Deconstructing Unified Payments Interface (UPI)

tl;dr version

UPI is a VIP party right now. The PSP is the real protagonist in this story. Consumers will only talk to PSPs through their apps. Feature-rich PSPs can have a big impact on the economy. Unfortunately, only banks are PSPs right now and their track record on innovation is questionable. There needs to be a way for startups and third-party players to be PSPs for the average Joe to see the benefits of UPI.

National Payments Corporation of India (NPCI)’s UPI program is slated to go live in April and there’s a lot of buzz around it. In this article, I attempt to deconstruct what UPI means and what sort of impact we can foresee in the near future. This post is based on my reading of UPI docs and other articles and I present a developer’s take on it. The technical spec doc, by the way, is well written and makes for a nice evening read.

The Basics

There are 5 important actors in this game, so let’s call them out:

  • Payer — someone who needs to pay
  • Payee — someone who should receive the money
  • Bank account — payer or payee have a bank account where money can be held, debited from or credited to. These are RBI regulated.
  • Payment System Player (PSP) — a new concept in the UPI world. This is not the same thing as a Payment Bank. This is someone who facilitates payments, i.e. can move money. More on this in a bit.
  • PSP App — this is an app provided by a PSP where the user can authenticate and authorize actions

Every payer and payee has a virtual address in this world. This virtual address has to be ultimately resolved into a physical address — which is their bank account. Multiple virtual addresses may be mapped to the same physical address. The resolution of a virtual address is done by a PSP or by NPCI (in certain cases). A customer (payer or payee) would have to register with a PSP to establish this mapping. The virtual address could look like ‘siva@icicibank’.

The payee would provide their virtual address to payer and the payer would initiate money transfer using the PSP app. UPI is the middleman that routes the payment to destination bank after resolving the virtual address of the payee.

There is also a collect workflow where payee can request a certain amount and the request is routed to payer’s PSP application. The payer authenticates and makes payment.

PSP — The Real Protagonist

The PSP is the real protagonist in this entire new scheme. In fact, as a consumer, you’ll never see UPI directly. You will only interact with PSPs and their apps. Feature rich PSPs will have a huge impact on user behavior and enable a variety of use-cases. A PSP can implement recurring billing, automatic payments among other things. Unfortunately, as it stands, only banks are allowed to be PSPs — this doesn’t bode very well as banks are not known to be technology innovators.

Why am I skeptical about banks’ ability to pull off being good PSPs? Their track record isn’t great. Most Indian banks don’t have any APIs — RBL is an exception. ICICI Bank has just started testing out some APIs via a hackathon. This shows that banks could’ve done a whole lot more even if UPI wasn’t in place and they didn’t.

NPCI needs to find a way to bring third-party PSPs into the mix to take this to the next level.

Once you start thinking of third-party PSPs, things get very murky. The PSP is supposed to resolve a virtual address into a physical bank account. Banks have established authentication/authorization schemes (goddamn OTPs). If the PSP is a third party, how can it resolve a virtual address to a bank account? The user has to tell the PSP that. How does the PSP trust the user? As an example, I can claim that ‘siva@icici’ maps to a random bank account and use it to pay my bills. To solve this problem, banks will have to implement schemes like OAuth2 so that the PSP can verify a user’s identity and act on behalf of the user.

A more familiar example is an app that can post to your (and only your) Twitter account on your behalf. The app needs to make sure you’re who you say you are and you need to be able to disable the app if it starts posting spam on your behalf. This aspect is inadequately addressed by the technical specifications.

The specifications need to call out the authorization scheme involving user, PSP and user’s bank.

I hope this aspect is addressed soon because it will form the basis of very useful automation. As an example, I don’t want to manually confirm a collect request if it’s under Rs. 200 and my daily limit of Rs. 1000 hasn’t been exceeded. This means that small transactions like cab fares and restaurant bills can be super quick. I need a mechanism to tell the PSP app that it is OK to handle such transactions on my behalf.
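A sketch of the delegation discussed above, as an added example that is not part of the UPI specification or of any bank's API: the bank issues a scoped, revocable grant, the PSP accepts a virtual-address mapping only when the bank vouches for it, and collect requests are auto-approved only inside the granted limits. The class and method names, the HMAC-signed grant (a stand-in for an OAuth2-style token checked by introspection) and the sample account values are all assumptions.

```python
import hashlib, hmac, json

class Bank:
    """Hypothetical bank acting as the authorization server for grants."""
    def __init__(self, key):
        self._key, self._revoked = key, set()

    def _sign(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue_grant(self, vpa, account, per_txn, daily):
        # Called only after the bank has authenticated the account holder.
        claims = {"vpa": vpa, "account": account, "per_txn": per_txn, "daily": daily}
        body = json.dumps(claims, sort_keys=True).encode()
        return body, self._sign(body)

    def revoke(self, sig):
        self._revoked.add(sig)

    def introspect(self, body, sig):
        """Return the claims if the grant is genuine and not revoked, else None."""
        if sig in self._revoked or not hmac.compare_digest(self._sign(body), sig):
            return None
        return json.loads(body)

class PSP:
    """Hypothetical third-party PSP that never trusts a user's own claim."""
    def __init__(self, bank):
        self.bank, self.grants, self.spent = bank, {}, {}

    def register(self, vpa, body, sig):
        # Accept a virtual-address-to-account mapping only if the bank vouches for it.
        claims = self.bank.introspect(body, sig)
        if claims is None or claims["vpa"] != vpa:
            return False
        self.grants[vpa] = (body, sig)
        return True

    def handle_collect(self, payer_vpa, amount, day):
        # Re-check the grant on every request so revocation takes effect at once.
        grant = self.grants.get(payer_vpa)
        claims = self.bank.introspect(*grant) if grant else None
        if claims is None or amount <= 0:
            return "REJECT"
        used = self.spent.get((payer_vpa, day), 0)  # whole rupees auto-approved today
        if amount < claims["per_txn"] and used + amount <= claims["daily"]:
            self.spent[(payer_vpa, day)] = used + amount
            return "AUTO_APPROVE"
        return "ASK_USER"  # outside the delegated scope: manual confirmation
```

With a grant of 200 per transaction and 1000 per day, a Rs. 150 cab fare is approved silently, a Rs. 250 bill goes back to the user, and everything is rejected once the user revokes the grant at the bank.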

This article suggests that 29 banks have signed up as PSPs. There are about 170 banks in India with ~128000 bank branches across India. If these are the top 29 banks, then this would cover accounts at ~108000 bank branches, which would cover a large portion of the banking population. The one catch is that this impact will be realized only when all PSPs come online — it’s not clear where all the different PSPs are w.r.t. their implementation.

I hope this post was useful — welcome comments, bouquets and brickbats.