NPCI seeks third-party audit to limit UPI transaction status checks by banks

NPCI issues circular to ensure banks follow its guidelines

The National Payments Corporation of India has asked banks to immediately ensure that they have implemented measures to limit the ‘check transaction’ API usage for UPI transaction status, a circular issued on April 26 said.

The relentless transaction status checks by banks had fuelled the April 12 UPI outage for five hours, the longest in over three years, NPCI had said earlier this month.

“Banks shall audit their systems by CERT-in empanelled auditor on an immediate basis, to review the API usage and existing systems behaviour, and annually hereafter,” NPCI said in the circular.

NPCI runs the country’s most popular digital payments platform, UPI. Application Programming Interface (API) is a technology solution that helps two different software applications communicate.

“Banks shall initiate the first check transaction status API after 90 seconds from the initiation/authentication of the original transaction. Members may initiate the same after 45 to 60 seconds of the initiation/authentication of the original transaction,” NPCI said in the circular.

NPCI has also mandated that banks can initiate a maximum of three check transaction status APIs, preferably within two hours from the initiation/authentication of the original transaction.

As per NPCI operating circulars, the ‘Check Transaction’ API call needs to be used only once in the interval of 90 seconds. Since this was the bank’s responsibility, NPCI did not set a rate limiter at its firewall to stop API calls beyond three requests.

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on a set of rules.

NPCI said that it was also considering implementing rate limiters on select UPI APIs in consultation with the steering committee after obtaining other required approvals in due course.

Banks check whether a transaction was successful or not when they do not get a response from the customer’s beneficiary bank. This could be because the beneficiary bank’s server might have been down, and it could not respond to a transaction success check request from a PSP bank.

A payment service provider (PSP) bank is the UPI app’s banking partner that connects them with the NPCI system. If the PSP bank does not get a response, it tends to check for the transaction success status repeatedly at a fixed time interval so that it can decide whether it should start processing more payments.

On April 28, Finance Minister Nirmala Sitharaman chaired a high-level meeting to review the UPI ecosystem with a focus on strengthening infrastructure, scaling operations, and expanding global reach.

The Finance Minister set an ambitious goal of reaching one billion daily UPI transactions within the next two to three years.

Senior officials from the Finance Ministry, Reserve Bank of India (RBI), and NPCI were present, including Finance Secretary Ajay Seth, DFS Secretary M Nagaraju, RBI Executive Director Vivek Deep, and NPCI MD & CEO Dilip Asbe.

The meeting focused on strengthening UPI's resilience, scalability, and real-time monitoring to maintain uninterrupted services and build user confidence. Finance Minister Sitharaman highlighted the need to quickly address infrastructure shortcomings, bolster cybersecurity measures, and elevate the overall user experience.

UPI faced four outages in three weeks, and while a couple of those were due to banking system overload, two happened because of technical issues at NPCI. The institution has attributed the March 26 outage to a hardware glitch.

There are around 40 crore unique UPI users in India and around 83 percent of all digital transactions happen through the real-time payment system.

UPI registers more than 550 million transactions on average every day and between 17-18 billion transactions a month. Unlike cards, which bunch up payments and use end-of-the-day settlement, UPI is a real-time payment system with the sender and receiver changing money instantly. Hence, continuous uptime is even more important and challenging for NPCI.

Every single one of these payments passes through NPCI switches and these transactions put pressure on the banking system. Around 86 percent of all UPI transactions were below Rs 500. The core banking solutions (CBS) of the banks are not meant to facilitate 500 million microtransactions in a day.