Additional Factor Authentication (AFA)

The Reserve Bank of India (RBI), the country's central bank, recently asked all banks to use additional factor authentication (AFA) for auto-debit transactions on their customers' debit and credit cards. This is to protect consumers from fraudulent card-related transactions.

From October 1, 2021, banks will not approve any standing instruction (for recurring payments) given at merchant websites or mobile applications without the approval of their customers. This means the standing instruction or auto-debit facility enabled across various platforms, including insurance premium payments, subscriptions to platforms such as Netflix and Hotstar, and other billers, will be disabled or declined. This applies if the card-issuing bank and merchants do not meet the new conditions prescribed by RBI.

RBI released a draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions.

  • The framework will be applicable to all Payment System Providers and Payment System Participants, as defined in the Payment and Settlement Systems (PSS) Act, 2007.

About AFA Framework

  • All digital payment transactions shall be authenticated with an additional factor(s) of authentication (AFA), unless exempted.
  • All digital payment transactions, other than card present transactions, shall ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated after initiation of payment, is specific to the transaction and cannot be reused.
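
One way an issuer could meet the "dynamically created" requirement above, shown as an added example that is not taken from the RBI framework or any bank's implementation. The class name, field names (`txn_id`, `payee`, `amount_paise`), the 180-second lifetime and the three-attempt limit are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, time

class TransactionOtp:
    """Issuer-side store of one-time codes, each bound to one payment (hypothetical design)."""

    def __init__(self, ttl_seconds=180, max_attempts=3):  # assumed limits, not from the framework
        self._key = secrets.token_bytes(32)   # server-side secret; codes are never stored in clear
        self._pending = {}                    # txn_id -> [digest, expires_at, attempts_left]
        self._ttl, self._max_attempts = ttl_seconds, max_attempts

    def _digest(self, txn_id, payee, amount_paise, code):
        # JSON list encoding keeps field boundaries unambiguous before MACing.
        msg = json.dumps([txn_id, payee, amount_paise, code]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id, payee, amount_paise, now=None):
        """Called only after the payment is initiated; returns the code to deliver to the customer."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        digest = self._digest(txn_id, payee, amount_paise, code)
        self._pending[txn_id] = [digest, now + self._ttl, self._max_attempts]
        return code

    def verify(self, txn_id, payee, amount_paise, code, now=None):
        """True only for the live code, presented with the same payee and amount, once."""
        now = time.time() if now is None else now
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                      # unknown, already used, or locked out
        digest, expires_at, attempts_left = entry
        if now > expires_at:
            del self._pending[txn_id]
            return False
        ok = hmac.compare_digest(digest, self._digest(txn_id, payee, amount_paise, code))
        if ok or attempts_left <= 1:
            del self._pending[txn_id]         # consume on success, lock out on last failure
        else:
            entry[2] = attempts_left - 1
        return ok

if __name__ == "__main__":
    otp = TransactionOtp()
    code = otp.issue("txn-001", "merchant@example", 599900)   # constructed sample payment
    print(otp.verify("txn-001", "merchant@example", 999900, code))  # amount changed
    print(otp.verify("txn-001", "merchant@example", 599900, code))  # genuine
    print(otp.verify("txn-001", "merchant@example", 599900, code))  # replay
```

Because the stored digest covers the payee and amount as well as the code, a code approved for one payment does not authorise a different payee or amount, and deleting the entry on success is what prevents reuse.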

RBI’s new rules for two-factor authentication of digital payments

According to an RBI press release issued on July 31, 2024, “the Reserve Bank of India has prioritised security of digital payments, in particular the requirement of Additional Factor of Authentication (AFA) for making payments. No specific factor was mandated for authentication, but the digital payments ecosystem has primarily adopted SMS-based OTP as AFA. While OTP is working satisfactorily, technological advancements have made available alternative authentication mechanisms.”

As per the draft, “Factor of Authentication: Any credential input by the customer which is verified for the purpose of confirming the originator of a payment instruction.
The factors of authentication are broadly categorised as below:

  • Something the user knows (such as password, passphrase, PIN)
  • Something the user has (such as card hardware or software token)
  • Something the user is (such as fingerprint or any other form of biometrics).”

Unless otherwise specified in this framework, all digital payment transactions will be verified through the use of an additional factor of authentication (AFA). When determining the proper AFA for a transaction, issuers such as banks and non-banks can use a risk-base ..

What is the new rule?

The RBI has issued a framework for processing recurring online transactions. Under the new rules, all recurring transactions mandatorily require additional authentication if the value is more than Rs 5,000. This means that you, as a customer, must approve your auto-debit transaction via OTP. This applies to all cards, both debit and credit, with monthly, quarterly, half-yearly or yearly standing instructions.

FAQs

What is Additional Factor Authentication (AFA)?

Additional Factor Authentication (AFA) is a security process that requires users to provide more than one form of verification to access an account or system. This enhances security by ensuring that only authorized users can gain access.

How does AFA work?

AFA works by combining two or more different types of authentication factors, such as something you know (password), something you have (security token or smartphone), and something you are (fingerprint or facial recognition).