NPCI directs UPI members to follow new API guidelines to avoid disruptions

For instance, this includes restricting a high number of repeat APIs for the same or older transactions

The National Payments Corporation of India (NPCI) has directed members of the unified payments interface (UPI) network to adhere to its guidelines on application programming interface (API) calls, whose overuse resulted in an outage of the real-time payments system earlier this month. 

 

APIs are sets of protocols and tools that enable secure data exchanges between banking systems and the UPI network.

 

The retail payments body, in a circular, said that payment service provider (PSP) banks and acquiring banks should ensure that API requests to UPI should be monitored and moderated for appropriate use. This includes restricting  too many repeat APIs of the same or older transactions.

 

Members have been directed to comply with the latest guidelines, failing which they may face action, including penal provisions.

 

Further, the NPCI has directed banks to initiate “first check transaction status API” after 90 seconds from the authentication of the original transaction. “After the timers are changed, members may initiate the same after 45-60 seconds of the initiation or authentication of the original transaction,” it said in the circular.

 

Business Standard has reviewed the copy of the circular sent to UPI members.  

 

PSP banks or acquiring banks have been asked to initiate a maximum of three “check transaction status” APIs, preferably within two hours from the initiation or authentication of the original transaction. 

 

NPCI may also consider implementing rate limiters on select APIs in consultation with the steering committee and subject to other approvals. The circular further said that banks should consider a transaction to have failed if they receive an error from a list of conditions, and not initiate any further “check transaction status” API calls.

 

Banks are required to get their systems audited by a Cert-in empanelled auditor immediately and annually to review API use and existing systems behaviour, NPCI said in its circular. The payments body has requested members to reach out if they have suggestions within the next four weeks. It added that the “standalone use of APIs for purposes other than intended is prohibited, unless approved.”

 

The circular follows a surge in “check transaction status” API calls by PSP banks to the real-time payments system at a high transactions-per-second rate repeatedly. 

 

On April 12, UPI services suffered their fourth disruption in three weeks. A root-cause analysis by NPCI revealed that banks had been sending an excessive number of “check transaction status” API calls that put a strain on the system that contributed to the outage.