Legal Analysis RBI Digital Payments E-Mandate 2026

The regulatory structure for recurring digital payments in India reached a definitive milestone on April 21, 2026, when the Reserve Bank of India issued the Digital Payments – E-mandate Framework, 2026, under the reference RBI/DPSS/2026-27/396. This directive represents a major consolidation of the payments ecosystem, designed to streamline the processing of automated transactions across cards, Prepaid Payment Instruments (PPIs), and the Unified Payments Interface (UPI). By formally repealing eight previously issued circulars that spanned from August 2019 to August 2024, the regulator has created a single, authoritative code that eliminates the operational confusion previously caused by a fragmented series of incremental updates.

Statutory Authority and Legislative Context under the Payment and Settlement Systems Act, 2007

The Reserve Bank of India exercises its mandate over the digital payments sector through the powers conferred by the Payment and Settlement Systems (PSS) Act, 2007. The E-mandate Framework, 2026, is specifically promulgated in exercise of the powers conferred by Section 10(2) read with Section 18 of the said Act. Section 10(1) of the PSS Act, 2007, empowers the regulator to prescribe standards for payment systems, including the format of payment instructions and the timing of fund transfers. Section 10(2) extends this authority by allowing the issuance of guidelines necessary for the proper and efficient management of payment systems generally, ensuring that the requirements for e-mandates are legally binding and standardized across the financial sector.

Section 18 of the PSS Act, 2007, provides the overarching power to give directions to any payment system provider or participant if it is satisfied that such action is necessary to regulate the system or protect the public interest. The 2026 Framework utilizes this statutory authority to enforce security measures such as Additional Factor of Authentication (AFA) and mandatory transaction notifications. The Act defines a payment system as any system enabling payment between a payer and a beneficiary, explicitly including credit card, debit card, smart card, and money transfer operations, which ensures that the 2026 Framework applies to the full spectrum of automated standing instructions.

Integration with the 2025 Authentication and Payment Aggregator Directions

The 2026 Framework derives its definitional clarity from being cross-referenced with other contemporary regulations issued by the central bank. Specifically, the framework adopts the definitions for authentication, factor of authentication, issuer, and merchant as provided in the Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025, and the Master Direction on Regulation of Payment Aggregators dated September 15, 2025. This alignment ensures regulatory harmony across the financial environment and prevents terminological contradictions.

Under the 2025 Directions, authentication is defined as the process of validating and confirming the credentials of the customer originating the payment instruction. The directions mandate at least two distinct factors of authentication for domestic digital transactions, which must be drawn from different categories such as something the user knows, something the user has, or something the user is. For digital payments other than card-present transactions, at least one of these factors must be dynamic, meaning it is unique to the transaction and verifiable in real time. The 2026 Framework incorporates these standards to ensure that no standing instruction is created without explicit, multi-factor verified consent.

Registration and Modification Protocols for Customer Autonomy

The legal lifecycle of an e-mandate begins with a mandatory one-time registration process. Clause 4 of the framework stipulates that the registration shall only be completed after the successful validation of an Additional Factor of Authentication in addition to the normal process required by the issuer. This requirement is absolute and ensures that the customer remains the sole arbiter of their payment commitments. Furthermore, the issuer is required to specify a validity period for every registered mandate and provide a facility for the customer to modify or withdraw the mandate at any point in time.

The framework supports both fixed and variable amount e-mandates, subject to an overall cap determined by the regulator. For variable e-mandates, the issuer is legally obligated to provide the customer with a facility to specify the maximum value for any single recurring transaction, which serves as a fundamental protection against unauthorized billing or overcharges. Any modification or withdrawal of an existing mandate also requires AFA validation by the issuer, followed by an immediate intimation to the customer. Additionally, customers are granted the right to choose or change their preferred mode for receiving notifications, such as SMS or email.

Transaction Processing and Tiered Authentication Thresholds

The framework distinguishes between the first transaction and subsequent recurring payments to balance security with user convenience. The first transaction under an e-mandate must always be validated through an Additional Factor of Authentication. If this initial transaction is processed contemporaneously with the mandate’s registration, the authentication for both events may be combined into a single validation step. Subsequent recurring payments are not subject to additional customer-set limits, provided they conform to the framework’s overarching transaction caps.

A tiered approach to authentication is established based on transaction values to ensure that higher-risk fund movements receive more scrutiny. Recurring transactions may be authorized without additional authentication up to a limit of fifteen thousand rupees per transaction. For transactions exceeding this threshold, the issuer must obtain fresh Additional Factor of Authentication from the customer. To facilitate essential financial services, an enhanced limit of one lakh rupees per transaction is provided for insurance premiums, mutual fund subscriptions, and credit card bill payments. Despite these exemptions, any modification to the underlying mandate still requires active customer intervention through AFA.

Transparency Standards and Notification Mandates

Transparency is enforced through rigorous notification requirements that place the burden of disclosure on the issuer. Issuers are mandated to send a pre-transaction notification to the customer at least twenty-four hours prior to the actual charge or debit. This notification must include critical details such as the merchant’s name, the transaction amount, the scheduled date and time, the e-mandate reference number, and the specific reason for the debit. A temporary exception to this requirement is granted for e-mandates registered to auto-replenish balances for FASTag and National Common Mobility Cards, where real-time processing is essential for transportation services.
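The authentication tiers and the 24-hour notification rule described above can be read as one issuer-side decision on each debit. The sketch below is an added example, not code from the RBI or any issuer; the `Debit` record, the category names and the decision labels are hypothetical, and it assumes the notice check applies only to debits after the first one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

AFA_FREE_LIMIT = 15_000      # rupees per recurring transaction
ENHANCED_LIMIT = 100_000     # one lakh rupees
ENHANCED = {"insurance_premium", "mutual_fund", "credit_card_bill"}
NOTICE_EXEMPT = {"fastag_replenish", "ncmc_replenish"}  # temporary exception
NOTICE_WINDOW = timedelta(hours=24)

@dataclass
class Debit:                 # hypothetical record, not an RBI or issuer schema
    amount: int
    category: str
    debit_at: datetime
    valid_until: datetime    # validity period set at registration
    is_first: bool = False
    notified_at: Optional[datetime] = None
    afa_validated: bool = False

def evaluate(d: Debit) -> tuple:
    """Return (decision, reason); decision is ALLOW, REQUIRE_AFA or REJECT."""
    if d.debit_at > d.valid_until:
        return "REJECT", "mandate validity period has ended"
    if d.is_first:
        # Assumption: the 24-hour notice check applies to later debits only,
        # since the first debit may coincide with registration.
        if d.afa_validated:
            return "ALLOW", "first transaction, AFA validated"
        return "REQUIRE_AFA", "first transaction under the mandate"
    if d.category not in NOTICE_EXEMPT and (
        d.notified_at is None or d.debit_at - d.notified_at < NOTICE_WINDOW
    ):
        return "REJECT", "no pre-transaction notification 24h before debit"
    limit = ENHANCED_LIMIT if d.category in ENHANCED else AFA_FREE_LIMIT
    if d.amount > limit and not d.afa_validated:
        return "REQUIRE_AFA", f"amount above the {limit} rupee limit"
    return "ALLOW", "within limit or AFA validated"

def demo():
    """Constructed sample debits; returns the decision for each."""
    t = datetime(2026, 6, 1, 10, 0)
    end = t + timedelta(days=365)
    day = t - timedelta(hours=25)
    return [evaluate(x)[0] for x in (
        Debit(15_000, "subscription", t, end, notified_at=day),
        Debit(15_001, "subscription", t, end, notified_at=day),
        Debit(90_000, "insurance_premium", t, end, notified_at=day),
        Debit(499, "subscription", t, end, notified_at=t - timedelta(hours=3)),
        Debit(500, "fastag_replenish", t, end),
    )]
```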

Beyond pre-transaction alerts, the issuer must provide an opt-out facility for any particular transaction or the entire mandate. Any such opt-out must be validated using AFA to ensure it was initiated by the account holder. Upon the successful completion of a transaction, a post-transaction notification is required, which must contain merchant details, the debited amount, and information regarding the grievance redressal mechanism. These continuous feedback loops are vital for maintaining trust and ensuring that customers can dispute unauthorized charges the moment they occur.

Dispute Resolution and Limited Liability Protections

The 2026 Framework integrates established customer protection norms regarding unauthorized transactions. Clause 9 explicitly states that the instructions on limiting the liability of customers are applicable to all recurring transactions under e-mandates. Under the existing framework, customers enjoy zero liability if an unauthorized transaction occurs due to bank negligence or deficiency. For third-party breaches where the fault lies with neither the bank nor the customer, zero liability is maintained if the transaction is reported within three working days.

If an unauthorized transaction is reported within four to seven working days, the customer’s liability is capped based on the account type, with maximum limits ranging from five thousand rupees for basic savings accounts to twenty-five thousand rupees for current accounts or credit cards with high limits. The burden of proving customer negligence, such as the sharing of credentials or passwords, lies squarely with the issuer. Furthermore, the regulator has proposed new draft guidelines to enhance protection for small-value frauds up to fifty thousand rupees, suggesting a compensation mechanism that could reimburse victims for a significant portion of their losses starting in July 2026.

Operational Constraints and Ethical Business Conduct

The framework includes specific operational prohibitions to protect the financial interests of the consumer. Clause 10 prohibits issuers from levying any charges on customers for availing the e-mandate facility for recurring transactions, ensuring that secure payment methods remain accessible without financial barriers. For the card sector, the framework allows existing e-mandates to be mapped to reissued cards, which prevents the disruption of essential services when a physical card is replaced due to expiry or damage.

Responsibility for compliance is distributed across the payment chain, with acquirers held legally accountable for ensuring that the merchants they onboard adhere to these directions. This oversight includes verifying that merchants provide the necessary opt-out facilities and adhere to the 24-hour notification window. Non-bank payment aggregators are further required to maintain customer funds in separate escrow accounts with scheduled commercial banks to prevent commingling with operational funds. These layers of accountability ensure that the entire ecosystem functions within a standardized and secure framework governed by the PSS Act.

Conclusion

The Digital Payments – E-mandate Framework, 2026, serves as a comprehensive blueprint for the future of automated transactions in India. By centralizing disparate regulations under the Payment and Settlement Systems Act, 2007, the Reserve Bank of India has provided a robust legal foundation that prioritizes consumer control and data security. The shift toward a consent-driven environment, supported by tiered authentication and mandatory transparency through pre-transaction alerts, effectively addresses the challenges of subscription management. As financial institutions align with these directives and the evolving customer liability norms, the framework ensures that India’s digital payment ecosystem remains secure, resilient, and globally benchmarked.

For a foundational understanding of authentication requirements, refer to RBI Directions, 2025 on Digital Payment Authentication, which directly informs the compliance framework discussed in the RBI digital payments e-mandate analysis for 2026.


