Decoding NPCI's 2025 UPI Mandates: A Guide for Banks on Fraud Detection, Prevention and Compliance
Introduction
In recent years, India’s digital payment ecosystem, especially UPI, has grown exponentially. This massive adoption has brought transformative changes, both in how we transact and how we operate. By bridging the gap between convenience and speed, UPI is now primed for smarter, more structured digital financial journeys.
However, with all these perks on its side, UPI has also become a powerful tool in the hands of fraudsters. Its speed, simplicity, and widespread reach, once considered its strengths, are now exploited for fraud. To combat this, the National Payment Commission of India (NPCI) has issued new circulars in 2025 that specify regulations and highlight measures to curb UPI frauds from its roots.
This blog serves as an essential guide for understanding the new directives from NPCI. By breaking down security measures, mandatory compliance requirements, and other best practices, it provides banks with actionable insights to prevent UPI frauds, safeguard customers, and adhere to evolving regulations.
NPCI’s Regulations to Prevent UPI Frauds
The UPI usage soared to an all-time high, crossing over 18.3 billion transactions in 2025. Following this nationwide adoption, fraud related to UPI accounted for a staggering 485 crores in just six months of the financial year 2025. In the wake of this major concern, NPCI has released a series of circulars pertaining to UPI frauds. Let’s break down these mandates and discern their implications.
Mandate: CBS-Verified Beneficiary Name Display
Implementation date: June 30, 2025
This circular specifies the mandatory display of beneficiary names in all the UPI applications. Through integration with the Core Banking System (CBS), all UPI applications should display the bank-registered names of recipients during every active transaction. Pseudo names and other derived names will not be displayed in applications, leading to clarity and transparency in ongoing transactions.
Active Issue Addressed: Social engineering and impersonation frauds are some of the prevalent techniques used to commit UPI scams. This mandate specifically addresses the issue and standardises the procedure for verifying identities in the pre-transaction phases.
Implications: With this implementation, financial institutions can tackle fake merchant scams, identity spoofing, and QR frauds. Additionally, banks can validate recipients without any hassle.
Mandate: Restriction on Non-financial API Use
Implementation date: August 1, 2025
This specific mandate notifies the restrictions placed on APIs to curb financial crimes. With hard-use limits on balance checks, account listings, and autopay executions, NPCI has taken strategic steps to safeguard customers and protect banking infrastructure. The circular states a limit on balance checks to 50 per day in an application per user; it curbs account listings to 25 per day in an application per user and allows autopayments only during non-peak hours.
Active Issue Addressed: Non-financial APIs like balance checks and account listings are constantly exploited by fraudsters. The new directive has limited these API misuses, which are usually used to test stolen credentials, overload banking infrastructure, and find gaps in the financial ecosystem.
Implications: This directive aims to reduce the fraudster’s ability to scrape or probe bank accounts and their details. Moreover, it also aids in protecting critical banking infrastructure from overloading abuse and reduces DoS-style attacks on banks.
Mandate: Reduction in UPI Response Time
Implementation date: June 16, 2025
NPCI’s new directive aimed at reducing the UPI response time is another addition in the series to secure payment operations from UPI frauds. This circular states that all UPI transactions are to be made faster, including the processing time being reduced to 15 seconds and the status check and reversal being reduced to under 10 seconds. These changes aim to facilitate quicker and more secure operations while providing a reliable user experience to customers.
Active Issue Addressed: Delayed UPI processing time was an ideal scenario for risk exposure and fraud interception. By expediting the process and cutting down on the window of vulnerability for transactions, this circular intends to enhance the security posture of the UPI ecosystem.
Implications: The consequences of this directive are profoundly positive for banks and financial institutions. It has an extended effect on operations, security and customer satisfaction. From reducing surface-level fraud attacks to improving security posture, this mandate is a powerful enhancement in terms of user experience and security.
Mandate: Disabling International UPI via Shared QR codes
Implementation date: April 4, 2025
As a startling update, NPCI has disabled international QR share and pay. At a time when UPI is expanding in international corridors, this comes as a strategic effort to curb international UPI Frauds. This update restricts international users from making payments through shared QR codes and allows only live location and physical access UPI scanning. Additionally, loading digital wallets with collected requests is also restricted in the wake of a significant surge in UPI frauds.
Active Issue Addressed: This regulation is an effective step to mitigate high-risk international payment scenarios. As a proactive approach, this eliminates prevalent vendor attacks and forces transactions into more secure, verifiable channels.
Implications: The most critical implication is that this curbs cross-border UPI frauds and reduces QR code manipulation, phishing, and impersonation. It also augments UPI’s security for international usage, which is crucial for global acceptance of UPI and its reputation.
BANKiQ—Built to Secure Your Instant Payment Operations
The recent mandates by the NPCI for UPI protection highlight the robust efforts by the government of India to secure payments, improve customer experiences, and provide a structured framework for financial institutions to curb rising UPI threats. In this series of regulations, NPCI aims to build a reliable and secure UPI ecosystem that fosters innovation and actively safeguards against evolving UPI threats.
Recognising these significant efforts, we at BANKiQ offer a modern FRM platform to fight against UPI threats. Purpose-built to secure digital payments, protect customers, and ensure compliance, our solution equips financial institutions with real-time capabilities to detect threats, respond to frauds and report suspicious activities to regulators.
As a technology provider for financial risk mitigation, we empower banks and financial institutions to proactively defend against sophisticated fraud schemes and maintain trust in their payment infrastructure.
