Certain fintech firms currently offer a service that lets a business entity or a third-party body authenticate users through their UPI IDs. The service is not authorised by NPCI and the Reserve Bank of India under the rules for entities operating on the retail payment network, said two people in the know.
In a letter to fintechs earlier this month, NPCI instructed these firms to shut down such services. ET has seen a copy of the letter.
“NPCI has observed instances of unauthorised use of UPI APIs by certain participants. In accordance with the guidelines set forth…the UPI APIs provided by NPCI are strictly for the purpose of facilitating “UPI payments” for customers and for required verification of users for fraud prevention. These APIs must not be used independently for any other purposes other than the above mentioned,” the letter read.
Identity verification platforms like Idfy, payment aggregators like Cashfree and other fintechs offer this service by using UPI application programming interfaces (APIs) offered by NPCI, either directly or through partner entities such as banks and third-party payment applications like PhonePe and Paytm. APIs allow different businesses to integrate their backend systems through software networks and facilitate the flow of information.
NPCI did not respond to ET’s queries. Queries to Cashfree and Idfy went unanswered too.
Participating members with access to these APIs are prohibited from entering into commercial arrangements with third parties for the provision of “APIs as a service”, NPCI said in its letter.
“Any violation of these compliance guidelines will be dealt with the utmost severity, including the imposition of penalties or cessation of UPI services,” the letter added. All member banks and third party payment applications have also received a copy of the letter.
By using the NPCI network for UPI payments, these platforms can verify a user's data against their UPI ID, such as their name, bank account status, mobile number, and whether the customer holds any alternate UPI ID.
Consumer-facing brands use such services to authenticate genuine users, weed out fraud and build a stronger profile of their customer base.
“This is not a case of data leak, but it is unauthorised use of certain sensitive data which is held by banks and NPCI,” said a chief executive of a fintech firm.
A senior payment industry insider told ET that payment firms create profiles of their users based on parameters like transaction data and spending patterns. Such a profile is very useful for any digital lender, non-banking financial company and even large consumer brands to understand their users better.
“While some service providers have halted this service, others are continuing to offer it,” he said.
ET could not independently ascertain the exact status of this service across multiple firms.
Overall, fintechs have been under tremendous regulatory scrutiny, as many of their business avenues have been struck down by regulatory bodies. From the halt on issuing credit lines on prepaid cards to the outsourcing of core technology functions to third-party entities, along with any sidestepping of regulatory boundaries, all of these are being scrutinised by the regulatory bodies.