Reserve Bank of India (RBI) has released broad new directions for increasing the security and integrity of the Aadhaar Enabled Payment System (AePS) with a focus on onboarding and surveillance of AePS Touchpoint Operators (ATOs). The directions are to come into effect from January 1, 2026, and are meant to counter rising frauds related to identity theft and credential misuse, and to regain public confidence in digital payment systems.
Key Highlights
Compulsory Due Diligence: The acquiring banks are required to conduct extensive due diligence and KYC authentication of all AePS Touchpoint Operators before onboarding, as per RBI's guidelines prescribed. In case a due diligence has already been conducted by an ATO as a Business Correspondent or sub-agent, the same may be utilized.
Regular Monitoring: Banks are required to monitor ATO activities regularly with the help of transaction monitoring systems. The operational parameters—risk profile, location, and transaction volume—should be regularly reviewed and updated to reflect emerging trends of fraud.
KYC Update for Dormant Operators: In case an ATO is in a dormant condition (no financial or non-financial activities) for three successive months, their KYC will need to be refreshed prior to resuming operations.
Single Bank Onboarding: One acquiring bank may onboard a single ATO in a bid to have clear responsibility and reduce gaps in oversight.
Risk-Based Controls: Transactional limits and operating parameters shall be set in accordance with the respective operators' risk profiles. Transactions must be within the operator's expressed location and business scope.
Advanced Fraud Risk Management: Banks' fraud risk management systems should consider operator type, location, transaction speed, and other risk factors. Controls at the system level must be implemented to ensure APIs and other integrations are used only for AePS transactions.
Industry Feedback and Timeline of Compliance: The RBI had already released draft guidelines for public comments. NPCI and banks will have a grace period of three months from the date of release to adopt the new guidelines.
Why This Matters
AePS is a critical digital payment platform, particularly in rural and semi-urban India, enabling basic banking services via Aadhaar authentication. The recent fraud cases have highlighted the requirement for stronger controls. RBI's new framework is a firm move to protect customers, build confidence, and prepare India's digital payment system for the future.
Source: Economic Times, Business Standard, Banking Frontiers, AuthBridge, TaxGuru
