RBI Announces Stricter AePS Rules to Strengthen KYC and Curb Fraud from January 2026


The Reserve Bank of India (RBI) has issued new guidelines to enhance the security framework of the Aadhaar-enabled Payment System (AePS). Effective from January 1, 2026, these rules aim to combat growing fraud risks by mandating robust KYC compliance, operator verification, and real-time monitoring of banking touchpoints.


- To prevent identity theft and fraud in Aadhaar-enabled financial services, the RBI has mandated that all AePS Touchpoint Operators (ATOs), including Bank Mitras and BC agents, undergo full Know Your Customer (KYC) and Customer Due Diligence (CDD) checks before being onboarded. Acquiring banks must comply with the KYC norms notified under the 2016 RBI Master Direction, thereby standardizing identity verification practices across rural and semi-urban financial networks.

- Operators who remain inactive for three consecutive months will be required to complete fresh KYC verification before resuming AePS services. This policy is designed to prevent misuse of dormant IDs and to tighten control over non-operational agents, which has been a major loophole exploited in previous fraudulent transactions. It will ensure only actively monitored agents continue service delivery.

- RBI has also clarified that each AePS operator may be associated with only one acquiring bank. This move prevents multiple registrations under different banking partners, thereby simplifying audit trails and reducing duplication of operator identities. It improves transparency in the system and allows banks to implement focused supervision on each registered operator.

Main Points:

(i) In addition to onboarding compliance, acquiring banks are directed to establish risk-based transaction monitoring systems. These systems must include transaction limits based on the agent’s risk profile, geographic location, and operational history. Real-time alerts and regular review of activity thresholds will enable banks to flag suspicious patterns and prevent large-scale frauds.

(ii) RBI has also called for strong technical and API safeguards, including access controls and endpoint monitoring. APIs used for AePS must be isolated from other core banking operations and used strictly for permitted activities. These measures follow a surge in AePS-related cyber frauds, which contributed to over 11% of India’s financial cybercrime in 2023.

(iii) These reforms, issued under the Payment and Settlement Systems Act, 2007, reflect RBI’s proactive approach in securing digital payment infrastructure. With over 1,100 crore AePS transactions annually, particularly in rural India, the 2026 guidelines aim to restore trust in Aadhaar-linked banking by making it safer, more transparent, and accountable.

About RBI

Governor : Sanjay Malhotra
Headquarters : Mumbai