The safety gaps in UPI payments — and how to plug them

Despite the ‘openness’ of the UPI architecture, a concentration of market power in the UPI ecosystem is no secret.

Authors: Deepro Guha and Aishwarya Viswanathan
Published: September 28, 2022 in the Livemint

Clocking volumes as large as 10,000 transactions per second, the Unified Payments Interface (UPI) has revolutionized real-time payments in India.

UPI was launched in April 2016, a few months before demonetization and the arrival of new telecom players, and its initial adoption was driven primarily by the state’s clampdown on the cash economy and a dramatic crash in telecom data plan prices.

Subsequently, its open architecture model, which allowed for interoperability across banks and payment service providers, steadily endeared itself to India’s mobile-first consumer economy by offering unparalleled transactional convenience. Today, the country has over 100 million monthly active users of UPI. So, what sets UPI apart? At the forefront of its story is a strategy spearheaded by National Payments Corporation of India (NPCI), which, as UPI’s chief architect and custodian, has been dismantling barriers and incentivizing UPI adoption at two levels: local and global.

Going ‘Glocal’: Recent estimates suggest that a sizable section of India’s poor households have started using digital payment tools. Much of this increase in adoption can be attributed to UPI’s popularity, while NPCI continues its efforts to widen access to UPI by offering products such as UPI 123Pay, a voice-based payment service for feature phone users, and services like DigiSaathi, a 24-by-7 helpline, and UPI Lite for offline transactions. Although perhaps insufficient to address India’s challenges of digital literacy, access and connectivity, these efforts have nudged users to go digital and move away from the informal cash economy.

Similarly, in an era of great power politics being shaped increasingly by developments in the digital realm, NPCI’s partnerships with international networks are noteworthy. For instance, recent announcements of linking UPI with Singapore’s PayNow, Dubai’s NeoPay and the UK’s PayXPert may not only encourage adoption, they may also prove critical in bringing down remittance fees while decreasing India’s dependence on other cross-border payment systems. Remittances are not only an important source of household income, but also a critical source of financial inflows for countries, often higher than foreign direct investment (FDI). In 2021, India received $45 billion as FDI and $87 billion in remittances. Therefore, driving down the cost-of-transfer may magnify the platform’s benefits at the household level.

Overall, the adoption of UPI is a success story that needs to be applauded. However, this ubiquity and relentless rise are not without risks, and critical questions that relate to UPI’s functioning and future need answers.

What are the risks of UPI infrastructure that users should be wary of? Despite the ‘openness’ of the UPI architecture, a concentration of market power in the UPI ecosystem is no secret. GooglePay and PhonePe still dominate it. While they deserve credit for their critical role in driving UPI’s spread, their dominance of this ecosystem is starting to preclude the meaningful participation of others in this market. To keep it contestable, NPCI had in its role as a quasi-regulator decided to issue a cap of 30% on transaction volume clocked by any single player. However, the deadline for compliance with this diktat has been pushed back several times, with little clarity on how it will be enforced. These concerns have also been recognized by the Reserve Bank of India (RBI), which is studying regulations in other jurisdictions to find an effective solution to a problem that is not easy to solve.

More ominously, UPI currently accounts for a whopping 50% of all online financial fraud. Various devices old and new, such as phishing, malicious QR codes, etc, are being used to trick consumers. Part of the problem stems from the ease and newness of UPI; users are yet to fully understand and adapt to it. While card systems have over time developed robust systems for fraud prevention, this is yet to be addressed in UPI’s case. However, given its furious growth and user-base being more inclusive than those of card networks, a lot more needs to be done. To improve the security and reliability of the interface, UPI service providers would need to tweak their digital architecture, which in turn would entail additional expenditure. Hence, the next question.

What is the cost of the UPI infrastructure and who will bear it? RBI recently estimated that for a ₹800 merchant transaction, various stakeholders enabling a UPI swipe incur a collective cost of ₹2 per transaction, which suggested that the cost of infrastructure may not be sustainable in the long run. A few days later, the ministry of finance intervened with assurances that UPI will remain available free of cost. However, details of what fiscal support will be offered to keep UPI swipes free of cost are yet to be seen. Until then, questions of who will bear the cost of UPI, and for how long, will continue to loom.

Separately, given the involvement of multiple private stakeholders in the UPI payments chain, it is important to ensure the sustainability of their operations and alignment of their incentives with public good objectives. In this context, while many solutions have been suggested by experts, a tiered system of charges for ensuring UPI sustainability could be considered.

Overall, the time has come for us to look beyond UPI adoption. Identifying workable solutions to questions around competition and cost of operation will be critical in ensuring that India’s unique experiment in online payments continues to look up for years to come.