As UPI 2.0 Is Unveiled, It Remains Very Much a Transaction in Progress

While the update comes with a bunch of new features, it's still missing what a digital consumer truly needs: an efficient grievance redressal system.

After a delay of over six months, version 2.0 of the Unified Payments Interface (UPI) was unveiled last week by Reserve Bank of India governor Urjit Patel in the presence of Nandan Nilekani at a closed-door event organised by the National Payments Corporation of India (NPCI) for banking and payment industry executives.

Users, however, will need to wait till at least early September to see these features on their apps, as banks are still testing the same. What’s new though is support for overdraft accounts, account blocking (or one-time mandate), increased overall transaction limits, invoice in inbox and signed QR/intent.  

The much awaited feature of e-Mandates (standing instructions for recurring debits) has been put on hold and fin-tech companies, particularly digital lending firms, will need to wait longer – probably until banks develop confidence in the system.

While UPI is often referred to as a digital public good by its makers – the government has used taxpayer money for subsidising and incentivising transactions on the platform – the development of UPI 2.0 did not go through any form of public consultation or comments process.

The technical specifications for the new version are also not available publicly. If they were, citizens would be able to see the direction that the payments platform is taking, understand the changes being made and see how these would affect their rights as consumers.

What adds to this frustration is that the Indian government is yet to establish a separate payments regulator under the RBI, despite it being announced 18 months ago.

Consequently, what has essentially happened is that a private payments platform with the blessing of the state has upgraded its proprietary platform. This upgraded version naturally slants towards banking and fin-tech lobbies which have fought hard to bring in specific features, stop various others and overall protect and advance their interests.

This leaves the Indian consumer voiceless. Below, we look at each of the enhancements proposed through the fine print and try to analyse the upsides and downsides.  

What is included in UPI 2.0

One-time mandate with block functionality: This feature lets a user pre-authorise a transaction, creating a mandate wherein the transaction amount is blocked by the bank, but the actual debit from the account happens only when the merchant exercises the mandate to complete the transaction, allowing the user to earn interest until then.

The blocked amount becomes available automatically if the merchant does not choose to exercise the mandate or cancels it. This functionality adds a fully backed, pre-authorised delayed debit feature to UPI, narrowing the gap with card networks. Besides enabling UPI to compete in use cases such as travel and hotel reservations, rental guarantees and debit on delivery for e-commerce, this feature will be closely watched by capital markets regulator SEBI, which has planned to include UPI as a payment mode for initial public offerings (IPOs).

While technically the feature might reduce friction in IPOs and speed up the process, there are risks, such as the measurement of retail investor sentiment and price discovery after allotment but before trading, that need to be studied carefully, as transaction data from UPI is available with a host of entities and NPCI holds a superset of all transaction data.

OD accounts: Users may now possibly link their overdraft accounts/savings account with overdraft on their UPI apps and can also transact within the applicable pre-approved overdraft limits on the account.

While the intent seems to be to offer short-term credit with ease through UPI, the bank is responsible for getting an agreement with customers, along with consent on terms and conditions, and for communicating due dates, outstanding amounts and interest charges.

This could potentially lead to the consumer unknowingly overspending, and banks could then impose charges.

Invoice in inbox: A feature that allows merchants to attach an invoice along with the transaction for users to view them before approving the payment. The link to the invoice, which is to be hosted by the merchant, is also stored along with transaction history and is to be made available for two months from the transaction date.

At the outset, this appears to be a convenient feature to access a ticket or view the content of an invoice. However, there are deeper privacy risks involved, as the invoice might be accessible to anyone with a link to it. This could lead to increased and unnecessary data harvesting, at both the PSP and NPCI level, as more metadata related to the transaction is collected.

With there being growing concern about data protection, and as approaches of privacy-by-design are becoming the norm, this feature seems to harvest data by design and masquerade it in the form of convenience.

This feature should ideally be requested by the user, which will restrict data collection.

Signed QR/Intent: Payment instructions can be pre-filled with transaction details, including the merchant VPA. The amount can be composed and transmitted to payee’s mobile phone through a QR code or other contactless modes, like audio or Bluetooth signals, which users of a UPI app can read.

The signing of the QR and intent will protect the integrity of such instructions, which are either scanned or received by the app, from malware that could otherwise tamper with such messages.
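How a signature lets the app detect an altered payment instruction, as an added example that is not part of the original article or of any NPCI code. Since the UPI 2.0 specification is not public, the `upi://pay` parameter names, the canonical form and the choice of Ed25519 are all assumptions made for illustration.

```javascript
// Added example. The parameter names, the canonical form and the use of
// Ed25519 are assumptions; they are not taken from the UPI 2.0 specification.
const nodeCrypto = require('node:crypto');

// Constructed payee key pair. A real app would hold only a trusted public key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Both sides sign and verify the same bytes: every parameter except `sign`,
// sorted by name and percent-encoded.
function canonical(params) {
  return [...params.entries()]
    .filter(([name]) => name !== 'sign')
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([name, value]) => `${encodeURIComponent(name)}=${encodeURIComponent(value)}`)
    .join('&');
}

// Payee side: build the payment instruction and append the signature.
function signIntent(fields, key) {
  const params = new URLSearchParams(fields);
  const sig = nodeCrypto.sign(null, Buffer.from(canonical(params)), key);
  params.set('sign', sig.toString('base64url'));
  return `upi://pay?${params.toString()}`;
}

// App side: verify before any field is shown to the user or used for payment.
function verifyIntent(uri, key) {
  const prefix = 'upi://pay?';
  if (!uri.startsWith(prefix)) return { ok: false, reason: 'not a pay intent' };
  const params = new URLSearchParams(uri.slice(prefix.length));
  const sig = Buffer.from(params.get('sign') || '', 'base64url');
  if (sig.length === 0) return { ok: false, reason: 'unsigned' };
  // An Ed25519 signature is always 64 bytes; reject anything else early.
  if (sig.length !== 64) return { ok: false, reason: 'bad signature' };
  if (!nodeCrypto.verify(null, Buffer.from(canonical(params)), key, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, payee: params.get('pa'), amount: params.get('am') };
}

// Constructed sample: a signed instruction, then a copy whose payee VPA was altered.
const signed = signIntent(
  { pa: 'merchant@examplebank', pn: 'Constructed Store', am: '499.00', cu: 'INR' },
  privateKey);
const altered = signed.replace('merchant%40examplebank', 'someone-else%40examplebank');
console.log(verifyIntent(signed, publicKey), verifyIntent(altered, publicKey));
```

The check only helps if the app obtains the verifying key from a source the malware cannot influence, and if it refuses unsigned instructions wherever a signed one is expected.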

While this could help mobile app and online transactions, there seems to be too little effort in pushing QR codes in face-to-face payments. It has been two years since UPI was launched, and very few places have UPI QR stickers.

NPCI itself came up with what it calls Bharat QR, which included support for card networks and later an upgrade that integrated UPI support in BharatQR. However, Bharat QR stickers are not to be seen either. A lack of incentives for banks to acquire merchants is cited as the reason behind this poor penetration, even as wallets have aggressively placed their stickers. The added complexity, besides the lack of clear QR standards, makes QR-driven payments on UPI a non-starter.

Increased transaction limits: The overall daily transaction limit per user has now been increased to Rs 2 lakh a day. While this is good news for users, of late several banks have placed sub-limits much lower than the pre-existing limit of Rs 1 lakh. Individual apps too have limits of their own: BHIM has a Rs 40,000 limit, WhatsApp has Rs 5,000.

The average transaction value has been less than Rs 2,000, indicating that many people use it only for low-value transactions. A factor that could contribute to this is poor support from the ecosystem after transaction failures, as this erodes trust. UPI would do well to improve reliability and support, building the trust that lets people perform high-value transactions, before raising limits.

Features dropped for UPI 2.0

What’s more interesting is what isn’t included. One media report suggested that the initial specification that was shared with UPI ecosystem participants proposed two features that were eventually dropped.

eMandates and UPI: This feature allows standing instructions for recurring debits to be processed through UPI apps. Once authorised, it allows automatic recurring payments, which could power a whole range of use cases like subscription billing, cab rides and one-click payments with trusted merchants. Although in its first phase it was proposed to add cancelable mandates (which meant that digital lenders can’t use them), the ultimate goal was to enable the creation of mandates digitally signed by the user with Aadhaar-based eSign, to support digital lenders.

eMandates are electronically obtained preauthorisation or standing instruction requests that can be used for recurring debits from an account.

  • One-time e-Mandate with blocked amount = digital demand draft, except interest can be earned till the payee processes the mandate instruction. No legal consequences/lower risk concerns over implementation.
  • One-time e-Mandate = digital post-dated cheque. Availability of funds needs to be ensured by the payer on the future date, or the payer is liable under the Negotiable Instruments Act if the mandate is digitally signed by the individual.
  • Recurring e-Mandates = Digital ECS/standing instruction based on which recurring debits are pre-authorised as per agreed terms.

eMandates on UPI were a much-debated feature, with risk-averse banks wanting to go slow while fintech companies wanted it for their business cases. Finally, it appears that a middle ground of a one-time mandate with account blocking was opted for.

Aadhaar authentication: The other feature that was planned was adding biometric authentication and allowing users to choose it over a UPI PIN.

While current mobile devices do not have biometric scanners with device-embedded encryption that UIDAI regulations require, the idea of introducing the feature was to nudge mobile manufacturers to build such devices by luring them in with the promise of the UPI’s user base. Mobile manufacturers are not very keen to make additional investments though.

It should also be noted that NPCI, through a recent circular, suspended its ‘Pay 2 Aadhaar’ feature on IMPS and UPI – which was infamously used to credit one rupee into the bank account of telecom regulator boss RS Sharma – citing privacy and data protection concerns, amidst other uncited reasons.

Most importantly, UPI 2.0 also doesn’t come with what a digital consumer truly needs: an efficient grievance redressal system that refunds failed transactions in a reasonable period of time. Imagine paying for an SMS that never got delivered, and your ability to send it being blocked until you get the message back from the telecom service provider. This is the norm in UPI, where money is instantly debited along with charges (smaller banks charge Rs 5 unless you’re a premium account holder) even if it doesn’t reach the person you wanted to send it to.

There has been zero transparency from the NPCI on failure rates and grievance redress service levels, and UPI 2.0 contains no mention of improvements to these aspects.

Srikanth Lakshmanan is part of CashlessConsumer, a consumer collective working on digital payments to increase awareness, understand technology, represent consumers in digital payments ecosystem to voice perspectives, concerns with a goal of moving towards a fair cashless society with equitable rights.