
RBI's New Payment Rules and DPDPA Create Dual Compliance Challenge - 2025-10-06

Subject: Technology, Media & Telecommunications - Data Protection & Privacy


Supreme Today News Desk

RBI's New Payment Rules and DPDPA Create Dual Compliance Challenge for India's Digital Economy

New Delhi – A significant regulatory shift is underway in India's digital landscape as the Reserve Bank of India (RBI) tightens security for digital payments, while simultaneously mandating adherence to the country's new data privacy law. The RBI's 'Authentication Mechanisms for Digital Payment Transactions Directions, 2025', set to take effect for payment system providers by April 1, 2026, are not merely a technical upgrade but a foundational move that embeds data protection principles into the heart of India's financial technology framework. For law firms and their clients in the banking and fintech sectors, this convergence of financial regulation and data privacy creates a complex, dual-compliance challenge that requires immediate and strategic attention.

The new RBI Directions signal an end to the over-reliance on SMS-based One-Time Passwords (OTPs), pushing the industry towards a more robust, multi-factor authentication system. This development is occurring just as the legal and corporate sectors are grappling with the impending implementation of the Digital Personal Data Protection Act, 2023 (DPDPA). The RBI has explicitly linked these two frameworks, creating a new paradigm where security measures must be designed with privacy as a core component, not an afterthought.

The Core Mandate: Weaving Security and Privacy Together

The RBI's new principles-based framework aims to modernize authentication beyond conventional methods. It requires every domestic digital payment transaction to be verified with an additional factor of authentication (AFA), meaning at least two different factors drawn from three categories:

  • Something the user knows: a password or PIN.

  • Something the user has: a physical card, a hardware token, or a device-bound OTP.

  • Something the user is: a biometric identifier such as a fingerprint or facial recognition.

Crucially, for transactions where a card is not physically present, at least one of these factors must be "dynamically generated" (like a transaction-specific OTP) or "capable of being proven" (like biometrics). It is this third category—biometrics—that brings the DPDPA into sharp focus.
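As an added illustration (not code from this article, from the RBI, or from any payment system provider), the following Python encodes the rule exactly as the two paragraphs above paraphrase it: at least two factors from distinct categories, and, when the card is not physically present, at least one factor that is dynamically generated or capable of being proven. The factor catalogue and the `dynamic` flag are this example's own assumptions; the RBI text itself defines none of these names.

```python
"""Policy check for the authentication rule as the article paraphrases it.

Added illustration only. The three categories and the card-not-present
condition come from the article; the factor names, the "dynamic" flag and the
sample catalogue below are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # True for a factor generated for this transaction (a transaction-specific
    # OTP) or one that proves itself at the moment of use (a biometric match).
    # Static secrets such as a PIN are never dynamic.
    dynamic: bool = False


# Constructed catalogue of factors; the dynamic flags are assumptions.
PIN = Factor("pin", Category.KNOWLEDGE)
PASSWORD = Factor("password", Category.KNOWLEDGE)
CARD_PRESENT = Factor("card_present", Category.POSSESSION)
DEVICE_OTP = Factor("device_bound_otp", Category.POSSESSION, dynamic=True)
FINGERPRINT = Factor("fingerprint", Category.INHERENCE, dynamic=True)


def evaluate_afa(factors, card_present):
    """Return (ok, reasons) for the factors presented on one transaction.

    Rule 1: at least two factors from *different* categories. Two knowledge
            factors (PIN plus password) count as one category, not two.
    Rule 2: if the card is not physically present, at least one factor must be
            dynamically generated or capable of being proven.
    """
    reasons = []
    categories = {f.category for f in factors}
    if len(categories) < 2:
        reasons.append("fewer than two distinct authentication categories")
    if not card_present and not any(f.dynamic for f in factors):
        reasons.append("card-not-present transaction has no dynamic or provable factor")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Worked checks: the first two pass, the third fails on both rules.
    print(evaluate_afa([PIN, CARD_PRESENT], card_present=True))
    print(evaluate_afa([PASSWORD, DEVICE_OTP], card_present=False))
    print(evaluate_afa([PIN, PASSWORD], card_present=False))
```

The check is deliberately strict about categories: a PIN and a password are both "something the user knows", so presenting both still fails rule 1, which is the mistake a product team is most likely to make when retrofitting an existing login flow.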

Biometric data is classified as 'personal data' under the DPDPA, and its collection and processing require explicit consent and adherence to stringent data fiduciary obligations. The RBI's Directions explicitly state that while payment system providers (PSPs) can implement checks beyond the standard AFA, they must ensure these "meet requirements under the Digital Personal Data Protection Act, 2023 (DPDPA)."

As one legal analysis from Bar and Bench notes, "The mandated alignment with the provisions of the DPDPA reflects the RBI’s commitment to embedding privacy considerations directly into security design, ensuring that user rights are preserved alongside enhanced controls." This statement underscores the regulatory intent: PSPs cannot simply choose the most secure authentication method; they must choose one that is both secure and privacy-compliant. This will necessitate a profound shift in product design, legal vetting, and risk assessment for every bank, non-bank, and fintech company operating in India.

Navigating the Jurisprudence of New-Age Rights

The complexities introduced by the DPDPA and RBI's regulations echo another evolving area of Indian law: personality rights. While financial and data regulations are codified, the protection of a celebrity's persona is almost entirely a judge-made domain, and one court has become the undisputed epicentre for its development—the Delhi High Court.

Recent years have seen a parade of India's most famous personalities, from Amitabh Bachchan to Anil Kapoor, bypassing their home jurisdictions to seek protection for their personality rights in Delhi. This trend highlights the critical role specialized judicial forums play in shaping law in emerging and complex fields. According to legal experts, the Delhi High Court's pre-eminence is not accidental but the result of a decades-long cultivation of a robust Intellectual Property (IP) ecosystem.

Pravin Anand, Managing Partner at Anand & Anand, explains that the court developed an early reputation for strong IP protection, attracting cases from across the country. "You want it protected by what you consider to be the most efficient system, and the Delhi High Court has acquired that reputation," he stated.

This reputation is built on landmark rulings. The 2010 decision in DM Entertainment Pvt Ltd v. Baby Gift House & Ors , which recognized singer Daler Mehndi's persona as a "quasi-property right," and the 2012 order in Titan Industries Ltd. vs M/S Ramkumar Jewellers are foundational texts in this area, both originating from the Delhi High Court. This has created a rich body of precedent that lawyers can reliably draw upon. The establishment of the country's first dedicated IP Division in July 2021 further cemented its status, providing a specialized, fast-track mechanism for such disputes.

The Implications for Legal Practice

The convergence of data privacy and financial regulation, coupled with the judicial development of intangible rights, presents both challenges and immense opportunities for the legal profession.

  • A New Frontier for Advisory Work: Law firms must now develop inter-disciplinary teams proficient in banking regulation, technology law, and data privacy. Advising a fintech client on a new payment app is no longer just about RBI compliance; it requires a thorough Data Protection Impact Assessment (DPIA) under the DPDPA, drafting of clear and specific consent forms for biometric data, and ensuring data minimization principles are followed. The ambiguity in terms like "robustness" and "capable of being proven" within the RBI Directions will require lawyers to provide nuanced, risk-based advice.

  • Litigation and Forum Selection: Just as IP lawyers strategically choose the Delhi High Court for its favourable jurisprudence on personality rights, firms advising on data breaches or DPDPA non-compliance will need to develop a deep understanding of the Data Protection Board's functioning and the appellate procedures. The choice of forum and the ability to cite precedent will be as crucial in this new domain as it is in established fields like IP.

  • A Cultural Shift for In-House Counsel: The primary impact will be on in-house legal teams at banks and tech companies. They must transition from a reactive, compliance-checking role to a proactive, 'privacy-by-design' advisory function. Legal counsel will need to be involved at the earliest stages of product development to ensure that authentication mechanisms are built from the ground up to respect both RBI's security mandates and the DPDPA's privacy rights.

As India's digital economy continues its explosive growth, the legal and regulatory frameworks governing it are maturing at an accelerated pace. The RBI's forward-looking Directions and the DPDPA represent a new social contract for the digital age—one where innovation is balanced with security and individual privacy. For the legal professionals tasked with interpreting and implementing these rules, the coming years will be a period of intense learning, adaptation, and opportunity.

#DataPrivacy #FintechLaw #DPDPA
