Context:
The National Payments Corporation of India (NPCI) has issued a circular to strengthen its supervisory framework over Unified Payments Interface (UPI) operations. This follows a root cause analysis of a recent outage that revealed excessive API calls by banks as the cause of core network stress.
Key Measures Introduced
- NPCI has outlined operational guidelines for 10 critical APIs linked to UPI.
- These APIs handle operations such as:
  - Check transaction status
  - Balance enquiry
  - Autopay mandate execution
  - Account detail verification
Compliance Requirements
- Payment Service Providers (PSPs) and acquiring banks must:
  - Monitor and moderate their API usage.
  - Adhere to API rate limits to prevent overload.
  - Implement guidelines by July 31, 2025.
- System audits must be conducted by a CERT-In empanelled auditor and submitted by August 31, 2025.
- These audits will now be mandatory annually.
Rate Limiting and Timing Rules
- NPCI may impose rate limiters on API call frequency.
- It has mandated low-traffic execution windows for certain APIs like mandate execution.
- Defined peak hours:
  - 10:00 AM – 1:00 PM
  - 5:30 PM – 9:30 PM
- API timing update:
  - “Check transaction status” API can now be triggered after 45–60 seconds, compared to 90 seconds previously.
Enforcement and Penalties
- Non-compliance may lead to:
  - API restrictions
  - Penalties
  - Suspension of new customer onboarding
  - Any other measure deemed appropriate by NPCI





