ARTICLE
11 August 2025

NPCI Guidelines On UPI And API Usage

Singhania & Co.

Contributor

Established in 1969, Singhania & Co. has established itself as one of the premier law firms in the country with 30+ partners and 200+ fee earners. Singhania & Co. is a full service law firm with practice areas ranging from General Corporate, Mergers and Acquisitions, Private Equity, Taxation, Finance, Intellectual Property, Dispute Resolution, Arbitration, Funds, International Trade etc.

Introduction

On May 21, 2025, the NPCI introduced new guidelines to streamline the Unified Payments Interface ("UPI") and its Application Programming Interfaces ("APIs"), effective August 1, 2025. These rules aim to reduce system congestion, enhance security, and improve user experience for over 14 billion monthly transactions. Below, we outline the key provisions and their specific impacts on end users, banks, payment service providers ("PSPs"), and fintech companies.

Key Provisions and Their Impact

  1. Balance Enquiry Restrictions:
    • Provision: Limited to 50 balance checks per user per day per UPI app. Banks must display updated account balances with transaction notifications.
    • Impact on End Users: Users who frequently check balances (e.g., small business owners or gig workers) may hit the 50-check limit, facing temporary restrictions. Transaction notifications with balance updates reduce the need for manual checks, improving convenience.
    • Impact on Banks/PSPs: Must update apps to display balances with notifications, requiring system upgrades. Reduces server load from excessive non-financial API calls.
    • Impact on FinTechs: Must integrate balance display features into apps and educate users to rely on notifications to avoid hitting limits.
  2. Linked Account Views:
    • Provision: Capped at 25 requests per app per customer per day, with explicit user consent for retries.
    • Impact on End Users: Users linking multiple bank accounts may encounter restrictions after 25 attempts, requiring consent for further tries. This may cause slight delays for users managing multiple accounts but enhances security.
    • Impact on Banks/PSPs: Must implement consent mechanisms and monitor API usage, increasing compliance costs but reducing system strain.
    • Impact on FinTechs: Need to redesign account-linking workflows to include consent prompts, ensuring compliance with NPCI and data protection laws.
  3. Transaction Status Checks:
    • Provision: Minimum 90-second delay before each status check; maximum three checks within a two-hour window.
    • Impact on End Users: Users checking transaction status (e.g., for high-value payments) may experience slight delays due to the 90-second wait. The three-check limit may inconvenience users awaiting confirmation, but it ensures faster system-wide transactions as it prevents apps from hammering the system with rapid-fire retries during network delays.
    • Impact on Banks/PSPs: Must adjust systems to enforce delays and limits, reducing server congestion but requiring technical updates.
    • Impact on FinTechs: Must update user interfaces to reflect delayed status checks and educate users on new limits to manage expectations.
  4. AutoPay Mandate Execution:
    • Provision: Restricted to non-peak hours (before 10:00 AM, 1:00 PM–5:00 PM, or after 9:30 PM), with a maximum of one execution attempt and up to three retries.
    • Impact on End Users: Users with recurring payments (e.g., subscriptions, utility bills) may notice payments processing at different times, potentially affecting budgeting. Improved system stability ensures more reliable AutoPay execution.
    • Impact on Banks/PSPs: Must schedule AutoPay during off-peak hours, requiring system reconfiguration but reducing peak-time outages.
    • Impact on FinTechs: Need to adjust AutoPay schedules and notify users of timing changes, ensuring transparency to avoid confusion.
  5. Other API Controls:
    • Provision: APIs such as List Keys and List Verified Merchants are limited to once daily during off-peak hours. For the List Verified Merchants API, the Guideline additionally mandates a minimum of 1,000 entries per call to avoid frequent server hits. Penny Drop (for account verification) and ValCust (customer validation) APIs require user consent and compliance with the Digital Personal Data Protection Act, 2023. This will enhance data privacy.
    • Impact on End Users: This will enhance users' data privacy amid growing cybercrime, chargeback fraud and identity theft.
    • Impact on Banks/PSPs: Must restrict API usage to off-peak hours and implement consent mechanisms, increasing compliance efforts but improving system performance.
    • Impact on FinTechs: Must update backend systems for API restrictions and integrate consent workflows, aligning with data protection regulations.
  6. Compliance Requirements:
    • Provision: Banks and PSPs must submit compliance undertakings by August 31, 2025, and undergo annual CERT-In empanelled audits. Non-compliance may lead to penalties, API restrictions, or suspension of new user onboarding.
    • Impact on Banks/PSPs: Face significant compliance burdens, including system audits and undertaking submissions. Non-compliance risks financial penalties and operational restrictions.
    • Impact on FinTechs: Must invest in audit preparation and compliance frameworks, increasing costs but ensuring long-term operational stability.
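
As an added illustration (not part of the NPCI guidelines or of the original article), the sketch below shows how a PSP or fintech backend might enforce the balance-enquiry, status-check and AutoPay limits summarised above before calling the UPI APIs. The class and function names are hypothetical, times are assumed to be local (IST), and the choices of a rolling two-hour window, a 90-second clock starting at transaction initiation, and the boundary minutes of each window are assumptions.

```python
from datetime import datetime, time, timedelta

# Limits as summarised in the article; exact semantics are assumptions here.
BALANCE_CHECKS_PER_DAY = 50
STATUS_MIN_GAP = timedelta(seconds=90)
STATUS_MAX_CHECKS = 3
STATUS_WINDOW = timedelta(hours=2)


class UpiThrottle:
    """Hypothetical guard an app backend calls before each API request."""

    def __init__(self):
        self.balance = {}  # (user, app, calendar date) -> checks made
        self.status = {}   # transaction id -> times of earlier status checks

    def allow_balance(self, user, app, now):
        key = (user, app, now.date())
        if self.balance.get(key, 0) >= BALANCE_CHECKS_PER_DAY:
            return False
        self.balance[key] = self.balance.get(key, 0) + 1
        return True

    def allow_status(self, txn_id, initiated_at, now):
        # Keep only checks still inside the rolling two-hour window.
        checks = [t for t in self.status.get(txn_id, []) if now - t < STATUS_WINDOW]
        last = checks[-1] if checks else initiated_at
        if now - last < STATUS_MIN_GAP or len(checks) >= STATUS_MAX_CHECKS:
            return False
        checks.append(now)
        self.status[txn_id] = checks
        return True


def autopay_allowed(now):
    """True when `now` falls in one of the non-peak windows listed above."""
    t = now.time()
    return t < time(10, 0) or time(13, 0) <= t < time(17, 0) or t >= time(21, 30)


def next_autopay_slot(now):
    """Earliest time at or after `now` at which a mandate may execute."""
    if autopay_allowed(now):
        return now
    # Blocked periods are 10:00-13:00 and 17:00-21:30 on the same day.
    start = time(13, 0) if now.time() < time(13, 0) else time(21, 30)
    return datetime.combine(now.date(), start)
```
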

Broader Implications

  • End Users: Most changes are seamless, with apps auto-implementing restrictions. Enhanced system stability reduces transaction delays, but users may need to adapt to limits on balance checks, status inquiries, and AutoPay timing. Consent prompts strengthen data privacy.
  • Banks and PSPs: Must prioritize system upgrades and compliance by August 31, 2025, to avoid penalties. Reduced system strain improves service reliability.
  • FinTech Companies: Need to update API integrations, user interfaces, and consent mechanisms to comply with NPCI and data protection laws, ensuring user trust and system efficiency.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
