
UPI: Transforming India's Payments

The document provides an overview of the Unified Payments Interface (UPI) system in India. It discusses the background and need for UPI, including the country's goal of becoming less cash dependent. It describes UPI as a payments platform that allows instant funds transfer between bank accounts using just a smartphone. The document outlines some of UPI's key features, architecture, concepts and supporting infrastructure. It also discusses transaction authorization and security aspects of UPI.

Uploaded by

Harshit Malviya

UNIFIED PAYMENTS INTERFACE: MAKING A NEW INDIA

BANKING LAW

Submitted by:

Harshit Malviya

2016039

SEMESTER VI

DAMODARAM SANJIVAYYA NATIONAL LAW UNIVERSITY


Visakhapatnam

ACKNOWLEDGEMENT

I have endeavoured to attempt this project pertaining to the subject of “Banking Law”.
However, it would not have been feasible without the valuable support and guidance of my
professor, Ms. Bushra Quasmi. I would like to extend my sincere thanks to him.

I am also highly indebted to Damodaram Sanjivayya National Law University Library Staff
for their patient co-operation as well as for providing necessary information and also for their
support in completing this project.

My gratitude and appreciations also extend towards my classmates who gave their valuable
insight and help in developing this project.

TABLE OF CONTENTS

1) INTRODUCTION
2) BACKGROUND
3) UNIFIED PAYMENTS PROTOCOL
4) CORE FEATURES
5) ARCHITECTURE
6) SOME BASIC CONCEPTS
7) SUPPORTING INFRASTRUCTURE
8) TRANSACTION AUTHORIZATION
9) TRANSACTION FLOW IN UPI PAYMENTS
10) SECURITY IN UPI
11) IMPACT OF UPI
12) CONCLUSION

1) INTRODUCTION

Unified Payments Interface (UPI) is a next-generation payments platform that facilitates
instant transfer of funds from person to person and person to merchant using a smartphone. It
powers multiple bank accounts into a single mobile application (of any participating bank),
merges several banking features, seamless fund routing and merchant payments under one
umbrella. It also caters to the ‘Peer-to-Peer’ collect request which can be scheduled and paid
as per requirement and convenience.

Over decades, India has made slow but steady progress in the field of electronic payments.
The innovations in payments have leveraged major technological innovations in each era.
However, given the scale of our country, and that so many are unbanked, we cannot rest on
our laurels.

Fundamentals of Unified Payment Interface (UPI)

NPCI developed Unified Payment Interface (UPI) as a common interface or a platform for all
digital payment systems in India. NPCI is the owner, network operator, service provider, and
coordinator of the UPI Network. The Unified Payment Interface provides an architecture and a
set of standard Application Programming Interface (API) specifications to facilitate digital
payments using a mobile phone. [1] UPI leverages the high penetration of mobile phones and
the growing adoption of smartphones, data and internet to enable a mobile based instant
payment system in India. UPI allows users to send or request money instantly from their bank
accounts using a mobile phone, making the mobile phone a primary payment device for the
masses. UPI uses IMPS as the switching mechanism to enable instant payments and
settlement between different financial institutions.

2) BACKGROUND

Reserve Bank of India is the regulatory body, with the Payments and Settlements Systems Act
(2007) [2] being the primary legislation governing payments systems in India. Making India
“less cash” dependent and promoting digital payments has been a focus area for RBI since
the last decade. The five-yearly RBI Vision Document, which sets the tone and vision for
achieving key objectives in the payments ecosystem, aptly sums up the priority for RBI to
transform the payments landscape in India: “To proactively encourage electronic payment
systems for ushering in a less-cash society in India and to ensure payment and settlement
systems in the country are safe, efficient, interoperable, authorised, accessible, inclusive and
compliant with international standards.” [3]

The period 2016-17 has been the pivotal period for the payments landscape in India. The
country witnessed profound changes in the payments ecosystem, with radical policy decisions,
the introduction of new age payment systems and rapid changes in user behaviour.
Demonetization was introduced during this period, whereby 86% of the currency notes were
rendered worthless overnight. [4] During demonetization paper money became scarce and one
could witness serpentine queues in banks and ATMs to withdraw the meagre currency that was
available. Business and trade almost came to a standstill and the GDP growth rate decreased
in spite of the rapid introduction of new currency notes and the use of digital forms of
payment. The year preceding demonetization saw the emergence of mobile based digital
wallets, which witnessed rapid adoption by a large smartphone using population. The
emergence of mobile based digital wallets was largely driven by new age private technology
companies. During the same period, with a clear mandate from Reserve Bank of India to
drive next generation digital payments, National Payments Corporation of India (NPCI) set
out to create a new payment system called Unified Payment Interface (UPI). [5] Unified
Payment Interface (UPI) was formally inaugurated by the then RBI Governor on 11 April 2016
and launched for public use on 25 August 2016. [6]

Reserve Bank of India has been relentlessly working in the direction of enabling a digital
payments ecosystem in the country. In this direction, RBI, under its guidance and with
support from Indian Banks Association (IBA), enabled the formation of National Payments
Corporation of India (NPCI) as an umbrella organization for all retail payments systems in
India, with all leading banks as stakeholders/shareholders. [7] NPCI was formed with the
mandate to consolidate and integrate the disparate systems with varying service levels into a
nation-wide uniform and standard business process for all digital payment systems. The clear
objective was to create a uniform and affordable payment system by leveraging technology
and to enable financial inclusiveness in the country.

UPI was a culmination of a series of developments by NPCI over a period of 8 years since its
inception in 2009. The first step taken by NPCI in this direction was the standardization,
simplification and implementation of National Finance Switch (NFS) for all the banks of the
country. NFS set the common standard and enabled digital interoperability between all banks
in the country. NFS is now the backbone which powers the largest domestic ATM network in
the country. The next revolutionary step for NPCI was to enable Immediate Payment System
(IMPS) riding the interoperable layer of NFS. Prior to IMPS, the modes for digital
transactions in banks were Real time Gross Settlement System (RTGS) and National
Electronics Funds Transfer System (NEFT). RTGS and NEFT are unsuitable for small ticket
digital retail payments due to inherent limitations of these systems like high transaction
limits, delayed settlement in batches and fixed operating time hours.

[1] National Payments Corporation of India (2016) Unified Payment Interface API and
Technology Specifications. National Payments Corporation of India, Mumbai.
[2] “Pradhan Mantri Jan-Dhan Yojana”, Ministry of Finance, August 2014,
http://www.pmjdy.gov.in/financial_literacy.aspx.
[3] “Report of the Task Force on an Aadhaar-Enabled Unified Payment Infrastructure”,
Finance Ministry, February 2012,
http://finmin.nic.in/reports/Report_Task_Force_Aadhaar_PaymentInfra.pdf.
[4] “Role of Biometric Technology in Aadhaar Authentication”, UIDAI, March 2012,
http://uidai.gov.in/images/role_of_biometric_technology_in_aadhaar_authentication_020412.pdf
[5] “Micro-ATM Standards”, IBA, March 2013,
http://www.iba.org.in/upload/MicroATM_Standards_v1.5.1_Clean.pdf
[6] “Immediate Payment System (IMPS)”, NPCI, http://www.npci.org.in/imps_product.aspx
[7] “Aadhaar Authentication”, UIDAI, http://uidai.gov.in/auth

• Mission

To ensure payment and settlement systems in the country are safe, efficient, interoperable,
authorised, accessible, inclusive and compliant with international standards. The Mission
statement indicates RBI’s renewed commitment towards providing safe, efficient,
accessible, inclusive, interoperable and authorised payment and settlement systems for the
country. Payments systems will be driven by customer demands of convenience, ease of use
and access that will impel the necessary convergence in innovative e-payment products and
capabilities. Regulation will channelize innovation and competition to meet these demands
consistent with international standards and best practices. [8]

• Vision

The vision is to proactively encourage electronic payment systems for ushering in a less-cash
society in India.

In this regard, it also identifies that NPCI has taken up a new initiative of implementing
“Unified Payment Interface” to simplify and provide a single interface across all systems.

Key drivers are:

• Simplicity - Paying and receiving payments should be as easy as swiping a phone
book entry and making a call on a mobile phone. Everyone who has an account should
be able to send and receive money from their mobile phone with just an identifier,
without having any other bank/account details. All they need to do is to "pay to" or
"collect from" a “payment address” (such as Aadhaar number, Mobile number, RuPay
Card, virtual payment address, etc.) with a single click.
• Innovation - Solution should be minimal, functional, and layerable so that innovations
on both payee and payer side can evolve without having to change the whole
interface. This unified layer should allow application providers to take advantage of
enhancements in mobile devices, provide integrated payments on new consumer
devices, provide innovative user interface features, take advantage of newer
authentication services, etc.
• Adoption - Solution should be scalable to a billion users and large scale adoption.
This should allow gradual adoption across smartphone and feature phone users and
provide full interoperability across all payment players, phones, and use cases. People
using smartphones should be able to send money to others who are not yet using any
mobile application and vice versa. Similarly, it should allow full interoperability
between multiple identifiers such as Aadhaar number, mobile number, and new
virtual payment addresses.
• Security - Solution should provide end to end strong security and data protection.
Considering self-service mobile applications, data must be strongly encrypted
at capture. Similarly, the solution should allow a mechanism to pay and collect using true
virtual addresses without having to reveal any bank/account details. While providing
convenience, the solution should offer 1-click 2-factor authentication, protection from
phishing, risk scoring, etc. [9]
• Cost - Considering the fact that about 150 million smartphone users exist today and
that number is expected to grow to 500 million in the next 5 years, the solution should
offer a mechanism to take full advantage of that. Use of the mobile phone as the
authentication (credential capture) device, use of virtual payment addresses, and use
of 3rd party portable authentication schemes such as Aadhaar should allow both
acquiring side and issuing side cost to be driven down. This allows banks and other
payment players to focus on core business and allows half a billion phones to be the
primary payment device in conjunction with other 3rd party authentication.

[8] “Aadhaar e-KYC API Specification”, UIDAI,
http://uidai.gov.in/images/aadhaar_kyc_api_1_0_final.pdf

3) UNIFIED PAYMENTS PROTOCOL

The Unified Payment Interface allows payments to be initiated by the payer, or by the payee.
In the basic payee initiated flows, the payment request is routed by the initiating application
through the NPCI switch to the payer for approval. However, in certain instances, where it is
possible to connect with the payer immediately, it is preferred that the payee sends a payment
request to the payer, who can then initiate the payment request with his credentials. [10]

This leads to a significantly smoother payment experience. Some examples of these include
in-app payments – where the merchant app may send the request to the PSP app on the same
device, instead of a collect request via the PSP network. Another example may be for
proximity payments, where the payer and payee are using different devices, but are close
enough for the information to be transmitted locally. This chapter introduces the Unified
Payment Interface and its architecture. After introducing the core features, high level
architecture, key concepts, and overall value proposition, a list of possible use cases and real
world usage examples are provided to better understand the proposal. All technical details of
the interface are covered in subsequent chapters.

[9] “Aadhaar Enabled Payment Systems (AEPS)”, NPCI, http://www.npci.org.in/AEPSOverview.aspx.
[10] “National Payment Corporation of India”, NPCI, http://www.npci.org.in/home.aspx.

4) CORE FEATURES

Unified Payment Interface provides the following core features via a single payment API and
a set of supporting APIs.

1. Ability to use personal mobile as the primary device for all payments including person to
person, person to entity, and entity to person.

2. Ability to use personal mobile to "pay" someone (push) as well as "collect" from someone
(pull).

3. Ability to use Aadhaar number, mobile number, card number, and account number in a
unified way. In addition, ability to pay and collect using "virtual payment addresses" that are
"aliases" to accounts that may be payee/amount/time limited providing further security
features. [11]

4. Ability to make payments only by sharing an address with others, without ever having to
provide account details or credentials on 3rd party applications or websites.

5. Ability for sending collect requests to others (person to person or entity to person) with
"pay by" date to allow payment requests to be “snoozed” and paid later before expiry date
without having to block the money in the account until customer is ready to pay. [12]

6. Ability to pre-authorize multiple recurring payments similar to ECS (utilities, school fees,
subscriptions, etc.) with a one-time secure authentication and rule based access.

7. Ability for all payment system players to use a standard set of APIs for any-to-any push
and pull payments.

8. Ability to have PSP provided mobile applications that allow paying from any account
using any number of virtual addresses using credentials such as passwords, PINs, or
biometrics (on phone).

[11] Supra note 9.
[12] “Aadhaar Payment Bridge (APB)”, NPCI, http://www.npci.org.in/apbs.aspx.

5) ARCHITECTURE

The following diagram shows the overall architecture of the unified interface allowing USSD,
smartphone, Internet banking, and other channel integration onto a common layer at NPCI.
This common layer uses existing systems such as IMPS, AEPS, etc. to orchestrate these
transactions and ensure settlement across accounts. Usage of existing systems ensures
reliability of payment transactions across various channels and also takes full advantage of all
the investments so far. This unified layer offers next generation peer-to-peer immediate
payment just by using a personal phone.

The 3rd party API integration (merchant sites, etc.) can "collect" payment from “an address”,
avoiding the need to share account details or credentials on 3rd party applications or
websites. Within this solution, payment authentication and authorization are always done
using the personal phone. Since this layer offers a unified interface, any-to-any (Aadhaar
number, mobile, account, virtual addresses) payments can be done using a standard set of
APIs. [13]

6) SOME BASIC CONCEPTS

Every payment has the following core elements:

1. Payer and payee account and institution details for routing and authorization

2. Authentication credentials (password, PIN, biometrics, etc. as required for debit, can be
bank provided or 3rd party provided such as UIDAI)

3. Transaction amount

4. Transaction reference

5. Timestamp

6. Other metadata attributes such as location, product code, mobile number, device details,
etc. as required.

Out of the above, items 1 and 2 are critical to be abstracted so that a single architecture can
handle current and futuristic scenarios of “any payment address” using “any trusted
authentication scheme”. [14]

[13] National Payments Corporation of India (2017) BHIM Analytics. National Payments
Corporation of India, Mumbai.

• PAYMENT ADDRESS

Every payment transaction must have source (payer) account details (for debit) and
destination (payee) account details (for credit). At the end, before the transaction can be
completed, these must be resolved to an actual account number/ID.

“Payment Address” is an abstract form to represent a handle that uniquely identifies account
details in a “normalized” notation. In this architecture, all payment addresses are denoted in
“account@provider” form. Address translation may happen at provider/gateway level or at
NPCI level. [15]

• AUTHENTICATION

Authentication is typically done at the account provider domain. Authentication schemes
separately evolved as new payment channels evolved. While numeric or alpha-numeric
PIN/Passwords are the dominant authentication factor, different PINs were issued for different
channels (Internet PIN, ATM PIN, Mobile PIN, etc.). In addition, OTP based authentication
is used heavily these days to offer 2-FA authentication schemes. One authentication is
required to be performed by the Payment Service Provider - for instance, the use of the
correct mobile phone, while the other is performed within the domain of the account
provider.

Traditionally, payment account providers themselves provided the authentication scheme.
Account management (KYC, opening account, managing transactions, etc.) was tightly
coupled with internal authentication schemes. But, conceptually, account management
including KYC etc. should be loosely coupled with authentication. Aadhaar authentication
via NPCI which, in turn, is trusted by banks to conduct payment transactions. [16]

Digital Signatures, especially proposed Aadhaar enabled DSCs, can also play an important
role to identify the authenticity of the request and bring out new ways of issuing e-Cheques,
ECS mandates, and other payment instruments.

In this unified architecture, the objective is to enable multiple authentication schemes (account
provider as well as trusted 3rd party like UIDAI’s Aadhaar authentication) without tightly
coupling them with account provisioning and management. This allows future one or multi-factor
authentication schemes to be plugged into the architecture as long as account providers allow
such trusted external authentications.

Today, authentication and authorization are part of the same transaction flow and inline. But,
in newer systems such as AEPS, use of third party authentication is followed where
authorization was still done within the banking system. Adopting 3rd party authentication and
using a token-less payment scheme allows banks to reduce the overall issuance (card, PIN, etc.)
cost while still keeping authorization and account management within their control. [17]

[14] Shubha (25 May 2015) Comprehensive, 2015, U.S. Market Analysis of POS Terminals and
EMV & NFC Status Review. Lets Talk Payments.
https://letstalkpayments.com/comprehensive-2015-u-s-market-analysis-of-pos-terminals-and-emv-nfc-status-review/
[15] Banking Panorama in India, Anil Kumar Upadhyaya, Chapter National Payments
Corporation of India, p. 88.
[16] “Report of the Technical Committee on Mobile Banking”, RBI, February 2014,
http://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=760#8

• VALUE PROPOSITION

The proposed Unified Payment Interface provides the following values.

1. Simplifying Authentication - India is the only country in the world to offer trusted 3rd
party biometric authentication as a utility service. With universal coverage of Aadhaar
expected in 2015, PSPs can take advantage of this utility to provide secure, convenient
authentication service to a billion people without having the need to do card/PIN issuance
lifecycle. Similarly, NPCI-offered centralized MPIN management options via USSD can
allow banking customers with a registered mobile to easily set and change MPIN without
having any explicit issuance mechanisms. Unified interface provides significant advantage
over current systems to take mobile payments to the next level. Its value lies in using the
customer’s mobile phone as the primary device for all authentication and authorization for
both “Direct Pay” (push) and “Collect Pay” (pull) transactions.

2. Simplifying Issuance Infrastructure - Usage of virtual addresses and payment addresses
in conjunction with mobile as the "what you have" factor helps banks to create token-less
infrastructure, reducing the costs.

3. Simplifying Acquiring Infrastructure - Use of mobile as the primary device for payment
authorization can completely transform the issuance infrastructure to be easy, low cost, and
universal. Considering the fact that India has nearly a billion phones and 150 million
smartphones (expected to be at 500 million in next 4-5 years), massive scale can be achieved
if effective use of mobile is made compared to creating costly physical acquiring
infrastructure.

4. Flexibility for PSPs - Payment system players (RBI regulated entities such as banks,
payment banks, PPIs, and their technology service providers) can offer superior mobile
experience to their customers. In addition, this unified interface still allows a fully on-us
scheme if both payer and payee are on their network.

5. Flexibility for Users - Customers get the ability to make payments securely to their
friends, relatives, pay to merchants, pay bills, etc. all using their mobile phones without
having to share any account details or credentials with others. In addition, innovations such as
reminders, using multiple accounts via single mobile applications, using special purpose
virtual addresses, etc. allow users to enjoy superior experience.

6. Stimulating Innovation - This interface provides a very simple API that is minimalistic and
fully functional, and allows innovations in various aspects such as user interface,
convenience features, authentication schemes, and mobile devices to be brought in without
having to change the core API structure. [18]

7. Embracing Mobile Adoption - This interface truly embraces mobile and low cost
smartphone adoption in India, allowing phones to be the primary device for all payments and
integrating mobile numbers by allowing paying to/from a mobile number.

8. Embracing Aadhaar Adoption - Universal digital identity is fast becoming a reality with
Aadhaar adoption crossing 730 million. With Aadhaar e-KYC allowing paperless, anytime
anywhere e-KYC services, Aadhaar now a payment destination using APB, and usage of Aadhaar
authentication as a trusted 3rd party authentication, large scale electronic payments can be
achieved unlike ever before.

9. Creating National Interoperability - With introduction of new payment service players
such as payment banks, PPIs, and others, it is necessary that India adopt an interoperable
mobile payment strategy to allow customers to send and receive from any other customer
within the PSP or across PSPs in a seamless fashion. Proactively creating this unified
interoperable interface allows all players to innovate and provide superior customer
experience and still provide a secure, standard based, interoperable payment scheme.

[17] Reserve Bank of India (2016) Reserve Bank of India Annual Report 2014-15. Reserve Bank
of India, Chapter 9, p. 115.
[18] Reserve Bank of India (2016) Reserve Bank of India Annual Report 2015-16. Reserve Bank
of India, Chapter 9, p. 95.

7) SUPPORTING INFRASTRUCTURE
• Aadhaar System

One of the key considerations is to keep the Aadhaar system purely focused on identity and
nothing else. The Aadhaar system only collects minimal data, just enough to provide unique
identity, issue the Aadhaar number after biometric de-duplication, manage lifecycle changes
of that identity record, and provide a secure Application Programming Interface (API) for
verifying the identity (online authentication) for various applications requiring identity
verification. Designing the Aadhaar system as a pure identity platform allows clear separation
of duties and leaves usage of identity to other partners, and their various applications which
may be built on top of the Aadhaar platform. [19]

• Aadhaar Authentication

Aadhaar authentication is the process wherein the Aadhaar number, along with other attributes,
including biometrics, is submitted online via an API to the UIDAI system for its verification
on the basis of information or data or documents available with it. The authentication module
handles online resident authentication from various Authentication User Agencies (AUA). [20]

The combination of Aadhaar number and biometrics delivers online authentication without
needing a token (such as a smartcard). During biometric authentication, the agency collects the
Aadhaar number along with one or more biometric impressions (e.g., one or more
fingerprints, or iris impression alone, or iris impression along with fingerprints), which are then
encrypted and sent to the Aadhaar authentication server for authenticating the resident. [21]

• Aadhaar e-KYC

Verification of the Proof of Identity and Proof of Address is a key requirement for access to
financial products (payment products, bank accounts, insurance products, market products,
etc.), SIM cards for mobile telephony, and access to various Central, State, and Local
Government services. The Aadhaar e-KYC service provides a convenient mechanism for
agencies to offer an electronic, paperless KYC experience to Aadhaar holders. The e-KYC
service provides simplicity to the resident, while providing cost-savings from processing
paper documents and eliminating the risk of forged documents to the service agencies. This
service is offered via an Application Programming Interface (API) that allows organizations
to integrate Aadhaar e-KYC within their applications. [22]

Aadhaar e-KYC service is now approved by the RBI as a valid KYC process. PSPs can
become authentication and e-KYC user agencies (AUA/KUA) by signing up with UIDAI and
can easily integrate these services within their application to provide low cost, paperless, and
convenient KYC and authentication services to their customers.

[19] “Aadhaar Authentication”, UIDAI, http://uidai.gov.in/auth.
[20] Ibid.
[21] “Aadhaar Enabled Payment Systems (AEPS)”, NPCI, http://www.npci.org.in/AEPSOverview.aspx.

• Aadhaar Enabled Account

In order to facilitate disbursements, remittances or any financial transaction using Aadhaar as
the financial address, a resident is required to link their Aadhaar number with his/her bank
account number. Customers have the option of either linking their existing bank account or
opening a new bank account.

• Aadhaar Payment Bridge

The Aadhaar Payments Bridge (APB) offers a simplified payment mechanism to Government
user departments to electronically transfer subsidies and benefit payments to individuals on
the basis of their Aadhaar number. The APB system enables payments to be credited to end
beneficiaries’ Aadhaar-enabled accounts (AEA) on the basis of the Aadhaar number being the
unique identifier. [23]

The Aadhaar Payments Bridge will facilitate the processing of the payments file from the
Government departments received via the sponsor banks (assigned bank), and subsequently
the routing of the payments file to the beneficiary’s bank. The beneficiary’s bank has the Aadhaar
number mapping to the beneficiary’s bank account number to credit the amount in the end
beneficiary’s account. Aadhaar Payments Bridge (APB) is a payments service offered by
National Payments Corporation of India and the process for on-boarding of banks has also
been defined by NPCI.

Currently the APB system has about 120 million Aadhaar to bank mappings in its database. [24] As
part of large scale adoption of Direct Benefits Transfer (DBT) across all subsidy systems, it
is expected that the APB mapping database will have about 200-250 million Aadhaar mappings
within the next 12-18 months.

[22] Reserve Bank of India (2009) Payment Systems In India Vision 2009-12. Department of
Payment and Settlement Systems. Reserve Bank of India, Part 6, Section 6.4.1, p. 8.
[23] Reserve Bank of India.
https://rbidocs.rbi.org.in/rdocs/ATM/PDFs/ATM072017B116CE3C8542429A8252F4C42D717773.PDF.

 Aadhaar Enabled Payment System

Aadhaar Enabled Payments System (AEPS) enables banks to route the financial transactions
through a switching and clearing agency to empower the resident to use Aadhaar as his
identity to authenticate and subsequently operate his respective Aadhaar enabled account and
perform basic financial transactions.

A vital building block in this endeavour is developing a standard platform that will become
cost effective with scale and provide real time authentication, even in remote areas. For this,
standards for on-line, interoperable devices termed microATMs were finalized by a
committee consisting of members from RBI, Indian Banks Association (IBA), Banks,
Institute for Development and Research in Banking Technology (IDRBT), and UIDAI. A
Proof of Concept was done in Jharkhand in partnership with Bank of India, Union Bank of
India and ICICI Bank for these microATM-based transactions in early 2011. The pilot project
for payments started in December 2011 in Jharkhand.25

MicroATMs allow customers to perform basic financial transactions (Deposit, Withdrawal,


Funds Transfer, Balance Enquiry and Mini Statement) using the Aadhaar number and their
fingerprint as identity proof (along with a Bank Identification Number for inter-bank
transactions). The cash-in / cash-out functions of the microATMs are performed by an agent
of the bank. This would not only offer convenience to the resident but would also reduce
credit and operational risks for the banking system apart from reducing transaction costs.

The interoperable Aadhaar-enabled payments architecture is an overlay on the existing


payment architecture, where authentication information is routed to UIDAI.

UPI is a real time inter-bank payment system with send or request money. Any UPI client
app may be used and multiple bank account may be linked to single app. Money can be sent
or requested with following methods

24 Supra note 19.
25 “Committee on Comprehensive Financial Services for Small Businesses and Low Income Households”, RBI, January 2014, http://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=727.

• Virtual Payment Address: Send or request money from/to a bank account mapped using a VPA.
• Mobile number: Send or request money from/to a bank account mapped using a mobile number.
• Account number & IFSC: Send money to a bank account.
• Aadhaar: Send money to a bank account mapped using an Aadhaar number.
• QR code: Send money by QR code which has enclosed the VPA, Account number and IFSC, or Mobile number.

With UPI, everyone with a bank account in India can create a Virtual Payment Address
(VPA or UPI ID) and start transacting using a mobile phone. This Virtual Payment Address,
e.g. abc@xyzbank, becomes a person’s unique payment identity and removes the need to
share bank details while transacting. UPI considerably simplifies digital payments: instead of
issuing cards to a large population, which is costly and time consuming, UPI makes the mobile
phone the primary device for authorizing and making payments. A mobile phone
combined with a unique payment ID also becomes a low-cost payment acceptance device, thus
making digital payments universal, easy and low cost.

• The UPI Ecosystem

Payment Service Players: Customers can access UPI payment facilities through UPI Apps
provided by Payment Service Players (PSP). These PSPs consist of Banks, Payments Banks
and other third party software providers of banks which acquire customers and provide UPI
payment services through their UPI PSP mobile apps. These PSP UPI apps use UPI libraries
and utilities to facilitate customer registration and creation of the Virtual Payment Address
(UPI ID), and to provide payment services to the customers. Customers are not bound to use
the PSP UPI App of their own bank and can choose to use the PSP UPI App of any bank.
Moreover, the Payer and Payee PSP UPI apps can be different. PSP UPI Apps enable the
following types of transactions for users: 1) Non-Financial Transactions include customer
registration on the UPI platform, Virtual Payment Address creation, Set and Change MPIN,
OTP requests and bank balance check. Customers can also raise a dispute or check the status
of a transaction from the PSP UPI App in case of any issue. 2) Financial Transactions include
Push and Collect payments based on Virtual Payment Address, Push transactions based on
Account Number and IFSC Code and Push transactions based on Aadhaar Number.

• Virtual Payment Address

Every payment transaction requires source (remitter) account details to make the debit and
destination (beneficiary) bank details to make the credit. UPI enables users to create a
Virtual Payment Address (UPI ID) for their bank accounts. This Virtual Payment Address is
an abstract form that represents and uniquely identifies the bank account details in a normalized
notation. Thus, for any transaction to take place it is vital to resolve the Virtual Payment
Address into the actual bank accounts to make the debit and credit transactions. In the current
UPI architecture the Virtual Payment Address takes the form “xyz@psp”, where xyz can
be any unique name and psp is the name of the Payment Service Player whose application the
user uses to create the VPA. The Virtual Payment Address is created by the PSP UPI App
and is stored in the PSP database, while the bank account number and IFSC Code (Global
Address) are stored in the NPCI Mapper. PSPs expose their address translation algorithms
to NPCI to enable it to decode the VPA into valid bank account details. Thus, the Virtual
Payment Address is resolved by the respective PSP UPI Apps while the Account Number and
IFSC Code are resolved against the Virtual Payment Address by the NPCI Central Mapper.
This is a unique feature of UPI since it removes the need to know the full bank details of
the parties making a transaction. Users can exchange their Payment Address, which is sufficient
to make the transaction.26

• NPCI Central Mapper

NPCI is the central repository and maintains a central mapper of the association between a
customer’s Mobile Number, Bank Accounts, Aadhaar number and Virtual Payment Address.
This central repository is used to route payment instructions based on mobile number. Thus, the
central mapper allows anyone to send/receive money from a mobile number without knowing
the destination account details. Apart from UPI, Aadhaar Payments, National USSD Platform
(NUUP) and IMPS also use this central repository for routing payments. In fact, Aadhaar
Payments Bridge System (APBS) uses this NPCI central mapper to route direct benefit
transfers to individuals on the basis of their Aadhaar number. Linking the Aadhaar
number with the Bank Account in the central mapper allows the Aadhaar Number to become a
payment address in itself.27

• Transactions in UPI

26 Ibid.
27 www.npci.org.in

As mentioned above, UPI allows a set of Non-Financial and Financial Transactions. Financial
transactions are of two types:

1) Pay Request (Push Payment): This transaction is initiated by the user in which money is
pushed into the bank account of the beneficiary. This Push Payment can be done using the
Account Number and IFSC Code, Aadhaar Number or the Virtual Payment Address of the
beneficiary.

2) Collect Request (Pull Payment): A Collect Request transaction is initiated by the
beneficiary to pull funds from the payer by using the Virtual Address. The user can also define
an expiry time limit for the Collect Request. The payer will receive the collect request on his
PSP UPI App, which is to be authenticated using a 4-6 digit MPIN to complete the transaction.

8) TRANSACTION AUTHORIZATION

All digital transactions in India must adhere to two factor authentication. In case of UPI,
transactions are authorized and authenticated on the personal mobile phone of the user
without the need of any external device. The first factor is the hardbound mobile device
fingerprint which is authenticated by the PSP UPI App. The second factor to authenticate the
transaction is a four to six digit MPIN which is created by the user and captured on the NPCI
libraries embedded in the PSP UPI App. These libraries are available for all major mobile
operating systems viz. Android, iOS & Windows. These libraries allow secure capture of
credentials like OTP and MPIN. The secured credentials are captured by the NPCI libraries
which use PKI Encryption. These secured credentials (MPIN) are sent to the issuer bank for
authentication and upon successful authentication a transaction is complete.

9) TRANSACTION FLOW OF UPI PAYMENTS

1) Customer Registration

a) Users can download any PSP UPI application from app discovery platforms like Google
Play or Apple App Store on mobile phone with mobile number registered with their bank.

b) The PSP UPI application will automatically send an encrypted outward SMS from the user’s
mobile phone to check the authenticity of the mobile number registered with the user’s
bank and to enable hard binding of the mobile device with the mobile number. This hard
binding of the device acts as a device fingerprint.

c) The user can now create a unique Virtual Payment Address, which will be the user’s unique
payment ID.

2) Bank Account Registration

a) Users can register their bank accounts on the PSP UPI App. The Issuing Bank
authenticates the mobile number registered with the bank and provides a list of all bank
accounts registered against the mobile number, which is displayed to the user on the PSP UPI
App.

b) The PSP stores the account details received from the Issuer Bank in its database. At this
stage, the PSP Database contains information such as the Registered Mobile Number, Virtual
Payment Address, Name of User on PSP UPI App, Bank Name, Account number and
IFSC code.

c) The user now needs to create a Mobile Personal Identification Number (MPIN) to authenticate
transactions. An OTP Request is generated by the PSP UPI App to NPCI for the newly
added account. NPCI requests an OTP from the Issuer Bank and the Issuer Bank sends the
OTP over SMS to the registered mobile number of the user.

d) To establish the personal bona fides of the user, the user is asked to enter the last 6 digits of
the Debit card number, the expiry date and the OTP received on the registered mobile number.
In order to create the MPIN, the user enters the desired MPIN on the NPCI library embedded
in the PSP UPI app.

3) Transaction Flow

a) To make a Push Payment (Pay Request) the user needs to enter either the Virtual Payment
Address or the Account number and IFSC Code or Aadhaar Number of the beneficiary.

b) The user enters the MPIN on the NPCI Libraries embedded in the PSP UPI App. The MPIN is
encrypted using NPCI’s public key and sent to UPI, where it is decrypted using NPCI’s private key.
NPCI again encrypts the MPIN using the Issuer Bank’s public key and sends it to the Issuer
Bank, which then decrypts the MPIN using its own private key. The Issuer Bank then
authenticates the MPIN and debits the Remitter’s bank account and credits the Beneficiary’s
bank account.
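The two encryption hops in step (b), written out as an added Go example (not code from this paper or from NPCI). RSA-OAEP, the in-process 2048-bit demo keys, the use of the transaction id as OAEP label and all identifiers are assumptions of the example; the text above says only that each hop uses the recipient's public key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Party is one decrypting hop; keys are generated in-process for the demo.
type Party struct {
	Name string
	key  *rsa.PrivateKey
}

func NewParty(name string) *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, key: k}
}

func (p *Party) Public() *rsa.PublicKey { return &p.key.PublicKey }

// Seal encrypts a credential to one recipient with RSA-OAEP. Using the
// transaction id as the OAEP label is this example's choice: a captured
// ciphertext then fails to open under any other transaction id.
func Seal(to *rsa.PublicKey, txnID string, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, secret, []byte(txnID))
}

// Open decrypts with this party's private key and the expected transaction id.
func (p *Party) Open(txnID string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, ct, []byte(txnID))
}

// Relay is the switch hop: open what the app sent, re-seal it for the issuer.
// The MPIN is in clear inside this function, so the switch must be trusted.
func Relay(sw *Party, issuer *rsa.PublicKey, txnID string, ct []byte) ([]byte, error) {
	pin, err := sw.Open(txnID, ct)
	if err != nil {
		return nil, fmt.Errorf("%s cannot open credential: %w", sw.Name, err)
	}
	defer func() { // wipe the clear MPIN after it has been re-encrypted
		for i := range pin {
			pin[i] = 0
		}
	}()
	return Seal(issuer, txnID, pin)
}

// IssuerCheck opens the second hop and compares it in constant time with the
// issuer's reference value (how the issuer holds that value is out of scope).
func IssuerCheck(issuer *Party, txnID string, ct, expected []byte) bool {
	pin, err := issuer.Open(txnID, ct)
	return err == nil && subtle.ConstantTimeCompare(pin, expected) == 1
}

func main() {
	npci, bank := NewParty("NPCI"), NewParty("IssuerBank")
	txn, mpin := "TXN-0001", []byte("4821") // constructed sample values
	hop1, _ := Seal(npci.Public(), txn, mpin)
	hop2, _ := Relay(npci, bank.Public(), txn, hop1)
	fmt.Println("issuer accepts MPIN:", IssuerCheck(bank, txn, hop2, mpin))
	_, err := bank.Open(txn, hop1)
	fmt.Println("issuer cannot read hop 1:", err != nil)
}
```

Because the switch decrypts and re-encrypts, this is hop-by-hop protection: confidentiality of the MPIN depends on both private keys, not only the issuer's.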

10) SECURITY IN UPI

In India it is mandatory to use two-factor authentication for any digital transaction.
Two-factor authentication means that one component is required to establish the bona fide identity
of a person and the second component is a password or credential known only to the user. UPI
uniquely employs a one-click two-factor authentication system whereby, in a single click, the user
is able to satisfy both factors of authentication. The mobile device fingerprint is
used as the first factor of authentication and to establish the bona fide identity of the user. The
most critical aspect of security is to bind the mobile number with the device at the time of
profile creation of the user on the PSP UPI App.28 This is done by sending an encrypted outward
message from the bank-registered mobile number of the user. This message creates a device
fingerprint of the mobile phone by binding the mobile number with the Device ID, IMEI ID,
SIM Number and PSP App ID. If any element of the mobile fingerprint (Mobile Number,
Device ID, IMEI ID, SIM Number or PSP App ID) changes, the user is
required to re-authenticate the mobile device. The second factor of authentication is a 4-6
digit MPIN that the user creates and uses to authenticate the transaction.29
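One way to implement the device-binding check described above, as an added Go example rather than NPCI's or any PSP's code. The keyed HMAC-SHA256 construction, the server-side key and the sample values are assumptions; the text specifies only which attributes are bound and that any change forces re-authentication.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Binding holds the attributes the text lists for the device fingerprint.
type Binding struct {
	MobileNumber, DeviceID, IMEI, SIMNumber, PSPAppID string
}

func (b Binding) fields() []string {
	return []string{b.MobileNumber, b.DeviceID, b.IMEI, b.SIMNumber, b.PSPAppID}
}

// Fingerprint returns HMAC-SHA256 over the length-prefixed fields.
// The length prefixes stop two different bindings from serialising to the
// same bytes (DeviceID "ab" + IMEI "c" versus DeviceID "a" + IMEI "bc").
// The server-side key means a client cannot mint a valid fingerprint itself.
func Fingerprint(serverKey []byte, b Binding) []byte {
	mac := hmac.New(sha256.New, serverKey)
	var n [4]byte
	for _, f := range b.fields() {
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		mac.Write(n[:])
		mac.Write([]byte(f))
	}
	return mac.Sum(nil)
}

// FirstFactorOK is the per-transaction check: the binding presented now must
// reproduce the fingerprint enrolled at registration (constant-time compare).
func FirstFactorOK(serverKey, enrolled []byte, now Binding) bool {
	return hmac.Equal(enrolled, Fingerprint(serverKey, now))
}

// Changed names the attributes that differ, e.g. for the re-authentication log.
func Changed(old, now Binding) []string {
	names := []string{"MobileNumber", "DeviceID", "IMEI", "SIMNumber", "PSPAppID"}
	o, c := old.fields(), now.fields()
	var out []string
	for i := range names {
		if o[i] != c[i] {
			out = append(out, names[i])
		}
	}
	return out
}

func main() {
	key := []byte("demo-server-key") // constructed; a real key stays server-side
	enrolled := Binding{"9800000000", "dev-1", "imei-1", "sim-1", "psp.app"}
	stored := Fingerprint(key, enrolled)
	swapped := enrolled
	swapped.SIMNumber = "sim-2" // e.g. the SIM was replaced
	fmt.Println("same device passes:", FirstFactorOK(key, stored, enrolled))
	fmt.Println("after change passes:", FirstFactorOK(key, stored, swapped))
	fmt.Println("re-authenticate, changed:", Changed(enrolled, swapped))
}
```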

For data security, data has been classified into different classes of information:

1) Sensitive data: Such data is not to be stored and can only be transported in encrypted
format. Sensitive data includes passwords, PIN and biometrics etc.

2) Private Data: Data such as bank account number. Private data can be stored by the PSP but
only in encrypted format.

3) Non-sensitive data: Data such as name and transaction history (i.e. amount, timestamp,
response code, location, etc.) can be stored in unencrypted form.
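The three data classes enforced at the storage boundary, as an added Go example (not this paper's or any PSP's code). The field names, the choice of AES-GCM and the refusal of unclassified fields are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Class int
const (
	Sensitive    Class = iota // never stored: passwords, PIN, biometrics
	Private                   // stored only encrypted: bank account number
	NonSensitive              // may be stored in clear: name, amount, timestamp
)

// classes maps field names (hypothetical, chosen for this example) to a class.
var classes = map[string]Class{
	"mpin": Sensitive, "otp": Sensitive, "biometric": Sensitive, "account_number": Private,
	"name": NonSensitive, "amount": NonSensitive, "timestamp": NonSensitive,
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ForStorage returns what may be persisted: sensitive fields are dropped,
// private fields are AES-GCM encrypted (field name as associated data), and a
// field with no class is refused rather than stored in clear (fail closed).
func ForStorage(key []byte, rec map[string]string) (map[string][]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for field, val := range rec {
		class, known := classes[field]
		switch {
		case !known:
			return nil, fmt.Errorf("unclassified field %q refused", field)
		case class == Private:
			nonce := make([]byte, gcm.NonceSize())
			if _, err := rand.Read(nonce); err != nil {
				return nil, err
			}
			out[field] = gcm.Seal(nonce, nonce, []byte(val), []byte(field))
		case class == NonSensitive:
			out[field] = []byte(val)
		}
	}
	return out, nil
}

// Reveal decrypts a stored private field; modified or relocated bytes fail.
func Reveal(key []byte, field string, stored []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(stored) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed stored value for %q", field)
	}
	pt, err := gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], []byte(field))
	return string(pt), err
}

func main() {
	rec := map[string]string{"name": "A. User", "account_number": "000111222333", "mpin": "4821"}
	stored, err := ForStorage(make([]byte, 32), rec) // all-zero demo key
	fmt.Println(len(stored), err)
}
```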

In the current UPI architecture, security is handled in the following ways:

• Identity and Account Validation: Veracity of personal identity and bank account is
validated as a first step during User Registration which is done by sending an outward

28 Committee on Digital Payments, Ministry of Finance—Government of India 2006, Chapter 3, Section 3.1, p. 29.
29 Government of India (2007) Payments and Settlements Systems Act. Gazette of India, Government of India, New Delhi.

SMS by the PSP UPI App automatically without any customer intervention. This
outward SMS is sent in encrypted form from the mobile number, which is then authenticated by
the issuer bank to ensure that it is the registered mobile number of the user holding a
valid bank account with the bank.
• The PSP UPI App enables device fingerprinting through this automated outward
encrypted SMS, which hard binds the mobile number with the device. To authenticate
each transaction the user has to input a 4-6 digit MPIN, which is authenticated by the
Issuing Bank. A transaction can only go through if both the device fingerprint and the
MPIN are validated. The user is fully in control to prevent any unsolicited and malicious
payment requests: the user needs to personally input the MPIN to authenticate the
transaction and initiate any debit from his bank account.
• MPIN Security: The MPIN can only be captured on the NPCI library, i.e. on the NPCI
interface embedded in the PSP UPI App. This interface is invoked while entering the
MPIN for an interoperable transaction. The MPIN is communicated by NPCI to the
Issuer Bank over a secure channel. Using a Public Key Infrastructure (PKI) encryption
system, UPI encrypts the MPIN using the Public Key and the MPIN is decrypted by
the Issuing Bank using its Private Key. To ensure message security, trust and
non-repudiation, it is mandatory that all APIs communicate over an HTTPS layer and that every
message is digitally signed and has a unique message id for each request-response pair
and a unique transaction id. To prevent phishing, the Payer’s UPI PSP application should
mandatorily show the verified payee’s name to the payer in any payment request.
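The message-level requirements in the last bullet (every message signed, a unique message id, a transaction id), shown as an added Go example that is not UPI's own code. Ed25519, JSON serialisation and the field names are stand-ins chosen for the example; the text does not name the signature scheme or wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Request carries both identifiers; field names and JSON are stand-ins.
type Request struct {
	MsgID, TxnID, Payee, Amount string
}

type Envelope struct{ Body, Sig []byte }

var (
	ErrSignature = errors.New("signature check failed")
	ErrMissingID = errors.New("message id or transaction id missing")
	ErrReplay    = errors.New("message id already processed")
)

// Sign serialises the request and signs the exact bytes that will be sent.
func Sign(priv ed25519.PrivateKey, r Request) (Envelope, error) {
	body, err := json.Marshal(r)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

type Receiver struct {
	Sender ed25519.PublicKey
	seen   map[string]bool
}

// NewPair returns a receiver and the sender key it trusts (demo key generation).
func NewPair() (*Receiver, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Receiver{Sender: pub, seen: map[string]bool{}}, priv
}

// Accept verifies the signature before parsing, then requires both ids and
// accepts each message id only once, so a captured message cannot be replayed.
func (rc *Receiver) Accept(e Envelope) (Request, error) {
	var r Request
	if !ed25519.Verify(rc.Sender, e.Body, e.Sig) {
		return r, ErrSignature
	}
	if err := json.Unmarshal(e.Body, &r); err != nil {
		return r, err
	}
	if r.MsgID == "" || r.TxnID == "" {
		return r, ErrMissingID
	}
	if rc.seen[r.MsgID] {
		return r, ErrReplay
	}
	rc.seen[r.MsgID] = true
	return r, nil
}

func main() {
	rc, priv := NewPair()
	env, _ := Sign(priv, Request{"MSG-1", "TXN-1", "merchant@psp", "250.00"}) // constructed
	_, first := rc.Accept(env)
	_, second := rc.Accept(env)
	fmt.Println("first:", first, "| replayed:", second)
}
```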

UPI is significantly safer than any card or e-wallet transaction since every payment is tightly
tied to your mobile hardware and checks all devices. In the case of cards and e-wallets the
biggest security threat is the lack of a second factor of authentication (i.e. password) while making
a transaction. This makes cards and wallets vulnerable to system-level breaches, since
transactions can be system generated by a hacker without the need of a password; thus,
technically, a hacker can make thousands of fraudulent transactions simultaneously.

11) IMPACT OF UPI ON PAYMENTS INDUSTRY

UPI has witnessed rapid growth since its launch in August, 2016 in terms of number of users,
volume and value of transactions. Currently 55 banks are live on the UPI platform with more
than 60 PSP UPI apps available on app discovery platforms.30 Within 12 months of launch of

30 Reserve Bank of India (2017) Electronic Payment Systems—Data Dissemination. Reserve Bank of India.

UPI, more than 20 million users have downloaded various UPI PSP apps. Total value of
transactions on UPI has grown 82% month on month since its launch, with a total transacted
amount of Rs. 227 billion till August 2017.31 The monthly value of transactions on UPI has
already overtaken monthly transactions of all e-wallets put together in India. The value of
transactions on UPI is currently less than the value of credit and debit card
transactions, which constitute about Rs. 2700 billion per month, but UPI is growing at a much
faster rate.32 Currently person-to-person money transfers constitute the majority of UPI
transactions while person-to-merchant transactions are very few. This is due to the lack
of acceptance infrastructure at merchant payment points to accept UPI payments.
UPI usage for merchant payments is expected to increase with more businesses enabling UPI
payments for their customers. Current POS machines accepting payments through debit and
credit cards need to be reconfigured and updated to accept UPI payments. Also, POS
machines should be able to get the confirmation status of UPI transactions. As a payment
mode, UPI has the potential to make debit cards redundant, since with UPI there will be no
need to carry your debit card as your mobile phone will work as your debit card. However,
UPI in its current form does not support credit cards; hence UPI as a product does not
compete with credit cards. For online payments UPI clearly offers a better user experience
vis-à-vis debit cards or net banking payments.

• IMPACT ON PAYMENTS IN PHYSICAL WORLD


Payments in the physical world include cash and debit or credit card transactions. UPI has the
potential to transform payments in the offline world as it offers a cost effective alternative to
both cash and card transactions. With UPI, merchants do not require the expensive POS
machines used to collect digital payments through cards: a merchant will be able to display a
unique UPI QR Code which the customer can scan with a mobile phone and make the payment,
with the amount being credited instantly into the merchant’s bank account. Merchants can receive
payment confirmation over their mobile phones. Most cash transactions at the merchant point
happen due to the lack of digital acceptance mechanisms with merchants. Customers can also
directly pay the merchant at the merchant’s UPI ID and the merchant will receive payment
confirmation on the mobile phone.
• IMPACT ON ONLINE PAYMENTS:

31 National Payments Corporation of India (2017) BHIM Analytics. National Payments Corporation of India, Mumbai.
32 Reserve Bank of India. https://rbidocs.rbi.org.in/rdocs/ATM/PDFs/ATM072017B116CE3C8542429A8252F4C42D717773.PDF

Currently the majority of online transactions are enabled by payment gateways, with Debit/Credit
Cards and Net-banking being the primary modes of payment. Users are required to input all
the sensitive details including Card Numbers, Card Verification Value, Net-banking
usernames and passwords etc. This makes digital payments vulnerable to data leaks and
frauds. Also, there are a number of network hops between card networks, issuer and
acquiring bank to enable a transaction, which leads to high failure rates of transactions. With
UPI, customers need not provide any such information: a customer can simply scan a QR code
displayed on the website using a mobile phone and the payment can be completed in seconds
with only a few network hops. This not only avoids leaks of sensitive data but also
increases transaction success rates.
• IMPACT OF UPI ON BUSINESSES
Apart from being the most cost effective, fast and seamless payment method, UPI enables
digital payments for an entire spectrum of businesses, both brick and mortar and online
merchants. For physical businesses, each employee can be enabled to collect digital payments
since there is no need for any POS machine; each employee can be provided a unique UPI ID
and QR Code which the employee can present to the customer to collect payments. Apart
from proximate payments, where the customer is physically present at the billing counter,
UPI opens unique opportunities for businesses to collect payments where customers are not
physically present, for example insurance premium collection, school fee and electricity bill
payments etc., where a payment request can be sent to the customer and the customer can pay
remotely using a mobile phone. Another important use case for businesses can be to enable
payment at the time of delivery. In India there is a large prevalence of cash on delivery:
almost 60% of ecommerce sales happen with cash payment being made at the time of
delivery.33 Such payment at the time of delivery can be converted into digital payment
using UPI, whereby a customer can easily pay through UPI at the time of delivery.

12) CONCLUSION

UPI has enabled the mobile phone to be used as a primary payment device for making and
accepting payments. UPI leverages the high tele-density in India to enable every bank account
holder to make digital transactions using a mobile phone. In India, which has a poor merchant
payment acceptance infrastructure, UPI enables even the smallest merchant to start accepting
33 National Payments Corporation of India (NPCI) (2016) NPCI Presents Unified Payments Interface (UPI) System, NPCI Press Release. 11 April 2016, National Payments Corporation of India (NPCI), Mumbai.

digital payments without the need for any POS machine. UPI has done away with the need to
know the complicated payment details of the transacting parties, which makes payments easy
and seamless for transacting parties. Compared to all other payment systems it would not be
misplaced to say that UPI is the most advanced payment system in the world. With its
standard set of APIs, UPI has allowed different banks to communicate with each other and
has enabled inter-operability between disparate bank payment systems. In UPI there are no
intermediaries like in card networks, which allows for low transaction costs and instant
settlement. While all other digital modes of payments like cards etc. take days to complete
the transaction and settlement process, UPI allows payment to be completed in seconds. UPI
works on a safe, secure and robust platform with ample security features to make it more
secure than any extant payment system. Introduction of biometric authentication in UPI will
not only make payments more secure but will also take a huge leap towards integrating next
generation technology with current payments system. UPI can be a great enabler for financial
inclusion in India and allow a huge set of population to be a part of digital economy.

BIBLIOGRAPHY

1. WEBSITES
• www.rbi.org.in
• www.npci.org.in
• www.wikipedia.org
• www.cashlessindia.gov.in
• http://uidai.gov.in/auth

2. ARTICLES AND PUBLICATIONS

• Electronic Payment Systems—Data Dissemination. Reserve Bank of India.
• BHIM Analytics. National Payments Corporation of India
• Committee on Digital Payments, Ministry of Finance—Government of India
• Committee on Comprehensive Financial Services for Small Businesses and Low Income Households
• Aadhaar Authentication - UIDAI
• Reserve Bank of India (2009) Payment Systems In India Vision 2009-12. Department of Payment and Settlement Systems. Reserve Bank of India
