Unified Payments Interface (UPI)
The Unified Payments Interface (UPI) is a real-time interbank payment system designed and operated by the National Payments Corporation of India (NPCI) . It enables immediate fund transfers between bank accounts through a mobile application, using a Virtual Payment Address (VPA) as the primary identifier in place of a bank account number and IFSC code. NPCI launched UPI on 11 April 2016 with twenty-one partner banks after a soft launch and testing phase that ran through the preceding months.
By volume, UPI is the dominant retail payment rail in India. In October 2025, the system processed approximately 17 billion transactions, equivalent to roughly 550 million transfers per day. The cumulative value of transactions since inception exceeded 300 trillion Indian rupees by mid-2025. No other payment rail in India, and few globally, carries comparable daily throughput.
UPI operates on top of the Immediate Payment Service (IMPS ) infrastructure for the interbank settlement leg, but adds a layer of abstraction through the VPA addressing scheme, a standardised mobile API, a consent-based collect flow, and a mandate construct. The Reserve Bank of India (RBI) designates UPI as a systemically important payment system under the Payment and Settlement Systems Act, 2007.
Background and launch
Context: fragmented retail payments before 2016
Before UPI, Indian retail banking offered several electronic fund transfer options, each with meaningful constraints. NEFT (National Electronic Funds Transfer) settled transactions in hourly batches and was unavailable after banking hours. RTGS (Real Time Gross Settlement) settled individually but carried a minimum transaction floor of two lakh rupees and was designed for large-value interbank settlements. IMPS , launched by NPCI in 2010, was the first truly real-time retail payment channel but required counterparties to exchange MMID (Mobile Money Identifier) numbers or full account and IFSC details, creating friction in everyday use.
Mobile wallets (Paytm, MobiKwik, Oxigen) had gained traction by 2014-15 but operated as closed-loop systems: money loaded into one wallet could not be transferred directly to a different wallet or to a bank account without workarounds. The resulting fragmentation meant that a customer on one wallet could not pay a merchant registered on another wallet without both parties holding accounts with the same provider.
The RBI and NPCI identified the absence of an open, interoperable, mobile-native payment standard as the principal gap. The solution was a common API layer that would sit above all member banks and wallets, present a unified addressing scheme, and route transactions through existing IMPS settlement rails.
Conception and pilot
NPCI began designing UPI in 2015 under a committee that included representatives from major scheduled commercial banks, the RBI and the Indian Banks’ Association. The core design mandate was:
- A single API specification that any bank or third-party app could implement.
- A VPA (of the form username@bankhandle) that abstracted away account and IFSC details.
- Both push (payer-initiated) and pull (payee-initiated collect request) transaction flows.
- Two-factor authentication using a mobile number-linked device and a UPI PIN set against the debit card.
The pilot ran from October 2015 to April 2016, involving seventeen regulated bank apps. On 11 April 2016, NPCI formally launched UPI with twenty-one member banks. The first public transaction was demonstrated by the then RBI Governor Raghuram Rajan. Retail availability through bank apps followed in August 2016.
Demonetisation and accelerated adoption
Adoption was modest in the first six months, averaging around 100,000 to 300,000 transactions per month. The demonetisation of 500- and 1,000-rupee notes announced on 8 November 2016 created acute demand for cashless alternatives. Daily transaction volumes on UPI spiked within weeks. By January 2017, the monthly count had crossed 4.5 million. The government’s push for a less-cash economy and subsequent Jan Dhan-Aadhaar-Mobile (JAM) policy alignment kept UPI at the centre of official digital payments promotion.
The concurrent launch of the BHIM app in December 2016 as a government-endorsed UPI client gave the platform additional retail visibility. By March 2018, monthly volumes had crossed 178 million.
Technical architecture
The four-party model
Every UPI transaction involves four logical participants:
- Payer PSP (Payment Service Provider bank): The bank whose app or third-party app the payer uses. The payer’s bank authenticates the payer, validates the UPI PIN, and initiates the debit instruction to NPCI.
