RBI’s “.bank.in” Initiative: A Step Forward for Digital Trust


In late April 2025, the Reserve Bank of India (RBI) released a memorandum advising its constituent banks to migrate to the domain “.bank.in” by October 31, 2025. The guidance is based on a statement released in February regarding the introduction of the “.bank.in” and “fin.in” domains. 

But what is the RBI hoping to accomplish? 

In short, they’re attempting to guide Indian financial institutions to enhance their cybersecurity by adopting a “.bank.in” domain. 

At .Bank, we’re in full support of regional and global efforts to enhance cybersecurity for banks and financial institutions—after all, that’s our mission.

However, this particular announcement is somewhat confusing, as it leads organizations into a decision that looks meaningful but lacks substance. Namely, it doesn’t outline how the domain is managed, or the levels of security it provides to participating institutions and companies.

Ultimately, the announcement could have the opposite effect: exposing new vulnerabilities to malicious actors instead of improving protections.

In this article, we’ll review the implications of the RBI’s announcement, and explain why it currently seems insufficient to help improve cybersecurity for the Indian banking ecosystem. 

The Rising Threat of Cybersecurity Breaches in India

A 2024 Digital Threat Report from MeitY on cybersecurity revealed alarming trends for malicious attacks.

In H1 2024, the report found a 175% increase in phishing accounts compared to 2023, with the average cost of a data breach in India running north of $2.18 million. 

The report also covered some of the key phishing tactics used by hackers, including:

  • Diverse file formats to bypass email security filters
  • Abuse of legitimate internet services to gain unauthorized access
  • Third-party exploits
  • Exploiting open-source vulnerabilities
  • Ransomware attacks

The report also warned that the damage from these attacks is spreading:

“Cyberattacks are no longer confined to external breaches or malware infections; they now infiltrate the entire BFSI (banking, financial services, and insurance) value chain—from core financial application platforms and payment gateways to cloud infrastructure and customer-facing applications.”

The RBI’s mandate is based on plenty of evidence that the Indian BFSI industry is in urgent need of more and better tools to combat hackers and protect consumers.

Given the rise in cyber threats, it’s clear that only domains with the most stringent verification and layered security can truly protect financial institutions.

The Goals for “.bank.in” Are Clear. The Methods Are Not.

The RBI had previously released a memorandum about the “.bank.in” domain.

Now, a new memorandum sets the domain adoption deadline of October 31, 2025. 

Registration will be managed exclusively by the Institute for Development and Research in Banking Technology (IDRBT), thanks to authorization from the National Internet Exchange of India (NIXI) and the Ministry of Electronics and Information Technology (MeitY). 

Clearly, the institutions behind the “.bank.in” domain mean well and have a long reach. The risk is that Indian banks could trust them blindly and fail to see that the intended protection falls rather short on cybersecurity measures. A domain name on its own isn’t enough. 

What banks and fintech companies actually need from secure domain services is comprehensive, layered systems that protect data and end-users from hackers.

Craig Schwartz, President of fTLD, said it succinctly: “While the RBI’s intention for ‘.bank.in’ sounds interesting and could create value for the banking sector in India, the offering is extremely light on details demonstrating how the initiative will reduce cybersecurity threats and malicious activities.”

Conversely, Schwartz shared, “.Bank continues to be the global standard for secure and trusted online channels for banks.”

How .Bank Sets the Global Standard for TLD Security

There’s an obvious similarity between the IDRBT’s “.bank.in” domain and fTLD’s “.bank” domain, but the underlying technology couldn’t be more different.

To begin with, the IDRBT’s domain is undocumented and unproven. fTLD’s domain, on the other hand, is backed by robust technology infrastructure and more than a decade of battle-hardened experience against global cyber threats.

.Bank offers financial institutions a cybersecurity regime that uses mutually reinforcing layers of protection: 

1. Top-Level Domain (TLD) Verification and Control

To ensure the highest level of security and trust, .Bank domains are restricted to legitimate banking entities.

Every application is subject to strict enforcement of eligibility criteria. 

2. Enhanced Domain Name System (DNS) Security

We mandate DNS Security Extensions (DNSSEC) to prevent unauthorized changes to domain data or unauthorized use of the domain.

If you visit a website ending in .bank, you can rest assured that it’s not an accident or a spoof.

3. Digital Identity and Data Security

Access to change or update a client’s domain data is protected by multi-factor authentication (MFA) to ensure that only approved users gain entry.

This reduces the opportunity for unauthorized changes and protects against credential stuffing attacks. 

4. Robust Encryption

Any entity using a .Bank domain must use TLS (Transport Layer Security) 1.2 and is encouraged to use TLS 1.3 if possible, to create secure web connections.

Our clients also use HTTP Strict Transport Security (HSTS) Preload, which tells browsers to connect to the domain only over HTTPS, so that all their web communications are encrypted. 

5. Email Security

As a defense against phishing and spoofing attacks, .Bank also requires the use of:

  • Sender Policy Framework (SPF), which verifies the server of the email sender.
  • DomainKeys Identified Mail (DKIM), which verifies the email hasn’t been compromised.
  • Domain-Based Message Authentication, Reporting, and Conformance (DMARC), which provides the reporting protocol and framework for all messages.

Together, these protocols limit the likelihood of users receiving lookalike emails and attackers hijacking your email system in the first place. 
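Publishing these records is not the same as enforcing them, so the following added example (not fTLD's tooling or part of the original article) audits a domain's SPF, DKIM and DMARC TXT records for settings that leave spoofed mail deliverable. The thresholds it applies, the `s1` selector and the `.example` records are assumptions constructed for illustration, not fTLD's published requirements.

```python
# Added example. Thresholds are illustrative assumptions, not fTLD's published rules.

def tags(record):
    """Split a 'k=v; k=v' TXT record (DKIM/DMARC syntax) into a dict."""
    out = {}
    for item in record.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out

def audit(domain, txt, selector):
    """txt maps DNS names to lists of TXT strings; returns a list of findings."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero means no policy; more than one is a permanent error
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    elif spf[0].lower().split()[-1] != "-all":
        findings.append("SPF: record does not end in a hard fail (-all)")
    dkim = [tags(r) for r in txt.get(f"{selector}._domainkey.{domain}", [])]
    if not any(t.get("p") for t in dkim):  # an empty p= marks a revoked key
        findings.append(f"DKIM: no public key for selector '{selector}'")
    dmarc = [t for t in map(tags, txt.get(f"_dmarc.{domain}", []))
             if t.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
        return findings
    policy = dmarc[0].get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'absent'} does not block spoofed mail")
    if dmarc[0].get("pct", "100") != "100":
        findings.append("DMARC: pct below 100 exempts part of the mail flow")
    if "rua" not in dmarc[0]:
        findings.append("DMARC: no rua address, so no aggregate reports arrive")
    return findings

# Constructed records on reserved example names (not real DNS data).
TXT = {
    "good.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="],  # placeholder key
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:_spf.weak.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for name in ("good.example", "weak.example"):
        print(name, audit(name, TXT, "s1") or "no findings")
```
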

6. Adaptive Compliance and Security Monitoring

fTLD conducts daily monitoring activities and compliance checks to defend against emerging threats and active attacks against .Bank domains. 

This unique approach to domain registration and maintenance allows us to collaborate with the global banking community and sovereign banking regulators to ensure that the protection and reputation of .Bank remains impeccable. 

You can learn more about our technology and processes in this report on how we build a multi-layered domain strategy.

Why Cybersecurity Best Practices Matter 

Indian banks are working hard to deliver a globally competitive level of service and security, as confirmed in a recent report by the International Monetary Fund.

The RBI’s focus on better cybersecurity protocols shows the depth of its commitment and willingness to enact system-wide changes. In this sense, the rollout of “.bank.in” is certainly a step in the right direction. 

Unfortunately, the lack of details in the RBI’s announcement leaves many unanswered questions:

  • What standard will IDRBT use to verify applicants and ensure ongoing eligibility for a “.bank.in” domain?
  • What monitoring and auditing protocols will IDRBT use? Continuous monitoring? Independent auditors? How will they report incidents or breaches to the public?
  • What measures will they use to protect against phishing and spoofing? Are DNSSEC, SPF, DMARC, and DKIM mandatory?
  • Will the global banking community and the public have transparency into these processes?

The RBI and IDRBT may already have internal guidance on these issues, but the current lack of transparency or international cooperation is concerning.

The threat landscape for financial institutions is evolving at breakneck speed because of AI-powered hacking tools and strategies. While individual standards can and will change, the most important thing is to embrace best practices that are adaptable, resilient, and hardened against real-world threats. 

That’s the difference between a simple change of domain, and a shift to an established provider such as fTLD and the .Bank service. We aim to provide tools and security that can uphold universal standards when it comes to cybersecurity.

Leave Nothing Up to Chance

fTLD already serves two client banks headquartered in India, with another in neighboring Bhutan.

Our service is recognized globally as the gold standard for financial domain security. Our layered strategy provides technological redundancy, accountability, and standardization in a world rocked by the rapid increase in sophisticated cyber attacks.  

Indian banks deserve the best domain security on the planet, as do Indian consumers.

If you’d like to learn more about how a .Bank domain can strengthen your institution, schedule a meeting today.
