The NPCI AEPS guidelines are the operating and security rules for Aadhaar Enabled Payment System transactions, set by the National Payments Corporation of India (NPCI) and reinforced by the Reserve Bank of India. The change that matters most right now is RBI’s June 2025 direction requiring acquiring banks to run full due diligence on every AEPS touchpoint operator from January 1, 2026.
For a compliance or risk owner at a bank, that single sentence rewrites a workflow. The person who authenticates a villager’s withdrawal at a kirana-shop micro-ATM is no longer a loosely managed agent. Under the NPCI guidelines for AEPS and the RBI direction that sits on top of them, that operator is now a party your bank must verify, monitor, and periodically re-verify to the same standard you apply to an individual customer.

What Is AEPS and Why the Guidelines Changed
AEPS lets a person bank with nothing but their Aadhaar number and a fingerprint. It was built to reach the parts of India that branches and cards never did, and it works. It also created a new attack surface: a network of human operators holding biometric readers in places the bank cannot see. That tension between reach and control is why the rules changed.
AEPS Full Form and How It Works
AEPS, or Aadhaar Enabled Payment System, is NPCI’s rail for Aadhaar-authenticated banking. A customer walks up to a business correspondent, states their bank, gives their Aadhaar number, and places a finger on a scanner. That authenticates the transaction against the Aadhaar database and the linked account, the same identity rail that powers Aadhaar-based eKYC.
The rail supports cash withdrawal, cash deposit, balance enquiry, mini statement, and Aadhaar-to-Aadhaar fund transfer. Four inputs drive every transaction: the bank identifier, the Aadhaar number, the transaction type, and the biometric. No card, no PIN, no smartphone required, which is exactly what makes AEPS the backbone of last-mile financial inclusion.
Why NPCI and RBI Tightened AEPS Rules
The biometric that makes AEPS frictionless is also the thing fraudsters learned to game. Reports of identity theft and compromised customer credentials, where cloned fingerprints or harvested Aadhaar data drained accounts through complicit or careless operators, pushed the regulator to act. RBI issued its direction (RBI/2025-26/63) on June 27, 2025, explicitly citing fraud through identity theft in the AEPS ecosystem.
The stated aim is not to slow AEPS down. It is to keep trust in the rail intact so that financial inclusion does not collapse under the weight of fraud losses. When a first-time digital banking customer in a tier-3 town loses money to a fake withdrawal, the damage is not one account; it is the confidence of a whole segment. That is the risk the new KYC rules are written to contain.
The RBI June 2025 AEPS Guidelines: What Changed
The June 2025 direction reframes who owns AEPS risk. It moves the burden squarely onto the acquiring bank, the bank that onboards and sponsors the operators, and it sets a hard compliance date. The obligations fall into three buckets: due diligence at onboarding, monitoring during the operator’s active life, and a rule for what happens when an operator goes dormant.
Due Diligence of AEPS Touchpoint Operators (ATOs)
An AEPS touchpoint operator is the human running the micro-ATM, and the direction now treats onboarding one as a KYC event. Acquiring banks must carry out due diligence on all ATOs before onboarding them, adopting the same process used for the customer due diligence procedure for individuals under the Master Direction on Know Your Customer. In plain terms, verifying an operator is now held to the same bar as verifying a retail account holder.
There is one sensible carve-out. If an operator was already vetted as a business correspondent or sub-agent, that existing due diligence satisfies the onboarding requirement, so banks are not forced to re-paper relationships they have already documented. The reactivation rule is stricter: an operator inactive for three consecutive months, with no financial or non-financial transactions, must complete fresh KYC before transacting again.
Ongoing Transaction Monitoring and Risk Parameters
Onboarding due diligence is a snapshot; fraud is a moving target, so the direction also mandates continuous oversight. Acquiring banks must monitor ATO activity through transaction monitoring systems on an ongoing basis, setting operational parameters based on each operator’s risk profile and folding them into the bank’s fraud risk management framework.
