The Unified Payments Interface [UPI] is a mobile payment system that consolidates multiple bank accounts into a single application. It allows for immediate 24/7 money transfers using a single click and two-factor authentication. It ensures secure transactions through a virtual payment address, the use of QR codes, and the ability to manage various payments like utility bills, subscriptions [through Autopay], and general merchant transactions.
The Payment and Settlement Systems Act, 2007 [PSS Act] authorises the Reserve Bank of India [RBI] to regulate operational systems like UPI and ensure that they are operated securely and efficiently. The National Payments Corporation of India [NPCI], the body that owns and governs the UPI platform, manages these platforms under the RBI’s statutory authority and supervision. It is responsible for establishing the rules, regulations, and guidelines for the UPI, as well as defining the roles, responsibilities, and liabilities of all participants and stakeholders.
Launched in 2016, UPI has undoubtedly been a transformative force in India’s financial landscape, redefining how millions of people transact daily. Its rapid adoption and scale have made it a cornerstone of modern India’s digital economy. Significantly, in July 2025, UPI transactions reached a record high of 19.47 billion, and crossed the 20 billion mark in August 2025, as reported by the Economic Times. Furthermore, recent data from NPCI shows a 35% increase over the same month last year, while the total transaction value increased by 22% from the previous year to ₹25.08 lakh crore. Despite shifting operational and regulatory frameworks, this trend demonstrates India's increasing inclination towards digital payment methods.
In July, in fact, the UPI platform reportedly managed an average of 628 million transactions per day. This growth follows June's performance, which saw 18.40 billion transactions for the month, with an average of 613 million transactions daily across more than 675 banks. This reinforces the steady momentum in the digital payments sector. These numbers place a huge demand on the system, which leads to delays and occasional mandate failures. Hence, the purpose of the new restrictions is to safeguard UPI’s speed, reliability, and scalability amid this continuous growth.
As a result, the NPCI recently introduced a new set of UPI Regulations [hereinafter the “new regulations”], effective from August 1, 2025, reportedly to increase fraud prevention and efficiency. The new Regulations put new restrictions on the number of balance inquiries and requests that don't require customer action. The guidelines for when autopay transactions should be made have also been updated.
Changes Introduced
The guidelines have the effect of bringing out the following changes in the functioning of the UPI system [kindly note that for the purpose of these guidelines, peak hours include the time frames of 10:00 - 13:00 and 5:00 to 21:30 of each day]:
- Most significantly, the users’ requests to check their bank balances via UPI apps shall be limited to 50 per app per user per day [rolling twenty-four hours]. The concerned UPI app may limit this further. Importantly, seemingly with the objective of reducing any inconvenience caused by this, the Issuer Bank is mandated to state the available balance via communication after every successful UPI transaction.
- The list of public keys at NPCI can be accessed by the Payment Service Providers [“PSPs”] only once per PSP per day [rolling twenty-four hours]. Further, the same shall be done in non-peak hours, and a minimum page size of 1000 is to be used for the same.
- The number of times a user can see the list of accounts linked to their mobile number shall be confined to 25 per user per app per day [rolling twenty-four hours]. Moreover, such requests shall be followed only when the user selects the issuer bank in the UPI app, and in case of failure to display the list, any retry shall be done only with the consent of the user.
- The ‘Check Transaction Status’ API allows PSPs to request the status of a transaction only after the specified period. Requests are limited to three per transaction within a two-hour period, with the first check allowed 90 seconds after initiation. This regulation aims to reduce system strain and prevent unnecessary API calls, ensuring better service stability and security.
- UPI Autopay mandates shall be limited to 1 attempt and 3 retries for every such autopay mandate. Further, these mandates shall be initiated only in non-peak hours, and the initiator PSPs shall ensure that they are executed at a moderated Transactions-per-Second [“TPS”].
- The “Penny Drop” transactions [test transactions of small amounts made to ensure the ownership and validity of an account] shall be subjected to a queue maintained at the end of the PSP initiating them. This requirement extends only to the entities having a regulatory requirement to that effect. Further, the same shall be done only with the user's explicit consent. Moreover, the entity shall assign a distinct dedicated UPI ID for such transactions, along with the Merchant Category Code 7413, and separate pricing for these kinds of transactions shall be determined when the time comes.
- Validating customer information for pre-debit notifications, customer activation for FIR, and other valid use cases is possible with the ValCust API. PAN validation for PO will begin only after the mandate has been successfully created. It will start at a moderate TPS with limited attempts for other use cases.
- PSPs are required to ensure that only the permitted headers [Host, Content-Length, Content-Type/Accept, and User-Agent] are included in UPI API traffic. To reject or eliminate unauthorised headers, preventive measures like reverse proxies or API gateways must be implemented.
- The ‘Validate Address’ API can only be used when the customer intends to make a payment, and the standalone use thereof is not permissible. The new MCC 7413, used for penny drop transactions, must also be used for validation. Additionally, the payer details API fields must accurately include the initiator's credentials, such as mobile number, UPI ID, MCC, and other relevant information.
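The per-user quotas, the ‘Check Transaction Status’ timing rule and the header allow-list from the list above can be enforced at a PSP's gateway along the following lines. This is an added illustration, not code from the NPCI or any PSP; the class and function names are hypothetical, “three per transaction within a two-hour period” is read as a rolling window, and “Content-Type/Accept” is treated as two permitted headers.

```python
from collections import defaultdict, deque

DAY = 24 * 3600
# (max calls, rolling window in seconds), values taken from the list above
QUOTAS = {
    "balance_enquiry": (50, DAY),       # per user per app
    "list_accounts": (25, DAY),         # per user per app
    "check_txn_status": (3, 2 * 3600),  # per transaction (rolling window assumed)
}
FIRST_STATUS_CHECK_DELAY = 90           # seconds after initiation
# "Content-Type/Accept" is read here as two separate permitted headers
ALLOWED_HEADERS = {"host", "content-length", "content-type", "accept", "user-agent"}


class RollingQuota:
    """Sliding-window counter keyed by (api, subject); names are hypothetical."""

    def __init__(self):
        self._seen = defaultdict(deque)

    def allow(self, api, subject, now):
        limit, window = QUOTAS[api]
        stamps = self._seen[(api, subject)]
        while stamps and now - stamps[0] >= window:  # drop calls outside the window
            stamps.popleft()
        if len(stamps) >= limit:
            return False                             # denied calls are not counted
        stamps.append(now)
        return True


def allow_status_check(quota, txn_id, initiated_at, now):
    """First check no earlier than 90 s after initiation, then the 3-per-2h quota."""
    if now - initiated_at < FIRST_STATUS_CHECK_DELAY:
        return False
    return quota.allow("check_txn_status", txn_id, now)


def filter_headers(headers):
    """Return (forwarded, dropped): only allow-listed headers go upstream."""
    forwarded = {k: v for k, v in headers.items() if k.lower() in ALLOWED_HEADERS}
    dropped = sorted(k for k in headers if k.lower() not in ALLOWED_HEADERS)
    return forwarded, dropped


if __name__ == "__main__":
    q = RollingQuota()
    # Constructed sample: 51 balance enquiries in a row, then one a day later
    results = [q.allow("balance_enquiry", ("user-1", "app-A"), t) for t in range(51)]
    print(results.count(True), q.allow("balance_enquiry", ("user-1", "app-A"), DAY))
    print(filter_headers({"Host": "psp.example", "X-Debug": "1", "User-Agent": "psp/1.0"}))
```

Logging the `dropped` list at the gateway gives operations teams a record of which clients are still sending non-permitted headers.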
These regulations introduce significant changes aimed at enhancing system reliability and security for all stakeholders. The new framework shifts UPI from a volume-oriented model to a velocity-controlled system, prioritising authentic transactions while throttling less critical API requests. This “traffic management” is a direct response to past outages, aiming to prevent system overloads during peak hours.
Why the Change? A Look at the Regulatory Intent
The NPCI's decision to segment transactions is rooted in several key regulatory objectives. First and foremost is risk mitigation.
Small-value transactions, while individually low-risk, collectively represent a massive volume of financial movement. A blanket policy for all transaction sizes could leave the system vulnerable to a variety of risks, including fraud, money laundering, and data breaches. By creating a separate, more secure framework for smaller transactions, the NPCI can improve protection for both consumers and the broader financial ecosystem.
Further, the new regulations are designed to address the challenges posed by the interoperability of credit and UPI. The integration of credit lines and credit cards with the UPI platform, while a significant step forward, requires careful regulation to prevent over-leveraging and maintain financial stability. The ₹2000 limit serves as a control mechanism, ensuring that the majority of UPI credit transactions, which tend to be for smaller, day-to-day purchases, are handled within a low-risk environment.
The Legal and Technical Ramifications
From a legal perspective, these new rules introduce a new layer of complexity to the contractual relationships between all parties involved in a UPI transaction: the bank, the PSP, and the end-user. That being said, it is pertinent to note that these changes will require the terms and conditions of service for UPI-linked credit products to be redrafted to reflect the new transaction limits and security protocols. This will, in turn, necessitate a thorough review by legal and compliance teams to ensure adherence to the new regulatory framework.
Furthermore, the new regulations have shifted the burden on the Payment Service Providers [PSPs] and banks to develop and implement the necessary technological infrastructure to differentiate and process transactions based on their value. This will involve significant software updates and system changes to enforce the ₹2000 limit automatically.
On one hand, the rules create a more equitable backend operation by evenly distributing the system load, which reduces the risk of server outages. On the other hand, they place increased pressure on PSPs and banks to meet compliance deadlines, requiring extensive technical modifications and IT enhancements by July 31, 2025. The legal responsibility to comply with these rules lies squarely with the PSPs, and any failure to do so could result in penalties and regulatory action. For law students, this presents a fascinating case study in how new regulations drive technological and legal compliance in the fintech sector.
Impact on Stakeholders and Participants
The new regulations are largely designed to enhance security and transaction reliability for the general population. While minor inconveniences are expected for transactions exceeding ₹2000, the overall benefit of a more secure payment system outweighs this. The new rules also provide greater clarity on how UPI credit can be used, which is a big positive for financial literacy. At the same time, merchants with higher-value transactions are likely to be impacted and may need to adjust their payment acceptance methods and clearly communicate the new rules to their customers.
While necessary for system health, the new restrictions on balance checks and status queries may frustrate frequent users, like merchants and traders, who rely on timely payment information. There is also the risk of merchant resistance, as seen in Bengaluru, Karnataka, where some vendors have reverted to cash payments due to increased tax oversight and general distrust associated with UPI. This signifies the need for clear communication from the NPCI and financial institutions to help users and businesses navigate the changes and understand their benefits.
Banks, fintech companies and PSPs are responsible for implementing the new rules, which will require substantial investment in technology and compliance. Banks, the heart of the UPI ecosystem, would now be required to work closely with PSPs to ensure seamless integration and compliance. For these organisations, the new regulations are a test of their ability to innovate while adhering to a strict regulatory environment. That being said, the new regulations also open up new opportunities for them to design innovative credit products tailored to the small-value segment.
The new UPI regulations clearly indicate the NPCI's commitment to building a robust, secure, and sustainable digital payments infrastructure. By underscoring the critical role of compliance and technology in modern finance, they lay the groundwork for a more secure and sophisticated digital payments system in India. At the same time, they pave the way for future innovations, including voice-enabled payments, NFC-based transactions, enhanced AI-driven fraud detection, and the integration of UPI with investment and credit services. By addressing the current systemic risks, the NPCI is preparing UPI for its continued growth both within India and on the global stage.
