Author: Anshuli Singh, student at Bharati Vidyapeeth, Pune
To the Point
In an age where money moves at the speed of a click, digital banking has revolutionized India’s financial ecosystem. From instant UPI transfers to AI-powered lending apps, convenience has skyrocketed, but so has cyber risk. Phishing scams, identity theft, and ransomware attacks now target the very systems built for trust and efficiency.
As innovation races ahead, India’s legal framework struggles to catch up. This article dissects the current legal protections around digital banking, highlights cyber vulnerabilities, and explores how the law must evolve to meet the challenge.
Use of Legal Jargon
Phishing: Fraudulent attempts to obtain sensitive data by impersonating trusted entities.
Social Engineering Attacks: Cyberattacks that exploit human behavior rather than software vulnerabilities.
Deepfake: AI-generated synthetic media that mimic real individuals, used for deception.
IT Act, 2000: India’s primary law governing electronic communication and cybercrime.
RBI Circulars/Guidelines: Regulatory directives issued by the Reserve Bank of India, often enforceable through banking contracts.
KYC: Know Your Customer – a mandatory customer verification process.
Zero Liability Norms: RBI norms that absolve customers from bearing financial loss in unauthorized transactions under certain conditions.
Digital Lending Guidelines (2022): Regulatory framework by RBI to oversee digital loan platforms.
CERT-In: The Indian Computer Emergency Response Team, which functions as the central agency responsible for handling cybersecurity incidents and coordinating cyber threat responses in the country.
The Proof
Digital banking usage in India has grown rapidly in recent years, reaching levels never seen before. Fueled by affordable smartphones, growing internet access, and government-led digital initiatives, consumers are increasingly shifting towards digital platforms for banking. According to RBI statistics, over 45 billion UPI transactions were recorded in 2023, signaling the scale of this transformation.
The Reserve Bank of India (RBI) has played a key role in driving this transformation. It introduced initiatives such as the Digital Payments Index, supported Regulatory Sandboxes for fintech innovation, and launched the Digital Rupee in 2022. This progressive regulatory strategy is intended to advance the banking sector and enhance financial inclusion. However, as digital infrastructure expands, so do the vulnerabilities, exposing gaps in legal protection and regulatory capacity.
Cybersecurity Risks in Banking
1. Phishing Attacks and Social Engineering
Phishing scams have become a persistent threat. In December 2023, over 10,000 customers of a leading private bank fell victim to fraudulent messages that mimicked official bank communication. These messages directed users to fake websites under the pretext of updating KYC information, resulting in massive financial losses.
Such attacks rely on human error rather than software flaws, making even tech-aware users susceptible. The ease with which fraudsters manipulate branding and urgency raises serious questions about whether banks have adequate safeguards and whether legal liability can be shifted to users in such cases.
2. Deepfake Identity Fraud and AI-Driven Scams
The emergence of AI technologies such as deepfakes has introduced an added layer of complexity. In a 2024 Mumbai incident, a loan was sanctioned via a deepfaked video KYC: the fraudster used AI to mimic the applicant’s appearance and voice. This highlighted how current digital verification systems fall short when it comes to spotting fake or manipulated content. Since there is no legal requirement for banks to audit the AI tools they use, they are left open to serious financial and reputational risks. The law remains silent on accountability in such AI-enabled frauds.
3. Ransomware and Data Breaches
In early 2024, a cooperative bank’s systems were crippled by ransomware, halting operations for 48 hours. The breach took advantage of a security gap in a third-party IT service provider. Not only was customer service affected, but sensitive data was also leaked.
While RBI and CERT-In require banks to report breaches, enforcement is weak, and there is no standard protocol for informing affected customers. This raises serious concerns about transparency, liability, and the right to be informed, which are key pillars of digital trust.
Existing Legal Framework
1. Information Technology Act, 2000
The IT Act, 2000 is India’s foundational cyber law but is broad and technology-neutral, which limits its effectiveness in banking-specific situations.
Section 43A holds organisations, including banks, civilly liable if they fail to safeguard sensitive personal data.
Sections 66C and 66D criminalize identity theft and cheating by electronic impersonation respectively – key offences in phishing and fake lending apps.
While the law provides a base structure, it is now over two decades old and lacks the granularity needed for AI-driven fraud, blockchain transactions, and real-time banking risks.
2. RBI Circulars and Frameworks
The RBI has taken a proactive approach in plugging regulatory gaps through circulars and operational guidelines.
Cyber Security Framework for Banks (2016): Requires periodic audits, mandatory breach reporting, and top-level governance of cyber risks. It lays emphasis on real-time monitoring systems and internal training.
Digital Lending Guidelines (2022): Aimed at preventing predatory digital lending, these guidelines require banks and NBFCs to clearly disclose their digital partners and restrict data access. They also ban automated deductions without user consent.
Outsourcing of IT Services Circular (2023): This ensures that banks remain accountable for breaches or failures arising from third-party service providers, emphasizing contractual due diligence and technical oversight.
These guidelines are essential, but they are not codified as enforceable statutes. Compliance largely depends on RBI inspections and internal reporting, which can be inconsistent.
