NPCI Implements Stricter Controls on UPI API Usage to Prevent System Overload

NPCI has issued a circular (accessible here) introducing tighter regulations on UPI API usage to mitigate system overloads caused by excessive “check transaction status” requests. Payment Service Providers (PSPs) and acquiring banks are now required to make such API calls only after a specified cooling period—initially 90 seconds, subsequently reduced to 45–60 seconds post-authentication—and limit these calls to a maximum of three per transaction within a two-hour timeframe. Unauthorized or standalone API calls are prohibited without prior approval. Additionally, all banks must carry out immediate and annual audits through CERT-In empanelled auditors. Non-compliance may lead to penalties, and NPCI is also considering implementing rate limiters to ensure the stability of the UPI system.