How UPI and Mobile Wallets Are Regulated in India

There has been a rapid shift from cash to digital payments in our country in the last 6-7 years. Morning tea, grocery store, taxi rides, everywhere one hears the same line – “Scan QR, Send Money.” Does a robust legal framework support the regulatory relaxations introduced by the Reserve Bank of India (RBI), National Payments Corporation of India (NPCI), and other financial regulators?
Both the Unified Payments Interface (UPI) and mobile wallets - classified by the RBI as 'prepaid payment instruments' (PPIs) - operate under distinct yet overlapping regulatory frameworks that mandate compliance. In this article, we will explain the entire legal journey, latest circulars, data-protection orders, consumer-case judgments, and enforcement examples like Paytm’s.
The regulatory basis – who regulates what?
Payment and Settlement Systems Act 2007 (PSS Act) - This Act empowered the RBI to authorise, regulate and supervise payment systems.
RBI - Licenses banks, authorises PPIs, sets cyber security and KYC regulations.
NPCI - A non-profit company given the status of "System Provider" by the RBI; it operates the UPI switch, manages the RuPay network, issues circulars etc.
Bank - Required for payments; every UPI handle is linked through some bank.
Third-party app providers (TPAP) - Apps like Google Pay, PhonePe, BharatPe that operate under NPCI's TPAP agreement; they do not require an RBI license directly but are subject to continuous audits by the sponsor bank and NPCI.
This hierarchy has resulted in a layered compliance model — with the law at the top, RBI and NPCI circulars in the middle, and each entity having its own standard-operating procedures.
UPI Framework - Understand Through the Timeline
2016: NPCI launches UPI; all participating banks get the new feature of real-time money transfer.
April 2018: RBI issues data-localisation circular - "Store payment system data only in India." Deadline: six months.
November 2020: NPCI announced a 30% cap on each TPAP's market share so that no single app can dominate the market. The deadline was extended repeatedly; the latest date is December 2026, giving relief to Google Pay and PhonePe.
Oct 2021: RBI e-mandate rules- Auto-debit up to ₹15,000 without additional OTP; equivalent amount needs to be topped-up through Additional Factor of Authentication (AFA).
Sep 2022: NPCI circular- Linking of RuPay credit cards to UPI handles allowed, Centre to retain limits on merchants.
February 2023: UPI-PayNow (Singapore) live remittance link pilot run - money transfer possible in 60 seconds via FEMA reporting banks.
January 2024: RBI imposes limits on new top-ups and deposits on Paytm Payments Bank (PPBL); cites technical risks and KYC flaws.
March 2024: Full PPI-wallet interoperability finally goes live: Paytm wallet balance can now be sent from PhonePe as well.
At every step, RBI and NPCI laid down the details through circulars: exact technical specifications, settlement timelines, QR-code standards and the fraud-reporting window.
Data Localisation and Cybersecurity Obligations
RBI’s April 6, 2018 circular clearly states: “The entire payment data – end-to-end transaction details, messages, instructions – will remain on servers in India.” Foreign processing may be limited to mirror copies only, but "primary data" cannot be moved.
Are global companies (Visa, Mastercard, Google Pay, Amazon Pay) being forced to set up on-soil servers in India? As proof of compliance:
System Audit Report (SAR): Must be prepared every year by a CERT-In empanelled auditor.
Log-retention: Minimum 10 years for high-value transactions.
Breach reporting: The RBI-CISO Desk must be informed within 24 hours.
Standardisation measures such as tokenisation, device-binding, dynamic-TR (transaction risk) scoring are also part of the NPCI's 2022 advisory.
Mobile Wallets (PPI) - License, KYC, Inter-operability
License and net worth: Non-bank wallet issuers are required to have a paid-up capital of ₹10 crore; this must be increased to ₹15 crore within five years. RBI's 2021 master direction applies to PPIs.
KYC Stages:
Minimum-KYC Wallet: Limit of ₹10,000 lifetime load; Video-KYC allowed at par with full-KYC within 24 months.
Full-KYC Wallet: No balance limit, cash withdrawal allowed at POS.
Inter-operability: All full-KYC PPIs should be open for UPI QR, RuPay Card Rail, and wallet-to-wallet payments from March 31, 2022. This reduced user lock-in and increased competition. RBI has prescribed a penalty of ₹10,000 per instance in case of failure.
Customer funds protection: Wallet issuer must maintain an escrow account in a scheduled commercial bank; daily reconciliation T+1.
Dispute Refund Rules: Automatic refunds for failed PPI transactions must be credited within a maximum of five working days; failing which the issuer will be charged an annual “penal non-compliance fee”.
TPAP Identity PIL - Court Test of Google Pay
In Abhijit Mishra vs RBI and NPCI (Delhi High Court, 7 August 2023), the petitioner argued that Google Pay is not an authorised operator by the RBI, making it illegal. The court observed:
"Google Pay is only a third party app provider; NPCI approval + oversight by sponsor banks meets the regulatory intent."
The decision also clarified that TPAPs do not require authorisation under Section 4 of the Payment and Settlement Systems Act; they only need to comply with the NPCI framework. This example presents a clear roadmap for fintech companies to launch their own UPI apps – there is no immediate stress of an RBI license, but there are stringent audit and SLA obligations that cannot be ignored.
