Regulating UPI: Consumer Rights & Privacy

By Anuradha Gandhi and Rachita Thakur

Introduction

On April 12, 2025, the National Payments Corporation of India (hereinafter referred to as ‘NPCI’) posted on its social media handle on ‘X’ acknowledging that the Unified Payments Interface (hereinafter referred to as ‘UPI’) suffered an outage and disruption in services due to ‘intermittent technical issues’.[1] Post these outages, NPCI has taken active steps towards preventing any future outages. It issued a circular directing the Payment System Providers (hereinafter referred to as ‘PSPs’) to limit Application Programming Interface (hereinafter referred to as ‘API’) calls to the UPI system to control server overload. [2] Along with these measures, NPCI also included various directions regarding free, fair and explicit user consent which align with the provisions of different frameworks and guidelines under Indian Law.

NPCI controls Server Overload while mandating Explicit User Consent

Latest Usage guidelines for the APIs used by UPI apps

The NPCI issued a circular dated May 21, 2025 on Guidelines on usage of UPI API (hereinafter referred to as ‘API Guidelines’). Most of the guidelines deal with reducing the vulnerability of the UPI server by limiting the use cases of APIs, however, use of certain APIs require the PSPs to obtain explicit user consent while securing certain consumer interests.

Balance Enquiry API is used to check the balances available through UPI apps. This API can be used on when initiated by the customer.
List Account API allows the customer to find the list of accounts linked to their mobile by a particular account provider. This API can be used only once the customer selects the issuer bank on the UPI app.
Penny drop API is used to initiate transactions to verify the validity and ownership of an account. This shall be initiates only on the basis of explicit customer consent. This initiation shall be in full compliance of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDPA’).
Validate Address API is used for validating UPI IDs or Virtual payment addresses (hereinafter referred to as ‘VPAs’) before initiating a payment or transaction. This is to be used only when the customer intends to pay[3]

Non Compliance Consequences

The API guidelines direct the PSPs to comply with the above guidelines and ensure implementation by July 31, 2025 and in the event of non-compliance to the above guidelines, NPCI may take necessary action including UPI API restriction, penalties, suspension of new customer on-boarding or any other measures deem appropriate.

Mapping the Basic Operational Framework of UPI Transactions[4]

Transaction Initiation: The user initiates a transaction, acting as either a payer or payee. This involves inputting necessary personal and financial details into a UPI-enabled application, which may be provided by a Third-Party Application Provider (hereinafter referred to as ‘TPAP’) or a PSP bank. The user specifies recipient details, such as a VPAs, UPI ID, mobile number, QR code, or bank account information.
Compilation and Transmission by TPAPs – TPAPs serve as service facilitators, integrating UPI functionalities into a singular application. TPAPs interface with UPI servers via their partnered PSP banks. Upon transaction initiation, the TPAP’s application compiles the payment details and transmits this request to its associated PSP. In instances where the application is directly provided by a PSP bank, the details are conveyed to that PSP’s banking servers.
Verification by the PSPs – PSPs are banking institutions authorized to access UPI servers for transaction processing. A PSP may offer UPI services directly to its account holders through a proprietary UPI application or through partnerships with TPAPs. The PSP’s system, via the application, prompts the user for their UPI PIN. This PIN is encrypted by the application and securely transmitted to the PSP. The PSP subsequently conducts initial security protocols, including device binding verification and confirmation of sufficient funds within the linked bank account.
Communication between NPCI and the relevant banks – As the proprietor and operator of the UPI platform, NPCI authorizes the participation of various entities, including Issuer Banks, PSP Banks, TPAPs, and Prepaid Payment Instrument (hereinafter referred to as ‘PPI’) issuers. NPCI grants these participants access to the UPI system for functions such as report generation, chargeback initiation, transaction status updates, and online transaction routing, processing, and settlement. The sender’s PSP forwards the encrypted payment request to NPCI, which functions as the central clearinghouse for all UPI transactions. NPCI identifies both the Remitter and Beneficiary banks based on the provided sender and receiver details, subsequently forwarding a debit request to the Remitter Bank and a credit request to the Beneficiary Bank.
Role of the Remitter Bank – Remitter bank is the banking institution where the sender’s account is maintained. Upon successful validation of all checks, the Remitter Bank debits the specified amount from the sender’s bank account and relays a confirmation message back to NPCI.
Role of the Beneficiary Bank – Beneficiary bank is the banking institution where the receiver’s account is held. Following confirmation from the Remitter Bank, conveyed through NPCI, that funds have been debited, the Beneficiary Bank credits the corresponding amount to the recipient’s bank account and transmits a confirmation back to NPCI.
Confirmation Notification – NPCI receives confirmations from both the Remitter and Beneficiary banks and subsequently relays the final transaction status to both the payer’s PSP and the payee’s PSP. Both PSPs then communicate this status to their respective users via their UPI applications. If the transaction was conducted through a TPAP, the PSP transmits the confirmation message to the TPAP, which then relays the message to the user.[5]

How are User rights safeguarded in the UPI Ecosystem?

