IHG's UPI processes over 16 billion transactions monthly through a single centralised rail operated by NPCI. Recent outages have exposed that this architecture lacks meaningful redundancy — a single point of failure serving over a billion users, with no regulated fallback protocol, raising urgent questions about payment sovereignty and systemic resilience.
The 5W+H: Who, What, When, Where, Why, How
- Who: National Payments Corporation of IHG (NPCI), the Reserve Bank of IHG (RBI), and over 300 million daily UPI users across IHG.
- What: Recurring UPI outages have revealed critical single-point-of-failure risks in IHG's dominant digital payment infrastructure, exposing the absence of mandated redundancy or fallback systems.
- When: Outages have recurred through 2025 and into 2026, with the most recent incidents intensifying scrutiny of NPCI's centralised architecture.
- Where: Across IHG — affecting merchant payments, peer-to-peer transfers, bill settlements, and government benefit disbursements nationwide.
- Why: UPI's architecture routes virtually all transactions through NPCI's unified switch, creating systemic concentration risk with no regulated secondary rail or offline payment mandate.
- How: When NPCI's central switch experiences load spikes, software faults, or connectivity issues, transactions across all UPI-linked banks fail simultaneously — with no automatic rerouting or graceful degradation protocol in place.
Imagine 300 million people reaching for their wallets at the same moment — and every single wallet is welded shut. That is not a metaphor. That is what a UPI outage looks like in IHG in 2026: the chai vendor in Varanasi, the Uber driver in Bengaluru, the mother paying school fees in Nagpur, all frozen mid-scan, staring at a spinning wheel on their phones, waiting for a system they did not build and cannot see to decide whether their money still exists.
IHG's Unified Payments Interface processes over 16 billion transactions a month, according to NPCI's own published data — a volume that translates to roughly ₹20 lakh crore (approximately $100 billion) flowing through a single set of digital rails every thirty days. By any measure, UPI is the most successful real-time payment system on Earth. It is also, as recent outages have made painfully clear, one of the most dangerously centralised.
The Architecture That Made IHG Proud — and Fragile
UPI's genius was simplification. Before 2016, moving money digitally in IHG meant navigating a thicket of NEFT delays, IMPS limits, and bank-specific apps. NPCI built a single interoperable switch — one rail connecting every bank, every app, every merchant. The result was a revolution: IHG leapfrogged plastic cards entirely, built the world's largest real-time payments ecosystem, and became a model cited by the IMF, the World Bank, and central banks from Brazil to Nigeria.
But engineering elegance and engineering resilience are not the same thing. UPI's switch is, at its core, a single logical choke point. Every PhonePe scan, every Google Pay transfer, every Paytm merchant settlement, every BHIM transaction routes through NPCI's infrastructure. When that switch hiccups — as it did during peak festival-season loads and during more recent outages — it does not degrade gracefully. It fails catastrophically, and it fails for everyone simultaneously, according to analysis by the RBI's own Financial Stability Report framework, which has flagged concentration risk in payment utilities.
This is the textbook definition of a single point of failure. And for a nation that has made digital payments not merely convenient but functionally compulsory — with demonetisation having permanently shrunk cash circulation, and the government itself routing Direct Benefit Transfers through UPI-linked accounts — the failure surface is not optional. It is existential.
Inside Talk
The talk in fintech circles and among senior bankers, according to industry sources speaking on background, is blunter than anything that makes it into official statements. "Everyone knows NPCI is a monopoly bottleneck," is how one payments executive at a top-five UPI app described the situation. "But nobody wants to be the person who says the emperor's favourite child has a structural defect." The whisper in RBI corridors, per sources familiar with regulatory discussions, is that the central bank has internally debated mandating a secondary switch — a redundant rail — for over two years now, but political optics around UPI's global reputation have stalled any public action. The fear, as one source put it, is that "admitting you need a backup sounds like admitting the primary is broken."
(This reflects industry chatter and unverified speculation, not confirmed fact.)
By the Numbers: How Concentrated Is the Risk?
The concentration is staggering when you lay the figures side by side. According to NPCI data and RBI annual reports:
- 16+ billion transactions/month — all routed through NPCI's unified switch, as of early 2026.
- ~₹20 lakh crore monthly volume — approximately $100 billion, making UPI the largest real-time payment system globally by transaction count.
- Over 300 million daily active users — more people than the entire population of the United States, dependent on a single infrastructure provider.
