Part of the "DeepSeeking Accountability in RBI" report
Cross-reference: See
file chapters/rbi_governance.md(Chapter 3) for the governance analysis built on this survey, andfile annexures/reference-matrix.mdfor source verification.
Context: The IDRBT
.bank.insecurity failure, the IKCON no-tender contract, and Deepak Kumar's appointment pattern are not isolated events. They are expressions of a deeper structural pattern: RBI creates entities, incubates them, then either pulls them back under direct control or populates them with retiring insiders — an institutional revolving door with no external accountability.
RBI currently has 5 wholly-owned subsidiaries under the Companies Act. [1]
| Subsidiary | Established | Acquired by RBI | Mandate | Notes |
|---|---|---|---|---|
| DICGC | 1978 (merger of DIC 1962 + CGCI) | From inception | Deposit insurance & credit guarantee | Statutory corporation under DICGC Act 1961 |
| BRBNMPL | 1995 | From incorporation | Currency note printing | Private limited company |
| ReBIT | 2016 | From incorporation | IT & cybersecurity for RBI | Private limited company (Mumbai) |
| IFTAS | 2015 (by IDRBT) | March 2019 | Financial technology infrastructure | Section 8; clawed back from IDRBT |
| RBIH | 2019 | From incorporation | Innovation hub (Bengaluru) | Wholly owned subsidiary |
Two major institutions were wholly owned by RBI and transferred to the Government of India in 2019: [2]
- NABARD — National Bank for Agriculture and Rural Development (founded 1982, RBI sold stake ₹1,470 Cr in 2019)
- NHB — National Housing Bank (founded 1988, RBI sold entire stake March 2019)
These were deliberate strategic divorces: RBI concluded that development finance institutions should sit with the government, not the central bank.
These are entities RBI birthed, funds, populates with its officers, and effectively controls — yet they exist outside the formal wholly-owned structure.
- Legal form: Society registered under Society Registration Act (not a company)
- Founded: March 1996 by RBI, after the W.S. Saraf Committee (1994) recommendation [3]
- Status: "Autonomous institute" — but fully controlled by RBI
- Governing Council: Chaired by former RBI Deputy Governor N.S. Vishwanathan; includes RBI ED Vivek Deep, RBI CGM R. Vanaraja, NPCI MD Dilip Asbe [4]
- Core role: Certifying Authority for banking sector under IT Act 2000; R&D in banking technology; cyber security drills; domain registrar for .bank.in
The control mechanism: IDRBT is a "society" — neither a company nor a statutory body. This legal form places it outside RTI's full reach (disputed), outside Companies Act governance (no independent board), and outside parliamentary oversight that applies to government departments. Yet it manages critical national infrastructure: digital certificates for all banks, the .bank.in namespace, and cyber security for the BFSI sector.
- Legal form: Section 8 company (not-for-profit), promoted by RBI + IBA in December 2008 [5]
- Ownership: Consortium of banks (not RBI directly), but RBI retains effective control through board representation and the Payment and Settlement Systems Act
- What it runs: UPI, IMPS, RuPay, NACH, AePS, FASTag, BHIM
- RBI influence: RBI EDs sit on NPCI Board. The RBI Governor appoints key members. NPCI was declared a "Public Important Institution" by the government.
Pattern: Like IDRBT, NPCI was set up as a non-company legal form (Section 8) to keep distance from government while retaining central bank control. Unlike IDRBT, NPCI has since been notified under the Aadhaar Act and given a more formal statutory role.
- Founded: 2001, promoted by RBI
- Role: Clearing and settlement for government securities, forex, and money markets
- RBI control: RBI holds stake, appoints board members, and regulates CCIL as a systemically important payment system
- Founded: 1987 by RBI
- Role: Advanced research in development economics
- Status: Deemed university; fully funded and controlled by RBI
| Entity | Relationship | Notes |
|---|---|---|
| IBA (Indian Banks' Association) | RBI EDs sit on governing bodies | Industry body, but RBI sets agenda |
| BCSBI (Banking Codes and Standards Board) | RBI promoted | Consumer protection standards |
| SIDBI | RBI has board representation | MSME financing |
The IFTAS story is the single most important precedent for understanding the IDRBT fiasco. It reveals the pattern: RBI creates, incubates, then pulls back assets and people when they're valuable enough. [6]
```
1996 — IDRBT established by RBI as autonomous society
2001 — IDRBT launches SFMS (Structured Financial Messaging System)
2001 — IDRBT launches INFINET (Indian Financial Network)
2004 — IDRBT becomes "financially independent"
2009 — Rangarajan-led External Expert Review Committee (EERC) recommends
IDRBT shed non-research services and focus on R&D
2015 — IDRBT incorporates IFTAS as a Section 8 subsidiary to hive off
its operational technology services (INFINET, SFMS, IBCC)
2016 — Apr 1: IFTAS takes over INFINET, SFMS, IBCC operations from IDRBT.