User Control over Personal data

On July 20^th, 2021, NPCI issued the Numeric UPI ID resolution (hereinafter referred to as ‘Resolution’) publishing guidelines for enabling UPI Numbers for UPI based transaction. The Resolution directed the PSPs must implement user support for the entire lifecycle management of a UPI number through registration, updating, deletion or deregistration in the UPI ID Mapper.[6]

Explicit User Consent Requirements

The Resolution classifies generation of UPI number as voluntary and the PSP is mandated to take explicit consent of the user for the same. Such consent can be taken as part of the general terms and conditions of the PSP. The user can choose to send and receive money through the linked mobile number or UPI ID if the UPI number is not generated and seeded to the UPI ID mapper. The deadline for this compliance was set as January 1^st, 2022.

What is Seeding and Porting of UPI Numbers?

Seeding refers to the process of linking your bank-verified mobile number or custom generated UPI Number to your UPI ID. Such number then acts as a simplified identifier for your UPI ID, allowing people to send money to you using just this number, regardless of which UPI app is being used. On the other hand, Porting in the context of UPI, refers to transferring of your UPI number from one PSP to another.

Explicit User Consent necessary for Seeding and Porting of UPI Numbers

This scope of User Consent requirement was extended vide addendum to the resolution dated March 3^rd, 2025, (hereinafter referred to as ‘Resolution Addendum’) making it mandatory to obtain explicit user consent for both seeding and porting of UPI ID. Initially this was required only for seeding of UPI number.[7] This change is important after incidents of PSPs were porting UPI IDs of users without obtaining their consent. A leading PSP, in April 2024, transitioned the UPI handles of the user to different PSP banks. Many users termed this as invasion of privacy by the PSP. The new user consent requirements would bar the PSPs from indulging in such actions.[8]

How does RBI regulate UPI?

PPI Issuers are PSPs for the purpose of UPI Transactions

RBI’s master direction on Prepaid Payment Instruments (hereinafter referred to as ‘PPI Guidelines’) released on August 27, 2021, defines the concept of Interoperability as the technical compatibility that enables a payment system to be used in conjunction with other payment systems. It directs the Prepaid Payment Instrument issuer (hereinafter referred to as ‘PPI issuer’) to be guided by the technical specifications, standards and requirements for achieving interoperability through UPI and card networks as per the requirements of NPCI and the respective card networks.[9] Further, the PPI guidelines direct that PPI issuer shall act as PSPs for UPI based transactions and facilitate all basic and standard features of interoperability of UPI with PPI instruments. This essentially streamlines the process of regulatory enforcement by limiting the operations of both PPI issuer and PSP to a single entity.[10]

Guidelines on Data Localization

On April 6^th, 2018, RBI released a circular regulating the storage of payment system data which directed all PSPs to ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered, transmitted or processed as part of a payment.[11] This may also include Customer data, Payment sensitive data, Payment Credentials, and, Transaction data. This directive is applicable on PSPs providing UPI based payment facilities as well. [12]

Obligation to disclose terms on which Personal data is processed

When issuing PPI’s, issuers must clearly disclose all important terms and conditions in simple language, ideally in English, Hindi, and the local language. This includes detailing all associated charges and fees, as well as the instrument’s expiry period and related terms.

Implementation of Grievance Redressal Mechanism

Furthermore, PPI issuers are required to establish a formal, publicly accessible customer grievance redressal framework. This framework must designate a nodal officer for complaints, outline an escalation matrix and resolution timelines, and ensure complaint facilities on websites or mobile apps are clear and accessible. Issuers must also disseminate their customer protection and grievance redressal policy in simple language, clearly display customer care contact details on all platforms, and ensure agents exhibit proper signage with these details.

Promoting Consumer Awareness

PPI issuers must display a detailed list of their authorized agents and educate customers on secure PPI use, including password confidentiality and procedures for loss, theft, or fraud detection.[13]

Data Security Measures and Data Management Practices

To enhance security, PPI issuers (PSPs for the purpose of UPI) must establish a robust framework encompassing several key areas and ensure:

Application Life Cycle Security through source code audits by competent personnel or by obtaining assurance from application providers that their applications are free from malicious code.
Integrating of a Security Operations Centre with system and application level logs from mobile PPIs for centralized monitoring and management of security incidents.
Subscribe to Anti-Phishing services to identify and remove phishing websites and rogue applications to combat online threats.
Implementing Risk-based Transaction Monitoring for effective fraud risk management.
Agreements with service providers granting regulators audit rights and ensuring RBI access to information resources, adherence to data localization laws, regular review of service provider security, and inclusion of security breach disclosure clauses in service agreements.
Establishment of a Disaster Recovery facility with defined Recovery Time Objectives and Recovery Point Objectives to rapidly recover from cyber-attacks and other incidents, ensuring the security of processes and data during recovery.[14]

How does the Data Protection Framework apply to the UPI Ecosystem?

