India has always been inclined towards cash transactions. However, with constant developments in technology, the growing use of smartphones, wider access to the internet, the ‘Digital India’ campaign, and the consistent support of the regulatory authority, the Reserve Bank of India (“RBI”), which encouraged development in the initial years and acted as catalyst and facilitator in later years, the digital payment system in India is witnessing tremendous growth.
India is heading towards a cashless economy and a number of innovative technologies in the payments sector such as the introduction of the Unified Payment Interface (“UPI”) have led the people to change their preference from cash to digital means.
The Government of India and the FinTech sector are revolutionizing the digital payment system in India. Further, financial institutions and other financial service providers are entering the field, which makes it essential to have specific and effective guidelines to regulate it.
Therefore, in order to further the aim of making India a cashless economy, the RBI, with the help of the National Payments Corporation of India (“NPCI”) and the Indian Banks’ Association (“IBA”), introduced procedural guidelines for UPI under the provisions of the Payment and Settlement Systems Act, 2007.
The digital revolution has taken the world by storm. No other sector has witnessed a metamorphosis as has been seen in the payment and settlement arena, resulting in a plethora of payment options for the consumer.
According to the RBI Digital Payments Index of 2021, the index for September 2021 has increased to 304.06 as opposed to that of 207.84 for March 2020, which is mainly facilitated by the rapid increase in the use of Unified Payment Interface (UPI).
In this article, we discuss what UPI is, how it differs from other platforms, its framework, the roles and responsibilities of its participants, and how it acts as a catalyst in shaping the future of payments in India.
UPI is considered a game-changer in the digital payment scenario currently present in the country. It is a real-time, interoperable system that acts as a common platform for all digital payments. Any person with a bank account can use UPI to transfer money through his phone from one bank account to another user without payment of any transaction fees.
HOW IT WORKS
HOW IT IS DIFFERENT FROM OTHER PAYMENT PLATFORMS
- Unlike Internet Banking, there is no fee levied on transactions through UPI
- Under this mechanism, sensitive information such as the account holder’s name and account number is not shared with the counterparty: a Virtual Payment Address (“VPA”) is created and used to undertake the transaction instead.
- Unlike Digital Wallets, which act as an intermediary, under this mechanism the money is directly transferred to and from the bank accounts of the Payer and the Payee.
- UPI has a robust and secure mechanism as it uses a two-factor authentication process, including a PIN and biometrics, to complete a transaction.
- Most digital payment systems only support “Push” transactions, while UPI supports both “Push” and “Pull” transactions. Push transactions let a user pay or send money; Pull transactions let a user request (collect) money from a payer.
In India, the responsibility of managing payment systems is entrusted to the RBI. Keeping in mind the importance of robust and appropriate regulation for the development of not only the financial system but also the payment system, the RBI introduced the Payment and Settlement Systems Act, 2007 (“PSS Act”) under Section 38 of the Reserve Bank of India Act, 1934.
The PSS Act acts as uniform legislation that specifically deals with the Digital Payment system in India. Further, the RBI and the Board for Regulation and Supervision of Payment and Settlement Systems regulate the Digital Payment system in India. Therefore, any rules, regulations, guidelines, or by-laws framed by RBI or any other body for UPI transactions, derive power from this legislation itself.
A. NPCI Guidelines for UPI
In order to facilitate and route safe transactions via UPI, the NPCI has framed exhaustive guidelines, derived from the Payments and Settlements Systems Act. These guidelines work as a prescription for all the companies that use or want to use UPI transactions in their businesses. It aims to simplify and provide a single interface across all NPCI systems besides creating interoperability and superior customer experience.
B. Entities in UPI
The UPI mechanism works on two-, three- and four-party models. In the present mechanism a maximum of four entities can participate to facilitate a transaction: the first two are the Payer Payment Service Provider (“Payer PSP”) and the Payee Payment Service Provider (“Payee PSP”), which provide the interface through which the customer or merchant uses the UPI mechanism, and the other two are the Remitter Bank and the Beneficiary Bank, which facilitate the transfer of funds.
1. Payer PSP
This Entity will allow the Consumer or Merchant to create his/her UPI ID, on their device, through which they will be able to approve a Financial Transaction or Non-Financial Transaction by entering the UPI Pin created by them. In this mechanism, the device used for transactions will be considered as the first factor for authentication.
2. Payee PSP
This entity allows the consumer or merchant to create his/her UPI ID on their device, through which they can receive money on the allocated UPI ID or send a collect request to the person from whom money is due.
3. Remitter Bank
This is the entity that acts as the bank with which the Payer is registered, for financial as well as non-financial transactions. This entity therefore requires the Payer to hold a bank account with it, so that when the Payer uses the UPI mechanism to transfer money, the account registered with the bank is debited.
4. Beneficiary Bank
This is the entity that acts as the bank with which the Payee is registered, for financial as well as non-financial transactions. This entity therefore requires the Payee to hold a bank account with it, so that when a person transfers money to the Payee through the UPI mechanism, it is credited to the bank account registered with UPI.
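The four-party model above, together with the VPA and two-factor points made under “How it is different from other payment platforms”, can be illustrated with a small simulation. The following is an added example written for this article; it is not NPCI or any PSP’s code, and the switch, the PSP handles (`payerpsp`, `payeepsp`), the account numbers, balances, device IDs and PINs are all constructed. It models the device as the first factor (checked by the Payer PSP), the UPI PIN as the second factor (checked by the Remitter Bank, stored only as a salted hash), a push payment, and a pull (collect) request that moves no money until the payer approves it. The payee’s account number is resolved only inside the Payee PSP, so the payer never learns it.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Bank:
    """Remitter or Beneficiary Bank: holds accounts and verifies the UPI PIN (second factor)."""
    name: str
    balances: dict[str, int] = field(default_factory=dict)       # account no. -> balance in paise
    pin_records: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)

    @staticmethod
    def _hash_pin(salt: bytes, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def open_account(self, account: str, balance: int, upi_pin: str) -> None:
        salt = os.urandom(16)
        self.balances[account] = balance
        self.pin_records[account] = (salt, self._hash_pin(salt, upi_pin))  # raw PIN is never stored

    def verify_pin(self, account: str, pin: str) -> bool:
        salt, stored = self.pin_records[account]
        return hmac.compare_digest(stored, self._hash_pin(salt, pin))


@dataclass
class PSP:
    """Payer/Payee PSP: maps a VPA to (bank, account) and binds it to a device (first factor)."""
    handle: str
    vpa_directory: dict[str, tuple[Bank, str]] = field(default_factory=dict)
    devices: dict[str, str] = field(default_factory=dict)

    def create_upi_id(self, vpa: str, bank: Bank, account: str, device_id: str) -> None:
        self.vpa_directory[vpa] = (bank, account)
        self.devices[vpa] = device_id

    def device_is_registered(self, vpa: str, device_id: str) -> bool:
        return hmac.compare_digest(self.devices.get(vpa, ""), device_id)


class Switch:
    """Hypothetical stand-in for the NPCI central switch routing between PSPs and banks."""
    def __init__(self) -> None:
        self.psps: dict[str, PSP] = {}
        self.pending_collects: dict[str, tuple[str, str, int]] = {}

    def _psp_for(self, vpa: str) -> PSP:
        return self.psps[vpa.split("@", 1)[1]]   # VPA handle selects the PSP

    def pay(self, payer_vpa: str, device_id: str, pin: str, payee_vpa: str, amount: int) -> str:
        """Push transaction: payer sends money to the payee's VPA."""
        payer_psp = self._psp_for(payer_vpa)
        if not payer_psp.device_is_registered(payer_vpa, device_id):
            return "rejected: unregistered device"      # first factor fails at the Payer PSP
        remitter_bank, payer_acct = payer_psp.vpa_directory[payer_vpa]
        if not remitter_bank.verify_pin(payer_acct, pin):
            return "rejected: bad UPI PIN"              # second factor fails at the Remitter Bank
        if remitter_bank.balances[payer_acct] < amount:
            return "rejected: insufficient funds"
        # Only the Payee PSP resolves the payee VPA; the payer never sees the account number.
        beneficiary_bank, payee_acct = self._psp_for(payee_vpa).vpa_directory[payee_vpa]
        remitter_bank.balances[payer_acct] -= amount
        beneficiary_bank.balances[payee_acct] += amount
        return "success"

    def collect(self, payee_vpa: str, payer_vpa: str, amount: int) -> str:
        """Pull transaction: payee raises a collect request; funds move only on payer approval."""
        request_id = f"COLLECT-{len(self.pending_collects) + 1:04d}"
        self.pending_collects[request_id] = (payer_vpa, payee_vpa, amount)
        return request_id

    def approve_collect(self, request_id: str, device_id: str, pin: str) -> str:
        payer_vpa, payee_vpa, amount = self.pending_collects[request_id]
        result = self.pay(payer_vpa, device_id, pin, payee_vpa, amount)
        if result == "success":
            del self.pending_collects[request_id]
        return result


def run_demo() -> dict:
    """Constructed scenario: two PSPs, two banks, one push payment and one collect request."""
    remitter, beneficiary = Bank("RemitterBank"), Bank("BeneficiaryBank")
    remitter.open_account("ACC-PAYER-001", 100_000, "4321")      # Rs 1,000.00; constructed PIN
    beneficiary.open_account("ACC-PAYEE-001", 0, "8765")
    payer_psp, payee_psp = PSP("payerpsp"), PSP("payeepsp")
    payer_psp.create_upi_id("alice@payerpsp", remitter, "ACC-PAYER-001", "device-A")
    payee_psp.create_upi_id("shop@payeepsp", beneficiary, "ACC-PAYEE-001", "device-S")
    switch = Switch()
    switch.psps = {"payerpsp": payer_psp, "payeepsp": payee_psp}

    results = {}
    results["push"] = switch.pay("alice@payerpsp", "device-A", "4321", "shop@payeepsp", 25_000)
    rid = switch.collect("shop@payeepsp", "alice@payerpsp", 10_000)
    results["pull_wrong_pin"] = switch.approve_collect(rid, "device-A", "0000")
    results["pull_wrong_device"] = switch.approve_collect(rid, "device-X", "4321")
    results["pull_approved"] = switch.approve_collect(rid, "device-A", "4321")
    results["payer_balance"] = remitter.balances["ACC-PAYER-001"]
    results["payee_balance"] = beneficiary.balances["ACC-PAYEE-001"]
    results["pending_collects"] = len(switch.pending_collects)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two rejections in the collect flow show where each factor is checked: the device binding is a PSP-side decision, while the PIN is verified by the bank that will debit the account, so a compromised PSP app alone cannot authorise a debit.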
C. Models in UPI
There are two models for third parties in UPI:
1. Model Dependent on Bank Architecture
In this model, the bank connects with NPCI through NPCI NET and routes the specific transaction for each merchant. The merchant will interact with the bank network through a secure medium as per the bank’s internal policy.
This architecture supports both Collect and Pay requests. In this model, the complete liability lies with the bank/PSP and cannot be outsourced to any other entity. Under it, there are five NPCI-approved models for entering the UPI ecosystem:
I. Single PSP Model (SDK or Software Development Kit)
In this model, the bank shares the Common Library (CL) in a secured wrapper within the PSP SDK. Once the common library is shared, the PSP bank’s SDK integrated into the app connects to the bank’s PSP server over secure channels for UPI-related functions.
Further, if a bank is engaged in deep integration with a third-party app provider, it must note what type of Data is required.
II. Multiple Bank Model (API Approach)
In this model, a large merchant (third party app provider) with access to a large customer base partners with a multi-bank PSP.
Here, the third party connects to the UPI network through the PSP, and to integrate the third-party app provider, NPCI provides the Common Library (“CL”) on behalf of the PSP bank. The app then connects to the PSP system through the third-party provider using an API over a secure channel.
To initiate this arrangement, the third-party provider provides details to the NPCI of the names of the participating banks (maximum 5), the existing user database, and the volume commitment.
III. Service App Model [Using Remote Procedural Call (“RPC”)]
In this model, RPC helps a merchant integrate easily with any PSP/UPI-compliant app. The client-server architecture is a deep integration between the merchant app and the PSP app. The service app should therefore be hosted within the bank’s premises, and a TSP may provide the technology solution.
Further, the merchant app interacts with the app on the mobile device, partners with an acquiring PSP, and obtains the secret keys needed to interact with the PSP apps.
In this model, interoperability is necessary and the customer should not be forced to create a UPI ID. The liability in these transactions lies with the UPI-compliant/service app containing the Common Library, as it is called by the merchant app. In this model the merchant app is the client and the service app acts as the server.
IV. Web/Mobile Application Based Collect
The Merchant/ Third Party App interacts with the PSP infrastructure to collect payment through UPI. The customer uses the Merchant App/Website for making payments. The customer selects the payment mode as UPI and enters his id, which will initiate a collect request and the user authorizes the payment.
V. QR/ Intent Based Model
In this model, a unique transaction number is generated when the merchant interacts with the PSP app, and thereafter a QR/Intent request is initiated by the merchant on its website/app. The user can then choose among all the UPI-compliant apps displayed and proceed with the payment.
2. Model Independent of Bank Architecture
In this model, a third party can connect to the NPCI UPI central switch subject to the following conditions:
- The third-party processor should have NPCI internet connectivity for other products of NPCI.
- The permitted transactions under this model are only Collect Requests.
- MCC (Merchant Category Codes) Mapping is done according to the nature of the business of the merchant and it has to be approved by the sponsor bank.
- The third party should not initiate the pre-approved debit or pay request transactions. It has to get certified by NPCI and has to submit audit reports.
D. Attaining Membership for operating UPI as a payment method
1. Membership Requirements
a.) In order to operate as a Payment Service Provider (PSP), the service provider should be an entity regulated by the Reserve Bank of India under the Banking Regulation Act, 1949.
b.) The service provider must also be authorized by the Reserve Bank of India, for providing mobile banking services.
c.) The member should comply with guidelines provided by NPCI, like certification, efficiency and risk mitigation, etc.
d.) It must ensure that while the bank’s technology platform can be outsourced, its functions as a Payment Service Provider cannot be outsourced.
e.) It must also provide an audit report for the Data Center & PSP App by an auditor equivalent to Certified Information Systems Auditor (“CISA”).
f.) Additionally, the provider must also provide a declaration stating that it has fulfilled the following:
- All the terms and conditions of Unified Payments Interface Procedural Guidelines & Circulars, notifications, directions issued by NPCI from time to time.
- All guidelines issued by relevant authorities from time to time with respect to payment system operations.
- AML/KYC guidelines, other stipulations of RBI, as well as guidelines of NPCI issued from time to time.
2. Discontinuance of Membership
UPI Membership of any Service Provider can be ended in two ways:
a.) Cessation of Membership
- Cancellation of its bank licence by the Reserve Bank of India.
- When it suspends payment of its debts.
- When it ceases to continue its business or goes into liquidation.
- When it is put into a moratorium or prohibits any fresh deposit.
b.) Termination of Membership
- When it fails to comply with or violates the NPCI or UPI guidelines.
- When it commits a breach of such guidelines that remains unresolved for 30 days after notice is given.
- When its Real-Time Gross Settlement (RTGS) account with the Reserve Bank of India is either frozen or closed.
- It is amalgamated or merged with another bank.
- The Mobile Banking Approval by the Reserve Bank of India is either suspended or canceled.
3. Process of Suspension of the UPI Membership
a.) The NPCI provides a written reason for the suspension of membership of the PSP.
b.) The NPCI can terminate the membership with immediate effect or after a specified period, depending upon the reason for the termination.
c.) When the membership is terminated with immediate effect, the member is given an opportunity to appeal and a post-decisional hearing within thirty days.
d.) If the violation is capable of cure within thirty days and the member succeeds in implementing such a cure, the termination or suspension will not take effect. The member must also diligently pursue such a cure to completion within sixty days of the notice of violation.
e.) After the termination or suspension is revoked, the membership of the entity is not restored automatically; it must submit a fresh application following such revocation.
4. Procedure of Withdrawal of Membership
If any PSP wishes to withdraw its membership, it must:
a.) submit a letter of withdrawal stating the reason for withdrawal, giving notice of at least 90 days.
b.) From the date of receipt of the notice of withdrawal, UPI will take fifteen days to process the request.
c.) After ninety days of the date of withdrawal, the amount deposited with NDC would be refunded to the entity with the settlement of all dispute amounts, if any.
d.) UPI would inform all the members of this withdrawal so that they can settle any amounts pending among themselves.
ROLES AND RESPONSIBILITIES OF ENTITIES OF UPI
A. Roles and Responsibilities of NPCI
- It has the power to frame rules, regulations, guidelines, and the respective roles, responsibilities, and liabilities of the participants, with respect to UPI. This also includes transaction processing and settlement, dispute management, and clearing cut-offs for settlement.
- The participation of Issuer Banks, PSP Banks, Third-Party Application Providers (TPAP), and Prepaid Payment Instrument issuers (PPIs) in UPI is approved by NPCI.
- It has the responsibility to provide a safe, secure, and efficient UPI system and network in the country.
- It also provides online transaction routing, processing, and settlement services to members participating in UPI.
- It has the power to conduct audits on UPI participants and call for data, information, and records, in relation to their participation in UPI.
- It also provides the banks participating in UPI access to a system where they can download reports, raise chargebacks, update the status of UPI transactions, etc.
B. Role and Responsibilities of Payment Service Providers (PSP)
Payment Service Providers are the entities that provide front-end applications to the customers for payment and must be authorized by RBI for mobile banking services. They are regulated by RBI under Banking Regulation Act 1949. Regardless of the bank where the account is, the customer has the freedom to choose which application to download and use.
- Data security and integrity are the PSP/Bank’s responsibility even when the TSP is outsourced. Therefore, PSPs must observe due diligence while deciding upon a TSP to deal with sensitive customer data.
- In cases where the Bank/PSP embeds the NPCI Common Library (CL) in the Merchant App through a Software Development Kit (SDK) and the CL is compromised, the PSP has the full liability.
- PSP will be responsible for verifying the first step of authentication, i.e. customer credentials, including fingerprints or any other information. After the validation, the PSP shall allow the customer to use UPI services.
- Loss/corruption of data: the PSP is liable for a breach of data where it was foreseeable, and for loss arising from a breach of data caused by the negligence or misconduct of the PSP’s representatives, as such breaches pose significant risk. NPCI bears no liability in such cases; it is indemnified by the PSP against all costs, damages, expenses, liabilities, and losses, including but not limited to loss of reputation, penalties, and legal costs.
- PSP’s liability is unlimited in case of claims of breach of data or compromise of authentication process against NPCI.
- The PSPs are required to give in writing their transaction capacity of 150 transactions per second, 5 lakhs transactions per day, and an uptime of 99.9%.
- The PSP is prohibited from sharing data with any third party unless mandated by law. In the case of data being required by a regulatory authority, it shall first inform the NPCI and the bank in writing.
- Where the PSP app is not able to capture sensitive data such as passwords itself, the application shall integrate the NPCI libraries to handle such data.
- PSP shall follow the rules and regulations in NPCI UPI/IMPS Settlement Procedure for any dispute settlement.
- It is strictly prohibited for the PSP to publish, disclose, and reveal any information about software, hardware, IP, etc. of NPCI without its prior consent, except to the extent of the normal course of business.
- NPCI shall have access to all records maintained by the PSP, including but not limited to, transaction records or any dispute resolution within 2 days of the request by NPCI.
- The PSP shall ensure that its communication with UPI is always encrypted and is never stored or disclosed by its employees or service providers.
- PSPs are responsible for their TSPs/sub-members’ compliance with the requirements of NPCI, RBI, the Government of India, and other regulatory authorities. If and when the membership of a TSP/sub-member is terminated, the PSP must inform NPCI at least three months in advance through the necessary communication channels.
- Due diligence must be observed by the PSP before adding a TSP/ sub-member to the UPI network and the report must be sent to NPCI when requesting permission to add them to the network. The due diligence shall be conducted either annually or as directed by the board.
- The PSP has to make sure that while it is allowed to outsource its technology platform (TSP), it is not allowed to outsource its functions as a PSP.
C. Role and Responsibilities of Technology Service Providers (TSP)
- TSP is required to conduct its own audits and audits of its processing agents annually, in compliance with UPI procedural guidelines.
- Around the clock connectivity with 99.9% uptime shall be maintained by the TSP through its PSP.
- Every TSP shall comply with the data integrity laws applicable in India. They must also comply with any and every guideline or regulation issued by NPCI and RBI.
- It is required of every TSP to submit reports, statements, certificates, etc., as the NPCI may ask from time to time.
D. Role and Responsibilities of Sub-members
Sub-member banks are those sponsored by a main member bank of the centralized system.
- Every sub-member bank engaging in UPI must sign a non-disclosure agreement with the NPCI.
- Every sub-member must sign a tripartite agreement with the main member and NPCI to comply with UPI rules and regulations.
- Sub-members are prohibited from disclosing any confidential information or documents without the prior written consent of the NPCI.
- Every sub-member bank shall comply with data integrity laws applicable in India.
- If any sensitive information is disclosed to a party not associated with the UPI network, it will be considered a breach of trust and will attract legal action against the sub-member; it can also lead to termination of service with the UPI network. However, a sub-member may share or disclose such information to its employees, officers, and agents to the extent needed for them to perform their obligations.
- Every sub-member shall comply with statutory and RBI regulations. NPCI has the right to obtain assurance from these banks for such compliance.
India is witnessing exponential growth in the use of digital payment systems, and the growing reliance of customers on them calls for an adequate legal framework.
Although the UPI Procedural Guidelines were framed within the ambit of the PSS Act with the intention of regulating the UPI payment system in India, they mainly deal with the procedural framework and transaction flows. A lacuna therefore remains, and a robust regulatory framework for governing UPI in India is still required.
At present, the framework for maintaining the confidentiality of data of users is regulated by the RBI guidelines and in accordance with the Information Technology Act, 2000 (“IT Act”). However, the IT Act is generic legislation, which is two decades old, and given the increase in digital payment and to achieve the agenda of becoming a cashless society a dedicated law is required.
Therefore, RBI as the central authority responsible for handling the payment systems in India has introduced Master Direction on Digital Payment Security Controls, with the agenda of providing a robust framework and minimum standard of security to be maintained for digital payments in India.
Furthermore, the Government of India has recently proposed a Digital India Act, comprising data governance, cybersecurity, and data protection policies, with the intention of replacing the old IT Act, 2000 with a robust, secure and exhaustive regulation able to cope with the rapid advancement in technology.