In a crucial move to enhance the security and integrity of the Aadhaar Enabled Payment System (AePS), the Reserve Bank of India (RBI) has issued fresh guidelines to regulate the onboarding and operations of AePS Touchpoint Operators (ATOs). The new norms, aimed at curbing fraud and improving risk management, will come into force from January 1, 2026.
These guidelines hold special relevance for Urban Cooperative Banks, State Cooperative Banks, and District Central Cooperative Banks, which play a significant role in extending financial services to underserved regions.
AePS, managed by the National Payments Corporation of India (NPCI), allows banking transactions through Aadhaar-based biometric or OTP authentication. However, the increasing number of frauds involving identity theft and misuse of customer credentials has raised concerns about system vulnerability.
Under the new directive, cooperative banks acquiring AePS services must ensure comprehensive Customer Due Diligence (CDD) before onboarding ATOs. While existing KYC of Business Correspondents or sub-agents may be accepted, banks must ensure periodic updates of such information.
Significantly, if an ATO remains inactive for three consecutive months, without performing any transactions, the bank must carry out fresh KYC verification before reactivating them. This is expected to reduce misuse of dormant AePS terminals.
RBI has also instructed cooperative banks to adopt robust transaction monitoring systems, analyzing operator activity based on location, transaction volume, type of touchpoint, and velocity. These parameters must be reviewed regularly to align with emerging fraud patterns.
Further, banks must implement strict API controls, ensuring all integrations are used solely for AePS functions.
Issued under the Payment and Settlement Systems Act, 2007, these guidelines aim to fortify the digital infrastructure of cooperative banks and reinforce public confidence in secure, Aadhaar-linked financial services.