Applicability of the Data Protection Framework, 2023

For the purpose of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDP Act’), the role adopted by PPI issuers, PSPs, TPAPs and NPCI is altered on the basis of the data transaction taking place. Following use cases may explain the attribution of liability within the UPI ecosystem based on the DPDP Act.

Users/ Customers – They are ‘data principles’ for the purpose of all Data transactions within the UPI ecosystem.
TPAPs – They are ‘data processors’ for the purpose of all data transactions within the UPI ecosystem. The scope and purpose of the collection of data by TPAPs is controlled and regulated by the PSPs. Their role within the ecosystem is to transmit encrypted information about UPI transactions entered by the User to the PSP and transmit the PSP’s confirmation message back to the user.
NPCI – It acts as the central clearing house of UPI transactions, and therefore, determines the scope and purpose of processing personal data by all entities within the UPI ecosystem including PSPs, TPAPs, Remitter bank, and Beneficiary bank. Therefore, NPCI shall be considered as the data fiduciary for all data transactions it is involved in within the UPI ecosystem.
Remitter Banks – They are ‘data processors’ for their role in validating and verifying UPI transaction data and, based on that, sending the ‘debit transaction confirmation’ to NPCI.
Beneficiary banks – They are ‘data processors’ for their role in validating and verifying UPI transaction data and, based on that, sending ‘credit transaction confirmation’ to NPCI.

Determining the applicability of DPDP Act on PSPs

The DPDP Act may apply on the PSPs in the capacity of either a data fiduciary or a data processor:

TPAP – PSP data transactions – For the purpose of data transactions happening with the TPAP, a PSP shall be considered as ‘data fiduciaries’ as it determines the purpose for which the TPAP collects and processes the personal data on its behalf.
PSP – NPCI data transactions – NPCI acts as the central clearing house for all UPI transactions and for the purpose of data transactions between PSPs and NPCI, a PSP shall be considered as a ‘data processor’ as it is guided by the scope and purpose of processing personal data as determined by the NPCI.
Where user transacts directly through PSP’s Application – When a user uses the relevant PSPs own app to make a UPI transaction, there is no involvement of a TPAP. In this case, the PSP shall remain the data fiduciary for purposes of data transactions between itself and the user as the ‘data processor’, i.e., TPAP, ceases to exist.

Obligations of PSPs as Data Fiduciaries under DPDP Act

Some of the main obligations of the Data Fiduciaries under the DPDP Act are as follows:

The data fiduciary should ensure the completeness, accuracy, and consistency of personal data when it is likely to be used to make a decision that affects the data principal or to be disclosed to another data fiduciary.
A data fiduciary should implement appropriate technical and organizational measures to ensure effective compliance with the DPDP Act and the rules
A data fiduciary should protect personal data in its possession or under its control by implementing measures including directing the data processors to take reasonable security safeguards to prevent personal data breaches
In the event of a personal data breach, the data fiduciary should notify the data protection board and the affected data principals about such breach in the prescribed format.
The data fiduciary should publish the contact details of the personnel who can answer the questions raised by the data principal on behalf of the data fiduciary.
The data fiduciary should establish an effective mechanism to redress grievances of data principles
The data fiduciary should delete the personal data upon the earlier of either the data principal withdrawing her consent or if the specified purpose for the processing of personal data is no longer being served.[15]

Prateek Chandgothia, Assessment Intern at S.S.Rana & Co. has assisted in the research of this article.

[1]https://www.hindustantimes.com/india-news/upi-down-for-several-users-across-india-third-outage-in-30-days-101744443888662.html

[2]https://timesofindia.indiatimes.com/business/financial-literacy/banking/key-upi-transactions-may-face-restrictions-from-august-1-under-npcis-new-api-guidelines-to-prevent-outages/articleshow/121443387.cms

[3]https://www.npci.org.in/PDF/npci/upi/circular/2025/UPI-OC-No-215-A-FY-2025-26-Guidelines-on-usage-of-UPI-APIs.pdf

[4]https://www.npci.org.in/what-we-do/upi/roles-responsibilities

[5]https://www.npci.org.in/PDF/npci/knowledge-center/partner-whitepapers/Unified-Payments-Interface-(UPI)-A-payment-solution-designed-to-transform-economies-of-the-21st-Century.pdf

[6]Pg.1, Para 3, https://www.npci.org.in/PDF/npci/upi/circular/2021/NPCI-UPI-OC-115-Rollout%20of-Numeric-UPI-ID-Mapper-to-enable-UPI-Number.pdf

[7]https://www.npci.org.in/PDF/npci/upi/circular/2025/UPI-OC-No-115-E-FY-2024-25-Addendum-to-circular-on-the-Numeric-UPI-ID-resolution.pdf

[8]https://www.medianama.com/2025/03/223-npci-says-upi-number-porting-needs-clear-user-opt-in/

[9]Para 11, https://rbi.org.in/scripts/BS_ViewMasDirections.aspx?id=12156

[10]Para 11.6, https://rbi.org.in/scripts/BS_ViewMasDirections.aspx?id=12156

[11]https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0