Chapter 7: 25 Years of Governance Patterns — The Entity Lifecycle

Thesis: RBI's technology entities follow a predictable lifecycle — Create → Seed → Operate → Strip → Spin-off → Reabsorb. Over 25 years (1996–2026), this cycle has repeated across at least four generations of entities, each time consolidating control and avoiding external accountability.


7.1 The Timeline: 1996–2026

Generation 1: IDRBT (1996–2009) — The Pioneer

Year Event Significance
1984 Rangarajan Committee Report on computerisation Chaired by Dr. C. Rangarajan; first recommendation for technology in banking — distinct from the 2009 EERC also chaired by Rangarajan
1989 Second Rangarajan Committee Report Strengthened case for a dedicated technology institute
1994 Saraf Committee recommends apex tech institute Direct precursor to IDRBT
1995 RBI Central Board approves IDRBT (Oct 19) Board resolution at Thiruvananthapuram meeting
1996 IDRBT established as a Society under 1860 Act First RBI tech entity — loophole chosen from day one
2001 SFMS launched (Dec 14) India's inter-bank secure messaging standard
2004 IDRBT becomes financially independent Begins earning revenue from services
2004–08 INFINET expands to 5000+ branches Becomes critical national infrastructure
2008 NPCI established (Section 8 company) Payments infrastructure split off from IDRBT's orbit

Pattern at work: RBI created IDRBT as a Society to incubate banking technology under its exclusive control. The legal form (Society) was chosen deliberately — it avoided Companies Act compliance, CAG audit, and Parliamentary oversight from day one. This choice set the template for every subsequent entity.

Generation 2: The Divestiture Wave (2007–2010)

Year Event Significance
2007 Government buys RBI's 59.7% stake in SBI Precedent: RBI exits ownership of regulated entities
2008 Idbi Bank — RBI's remaining IDBI stake transferred Complete exit from industrial development banking
2009 EERC (Rangarajan Committee) recommends IDRBT shed operational services Beginning of IFTAS concept
2010 RBI divests 71.5% of NABARD (₹1,430 crore) Partial exit from agricultural finance regulator
2010–2015 IFTAS creation process underway 6-year gestation

The paradox: While RBI was divesting from development finance institutions (NABARD, NHB, SBI, IDBI) on the principle that a regulator should not own regulated entities, it was simultaneously creating new technology entities (IFTAS, ReBIT) under the same no-divestment exception.

Generation 3: Entity Proliferation (2015–2020)

Year Event Significance
2015 Feb IFTAS established (Section 8) by IDRBT Operational services transferred from IDRBT
2016 ReBIT established (Pvt Ltd Company) IT and cybersecurity for RBI — separate entity for IT management
2017 INFINET, SFMS, Banking Cloud fully transferred to IFTAS IDRBT hollowed out of all operational functions
2019 Jan Amendments to NABARD Act and NHB Act notified Enables government takeover
2019 Mar RBI divests remaining NABARD stake (₹20 cr) Complete exit from agri finance
2019 Mar RBI divests 100% of NHB (₹1,450 cr) Complete exit from housing finance
2019 RBI acquires IFTAS entirely Clawback — assets return to direct RBI control
2020 NPCI International (NIPL) established (Pvt Ltd) For-profit subsidiary for global UPI/RuPay expansion

The pattern crystallises: The 2019 transactions reveal the full strategy:

- RBI exits NABARD and NHB — institutions divested under the Financial Sector Legislative Reforms Commission (FSLRC) process, building on the Narasimham Committee I (1991) and II (1998) recommendations for separation of regulatory and development functions [8]

- RBI acquires IFTAS — the entity it wanted to keep. IFTAS had no public pressure for independence

The 2019 IFTAS clawback is the critical pivot: it proved RBI was comfortable reabsorbing technology entities it had previously spun off, consolidating direct control.

