RBI Update – RBI Tightens Due Diligence Norms for AePS Touchpoint Operators

The Reserve Bank of India (“RBI”), in exercise of the powers conferred under Section 18 read with Section 10(2) of the Payment and Settlement Systems (PSS) Act, 2007, vide Notification No. CO.DPSS.POLC.No.S339/02-01-001/2025-2026,[1] dated June 27, 2025, revised the due diligence norms for Aadhaar Enabled Payment System (“AePS”) Touchpoint Operators.

Background:

The AePS, operated by the National Payments Corporation of India (NPCI), allows interoperable banking transactions using Aadhaar authentication. While it supports financial inclusion, AePS has also seen a rise in frauds due to identity theft and compromised credentials. To address these concerns, RBI has issued new guidelines focusing on strengthening onboarding, due diligence, and risk management practices for AePS Touchpoint Operators (“ATOs”).

Key Highlights:

I. Mandatory Due Diligence Before Onboarding:

    • Acquiring banks must follow the Customer Due Diligence (CDD) process (as per RBI KYC Directions, 2016).
    • Existing KYC done for ATOs as Business Correspondents (BCs) or sub-agents may be reused.
    • Periodic KYC updation shall be mandatory for all ATOs.

II. KYC for Inactive ATOs: If an ATO remains inactive for 3 (three) continuous months, fresh KYC must be conducted before reactivation.

III. Enhanced Risk Management by Banks:

    • Banks must monitor transactions of ATOs on an ongoing basis.
    • Operational parameters (location, volume, transaction velocity) must be based on risk profiling.
    • Parameters must be reviewed periodically to reflect emerging fraud trends.

IV. System-Level Controls: Acquiring banks must ensure technological integrations are strictly used for AePS operations only, with no misuse.

[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12877&Mode=0