Policy & Regulations

RBI New E-Mandate Rules: No OTP for Recurring Payments Up To ₹15,000

8 min read
AFA = Additional Factor of Authentication (typically OTP). The ₹1 lakh exception applies only to the three specified categories — not to EMIs or other loan repayments.
TL;DR

The RBI's 2026 E-Mandate Framework consolidates eight earlier circulars into one rulebook. Recurring collections under ₹15,000 no longer need OTP per cycle. Insurance premiums, SIPs, and credit card bills get a higher ₹1 lakh no-AFA threshold. Businesses must send 24-hour pre-debit alerts, and post-debit confirmations after every collection.

As a business owner, you know how much can go wrong between a scheduled debit and a successful collection. The due date passes. Your collection team starts calling. The customer has missed the window. Again.

The RBI's 2026 e-mandate rules are designed to eliminate exactly these instances and make digital recurring payments more reliable for both businesses and customers.

On April 21, 2026, the Reserve Bank of India issued the Digital Payments — E-Mandate Framework, 2026. It is a consolidated rulebook governing how recurring auto-debit payments work across every bank, payment app, and platform in India. The directions came into effect immediately.

What Is the RBI E-Mandate Framework, 2026?

An e-mandate is the permission your customer gives to their bank or payment app to automatically debit a recurring amount from their account: an EMI, a subscription renewal, an insurance premium, or any other recurring payment.

You set up the payment once, your customer authenticates it, and from then on the collections run automatically until the mandate is cancelled.

The RBI e-mandate framework is the rulebook governing this process. Specifically, it sets out:

  • What payment instruments businesses can use to collect recurring payments
  • What obligations collecting entities have toward their customers
  • How much notice must be given before a debit is executed
  • What happens, and who is responsible, when a mandate fails or an unauthorised debit occurs

The 2026 framework consolidates eight separate circulars issued by the RBI between 2019 and 2024 into a single, comprehensive set of directions. Fragmented guidelines have been replaced by one clean framework, with a few meaningful changes introduced along the way.

Who Does the RBI E-Mandate Apply To?

The framework applies to all payment system providers and participants processing recurring transactions. If your customer pays any recurring charge through any digital payment method in India, this framework covers it.

It also covers banks, NBFCs, payment gateways, fintech platforms, and the merchants they onboard. Acquirers are specifically required to ensure that merchants on their platform comply with these directions. Compliance responsibility runs all the way down the chain.

Key Changes Introduced in the 2026 Update

The 2026 framework introduces specific, user-facing changes that affect how recurring payments are authenticated, monitored, and controlled.

  1. No AFA for collections up to ₹15,000: Recurring collections within this limit go through without per-cycle OTP authentication.
  2. The ₹1 lakh threshold: For insurance premiums, mutual fund subscriptions, and credit card bill payments, the no-AFA limit is ₹1,00,000.
  3. Mandatory 24-hour pre-debit notifications: Collecting entities must notify customers at least 24 hours before every debit, with full transaction details and an opt-out facility.
  4. Mandatory post-debit confirmations: Every successful collection must be followed by a confirmation alert to the customer.
  5. Zero charges: The e-mandate facility comes at no cost to either business or customer.
  6. Mandate continuity on card reissuance: If a customer's card is reissued, existing mandates carry over automatically.
  7. Standardised liability protection: RBI's existing rules on limiting liability for unauthorised transactions now explicitly extend to e-mandate payments.

The ₹15,000 No-OTP Rule

This is the headline change in the 2026 framework.

The first transaction under any new mandate always requires AFA. But for every subsequent recurring transaction, the rules now work like this:

  1. Recurring payments up to ₹15,000 per transaction go through automatically, without requiring a fresh OTP each cycle.
  2. Payments above ₹15,000 will continue to require authentication every time. The only exception is the ₹1 lakh threshold, which covers three specific payment categories explained below.

