DeepSeeking Accountability in RBI

Full Title: DeepSeeking Accountability in India's Central Bank: Governance Failures in RBI's Entity Network — The .bank.in Debacle, the Revolving Door, and the Systemic Bypass Template

Executive Summary

The Reserve Bank of India controls a dense network of at least seven distinct entities — IDRBT, IFTAS, ReBIT, RBIH, NPCI, and its own IT and Fintech Departments — that operate critical national payments, banking, and cybersecurity infrastructure. These entities share personnel, board seats, and institutional culture with no external accountability mechanism.

The .bank.in domain registry fiasco — where a portal managing the internet identity of every Indian bank was built by an untendered vendor, operated with 33+ critical vulnerabilities, and had no security audit or disclosure mechanism — is not a security incident. It is a governance debacle that expresses a structural pattern: RBI creates entities, incubates them, staffs them with rotating insiders, and reabsorbs them at will, all through opaque legal forms that evade Parliament, CAG, RTI, and competitive procurement.

This report documents that pattern through three lenses: the IKCON single-source award (Chapter 1), the IDRBT revolving door (Chapter 2), and the systemic governance bypass template that entity proliferation enables (Chapter 3).


Chapter 1: The IKCON Award — A High-Probability Governance Failure

Methodology: This chapter reconstructs the chain of events leading to IKCON Technologies being awarded the .bank.in domain registry contract without competitive tender. The conclusion — that the no-tender award represents a governance failure with high probability of byelaw manipulation — is a logical inference from verified source data, not a proven judicial finding. Each claim is graded.

1.1 The Contract

The .bank.in domain registry portal at registrar.idrbt.ac.in is the exclusive gateway for all ~1,500+ banks in India to register under the RBI-mandated .bank.in namespace. It handles authentication, PII (email, phone, addresses), domain registration authorization, and certificate issuance for the entire banking sector's internet-facing domains.

Confirmed facts [1]:

- 33+ unauthenticated API endpoints discovered

- 5,576 user records exposed (email, phone, addresses)

- 1,072 orphan Super Admin accounts

- No security.txt vulnerability disclosure mechanism

- No evidence of pre-deployment security audit

1.2 The Vendor

IKCON Technologies (https://www.ikcontech.com/) is a small private company with:

- No prior domain registry management track record

- No certificate authority (CA) operational history

- Leadership team of ~3 individuals including Mahesh Jarati [4]

- No published public sector contracts comparable to the .bank.in mandate

The portal was awarded to IKCON without any published tender, RFP, or vendor selection process. [2]

Confirmed: IDRBT's own tender page (https://www.idrbt.ac.in/tenders/) lists all published procurement notices — from modular furniture to HSMs — but contains no entry for the .bank.in domain registry. This negative evidence is consistent with the CashlessConsumer report's finding. [11]

1.3 The Key Actors

Deepak Kumar — Director, IDRBT

Appointed 2 May 2024. Formerly RBI's Executive Director, Department of Information Technology — the same department that oversees IDRBT on RBI's behalf. [3]

Directorship map (confirmed from IDRBT Director page and cross-referenced against entity websites):

Entity Role Since
IDRBT Director + Governing Council member May 2024
NPCI Board member Concurrent
IFTAS Board member Concurrent
ReBIT Board member Concurrent
RBI Innovation Hub Governing Council member [^8] Concurrent
Indian Overseas Bank Board member Concurrent
RBI (earlier) Executive Director, IT Dept Pre-2024

This creates a self-oversight paradox: Deepak Kumar sits on the boards of IFTAS (which took over IDRBT's built infrastructure), ReBIT (RBI's cybersecurity arm that should audit IDRBT), NPCI (which IDRBT's .bank.in registry interacts with), and is simultaneously a member of IDRBT's own Governing Council — the body meant to oversee him. [3][5]

Mahesh Jarati — The IFTAS→IKCON Link

Confirmed: Mahesh Jarati is listed on IKCON Technologies' Executive Leadership Team alongside Divakar Talagadadeevi and Madhu Kiran Boindala. [4] ZoomInfo records confirm current employment at IKCON.

High confidence: Source investigation reports Mahesh Jarati as ex-IFTAS (Indian Financial Technology and Allied Services). [Annexure A] IFTAS manages technology infrastructure for the cooperative banking sector — exactly the banks that are primary targets of the .bank.in domain migration mandate.

The logical chain: Mahesh Jarati moved from:

1. IFTAS → cooperative bank technology procurement (knows requirements, budgets, vendors)

2. IKCON Technologies → the vendor that received a no-tender contract from IDRBT to build the .bank.in portal serving those same cooperative banks

This is a textbook revolving-door conflict pattern. The byelaw amendment allegation — that IDRBT's Governing Council raised single-source procurement thresholds specifically to accommodate IKCON — would explain why a small company with no relevant track record could qualify for a contract that would normally require competitive bidding. [5]

1.4 Byelaw Amendment: The Allegation

Alleged (unverified): IDRBT's Governing Council amended procurement byelaws to:

- Raise single-source procurement thresholds

- Relax vendor eligibility criteria

- Enable IKCON to qualify without competitive tender

What is confirmed:

- ✅ No tender was published for the .bank.in portal

- ✅ IDRBT's IT Vendor Management guide (ITVM_Final.pdf) [12] describes competitive bidding as best practice, but IDRBT's actual internal procurement thresholds are not publicly documented

- ✅ Deepak Kumar, as Director, is the approving authority for procurement

- ✅ The Governing Council (including Deepak Kumar) sets procurement policy [5]

- ✅ IDRBT held its 80th Governing Council meeting on 21 June 2024 — after Deepak Kumar's appointment — where procurement policy could have been amended [IDRBT 2023-2024 page]

1.5 Safeguards That Failed

Safeguard Expected Actual Source
Procurement policy Competitive tender above threshold No tender published [^2][^11]
Governing Council oversight Independent review of awards Council members are RBI network [^3][^5]
CAG audit Statutory audit of public-funded entity Society exempts from CAG Legal analysis
RTI oversight Public can question procurement IDRBT claims exemption [Annexure D]
Security audit Pre-deployment VAPT per CERT-In No audit; 33+ endpoints exposed [^1]
Disclosure mechanism security.txt, reporting channel None present [^1]

1.6 Source Grading

Claim Grade Evidence
Mahesh Jarati at IKCON Confirmed IKCON leadership page [^4]; ZoomInfo
Mahesh Jarati ex-IFTAS ⚠️ High confidence Source claim + ZoomInfo cross-refs; IFTAS contextual fit [Annex A]
No tender for IKCON contract Confirmed CashlessConsumer .bank.in report [^2]; tender page absence [^11]
Deepak Kumar = approving authority Confirmed IDRBT Director has procurement authority [^3]
Byelaw amendment for vendor rates 🔴 Allegation only Source claim; no public document found yet
Rate rigging / better rates 🔴 Unverified Requires pre/post contract pricing data