UPI 101: The Basics
30 Jun 2020 — PRODUCT — THE OTHER SIDE
In this article, we will learn about India's Unified Payments Interface. A young payment scheme that has been accounting for 60-65% of digital payments across India. In December 2019, Google recommended the Federal Reserve to follow the model of UPI for the design of FedNow.
It is going to be a 3 part series.
Part 1 (this article): We will cover the background and basics. We will learn about the different participants and their roles in the UPI ecosystem.
Part 2: We take a deep-dive into UPI by tracing a UPI transaction from the beginning through the end.
Part 3: We will look at settlements and understand how money exchanges hands.
Since its inception in 2016, UPI has grown tremendously over the last 4 years. It has enabled a whole new set of individuals to transact digitally for the first time.
There were multiple attempts towards making India a cashless society. Earlier solutions were not simple to use and relied heavily on Netbanking facilities provided by the banks. The experience was not standard. Because of all these reasons, it was mostly used only by the tech-savvy population. India being a diverse country needed a system that has a plethora of payment apps that are optimised for different cohorts.
The growth of UPI
The primary objective of UPI was to build an open payment system that is mobile-first, fast, and interoperable across different banks.
For a developing country like India, going mobile-first was almost a no brainer. Mobile Phones and Mobile Data were getting cheaper and the trend was clear.
Interoperability simply puts the user’s needs at the center. The users can opt for any payment app, link it with their bank account to engage in commerce with anyone across India.
Think about it, all of us want to use payment apps that we like, instead of being limited to a poorly designed app that’s provided by the bank where we keep our money. We should let banks do what they do best (which is managing money) and let tech companies handle building intuitive user interfaces for transacting money.
UPI was built on this principle to let private players innovate on top of public digital infrastructure.
So, What exactly is UPI?#
UPI is a payment markup language and a standard for interoperable payments in India.
To make the process of transacting money simple, UPI introduced the concept of human friendly unique IDs called UPI Virtual Payment Addresses (or VPAs). The VPAs are usually of the form <unique_identifier>@<address_provider>.
The UPI VPAs are similar to email addresses. They are interoperable. A gmail user can send an email to a yahoo user.
Some simple examples UPI VPAs are alice@ybl and bob@axis. Here, ybl and axis are two banks that provide virtual payment addresses. And, alice and bob are the unique identifiers in respective address providers.
Just like how domains get resolved to IP addresses, every VPA needs to be linked to a bank account. The UPI handles get resolved to bank accounts and IFSC during the payment (we will see how).
In short, a UPI Virtual Payment Address serves as the addressing layer for a bank account.
There are mainly two types of transactions in the UPI realm.
Direct Payment The payer (the sender) initiates the transaction. Typical examples would be, you paying a shopkeeper at the checkout by scanning a QR code or you sending money to your friends and family.
Collect Request The payee (the receiver) initiates the transaction. A simple example is a scenario where your landlord creates a collect request asking you to pay the monthly rent.
There are three types of participants in the UPI ecosystem.
Banks hold your money. UPI works directly with the bank accounts, unlike Paytm, Venmo, or CashApp. The bank account will be debited from or credited to whenever you send money or receive money.
The banks that hold your money are also called Issuing Banks.
Every bank uses a system called Core Banking System (CBS) to manage its user’s accounts. At the core, CBS is a simple CRUD system built around user accounts.
Debit and Credit are the two fundamental operations of core banking software.The debit is when you’re taking money out of your account. The amount involved is subtracted from your balance. On the other hand, when you’re getting paid, its a credit. The money is added to your account.
Banks also maintain another UPI specific database. We will discuss more on that later.
The Payment Apps#
Payment Apps are consumer-centric products that can be used to link a bank account and transact in the real world. Some major apps are Google Pay, PhonePe, BHIM, etc. Almost all the banks have their own versions of UPI Apps. There is a wide variety of options to chose from.
Payment Apps allow users to create handles to make everyday transactions easier. However, not everyone can start creating UPI handles. Reserve Bank of India (RBI) regulates who can create UPI handles. Currently, only the member banks of the UPI ecosystem are allowed to do so.
That’s why all the payment apps will have to tie up with banks. These banks not only allow payment apps to create and manage UPI handles for their users, but they are also the interface to the UPI ecosystem.
These banks are called Acquiring Banks.
Google Pay has tied up with HDFC Bank, Axis Bank, and SBI. PhonePe has a tie-up with Yes Bank and ICICI Bank.
Banks provide separate APIs to allow payment apps to create and manage the UPI handles.
National Payments Corporation of India (NPCI) is a non-profit set up by the Government of India to facilitate digital payments. They facilitate many payment schemes (like IMPS, BBPS, FASTag, etc.)
If we reflect back on the original objective of UPI, it was to build an interoperable system. An interoperable means anyone could download a payment app, link any bank (that they own), and transact with anyone else from any other bank.
One primitive way of building such an interoperable network would be to connect every payment app with every bank. As you’re probably guessing, that’s a very inefficient way of doing it, even if we assume something like that is possible. It practically not possible.
And, the only thing that’s constant in the software realm, is the fact that systems keep changing and breaking. Imagine the pain that everyone has to go through in reaching a consensus when configurations or infrastructures change. It would be chaos.
This approach is the same as building an Internet where your browser has to remember the IP address of every possible website on the planet, otherwise, you wouldn’t be able to access it.
Of course, the Internet is not built in this fashion. The job of resolving every web address into an IP address is taken out as a separate protocol called DNS. Our browsers trust the IP address resolved by the DNS servers used by our Internet Service Providers.
Introducing standardization and a trusted third party will result in a completely different architecture.
That’s the route UPI creators took, they made NPCI as the trusted switch and they standardized the protocol. NPCI makes sure that data flow between banks and payment apps are routed to the correct and verified destinations.
The end result, the payment apps, and banks talk just to NPCI and can be assured by NPCI that they are really interacting with who they intend to.
To make this easy to understand, we made a GIF.
Apart from being the trusted router, NPCI also hosts non-financial meta APIs to serve everyone in the ecosystem.
Some examples of meta API are listAccountProviders (returns all details of all banks), validateAddress (helps in validating VPAs), requestOtp (for 2FA), etc.
NPCI has one more important role to play. It’s something to do with settlement. We will cover in the last part of the series.
Before we wrap the first series, let's quickly visit authentication.
UPI uses 2-factor authentication. Commonly used factors are the possession factor and the knowledge factor.
UPI being mobile-first, the possession factor (“what a user has”) is the user’s phone. It’s validated using the device fingerprint.
The knowledge factor (“what a user knows”) is the 4 digits or 6 digits UPI PIN.
The authentication scheme is designed to be flexible and can use different authentication factors in the future.
We will learn how these authentication factors are verified in the upcoming articles.
That’s a wrap of the first part of the series.
We hope you enjoyed it. Share it with the intellectually curious folks in your circle. If you have any questions regarding UPI or anything related to Fintech in general, feel free to reach out to us here.
In the next part of the series, we will take a detailed look into how UPI transactions work.