In practice: if you're collecting a ₹5,000 monthly subscription fee, a ₹8,000 EMI instalment, or a ₹12,000 recurring vendor payment, once the mandate is registered, these collections will go through automatically without authentication failures or manual intervention.

The ₹1 Lakh Limit for Insurance, SIPs, and Credit Card Bills

The RBI has carved out a higher threshold for three specific categories of recurring payments:

  • Insurance premiums
  • Mutual fund subscriptions
  • Credit card bill payments

For these three categories, the no-AFA limit is ₹1,00,000 per transaction. Insurance premiums for term life or health cover, SIP instalments, and credit card full-bill payments routinely run above ₹15,000 per cycle. The ₹1 lakh threshold removes the per-cycle OTP requirement for these categories only.

EMI collections above ₹15,000 are not covered by this exception. Loan repayments above ₹15,000 per cycle continue to require OTP each time.

Running mandate-based collections above ₹15,000?

RocketPay handles per-cycle AFA automatically. No manual follow-up, no missed debits. Built for NBFCs and lenders.

Book a Demo →

Mandatory Pre-Debit Notifications

The framework places compliance accountability on acquirers and the merchants they onboard. As a business collecting recurring payments, you are required to send customers a notification at least 24 hours before every debit.

The pre-debit notice must contain:

  • Merchant's name
  • Transaction amount
  • Date and time of debit
  • Mandate reference number
  • Reason for debit

Additionally, the notification must include an option to opt out of that specific transaction or withdraw the mandate entirely. If a customer opts out, the debit is immediately stopped. The mandate itself remains active for future cycles unless explicitly withdrawn.

Mandate withdrawal stops the automatic collection. The underlying debt remains. A borrower who cancels a mandate still owes the money, and lenders can pursue recovery through other means.

Post-Debit Confirmations

After every debit under an RBI e-mandate, businesses must send a post-transaction notification to their customers. The notification must contain:

  • Merchant's name
  • Amount debited
  • Date and time of debit
  • Transaction reference number
  • Mandate reference number
  • Reason for debit
  • Grievance redressal details

As a business, this documented trail works in your favour too. Every post-debit confirmation creates a verified record of the collection, reducing the time and effort involved in resolving payment disputes.

Charges for E-Mandate Services

The framework is explicit: no charges can be levied on the customer for using the e-mandate facility for recurring transactions.

For businesses, the RBI has deregulated service charges levied by sponsor banks on user institutions. While processing charges for ECS were previously waived, sponsor banks may now charge businesses fees for infrastructure setup. Payment gateways or acquiring banks may charge a small per-transaction processing fee for managing e-mandates. Some banks also charge a one-time validation fee for creating a new mandate, typically between ₹50 and ₹200. This varies by bank.

How Auto-Payment Registration Works Under the New Framework

The registration process for auto-payments under the 2026 framework remains consistent with earlier rules. Before any recurring auto-debit can begin, your customer must complete a one-time registration. The mandate activates only after a successful AFA (typically an OTP), along with the issuer's standard verification process.

As the collecting entity, you initiate registration by sending the customer a mandate request. They authenticate it, and from that point, collections run automatically within the agreed terms.

What These Changes Mean for Your Business

In practice, this is what changes for lenders and businesses:

  • Subscriptions and recurring payments under ₹15,000 go through automatically, with no per-cycle OTP needed.
  • Insurance premiums, SIPs, and credit card bill payments up to ₹1,00,000 also go through without per-cycle AFA.
  • EMI collections above ₹15,000 continue to require per-cycle authentication.
  • Pre-debit and post-debit notifications are mandatory compliance requirements, not optional communications.

Conclusion

Most businesses running mandate-based collections factor in a certain percentage of failed payments into their monthly P&L, due to multiple reasons.

The 2026 RBI e-mandate framework addresses these gaps directly. Fewer authentication failures, fewer disputes through mandatory payment reminders, and a documented trail for every transaction. The framework also gives businesses standardised liability protection when something goes wrong.