Those parameters are meant to reflect real signals: location, transaction type, and transaction volume or velocity, reviewed regularly as fraud patterns shift. The direction also closes a technical door, requiring system-level controls so that the APIs behind an operator’s device are used solely for AEPS operations and cannot be repurposed for unauthorized access. This is where a generic agent app becomes a governed, single-purpose integration.
Effective Date and Who Must Comply
The direction comes into effect on January 1, 2026, and the party on the hook is the acquiring bank. Business correspondent network managers and fintech ATO aggregators feel it downstream, because the sponsoring bank will push these obligations into its contracts with them. If your institution sponsors AEPS operators, the clock is already running.
The practical read for a compliance lead is that the operator base needs to be treated as a customer book. Every active operator should have a verifiable identity record, a risk tier, and a monitoring profile before the effective date, not after the first fraud complaint lands. Banks that already run tight KYC for NBFC and agent networks have a head start; the rest are rebuilding a process under a deadline.
AEPS Transaction Limits and Authentication Requirements
Compliance teams often ask for the AEPS transaction limit 2026 figure as if a single number settles the risk question. It does not. Limits on AEPS are set through NPCI’s operating framework and each bank’s own risk-based caps, and the direction of regulation is toward dynamic, risk-tiered controls rather than one static ceiling that applies to every operator equally.
Two-Factor Authentication for AEPS
For years, the biometric was the whole authentication story. AEPS two-factor authentication changes that by pairing the fingerprint with an additional factor, so a single compromised biometric is no longer enough to move money. The regulatory and network trend is clearly toward layering a second factor onto higher-risk transactions rather than trusting biometrics alone, mirroring how video KYC pairs liveness with human review for remote onboarding.
The reasoning is straightforward once you accept that biometrics can be spoofed. A silicone fingerprint or a replayed template defeats a system that treats a match as proof of presence. Adding a second, independent factor raises the cost of that attack, which is why face authentication and one-time factors are becoming standard companions to fingerprint-based flows.
Fraud Risk Management and Operational Controls

Beyond authentication, the direction expects banks to run AEPS inside a live fraud risk management framework rather than a set-and-forget rulebook. That means alerting on anomalous operator behaviour, tiering operators by risk, and reviewing thresholds as new fraud typologies appear. Static controls age badly against adversaries who adapt weekly.
In practice, the parameter that surfaces a mule operator first is rarely transaction value. It is velocity against geography: the same operator authenticating withdrawals across locations a single person could not physically travel between in the elapsed time. Building that logic into monitoring, and studying common AML typologies, catches organized abuse that a simple per-transaction cap never will.
What AEPS Fraud Looks Like, and Where Verification Fits
To design controls that work, it helps to name the attacks the direction is responding to. AEPS fraud is not one thing; it is a small family of techniques that exploit the gap between a biometric match and a genuine, consenting person standing at the counter. Verification technology closes that gap at two distinct moments.
Common AEPS Fraud Vectors
The most damaging vector is biometric spoofing: cloned fingerprints made from lifted prints, silicone or latex fakes, or replayed digital templates that satisfy the scanner without a real finger. A second vector is credential harvesting, where Aadhaar numbers and demographic data are collected and paired with a compromised or complicit operator. The third is the mule operator, an onboarded ATO who knowingly runs fraudulent withdrawals.
What ties these together is a single weakness: static biometrics prove a match, not a live presence or a lawful intent. If the system cannot tell a real finger from a cast of one, the strongest-looking authentication in the flow is the easiest to fake. That is the specific hole liveness detection is built to plug.
Where Identity Verification Strengthens the Chain
Verification does its work at two moments the direction cares about. At onboarding, the operator is put through document verification, a face match to the identity document, a passive liveness check, and screening against sanctions and PEP lists, which is exactly the customer-grade due diligence the rule now demands. This is the same document and identity verification discipline banks already apply to account holders, pointed at the agent instead.
