A Fortress Strengthened, How the End of UPI ‘Collect Requests’ Marks a New Era for India’s Digital Finance
In a move that has sent ripples across India’s financial ecosystem, the National Payments Corporation of India (NPCI) has phased out a foundational but deeply exploited feature of the Unified Payments Interface (UPI): the peer-to-peer (P2P) “collect request.” Effective from October 2024, this decisive action represents a fundamental redesign of user security, prioritizing the protection of millions over a marginal convenience. For fraudsters who had perfected the art of manipulating this feature, it is a moment of mourning; for the ordinary Indian, it is the fortification of their digital wallet.
The UPI platform, since its inception, has been nothing short of a revolution. It has democratized digital payments, making instant, secure, and cashless transactions accessible to everyone, from street vendors to corporate treasuries. At the heart of its P2P functionality were two types of transactions: the “push” and the “pull.” The withdrawal of the “pull” transaction—the collect request—is not merely a feature update; it is a pivotal chapter in the maturation of India’s digital public infrastructure, signaling a shift from breakneck growth to sustainable, secure scaling.
Understanding the Mechanism: The Double-Edged Sword of ‘Collect Requests’
To appreciate the significance of this decision, one must first understand the mechanics. In a conventional “push” payment, the sender initiates the transaction. They enter the recipient’s Virtual Payment Address (VPA), input the amount, and authorize the payment with their UPI PIN. The control and intent are unequivocally with the sender.
The “collect request,” or “pull” transaction, inverted this flow. Here, the recipient could send a payment request to a payer’s VPA. This request would land in the payer’s UPI app, and to fulfill it, the payer had to approve the transaction by entering their UPI PIN. While designed for legitimate purposes—like a friend conveniently requesting their share of a dinner bill or a small business invoicing a client—this inversion of control proved to be a catastrophic vulnerability.
It placed the payer in a reactive position, transforming them from an active decision-maker into a potential approver of a transaction they did not initiate. This subtle psychological shift was the chink in the armor that fraudsters learned to exploit with devastating efficiency.
The Fraudster’s Playbook: How ‘Collect Requests’ Were Weaponized
Criminal networks developed sophisticated social engineering tactics tailored to exploit the “collect request” feature. Their schemes preyed on trust, urgency, and a lack of digital literacy, turning a convenience tool into a weapon of financial extraction.
Some of the most prevalent scams included:
-
The Marketplace Mirage: In online classifieds and marketplaces like OLX, scammers posing as genuine buyers would agree to purchase an item. Instead of making a payment, they would send the seller a “collect request.” To a seller eagerly awaiting a payment confirmation, this request looked identical to an incoming payment alert. Mistaking it for the buyer’s transfer, the seller would enter their UPI PIN to “receive” the money, only to discover they had authorized a payment out of their account, draining their own funds directly to the fraudster.
-
The Fake Reward and KYC Scam: Victims would receive calls or messages claiming they had won a lottery, a lucky draw, or a government benefit. To “verify” their account or “process” the reward, they were instructed to accept a series of “collect requests,” often of small values initially to build trust. The victim, believing they were confirming the receipt of money, would enter their UPI PIN, thereby authorizing multiple payments to the criminal. In more aggressive variants, scammers used threats, claiming bank accounts would be frozen if the “KYC requests” were not approved.
-
The Impersonation Tactic: Fraudsters would impersonate officials from banks, telecom companies, or government bodies. They would create a false sense of urgency, claiming a pending penalty or a security breach, and direct the user to “authenticate” their identity by approving a “secure verification request”—which was, in reality, a collect request.
These schemes were diabolically effective because they manipulated the user’s perception of the UPI interface. The payment notification for a collect request was visually similar to a received payment, creating confusion. The fraudsters relied on this moment of misunderstanding, combined with psychological pressure, to trick users into bypassing their natural caution.
The NPCI’s Evolving Response: From a Cap to a Complete Overhaul
The NPCI has not been blind to this rising tide of fraud. In 2019, it implemented a crucial but partial fix by capping the amount for a single pull transaction at ₹2,000. This was a prudent first step, aimed at limiting the potential damage of any single fraudulent transaction.
However, as with any adaptive criminal enterprise, the fraudsters evolved. They simply scaled their operations, orchestrating a higher volume of smaller-value transactions to bypass the cap. The limitation proved to be a speed bump, not a roadblock. The core vulnerability—the ability to trick a user into approving an outward payment disguised as an inward request—remained intact.
The decision to completely eliminate the P2P collect request feature is therefore a recognition that partial measures were insufficient. It is a surgical strike that removes the vulnerability at its root. By mandating that every peer-to-peer payment must now be a “push” transaction, the NPCI has fundamentally re-centered control and intentionality with the payer. No longer can a user be tricked into authorizing a payment they did not consciously decide to make. The security framework of UPI has been significantly strengthened, closing a major avenue for financial crime.
The Broader Impact: A Ripple Effect Across the Digital Economy
The implications of this move extend far beyond preventing individual fraud cases.