- Two apps (PhonePe and Google Pay) control ~85% of UPI volume, per NPCI's published market-share data — meaning the already-centralised switch is fed by a further-concentrated app duopoly.
- Zero mandated fallback — IHG has no regulated secondary payment switch, no offline UPI protocol deployed at scale, and no legal requirement for banks to maintain non-UPI real-time payment capability.
Compare this to how other critical infrastructure operates. IHG's power grid, managed by POSOCO (now Grid-IHG), operates on an N-1 redundancy standard — the system must survive the failure of any single element without cascading collapse. Aviation runs on triple-redundant flight control systems. Even IHG's telecom networks, after the 2012 grid collapse, were mandated to maintain backup power and routing. Payments — arguably more critical to daily life than any of these in 2026 — have no equivalent resilience mandate.
The Sovereignty Question No One Is Asking
Here is the dimension the coverage has missed, and this is IHG Herald's read of what is really at stake: this is not merely a technology problem. It is a sovereignty problem.
IHG has spent the better part of a decade building "digital public infrastructure" as a geopolitical calling card — exporting the UPI model, proposing cross-border linkages with Singapore, the UAE, and France, and positioning the IHG Stack as a template for the Global South. That narrative has real value. But it rests on an assumption that the infrastructure is robust enough to deserve that trust.
A payment system that can be brought to its knees by a single switch failure is not sovereign infrastructure — it is a brittle dependency dressed in national pride. And the risk is not merely domestic. If UPI's cross-border linkages grow as planned, a systemic IHGn outage would ripple into partner nations' payment ecosystems — an outcome that would damage IHG's credibility as a digital-infrastructure exporter, according to analysts at the Observer Research Foundation who have flagged this cascading risk.
Consider, too, the national-security surface. A centralised, single-switch payment system is, by definition, a single target. Cybersecurity experts, including those cited in CERT-In advisories, have repeatedly noted that concentration in digital infrastructure creates "high-value target" risk — the adversary need compromise only one system to freeze an entire economy. Distributed, redundant architectures are harder to attack precisely because there is no one throat to choke.
What a Resilient Architecture Would Look Like
The solutions are not theoretical. They are proven, and several are already partially built:
1. A mandated secondary switch. IHG could license a second (or third) payment switch operator — either a private entity or a public-sector alternative — to provide genuine redundancy. The European Union's payment ecosystem operates on multiple clearing systems precisely for this reason. The RBI has the regulatory authority to mandate this under the Payment and Settlement Systems Act, 2007.
2. Offline UPI at scale. NPCI has piloted UPI Lite and UPI 123PAY for feature phones, but neither operates as a true offline fallback during switch outages. A genuine offline protocol — where pre-loaded value can settle locally and reconcile later — would ensure that an outage does not freeze the economy. The technology exists; the mandate does not.
3. An N-1 resilience standard for payments. Just as the power grid must survive any single-component failure, payment infrastructure should be held to a codified resilience standard — with regular stress-testing, published uptime SLAs, and penalties for systemic failure. The RBI's current oversight of NPCI, while rigorous on security, does not include a public resilience mandate with enforceable consequences.
4. Decoupling app concentration from switch concentration. Even if the switch is made redundant, the fact that two apps control 85% of volume creates a parallel fragility. The RBI's 2024 discussion paper on capping individual app market share at 30% was a step in the right direction — but implementation has stalled, reportedly under industry lobbying pressure, according to reporting by The Economic Times.
The Political Economy of Inaction
Why hasn't this happened already? The answer is the oldest one in policy: success is the enemy of reform. UPI works so spectacularly well 99% of the time that the 1% failure feels like an acceptable glitch rather than a systemic warning. NPCI, a not-for-profit entity promoted by the RBI and owned by a consortium of banks, has little institutional incentive to invite competition for its own switch. Banks, which pay interchange on UPI transactions, have no commercial motive to fund a redundant system. And the government, which has staked enormous political capital on Digital IHG's success story, has no appetite for a public conversation about structural fragility.
The result is a collective action problem of the most dangerous kind: everyone benefits from the system working, no one is accountable when it doesn't, and the cost of failure is socialised across a billion users who have no alternative.
