RBI's Official & Unofficial Subsidiaries: A Historical Survey

Part of the "DeepSeeking Accountability in RBI" report

Cross-reference: See file chapters/rbi_governance.md (Chapter 3) for the governance analysis built on this survey, and file annexures/reference-matrix.md for source verification.

Context: The IDRBT .bank.in security failure, the IKCON no-tender contract, and Deepak Kumar's appointment pattern are not isolated events. They are expressions of a deeper structural pattern: RBI creates entities, incubates them, then either pulls them back under direct control or populates them with retiring insiders — an institutional revolving door with no external accountability.


1. RBI's Formal Wholly-Owned Subsidiaries

RBI currently has 5 wholly-owned subsidiaries under the Companies Act. [1]

Subsidiary Established Acquired by RBI Mandate Notes
DICGC 1978 (merger of DIC 1962 + CGCI) From inception Deposit insurance & credit guarantee Statutory corporation under DICGC Act 1961
BRBNMPL 1995 From incorporation Currency note printing Private limited company
ReBIT 2016 From incorporation IT & cybersecurity for RBI Private limited company (Mumbai)
IFTAS 2015 (by IDRBT) March 2019 Financial technology infrastructure Section 8; clawed back from IDRBT
RBIH 2019 From incorporation Innovation hub (Bengaluru) Wholly owned subsidiary

1.1 Former Subsidiaries (Divested)

Two major institutions were wholly owned by RBI and transferred to the Government of India in 2019: [2]

- NABARD — National Bank for Agriculture and Rural Development (founded 1982, RBI sold stake ₹1,470 Cr in 2019)

- NHB — National Housing Bank (founded 1988, RBI sold entire stake March 2019)

These were deliberate strategic divorces: RBI concluded that development finance institutions should sit with the government, not the central bank.


2. The "Unofficial" Subsidiaries: Entities RBI Created & Controls

These are entities RBI birthed, funds, populates with its officers, and effectively controls — yet they exist outside the formal wholly-owned structure.

2.1 IDRBT — Institute for Development and Research in Banking Technology

- Legal form: Society registered under Society Registration Act (not a company)

- Founded: March 1996 by RBI, after the W.S. Saraf Committee (1994) recommendation [3]

- Status: "Autonomous institute" — but fully controlled by RBI

- Governing Council: Chaired by former RBI Deputy Governor N.S. Vishwanathan; includes RBI ED Vivek Deep, RBI CGM R. Vanaraja, NPCI MD Dilip Asbe [4]

- Core role: Certifying Authority for banking sector under IT Act 2000; R&D in banking technology; cyber security drills; domain registrar for .bank.in

The control mechanism: IDRBT is a "society" — neither a company nor a statutory body. This legal form places it outside RTI's full reach (disputed), outside Companies Act governance (no independent board), and outside parliamentary oversight that applies to government departments. Yet it manages critical national infrastructure: digital certificates for all banks, the .bank.in namespace, and cyber security for the BFSI sector.

2.2 NPCI — National Payments Corporation of India

- Legal form: Section 8 company (not-for-profit), promoted by RBI + IBA in December 2008 [5]

- Ownership: Consortium of banks (not RBI directly), but RBI retains effective control through board representation and the Payment and Settlement Systems Act

- What it runs: UPI, IMPS, RuPay, NACH, AePS, FASTag, BHIM

- RBI influence: RBI EDs sit on NPCI Board. The RBI Governor appoints key members. NPCI was declared a "Public Important Institution" by the government.

Pattern: Like IDRBT, NPCI was set up as a non-company legal form (Section 8) to keep distance from government while retaining central bank control. Unlike IDRBT, NPCI has since been notified under the Aadhaar Act and given a more formal statutory role.

2.3 CCIL — Clearing Corporation of India Ltd.

- Founded: 2001, promoted by RBI

- Role: Clearing and settlement for government securities, forex, and money markets

- RBI control: RBI holds stake, appoints board members, and regulates CCIL as a systemically important payment system

2.4 IGIDR — Indira Gandhi Institute of Development Research

- Founded: 1987 by RBI

- Role: Advanced research in development economics

- Status: Deemed university; fully funded and controlled by RBI

2.5 Other RBI-Influenced Entities

Entity Relationship Notes
IBA (Indian Banks' Association) RBI EDs sit on governing bodies Industry body, but RBI sets agenda
BCSBI (Banking Codes and Standards Board) RBI promoted Consumer protection standards
SIDBI RBI has board representation MSME financing

