The Central Banking Awards called .bank.in "a key tool in the battle against cyber crime." But there's a darker reading of this infrastructure — one that has little to do with phishing and everything to do with control.
The critique: .bank.in is not a security initiative. It's a whitelist infrastructure purpose-built for surgically precise internet shutdowns.
India already has the technical capacity to block internet access at multiple levels — submarine cable gateways, ISP-level BGP, DNS filtering, app-layer blocks. The problem for the state has always been granularity: how do you shut down social media without shutting down banking?
.bank.in solves that problem elegantly:
| Approach | Before .bank.in | After .bank.in |
|---|---|---|
| Total shutdown | Everything goes dark — ATMs, UPI, NEFT, RTGS, stock markets | Rarely used — too economically destructive |
| DNS-level filter | ISPs maintain ad-hoc whitelists that leak or break | One rule: allow *.bank.in, block * |
| DPI-based block | Expensive, error-prone, can be bypassed with VPNs | Rarely needed — the namespace is self-enforcing |
| Selective social media block | Targeted orders to ISPs, often leaky | .bank.in unaffected — banking stays online by default |
Key insight: .bank.in shifts the compliance burden from every ISP individually to a single, centrally controllable namespace. Any government that controls the .in zone (NIXI) or the .bank.in zone (IDRBT/RBI) can define what "banking" means at the DNS level, and ISPs can implement it with a trivial firewall rule.
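The "allow *.bank.in, block *" pattern leaves a recognisable signature in DNS measurements, which is what lets an outside observer tell it apart from a total shutdown or a leaky selective block. The following is an added example, not code from the original page: it classifies probe results from one vantage point. The domain names, result strings and category labels are constructed assumptions.

```python
from collections import Counter

ALLOW_SUFFIX = "bank.in"  # namespace the page says a filter would exempt

def in_namespace(qname, suffix=ALLOW_SUFFIX):
    """Label-boundary match: 'x.bank.in' is inside, 'notbank.in' is not."""
    name = qname.rstrip(".").lower()  # DNS names are case-insensitive
    return name == suffix or name.endswith("." + suffix)

def classify(observations):
    """observations: (qname, result) pairs from one vantage point, where
    result is 'NOERROR' or a failure such as NXDOMAIN/REFUSED/TIMEOUT."""
    tally = Counter()
    for qname, result in observations:
        side = "inside" if in_namespace(qname) else "outside"
        tally[(side, result == "NOERROR")] += 1
    in_ok, in_bad = tally[("inside", True)], tally[("inside", False)]
    out_ok, out_bad = tally[("outside", True)], tally[("outside", False)]
    if in_ok + in_bad == 0 or out_ok + out_bad == 0:
        return "insufficient-data"   # need probes on both sides to compare
    if out_ok == 0 and in_ok == 0:
        return "total-outage"        # nothing resolves, banking included
    if out_ok == 0 and in_bad == 0:
        return "allowlist-shaped"    # only the namespace still resolves
    if out_bad or in_bad:
        return "partial-block"       # some names fail, no clean split
    return "open"

# Constructed sample observations (not real measurements).
SAMPLE_FILTERED = [
    ("netbanking.examplebank.bank.in.", "NOERROR"),
    ("EXAMPLEBANK.BANK.IN", "NOERROR"),
    ("example.com", "REFUSED"),
    ("example.org", "TIMEOUT"),
    ("notbank.in", "NXDOMAIN"),  # look-alike suffix, outside the namespace
]
SAMPLE_NORMAL = [(q, "NOERROR") for q, _ in SAMPLE_FILTERED]

if __name__ == "__main__":
    print(classify(SAMPLE_FILTERED))  # allowlist-shaped
    print(classify(SAMPLE_NORMAL))    # open
```

The label-boundary check matters for any audit of such a rule: a naive string suffix match would treat `notbank.in` as part of the exempt namespace.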
India's internet shutdown record gives this critique its weight:
The question is not whether .bank.in could be used as whitelist infrastructure. The question is whether it already is, by design.
Look at the architecture again through the shutdown lens:
Central Banking gave RBI its "Initiative of the Year" award in March 2026, specifically citing .bank.in as a tool against cyber crime. The citation reads:
"By introducing a mandatory domain name for all regulated banks, the Reserve Bank of India has given lenders a key tool in the battle against cyber crime."
There is no mention of the shutdown risk in the award citation. Not a word. This is either:
The most important nuance in this critique is the level of government at play:
| Scenario | Who Orders | RBI Position | Outcome |
|---|---|---|---|
| Jammu & Kashmir-style shutdown | State/Centre | RBI may resist state-level shutdown, keeping bank.in live | Banking works even if state blocks everything else |
| Centre orders RBI to cooperate | Centre (through Financial Stability Board or similar) | RBI as a statutory body cannot refuse a government directive | .bank.in is whitelisted, everything else is blocked |
| State blocks bank.in DNS | State govt | RBI's zone sits above the state — state ISPs can still block | Depends on whether ISPs comply with state or RBI |
| Emergency financial freeze | RBI itself | RBI could de-register individual bank domains | A bank removed from bank.in is effectively invisible online |
The RBI is not the same as "the government" — it is a statutory body with a degree of independence. But that independence is limited, and it can be overridden. The architecture of .bank.in does not distinguish between RBI using it for security and the state using it for control.
Regardless of RBI's intent, the existence of .bank.in creates new risks:
| Risk | Scenario |
|---|---|
| State-level internet shutdowns become cheaper | Instead of ordering a total block or managing leaky DNS filters, a state government simply asks ISPs to "block all but bank.in." Compliance is trivially enforceable and auditable. |
| Financial exclusion becomes a weapon | If a government wants to pressure a community or region, it can selectively block financial services. During the 2023 Manipur violence, financial services were disrupted for weeks. .bank.in could make exclusion more surgical. |
| Bank-specific censorship | A bank that falls out of political favour could have its .bank.in delegation revoked by IDRBT — effectively making it invisible online. This is a de facto kill switch that doesn't exist for non-.bank.in businesses. |
| Surveillance choke-point | All .bank.in DNS queries flow through resolvers that know exactly which bank you're visiting. If RBI or the government mandates logging at NIXI level, they get a complete picture of who is banking where and when. |
A consumer collective that tracks the digital payments industry in India, producing awareness resources, technical analysis, open data, and policy inputs toward a fair cashless society.