- NPCI switch: The central routing and clearing infrastructure operated by NPCI. It validates VPAs, routes instructions to the correct remitter and beneficiary banks, and maintains the settlement record.
- Payee PSP bank: The bank whose UPI handle the payee holds. It receives the credit instruction from NPCI and credits the payee’s account.
- Payer’s bank (remitter bank) and payee’s bank (beneficiary bank): The actual account-holding banks that execute the debit and credit entries. In many cases the payer PSP and the remitter bank are the same entity; similarly for the payee side.
The payer and payee communicate through their respective PSP apps; they never exchange raw account details. The NPCI switch translates VPAs to account-IFSC combinations, routes the instruction, and confirms settlement.
For detail on the issuer-bank role in UPI ASBA (the capital-markets application), see Payment Service Provider (PSP) bank .
Virtual Payment Address
A VPA takes the form localpart@handle, where the handle corresponds to a bank or third-party app registered with NPCI. Examples: username@okicici (PhonePe on ICICI Bank), username@ybl (PhonePe), username@paytm (Paytm Payments Bank), username@upi (BHIM). A single bank account can have multiple VPAs across different apps; a single VPA can be linked to one account at a time.
VPA registration is initiated through the PSP app. The user links a bank account by selecting it from a list retrieved via NPCI’s bank account inquiry API, then sets a UPI PIN using debit card credentials (last six digits of the debit card number and expiry date) and a one-time password sent to the registered mobile number.
Transaction flows
Push (pay) flow: The payer enters the payee’s VPA in their UPI app, specifies the amount and remarks, and confirms with a UPI PIN. The payer’s PSP routes the instruction to NPCI, which queries the payee VPA mapping and forwards a credit instruction to the payee’s PSP. The entire round-trip typically completes in under ten seconds. Funds are immediately available to the payee.
Pull (collect) flow: The payee’s PSP sends a collect request to the payer’s VPA. The payer receives a push notification, reviews the request (payee VPA, amount, remarks), and approves with a UPI PIN. The pull flow is the basis for the UPI mandate construct and for ASBA applications in capital markets.
Scan and pay (QR): The payee displays a QR code encoding their VPA and optionally a fixed amount. The payer scans the code through any UPI app, confirms the payee details, and authorises the payment. Both static (merchant) and dynamic (one-time) QR codes are supported.
Settlement
UPI uses multilateral net settlement across all member banks, batched at intervals defined by NPCI. The settlement is completed through the RBI’s RTGS system, ensuring finality. The individual transaction is credited in real time from the payee’s perspective, but the interbank settlement is net, not gross. NPCI guarantees settlement to the payee PSP; credit risk on individual payers is borne by the payer PSP.
Two-factor authentication
UPI authentication combines:
- Possession factor: the registered SIM card in the device (verified at VPA registration via SMS OTP to the mobile number on record with the bank).
- Knowledge factor: the UPI PIN, a four- or six-digit secret set by the payer and stored in hashed form at the payer’s bank. The PIN is never transmitted to NPCI or to the payee PSP; it is verified locally at the payer PSP and then confirmed cryptographically via NPCI’s SDK.
This two-factor structure means UPI payments are resistant to phishing scenarios where only account credentials are stolen, the attacker would also need the registered device. However, social engineering attacks (convincing a user to reveal their PIN and approve a collect request) remain the principal fraud vector.
UPI versions and product extensions
UPI 1.0 (2016)
The original specification supported push and pull transfers, VPA-based addressing, and basic QR-code payments. The per-transaction limit was initially set at one lakh rupees (subsequently raised).
UPI 2.0 (August 2018)
UPI 2.0 introduced several significant extensions:
- Mandate construct: A future-dated authorisation that allows a payer’s bank to pre-authorise a debit of up to a specified amount on a specified date or recurring schedule. See UPI mandate for the full lifecycle.
