In a significant move to protect user data and uphold regulatory standards, the National Payments Corporation of India ( NPCI ) has issued a stern warning to banks and fintech companies against the unauthorised use of Unified Payments Interface ( UPI ) IDs for purposes beyond payment settlements and account validation.
This crackdown follows the discovery that some fintech firms were using UPI IDs to verify customer details, including names, bank account statuses, and mobile numbers, which goes against NPCI and Reserve Bank of India (RBI) guidelines.
The Future of Tax and Finance: Upskill with Us
NPCI recently sent a letter to these firms, urging them to cease using UPI application processing interfaces (APIs) for services that extend beyond UPI payments. These APIs, while crucial for facilitating payments and fraud prevention, were being misused by certain fintechs to offer services such as user authentication and profile creation without proper authorization.
Fintech firms like Idfy and Cashfree, along with third-party payment platforms such as PhonePe and Paytm, were reportedly offering such services by leveraging NPCI’s API system.
The Future of Tax and Finance: Upskill with Us
The letter explicitly stated that “the UPI APIs provided by NPCI are strictly for the purpose of facilitating UPI payments for customers and for required verification of users for fraud prevention” and must not be used independently for other purposes. NPCI also warned that any violations of these guidelines would result in severe penalties, including the potential termination of UPI services for non-compliant firms.
This move comes amidst growing concerns over the unauthorised collection and use of sensitive data by fintech companies. While this does not represent a data leak, the collection of data through UPI IDs, such as the customer’s name and account status, has raised concerns about privacy and regulatory compliance. According to industry insiders, some fintech firms have already stopped these services following NPCI’s intervention, while others continue to operate.
The Future of Tax and Finance: Upskill with Us
NPCI’s letter, which has been distributed to all member banks and third-party payment providers, has made it clear that participating members are prohibited from entering into commercial agreements to provide APIs as a service to third parties.
This regulatory action highlights the growing scrutiny fintech companies face, especially as many of their business practices are being challenged by regulatory bodies.
Support our journalism by subscribing to Taxscan premium. Follow us on Telegram for quick updates