The Reserve Bank of India (RBI), through circular RBI/2025-26/63 dated June 27, 2025, has issued new directions to enhance security and fraud risk management within the Aadhaar Enabled Payment System (AePS). The move follows reports of fraud involving identity theft and misuse of customer credentials in AePS transactions. These directions focus on due diligence and risk oversight of AePS Touchpoint Operators (ATOs), individuals who facilitate transactions using Aadhaar authentication at designated points.

Banks onboarding ATOs are now required to follow the Customer Due Diligence (CDD) procedure as per RBI’s KYC guidelines. If the ATO has already undergone CDD as a Business Correspondent or sub-agent, that record may be used. Inactive ATOs, with no transactions for three consecutive months, must undergo a fresh KYC process before resuming operations.

Additionally, acquiring banks must continuously monitor ATO activity using risk-based parameters such as transaction volume and location. Operational guidelines must be reviewed regularly to align with evolving fraud patterns. Technological integrations like APIs must be strictly limited to AePS-related functions. These directions are issued under the Payment and Settlement Systems Act, 2007 and will take effect from January 1, 2026.
Reserve Bank of India
Date : Jun 27, 2025
RBI issues directions on Due Diligence of Aadhaar Enabled Payment System (AePS) Touchpoint Operators
The Reserve Bank of India (RBI) has today issued Reserve Bank of India [Aadhaar Enabled Payment System (AePS) – Due Diligence of AePS Touchpoint Operators] Directions, 2025.
RBI had issued draft directions on due diligence of AePS on Bank’s website on July 31, 2024, for stakeholder comments. The draft directions introduced the concept of AePS Touchpoint Operator (ATO) and aimed at streamlining the process for onboarding of ATOs by acquiring banks.
Feedback received on the draft has been examined and suitably incorporated in the final directions. The Directions, inter alia, cover the following:
- Due diligence requirements applicable to ATOs
- Risk Management instructions governing the activities of ATOs
These directions shall come into effect from January 01, 2026.
(Puneet Pancholy)
Chief General Manager
Press Release: 2025-2026/619
Aadhaar Enabled Payment System – Due Diligence of AePS Touchpoint Operators
RBI/2025-26/63
CO.DPSS.POLC.No.S339/02-01-001/2025-2026 Dated: June 27, 2025
The Chairman / Managing Director / Chief Executive
All Scheduled Commercial Banks including RRBs /
Urban Cooperative Banks / State Cooperative Banks / District Central Cooperative Banks / National Payments Corporation of India (NPCI)
Madam / Dear Sir,
Aadhaar Enabled Payment System – Due Diligence of AePS Touchpoint Operators
Aadhaar Enabled Payment System (AePS) is a payment system operated by National Payments Corporation of India (NPCI) that facilitates interoperable transactions using Aadhaar enabled authentication. AePS plays a prominent role in enabling financial inclusion.
2. In recent times, there have been reports of frauds perpetrated through AePS due to identity theft or compromise of customer credentials. To protect bank customers from such frauds, and to maintain trust and confidence in the safety and security of the system, a need is felt to enhance the robustness of AePS. Accordingly, as announced in Statement on Developmental and Regulatory Policies dated February 08, 2024, it has been decided to issue directions for streamlining the process for onboarding of AePS touchpoint operators and strengthening fraud risk management. Detailed instructions are placed in the Annex.
3. These directions are issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems (PSS) Act, 2007 (Act 51 of 2007) and shall come into effect from January 01, 2026.
Yours faithfully,
(Gunveer Singh)
Chief General Manager-in-Charge
Encl.: Annex
Annex
CO.DPSS.POLC.No.S339/02-01-001/2025-2026
June 27, 2025
Aadhaar Enabled Payment System – Due Diligence of AePS Touchpoint Operators
1. Definitions
I. In these directions, the terms herein shall bear the meanings assigned to them below:
a. Aadhaar Enabled Payment System (AePS): It is a Payment System in which transactions are enabled through Aadhaar number and biometrics or OTP authentication providing financial services such as cash withdrawal, cash deposit, fund transfer, and non-financial services such as mini statement and balance enquiry, etc.
b. Acquiring bank: The bank which onboards the AePS touchpoint operators.
c. AePS Touchpoint: The terminal deployed by acquirer banks to facilitate AePS transactions, which shall include both mobile and fixed points.
d. AePS Touchpoint Operator (ATO): The individual onboarded by the acquiring bank who operates the AePS touchpoint.
II. Terms pertaining to Aadhaar, Aadhaar biometric authentication, etc., shall have the same meaning as assigned to them in the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016), and the rules made thereunder.
III. Words and expressions used but not defined in I and II above and defined in the Payment and Settlement Systems Act, 2007 shall have the meanings assigned to them in that Act.
2. Due diligence of AePS Touchpoint Operators
2.1 The acquiring bank shall carry out due diligence of all ATOs before onboarding them, adopting the same process as indicated in the Customer Due Diligence procedure for individuals, stipulated in paragraph 16 of Part-I, Chapter-VI of the Master Direction – Know Your Customer Direction, 2016 (as updated from time to time), issued by the Reserve Bank. However, if the due diligence of ATOs has already been done in their capacity as Business Correspondent / sub-agent, then the same may be adopted. The acquiring bank shall also carry out periodic updation of KYC of ATOs.
2.2 In cases where an ATO has remained inactive, i.e. has not performed any financial / non-financial transaction for a customer for a continuous period of three months, acquiring bank shall carry out KYC of ATO before enabling him / her to transact further.
3. Risk Management
3.1 The acquiring bank shall monitor the activities of ATOs through their transaction monitoring systems on an ongoing basis and set operational parameters, based on business risk profile of the ATOs. Aspects such as location and type of the ATO, volume and velocity of transactions, etc. shall form part of bank’s fraud risk management framework.
3.2 The operational parameters regarding ATOs shall be reviewed on a periodic basis, reflecting emerging fraud trends.
3.3 The acquiring bank shall put in place adequate system level controls to ensure that any technological integrations like APIs are used only for enabling AePS operations.
