RBI Publishes Directions for Due Diligence of Aadhaar Enabled Payment System Touchpoint Operators

The Reserve Bank of India (RBI) has recently issued directions vide notification dated June 27, 2025, for due diligence of Aadhaar Enabled Payment System (AePS) touchpoint operators in order to streamline the process for onboarding AePS touchpoint operations and strengthening fraud risk management (AePS Directions). These directions shall come into effect from January 1, 2026.

The AePS Directions have been issued in light of recent reports of fraud perpetuated through AePS due to identity theft or compromise of customer credentials.

The key aspects of the AePS Directions, include inter alia the following:

• Key Definitions: The key definitions include inter alia the following:
• AePS: It is a payment system in which transactions are enabled through Aadhaar number and biometrics or OTP authentication providing financial services such as cash withdrawal, cash deposit, fund transfer, and non-financial services such as mini statement and balance enquiry; and
• AePS Touchpoint:The terminal deployed by acquirer banks to facilitate AePS transactions, which shall include both mobile and fixed points.

• Due Diligence of AePS Touchpoint Operators (ATOs)
  The acquiring bank shall carry out due diligence of all ATOs before onboarding them, adopting the same process as indicated in the customer due diligence procedure for individuals, stipulated in the Master Direction – Know Your Customer Direction 2016. However, if the due diligence of ATOs has already been done in their capacity as business correspondent / sub-agent, then the same may be adopted. The acquiring bank shall also carry out periodic updation of KYC of ATOs. Further,, in cases where an ATO has remained inactive, i.e. has not performed any financial / non-financial transaction for a customer for a continuous period of three months, acquiring bank shall carry out KYC of ATO before enabling him / her to transact further.

• Risk Management by the Acquiring Bank
  The acquiring bank shall monitor the activities of ATOs through their transaction monitoring systems on an ongoing basis and set operational parameters, based on the business risk profile of the ATOs. Aspects such as location and type of the ATO, volume and velocity of transactions, etc. shall form part of bank’s fraud risk management framework. The operational parameters regarding ATOs shall be reviewed on a periodic basis, reflecting emerging fraud trends. Further, the acquiring bank shall put in place adequate system level controls to ensure that any technological integrations like APIs are used only for enabling AePS operations.

For more details, kindly refer to the AePS Directions notified by the RBI, available by clicking on this link.