For businesses managing recurring collections, the practical outcome is straightforward. Payments that should run automatically will now actually do so, with fewer failures, fewer delays, and a clear compliance structure behind every transaction.

Quick recap
Five things to remember about the 2026 e-mandate rules
  1. Recurring collections under ₹15,000 no longer require OTP per cycle. Only the first mandate registration does.
  2. The ₹1 lakh no-AFA exception covers only insurance premiums, SIPs, and credit card bills. EMIs are not included.
  3. The 24-hour pre-debit notification with an opt-out option is a mandatory compliance requirement, not a courtesy.
  4. Post-debit confirmations must be sent after every automated collection. They also protect you in disputes.
  5. E-mandate is free for customers. Businesses may pay per-transaction processing fees depending on their payment partner.

Ready to automate your recurring collections?

Go live with eNACH + UPI Autopay in 48 hours. Pre-integrated with NPCI, 30+ banks live, 92%+ mandate success rate.

Book a Demo →

Frequently asked questions

Common questions on the RBI 2026 E-Mandate Framework and recurring collections compliance.

Is the business or the payment aggregator responsible for e-mandate compliance?
Both parties are equally responsible. The acquirer or payment aggregator must ensure that the merchants they onboard comply with these directions. Collecting entities are directly obligated to send mandate notifications, opt-out facilities, and grievance redressal details before and after every payment is debited.
For collections under ₹15,000 per transaction, subsequent recurring debits go through automatically without fresh authentication each cycle. This directly reduces the number of failed collections caused by missed OTPs.
Insurance premium collections, mutual fund subscription debits, and credit card bill payments can be processed without AFA for amounts up to ₹1,00,000 per transaction. EMI collections above ₹15,000 are not in this category. They continue to require AFA per cycle.
You must send customers a notification at least 24 hours before every debit. The notification must include the merchant name, transaction amount, date and time of debit, mandate reference number, and reason for debit, along with an option to cancel that specific transaction or withdraw the mandate entirely.
The specific transaction is blocked immediately. The mandate remains active for future cycles unless the customer explicitly withdraws it. The opt-out stops the automatic debit but does not cancel the debt. The customer still owes the amount. Your collections workflow should account for opt-outs each cycle, since a failed debit due to opt-out is distinct from a technical collection failure.
Yes. After every automated debit, issuers must send a confirmation containing the merchant's name, amount debited, date and time, transaction and mandate reference numbers, reason for debit, and grievance redressal details.
Yes. The framework applies to all recurring transactions, including domestic and cross-border transactions processed through cards, UPI, and prepaid payment instruments.
Existing mandates can be automatically mapped to the reissued card. This eliminates a common source of collection failures where a card changes due to expiry, loss, or replacement.
The RBI's existing instructions on limiting customer liability for unauthorised transactions extend to e-mandate payments. If a customer reports an unauthorised debit promptly, the liability framework requires the issuer to address it. As the collecting entity, having a robust grievance redressal mechanism in place protects you from disputes.
Topics
eNACH RBI Regulations Recurring Payments E-Mandate Mandate Compliance NPCI

Keep reading

More on Policy & Regulations →
eNACH
eNACH: Meaning, Registration Process, Benefits and Features
Everything you need to know about India's digital mandate system — how it works, how to register, and why it's become the default for recurring payments.
12 Apr 2026 · 11 min read
Payments
UPI Autopay vs eNACH: which should you use in 2026?
A head-to-head on mandate success rates, use-case fit, and the operational trade-offs for lenders.
08 Apr 2026 · 8 min read
Collections
Why mandate approval rates drop in Q4 (and how to fix it)
Seasonal patterns in mandate success, and three configuration changes we recommend for Q4.
15 Mar 2026 · 7 min read

Let's build your collections infrastructure.

Mandate-based collections and device locking — pre-integrated with NPCI, 30+ banks live. Go live in 48 hours.

Book a Demo View All Articles