Aadhaar Enabled Payment System – Due Diligence of AePS Touchpoint Operators - RBI - Reserve Bank of India
RBI/2025-26/63

June 27, 2025

The Chairman / Managing Director / Chief Executive

Madam / Dear Sir,

Aadhaar Enabled Payment System – Due Diligence of AePS Touchpoint Operators

Aadhaar Enabled Payment System (AePS) is a payment system operated by National Payments Corporation of India (NPCI) that facilitates interoperable transactions using Aadhaar enabled authentication. AePS plays a prominent role in enabling financial inclusion.

2. In recent times, there have been reports of frauds perpetrated through AePS due to identity theft or compromise of customer credentials. To protect bank customers from such frauds, and to maintain trust and confidence in the safety and security of the system, a need is felt to enhance the robustness of AePS. Accordingly, as announced in Statement on Developmental and Regulatory Policies dated February 08, 2024, it has been decided to issue directions for streamlining the process for onboarding of AePS touchpoint operators and strengthening fraud risk management. Detailed instructions are placed in the Annex.

3. These directions are issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems (PSS) Act, 2007 (Act 51 of 2007) and shall come into effect from January 01, 2026.

Yours faithfully,

(Gunveer Singh)

Encl.: Annex

CO.DPSS.POLC.No.S339/02-01-001/2025-2026

Aadhaar Enabled Payment System -

1. Definitions

I. In these directions, the terms herein shall bear the meanings assigned to them below:
II. Terms pertaining to Aadhaar, Aadhaar biometric authentication, etc., shall have the same meaning as assigned to them in the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016), and the rules made thereunder.

III. Words and expressions used but not defined in I and II above and defined in the Payment and Settlement Systems Act, 2007 shall have the meanings assigned to them in that Act.

2. Due diligence of AePS Touchpoint Operators

2.1 The acquiring bank shall carry out due diligence of all ATOs before onboarding them, adopting the same process as indicated in the Customer Due Diligence procedure for individuals, stipulated in paragraph 16 of Part-I, Chapter-VI of the Master Direction – Know Your Customer Direction, 2016 (as updated from time to time), issued by the Reserve Bank. However, if the due diligence of ATOs has already been done in their capacity as Business Correspondent / sub-agent, then the same may be adopted. The acquiring bank shall also carry out periodic updation of KYC of ATOs.

2.2 In cases where an ATO has remained inactive, i.e. has not performed any financial / non-financial transaction for a customer for a continuous period of three months, the acquiring bank shall carry out KYC of the ATO before enabling him / her to transact further.

3. Risk Management

3.1 The acquiring bank shall monitor the activities of ATOs through their transaction monitoring systems on an ongoing basis and set operational parameters, based on business risk profile of the ATOs. Aspects such as location and type of the ATO, volume and velocity of transactions, etc. shall form part of the bank’s fraud risk management framework.

3.2 The operational parameters regarding ATOs shall be reviewed on a periodic basis, reflecting emerging fraud trends.

3.3 The acquiring bank shall put in place adequate system level controls to ensure that any technological integrations like APIs are used only for enabling AePS operations.