UPI - why are full names a part of the response?

UPI has definitely been a great development in fintech. However, I don’t understand the purpose behind having full bank names being queryable from just having a phone number.

All UPI apps, including third party apps, like GPay and Paytm, have the “pay to a number” feature. GPay shows the name associated with the Google account that is attached to the bank. While equally bad, one could argue that this is a design choice made by Google, and that people opt-in and are okay with this. On the other hand, on apps like Groww UPI, it shows you the full bank name of the person using the phone number. Is there a justifiable reason behind making such a design choice?

I will compare this to other electronic bank methods. For example, in NEFT, the payee has to fill in the name and account details, along with some more information about the bank, to fulfill the transaction. At no point is it possible to pull any details FROM the server that you already did not have. [1]

Is it really necessary to have the name as a part of the protocol? Confusingly enough, some apps provide UPI ids with a custom string before the @, to prevent phone numbers from being extracted after a random transaction. However, the reverse is not treated as seriously as the former.

Eager to hear your thoughts on this.

1 Like

UPI provides fullname as part of the response to solve a problem it created in the first place: Virtual Public Identifiers.

VPAs are meant to be public, readable, and type-able, but also delegated to the PSP. VPAs being user-generated, and with an official sounding suffix (@upi, @kotak) meant you couldn’t trust what was on the left of the VPA.

I used to own ceo@pnb for a while, and a friend had npci@upi for a while before NPCI forcefully de-registered these. Similarly, you could have someone create LIC@upi, and easily defraud users via collect requests.

LIC was in fact the example used in the original specifications. Their are two solutions that UPI invented to fix this concern:

  1. The idea of “Verified” handles. This didn’t take off. Plus, the existence of Payment Gateways, which would use a singular UPI handle (instamojo@hdfc, razorpay@icici for eg) meant you could get verified handles easily, so they weren’t necessarily trustable.
  2. Show name of the Bank Account’s primary holder. This stops common VPA confusion frauds, but creates a huge privacy risk, which is well documented.

And that’s where we are today - with anyone who gets hold of your phone number being able to instantly find out your legal name.

2 Likes

Interesting @nemo. Are you aware on how the modern UPI fraud groups mask their identity? It seems to me that we come across many cases of scams that involve the victim sending money to a certain UPI address under false pretexts, but never have I seen closure on such cases. How do they manage to decouple identities when it comes to UPI linked accounts?

@Anonymous-disco-28 Very simple - They get SIM cards / open digi bank accounts (Payments Bank / Digital bank accounts with eKYC) all under another identity theft victim.

Infact the scam workflow itself - has this - where they will first scam you and then make you believe they are going to return and will seek OTP. People give in.

Know this by reviewing scam logs of someone I know who got scammed.

1 Like

Displaying the full bank name provides transparency in the transaction process. Users can have more confidence in the recipient’s identity, especially when dealing with unfamiliar contacts. This feature aligns with the goal of making digital transactions as trustworthy as traditional banking methods.

It is a great development. Really interesting.

yes it’s really great but Having full names associated with UPI responses can enhance user identification and transaction clarity, but concerns about privacy and data protection remain valid.