
In recent times, there have been reports of fraud perpetrated through the Aadhaar Enabled Payment System (AePS) due to identity theft or compromise of customer credentials. To protect bank customers from such frauds and to maintain trust and confidence in the safety and security of the system, the Reserve Bank of India has issued directions for streamlining the process for onboarding of AePS touchpoint operators and strengthening fraud risk management. These guidelines will come into effect from January 1, 2026.
As per the latest RBI guidelines, the acquiring bank must conduct thorough due diligence on all AePS Touchpoint Operators (ATOs) before onboarding, following the procedures outlined in Master Direction – Know Your Customer (KYC) Direction, 2016, as updated by the RBI from time to time. If the ATO has already undergone due diligence as a Business Correspondent or sub-agent, the same verification may be used. Banks are also required to periodically update the KYC records of all ATOs.
In cases where an ATO has been inactive (that is, it has not performed any financial or non-financial transaction for a customer for a continuous period of three months), the acquiring bank must perform fresh KYC verification before re-enabling the operator for transactions.
Risk Management
The acquiring bank must monitor the activities of ATOs through its transaction monitoring systems on an ongoing basis and set operational parameters based on the business risk profile of the ATOs. Aspects such as the location and type of the ATO and the volume and velocity of transactions must be part of the bank’s fraud risk management framework. The operational parameters regarding ATOs must be reviewed on a periodic basis, reflecting emerging fraud trends.