- Invoice in the inbox: Payees can attach an invoice to a collect request, allowing the payer to verify the bill before paying.
- Overdraft account linking: Customers can link an overdraft account in addition to a savings or current account.
- Signed intent and QR: Merchant QR codes can carry a digital signature, allowing the payer’s app to verify authenticity before displaying the payee details.
UPI Lite (2022)
UPI Lite introduced an on-device wallet for small-value offline transactions. A user loads up to 2,000 rupees into an on-device wallet; payments of up to 500 rupees per transaction can then be made without a UPI PIN or real-time bank connectivity. The on-device balance is debited locally and the NPCI settlement is batched. UPI Lite is designed to improve reliability in areas with intermittent connectivity and to reduce server load for low-value micropayments.
An extension, UPI Lite X (2023), allows UPI Lite transactions even when both payer and payee devices are offline, using near-field communication (NFC) or Bluetooth proximity exchange.
UPI 123Pay (2022)
UPI 123Pay extends UPI access to feature phones (non-smartphone handsets) through four interaction modes: interactive voice response (IVR), missed call, proximity sound-based payment, and app-on-feature-phone. The initiative targets the approximately 400 million feature phone users in India who had no prior path to UPI participation. Transaction limits are lower than standard UPI.
UPI One World (2023)
UPI One World allows foreign nationals visiting India to link a prepaid wallet to UPI without requiring an Indian bank account. The wallet is issued at the port of entry or through partner fintech firms and can be loaded with foreign currency converted to rupees. It is aimed at tourists and business travellers.
UPI Circle (2024)
UPI Circle (also called UPI Delegated Payments) allows a primary account holder to delegate limited UPI payment authority to a trusted secondary user (for example, a family member or household employee). The primary user defines spending limits and merchant categories; the delegate can initiate payments within those bounds. The primary user retains full visibility and revocation rights.
Transaction limits
Limits are set by NPCI and vary by category. As of 2025:
| Category | Per-transaction limit |
|---|---|
| Standard P2P and P2M | ₹1,00,000 |
| Capital markets (ASBA, mutual funds) | ₹5,00,000 |
| Insurance premium | ₹5,00,000 |
| Healthcare and education | ₹5,00,000 |
| IPO application mandate | ₹5,00,000 |
| Government and tax payments | ₹5,00,000 |
Banks and PSP apps may impose lower limits at the PSP or account level. RBI can revise category limits through circular; the capital-markets limit was raised from one lakh to two lakh in 2021 and to five lakh in 2023.
Comparison with other Indian payment rails
| Rail | Real-time | 24×7 | Minimum | Maximum | Primary use |
|---|---|---|---|---|---|
| UPI | Yes | Yes | ₹1 | ₹5,00,000 (category) | Retail P2P, P2M, ASBA |
| IMPS | Yes | Yes | ₹1 | ₹5,00,000 | Retail interbank transfer |
| NEFT | Near real-time (30-min batches) | Yes (2019 onwards) | ₹1 | No cap | Salary, vendor payments |
| RTGS | Real-time gross | Yes | ₹2,00,000 | No cap | Large-value interbank |
| Debit card | Near real-time | 24×7 | ₹1 | Bank-set | POS, e-commerce |
UPI subsumes most use cases that previously required IMPS, because UPI’s VPA addressing is simpler than IMPS’s account+IFSC or MMID schemes. NEFT remains the standard for payroll and recurring bulk disbursements where transaction volume is high but timing urgency is low. RTGS is used exclusively for high-value single transactions where gross settlement is necessary.
Participants and ecosystem
NPCI as the scheme operator
NPCI sets the UPI scheme rules, maintains the central switch, manages VPA namespace allocation, and certifies member PSPs. Membership is governed by a Product Implementation Circular. Banks pay NPCI a per-transaction interchange fee for switch services; since 2020 UPI P2P transactions have carried zero merchant discount rate (MDR).
