On May 21, 2025, IND NPC issued Guidelines on usage of UPI API; UPI members must regulate API usage to control transaction volume and ensure system performance.
Explicit consent, regulatory compliance are required for penny drop, validation APIs.
Restrict non-customer-initiated calls during peak hours (10am-1pm, 5pm-9:30pm).
Only specific API headers are allowed; non-compliant requests will be blocked.
In addition, payment service providers (which are also referred to as PSPs) must queue system-initiated API calls, submit undertaking to NPC by Aug. 31, 2025.
Annual audits by Cert-In auditors are mandatory; IND NPC said first report due Aug. 31, 2025; members must comply by Jul. 31, 2025 or alternatively face penalties.
On May 12, IND NPC issued circular re check transaction usage in UPI.
IND NPC issued circular re situation resulting from initiation of high number of check transaction status APIs by PSP banks at very high transactions per second (TPS) rate.
Ensures UPI system operates per ecosystem expectations with guide for UPI members.
Document dated Apr. 26, 2025, received from IND NPC May 12, summarized May 14.
Outline of Circular
PSP banks/acquiring banks must monitor and moderate all API requests (traffic) sent to UPI in terms of appropriate usage, including restricting high number of repeat APIs for same or older transactions; no batch processing by processing file and converting.
Namely, converting to online request at high TPS of any non-financial APIs sent to UPI online systems; must initiate first check transaction status API after 90 seconds.
From initiation/authentication of original transaction; after timers are changed, members may initiate same after 45 to 60 seconds of initiation/authentication.
Check Transaction Limits
May initiate maximum of 3 check transaction status APIs, preferably within 2 hours from initiation/authentication of original transaction; in case of U48 error (transaction ID not present or not found in UPI system) within first two hours from initiation.
Alternatively, members may initiate maximum of one check transaction status API on unified dispute and issue resolution which checks UPI back office to fetch final status.
Error Handling, Oversight
PSP banks/acquiring banks shall consider transaction failed if they receive error from list mentioned in Annexure 1; shall not initiate further check transaction status API.
PSP banks/acquiring banks shall audit systems by CERT-In empaneled auditor on immediate basis to review API usage and existing systems behavior, annually after.
Remitter bank/PSP shall have visibility over specific UPI APIs and responsible for regularly reviewing usage; any exceptions or anomalies observed to be reported.
Enforcement
IND NPC may consider implementing rate limiters on select UPI APIs in consultation with steering committee and subject to other approvals; stand-alone use of APIs for purposes other than intended is prohibited unless approved per UPI operating rule.
Members requested to comply with guidelines at earliest; failure may attract penalties.
Effectiveness
The circular is effective immediately, i.e., from Apr. 26, 2025.
May 21, 2025 API Usage Guidelines
On May 21, 2025, IND NPC issued Guidelines on usage of UPI API; UPI members must regulate API usage to control transaction volume and ensure system performance.
Explicit consent, regulatory compliance are required for penny drop, validation APIs.
Restrict non-customer-initiated calls during peak hours (10am-1pm, 5pm-9:30pm).
Only specific API headers are allowed; non-compliant requests will be blocked.
In addition, payment service providers (which are also referred to as PSPs) must queue system-initiated API calls, submit undertaking to NPC by Aug. 31, 2025.
Annual audits by Cert-In auditors are mandatory; IND NPC said first report due Aug. 31, 2025; members must comply by Jul. 31, 2025 or alternatively face penalties.
