The original request was to make the account password reset more difficult by going beyond the OTP delivered via Email or SMS. The reset flow currently asks for the customer’s PAN (which only the user knows) and the User ID to trigger the account reset OTP. This flow currently ensures that the attacker has to know the user’s PAN details to request the OTP and also needs to have access to the phone/email to be able to successfully reset the password and gain access to the account. We have seen that the number of fraud cases dropped drastically after the mandatory 2FA implementation.
Further, we have also introduced a feature that allows the user to block his account. This ensures that if the user reports loss of mobile/loss of access to email, the account will be blocked immediately, and the account reset flow involves mandatorily doing a re-KYC, thus ensuring a tougher reset flow. I hope this addresses the concerns raised.
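As an added illustration (not code from the team's own system), the reset flow described above modelled in Python: the User ID and PAN gate OTP issuance, the OTP is delivered only to the registered contact and is single-use, time-limited and attempt-limited, and a user-initiated block keeps the account out of the reset flow until re-KYC completes. SERVER_KEY, the TTL and attempt limit, and the sample PAN in the test are constructed assumptions.

```python
import hmac, secrets, time
from dataclasses import dataclass, field
SERVER_KEY = b"constructed-server-pepper"  # constructed; a real deployment loads it from a KMS
OTP_TTL_SECONDS = 300                      # assumed OTP validity window
MAX_OTP_ATTEMPTS = 3                       # assumed wrong-OTP limit before the reset is discarded

def tag(value: str) -> bytes:
    """Keyed hash, so stored PAN/OTP digests cannot be brute-forced offline."""
    return hmac.new(SERVER_KEY, value.encode(), "sha256").digest()

@dataclass
class Account:
    user_id: str
    pan_tag: bytes               # keyed hash of the PAN, never the raw PAN
    contact: str                 # registered phone/e-mail that receives the OTP
    blocked: bool = False        # set when the user reports loss of phone/e-mail access
    kyc_verified: bool = False   # set once re-KYC completes for a blocked account
    pending: dict = field(default_factory=dict)

def request_reset(acct: Account, user_id: str, pan: str, send) -> bool:
    """Step 1: User ID and PAN must both match; a blocked account needs re-KYC first."""
    if acct.user_id != user_id or (acct.blocked and not acct.kyc_verified):
        return False
    if not hmac.compare_digest(acct.pan_tag, tag(pan)):
        return False
    otp = f"{secrets.randbelow(10**6):06d}"
    acct.pending = {"otp_tag": tag(otp), "expires": time.time() + OTP_TTL_SECONDS, "tries": 0}
    send(acct.contact, otp)      # second factor: delivered only to the registered channel
    return True

def complete_reset(acct: Account, otp: str, new_password: str, set_password) -> bool:
    """Step 2: the OTP proves control of the phone/e-mail; single-use, time- and attempt-limited."""
    p = acct.pending
    if not p or time.time() > p["expires"]:
        acct.pending = {}
        return False
    p["tries"] += 1
    if not hmac.compare_digest(p["otp_tag"], tag(otp)):
        if p["tries"] >= MAX_OTP_ATTEMPTS:
            acct.pending = {}
        return False
    acct.pending = {}
    acct.blocked = acct.kyc_verified = False   # block is lifted only by a completed reset
    set_password(acct.user_id, new_password)
    return True

def block_account(acct: Account) -> None:     # user reports lost phone/e-mail access
    acct.blocked, acct.kyc_verified, acct.pending = True, False, {}
def complete_rekyc(acct: Account) -> None:    # only the re-KYC process calls this
    acct.kyc_verified = True
```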