Member banks and PSPs
As of late 2025, over 600 banks are live on UPI. Banks can participate as:
- PSP banks: Operate a UPI app or API and hold PSP certification from NPCI. They authenticate payers, route transactions, and bear liability for fraudulent transactions on their platform.
- Remitter/beneficiary banks only: Banks that allow accounts to be linked to UPI through other PSPs’ apps but do not operate their own UPI interface.
Third-party application providers (TPAPs) such as PhonePe, Google Pay and Paytm operate UPI apps under the sponsorship of a licensed PSP bank. PhonePe is sponsored by Yes Bank (and later ICICI Bank); Google Pay by Axis Bank and HDFC Bank; Paytm by Axis Bank. The TPAP is responsible for the app experience; the sponsor PSP bank is responsible for regulatory compliance and NPCI interface.
Market concentration
By 2022, two TPAPs, PhonePe and Google Pay, together accounted for approximately 80-85 per cent of UPI transaction volume. Paytm held roughly 10-13 per cent. BHIM, despite being government-sponsored, fell to less than 1 per cent of volume. NPCI introduced a market-share cap of 30 per cent per TPAP in January 2021, with a compliance deadline originally set for January 2023. The deadline was repeatedly extended; implementation remained contested as of 2025, because enforcement would require capping transaction volumes at the two dominant players.
International expansion
NPCI International (a wholly-owned subsidiary of NPCI established in 2020) handles cross-border UPI expansion through bilateral and multilateral frameworks.
Bilateral acceptance corridors
- Singapore: The Monetary Authority of Singapore and RBI enabled UPI-PayNow linkage in February 2023. Indian travellers to Singapore can make QR payments at merchants accepting PayNow; Singapore residents can receive UPI transfers from India.
- UAE: NPCI International and the UAE’s Magnati launched UPI acceptance at UAE merchant terminals in February 2022. The corridor was extended through the NEOPAY network in 2023.
- France and Europe: An acceptance agreement with Lyra Network (a French payment gateway operator) enabled UPI QR payments at select European merchants from 2023.
- Bhutan, Nepal, Mauritius, Sri Lanka, Malaysia, Bahrain, Oman: Varying degrees of UPI acceptance at tourist-facing merchant points, primarily through point-of-sale integrations operated by local banks partnered with NPCI International.
G20 and cross-border framework
India held the G20 presidency in 2023 and used that platform to advocate for UPI as a model for cross-border payment interoperability. The Financial Stability Board and BIS included UPI as a case study in fast payment system interoperability analysis. NPCI International is in active discussions with payment system operators in several African, Middle Eastern and South-East Asian markets for multilateral frameworks.
Zero MDR and the monetisation debate
The central policy controversy around UPI is the merchant discount rate. MDR is the fee charged to merchants for accepting card or digital payments, part of which flows to the payment network and part to the issuing bank. NPCI originally charged an MDR of 0.25-1.0 per cent on UPI merchant transactions.
The Finance Ministry directed NPCI to waive MDR on UPI P2P (person-to-person) and UPI P2M (person-to-merchant, below a threshold) transactions with effect from 1 January 2020. The waiver was implemented as a policy directive, not through a legislative change, and has been renewed annually since. The government compensates NPCI and member banks through a budget allocation (₹2,485 crore in 2022-23; the allocation has grown year-on-year).
The consequence is that UPI is free for end users and merchants but imposes a cost on the banking system that must be offset by government subsidy or absorbed as a cross-subsidy from other revenue lines. PSP banks and TPAPs have lobbied through industry bodies for a modest MDR restoration. The RBI and Finance Ministry have resisted, citing financial inclusion objectives. The sustainability of the zero-MDR model at 17 billion monthly transactions is an active policy debate.