At transaction time, the defence shifts to detecting spoofed biometrics and synthetic presence in real time. Passive liveness confirms a live person, and deepfake and presentation-attack detection catches the cast fingerprints and replayed templates that static matching waves through. Running deduplication across the operator network then surfaces one person quietly controlling many touchpoints, the pattern that precedes most large AEPS losses.
An ATO Onboarding and Compliance Checklist for Banks
The direction tells banks what to achieve, not how to operationalize it. The following two-stage checklist maps the obligations to concrete controls a risk team can configure, splitting the work into what happens before an operator goes live and what runs for as long as they stay active.
Onboarding-Stage Controls
Before an operator authenticates a single transaction, five controls establish that they are who they claim to be and safe to sponsor:
- Verify a government identity document and extract its data, rejecting tampered or forged documents.
- Match the operator’s live selfie to the document photo, confirming the person and the ID belong together.
- Run a passive liveness check so the enrolment cannot be completed with a photo or a mask.
- Screen the operator against sanctions, PEP, and adverse-media lists before approval.
- Store the full due-diligence record to the customer-due-diligence-for-individuals standard, so onboarding is auditable on demand.
Each control maps to a clause in the direction, and each produces an artifact a supervisor or auditor can inspect. The point is not to collect paperwork; it is to make the onboarding decision defensible if that operator is ever implicated in fraud.
Ongoing-Monitoring Controls
Once live, the operator moves into continuous monitoring, where four controls keep risk visible:
- Assign a risk tier at onboarding and adjust it as behaviour and location data accumulate.
- Set velocity and location parameters, alerting on transaction patterns that a single genuine operator could not produce.
- Enforce the dormancy rule, flagging any operator inactive for three months for fresh KYC before reactivation.
- Restrict API scope so the operator’s integration serves AEPS alone, with monitoring for any attempt to use it otherwise.
Treating the operator base as a living customer book, rather than a static agent list, is what turns these controls from a compliance checkbox into actual fraud prevention. A bank onboarding programme that already verifies customers this way can extend the same rails to its AEPS operators without building from scratch.
Getting AEPS right after January 2026 comes down to treating operators as a verified population, not a loose network. HyperVerge helps banks and NBFCs run customer-grade onboarding and biometric fraud detection, with document verification, passive liveness, and presentation-attack detection built for exactly this kind of last-mile risk. Talk to our team to see how it fits your AEPS operator base.
FAQs
What is the full form of AEPS?
AEPS stands for Aadhaar Enabled Payment System. It is NPCI’s payment rail that lets customers perform basic banking, including cash withdrawal, deposit, balance enquiry, and fund transfer, using their Aadhaar number and a fingerprint at a business correspondent’s micro-ATM, without a card, PIN, or smartphone.
What are the new NPCI and RBI AEPS guidelines for 2026?
The central change is RBI’s June 2025 direction, effective January 1, 2026. It requires acquiring banks to conduct customer-grade due diligence on every AEPS touchpoint operator, monitor their transactions on an ongoing basis, restrict APIs to AEPS use only, and re-run KYC for operators inactive for three months.
What is an AEPS touchpoint operator (ATO)?
An AEPS touchpoint operator is the person who runs the micro-ATM device where customers authenticate AEPS transactions, usually a business correspondent or their agent. Under the 2025 RBI direction, the acquiring bank that sponsors an operator must verify and monitor them to the same standard applied to an individual banking customer.
How does the RBI direction reduce AEPS fraud?
It targets the weak points fraudsters exploit. By forcing identity verification and screening of operators at onboarding, ongoing transaction monitoring, and API restrictions, it makes it harder for cloned biometrics, harvested credentials, or complicit operators to move money undetected through poorly governed touchpoints.
What KYC is required for AEPS agents?
Acquiring banks must apply the customer-due-diligence procedure for individuals to AEPS operators before onboarding: document verification, identity confirmation, and screening. Operators previously vetted as business correspondents can rely on that existing due diligence, but any operator dormant for three consecutive months needs fresh KYC before resuming.