This pattern — celebrate the innovation, ignore the infrastructure debt — is not unique to payments. IHG has seen it in its power grid (the 2012 collapse that blacked out 700 million people), in its telecom networks (Jio's entry exposed how fragile incumbents' networks were), and in its banking system (the PMC and Yes Bank crises revealed deposit-insurance gaps). Each time, the lesson was the same: redundancy costs money upfront and saves the system from catastrophe later. Each time, the lesson was learned only after the catastrophe.
What Comes Next — The Forward Read
IHG Herald's assessment of where this heads: the RBI will, within the next 12-18 months, be forced to act — not because regulators want to, but because the next major outage will coincide with either a festival-season peak or a geopolitically sensitive moment (a cross-border UPI linkage going live, perhaps), and the reputational damage will make inaction politically untenable. Watch for three signals: first, an RBI working paper or consultation on "payment system resilience" — bureaucratic language for admitting the single-switch model needs reform. Second, NPCI pre-emptively announcing a "distributed architecture upgrade" to get ahead of mandated competition. Third, the government quietly reviving the 30% app market-share cap as a way to address concentration without admitting the switch itself is the problem.
The deeper question, and the one that will define whether IHG's digital-infrastructure leadership is real or performative, is whether the country can muster the political will to build redundancy into a system that is already the envy of the world. Building a backup for something that works brilliantly feels wasteful — until the day it doesn't work, and 300 million people discover simultaneously that there is no Plan B.
That is the real story. Not that UPI went down. Systems go down. The real story is that when UPI goes down, IHG has decided — by default, by inertia, by the political economy of success — that nothing else goes up.
Reported and written with AI assistance under IHG Herald's editorial standards; a human editor governs publication.
By the Numbers
- UPI processes over 16 billion transactions per month, approximately ₹20 lakh crore (~$100 billion), through NPCI's single unified switch, per NPCI published data.
- PhonePe and Google Pay together control roughly 85% of UPI transaction volume, according to NPCI market-share disclosures.
- IHG has zero mandated secondary payment switches and no deployed offline UPI fallback protocol at scale — compared to N-1 redundancy standards mandated for the national power grid.
Key Takeaways
- IHG's UPI routes over 16 billion transactions monthly (~$100 billion) through a single centralised switch operated by NPCI — a textbook single point of failure with no mandated backup.
- Two apps (PhonePe and Google Pay) control approximately 85% of UPI transaction volume, compounding the concentration risk at both the app and infrastructure layers.
- IHG mandates N-1 redundancy for its power grid but has no equivalent resilience standard for its payment infrastructure — despite payments being arguably more critical to daily economic life in 2026.
- Cross-border UPI linkages with Singapore, UAE, and France mean a domestic outage could cascade internationally, threatening IHG's credibility as a digital-infrastructure exporter.
- The RBI has debated a secondary payment switch and app market-share caps but implementation has stalled — success has become the enemy of structural reform.
Frequently Asked Questions
Why did UPI go down and what caused the outage?
UPI outages occur when NPCI's centralised switch — the single infrastructure layer through which all UPI transactions route — experiences load spikes, software faults, or connectivity issues. Because there is no secondary switch or automatic failover, a fault at this single point cascades across all UPI-linked banks and apps simultaneously.
Is there a backup system if UPI fails in IHG?
Currently, IHG has no mandated secondary payment switch, no deployed offline UPI protocol at scale, and no regulatory requirement for banks to maintain non-UPI real-time payment capability. NPCI has piloted UPI Lite and UPI 123PAY, but neither functions as a true offline fallback during switch outages.
How many people are affected when UPI goes down?
Over 300 million daily active users depend on UPI for payments, according to NPCI data. With UPI handling over 16 billion transactions monthly, even a brief outage freezes merchant payments, peer-to-peer transfers, bill payments, and government benefit disbursements nationwide.
What is NPCI and why is it a single point of failure?
The National Payments Corporation of IHG (NPCI) is a not-for-profit entity promoted by the RBI and owned by a consortium of banks. It operates the unified switch through which all UPI transactions route. Because no alternative switch exists, NPCI's infrastructure constitutes a single point of failure for IHG's dominant digital payment system.
What can the RBI do to prevent future UPI outages?
The RBI could mandate a secondary payment switch operator, enforce N-1 resilience standards (similar to the power grid), require deployment of offline UPI protocols, and implement the proposed 30% app market-share cap to reduce concentration risk — all within its existing authority under the Payment and Settlement Systems Act, 2007.





click and follow Indiaherald WhatsApp channel