Security model and fraud
Threat surface
The principal fraud vectors on UPI are:
- Collect request fraud: An attacker masquerades as a legitimate payee (bank, NPCI, government) and sends a collect request with a narrative that induces the victim to approve with PIN. UPI does not transfer money to anyone when a PIN is entered for an incoming collect request, approval of a collect request authorises a debit, not a credit, a distinction that fraudsters exploit through narrative confusion.
- SIM swap: An attacker obtains a SIM swap from the victim’s operator, recovers the UPI handle linked to the old SIM, and attempts to set a new UPI PIN using a stolen debit card. Countered by bank-level additional authentication for PIN reset.
- QR code spoofing: A static merchant QR code is replaced with the attacker’s VPA. Countered by signed QR codes under UPI 2.0.
- Screen sharing / remote access: Victims are tricked into installing remote-access apps (TeamViewer, AnyDesk) during fake customer-support interactions, allowing the attacker to capture PIN entry on screen.
Dispute resolution
The NPCI Dispute Resolution System (UMANG portal) allows a complainant to raise a transaction dispute within 30 days of the transaction. Disputes are classified as:
- Credit not received: Payer debited but payee not credited.
- Fraudulent transaction: Transaction not authorised by the account holder.
- Amount mismatch: Amount debited differs from amount agreed.
Resolution timelines are set by NPCI circular. The payer PSP is the first point of contact; escalation to the banking ombudsman (integrated under the RBI Integrated Ombudsman Scheme from November 2021) is available if the PSP does not resolve within the defined timeline.
Regulatory framework
UPI operates under:
- Payment and Settlement Systems Act, 2007 (PSS Act): The primary legislation governing payment system authorisation in India. NPCI operates UPI under a system authorisation granted by the RBI under this Act.
- Payment Aggregator and Payment Gateway Guidelines (RBI, March 2020): Apply to e-commerce platforms and payment aggregators that integrate UPI as a payment method.
- Master Direction on Prepaid Payment Instruments (RBI, 2017, as amended): Applies to wallet-linked UPI flows.
- RBI Circular on Charges in Payment Systems (August 2022): Formalised the zero-MDR position on UPI P2P and UPI P2M up to ₹2,000.
- SEBI Circular on ASBA (2019, 2022, 2023): Governs UPI ASBA for IPO applications, including the five-lakh per-transaction limit and mandate expiry rules.
For NPCI’s own governance structure and regulatory status, see National Payments Corporation of India (NPCI) .
Key milestones
| Date | Milestone |
|---|---|
| April 2016 | Public launch with 21 banks |
| August 2016 | First retail app integrations |
| December 2016 | BHIM app launched |
| August 2018 | UPI 2.0 and mandate construct introduced |
| January 2020 | Zero MDR on UPI P2P and small-ticket P2M |
| September 2020 | NPCI International incorporated |
| January 2021 | 30 per cent market-share cap for TPAPs announced |
| February 2022 | UPI acceptance live in UAE |
| September 2022 | UPI Lite and UPI 123Pay launched |
| February 2023 | UPI-PayNow bilateral linkage with Singapore |
| 2023 | UPI One World (foreign national wallet) launched |
| 2024 | UPI Circle (delegated payments) introduced |
| October 2025 | Monthly volume reaches approximately 17 billion transactions |
Operational reliability and uptime
SLA framework
NPCI publishes service level agreements that PSP banks and TPAPs must meet. Key SLAs include:
- Transaction response time: The end-to-end UPI transaction must complete (success or failure response returned to the initiating app) within 30 seconds. In practice, median transaction times are 3-7 seconds under normal load.
- Availability: The NPCI switch is required to maintain 99.9 per cent monthly availability. Planned maintenance windows are communicated to PSP banks in advance.
- Decline rate cap: PSP banks whose decline rates (transactions that fail due to technical reasons at the PSP, not due to insufficient balance or authentication failure) exceed a defined threshold are subject to penalties and corrective-action obligations.
Peak load management
IPO subscription windows, particularly for heavily anticipated issues, generate extraordinary UPI mandate volumes. During the Hyundai India IPO in October 2024, NPCI processed over 60 million mandate requests across a three-day subscription period. NPCI manages peak load through:
- Pre-issue capacity scaling communicated to PSP banks.
