In a move aimed at curbing identity fraud and enhancing security in Aadhaar-based banking transactions, the Reserve Bank of India (RBI) has introduced a fresh compliance framework for Aadhaar Enabled Payment System (AePS) operators. The new norms, issued via a circular on 27 June 2025, will come into effect from 1 January 2026.
Under the new guidelines, banks must carry out full KYC and risk assessment of AePS Touchpoint Operators (ATOs), the agents responsible for delivering last-mile Aadhaar-based financial services. The directive comes amid rising concerns around biometric spoofing and unauthorised withdrawals, particularly in rural and semi-urban regions.
Mandatory KYC and Periodic Revalidation
According to the RBI, acquiring banks (those that onboard AePS agents) are now required to conduct complete KYC verification of all ATOs as per the Master Direction on KYC, 2016. If an ATO is already engaged as a Business Correspondent or sub-agent, existing KYC records may be used after due verification.
In addition, ATOs who remain inactive for three consecutive months, performing neither financial nor non-financial transactions, must undergo fresh KYC verification prior to reactivation.
Stronger Risk Monitoring and System Controls
Apart from KYC, banks must also implement real-time surveillance mechanisms to monitor AePS agent activity. This includes setting risk-based operating limits based on transaction size, geography, and volume.
Banks are also expected to ensure that all technological integrations (such as APIs) used for AePS delivery are restricted to core AePS functions and do not support ancillary or unregulated services. RBI has directed that these controls be regularly updated to reflect evolving fraud trends.
Implications Across the Ecosystem
The directive significantly raises the compliance bar for banks, fintechs and AePS platform providers:
- Banks will need to revisit AePS agent onboarding processes, review contractual terms with BCs and enhance internal monitoring capabilities.
- Fintech partners and white-label AePS integrators are expected to align their systems, training and onboarding workflows with the revised RBI framework. Lapses in fraud detection or misuse of APIs could lead to regulatory repercussions.
- Compliance officers and legal teams must ensure that provisions under the Payment and Settlement Systems Act, the KYC Master Direction and the Aadhaar Act are uniformly implemented across AePS operations.
Background and Policy Context
AePS, which allows interoperable banking using an Aadhaar number and biometric authentication, has seen sharp growth in recent years, particularly for DBT-linked cash withdrawals. However, the system has also become a target for fraudsters using spoofed fingerprints and cloned Aadhaar credentials.
In its February 2024 policy statement, the RBI had flagged security vulnerabilities in AePS and indicated that further guardrails would be introduced. The June 2025 circular is seen as a formal execution of that policy roadmap.
Looking Ahead
With the compliance deadline set for 1 January 2026, regulated entities have less than six months to adapt. Industry experts say the move will lead to improved consumer protection but could initially slow down agent onboarding in low-literacy geographies.
The RBI has not issued penalties or enforcement mechanisms as yet, but the compliance framework underscores the regulator’s intent to bring agent-based Aadhaar banking on par with mainstream digital channels in terms of KYC, monitoring, and security.