Many users have faced difficulties in removing old or inactive mobile numbers linked to their UPI ID, leading to security risks and potential fraud. However, a new directive from the National Payments Corporation of India (NPCI) will simplify this process. By March 31, 2025, all banks and Payment Service Providers (PSPs) offering UPI services must update their databases to automatically remove inactive or recycled mobile numbers. The new rule is aimed at reducing errors and fraud that may arise from mobile number churn. Mobile number churn occurs when inactive numbers are reassigned to new subscribers, posing a significant risk if linked to sensitive financial accounts like UPI IDs. To ensure compliance with this rule, NPCI has instructed banks and PSPs to leverage the Mobile Number Revocation List (MNRL) or Digital Intelligence Platform (DIP) to update their databases regularly. As per the directive issued on March 3, 2025, banks and PSPs must refresh their mobile number databases at least once a week. This continuous update process ensures that old and inactive numbers are delinked from UPI IDs promptly, significantly lowering the risk of financial fraud. By maintaining accurate records, the potential for errors caused by recycled numbers will be minimized.
 

Why is this Update Important?

The Department of Telecommunications (DoT) guidelines state that if a mobile number remains inactive for 90 days with no outgoing calls, messages, or data usage, it is deactivated. After this period, the number may be reassigned to a new subscriber. Many users fail to update their mobile number details for crucial services like bank accounts or UPI IDs when they stop using a number. This negligence creates potential security vulnerabilities. For instance, if a user’s old mobile number is reassigned, the new subscriber may unintentionally receive sensitive banking or payment information. In some cases, scammers may exploit this opportunity to gain unauthorized access to financial services. The Telecom Regulatory Authority of India (TRAI) has previously warned about the dangers of mobile number churn, citing that it can lead to financial fraud and identity theft if inactive numbers are not delinked from digital services.
 

How Does the New NPCI Rule Protect Users?

To enhance security and prevent unauthorized linking of recycled numbers, NPCI has introduced stricter guidelines for UPI apps.

Under the new rule:

• UPI apps must now obtain explicit user consent before linking or updating a mobile number to a UPI ID.
• The consent prompt will include an opt-in feature that is disabled by default, ensuring that users must actively approve the linking process.

This is a major change from the previous system where mobile numbers could be updated automatically without user confirmation. The new process places more control in the hands of users, reducing the risk of unauthorized access to their UPI-linked accounts.
 

How Will This Impact Users?

The updated NPCI guidelines aim to:

• Protect users from fraud linked to recycled mobile numbers.
• Ensure that inactive numbers are automatically removed from UPI IDs to prevent errors.
• Enhance user control by requiring explicit consent for mobile number linking.

If you have recently changed your mobile number or stopped using an old number, it’s important to update your contact details with your bank and UPI service provider to ensure uninterrupted access and security. The NPCI's proactive step ensures that digital payments remain secure while offering users greater control over their financial data. With the March 31, 2025 deadline in place, banks and PSPs are expected to implement these changes soon, ensuring a safer and more efficient digital payments ecosystem.