RBI's Initiative of migrating digital presence to the domain ".bank.in" - Consumer Perspective



Executive Summary

The Reserve Bank of India (RBI), through Circular No. RBI/2025-26/28 dated 22 April 2025, has directed all commercial banks, cooperative banks, and district cooperative banks operating in India to migrate their digital presence to the exclusive ".bank.in" domain framework on or before 31 October 2025.

The initiative is said to be part of RBI's broader strategy to strengthen cybersecurity resilience, curb phishing and online fraud, establish a trustworthy digital identity ecosystem for regulated entities, and enhance public confidence in digital banking channels.

The migration to the exclusive ".bank.in" domain is not merely a technical or administrative exercise. It represents a significant regulatory intervention aimed at protecting customers from illusive/deceptive digital practices, email spoofing, fraudulent websites, and other cyber threats.

Accordingly, every regulated bank was expected not only to undertake domain migration but also to ensure transparent customer communication and the implementation of robust authentication mechanisms.

Failure to effectively implement these requirements in their entirety would expose customers to confusion, misinformation, fraudulent activities, and potential financial losses.


Promise of a Safer Digital Banking Ecosystem

India's banking sector is experiencing an unprecedented digital transformation. Crores of customers now conduct banking transactions through internet banking portals, mobile applications, emails, UPI platforms, and digital payment systems. While digital banking has brought convenience, it has also created fertile ground for cyber fraudsters, identity thieves, and impersonators.

Recognising these risks, the Reserve Bank of India (RBI) introduced a significant cybersecurity and customer protection initiative in April 2025 by directing banks to migrate their digital infrastructure to the exclusive ".bank.in" domain ecosystem.

The intention behind this move was simple yet powerful:

If every legitimate bank communication originated from a standardised and RBI-recognised ".bank.in" domain, customers could easily identify genuine banking communications and distinguish them from fraudulent messages.

The initiative was widely welcomed by cybersecurity experts, banking professionals, and consumer rights advocates because it promised to establish a trusted digital framework for the Indian banking sector.

However, an important question now arises:

After 7 months, has the initiative been fully implemented in the spirit intended by the RBI?

For many customers, the answer appears to be uncertain.

What was RBI's intent?

The RBI's domain migration initiative was not merely about changing website names.

Its broader objectives included:

  • Creating a uniform and trusted banking identity.
  • Reducing phishing and impersonation attacks.
  • Strengthening digital trust among customers.
  • Enhancing cybersecurity.
  • Simplifying identification of genuine bank communications.
  • Protecting customers from increasingly sophisticated cyber frauds.

In theory, a customer receiving an email from:

customercare@xyz.bank.in

would immediately recognise it as authentic.

Conversely, suspicious communications from unrelated domains could be easily identified and ignored. Such standardisation would reduce the number of successful phishing attempts via email.

The Ground Reality: Multiple Domains Continue to Exist

More than a year after the RBI initiative was announced (seven months from expiry of the deadline to migrate to a new domain), many banking customers continue to encounter email communications originating from a variety of domain structures, including:

  • .com
  • .co.in
  • .in
  • .bank
  • Other legacy domains

In several cases, banks may have migrated selected customer-facing portals (including core banking) to ".bank.in" while continuing to operate other critical communication systems on older domains.

Customers continue receiving:

  • OTP communications
  • Transaction alerts
  • Account notifications
  • Promotional emails
  • Service updates
  • Authentication messages

from a mixture of different domain formats.

A promotional message arriving as an email from a non-".bank.in" domain could also lead to fraud if the receiver acts on it, assuming it is authentic.

This creates confusion rather than certainty.

Why This Matters to Ordinary Consumers like us

Many banking customers are not cybersecurity experts.

The average customer cannot be expected to understand:

  • Domain authentication protocols
  • Email security standards
  • DNS records
  • SPF and DKIM validation
  • SSL certificates
  • Anti-phishing mechanisms

When banks communicate from multiple domains simultaneously, customers are forced to make difficult judgments regarding authenticity.

This defeats one of the primary objectives behind the RBI initiative.

Example 1: The OTP Email from a domain other than the ".bank.in" domain

Imagine a customer receives an OTP email from:

otp@securebank.com

while the bank's website prominently advertises:

www.securebank.bank.in

The customer may legitimately wonder:

"Is this OTP genuine, or is somebody trying to steal my credentials?"

This uncertainty may cause either:

  • Avoidance of legitimate banking transactions, or
  • Acceptance of fraudulent communications.

Both are undesirable. However, this is a very common situation.

Example 2: The Phishing Trap

Suppose a fraudster sends an email from:

support@secure-bankindia.com

claiming:

"Your account will be blocked within 24 hours due to ______. Click here immediately to avoid blocking of account."

If legitimate bank communications already originate from several different domains, customers may find it difficult to distinguish between genuine and fraudulent messages.

Fraudsters thrive in such ambiguity. Despite the passage of over 1¼ years since the issuance of the directives and 7 months since the expiry of the deadline to implement them, many banks have not moved their net banking to the domain advised. Several banks have not moved their emails to the new domain.

The entire purpose of a standardised domain framework and announcing a cut-off line was to eliminate this confusion and associated uncertainty.

Example 3: Senior Citizens at Risk

Senior citizens are among the most vulnerable banking customers.

A retired pensioner may receive:

  • A transaction alert from one domain.
  • A promotional email from another.
  • A credit card communication from a third.
  • An internet banking alert from a fourth.

Expecting such customers to determine which communication is genuine is unrealistic.

A fully implemented ".bank.in" ecosystem would greatly simplify trust verification.

However, currently, all customer-centric communication comes from the ".bank.in" domain in 5-10% of cases.

Partial Compliance Can Create False Comfort

Perhaps the greater concern is not outright non-compliance but partial compliance.

Some institutions may have:

  • Migrated their primary core banking website.
  • Continued sending OTPs or transaction failure/success notifications from domains other than ".bank.in".
  • Introduced selected communications from ".bank.in" portals.

However, if customer communication systems continue operating through legacy domains, customers may wrongly assume that complete migration has occurred.

This creates what may be described as an "appearance of compliance" rather than actual realisation of the security objectives of RBI behind the new framework.


In some cases, customers may even visit a ".bank.in" website only to be redirected to older domain structures during transactions. While this technically appears functional, such arrangements dilute the intended security benefits. In such cases, internet banking customers are able to log in using both domains. I am not citing names of such banks that have carried out an 'eye wash exercise' to satisfy the RBI.

Cyber Fraud Is Becoming More Sophisticated

The urgency of this issue becomes apparent when viewed against the backdrop of rapidly evolving cybercrime.

Fraudsters use:

  • Artificial intelligence-generated content.
  • Spoofed email addresses.
  • Fake websites.
  • Voice cloning technologies.
  • SMS impersonation.
  • Social engineering attacks.

Fraudulent communications increasingly resemble genuine banking correspondence.

As criminals become more sophisticated, customers need simpler, not more complicated, methods of verifying authenticity.

The ".bank.in" framework offers exactly such a mechanism, but only if implemented strictly and comprehensively.

Why RBI Must Look Beyond Websites

Compliance assessment should not be restricted to checking whether a bank has migrated its homepage.

A meaningful review should examine whether the following systems have also migrated:

Email Infrastructure: Customer service emails, account communications, service notices, and regulatory disclosures.

OTP Systems: Authentication and transaction verification messages.

Transaction Alert Platforms: Debit alerts, credit alerts, card transactions, and account activity notifications.

Push Notifications: Push notifications and digital communication systems.

Customer Authentication Frameworks: Password resets, login verification, and identity confirmation processes.

Only then can regulators determine whether migration has been completed in substance rather than merely in appearance.
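
One way to run such a review over a bank's outbound sender addresses, as an added example (not part of the original article or any RBI tooling). The channel names and sample addresses are constructed, and the check looks only at the visible From domain, not at SPF or DKIM results.

```python
from email.utils import parseaddr


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of a From header value, or '' if it cannot be parsed."""
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].rstrip(".").lower()


def is_bank_in(domain: str) -> bool:
    """True only for <name>.bank.in, matched on whole DNS labels.

    A plain endswith("bank.in") would also accept "xyzbank.in", and a
    substring test would accept "xyz.bank.in.example.com".
    """
    labels = domain.split(".")
    return len(labels) >= 3 and all(labels) and labels[-2:] == ["bank", "in"]


def audit(inventory: dict) -> dict:
    """Map each channel to the sorted sender domains outside .bank.in."""
    gaps = {}
    for channel, senders in inventory.items():
        domains = {sender_domain(s) or "<unparsable>" for s in senders}
        legacy = sorted(d for d in domains if not is_bank_in(d))
        if legacy:
            gaps[channel] = legacy
    return gaps


# Constructed inventory: channel -> From values seen in outbound mail.
# This inspects the visible sender domain only; it does not check SPF/DKIM.
SAMPLE = {
    "customer service email": ["Customer Care <customercare@xyz.bank.in>"],
    "OTP": ["otp@securebank.com"],
    "transaction alerts": ["alerts@xyz.bank.in", "alerts@xyzbank.in"],
    "password reset": ["reset@xyz.bank.in.example.com"],
}

if __name__ == "__main__":
    for channel, legacy in audit(SAMPLE).items():
        print(f"{channel}: still sending from {', '.join(legacy)}")
```

A channel is reported as soon as any one of its senders falls outside ".bank.in", which is the partial-compliance case the article describes.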

What Customers Deserve

Banking customers deserve clarity.

They should not have to wonder:

  • Which domain is genuine?
  • Which email can be trusted?
  • Whether an OTP message is authentic?
  • Whether a transaction alert is legitimate?

A customer should be able to understand:

"If it originates from the authorised ".bank.in" ecosystem, it can be trusted."

Measures RBI Could Consider

To fully realise the benefits of the initiative, the RBI may consider the following:

1. Compliance Audit: A comprehensive review of actual implementation status across all regulated entities.

2. Public Compliance Certification: Banks should compulsorily and publicly disclose their full migration to ".bank.in", as mandated by the RBI. Banks should specify that migration of all customer-facing systems has taken place: not merely websites, but all communication infrastructure.

3. Customer Awareness Campaigns: Educating customers about how to identify genuine bank domains and e-communications (emails, and also SMS of different types, namely service, publicity, transaction, etc.).

4. Enforcement Action/Levy of penalty: Where implementation timelines have expired without satisfactory compliance.

A Consumer Protection Issue, Not Merely a Technology Project

The ".bank.in" initiative should not be viewed as a routine technology migration.

It is fundamentally a consumer protection, cybersecurity and trust-building initiative.

Its success must be measured not by the number of websites migrated but by whether customers can confidently identify authentic banking communications.

Conclusion

The Reserve Bank of India deserves credit for conceiving a forward-looking initiative aimed at strengthening trust and security in India's digital banking.

However, the true value of any regulatory reform lies not in the issuance of directives but in their effective implementation.

As cyber frauds continue to rise and fraudsters become increasingly sophisticated, incomplete implementation risks weakening the very protection that the initiative was designed to provide.

For crores of Indian banking customers, a fully and quickly implemented and uniformly enforced ".bank.in" ecosystem could become a powerful shield against digital fraud.

The time has come for rigorous implementation of the directive, with transparent (not eye-wash) compliance and coordinated regulatory oversight, so that the promise of the ".bank.in" framework translates into meaningful protection for every internet banking customer in India.

I have listed some banks that have not complied, those that have complied partially, those that did an eye-wash exercise, and so on. Since the object of this article is not to specify the names of banks that are non-compliant (as of the date), I have sent RBI a separate communication highlighting associated aspects.

Like few other initiatives, I am afraid that due to supervisory failure, lack of coordination between RBI’s departments, absence of proper guidance, absence of strict oversight of RBI, and considerable dependence on IDRBT, the intended object of creating a safer, more trustworthy, and more secure digital banking environment should not fail.




About the Author

Ex Chief Ethics and Compliance BNP Paribas

Ex Group Head Ethics and Compliance BNP Paribas, Kotak Mahindra Bank, ICICI Bank, PSU Banks, Ex-CEO FIMMDA, Practical ex-Banker, 35 years of supervisory level banking experience which includes the experience as Group Head of Compliance of an MNC Bank, 15 years in Bank Treasury & Securities Market (in New Private ...

