On June 2, 2026, in Phnom Penh, NPCI International Payments Limited (NIPL) and Cambodia's ACLEDA Bank switched on Phase 1 of a cross-border link between India's Unified Payments Interface and KHQR, the national QR standard built on Cambodia's Bakong system. The ceremony drew H.E. Dr. Chea Serey, Governor of the National Bank of Cambodia, alongside officials from the Reserve Bank of India. The practical effect is narrow but real: Indian travellers can now scan KHQR at over 4.5 million Cambodian merchants and pay from their existing UPI apps. A Phase 2, letting Cambodians pay in India, is promised next.
Cambodia becomes the ninth country to accept UPI, joining Bhutan, Nepal, Singapore, France, Mauritius, Sri Lanka, Qatar and the UAE. The milestone is modest in transaction terms — tourist spending, not trade settlement — but it is a useful test of a question that matters far beyond travel money: how should a sovereign payment network expand across borders without dragging incompatible rulebooks along with it?
The strongest case for caution
The instinct to regulate cross-border UPI heavily is not unreasonable, and it deserves a fair hearing. As a May 2026 analysis by the law firm Cyril Amarchand Mangaldas set out, real-time rails create genuine supervisory strain. UPI settles in roughly ten to fifteen seconds, but anti-money-laundering and KYC checks cannot meaningfully complete in that window, pushing compliance toward pre-screening rather than review. Foreign-exchange law adds friction: a cross-border payment must be classified under FEMA — current-account spend, or a remittance counting against the $250,000 Liberalised Remittance Scheme cap — and, the authors warn, "real-time payments do not pause for regulatory reclassifications" if a partner lands on a FATF grey list. Layer on conflicting data-localisation regimes and competing claims to supervisory authority, and the worry is coherent: a network that finalises money faster than any regulator can react.
Those are real risks. The wrong response is to treat them as reasons to bolt heavyweight mandates onto every linkage before it launches.
Bilateral QR is the proportionate design
What the Cambodia link actually demonstrates is a lighter, smarter architecture. India is not exporting its rulebook; it is exporting interoperability. KHQR stays Cambodian, supervised by the National Bank of Cambodia and settled through Bakong. UPI stays Indian, under RBI and NPCI. The two systems agree on a QR handshake and a settlement arrangement between named institutions — here, NIPL and ACLEDA — rather than merging compliance regimes. "ACLEDA Bank is proud to launch Phase 1 of our cross-border interoperability initiative," said its president Dr. In Channy; NIPL's Ritesh Shukla framed it as extending "India's digital payment innovations" abroad. Each regulator keeps jurisdiction over its own leg of the transaction.
This is the proportionate-regulation principle in practice. The AML and FEMA concerns are addressed where they belong — at the regulated bank intermediating each side — not by inventing a supranational rulebook or freezing the rollout until every edge case is litigated. Phasing matters too: starting with inbound tourist payments, where amounts are small and the flow is one-directional, lets both central banks observe live behaviour before opening the two-way corridor. That is iterative regulation, not regulatory abdication.
The scale that makes restraint worth it
The reason to get this model right is the size of what UPI has become. In May 2026 the network processed 23.2 billion transactions worth ₹29.9 trillion in a single month, a record, according to NPCI data. A system at that scale is precisely the kind of critical infrastructure regulators are tempted to wrap in pre-emptive controls. But UPI's domestic success came from low friction, open participation and a near-zero merchant-discount-rate model — design choices that mandates can easily smother. The same restraint should govern its international expansion.
The RBI's own posture has, encouragingly, leaned this way. Its Payments Vision documents name internationalisation as an explicit pillar, and the central bank is pursuing varied models — the bilateral QR links like Cambodia's, the UAE's AANI interlink, and a planned connection to the Eurosystem's TIPS platform for real-time remittances. India has signed more than 20 digital-public-infrastructure MOUs. The diversity is the point: different partners get different depths of integration, calibrated to each jurisdiction's risk and readiness, rather than one maximalist template imposed everywhere.
Where over-regulation would actually bite
The live danger is data-localisation absolutism. India requires payment data to be stored domestically; the EU's GDPR limits transfers to jurisdictions it deems adequate; other partners impose their own constraints. Read rigidly, these rules are mutually exclusive and would make any cross-border QR link impossible. The workable path is mutual recognition and mirrored-data arrangements negotiated bilaterally — not each country insisting its own localisation rule travels with every transaction. Regulators who treat data sovereignty as non-negotiable will simply ensure the corridors never open, ceding the rails to card networks whose data governance Indian users control even less.
The Cambodia linkage will not move macro numbers. But as a governance template it is close to ideal: two sovereign systems, two regulators, one agreed interface, phased deployment, and compliance anchored at the bank rather than mandated from above. If India wants UPI to become genuinely global, the export that matters is not the rulebook. It is the rails — and the discipline to let partner regulators run their own end.