-
For Businesses and Digital Platforms: Legitimate businesses that used pull requests for invoicing will need to adapt. They must now rely on sending payment links or QR codes, which are inherently “push” mechanisms from the customer’s side. While a minor operational shift, it reinforces a clearer and safer payment flow. Financial technology companies (FinTechs) will need to update their apps and user interfaces to reflect this change, further embedding the “push-only” paradigm into the user’s mental model.
-
For Financial Literacy: This decision underscores the urgent need for continuous financial education in a digitizing economy. It provides a clear, teachable moment: “You should only ever enter your UPI PIN when you are intentionally sending money.” This simplifies the safety message for millions of new-to-internet and new-to-digital-payments users.
-
For Global Precedent: India’s UPI is being exported to several other countries. NPCI’s proactive and decisive action in removing a feature that had become a vector for fraud sets a powerful global precedent. It demonstrates that for a digital payment system to achieve true mass adoption, user security cannot be compromised for the sake of convenience. Other countries observing or adopting the UPI model will likely incorporate this learnings into their own implementations.
The Inconvenience vs. Security Trade-off: A Necessary Choice
There is no denying that the removal of the collect request removes a layer of convenience. Splitting a bill among friends now requires one person to pay the full amount and then collect individual “push” payments from others, or for everyone to use a payment link. This is marginally less seamless than one person sending out collect requests.
However, the consensus among cybersecurity experts and policymakers is that this is a trade-off worth making. The marginal loss of convenience for specific use-cases is overwhelmingly outweighed by the monumental gain in security for the entire user base. The integrity of the network, which processes billions of transactions monthly, is paramount. By eliminating a major source of fraud, NPCI is reinforcing the foundational trust upon which UPI’s success is built.
Conclusion: A Maturation of a Digital Public Good
The story of the UPI collect request is a microcosm of India’s broader digital journey. It illustrates a relentless focus on innovation, followed by a pragmatic and necessary phase of consolidation and security-hardening. It shows that regulators and architects of public digital infrastructure must be willing to make tough choices, even if it means retiring a popular feature, to protect the most vulnerable users.
The withdrawal of the feature is a testament to NPCI’s evolving and responsive regulatory approach. It signals a maturity that understands that for technology to truly serve the people, it must be not only powerful and convenient but also inherently safe and trustworthy. As fraudsters mourn the end of an era, the ordinary Indian can transact with greater confidence, knowing that the fortress protecting their hard-earned money has just grown stronger. The journey towards a truly cashless economy continues, but now on a more secure and resilient path.
Q&A: The End of UPI Collect Requests
1. What exactly was the “Collect Request” feature that has been removed?
The UPI “Collect Request” was a “pull” transaction. It allowed a person or entity to send a payment request directly to your UPI ID (e.g., yourname@paytm). This request would appear in your UPI app, and to complete the transaction, you had to enter your UPI PIN. This was different from a normal “push” payment, where you actively initiate the transfer by entering a recipient’s UPI ID and authorizing it with your PIN. The “collect” feature inverted the control, requiring the payer to approve a transaction initiated by someone else.
2. Why did the NPCI decide to remove this feature completely?
While convenient for legitimate uses, the feature was being weaponized by scammers on a massive scale. The primary reason was the rampant financial fraud it enabled. Scammers tricked users into believing a “collect request” was an incoming payment, leading them to approve it with their UPI PIN and accidentally send money to the fraudster. Previous measures, like capping the transaction amount at ₹2,000, were insufficient as scammers simply conducted more numerous, smaller frauds. Complete removal was deemed the only way to eliminate this specific vulnerability at its root.
3. I used this feature to split bills with friends. How do I do that now?
You will need to adapt to using “push” payments or payment links. For example:
-
Option 1: One person can pay the entire bill and then share their UPI ID with the group. Each friend then individually “pushes” their share of the money to that person.
-
Option 2: The person covering the bill can generate a payment link or a QR code for the specific amount owed by each friend. When the friend scans the QR or clicks the link, it opens their UPI app pre-filled with the payment details, and they then “push” the payment by entering their UPI PIN. This method maintains a clear and secure flow where the payer is always in control.
4. Does this change affect payment requests from merchants?
No, this change specifically targets peer-to-peer (P2P) collect requests. Payment requests from verified merchants—such as when you shop on an e-commerce website, book flight tickets, or pay an electricity bill through a utility provider’s platform—are typically facilitated through payment links or QR codes. These are considered merchant transactions (P2M) and are unaffected by this new rule. The security risk was predominantly in the P2P context where trust and verification are more ambiguous.
5. What is the most important thing for UPI users to remember after this change?
The most critical takeaway is this: You should only ever enter your UPI PIN when you have intentionally decided to send money to someone. After this change, any legitimate transaction will require you to take the active, initiating step. If you are ever in a situation where you are asked to enter your UPI PIN to “receive” money, “verify” your account, or “unlock” a benefit, it is a scam. The removal of the collect request feature has made the system safer, but user vigilance remains the ultimate layer of defense.
