Get in Touch
2026-06-19

UPI Autopay and Recurring Payments: Compliance Checklist Under RBI’s E-Mandate Framework 2026

Introduction

If you have ever had a subscription auto-renew unexpectedly, a streaming service quietly debit your account, or an EMI go through without any warning, you have experienced the gap that India’s e-mandate framework was supposed to fill. That gap is now being closed.

On April 21, 2026, the Reserve Bank of India issued the Digital Payments E-Mandate Framework, 2026, exercising its powers under Sections 10(2) read with Section 18 of the Payment and Settlement Systems Act, 2007. The framework, effective immediately, consolidates eight separate circulars issued between 2019 and 2024 into a single, unified set of directions governing recurring transactions processed through cards, Prepaid Payment Instruments (PPIs), and UPI.

This is not merely a housekeeping exercise. The 2026 Framework introduces material changes to how e-mandates are registered, processed, modified, and communicated, with direct compliance obligations for issuers, acquirers, and merchants. For

The Old Framework: Eight Circulars, One Problem

India’s regulatory architecture for e-mandates evolved incrementally. Between 2019 and 2024, the RBI issued eight separate circulars attempting to standardise recurring digital payments:

  1. August 2019: Framework for e-mandates on cards for recurring transactions.
  2. January 2020: Extension to UPI-based recurring transactions.
  3. December 2020: Consolidation attempt covering recurring transactions broadly.
  4. March 2021: Master framework for recurring online transactions.
  5. October 2021: Clarification to IBA on recurring transaction processing.
  6. June 2022: Further amendments to the processing framework.
  7. December 2023: Additional modifications.
  8. August 2024: Most recent update before the 2026 Framework.

Each circular was built on the last, correcting deficiencies, adding exemptions, and responding to industry feedback. The result was a patchwork. Compliance teams at payment aggregators had to read across multiple documents to determine their obligations. Issuers interpreted the stack differently. Merchants operated with limited guidance on what their acquirers expected of them.

What is an E-Mandate

An e-mandate is a standing instruction given by a customer to an issuer (a bank or card provider) authorizing recurring debits from their account or instrument in favour of a merchant. Common examples include subscription payments for streaming platforms, SIP instalments for mutual funds, insurance premium auto-payments, utility bill debits, and loan EMI processing.

Under the 2026 Framework, e-mandates apply to recurring transactions processed through cards, PPIs, and UPI, covering both domestic and cross-border transactions. The mandate is registered once and then governs subsequent periodic debits without requiring the customer to authenticate each individual transaction, subject to the limits and controls described below.

Key Changes Under the 2026 Framework

The Key changes under the framework are as follows:

  1. Unified Registration and Revocation: Registration of an e-mandate now requires one-time authentication using an Additional Factor of Authentication (AFA), in addition to the issuer’s normal processes. Every mandate must specify a validity period, and the issuer is required to give the customer a facility to modify that validity period or withdraw the mandate at any point. Critically, any modification or withdrawal of an existing mandate also requires AFA validation. This closes the earlier gap where mandates could be altered or revoked without adequate authentication.
  2. Mandatory 24-Hour Pre-Transaction Notification: This is the most consequential change for end consumers. Every issuer must now send a pre-transaction notification to the customer at least 24 hours before any debit occurs. At a minimum, this notification must disclose:
  • The merchant’s name
  • The transaction amounts
  • The date and time of the debit
  • The reference number of the e-mandate
  • The reason for the debit, i.e., that an e-mandate registered by the customer is being executed
  1. Post-Transaction Notification: Following each debit, the issuer must send a post-transaction notification covering the merchant’s name, transaction amount, date and time of debit, reference numbers for both the transaction and the e-mandate, reason for debit, and, crucially, details of the issuer’s grievance redressal mechanism. The inclusion of grievance redressal information in the post-transaction notification is a new addition under the 2026 Framework, introduced based on regulatory feedback.
  2. Customer Control Over Variable Mandates: Where an e-mandate is for a variable amount, as opposed to a fixed recurring charge, the issuer must now provide the customer with a facility to specify the maximum value of any individual recurring transaction. This is a meaningful consumer protection measure: it prevents merchants from debiting amounts beyond what a customer has authorised as their ceiling, without requiring the customer to cancel the mandate entirely.
  3. Transaction Limits and AFA Requirements: The 2026 Framework rationalizes the transaction limit structure:
  • Recurring transactions up to Rs. 15,000 per transaction may be processed without AFA.
  • Recurring transactions above Rs. 15,000 are subject to AFA.
  • Payment of insurance premiums, subscription to mutual funds, and credit card bill payments may be processed without AFA up to Rs. 1,00,000 per transaction.
  1. Reissued Card Mapping: Existing e-mandates can now be mapped to reissued cards. This addresses a longstanding operational friction: when a bank reissued a card to a customer, whether due to expiry, loss, or fraud, the customer’s existing mandates would often lapse, requiring re-registration with each merchant. The 2026 Framework expressly permits issuers to carry forward existing mandates to the reissued card, significantly reducing disruption to recurring payment arrangements.
  1. No Charges to Customers: No charges shall be levied to the customer for availing the e-mandate facility for recurring transactions. This is a codified protection, ensuring that the convenience of autopay is not monetized against the very customer it is meant to serve.
Compliance Obligations: Who Does What