IDRBT Director serves as first Chairman of IFTAS.
2019 — Mar: RBI wholly acquires IFTAS from IDRBT. IFTAS becomes a
direct RBI subsidiary. IDRBT loses its revenue-generating services.
```
1. Stripped IDRBT of operational services — after 2019, IDRBT was left with only R&D, training, and certification (the least profitable functions)
2. Concentrated tech infrastructure under direct RBI control — INFINET, SFMS, and the Banking Community Cloud became RBI's to command
3. Created a parallel tech entity — IFTAS (431+ employees, ~$70M revenue) now competes for resources and talent with IDRBT
4. Set the precedent — If an RBI-created entity builds something valuable, RBI will pull it in-house rather than let it operate independently
Deepak Kumar's career perfectly traces this arc: [7]
1. At RBI: Headed Department of Information Technology (the department that oversaw both IDRBT and IFTAS)
2. On IFTAS Board: Served as Director on the Board of IFTAS (pre-acquisition)
3. On IDRBT Governing Council: Served as CGM-in-Charge, RBI Dept. of IT on IDRBT's Governing Council
4. On ReBIT Board: Served as Director on ReBIT Board
5. On RBIH Board: Served as Director on RBI Innovation Hub Board
6. On NPCI Board: Served as Director on NPCI Board
7. On Indian Overseas Bank Board: Served as RBI-nominated Director
8. Becomes IDRBT Director: May 2, 2024 — appointed to run the institution he previously oversaw from RBI
This is the revolving door in its purest form: the RBI Executive Director who supervised all these subsidiaries from within RBI becomes the Director of one, bringing his relationships at all the others with him.
In February 2025, RBI mandated that all banks migrate to the .bank.in domain suffix — a trust mechanism to combat phishing. The exclusive registrar for this namespace is IDRBT, through its portal at registrar.idrbt.ac.in.
The .bank.in domain registration portal was developed and is operated by IKCON Technologies — a small private company with no prior track record in domain registry management or certificate authority operations. [8]
The contract was awarded without any competitive tender, RFP, or published vendor selection process — a clear violation of IDRBT's own Purchase Manual which mandates competitive bidding above certain thresholds. [9]
Mahesh Jarati, listed on IKCON's leadership team, is a former employee of IFTAS — the very entity that manages technology procurement for cooperative banks, which are the primary targets of the .bank.in mandate. [8]
The revolving-door pattern: A person who understands bank procurement processes (and has relationships with bank decision-makers from their time at IFTAS) now sits at the vendor that landed a no-tender contract from the regulator.
The portal exposed 33+ unauthenticated API endpoints leaking 5,576 bank employee credentials, ₹4.72 crore in invoice records, 1,072 orphan Super Admin accounts, and sensitive PII — for at least 13 months. [10]
The CashlessConsumer investigation documented that [8]:
- No security audit preceded deployment
- No vulnerability disclosure program existed
- The portal's "Security Policy" claimed it was "audited for known application-level vulnerabilities before launch" — yet the vulnerabilities were fundamental
The unverified allegation (from source tip, documented in DeepakKumar.md) is that IDRBT's Governing Council amended procurement byelaws to:
- Raise single-source procurement thresholds
- Relax vendor eligibility criteria
- Enable IKCON — which wouldn't qualify under normal competitive bidding — to get the contract at better-than-market rates [8]
What can be confirmed:
- ✅ IKCON is a private company on IKCON's leadership page
- ✅ No tender exists for the .bank.in portal (confirmed in CashlessConsumer report)
- ✅ Deepak Kumar, as Director, is the final approving authority for all IDRBT procurement
- 🔴 The byelaw amendment itself remains unverified — requires IDRBT Governing Council minutes (which are not public)
IDRBT's leadership timeline in 2024 is itself suspicious: [11]
| Director | From | To | Duration | Background |
|---|---|---|---|---|
| Smt. K. Nikhila | 24-Jan-2024 | 01-May-2024 | ~3 months | RBI Regional Director, Telangana |
| Dr. Deepak Kumar | 02-May-2024 | Present | Ongoing | Former RBI ED, ex-Head of IT Dept |
Nikhila, an RBI Regional Director, served as IDRBT Director for barely 3 months — just long enough to keep the seat warm until Deepak Kumar (who had just retired as RBI ED) was ready to take over. This suggests the appointment was pre-determined, with Nikhila as a placeholder.