- Mandate request queuing at the switch level during sustained high load.
- Rate limits on individual PSP banks that exceed their allocated capacity.
Ordinary retail payment flows are segregated from capital-markets mandate flows at the switch level to prevent cross-contamination during peak IPO windows.
Failure classification
UPI transaction failures are classified into three categories:
- Technical declines: Failures caused by system errors, timeouts, or connectivity issues at the PSP bank, NPCI switch, or beneficiary bank. These do not result in funds movement and are reversible.
- Business declines: Failures caused by insufficient balance, blocked accounts, incorrect PIN, or exceeded transaction limits. These reflect a valid system response to a business condition.
- Deemed declines: Cases where the payer’s account has been debited but the payee has not received credit. These trigger automatic reversal under NPCI’s deemed settlement rules within a defined time window.
UPI in capital markets
UPI ASBA for IPO applications
The application of UPI mandates to IPO subscription is the most regulated use of the UPI platform. SEBI introduced UPI as a payment mechanism for retail ASBA applications in May 2019 (Circular SEBI/HO/CFD/DIL1/CIR/P/2019/62) and made it mandatory for retail individual investors from May 2022.
In the UPI ASBA flow:
- Retail investors apply through a broker, exchange platform, or RTA investor portal.
- The broker submits the bid to the exchange bidding system.
- The exchange instructs the issue’s sponsor bank to create a UPI one-time block mandate.
- The mandate is routed via NPCI to the investor’s PSP bank.
- The investor approves the mandate in their UPI app.
- The PSP bank places a lien on the bid amount.
- On allotment, the lien is converted to a debit for allotted shares.
The UPI mandate construct and the Payment Service Provider (PSP) bank role are central to this flow. The Self Certified Syndicate Bank (SCSB) retains relevance for HNI and QIB applications that use bank ASBA rather than UPI ASBA.
For the IPO-specific mandate lifecycle, see UPI 2.0 mandate explained .
Mutual fund SIPs
The Association of Mutual Funds in India (AMFI) integrated UPI mandates into the SIP (Systematic Investment Plan) registration process. An investor can set up a recurring UPI mandate for monthly SIP debits through any AMFI-registered mutual fund platform or broker. The asset management company’s collecting bank executes the mandate on each SIP date without requiring the investor to authenticate each debit. UPI-based SIP mandates coexist with the older NACH (National Automated Clearing House) mandate mechanism; both are valid.
Insurance premium collection
IRDA (Insurance Regulatory and Development Authority of India) permitted insurers to collect recurring premiums through UPI recurring mandates from 2020 onwards. The investor sets up a one-year or multi-year recurring mandate; the insurer’s collecting bank executes the debit on each premium due date.
Mobile application ecosystem
TPAP market structure
Third-party application providers (TPAPs) operate UPI apps under the sponsorship of licensed PSP banks. As of 2025, the principal TPAPs and their approximate market shares (by transaction volume) were:
| TPAP | Approximate share (2025) | PSP bank(s) |
|---|---|---|
| PhonePe | ~48% | Yes Bank; ICICI Bank |
| Google Pay | ~37% | Axis Bank; HDFC Bank |
| Paytm | ~8% | Axis Bank |
| BHIM | <1% | Multiple (government reference app) |
| Others (Amazon Pay, CRED, WhatsApp Pay, etc.) | ~6% | Various |
This level of concentration, two TPAPs controlling approximately 85 per cent of volume, prompted NPCI’s 30 per cent market-share cap announcement in January 2021. Implementation of the cap remained deferred as of 2025.
Bank-own UPI apps
Every major scheduled commercial bank also operates its own UPI app. SBI YONO, HDFC PayZapp, ICICI iMobile Pay, Axis Mobile, and Kotak 811 are among the most widely used. Bank-own apps are often preferred by users who want a tighter integration with their account management features (fixed deposits, loan repayments, account statements) and by users who prefer direct-bank push notification chains over TPAP middleware, particularly during IPO mandate approval windows.
