Critique & Governance

.bank.in: Security Sanctuary or Shutdown Whitelist?

CashlessConsumer  ·  July 1, 2026
← Back to main investigation

The Central Banking Awards called .bank.in "a key tool in the battle against cyber crime." But there's a darker reading of this infrastructure — one that has little to do with phishing and everything to do with control.

The critique: .bank.in is not a security initiative. It's a whitelist infrastructure purpose-built for surgically precise internet shutdowns.

The uncomfortable question: What happens when the same namespace that protects citizens from phishing is the same namespace that keeps banking running while the rest of the internet goes dark? Is .bank.in a shield, a choke-point, or both?

1. The Shutdown Mechanics

India already has the technical capacity to block internet access at multiple levels — submarine cable gateways, ISP-level BGP, DNS filtering, app-layer blocks. The problem for the state has always been granularity: how do you shut down social media without shutting down banking?

.bank.in solves that problem elegantly:

ApproachBefore .bank.inAfter .bank.in
Total shutdown Everything goes dark — ATMs, UPI, NEFT, RTGS, stock markets Rarely used — too economically destructive
DNS-level filter ISPs maintain ad-hoc whitelists that leak or break One rule: allow *.bank.in, block *
DPI-based block Expensive, error-prone, can be bypassed with VPNs Rarely needed — the namespace is self-enforcing
Selective social media block Targeted orders to ISPs, often leaky .bank.in unaffected — banking stays online by default

Key insight: .bank.in shifts the compliance burden from every ISP individually to a single, centrally controllable namespace. Any government that controls the .in zone (NIXI) or the .bank.in zone (IDRBT/RBI) can define what "banking" means at the DNS level, and ISPs can implement it with a trivial firewall rule.

2. India's Shutdown Track Record

India's internet shutdown record gives this critique its weight:

The question is not whether .bank.in could be used as whitelist infrastructure. The question is whether it already is, by design.

3. The Design Pattern: RBI as Gatekeeper

Look at the architecture again through the shutdown lens:

  1. All banking domains end in .bank.in — mandatory, not optional. There is no legitimate non-.bank.in banking website after the migration deadline.
  2. Registration is centralised — IDRBT (wholly owned by RBI) is the sole registrar. No bank can join the namespace without RBI's approval.
  3. The zone is monitored daily — Our own daily audit feed at bank-in-domains publishes DNS and HTTPS status for every registered domain. If RBI runs a similar audit, it knows exactly which domains are live.
  4. Delegation can be revoked — Individual banks have their own NS zones, but the parent zone (bank.in) controls the delegation. IDRBT can remove a bank's delegation at any time by removing its NS records from the parent zone.
  5. One rule, one block — Firewall at NIXI gateway, ISP level, or DoT SDN controller: allow .bank.in, deny *. That's it. A single submarine cable-level ACL.
Bottom line: The infrastructure for a "banking stays on while the rest goes dark" shutdown model already exists. The registry knows every domain. The registrar is a single institution. The namespace rules are mandatory. The only missing ingredient is a government order.

4. The Award Controversy

Central Banking gave RBI its "Initiative of the Year" award in March 2026, specifically citing .bank.in as a tool against cyber crime. The citation reads:

"By introducing a mandatory domain name for all regulated banks, the Reserve Bank of India has given lenders a key tool in the battle against cyber crime."

There is no mention of the shutdown risk in the award citation. Not a word. This is either:

The award is not wrong — .bank.in does help fight phishing. The problem is that fighting phishing is the best-case use. The worst-case use — enabling state control over internet access to financial services — is equally well-served by the same architecture.

5. The Tension: RBI as Shield vs State as Sword

The most important nuance in this critique is the level of government at play:

ScenarioWho OrdersRBI PositionOutcome
Jammu & Kashmir-style shutdown State/Centre RBI may resist state-level shutdown, keeping bank.in live Banking works even if state blocks everything else
Centre orders RBI to cooperate Centre (through Financial Stability Board or similar) RBI as a statutory body cannot refuse a government directive .bank.in is whitelisted, everything else is blocked
State blocks bank.in DNS State govt RBI's zone sits above the state — state ISPs can still block Depends on whether ISPs comply with state or RBI
Emergency financial freeze RBI itself RBI could de-register individual bank domains A bank removed from bank.in is effectively invisible online

The RBI is not the same as "the government" — it is a statutory body with a degree of independence. But that independence is limited, and it can be overridden. The architecture of .bank.in does not distinguish between RBI using it for security and the state using it for control.

6. What This Means for Citizens

Regardless of RBI's intent, the existence of .bank.in creates new risks:

RiskScenario
State-level internet shutdowns become cheaper Instead of ordering a total block or managing leaky DNS filters, a state government simply asks ISPs to "block all but bank.in." Compliance is trivially enforceable and auditable.
Financial exclusion becomes a weapon If a government wants to pressure a community or region, it can selectively block financial services. During the 2023 Manipur violence, financial services were disrupted for weeks. .bank.in could make exclusion more surgical.
Bank-specific censorship A bank that falls out of political favour could have its .bank.in delegation revoked by IDRBT — effectively making it invisible online. This is a de facto kill switch that doesn't exist for non-.bank.in businesses.
Surveillance choke-point All .bank.in DNS queries flow through resolvers that know exactly which bank you're visiting. If RBI or the government mandates logging at NIXI level, they get a complete picture of who is banking where and when.
This is not hypothetical. The infrastructure described here already exists. The .bank.in zone is live. The registry is complete. The enforcement mechanism — exclusion from the namespace — is codified. What we don't know is whether this use was intended, whether RBI has internal safeguards against it, or whether those safeguards would survive a real crisis.

CashlessConsumer

A consumer collective that tracks the digital payments industry in India, producing awareness resources, technical analysis, open data, and policy inputs toward a fair cashless society.