Strengthening UPI compliance for secure and sustainable digital payments

UPI has redefined digital payments in India, becoming the backbone of the country's financial ecosystem. Launched in 2016, UPI was designed as a unified platform supporting peer-to-peer (P2P) and peer-to-merchant (P2M) transactions from the outset. Over the years, it has evolved into a versatile system enabling bill payments, credit disbursements and wallet interoperability.

UPI has demonstrated remarkable growth, with 13,116 crore transactions worth INR 200 lakh crore recorded in FY 2023-24. The momentum remained strong with February 2025 recording 1,610 crore transactions valued at INR 21 lakh crore, marking a 33% rise in transaction volume and a 17% increase in transaction value compared to February 2024, which saw 1,210 crore transactions worth INR 18 lakh crore. 

Globally, India's real-time payment dominance is evident — the ACI Worldwide Report 2024 shows that 49% of global real-time payment transactions in 2023 took place in India, solidifying UPI's position as a global leader in digital payments. This underscores the rapid evolution of digital payments in India, which continues to set benchmarks for the rest of the world.

Today, over 40% of all payments in India are digital, with UPI accounting for the majority share. The platform has participation from 652 banks and over 80 apps, integrating seamlessly with debit cards, digital wallets, and even newer products like UPI Lite, UPI 123Pay, autopay, credit card on UPI, and credit line on UPI.

This rapid innovation and expansion reflect the strength of UPI's open architecture, which brings together multiple stakeholders—banks, Third-Party App Providers (TPAPs), merchants, service providers, and payment facilitators—each contributing to its functionality. Any gap in compliance at any level could compromise the security and integrity of the entire ecosystem. As the ecosystem grows in scale and complexity, there is a growing emphasis on strengthening regulatory compliance frameworks, particularly adherence to NPCI guidelines, to support secure and sustainable growth.

Present approach to UPI compliance

NPCI has laid a strong foundation for UPI compliance through a comprehensive set of guidelines, ensuring the ecosystem remains secure and interoperable. These guidelines, issued through multiple circulars, cover:

• Functional and interoperability compliance.
• Risk and Information Security (InfoSec) compliance.
• Technology and operations compliance.
• Pricing, commercial, and transaction limits.
• Settlement, reconciliation, and dispute management.
• Branding and promotional guidelines.

Since its inception, UPI has been shaped by NPCI's proactive approach to evolving trends. Between 2016 and 2025, NPCI has issued over 300 circulars, primarily due to revisions to address continuous product enhancements, version updates, and new use cases. These revisions ensure the platform remains adaptable and aligned with the dynamic needs of the digital payments ecosystem.

However, as UPI's product landscape evolves, there is now a growing need for real-time compliance monitoring driven by several factors, including:

• UPI now powers multiple products, ranging from credit on UPI to autopay, each with distinct operational requirements. As these offerings interact with the existing UPI rails, a unified compliance view is crucial to maintain product consistency and prevent conflicting interpretations.
• With the growing adoption of UPI, the sophistication of fraud techniques has also increased. Fraud cases rose by 85% in FY24, climbing from 7.25 lakh cases in FY23 to 13.42 lakh cases. The total value of fraud doubled, increasing from INR 573 crore to INR 1,087 crore. Strengthening compliance frameworks is essential to mitigate emerging threats and maintain user confidence.
• Given UPI's scale, which processes trillions of transactions annually, even minor operational gaps can affect millions of users. Preemptive compliance checks are necessary to safeguard against systemic risks and ensure business continuity.
• Fintech apps often operate on rapid development cycles. Embedding regulatory technology (RegTech) and real-time compliance monitoring into these cycles ensures new releases align with NPCI's guidelines without sacrificing security.

Grant Thornton Bharat has developed the UPI Adherence Engine Dashboard (UAED), a dynamic solution designed to strengthen UPI compliance across the ecosystem to support this evolving landscape.

The UAED offers:

• Compliance gap analysis: Offering a clear view of existing compliance levels across functional, risk, and operational requirements, aligned with NPCI circulars.
• Competitor benchmarking: Enabling UPI apps and TPAPs to compare their compliance status with peers, identifying areas of strength and vulnerability.
• Business intelligence insights: Helping stakeholders balance compliance and business objectives by understanding how regulatory requirements impact growth strategies.
• Circular integration tracking: Ensuring new NPCI circulars are seamlessly integrated without compromising adherence to previous ones and avoiding partial compliance.

Crucially, UAED transforms compliance into a business enabler by aligning risk management with growth strategies, ensuring UPI platforms can scale securely.

Conclusion

As UPI continues to expand both in transaction volumes and product offerings, ensuring proactive, risk-based compliance is critical. Solutions like the UAED bridge this gap by offering real-time compliance tracking, business intelligence, and dynamic risk assessments. UPI's success will depend on its scale and ability to innovate securely, making compliance both a regulatory necessity and a business advantage.