UPI Apps Now Require User Consent for Seeding or Porting UPI Numbers: NPCI

The National Payments Corporation of India (NPCI) has issued an addendum to its earlier circular NPCI/UPI/OC-115/2021-22, reinforcing guidelines for implementing Numeric UPI IDs. This directive aims to enhance interoperability and user convenience in UPI-based transactions. Compliance with these new regulations is mandatory for all UPI member banks, payment service providers (PSPs), and third-party application providers (TPAPs) before March 31, 2025.

Implementation of Mobile Number Revocation List (MNRL) and Digital Intelligence Platform (DIP)

NPCI has emphasized the importance of using the Mobile Number Revocation List (MNRL) and Digital Intelligence Platform (DIP) by banks and PSPs. These measures ensure that mobile numbers that are recycled or reassigned are accurately reflected in databases, reducing transaction errors caused by outdated user information.

Key Requirements for Banks and PSPs:

• Banks and PSPs must update their databases weekly using MNRL and DIP.

• The goal is to prevent incorrect transactions due to outdated mobile numbers.

• This measure enhances accuracy and security in UPI transactions.

User Consent for Seeding or Porting UPI Numbers

A crucial aspect of the directive is obtaining explicit user consent before seeding or porting UPI Numbers.

Consent Collection Guidelines:

• UPI applications must obtain clear user consent.

• The default option should be "unchecked," requiring users to manually opt-in.

• Consent collection should be transparent, without misleading or forceful messaging.

Restrictions on Consent Timing

NPCI has also imposed restrictions on when users can be asked for consent.

Key Restrictions:

• Users cannot be prompted to provide consent before or during a transaction.

• Communication about seeding or porting must not mislead users into believing they will stop receiving payments if they do not act.

• Transparency must be maintained throughout the process.

Fallback Measures for NPCI Mapper Response Delays

In cases where NPCI’s mapper response time does not meet the required standards, PSPs are permitted to resolve UPI numbers locally. However, such occurrences must be documented and reported to NPCI.

Fallback Reporting Requirements:

• PSPs must report all instances of local UPI number resolution to NPCI monthly.

• Reports should detail the frequency and nature of the issue.

• This ensures that NPCI can monitor and address potential system inefficiencies.

Mandatory Monthly Reporting from April 1, 2025

Starting April 1, 2025, all PSPs and UPI applications must submit monthly reports to NPCI. These reports will provide critical insights into the functioning and compliance of UPI number seeding and transactions.

Reporting Requirements:

• Total number of UPI number seedings.

• Active users registered on the NPCI mapper.

• Total UPI transactions processed.

• Number of locally resolved transactions.

• Total deregistered UPI numbers.

• Submission of raw transaction data to NPCI.

Impact on Digital Payment Security and User Experience

NPCI’s updated directive is focused on enhancing security and efficiency in digital payments. By ensuring transparent user consent, frequent database updates, and robust reporting mechanisms, the new guidelines aim to provide a seamless transaction experience for UPI users.

Benefits for Users and Stakeholders:

• Users: Enhanced security and transparency in UPI transactions.

• Banks & PSPs: Improved compliance, reduced transaction errors.

• NPCI: Better oversight and monitoring of the UPI ecosystem.

Compliance Deadline and Further Information

Stakeholders must implement these guidelines before March 31, 2025, to ensure compliance with NPCI’s regulations. Failure to comply could result in penalties or operational restrictions.

For more details and official guidelines, stakeholders can visit the NPCI website at www.npci.org.in.