The National Payments Corporation of India (NPCI) is stepping up its supervision of the Unified Payments Interface (UPI) to prevent future disruptions caused by stress on the core network.
In a circular issued on Wednesday, the payments authority outlined operational guidelines for 10 application programming interfaces (APIs) linked to UPI.
It has asked payment service providers and acquiring banks to monitor and moderate their use of these APIs.
The body may also impose rate limits on the number of times an API can be called.
The move follows a root cause analysis conducted last month, which found that banks overloaded the system by sending too many “check transaction status” API calls, contributing to system downtime.
“In the event of non-compliance with the above guidelines, NPCI may take necessary action including UPI API restrictions, penalties, suspension of new customer onboarding or any other measures deemed appropriate,” the circular said.
Business Standard has reviewed a copy of the circular.
UPI members and their partners are required to implement the guidelines by July 31.
Sources familiar with the matter said the changes to back-end integrations and systems at banks may take two to three months.
“After the initial outage, it looks like more effort is being put into preventing future disruptions for users, which reflects a customer-first approach.
“For instance, mandate executions and other utility APIs are now scheduled for low-traffic hours,” an executive at a financial technology firm said.
The body has defined peak hours as periods when UPI transactions hit their highest volume per second, typically from 10 am to 1 pm and 5.30 pm to 9.30 pm.
Common use cases for UPI APIs include checking transaction status, balance enquiries, executing autopay mandates, and verifying account details.
APIs are protocols that enable secure data exchange between banking systems and the UPI network.
NPCI has also asked acquiring banks to conduct a system audit by a CERT-In (Indian Computer Emergency Response Team) empanelled auditor to review API usage.
Audit reports are due by August 31. Banks have been instructed to carry out these audits annually.
Last month, NPCI issued circulars aimed at cutting response times for four APIs and curbing their misuse.
It also directed banks to initiate the “first check transaction status API” only after 90 seconds from the authentication of the original transaction.
“After the timers are changed, members may initiate the same after 45–60 seconds of the initiation or authentication of the original transaction,” it added.