1. Introduction
The Reserve Bank of India ("RBI") has issued Directions titled 'Aadhaar Enabled Payment System – Due Diligence of AePS Touchpoint Operators' ("Directions"), which are set to come into force from January 01, 2026. The Directions mandate banks and authorised entities to strengthen onboarding procedures, conduct enhanced due diligence and implement fraud risk controls for Aadhaar Enabled Payment System ("AePS") operators.
2. Applicability
These Directions apply to all Scheduled Commercial Banks, including Regional Rural Banks, Urban Cooperative Banks, State Cooperative Banks, District Central Cooperative Banks and the National Payments Corporation of India (NPCI). The Directions specifically govern the activities of Acquiring Banks and AePS Touchpoint Operators ("ATOs"). The Directions are issued under Section 18, read with Section 10(2), of the Payment and Settlement Systems Act, 2007.
3. Key aspects of the New Directions include:
3.1. Definition of AePS Touchpoint Operators
The Directions define an ATO as an individual onboarded by the acquiring bank who operates an AePS touchpoint. An AePS touchpoint is a terminal deployed by the acquirer banks to facilitate AePS transactions, and includes both mobile and fixed points. Before this, the individuals or agents enabling AePS transactions were generally Business Correspondents ("BCs") or sub-agents.
The concept of 'BCs' can be traced back to the RBI Guidelines, 2006. As per the RBI Guidelines, 2010, BCs are individuals/entities (such as NGOs, MFIs, Post Offices, etc., excluding NBFCs) engaged by banks for providing banking services at a location other than a bank branch/ATM.
The Directions do not restrict ATOs to being employees or independent agents of the bank; therefore, an ATO can be a BC or sub-agent, so long as they meet the due diligence and KYC requirements.
3.2. Mandatory Due Diligence and KYC for ATOs
The Directions mandate acquiring banks to conduct full KYC due diligence of ATOs as per RBI's Master Direction - Know Your Customer Direction, 2016. Where due diligence has previously been completed for ATOs in their role as Business Correspondent/sub-agent, the same verification can be adopted. The onus is on the acquiring bank to carry out periodic updation of KYC of ATOs. In the event that an ATO has been inactive for three consecutive months without performing any financial / non-financial transactions for a customer, the acquiring bank must re-verify their KYC before allowing them to operate transactions further.
3.3. Enhanced Monitoring and Risk Management
It is mandatory for acquiring banks to monitor the ongoing activities of ATOs via a transaction monitoring system, setting operational parameters according to the risk profile of the ATOs. The bank's fraud risk management framework comprises factors such as location and type of the ATO, volume and velocity of transactions, etc. These parameters must be periodically reviewed in light of emerging fraud trends. Further, the Directions call for acquiring banks to mandatorily implement adequate system-level controls to ensure that any technological integrations like APIs are used only for enabling AePS operations.
4. Key Takeaway
The Directions mark a decisive shift in how digital financial infrastructure is regulated, monitored, and trusted. Banks and other implementing bodies must assess their dependencies on AePS rails and ensure compliance alignment. The Directions will impact the existing arrangements of banks and other implementing bodies, as they will need to upgrade their real-time intelligent monitoring systems and review fraud risk frameworks based on factors such as location and transaction volume caps. The Directions establish a much-needed accountability framework for AePS operations, enhancing security and trust in the system.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.