Consumer Protection and Fraud Liability - Approach of the Courts
The Supreme Court, upholding the order of the Guwahati High Court, asked SBI to refund the entire amount of Rs 94,204.80 to a victim of cyber fraud. The bank argued that the user had shared the OTP, but the court asked the RBI to put the burden on the bank, citing its circular "zero liability if informed within 3 days".
The main recommendation: banks should maintain a "strong identification system"; otherwise consumer compensation will become inevitable.
The commission said: If the bank receives the fraud report within 2 days and still initiates a chargeback, it is not a “deficiency in service”. The customer was fined ₹64,000 + interest + mental harassment.
These decisions show that consumer forums and the Supreme Court are taking a pro-consumer stance in cases of digital fraud. TPAPs and wallet issuers should incorporate these decisions into their SOPs.
Enforcement Spotlight - The Paytm Payments Bank Saga
January 31, 2024: RBI directive: PPBL will not accept new deposits, wallet top-ups or FASTag recharges. Reason: significant supervisory concerns, KYC gaps and “persistent non-compliance” in IT audits.
February-September 2024: NPCI approved the Paytm UPI handle migration plan but imposed a daily limit; users were forced to do bank-account mapping.
3 March 2025: Enforcement Directorate issues ₹611 crore FEMA notice to One 97 Communications; allegation: investment information of the Singapore subsidiary was not given to RBI on time.
This episode has reminded the fintech industry of the dual regulation it has to manage simultaneously: RBI for domestic operations, FEMA for cross-border flows. Policy violations can result in anything from “operation freeze” to “show cause notice”.
Cross-Border UPI & FEMA Compliance
The PayNow-UPI link was launched in February 2024. Money is sent in 60 seconds. Currently the limit is SGD 1,000 (~₹62,000) per day, and the money is deposited into the INR bank account. NPCI International Payments Limited (NIPL) has tied up with markets like France, UAE and Mauritius for QR acceptance.
But the important thing is that outward remittance is still under FEMA. RBI has imposed a “Liberalised Remittance Scheme” limit of $250,000 per financial year. Any TPAP providing outward scan-to-pay service must comply with AD-bank sandbox and monthly return filing (Form A2 equivalent). Violation = ED notice, as revealed in the Paytm case.
Volume Caps, Credit-on-UPI and Next-Gen Features
Market-Share Cap: NPCI had planned to cap the market share of each TPAP to 30% of UPI transaction volume in its November 2020 circular. The major players (PhonePe 48%, Google Pay 37%) now get a transition time till December 31, 2026.
RuPay Credit Card-on-UPI: Credit-rail on UPI QR gets a boost with the September 2022 circular; MDR limit set at 0.5% to accelerate adoption by merchants.
Credit line on UPI: Draft guidelines for February 2025; proposes Rs 2 lakh limit per transaction, allows risk-based pricing, but bank will have to classify it as digital overdraft for reporting.
Offline UPI (“UPI-Lite”): Small ticket (₹500) transactions without network, value stored on the device, risk limit ₹2,000; suitable for rural areas.
CBDC Retail Pilot: RBI aims to reach 15 lakh users by the end of 2024; aims to accept digital rupee on UPI merchant QR in future.
Compliance Checklist for 2025
License renewal: RBI will check suitability in every five-year cycle. Last three SAR reports and net worth certificate must be submitted before renewal.
Interoperability Testing: Quarterly NPCI sandbox runs; QR dynamic-testing passing score ≥ 95% success.
Customer Grievance Redressal: 24×7 IVR, Complaint Ticket Escrow Refund T+5 Tracking.
AML/CFT Screening: PAN name + ban list matching on each new VPA creation; suspension of suspicious VPAs within 5 hours.
Cross-border reporting: Auto-file Form 15CC for remittances processed from PayNow, UAE IPS, etc.; this is how to stay safe from the ED.
The future - Where is the Digital Payments Vehicle Headed
Account Aggregator + UPI Merge: Loans available with seamless consent flow; Fintechs to democratize MSME finance by bringing “One-Click Credit”.
Voice-enabled UPI: NPCI has started testing “Hello UPI” where feature phone users will transfer money with voice commands.
Global QR Standard: NIPL plans to introduce ISO 20022 compliant QR, which will be accepted by foreign tourists without local SIM.
Reg-Tech Automation: RBI will enhance real-time API audits through Intelligent IDF (Intelligent Data Framework), manual inspections will be required but lapses in compliance will be flagged immediately.
Conclusion – Ease of Use, Ease of Compliance
UPI and mobile wallets have made India the world's largest real-time payments platform. But along with innovation, legal expectations are also rising. Data-localisation, interoperability, fraud accountability, FEMA filings - these are no longer mere check-boxes but necessities. The message from court judgments (Google Pay PIL dismissed, SBI refund order) is clear: user safety first, zero tolerance for lack of compliance.
Businesses must keep their technology infrastructure compliant with statutory circulars, identify suspicious areas through regular SAR audits, and assure prompt refunds to customers. Only then will Digital India’s dream of “scan and pay” become sustainable, secure, inclusive and globally respected.


