RBI Tightens AePS Security Norms | New Rules Effective Jan 1, 2026

Notification No. RBI/2025-26/63CO.DPSS.POLC.No.S339/02-01-001/2025-2026 Dated 27-06-2025 (CL/BNF)

The Reserve Bank of India (RBI) has announced a set of new regulatory guidelines aimed at strengthening security and preventing fraud in the Aadhaar Enabled Payment System (AePS). These guidelines will come into effect from January 1, 2026.

1. Overview of AePS

The Aadhaar Enabled Payment System (AePS) is operated by the National Payments Corporation of India (NPCI) and enables interoperable banking transactions through Aadhaar-based authentication. AePS plays a critical role in promoting financial inclusion, especially in underserved and remote areas, by enabling services like cash withdrawal, balance enquiry, and fund transfer using Aadhaar credentials.

2. Key Regulatory Changes Effective January 1, 2026

The revised guidelines focus on enhancing due diligence, monitoring, and system integrity with respect to AePS Touchpoint Operators (ATOs)—individuals or entities facilitating AePS transactions on the ground.

2.1 KYC and Onboarding of ATOs

• Banks must conduct full Know Your Customer (KYC) checks before onboarding any ATO.
• The due diligence process must align with the procedures outlined under the Master Direction – Know Your Customer (KYC) Direction, 2016, applicable for individuals.
• If the ATO has already undergone KYC in the capacity of a Business Correspondent (BC) or sub-agent, the same may be adopted for AePS onboarding.
• Periodic KYC updates of ATOs are also mandatory to ensure the accuracy of information.

2.2 Monitoring and Risk Management

• Banks are required to continuously monitor the activities of ATOs to detect anomalies or suspicious behavior.
• They must implement risk-based controls tailored to the operational scale and profile of the ATO.
• Use of technologies such as APIs must be strictly limited to AePS transactions to avoid misuse or unauthorised access.

2.3 KYC for Inactive ATOs

• If an ATO has not carried out any financial or non-financial transaction on behalf of a customer for a continuous period of 3 months, they will be considered inactive.
• The acquiring bank must re-perform KYC before reactivating such ATOs for further transactions.

3. Objective of the Guidelines

These measures are intended to:

• Enhance the integrity and security of the AePS ecosystem
• Prevent misuse of Aadhaar-based systems for fraudulent activities
• Promote greater accountability and compliance by ATOs and acquiring banks
• Maintain trust in digital and financial inclusion initiatives

4. Conclusion

The RBI’s new framework marks a proactive step towards strengthening the AePS infrastructure by addressing the vulnerabilities in operator onboarding and transaction processing. Acquiring banks and stakeholders must take immediate steps to align their systems and policies with the updated compliance requirements before the January 1, 2026 implementation date.

Click Here To Read The Full Notification