Full Title: DeepSeeking Accountability in India's Central Bank: Governance Failures in RBI's Entity Network — The
.bank.inDebacle, the Revolving Door, and the Systemic Bypass Template
The Reserve Bank of India controls a dense network of at least seven distinct entities — IDRBT, IFTAS, ReBIT, RBIH, NPCI, and its own IT and Fintech Departments — that operate critical national payments, banking, and cybersecurity infrastructure. These entities share personnel, board seats, and institutional culture with no external accountability mechanism.
The .bank.in domain registry fiasco — where a portal managing the internet identity of every Indian bank was built by an untendered vendor, operated with 33+ critical vulnerabilities, and had no security audit or disclosure mechanism — is not a security incident. It is a governance debacle that expresses a structural pattern: RBI creates entities, incubates them, staffs them with rotating insiders, and reabsorbs them at will, all through opaque legal forms that evade Parliament, CAG, RTI, and competitive procurement.
This report documents that pattern through three lenses: the IKCON single-source award (Chapter 1), the IDRBT revolving door (Chapter 2), and the systemic governance bypass template that entity proliferation enables (Chapter 3).
Methodology: This chapter reconstructs the chain of events leading to IKCON Technologies being awarded the
.bank.indomain registry contract without competitive tender. The conclusion — that the no-tender award represents a governance failure with high probability of byelaw manipulation — is a logical inference from verified source data, not a proven judicial finding. Each claim is graded.
The .bank.in domain registry portal at registrar.idrbt.ac.in is the exclusive gateway for all ~1,500+ banks in India to register under the RBI-mandated .bank.in namespace. It handles authentication, PII (email, phone, addresses), domain registration authorization, and certificate issuance for the entire banking sector's internet-facing domains.
Confirmed facts [1]:
- 33+ unauthenticated API endpoints discovered
- 5,576 user records exposed (email, phone, addresses)
- 1,072 orphan Super Admin accounts
- No security.txt vulnerability disclosure mechanism
- No evidence of pre-deployment security audit
IKCON Technologies (https://www.ikcontech.com/) is a small private company with:
- No prior domain registry management track record
- No certificate authority (CA) operational history
- Leadership team of ~3 individuals including Mahesh Jarati [4]
- No published public sector contracts comparable to the .bank.in mandate
The portal was awarded to IKCON without any published tender, RFP, or vendor selection process. [2]
Confirmed: IDRBT's own tender page (https://www.idrbt.ac.in/tenders/) lists all published procurement notices — from modular furniture to HSMs — but contains no entry for the .bank.in domain registry. This negative evidence is consistent with the CashlessConsumer report's finding. [11]
Appointed 2 May 2024. Formerly RBI's Executive Director, Department of Information Technology — the same department that oversees IDRBT on RBI's behalf. [3]
Directorship map (confirmed from IDRBT Director page and cross-referenced against entity websites):
| Entity | Role | Since |
|---|---|---|
| IDRBT | Director + Governing Council member | May 2024 |
| NPCI | Board member | Concurrent |
| IFTAS | Board member | Concurrent |
| ReBIT | Board member | Concurrent |
| RBI Innovation Hub | Governing Council member [^8] | Concurrent |
| Indian Overseas Bank | Board member | Concurrent |
| RBI (earlier) | Executive Director, IT Dept | Pre-2024 |
This creates a self-oversight paradox: Deepak Kumar sits on the boards of IFTAS (which took over IDRBT's built infrastructure), ReBIT (RBI's cybersecurity arm that should audit IDRBT), NPCI (which IDRBT's .bank.in registry interacts with), and is simultaneously a member of IDRBT's own Governing Council — the body meant to oversee him. [3][5]
Confirmed: Mahesh Jarati is listed on IKCON Technologies' Executive Leadership Team alongside Divakar Talagadadeevi and Madhu Kiran Boindala. [4] ZoomInfo records confirm current employment at IKCON.
High confidence: Source investigation reports Mahesh Jarati as ex-IFTAS (Indian Financial Technology and Allied Services). [Annexure A] IFTAS manages technology infrastructure for the cooperative banking sector — exactly the banks that are primary targets of the .bank.in domain migration mandate.
The logical chain: Mahesh Jarati moved from:
1. IFTAS → cooperative bank technology procurement (knows requirements, budgets, vendors)
2. IKCON Technologies → the vendor that received a no-tender contract from IDRBT to build the .bank.in portal serving those same cooperative banks
This is a textbook revolving-door conflict pattern. The byelaw amendment allegation — that IDRBT's Governing Council raised single-source procurement thresholds specifically to accommodate IKCON — would explain why a small company with no relevant track record could qualify for a contract that would normally require competitive bidding. [5]
Alleged (unverified): IDRBT's Governing Council amended procurement byelaws to:
- Raise single-source procurement thresholds
- Relax vendor eligibility criteria
- Enable IKCON to qualify without competitive tender
What is confirmed:
- ✅ No tender was published for the .bank.in portal
- ✅ IDRBT's IT Vendor Management guide (ITVM_Final.pdf) [12] describes competitive bidding as best practice, but IDRBT's actual internal procurement thresholds are not publicly documented
- ✅ Deepak Kumar, as Director, is the approving authority for procurement
- ✅ The Governing Council (including Deepak Kumar) sets procurement policy [5]
- ✅ IDRBT held its 80th Governing Council meeting on 21 June 2024 — after Deepak Kumar's appointment — where procurement policy could have been amended [IDRBT 2023-2024 page]
| Safeguard | Expected | Actual | Source |
|---|---|---|---|
| Procurement policy | Competitive tender above threshold | No tender published | [^2][^11] |
| Governing Council oversight | Independent review of awards | Council members are RBI network | [^3][^5] |
| CAG audit | Statutory audit of public-funded entity | Society exempts from CAG | Legal analysis |
| RTI oversight | Public can question procurement | IDRBT claims exemption | [Annexure D] |
| Security audit | Pre-deployment VAPT per CERT-In | No audit; 33+ endpoints exposed | [^1] |
| Disclosure mechanism | security.txt, reporting channel |
None present | [^1] |
| Claim | Grade | Evidence |
|---|---|---|
| Mahesh Jarati at IKCON | ✅ Confirmed | IKCON leadership page [^4]; ZoomInfo |
| Mahesh Jarati ex-IFTAS | ⚠️ High confidence | Source claim + ZoomInfo cross-refs; IFTAS contextual fit [Annex A] |
| No tender for IKCON contract | ✅ Confirmed | CashlessConsumer .bank.in report [^2]; tender page absence [^11] |
| Deepak Kumar = approving authority | ✅ Confirmed | IDRBT Director has procurement authority [^3] |
| Byelaw amendment for vendor rates | 🔴 Allegation only | Source claim; no public document found yet |
| Rate rigging / better rates | 🔴 Unverified | Requires pre/post contract pricing data |