Digital banking in India is at an inflection point. With the rise of UPI, net banking, mobile apps, and digital wallets, convenience has increased—but so have cyber threats. In response to the growing sophistication of online frauds, phishing attacks, and digital impersonation, the Reserve Bank of India (RBI) has rolled out enhanced cybersecurity guidelines for banks, marking a turning point in the country’s financial security infrastructure.
This article provides a comprehensive breakdown of the new RBI mandates, legal backing, the .bank.in domain requirement, compliance strategies, and a roadmap for implementation.
Cyber threats in the banking sector are no longer isolated events; they are systemic risks. In the last few years, Indian banks have seen:
Rise in phishing websites mimicking real bank domains
Fake mobile apps impersonating banks
Increased ransomware and malware attacks
Data breaches from unsecured vendor access
ATM malware attacks and payment gateway vulnerabilities
RBI now views cyber resilience as a core banking function, not just a support process.
.bank.in Domain Mandate
RBI has mandated that all regulated entities (REs)—including:
Scheduled Commercial Banks
Cooperative Banks
Small Finance Banks
Payment Banks
Regional Rural Banks (RRBs)
—must migrate their digital assets (websites, email, net banking, mobile portals) to the .bank.in domain by October 31, 2025.
Create a trusted digital identity for each bank
Prevent spoofing and phishing through fake URLs
Establish a standardized verification layer
Facilitate customer trust and regulatory visibility
Register your .bank.in domain via authorized registrar
Migrate official website, apps, customer portals
Redirect old domains to the new address
Update SSL/TLS certificates, DMARC, SPF, DKIM
Train employees and notify customers of the new domain
Enforce a cutoff date after which only .bank.in remains live
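The "Update SSL/TLS certificates, DMARC, SPF, DKIM" step is where most migrations leave a spoofing gap: the new .bank.in domain gets strict records while the old domain keeps permissive ones. The checker below is an added example, not code from the original article or from RBI; the domain names and DNS record values are constructed and stand in for what a bank would pull from its own zone.

```python
# Constructed sample records for a hypothetical bank (not real DNS data).
# In practice these would be fetched from the zone's TXT records.
RECORDS = {
    "examplebank.bank.in": {  # new mandated domain
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@examplebank.bank.in; adkim=s; aspf=s",
        "dkim_selectors": ["sel2025"],
    },
    "examplebank.in": {  # legacy domain, retired after the cutoff date
        "spf": "v=spf1 ~all",
        "dmarc": "v=DMARC1; p=none",
        "dkim_selectors": [],
    },
}


def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_domain(rec, legacy=False):
    """Return a list of findings; an empty list means the domain is hardened.

    legacy=True applies the stricter rule for a retired domain: it should
    announce that it sends no mail at all, so any message using it is rejected.
    """
    findings = []
    spf = rec.get("spf", "")
    dmarc = parse_dmarc(rec.get("dmarc", ""))
    if not spf.startswith("v=spf1"):
        findings.append("missing SPF record")
    elif not spf.rstrip().endswith("-all"):
        findings.append("SPF does not hard-fail unauthorized senders (-all)")
    if legacy and spf.split() != ["v=spf1", "-all"]:
        findings.append("retired domain should publish 'v=spf1 -all' (no senders)")
    if dmarc.get("v") != "DMARC1":
        findings.append("missing DMARC record")
    elif dmarc.get("p") != "reject":
        findings.append(f"DMARC policy is '{dmarc.get('p')}', expected 'reject'")
    if dmarc.get("v") == "DMARC1" and "rua" not in dmarc:
        findings.append("DMARC has no rua= aggregate reporting address")
    if not legacy and not rec.get("dkim_selectors"):
        findings.append("no DKIM selector published for outbound signing")
    return findings


def audit_all(records=RECORDS):
    """Map each domain to its findings; legacy domains are any not under .bank.in."""
    return {d: check_domain(r, legacy=not d.endswith(".bank.in")) for d, r in records.items()}
```

Run `audit_all()` against records exported from both zones; the legacy domain in the sample produces four findings, which is exactly the configuration a phisher counts on.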
This is not optional. Non-compliance will lead to regulatory consequences, customer confusion, and higher exposure to phishing frauds.
The RBI’s enhanced cybersecurity guidelines draw power from multiple laws:
Gives RBI powers to regulate banking operations, including digital transactions.
Empowers RBI to impose technology, operational, and safety standards on banks.
Provides the legal foundation for cybersecurity, digital signatures, and data privacy.
Applies to digital wallets, payment aggregators, and other fintech players.
Mandates incident reporting within 6 hours for critical events.
Emphasizes privacy-by-design, encryption, and secure user data handling.
Together, these acts provide a strong legal backbone for RBI to impose cybersecurity and digital identity rules.
RBI’s updated cybersecurity framework is multi-layered, covering governance, infrastructure, operations, and incident response.
Each bank must have a Board-approved Cybersecurity Policy
Designate a Chief Information Security Officer (CISO)
Establish a Cybersecurity Committee at board or executive level
Policy to be reviewed annually
Maintain an IT asset inventory including software, hardware, and cloud services
All systems must have real-time patch management and update protocols
Endpoint protection via EDR (Endpoint Detection and Response)
Deployment of Next-Gen Firewalls, IDS/IPS, and SIEM tools
Use Multi-Factor Authentication (MFA) for critical systems
Role-based access via IAM (Identity and Access Management)
Enforce least privilege access rules
Monitor and log all privileged user activity
Banks must vet all third-party vendors for security standards
Signed agreements must include data protection, audit rights, and business continuity
Outsourced tech services must not jeopardize customer data or operational resilience
Background verification is mandatory for third-party staff
Data backup must be encrypted, tested, and geo-redundant
Have a Disaster Recovery (DR) strategy with periodic drills
Build Business Continuity Plans (BCPs) for critical operations
Banks are now required to establish:
Cyber Crisis Management Plan (CCMP)
Dedicated Incident Response Teams (IRT)
Real-time threat intelligence feeds
24x7 Security Operations Center (SOC)
Critical incident (like ransomware, data breach): within 6 hours
Moderate incident (DDoS, phishing): within 24 hours
Monthly and quarterly reports must be sent to RBI
RBI has begun imposing penalties on banks for:
Delay in breach reporting
Weak encryption standards
Absence of SOC
Unsecured outsourcing contracts
These penalties can range from ₹50 lakh to ₹5 crore, and may include public censure and restrictions on onboarding new customers digitally.
Here's how banks can meet RBI’s cybersecurity expectations:
Policy review and approval by Board
Nominate CISO and Cybersecurity Committee
Apply for .bank.in domain
Conduct current-state cybersecurity audit
Begin migration to .bank.in
Set up 24x7 SOC
Implement EDR, SIEM, MFA
Vendor contract revisions
Redesign employee access rules
Run BCP and DR drills
Conduct red team/blue team exercises
Educate staff on phishing and social engineering
Public campaign for customers to trust .bank.in
Ensure full migration to .bank.in
Submit final compliance report to RBI
Establish quarterly audit cycles
With RBI leading the charge, expect the following trends:
Zero Trust Architecture: No user/system is trusted by default
AI-Powered Threat Detection: Behavioral analytics for anomalies
Digital Identity as Infrastructure: .bank.in is just the beginning
Regtech & Suptech Adoption: Automation of compliance and reporting
Secure APIs and Open Banking Standards: For better third-party integrations
RBI’s cybersecurity overhaul is a visionary shift, not just a reaction to threats. By mandating secure domains, strict governance, and advanced technical controls, the central bank is preparing Indian banking for the next era of digital transformation.
Banks that embrace this early will not only ensure compliance—but also inspire trust, reduce fraud, and build long-term digital resilience.