3. The IFTAS Clawback: The Template for Everything

The IFTAS story is the single most important precedent for understanding the IDRBT fiasco. It reveals the pattern: RBI creates, incubates, then pulls back assets and people when they're valuable enough. [6]

Timeline

```

1996 — IDRBT established by RBI as autonomous society

2001 — IDRBT launches SFMS (Structured Financial Messaging System)

2001 — IDRBT launches INFINET (Indian Financial Network)

2004 — IDRBT becomes "financially independent"

2009 — Rangarajan-led External Expert Review Committee (EERC) recommends

IDRBT shed non-research services and focus on R&D

2015 — IDRBT incorporates IFTAS as a Section 8 subsidiary to hive off

its operational technology services (INFINET, SFMS, IBCC)

2016 — Apr 1: IFTAS takes over INFINET, SFMS, IBCC operations from IDRBT.

IDRBT Director serves as first Chairman of IFTAS.

2019 — Mar: RBI wholly acquires IFTAS from IDRBT. IFTAS becomes a

direct RBI subsidiary. IDRBT loses its revenue-generating services.

```

What the Clawback Achieved

1. Stripped IDRBT of operational services — after 2019, IDRBT was left with only R&D, training, and certification (the least profitable functions)

2. Concentrated tech infrastructure under direct RBI control — INFINET, SFMS, and the Banking Community Cloud became RBI's to command

3. Created a parallel tech entity — IFTAS (431+ employees, ~$70M revenue) now competes for resources and talent with IDRBT

4. Set the precedent — If an RBI-created entity builds something valuable, RBI will pull it in-house rather than let it operate independently

The Deepak Kumar Connection

Deepak Kumar's career perfectly traces this arc: [7]

1. At RBI: Headed Department of Information Technology (the department that oversaw both IDRBT and IFTAS)

2. On IFTAS Board: Served as Director on the Board of IFTAS (pre-acquisition)

3. On IDRBT Governing Council: Served as CGM-in-Charge, RBI Dept. of IT on IDRBT's Governing Council

4. On ReBIT Board: Served as Director on ReBIT Board

5. On RBIH Board: Served as Director on RBI Innovation Hub Board

6. On NPCI Board: Served as Director on NPCI Board

7. On Indian Overseas Bank Board: Served as RBI-nominated Director

8. Becomes IDRBT Director: May 2, 2024 — appointed to run the institution he previously oversaw from RBI

This is the revolving door in its purest form: the RBI Executive Director who supervised all these subsidiaries from within RBI becomes the Director of one, bringing his relationships at all the others with him.


4. The IDRBT Fiasco: Deepak Kumar & the IKCON No-Tender Award

Background

In February 2025, RBI mandated that all banks migrate to the .bank.in domain suffix — a trust mechanism to combat phishing. The exclusive registrar for this namespace is IDRBT, through its portal at registrar.idrbt.ac.in.

The Procurement Irregularity

The .bank.in domain registration portal was developed and is operated by IKCON Technologies — a small private company with no prior track record in domain registry management or certificate authority operations. [8]

The contract was awarded without any competitive tender, RFP, or published vendor selection process — a clear violation of IDRBT's own Purchase Manual which mandates competitive bidding above certain thresholds. [9]

The Mahesh Jarati Connection

Mahesh Jarati, listed on IKCON's leadership team, is a former employee of IFTAS — the very entity that manages technology procurement for cooperative banks, which are the primary targets of the .bank.in mandate. [8]

The revolving-door pattern: A person who understands bank procurement processes (and has relationships with bank decision-makers from their time at IFTAS) now sits at the vendor that landed a no-tender contract from the regulator.

The Security Failure

The portal exposed 33+ unauthenticated API endpoints leaking 5,576 bank employee credentials, ₹4.72 crore in invoice records, 1,072 orphan Super Admin accounts, and sensitive PII — for at least 13 months. [10]

The CashlessConsumer investigation documented that [8]:

- No security audit preceded deployment

- No vulnerability disclosure program existed

- The portal's "Security Policy" claimed it was "audited for known application-level vulnerabilities before launch" — yet the vulnerabilities were fundamental

The Byelaw Amendment Allegation

The unverified allegation (from source tip, documented in DeepakKumar.md) is that IDRBT's Governing Council amended procurement byelaws to:

- Raise single-source procurement thresholds

- Relax vendor eligibility criteria

- Enable IKCON — which wouldn't qualify under normal competitive bidding — to get the contract at better-than-market rates [8]

What can be confirmed:

- ✅ IKCON is a private company on IKCON's leadership page

- ✅ No tender exists for the .bank.in portal (confirmed in CashlessConsumer report)

- ✅ Deepak Kumar, as Director, is the final approving authority for all IDRBT procurement

- 🔴 The byelaw amendment itself remains unverified — requires IDRBT Governing Council minutes (which are not public)

The Nikhila Interregnum

IDRBT's leadership timeline in 2024 is itself suspicious: [11]

Director From To Duration Background
Smt. K. Nikhila 24-Jan-2024 01-May-2024 ~3 months RBI Regional Director, Telangana
Dr. Deepak Kumar 02-May-2024 Present Ongoing Former RBI ED, ex-Head of IT Dept

Nikhila, an RBI Regional Director, served as IDRBT Director for barely 3 months — just long enough to keep the seat warm until Deepak Kumar (who had just retired as RBI ED) was ready to take over. This suggests the appointment was pre-determined, with Nikhila as a placeholder.


5. The Revolving Door: Deepak Kumar's Web of Control

Deepak Kumar's profile on IDRBT's website lists his simultaneous directorships: [7]

Entity Role Relationship to RBI
IDRBT Director (himself) RBI society — he now runs it
Indian Overseas Bank Director on Board Public sector bank — RBI nominates
NPCI Director on Board Payments umbrella — RBI-controlled
IFTAS Director on Board (former) RBI wholly-owned subsidiary
ReBIT Director on Board RBI wholly-owned subsidiary
RBIH Director on Board RBI wholly-owned subsidiary
IDRBT Governing Council Member Secretary Sets IDRBT policy

This means a single individual simultaneously sat on the boards of every major technology entity in India's banking ecosystem — the regulator's own IT subsidiaries (IFTAS, ReBIT, RBIH), the payments infrastructure (NPCI), a public sector bank (IOB), and the institute that certifies all banking technology (IDRBT).

There is no separation of duty. There is no independent oversight. There is only RBI — speaking to itself through interchangeable Executive Directors.


6. The Institutional Pattern

Phase 1: Incubation (RBI creates)

RBI identifies a need — technology research, payments infrastructure, innovation — and creates an entity. It funds it, staffs it with RBI officers, and maintains control through board representation.

Examples:

- IDRBT (1996) — banking technology R&D

- NPCI (2008) — retail payments

- IFTAS (2015) — financial technology services

- RBIH (2019) — innovation

Phase 2: Value Extraction (Key assets mature)

Once the entity has developed valuable assets, domain expertise, and operational capacity, RBI moves to consolidate control.

- IFTAS: Created by IDRBT, ran INFINET/SFMS/IBCC for 3 years, then RBI wholly acquired it in 2019, stripping IDRBT of its core services

- NPCI: Developed UPI, RuPay, IMPS — now a quasi-monopoly, with RBI pushing for "NPCI for-profit" conversion and tighter control

- IDRBT's .bank.in registry: Built and operated by IDRBT, but the mandate came from RBI directly, and the contract was awarded without IDRBT's usual procurement process

Phase 3: Leadership Capture (Retiring EDs populate subsidiaries)

Retiring RBI Executive Directors routinely land in the entities they once supervised:

Name Former RBI Role Post-RBI Position
Deepak Kumar ED, RBI (Head of IT Dept) Director, IDRBT
T. Rabi Sankar ED/DG, RBI Chairman, IFTAS
N.S. Vishwanathan Deputy Governor, RBI Chairman, IDRBT Governing Council
Vivek Deep ED, RBI Member, IDRBT Governing Council

This is not a bug — it's the system. The regulatory- industrial complex ensures that no one who has ever been in a position to scrutinize RBI's subsidiaries will later sit at an arm's length from them.

Phase 4: Accountability Evasion (Legal forms matter)

Each subsidiary uses a different legal structure that minimizes external scrutiny:

Entity Legal Form RTI Applicable? Parliamentary Oversight?
RBI Statutory corporation ✅ Yes (limited) ✅ Via Finance Ministry
DICGC Statutory corporation ✅ Yes
BRBNMPL Pvt Ltd company ⚠️ Disputed
ReBIT Pvt Ltd company ⚠️ Disputed
IFTAS Section 8 company ⚠️ Disputed
RBIH Pvt Ltd company ⚠️ Disputed
IDRBT Registered Society 🔴 Disputed/No
NPCI Section 8 company ❌ (except Aadhaar matters)

IDRBT as a "society" is the most opaque structure — neither a company (no MCA filings), nor a statutory body (no parliamentary accountability), nor a government department (no RTI by default). Yet it manages the digital certificate infrastructure for India's entire banking system and the exclusive national banking domain registry.