Deepak Kumar's profile on IDRBT's website lists his simultaneous directorships: [7]
| Entity | Role | Relationship to RBI |
|---|---|---|
| IDRBT | Director (himself) | RBI society — he now runs it |
| Indian Overseas Bank | Director on Board | Public sector bank — RBI nominates |
| NPCI | Director on Board | Payments umbrella — RBI-controlled |
| IFTAS | Director on Board (former) | RBI wholly-owned subsidiary |
| ReBIT | Director on Board | RBI wholly-owned subsidiary |
| RBIH | Director on Board | RBI wholly-owned subsidiary |
| IDRBT Governing Council | Member Secretary | Sets IDRBT policy |
This means a single individual simultaneously sat on the boards of every major technology entity in India's banking ecosystem — the regulator's own IT subsidiaries (IFTAS, ReBIT, RBIH), the payments infrastructure (NPCI), a public sector bank (IOB), and the institute that certifies all banking technology (IDRBT).
There is no separation of duty. There is no independent oversight. There is only RBI — speaking to itself through interchangeable Executive Directors.
RBI identifies a need — technology research, payments infrastructure, innovation — and creates an entity. It funds it, staffs it with RBI officers, and maintains control through board representation.
Examples:
- IDRBT (1996) — banking technology R&D
- NPCI (2008) — retail payments
- IFTAS (2015) — financial technology services
- RBIH (2019) — innovation
Once the entity has developed valuable assets, domain expertise, and operational capacity, RBI moves to consolidate control.
- IFTAS: Created by IDRBT, ran INFINET/SFMS/IBCC for 3 years, then RBI wholly acquired it in 2019, stripping IDRBT of its core services
- NPCI: Developed UPI, RuPay, IMPS — now a quasi-monopoly, with RBI pushing for "NPCI for-profit" conversion and tighter control
- IDRBT's .bank.in registry: Built and operated by IDRBT, but the mandate came from RBI directly, and the contract was awarded without IDRBT's usual procurement process
Retiring RBI Executive Directors routinely land in the entities they once supervised:
| Name | Former RBI Role | Post-RBI Position |
|---|---|---|
| Deepak Kumar | ED, RBI (Head of IT Dept) | Director, IDRBT |
| T. Rabi Sankar | ED/DG, RBI | Chairman, IFTAS |
| N.S. Vishwanathan | Deputy Governor, RBI | Chairman, IDRBT Governing Council |
| Vivek Deep | ED, RBI | Member, IDRBT Governing Council |
This is not a bug — it's the system. The regulatory- industrial complex ensures that no one who has ever been in a position to scrutinize RBI's subsidiaries will later sit at an arm's length from them.
Each subsidiary uses a different legal structure that minimizes external scrutiny:
| Entity | Legal Form | RTI Applicable? | Parliamentary Oversight? |
|---|---|---|---|
| RBI | Statutory corporation | ✅ Yes (limited) | ✅ Via Finance Ministry |
| DICGC | Statutory corporation | ✅ Yes | ✅ |
| BRBNMPL | Pvt Ltd company | ⚠️ Disputed | ❌ |
| ReBIT | Pvt Ltd company | ⚠️ Disputed | ❌ |
| IFTAS | Section 8 company | ⚠️ Disputed | ❌ |
| RBIH | Pvt Ltd company | ⚠️ Disputed | ❌ |
| IDRBT | Registered Society | 🔴 Disputed/No | ❌ |
| NPCI | Section 8 company | ❌ (except Aadhaar matters) | ❌ |
IDRBT as a "society" is the most opaque structure — neither a company (no MCA filings), nor a statutory body (no parliamentary accountability), nor a government department (no RTI by default). Yet it manages the digital certificate infrastructure for India's entire banking system and the exclusive national banking domain registry.