Generation 4: Consolidation & New Frontiers (2022–2026)

Year Event Significance
2022 Jan RBI Fintech Department created Internal department for fintech regulation
2022 Mar RBIH established (Section 8, ₹100 cr capital) External innovation hub — parallel to Fintech Department
2023 NPCI surplus crosses ₹1,000 cr For-profit conversion pressure builds
2024 May Deepak Kumar appointed IDRBT Director Former RBI ED (IT Dept) now runs the entity he used to oversee
2024 .bank.in registry goes live (IKCON, no tender) Governance bypass in practice
2022–present IDRBT Governing Council chaired by N.S. Vishwanathan Former Deputy Governor now chairs oversight of institution weakened by EERC recommendations
2025 IDRBT launches .bank.in CA operations Certificate authority added without competitive process
2026 Security vulnerabilities in .bank.in portal exposed 33+ unauthenticated endpoints, 5,576 records leaked

7.2 The Entity Lifecycle: A Repeating Pattern

Across 25 years, every RBI technology entity follows the same cycle:

Phase 1: Incubation (2–6 years)

- RBI identifies a technology function that needs development

- Creates an entity under an opaque legal form (Society → Section 8 → Pvt Ltd)

- Seeds it with RBI personnel (often the ED who proposed it becomes its first head)

- Funds it from RBI budget or mandated bank contributions

- No external oversight, no CAG audit, no RTI

Examples: IDRBT (1996), IFTAS (2015, incubated 2009-2015), ReBIT (2016), RBIH (2022)

Phase 2: Operation (5–10 years)

- Entity develops critical national infrastructure

- Builds assets (networks, software, standards, registries)

- Hires staff outside government pay scales (attracts talent)

- Becomes indispensable to the financial system

- Governing Council/Board is exclusively RBI insiders

Examples: IDRBT built INFINET/SFMS (1996–2009), NPCI built UPI/IMPS (2008–2020)

Phase 3: Extraction (1–3 years)

- A committee (often chaired by a former RBI official) recommends restructuring

- Operational assets are transferred to a new or existing entity

- Staff are moved out along with the assets

- Original entity retains only R&D/teaching functions

- No valuation, no market pricing, no public accounting

Examples: IDRBT → IFTAS transfer (2015–2017), IDRBT → .bank.in outsourced to IKCON (2024)

Phase 4: Reabsorption or Retention (ongoing)

- If the entity is useful to keep: retain under direct control (IFTAS acquired 2019)

- If the entity is politically sensitive to hold: divest (NABARD, NHB divested 2019)

- If the entity generates surplus: push toward for-profit (NPCI conversion debate)

- Always: maintain opaque legal form, avoid external audit, keep leadership in RBI network

The Generational Comparison

Entity created IDRBT NPCI IFTAS, ReBIT RBIH, Fintech Dept
Legal form Society Section 8 Section 8 / Pvt Ltd Section 8 / Internal
RBI control Direct (fully owned) Indirect (member banks) Direct (acquired 2019) Direct
Accountability None (Society) None (Section 8) None None
Lifecycle stage Stripped → surviving For-profit push Reabsorbed New
Infrastructure built INFINET, SFMS UPI, IMPS, RuPay Banking Cloud, IT security Innovation PoCs
Status now Hollowed Growing Captive Incubating

7.3 The Divestment Paradox

The single most revealing data point in the 25-year pattern is the 2019 dual transaction:

Action Entity Amount Rationale
Divested NABARD (100%) ₹1,450 cr "Regulator shouldn't own regulated entity"
Divested NHB (100%) ₹20 cr "Regulator shouldn't own regulated entity"
Acquired IFTAS (100%) Not disclosed "Consolidate technology control"

RBI simultaneously argued:

1. It should not own development finance regulators (NABARD, NHB) — so it sold them

2. It should own financial technology service providers (IFTAS) — so it bought it

The stated principle ("regulator should not own regulated entities") was applied selectively. IFTAS serves cooperative banks that RBI regulates. By the same logic, RBI should have divested IFTAS. Instead, it acquired it.

The real principle: RBI retains entities that give it direct operational control over technology infrastructure, and divests entities that are politically or developmentally sensitive but don't provide direct control. The 25-year record shows this is not policy inconsistency — it's consistent institutional self-interest.