7. Why This Matters

7.1 Systemic Risk

When every technology entity in Indian banking reports through the same small pool of former RBI EDs, there is no diversity of perspective, no challenge function, and no independent verification. IDRBT's security failure was inevitable not because of technical incompetence but because of structural failure — no one outside the RBI network was watching.

7.2 The IFTAS-IFTAS-IKCON Triangle

The Mahesh Jarati pattern (IFTAS → IKCON → IDRBT contract) is the commercial expression of the same revolving door. When procurement decision-makers at IDRBT, IFTAS, and RBI are the same people who have worked with each other for decades, competitive tendering becomes a formality that can be waived when convenient.

7.3 No Sibling Rivalry

IFTAS and IDRBT now compete for the same technology mandates. IFTAS wants to build the IFS Cloud; IDRBT wants to remain relevant. But both answer to the same RBI masters. The result is structural inefficiency without competitive pressure — the worst of both worlds.

7.4 The 2019 Divestiture Pattern

RBI divested NABARD and NHB in 2019 but simultaneously acquired IFTAS and created RBIH. It gave up development finance (which belongs to government) while tightening its grip on technology infrastructure (which gives it power over the financial system). This is a strategic consolidation: RBI is becoming a technology powerhouse disguised as a central bank.


8. Sources

[1] RBI officially recognizes five wholly-owned subsidiaries: DICGC, BRBNMPL, ReBIT, IFTAS, RBIH. See RBI Organisation page and multiple competitive exam sources https://gyansanchay.csjmu.ac.in/wp-content/uploads/2021/11/IFSRESERVE-BANK-OF-INDIA.pdf

[2] RBI divested its entire stake in NABARD and NHB to the Government of India in March-April 2019. https://www.thehindu.com/business/Industry/rbi-sells-entire-stake-in-nhb-nabard-to-govt-for-1470-cr/article26934631.ece

[3] IDRBT was established in March 1996 following the W.S. Saraf Committee 1994 recommendation, as a Society under the Society Registration Act. https://www.idrbt.ac.in/the-journey-of-idrbt/

[4] IDRBT Governing Council chaired by former RBI Deputy Governor N.S. Vishwanathan, includes RBI ED Vivek Deep, RBI CGM R. Vanaraja, NPCI MD Dilip Asbe. https://www.idrbt.ac.in/governing-council/

[5] NPCI was established in December 2008 as a Section 8 company under the Payment and Settlement Systems Act, promoted by RBI and IBA. https://en.wikipedia.org/wiki/National_Payments_Corporation_of_India

[6] The IFTAS clawback timeline: IDRBT created IFTAS in 2015 to run INFINET/SFMS/IBCC. Effective April 1, 2016, IFTAS took over operations. RBI wholly acquired IFTAS in March 2019. https://www.idrbt.ac.in/iftas/, https://www.idrbt.ac.in/the-journey-of-idrbt/

[7] Deepak Kumar's simultaneous directorships — ED at RBI overseeing IT Dept, Director on boards of NPCI, IFTAS, ReBIT, RBIH, IOB, and Governing Council of IDRBT — before becoming IDRBT Director. https://www.idrbt.ac.in/director/

[8] CashlessConsumer .bank.in investigation: IKCON awarded the .bank.in registrar contract without competitive tender. Mahesh Jarati ex-IFTAS listed on IKCON leadership. https://bankin-report.cashlessconsumer.in

[9] IDRBT's Purchase Manual ITVM_Final.pdf prescribes competitive bidding thresholds that the IKCON award appears to circumvent. https://www.idrbt.ac.in/wp-content/uploads/2022/07/ITVM_Final.pdf

[10] Medianama coverage of the .bank.in security vulnerabilities: 33+ unauthenticated endpoints, 5,576 records, no tender, no security audit. https://www.medianama.com/2026/06/223-security-vulnerabilities-rbi-bank-in-registry-sensitive-data

[11] IDRBT Former Directors page shows Nikhila served Jan 24 – May 1, 2024 3 months before Deepak Kumar took over. https://www.idrbt.ac.in/former-directors/


Compiled: 2026-07-11. This is a living document. Sources are cited for each major claim; unverified allegations are explicitly marked. The file IDRBT/DeepakKumar.md in this repository contains the raw investigation notes that underpin Section 4.