UPI on feature phones: UPI 123Pay
The UPI 123Pay product, launched in 2022, extends UPI to non-smartphone users through:
- IVR (Interactive Voice Response): The user calls a dedicated IVR number, selects the payee VPA and amount using keypad input, and authenticates with a numeric UPI PIN.
- Missed call: The user makes a missed call to a registered merchant’s number and receives a callback with a payment confirmation prompt.
- Sound-based proximity payment: A sound-based cryptographic token is exchanged between the user’s feature phone and the merchant’s device.
- App-on-feature-phone: Simplified UPI client running on feature phones with limited display capabilities.
UPI 123Pay carries lower per-transaction limits than standard UPI and is restricted to a subset of use cases. It extends financial inclusion to the approximately 400 million feature phone users who previously had no UPI access.
UPI and financial inclusion
Jan Dhan integration
UPI’s launch coincided with the government’s Pradhan Mantri Jan Dhan Yojana (PMJDY) financial inclusion programme. Jan Dhan accounts, basic savings accounts for unbanked households, were linked to UPI through the AePS (Aadhaar-enabled Payment System) and later through standard UPI VPA registration. By 2025, over 500 million Jan Dhan accounts had been opened, a large proportion of which were linked to some form of digital payment.
Direct Benefit Transfer
The government’s Direct Benefit Transfer (DBT) scheme uses NPCI infrastructure (NACH for bulk disbursements, AePS for biometric authentication at banking correspondents) to transfer welfare payments directly to beneficiaries’ bank accounts. UPI provides a complementary channel for beneficiaries in urban and semi-urban areas to spend or transfer these disbursements.
Women and rural uptake
Data from NPCI and the RBI’s annual report on currency and finance indicate that UPI adoption in rural areas, while lower in absolute transaction counts than metropolitan areas, grew faster proportionally between 2020 and 2025. The availability of UPI 123Pay and UPI Lite (for areas with intermittent connectivity) specifically targeted the geographic and income segments where traditional smartphone UPI faced barriers.
Privacy and data
Transaction data held by NPCI
NPCI processes and stores UPI transaction metadata (VPA, timestamp, amount, transaction ID) at the central switch. NPCI’s privacy policy limits use of this data to settlement, fraud monitoring, and regulatory reporting. Actual account-holder identity is mapped at the PSP bank level; NPCI’s switch sees VPAs, not names or account numbers.
TPAP data practices
TPAPs collect additional data beyond what NPCI sees: device identifiers, location data (if permissions granted), transaction history within the app, and linked merchant categories. PhonePe and Google Pay have each been the subject of data localisation debates with the Indian government. Both companies maintain India-resident servers in compliance with RBI’s data localisation circular (April 2018, requiring that all payment data relating to India be stored within India).
Data for financial services upsell
Commercial TPAPs use anonymised transaction data to offer credit products (buy-now-pay-later, pre-approved personal loans) to users. This creates a tension between data minimisation principles and the commercial sustainability model of TPAPs that operate UPI for zero direct revenue.
Comparison with global fast payment systems
UPI is frequently compared with similar national real-time payment systems in other jurisdictions:
| System | Country | Launch | Settlement model | Monthly volume (2024-25) |
|---|---|---|---|---|
| UPI | India | 2016 | Multilateral net | ~17 billion (Oct 2025) |
| PIX | Brazil | 2020 | Instant gross | ~4-5 billion |
| FPS | United Kingdom | 2008 | Multilateral net | ~400 million |
| PayNow | Singapore | 2017 | Multilateral net | ~80-100 million |
| Zelle | United States | 2017 | Bank-level gross | ~2-3 billion |
| SEPA Instant | Eurozone | 2017 | Gross (per transaction) | ~1-2 billion |
UPI’s scale significantly exceeds that of comparable systems in developed markets, driven by India’s large population, smartphone penetration, and the absence of established credit-card infrastructure for a large portion of the population.
