The National Payment Corporation of India (NPCI) has issued an operating circular (NPCI/UPI/OC No 153/2022-23) on 5 July 2022 (OC) stipulating guidelines for capturing customer location on Unified Payments Interface (UPI).

BACKGROUND

UPI runs a set of standard application programming interfaces (API's) to facilitate online immediate payments for both person to person (P2P) and person to merchant (P2M) transactions. The core features of UPI, both financial and non-financial, are delivered using these specific API's. From time to time, NPCI has issued guidelines defining the message specifications and the intended purpose of these API's and the usage of the information retrieved from the API's, which are required to be strictly complied with by all the members participating in the UPI infrastructure. Geo-tagging (location / geo-code) information being part of the said API framework is also captured for the payments made via UPI.

In extension of NPCI's guidelines which permit capturing location details along with other personal details in an encrypted form by the UPI application providers, NPCI has issued guidelines via OC to capture locations / geographical details on UPI applications only with customer / individual consent as the procedure of geo-tagging involves customer centric information.

KEY HIGHLIGHTS OF THE OC

Timeline for compliance with the OC

All the UPI members are required to comply with the guidelines prescribed in the OC by 1 December 2022.

Capturing of location / geographic details with customer consent

UPI applications are permitted to capture location / geographical details of the customer / individuals only with their prior consent. Further, such collection of location / geographical details cannot be mandated by the UPI applications and the option to enable / revoke consent shall be mandatorily provided to the customer.

Revocation of consent by the customer

In cases where a customer has already provided consent to share the location to the UPI applications initially while availing the services, and subsequently wishes to revoke the consent, the same should be permitted without denying UPI services to such customer. Further, the UPI applications should continue providing services to such customer even after the consent for sharing the location / geographical details has been revoked.  

Obligation to transfer correct location / geographic details to UPI

In cases wherein customer has provided consent to capture location / geographical details to the UPI application, such details should be accurately passed to UPI. Sending of inaccurate coordinates in such cases will attract strict action from NPCI.

No denial of UPI services in case customer denies sharing location / geographic details

UPI applications shall not deny / disable the UPI services to such customers who do not give consent to share location / geographical details. 

Applicability of the guidelines only in case of individual customers and domestic UPI transactions

The guidelines provided under the OC shall be applicable only in case of individual customers and domestic UPI transactions.

COMMENT

While it seems like the guidelines stipulated under the OC have been issued by NPCI to ensure the UPI customers can manage their data (pertaining to location / geographical details) and privacy with more control, it can be seen as a setback for UPI application providers who have been mandating collection of such data from customers to use their UPI services for the purpose of detecting suspicious and fraudulent activities and conducting risk based analysis of the transactions made via such applications.

The content of this document do not necessarily reflect the views/position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up please contact Khaitan & Co at legalalerts@khaitanco.com