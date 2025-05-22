The National Payments Corporation of India (NPCI) is strengthening its oversight of India’s real-time payments system, Unified Payments Interface (UPI), to prevent future disruptions stemming from stress on the core network.
In a circular published on Wednesday, the apex payments body outlined operating guidelines for the usage of 10 application programming interfaces (APIs) associated with UPI. It has directed payment service providers (PSPs) and acquiring banks to monitor and moderate the use of these APIs.
NPCI may also implement rate limiters on how frequently an API can be used.
The move follows a root cause analysis conducted last month, which found that banks were generating an excessive number of “check transaction status” API calls. These were placing strain on the UPI infrastructure and contributing to system downtime.
“In the event of non-compliance with the above guidelines, NPCI may take necessary action, including UPI API restrictions, penalties, suspension of new customer onboarding, or any other measures deemed appropriate,” the circular stated.
Business Standard has reviewed a copy of the circular.
All UPI members and their partners are required to implement the new guidelines by 31 July this year.
Sources familiar with the matter noted that back-end system updates at banks could take two to three months.
“After the initial outage, it looks like more work is being done to ensure disruptions do not occur henceforth for users, which mirrors a customer-first approach. For instance, mandate executions and other utility APIs are pushed to low traffic hours,” said an executive at a fintech firm.
NPCI has also defined peak hours — periods when UPI financial transactions reach the highest number per second — typically between 10 am and 1 pm, and 5:30 pm to 9:30 pm.
Some common use cases for UPI APIs include transaction status checks, balance enquiries, execution of autopay mandates, and account verification.
APIs are protocols that enable secure data exchanges between banking systems and the UPI network.
Additionally, NPCI has directed acquiring banks to audit their systems through a Cert-In empanelled auditor to review API usage. Audit reports must be submitted to NPCI by 31 August. Banks will be required to conduct these audits annually.
Last month, NPCI also issued circulars to reduce response times for four APIs and to prevent their misuse.
In one directive, NPCI instructed banks to initiate the “check transaction status” API call only after 90 seconds from the original transaction’s authentication.
Following revised timing instructions, NPCI has now stated: “After the timers are changed, members may initiate the same after 45–60 seconds of the initiation or authentication of the original transaction.”