Controversies and criticism
Zero MDR sustainability
The zero-MDR mandate is widely regarded as the central commercial tension in the UPI ecosystem. PSP banks and TPAPs cannot charge merchants for UPI transactions, which means the cost of operating and investing in the payment infrastructure must be recovered from other sources. Critics argue that:
- The zero-MDR model creates perverse incentives: PSPs and TPAPs have no commercial incentive to invest in reliability, fraud prevention, or new features beyond the minimum required by NPCI.
- The government subsidy (approximately ₹2,500-3,000 crore per year) is insufficient to cover the actual infrastructure cost at scale.
- The model disadvantages domestic payment operators relative to credit-card networks (which do charge MDR) and makes it difficult for new entrants to build commercially viable businesses on UPI.
Proponents of zero MDR argue that MDR on small-value transactions would disproportionately burden small merchants and would reverse the financial inclusion gains achieved by making digital payments universally accessible.
Market concentration risk
The concentration of 85 per cent of UPI volume in two TPAPs (PhonePe and Google Pay) creates systemic risk: an outage or security incident at either TPAP would affect the majority of the UPI ecosystem. The 30 per cent market-share cap was designed to address this but has been deferred repeatedly due to the practical difficulty of capping volume at operational TPAPs without disrupting users.
Interoperability with credit
UPI originally operated only on debit (bank account-linked transfers). The introduction of UPI-linked credit products, UPI-linked credit cards (RuPay credit cards on UPI) and credit-line-on-UPI, extended the reach of formal credit to UPI transactions. However, this raised concerns about:
- Regulatory perimeter: whether UPI credit-line products require NBFC or bank licensing for the credit facility.
- Consumer protection: whether the ease of UPI credit access increases household debt stress.
- MDR: credit card transactions typically carry MDR; the extension to UPI credit transactions created inconsistency in the zero-MDR framework.
Fraud trends
As UPI volumes have scaled, so have social engineering fraud incidents. The NPCI and RBI have published repeated consumer awareness advisories. Reported UPI fraud amounts grew from approximately ₹1,000 crore in 2021-22 to over ₹2,000 crore in 2023-24 (RBI Annual Report figures), though as a percentage of total transaction value, the fraud rate remained below 0.01 per cent.
Related articles
- NPCI
- UPI mandate
- UPI 2.0 mandate explained
- BHIM app
- Payment Service Provider (PSP) bank
- Self Certified Syndicate Bank (SCSB)
- How to approve a UPI mandate for an IPO application
- ASBA
- IMPS
References
- NPCI, Unified Payments Interface, Product Overview, https://www.npci.org.in/what-we-do/upi/product-overview (accessed May 2026).
- Reserve Bank of India, Annual Report on Currency and Finance 2023-24, Chapter 4, Payment and Settlement Systems.
- NPCI, UPI Monthly Product Statistics, October 2025, https://www.npci.org.in/what-we-do/upi/upi-ecosystem-statistics .
- RBI Circular RBI/2020-21/35, Merchant Discount Rate (MDR) on transactions through UPI and RuPay, July 2020.
- SEBI Circular SEBI/HO/CFD/DIL2/CIR/P/2022/45, Streamlining of Application Process in Public Issues, UPI Mechanism, April 2022.
- NPCI, UPI 2.0 Product Specification, August 2018.
- BIS-CPMI, Achieving Greater Convergence in Payments, Report, July 2022 (includes UPI as a case study).
- Ministry of Finance, Budget Speech 2023-24, Allocation for Digital Payments Incentive Scheme.
- RBI, Monetary Policy Report, April 2023, Section 4.3, Payment System Developments.
- NPCI International, Press Release: UPI-PayNow Bilateral Linkage, February 2023.