In late April 2025, the Reserve Bank of India (RBI) released a memorandum advising its constituent banks to migrate to the domain “.bank.in” by October 31, 2025. The guidance is based on a statement released in February regarding the introduction of the “.bank.in” and “fin.in” domains.
But what is the RBI hoping to accomplish?
In short, they’re attempting to guide Indian banks to enhance their cybersecurity by adopting a “.bank.in” domain. However, the announcements from RBI lack specifics to demonstrate a serious commitment towards this objective.
Namely, there is no outline of how “.bank.in” will be managed or verified, or of the level of security it would require of or provide to participating banks, making it a concept without substance behind it.
Meanwhile, fTLD Registry (“fTLD”) has been operating .Bank for over a decade, taking great pride in helping banks secure their online presence.
Further, as a part of fTLD’s commitment to operating .Bank, it verifies all banks and ensures banks comply with mandatory security requirements which make .Bank more secure against common cyber threats.
In this article, we’ll review the implications of the RBI’s announcement, and explain why “.bank.in” is not being managed in a way that thwarts attacks targeting Indian banks. As a starting point, without stringent verification and security mandates, there is no clear improvement in cybersecurity for Indian banks.
The Rising Threat of Cybersecurity Breaches in India
A 2024 Digital Threat Report from MeitY on cybersecurity revealed alarming trends for malicious attacks.
In H1 2024, the report found a 175% increase in phishing accounts compared to 2023, with the average cost of a data breach in India running north of $2.18 million.
The report also covered some of the key phishing tactics used by hackers, including:
- Diverse file formats to bypass email security filters
- Abuse of legitimate internet services to gain unauthorized access
- Third-party exploits
- Exploiting open-source vulnerabilities
- Ransomware attacks
The report also warned that the damage from these attacks is spreading:
“Cyberattacks are no longer confined to external breaches or malware infections; they now infiltrate the entire BFSI (banking, financial services, and insurance) value chain—from core financial application platforms and payment gateways to cloud infrastructure and customer-facing applications.”
The RBI’s mandate is based on plenty of evidence that the Indian BFSI industry is in urgent need of more and better tools to combat hackers and protect consumers.
Given the rise in cyber threats, it’s clear that only domains with the most stringent verification and layered security can truly protect financial institutions.
The Goals for “.bank.in” Are Clear. The Methods Are Not.
The RBI had previously released a memorandum about the “.bank.in” domain.
Now, a new memorandum sets the domain adoption deadline of October 31, 2025.
Registration will be managed exclusively by the Institute for Development and Research in Banking Technology (IDRBT), thanks to authorization from the National Internet Exchange of India (NIXI) and the Ministry of Electronics and Information Technology (MeitY).
The institutions behind the “.bank.in” domain appear to mean well and certainly have a long reach.
The issue is that Indian banks could trust them blindly and fail to gain the intended protection in cybersecurity, as there is a lack of specifically outlined security requirements and verification measures. A domain name on its own isn’t enough.
What banks need from a secure domain is a comprehensive, layered system that protects data and end-users from hackers.
Craig Schwartz, President of fTLD, said it succinctly: “While the RBI’s intention for “.bank.in” sounds interesting and could create value for the banking sector in India, the offering is extremely light on details to demonstrate how the initiative will reduce cybersecurity threats and malicious activities.”
Conversely, Schwartz shared, “.Bank continues to be the global standard for secure and trusted online channels for banks.”
How .Bank Sets the Global Standard for TLD Security
There’s an obvious similarity between the intent behind RBI’s “.bank.in” domain and fTLD’s “.bank” domain, but the underlying cybersecurity and built-in safeguards couldn’t be more different.
To begin with, the RBI’s domain lacks robust verification processes and mandatory security requirements, so plans for “reduc[ing] cyber security threats and malicious activities like phishing” seem unfounded without mandates to support them.
Plus, when a large Indian bank has already moved to a branded top-level domain for cybersecurity (e.g., State Bank of India uses .SBI), why would it want or need to use a .bank.in domain where it would lose the autonomy and technical control it enjoys today?
fTLD’s .Bank domain, on the other hand, is backed by robust verification and mandatory security requirements with proactive compliance monitoring, and more than a decade of first-hand experience verifying, educating, and collaborating with the global banking sector in the fight against cyber threats facing the sector.
.Bank offers banks a cybersecurity tool that provides layers of protection to their online presence, including:
1. Top-Level Domain (TLD) Verification and Control
To ensure the highest level of security and trust, .Bank domains are restricted to legitimate banking entities. Every application is subject to strict enforcement of eligibility criteria.
In addition, fTLD provides safeguards to prevent domain impersonation and cybersquatting, which are common abuses in public domains and TLDs without domain name verification requirements.
2. Enhanced Domain Name System (DNS) Security
We mandate DNS Security Extensions (DNSSEC) to prevent unauthorized changes to domain data or unauthorized use of the domain.
If you visit a website ending in .Bank, you can rest assured that it’s not an accident or a spoof.
3. Digital Identity and Data Security
Access to change or update a .Bank domain’s data is protected by multi-factor authentication (MFA) to ensure that only approved users gain entry.
This reduces the opportunity for unauthorized changes and protects against credential stuffing attacks.
4. Robust Encryption
Any entity using a .Bank domain must use TLS (Transport Layer Security) 1.2 and is encouraged to use TLS 1.3 when possible, to create secure web connections.
We also ensure your .Bank mail channel is using strong encryption to prevent data breaches, and provide confidence and trust to banks and their customers so banks can tell their customers “if it’s not .Bank, it’s not your bank!”
Our clients also use HTTP Strict Transport Security (HSTS) Preload to remove the potential for man-in-the-middle attacks that could intercept the initial connection and downgrade it.
5. Email Security
As a defense against phishing and spoofing attacks, .Bank also requires the use of email authentication:
- Domain-Based Message Authentication, Reporting, and Conformance (DMARC), which provides the reporting protocol and framework for all messages.
- Sender Policy Framework (SPF), which verifies the server of the email sender. Your SPF record lists your authorized senders.
- DomainKeys Identified Mail (DKIM), which verifies the email hasn’t been compromised. We recommend the use of DKIM as a best practice.
Together, these protocols increase email deliverability, and provide trust and transparency to the bank and its customers.
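As an added illustration (not fTLD's tooling or code from this article), the sketch below audits the SPF and DMARC TXT records a domain publishes and reports weak settings. The domains and records are constructed samples, and the thresholds (treating `?all` and `p=none` as findings) are assumptions, not fTLD's published requirements; DKIM is left out because checking it requires knowing the sender's selector.

```python
# Added example: offline audit of SPF and DMARC TXT records.
# All domains and records below are constructed sample data.
SAMPLE_TXT = {
    "good.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:mail.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not DMARC."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(domain, txt):
    """Return a list of findings for one domain; an empty list means none."""
    findings = []
    # SPF is published at the domain itself; more than one record is an error.
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected 1 record, found {len(spf)}")
    else:
        alls = [t for t in spf[0].lower().split()[1:] if t.lstrip("+-~?") == "all"]
        # Assumption: only -all (fail) or ~all (softfail) counts as restrictive.
        if not alls or alls[0] in ("all", "+all", "?all"):
            findings.append("SPF: unlisted senders are not failed")
    # DMARC is published at _dmarc.<domain>.
    dmarc = [t for t in map(parse_dmarc, txt.get("_dmarc." + domain, [])) if t is not None]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected 1 record, found {len(dmarc)}")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} takes no action on failing mail")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua address for aggregate reports")
    return findings

if __name__ == "__main__":
    for name in ("good.example", "weak.example"):
        print(name, audit_domain(name, SAMPLE_TXT) or "no findings")
```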
6. Adaptive Compliance and Security Monitoring
fTLD conducts daily monitoring activities and compliance checks to help banks defend against common cyber threats and to keep their digital front door secure.
This unique approach to domain registration and maintenance allows us to collaborate with the global banking community and government banking regulators to ensure that the protection and reputation of .Bank remains impeccable.
You can learn more about the .Bank cybersecurity features, processes, and commitment to providing banks a secure online presence in this report on our multi-layered approach to .Bank domain security.
Why Cybersecurity Best Practices Matter
Indian banks are working hard to deliver a globally competitive level of service and security, as confirmed in a recent report by the International Monetary Fund.
The RBI’s focus on better cybersecurity protocols shows a commitment to enact system-wide changes.
However, the rollout of “.bank.in” has not been defined well enough to provide any tangible cybersecurity advantage or to move the Indian banking and financial sector in the right direction.
The lack of details in the RBI’s announcement leaves many unanswered questions:
- What standard will IDRBT use to verify applicants and ensure ongoing eligibility for a “.bank.in” domain?
- What monitoring and auditing protocols will IDRBT use? Continuous monitoring? Independent auditors? How will they report incidents or breaches to the public?
- What measures will they use to protect against phishing and spoofing? Are DNSSEC, DMARC, SPF, and DKIM mandatory?
- Will the global banking community and the public have transparency into these processes and any technical requirements not yet announced?
The RBI and IDRBT may already have internal guidance on these issues, but the current lack of public transparency or international cooperation is concerning. fTLD has reached out to the RBI and IDRBT to offer our collaboration and expertise, but has not had any response as of the writing of this article.
The threat landscape for financial institutions is evolving at breakneck speed because of AI-powered hacking tools and strategies. While individual standards can and will change, the most important thing is to embrace best practices that are adaptable, resilient, and hardened against real-world threats.
Leave Nothing To Chance
fTLD already serves two client banks headquartered in India, with another in neighboring Bhutan.
Our service is recognized globally as the gold standard for financial domain security. Our layered strategy provides technological redundancy, accountability, and standardization in a world rocked by the rapid increase in sophisticated cyber attacks.
Indian banks deserve the best domain security on the planet, as do Indian consumers.
If you’d like to learn more about how a .Bank domain can strengthen your institution, schedule a meeting today.