3. CERT-In Directions
CERT-In, the Indian Computer Emergency Response Team, oversees national cybersecurity incident management. Its directions apply to all entities, including banks, and require:
Mandatory 24-hour reporting of cyber incidents.
Log retention for at least 180 days.
Coordination with law enforcement and submission of incident updates.
However, its guidelines are not banking-specific and often overlap with or contradict RBI timelines and procedures. Banks are thus burdened with dual obligations that sometimes conflict.
Emerging Legal Challenges
1. Lack of a Banking-Specific Cybersecurity Law
While the IT Act and RBI circulars offer fragmented protection, India lacks a dedicated cybersecurity statute tailored to banking operations. Real-time fraud detection, AI-based decision-making, and fintech integrations require granular regulation that goes beyond generic cyber law.
2. Cross-Border Jurisdiction Issues
Digital banking often involves cloud storage, international payment gateways, and third-party APIs hosted abroad. This creates challenges in prosecuting frauds involving entities beyond Indian jurisdiction, with no clear framework for cross-border data enforcement or extradition.
3. Incomplete Enforcement of the DPDP Act, 2023
India’s long-awaited Digital Personal Data Protection Act, 2023 has not been fully implemented yet. Until then, privacy norms in banking remain driven by RBI advisories, which lack the force of binding law. The absence of a functional Data Protection Authority further weakens consumer rights.
4. Lack of AI Oversight in Banking
With AI being used in everything from fraud detection to loan approvals, there is no law that mandates fairness testing, transparency, or audits of AI systems. This opens banks to algorithmic bias, false positives, and potential liability without clarity on legal standards.
5. Ambiguity in Cyber Insurance
Many banks offer cyber insurance to customers, but policy language is vague, coverage is inconsistent, and claims are often denied citing “negligence.” There is no regulatory standard for such insurance, leaving consumers confused and vulnerable in case of loss.
Abstract
India’s banking sector is rapidly digitizing, but cyber threats are evolving just as fast. From phishing and ransomware to AI-driven frauds, banks are facing new-age risks that traditional law struggles to address. Although frameworks like the IT Act, RBI’s cybersecurity directives, and CERT-In guidelines offer partial protection, they leave major gaps. The absence of sector-specific cyber laws, weak AI regulation, and jurisdictional uncertainty make digital banking a legal minefield. This article evaluates the current legal architecture and outlines the reforms needed for a secure digital banking future.
Case Laws
HDFC Bank Ltd v. Jasmeet Singh (2022)
The Delhi High Court held that banks bear the burden of proof in unauthorized online transaction claims. Customers cannot be held accountable unless the bank demonstrates negligence on the customer’s part.
RBI v. Jayantilal N. Mistry (2015)
The Supreme Court emphasized transparency in RBI operations, ruling that inspection reports should be disclosed under RTI. It raised questions about the balance between confidentiality and accountability, which are relevant in digital contexts too.
Conclusion
India’s legal infrastructure for cybersecurity in the banking sector is supported by the Information Technology Act, 2000 (as amended in 2008), along with regulatory guidelines issued by the Reserve Bank of India and CERT-In. While these instruments collectively offer important safeguards, they are designed to apply broadly across sectors. As a result, digital banking, with its unique integration of fintech platforms, real-time payments, and AI-driven processes, operates in a landscape where certain legal dimensions remain undefined.
To its credit, the Reserve Bank of India has issued a range of advisories, circulars, and operational frameworks addressing cybersecurity, including mandatory cyber audits, IT governance structures, and breach reporting protocols. Banks are also increasingly deploying technical safeguards such as end-to-end encryption, two-factor authentication, biometric verification, and fraud detection algorithms. These tools are undeniably valuable and have raised the baseline of digital security.
However, as cyber threats continue to evolve in both scale and sophistication, with incidents involving deepfake-enabled KYC frauds, cross-border ransomware attacks, and algorithmic decision-making risks, it becomes evident that technical defences and general compliance are not enough. The existing legal and regulatory apparatus, though active, lacks the precision and statutory authority required to address banking-specific vulnerabilities comprehensively.
There is now a compelling case for a dedicated legal framework that complements existing statutes while setting clear and enforceable standards for liability, consumer protection, cross-jurisdictional cooperation, and oversight of emerging technologies in banking. As India continues to lead in financial digitization, its legal framework must evolve in tandem.
FAQs
Q1. What laws protect digital banking users in India?
The Information Technology Act, 2000 and RBI guidelines form the primary framework. The Digital Personal Data Protection Act, 2023 is expected to enhance protections once fully enforced.
Q2. Are banks liable for online fraud?
Yes. Under RBI’s 2017 norms, banks are liable if the customer reports fraud promptly and has not acted negligently.
Q3. What role does RBI play in cybersecurity?
RBI regulates cybersecurity through circulars, frameworks, and compliance audits. It oversees digital lending, IT outsourcing, and breach reporting mechanisms.
Q4. How can banks improve digital security legally?
By complying with RBI and CERT-In norms, conducting regular cyber audits, using encrypted systems, and implementing transparent AI mechanisms in risk management.