When every technology entity in Indian banking reports through the same small pool of former RBI EDs, there is no diversity of perspective, no challenge function, and no independent verification. IDRBT's security failure was inevitable not because of technical incompetence but because of structural failure — no one outside the RBI network was watching.
The Mahesh Jarati pattern (IFTAS → IKCON → IDRBT contract) is the commercial expression of the same revolving door. When procurement decision-makers at IDRBT, IFTAS, and RBI are the same people who have worked with each other for decades, competitive tendering becomes a formality that can be waived when convenient.
IFTAS and IDRBT now compete for the same technology mandates. IFTAS wants to build the IFS Cloud; IDRBT wants to remain relevant. But both answer to the same RBI masters. The result is structural inefficiency without competitive pressure — the worst of both worlds.
RBI divested NABARD and NHB in 2019 but simultaneously acquired IFTAS and created RBIH. It gave up development finance (which belongs to government) while tightening its grip on technology infrastructure (which gives it power over the financial system). This is a strategic consolidation: RBI is becoming a technology powerhouse disguised as a central bank.
[1] RBI officially recognizes five wholly-owned subsidiaries: DICGC, BRBNMPL, ReBIT, IFTAS, RBIH. See RBI Organisation page and multiple competitive exam sources https://gyansanchay.csjmu.ac.in/wp-content/uploads/2021/11/IFSRESERVE-BANK-OF-INDIA.pdf
[2] RBI divested its entire stake in NABARD and NHB to the Government of India in March-April 2019. https://www.thehindu.com/business/Industry/rbi-sells-entire-stake-in-nhb-nabard-to-govt-for-1470-cr/article26934631.ece
[3] IDRBT was established in March 1996 following the W.S. Saraf Committee 1994 recommendation, as a Society under the Society Registration Act. https://www.idrbt.ac.in/the-journey-of-idrbt/
[4] IDRBT Governing Council chaired by former RBI Deputy Governor N.S. Vishwanathan, includes RBI ED Vivek Deep, RBI CGM R. Vanaraja, NPCI MD Dilip Asbe. https://www.idrbt.ac.in/governing-council/
[5] NPCI was established in December 2008 as a Section 8 company under the Payment and Settlement Systems Act, promoted by RBI and IBA. https://en.wikipedia.org/wiki/National_Payments_Corporation_of_India
[6] The IFTAS clawback timeline: IDRBT created IFTAS in 2015 to run INFINET/SFMS/IBCC. Effective April 1, 2016, IFTAS took over operations. RBI wholly acquired IFTAS in March 2019. https://www.idrbt.ac.in/iftas/, https://www.idrbt.ac.in/the-journey-of-idrbt/
[7] Deepak Kumar's simultaneous directorships — ED at RBI overseeing IT Dept, Director on boards of NPCI, IFTAS, ReBIT, RBIH, IOB, and Governing Council of IDRBT — before becoming IDRBT Director. https://www.idrbt.ac.in/director/
[8] CashlessConsumer .bank.in investigation: IKCON awarded the .bank.in registrar contract without competitive tender. Mahesh Jarati ex-IFTAS listed on IKCON leadership. https://bankin-report.cashlessconsumer.in
[9] IDRBT's Purchase Manual ITVM_Final.pdf prescribes competitive bidding thresholds that the IKCON award appears to circumvent. https://www.idrbt.ac.in/wp-content/uploads/2022/07/ITVM_Final.pdf
[10] Medianama coverage of the .bank.in security vulnerabilities: 33+ unauthenticated endpoints, 5,576 records, no tender, no security audit. https://www.medianama.com/2026/06/223-security-vulnerabilities-rbi-bank-in-registry-sensitive-data
[11] IDRBT Former Directors page shows Nikhila served Jan 24 – May 1, 2024 3 months before Deepak Kumar took over. https://www.idrbt.ac.in/former-directors/
Compiled: 2026-07-11. This is a living document. Sources are cited for each major claim; unverified allegations are explicitly marked. The file IDRBT/DeepakKumar.md in this repository contains the raw investigation notes that underpin Section 4.