Is SMS OTP the only acceptable AFA?

No. RBI permits any second factor that meets the “independent factor” criterion: SMS OTP, TOTP, biometric in regulated apps, hardware tokens. SMS OTP remains the default because of universal device support.

Are recurring payments exempt from AFA?

Eligible e-mandates have specific exemptions up to defined thresholds. Above threshold, AFA reapplies. Refer to RBI’s e-mandate framework.

Industry & Compliance

RBI AFA Guidelines for OTP (2026 Update)

RBI Additional Factor of Authentication guidelines summarised for OTP developers: scope, exemptions, alternative-factor allowances, and what changed in 2026.

5 May 2026|8 min read

StartMessaging Team

Engineering

RBI’s AFA framework underpins the Indian online-payment experience. OTP is the dominant AFA implementation. The 2026 update clarifies several edges and recognises modern alternative factors.

Overview

AFA mandatory on card-not-present transactions.
Internet banking and mobile banking transactions covered.
UPI transactions above thresholds require AFA.
Specific e-mandate carve-outs.

Scope of AFA

Card payments (CVV is one factor; OTP is the second).
Mobile / internet banking logins and high-value transactions.
UPI transactions above thresholds.
NBFC loan disbursement and EMI changes.

Exemptions and Carve-Outs

Small-value e-mandates (within RBI thresholds).
Tokenised low-value payments at trusted merchants.
Some employer-sponsored corporate-card flows.

Alternative Factors RBI Permits

SMS OTP (default).
TOTP / authenticator apps.
Biometric in regulated mobile apps.
Push approvals on registered devices.
Hardware tokens for corporate banking.

Read our broader RBI 2FA mandate guide.

Production Patterns

Default to SMS OTP for breadth.
Layer biometric for trusted devices.
Step-up to OTP on cross-device or cross-IP risk.
Audit retain 7–10 years.

FAQ

StartMessaging handles application-side OTPs at scale; you remain compliant with AFA on the flows where you control authentication.

OTP & SMS Security

RBI 2026 Mandatory 2FA Rules: What Indian Apps Must Do

Plain-English summary of RBI's April 2026 mandatory 2FA rules for digital payments, what counts as a valid second factor, and how OTP fits in.

StartMessaging Team·3 May 20269 min read

Use Cases

OTP for Fintech: 2FA, KYC, and Transactions

How Indian fintech apps use OTP for two-factor authentication, KYC verification, transaction authorization, and UPI linkage. RBI compliance and security best practices.

StartMessaging Team·29 Jan 202610 min read

Use Cases

OTP for NBFC Loan Apps in India: A Compliance-First Guide

How NBFC and fintech loan apps in India should design OTP flows: RBI digital-lending rules, KYC OTPs, e-mandate authorization, disbursement confirmation, and pitfalls.

StartMessaging Team·29 Apr 20269 min read

Ready to Send OTPs?

Integrate StartMessaging in 5 minutes. No DLT registration required.

Get Started Free Read API Docs