7.4 The 2008 Pattern: NPCI and the "Idea" Transfer

NPCI's creation in 2008 follows a subtler pattern — the idea transfer:

- The concept of a national payments corporation originated from IDRBT's research in the early 2000s

- The Rangarajan Committee on Payment Systems recommended it

- NPCI was established as a separate Section 8 company owned by 65 member banks, not as an RBI subsidiary

- RBI retained control through board nominations — but legally NPCI was independent

What this achieved for RBI:

- Payments infrastructure was insulated from government audit (NPCI isn't a govt entity)

- RBI could set policy without being operationally responsible

- NPCI's surplus (₹1,552 cr in FY25) stayed outside government accounts

- If questions are asked in Parliament, RBI can say "NPCI is an independent company"

The pattern repeats: Every entity creation adds distance between RBI and operational accountability, while RBI maintains de facto control through personnel and board appointments.


7.5 The 2022 Split: RBIH vs Fintech Department

The 2022 creation of two parallel entities doing the same work reveals the governance architecture:

Dimension RBI Fintech Department RBIH
Type Internal department External Section 8 company
Created January 2022 March 2022
Mandate Fintech regulation, sandbox, innovation Fintech innovation, incubation, PoCs
RTI applicable Yes (RBI is under RTI) No
Parliament oversight Yes (through RBI) No
Staff RBI employees Contract/private hires
Budget RBI internal ₹100 cr capital + ongoing

The dual-track strategy: The Fintech Department handles regulatory functions (must be transparent, can be RTI'd). RBIH handles operational/innovation functions (wants opacity, avoids RTI). When RBI wants to do something that might not withstand scrutiny, it routes it through RBIH. When it wants to issue a regulation, it goes through the Fintech Department.

This is the structural firewall: same institution, two legal forms, different accountability levels.


7.6 The 25-Year Pattern Summary

What Changed

Dimension 1996 (IDRBT) 2026 (Ecosystem)
Number of tech entities 1 8+ (IDRBT, IFTAS, ReBIT, NPCI, NIPL, RBIH, Fintech Dept, IT Dept)
Total employees ~50 ~5,000+ estimated
Annual technology spend ~₹10 cr ~₹10,000 cr+ estimated
Legal forms used 1 (Society) 4 (Society, Section 8, Pvt Ltd, Internal Dept)
RTI coverage Contested All contested or evaded
CAG audit No No (all entities)
Systems operated INFINET, SFMS + UPI, IMPS, RuPay, AePS, NACH, BBPS, .bank.in, CA, IBCART
Oversight mechanism Governing Council 8 separate boards/councils — all RBI-insiders

What Stayed the Same

Feature 1996 2026
Legal form chosen for opacity Society Society / Section 8 / Pvt Ltd
Board composition All-RBI All-RBI (or RBI-nominated)
Procurement transparency Not required Not required (evaded)
RTI applicability Contested Contested (all entities)
CAG audit No No
Independent directors None None
Conflict of interest register None None
Whistleblower mechanism None None
Director term limits None None
Cooling-off before vendor roles None None

The Acceleration

The pace of entity creation has accelerated:

Period New Entities Gap
1996–2008 (12 years) 2 (IDRBT, NPCI)
2009–2016 (7 years) 2 (IFTAS, ReBIT) Faster
2017–2022 (5 years) 3+ (RBIH, Fintech Dept, NIPL) Faster still
2023–2026 (3 years) 0 new, but .bank.in/IKCON creates shadow entity Consolidation phase

Each new entity is less accountable than the last. The trend line points to a complete ecosystem of critical national infrastructure operating without meaningful external oversight.


7.7 The Comparative Dimension

Dimension India (RBI) UK (BoE) US (Fed) EU (ECB)
Tech arm legal form Society/Section 8/Pvt Ltd Wholly-owned subsidiary (Bank of England) Internal divisions + FRS Internal divisions + NCB coordination
Entity examples IDRBT, IFTAS, ReBIT, RBIH BoE PSR, BoE RTGS FedNow, FedWire T2S, TIPS
Independent board ✅ (PSR has independent board) ✅ (Fed Board has congressional oversight) ✅ (ECB Governing Council)
CAG-equivalent audit ✅ (NAO audits BoE) ✅ (GAO audits Fed) ✅ (ECA audits ECB)
Procurement transparency ❌ (IKCON case) ✅ (OJEU/TED procurement) ✅ (FAR procurement) ✅ (EU procurement directives)
RTI equivalent ❌ (contested) ✅ (FOI applies) ✅ (FOIA applies to Fed) ✅ (EU transparency regulation)

India is an outlier among major economies — its central bank's technology arms operate with less external accountability than any comparable institution in the G20. [12]

Sources for international comparison: BoE PSR governance structure [13]; FedWire/FedNow oversight under FRB Act [14]; ECB T2S governance and ECA audit mandate [15]; UK FOI applicability to BoE [16]; US GAO audit authority over Fed [17]; EU transparency regulation applicability to ECB [18].