The 2026 Framework distributes compliance obligations clearly across the payment chain.

  1. Issuers (Banks and Card Providers): Bear the primary operational burden. They must implement the pre-transaction and post-transaction notification systems, provide AFA-validated modification and opt-out facilities, maintain the mandate registry with validity periods, and offer customers control over variable mandate caps. Issuers are also responsible for mapping mandates to reissued cards.
  2. Acquirers: The 2026 Framework imposes an express obligation on acquirers to ensure that the merchants they have onboarded comply with these directions. This is a significant development. Under the previous framework, the accountability chain between acquirers and merchants was not clearly articulated. Acquirers who fail to exercise adequate oversight of merchant compliance are now squarely within the regulatory crosshairs.
  3. Merchants: Must operate within the mandate parameters registered by the customer. For variable mandates, merchants cannot debit amounts exceeding the cap set by the customer. Merchants must also cooperate with acquirers to ensure compliant mandate registration and processing flows.
What Payment Aggregators and Fintechs Must Do Now

The 2026 Framework took effect immediately on April 21, 2026. There is no transition period. Entities that have not already aligned their systems and merchant agreements to the new framework are technically non-compliant. The following steps are critical:

  1. Audit merchant onboarding agreements to ensure they reflect the 2026 Framework’s requirements, including variable mandate caps and pre-notification obligations.
  2. Review and update merchant contracts to include express compliance obligations aligned with the new directions, with consequences for non-compliance.
  3. Build or upgrade pre-debit notification infrastructure to ensure 24-hour advance notification capability across all recurring transaction channels.
  4. Implement AFA-validated opt-out mechanisms accessible to customers via SMS, email, or other preferred channels registered at the time of mandate creation.
  5. Review grievance redressal processes to ensure they are disclosed in post-transaction notifications and are operationally functional for recurring transaction disputes.
  6. Coordinate with issuer partners on reissued card mapping protocols to eliminate mandate lapsing on card reissuance.
  7. Train compliance and operations teams on the unified framework, retiring reliance on the eight now-repealed circulars.
AMLEGALS Remarks

The Digital Payments E-Mandate Framework, 2026, reflects a deliberate regulatory philosophy that consent must be informed, ongoing, and revocable. The RBI has moved from a model where customers were largely passive recipients of autopay debits to one where they have real-time visibility, meaningful control, and a clear remedial path when things go wrong. For the fintech ecosystem, the framework represents both a compliance obligation and an opportunity.

Platforms that invest in transparent pre-notification systems, robust opt-out mechanisms, and customer-centric mandate management will build deeper trust in their recurring payment offerings. Those that treat the framework as a box-ticking exercise risk regulatory action and, more consequentially, customer attrition.

For any queries or feedback, feel free to connect with Dhwani.tandon@amlegals.com or Mayur.punjabi@amlegals.com

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

 

Disclaimer & Confirmation

As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:

    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.

However, the user is advised to confirm the veracity of the same from independent and expert sources.

I Agree I Disagree