. The e-mandate relaxation is, on balance, a gift: collecting EMIs and subscription fees up to Rs.15,000 without per-transaction OTP friction materially improves collection success rates and reduces failed-payment churn. But credit-on-UPI providers also live inside the authentication regime, and the interchange economics that make their model work remain unsettled. Neobanks that have outsourced their compliance posture to partner banks will discover that the partner’s readiness is now their readiness — and a partner’s authentication gap becomes the neobank’s product gap.

The broader, more important point is this: compliance-readiness is becoming a moat. For years, the competitive edge in Indian fintech was distribution, design, and capital. Increasingly, the durable advantage is the ability to ship compliant flows quickly, to adapt to a new RBI direction in weeks rather than quarters, and to demonstrate auditability to partner banks and the regulator. Firms that built compliance as a core engineering discipline — rather than a legal afterthought bolted on before each deadline — will out-execute better-funded rivals who treated it as overhead. In a regulated market, the regulation itself becomes a barrier to entry, and the incumbents best at navigating it pull ahead.

What founders should plan for

The honest planning conversation starts with cost. Two-factor authentication with a dynamic factor is not free: it implies investment in token infrastructure, OTP delivery or device-binding systems, fraud and risk engines that decide when step-up authentication is warranted, and the engineering time to retrofit existing flows. Founders should model this as a recurring operating cost, not a one-time project, and should price compliance into unit economics now rather than discovering it as margin erosion in mid-2026. The teams that budget for it early will not be scrambling in the first quarter of the new financial year.

Second, infrastructure readiness. The practical work is unglamorous but decisive:

  • Audit every payment flow — including edge cases, retries, and fallback paths — to confirm at least one dynamic factor is present and cannot silently degrade.
  • Re-architect recurring billing around the e-mandate framework, capturing strong authentication at mandate setup so you can take advantage of the per-transaction OTP exemption up to Rs.15,000.
  • Strengthen KYC and identity pipelines, especially for any cross-border or international UPI use, where the bar is rising.
  • Pressure-test partner banks and PA/PG vendors on their own readiness; their timeline becomes yours.
  • Instrument for auditability so that compliance can be demonstrated, not merely asserted.
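As an added illustration (not code from the article, nor from any PA/PG or bank), here is how the flow audit in the first bullet and the e-mandate exemption described earlier could be checked mechanically rather than asserted. The stage/fallback model, the factor names and their static/dynamic classification are assumptions; the Rs.15,000 ceiling is the figure the article quotes.

```python
from itertools import product

# Constructed factor classes: static factors can be phished, reused or replayed;
# dynamic ones change per transaction or session (time-bound OTP, device-bound token).
STATIC_FACTORS = {"static_pin", "password", "card_number"}
DYNAMIC_FACTORS = {"sms_otp", "totp", "device_token", "push_challenge"}

EMANDATE_LIMIT_INR = 15_000  # per-transaction ceiling for the OTP exemption quoted above


def weak_paths(stages):
    """A flow is a list of stages; each stage lists its primary factor first and any
    fallback factors after it (None = the stage can be skipped on retry). Enumerate
    every primary/fallback combination and return those that break the rule: fewer
    than two factors, or no dynamic factor among them."""
    weak = []
    for path in product(*stages):
        factors = [f for f in path if f is not None]
        unknown = set(factors) - STATIC_FACTORS - DYNAMIC_FACTORS
        if unknown:
            raise ValueError(f"unclassified factor(s): {sorted(unknown)}")
        if len(factors) < 2 or DYNAMIC_FACTORS.isdisjoint(factors):
            weak.append(path)
    return weak


def otp_required(amount_inr, recurring, mandate_authenticated, customer_notified):
    """Per-transaction OTP may be skipped only for a recurring debit that was strongly
    authenticated at mandate setup, pre-notified to the customer, and within the ceiling."""
    if not recurring:
        return True
    return not (mandate_authenticated and customer_notified and amount_inr <= EMANDATE_LIMIT_INR)


# Constructed sample flows (assumed shapes, not any real app's configuration).
UPI_FLOW = [["device_token"], ["static_pin"]]            # device binding + PIN
CARD_FLOW = [["card_number"], ["sms_otp", "password"]]   # OTP failure falls back to a password
LAZY_FLOW = [["totp", None], ["static_pin"]]             # OTP stage can be skipped on retry

if __name__ == "__main__":
    for name, flow in [("upi", UPI_FLOW), ("card", CARD_FLOW), ("lazy", LAZY_FLOW)]:
        print(name, "weak paths:", weak_paths(flow))
    print("EMI of 12,000 on an authenticated, notified mandate needs OTP:",
          otp_required(12_000, True, True, True))
```

The card and lazy flows each pass on their primary path and fail only through a fallback, which is exactly the silent degradation the audit bullet warns about.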

Third, distribution shifts. As authentication friction increases on one-off payments and decreases on authenticated recurring flows, the economics tilt toward business models built on durable, consented relationships rather than impulsive single transactions. Expect subscriptions, mandates, and embedded recurring credit to become more attractive relative to high-friction one-time checkouts. Expect the dominant apps and the best-prepared infrastructure providers to capture more of the value, because smaller players will lean on them to stay compliant. And expect the cross-border tightening to slow some of the more aggressive international UPI expansion plans until the KYC machinery catches up.

The larger lesson for operators is one of posture. The era when Indian fintech could treat regulation as something that happened to it — a periodic interruption to be lobbied or weathered — is ending. The RBI has demonstrated that it will redesign the rails with detailed, prescriptive directions, and that it will move toward either more friction or less, depending on where it judges risk and convenience to lie. The founders who thrive in this environment will be the ones who read the directions before the deadline, who build compliance into the architecture rather than the changelog, and who recognise that on rails this large, the rulebook is now a product spec. April 2026 is not a finish line. It is a sign of how the next decade of Indian payments will be built.

Written by

Deepa Reddy

Fintech & Creator Economy Correspondent

9 years reporting on fintech innovation, personal finance, digital payments, and UPI, as well as content monetization, creator businesses, newsletters, and freelancing.
