India’s rapid digital acceleration — powered by UPI, mobile banking, and telecom-led innovation — has brought both convenience and complexity. But with this growth comes an unavoidable challenge: cyber risk. Fraud, data breaches, and increasingly sophisticated attacks are eroding trust at a time when consumers and enterprises alike are relying more than ever on digital platforms.
Against this backdrop, the Reserve Bank of India’s (RBI) new authentication guidelines, slated for rollout in 2026, could mark a turning point. By encouraging banks and fintechs to move beyond the traditional one-time password (OTP) and explore alternative, risk-based authentication models, the regulator is signaling a shift toward layered, contextual security.
RBI’s move to mandate two-factor authentication beyond SMS is a clear signal that India’s digital payments ecosystem is maturing into a zero-trust architecture. “The real innovation lies in risk-based authentication — adaptive, context-aware, and invisible unless something looks suspicious. This is a chance for banks and fintechs to reimagine trust; not as a static checkpoint, but as a continuous, intelligent process. The winners will be those who embed security into the user journey without adding friction; think biometric approvals, device binding, behavioural analytics, and even silent AI-driven fraud scoring. India’s high-volume, low-value transaction landscape demands that security be ambient, not intrusive. Globally, we have seen that rigid authentication can backfire, causing drop-offs and user fatigue. RBI’s framework avoids that trap by encouraging flexibility and innovation. If implemented well, this could become a global benchmark for balancing scale, security, and simplicity in digital finance. It’s not just about stopping fraud but building a future where trust is earned in milliseconds, not demanded through OTPs,” says Sundareshwar Krishnamurthy, Partner and India Cyber Leader, PwC.
From OTPs to Risk-Based Security
For years, the SMS-based OTP has been the bedrock of digital transactions. But fraudsters have kept pace, finding ways to intercept and exploit OTPs. RBI’s approach keeps OTPs in play but adds flexibility: banks can now apply additional checks based on context.
For instance, if a customer who usually makes UPI transfers between 8–10 a.m. suddenly initiates a transaction at 4 a.m., the system can trigger an additional layer of authentication. This could be an app-based prompt, biometric scan, or risk-based transaction review. Consumers also gain more control — with the option to set personal thresholds for when stronger authentication is required.
According to Sundareshwar, this framework could significantly boost user confidence. “It allows me, as a user, to set my own comfort levels. If I’m comfortable risking ₹100 without an extra check, I can choose that. But for ₹50,000, I want additional layers of security. This flexibility is what builds real trust in the system.”
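A minimal sketch of the step-up decision described above, added here as an illustration and not taken from RBI's guidelines or any bank's implementation. The function names, the ₹5,000 user threshold, the one-hour tolerance and the sample history are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: hour of day (0-23) of a customer's past UPI transfers,
# matching the article's "usually between 8-10 a.m." customer.
HISTORY_HOURS = [8, 8, 9, 9, 9, 8, 9, 8, 9, 9, 8, 9]


def usual_hours(history, min_share=0.1):
    """Hours that each account for at least min_share of past transfers."""
    counts = Counter(history)
    return {h for h, n in counts.items() if n / len(history) >= min_share}


def hours_from_usual(hour, usual):
    """Smallest gap in hours to any usual hour, wrapping around midnight."""
    return min(min((hour - u) % 24, (u - hour) % 24) for u in usual)


def decide(amount_inr, when, history, user_threshold_inr, tolerance_hours=1):
    """Return (action, reasons); action is 'allow' or 'step_up'.

    'step_up' means the bank asks for an additional factor (app prompt,
    biometric, or manual review) before the transfer proceeds.
    """
    reasons = []
    # The customer's own comfort level: at or above it, always step up.
    if amount_inr >= user_threshold_inr:
        reasons.append("amount_at_or_above_user_threshold")
    # With no behavioural baseline, fail closed rather than assume normality.
    if not history:
        reasons.append("no_history")
    elif hours_from_usual(when.hour, usual_hours(history)) > tolerance_hours:
        reasons.append("unusual_hour")
    return ("step_up" if reasons else "allow", reasons)


if __name__ == "__main__":
    threshold = 5000  # hypothetical value chosen by the customer
    for amount, ts in [(100, "2026-01-05 09:15"), (100, "2026-01-05 04:00"),
                       (50000, "2026-01-05 09:15")]:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        print(amount, ts, decide(amount, when, HISTORY_HOURS, threshold))
```

A production risk engine would combine many more signals (device binding, behavioural analytics, fraud scores); the sketch covers only the two the article names, time of day and a user-set amount threshold.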
Cost of Compliance — and the Business Reality
While consumer trust grows, banks and fintechs face the challenge of reengineering systems to align with these mandates. This requires investments not just in new authentication mechanisms but in backend risk engines and fraud detection.
Rising Cybersecurity Budgets
PwC’s latest research shows that cybersecurity budgets in India are rising faster than organizational growth rates — a clear signal of urgency. While earlier spending largely focused on confidentiality (protecting data from leaking), the new frontier is resilience and integrity.
This shift means enterprises are now investing in quantum-safe cryptography, data quality monitoring, and rapid recovery playbooks. One of the automotive majors, where systems remained crippled for weeks, has become a cautionary tale.
“Resilience means accepting that you’ll get bitten, but building the capability to withstand the blow, recover swiftly, and stay in the fight. It’s not about avoiding every setback, but ensuring you’re never knocked out,” Sundareshwar adds.
The AI Blind Spot
“Responsible AI isn’t just about managing risk; it’s about harnessing cutting-edge technologies like AI in a secure and trustworthy way,” said Sundareshwar Krishnamurthy. “As enterprises accelerate their adoption of AI and agentic systems, new risks inevitably emerge. That’s why responsible AI must begin with clean, anonymized, high-quality data, which is the foundation for both security and reliability. By evaluating AI across dimensions like accuracy, fairness, and safety, and triggering pre-defined actions when trust scores fall, enterprises can ensure that machine-led decisions remain secure, accountable, and aligned with real-world expectations.”
Cybersecurity will continue to evolve from a technical safeguard to a core business enabler. In a world where attackers are already leveraging AI, enterprises must prepare for a game of “snakes and ladders,” where the goal is not to avoid every bite, but to climb back quickly when setbacks strike.