7.8 Conclusion: The 25-Year Trajectory

The 25-year pattern reveals:

1. Entity proliferation is a control strategy — more entities = more places to hide functions, more boards to pack, more legal forms to exploit

2. Divestment is selective — RBI divests development banks it doesn't need, acquires technology entities it wants to control

3. The IFTAS clawback is the signature move — build in a Society, spin off to a Section 8, reabsorb into direct control. This has now been demonstrated once and can be repeated

4. No entity has ever been made more accountable — every "reform" has reduced accountability (Society → Section 8 → Pvt Ltd → internal department) rather than increasing it

5. The .bank.in fiasco was predictable — given 25 years of governance pattern, a no-tender award to a connected vendor at a regulator-owned entity with no procurement oversight was not a failure of the system. It was a success of it.


References

[1] IDRBT Journey page — Establishment timeline from Saraf Committee recommendation 1994 to IDRBT 1996, preceded by Rangarajan Committee reports on computerisation 1984, 1989. https://www.idrbt.ac.in/the-journey-of-idrbt/

[2] IDRBT Milestones page — Chronological development 1994–2026. https://www.idrbt.ac.in/milestones/

[3] RBI divestment of NABARD/NHB — The Hindu, April 2019. https://www.thehindu.com/business/Industry/rbi-sells-entire-stake-in-nhb-nabard-to-govt-for-1470-cr/article26934631.ece

[4] IFTAS creation from IDRBT — IDRBT Journey page; subsidiary surveys. File: annexures/reference-matrix.md

[5] RBI acquisition of IFTAS 2019 — Subsidiaries survey. File: chapters/iftas-deep-dive.md

[6] RBIH through time — RBIH chronicle PDF. https://rbih-website-assets.s3.ap-south-1.amazonaws.com/resources/rbih-through-time-a-chronicle-of-innovation.pdf

[7] RBI Fintech Department established January 2022 — Medianama. https://www.medianama.com/2022/01/223-rbi-fintech-department-established/

[8] NPCI surplus FY25 — Entrackr. https://entrackr.com/fintrackr/npci-profit-jumps-42-to-rs-1552-cr-in-fy25-9408857

[9] NIPL incorporation — CompanyCheck. https://www.thecompanycheck.com/company/npci-international-payments-limited/U67190MH2020PLC339220

[10] RBI stake in SBI 2007 divestment — Narasimham Committee implementation timeline. *Referenced in multiple sources*

[11] RBI subsidiaries list — Raaj Academy overview. https://raajacademy.com/subsidiaries-of-the-reserve-bank-of-india-comprehensive-overview

[12] Deepak Kumar appointment timeline — IDRBT Director page / Former Directors page. https://www.idrbt.ac.in/director/

[13] Bank of England — Payment Systems Regulator: Governance structure, independent board, accountability to Parliament. https://www.psr.org.uk/about-us/governance/

[14] Federal Reserve Financial Services — FedWire and FedNow oversight; GAO audit authority under 31 U.S.C. § 714. https://www.frbservices.org/

[15] European Central Bank — T2S governance and European Court of Auditors mandate under TFEU Article 287. https://www.ecb.europa.eu/paym/target/t2s/html/index.en.html

[16] UK Freedom of Information Act 2000 — BoE designated as public authority under Schedule 1. https://www.legislation.gov.uk/ukpga/2000/36/schedule/1

[17] U.S. Government Accountability Office — GAO audit authority over Federal Reserve under 31 U.S.C. § 714. https://www.gao.gov/about/what-gao-does/

[18] EU Transparency Regulation EC No 1049/2001 — Applicability to ECB documents. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32001R1049