As India’s banking ecosystem becomes increasingly digital and interconnected, trust is being redefined through data integrity, cybersecurity resilience, and continuous assurance frameworks. With evolving regulatory mandates and the rapid adoption of AI-led systems, financial institutions are moving from reactive compliance to proactive, intelligence-driven risk management. Shibu K Thomas, General Manager & Head – IT Assurance & DPO, South Indian Bank, shares insights on how banks can strengthen trust, governance, and security in a complex, data-driven financial landscape in an interaction with Vishwas Sinha of Elets News Network (ENN). Edited Excerpts:
Q.1 With increasing digital adoption, how do you see the role of IT assurance evolving in strengthening trust across banking ecosystems?
With the increasing digital transformation of the Indian banking sector, IT assurance has shifted from being a mere back-office compliance checklist activity to an important pillar of digital trust. We need to augment and support the second line of defence, i.e., the compliance function, in the first line itself, since nowadays trust is no longer built through just one layer but at multiple layers, by ensuring the reliability, security, privacy, and speed of digital interfaces.
The role of IT assurance is evolving across several critical dimensions to strengthen this ecosystem:
1. From Point-in-Time to Continuous Assurance – Traditional cyclic audits are being replaced by continuous controls monitoring through BAS, CTEM, increasing the frequency and variety of traditional audits, regular tabletop exercises, etc., covering the entire gamut of the IT ecosystem, including third parties. IT assurance plays an important role in all these activities by identifying gaps, ensuring proactive compliance, and involving automated systems to the maximum extent such that security deviations or failed controls are instantly flagged.
2. Privacy-Centric Assurance – With the Digital Personal Data Protection (DPDP) Act and its 2025 Rules to be made fully operational by May 2027, IT assurance now has major privacy mandates to be complied with inside the IT ecosystem.
3. Algorithmic and AI Governance – As Indian banks adopt AI tools/systems for credit underwriting, customer service, fraud risk management, etc., IT assurance needs to strengthen the trust in deployed AI systems by affirming that AI-driven models are not discriminatory or biased, that they are explainable, that data poisoning risks are mitigated, etc.
4. Third-Party and Fintech Ecosystem Risk – The banking ecosystem is now an intricate network of APIs involving fintechs, payment aggregators, and cloud providers, and supply chain assurance is to be guaranteed by conducting risk-based due diligence on all IT service providers.
5. Strengthening Consumer Protection & Liability – Trust is ultimately about what happens when things go wrong. IT assurance also plays a key role in warranting that if a fraud occurs, the bank has the mandatory evidence required by the RBI to prove (or disprove) consumer liability and assuring an adequate foundation for the new “Zero Liability” protocols for consumers.
Q.2 As data becomes central to financial services, how should institutions approach data protection and privacy in a rapidly evolving regulatory landscape?
In 2026, the Indian financial landscape has reached a critical juncture with the Digital Personal Data Protection (DPDP) Act and its rules, having the May 2027 compliance deadline looming large. Data privacy has become a core business risk and a competitive differentiator.
For Indian financial institutions (FIs), the approach must shift from legacy data accumulation to responsible data stewardship. A clear, well-planned strategy is required to navigate this evolving landscape.
1. Governance: From the Server Room to the Boardroom – Cybersecurity and data privacy are board-level responsibilities, and FIs must establish an appropriate Data Privacy Committee at the board and management level to percolate the message from the top. A culture change of data stewardship and responsibility towards customer data should be created in the organization instead of depending only on technology or IT. A data breach is a breach of fiduciary trust.
- The Rise of the DPO: As Significant Data Fiduciaries (SDFs), larger FIs are now required to appoint a dedicated Data Protection Officer (DPO) based in India. This role must have the independence to audit internal processes without interference from business units.
- Data Protection Impact Assessments (DPIAs): Before launching any new product—be it an AI-driven credit scorer or a neo-banking app—FIs must conduct a DPIA to map how data flows and identify potential privacy risks and leaks. Training data for AI systems containing personal information is a risk area that needs to be carefully assessed.
2. The Consent Architecture: Since Blanket “I Agree” checkboxes are obsolete and granular consent is required, institutions must implement consent management systems that allow customers to give (and withdraw) consent for specific purposes. For example, a customer may consent to data usage for a loan application but deny it for general sales purposes.
3. Implementation of Privacy-Enhancing Technologies (PETs) – To balance data utility with privacy, FIs would need to consider adopting PETs. These technologies allow institutions to gain insights from data and even share them, without ever seeing the “raw” personal information.
4. Ecosystem & Third-Party Risk Management – In the age of Fintech partnerships, an FI is only as secure as its weakest vendor, and data sharing in a supply chain is a risk that can only be mitigated through proper contracts, audits, SBOMs, AIBOMs, etc.
5. Data Localisation and Breach Notification – Cross-border payments have to be handled as per guidelines, and any data breach has to be notified to Data Protection and the data principal vide the extant Act and rules.
Q.3 In today’s interconnected financial ecosystem, what are the key challenges in managing cybersecurity risks across multiple platforms and partnerships?
Managing cybersecurity risks in India’s interconnected financial ecosystem involves travelling through a complex web of regulatory mandates, legacy infrastructure, and emerging technological threats. The integration of traditional banking with Fintech partnerships, Unified Payments Interface (UPI), and Open Banking has created a vast, yet vulnerable, digital surface.
1. API and Third-Party Interconnectivity Risks
The Indian financial sector increasingly relies on Application Programming Interfaces (APIs) to facilitate seamless transactions between banks and third-party application providers (TPAPs). This “Open Banking” model introduces significant risks. Weak security in a partner can lead to a chain of attacks across the ecosystem, affecting multiple entities.
- API Vulnerabilities: Attackers exploit weak API security to gain unauthorised access to sensitive data or execute fraudulent transactions.
- Shadow API/ IT: Partners often deploy unmanaged or undocumented systems (“Shadow API/IT”) that fall outside the main security perimeter of the partnering bank, creating “blind spots” for security teams.
2. Regulatory Compliance and Data Sovereignty
India’s regulatory landscape has become more stringent with the full implementation of the Digital Personal Data Protection (DPDP) Act of 2023 and recent RBI Master Directions.
- Data Localisation: The RBI mandates that all payment data be stored exclusively within India. Managing this across multi-cloud environments in Fintech partnerships is technically challenging.
- Incident Reporting: Organisations must report cyber incidents to CERT-In within 6 hours, a tight window that requires highly automated detection and response capabilities.
- Algorithmic Accountability: Under the DPDP Act, Fintechs using AI for credit scoring must ensure “explainability” and avoid algorithmic bias, adding a layer of security governance to their data processing.
3. Advanced Fraud and AI-Driven Threats
Cyber-enabled fraud has nearly tripled globally, with a heavy concentration in the banking sector.
- AI-Enhanced Phishing: Attackers use generative AI to create highly sophisticated phishing emails and deepfake audio/video to bypass Multi-Factor Authentication (MFA).
- Identity Theft: Despite mandatory Video-KYC, sophisticated identity spoofing remains a challenge for Fintech startups.
- Ransomware: Financial institutions remain prime targets for ransomware, which can disrupt critical services across multiple platforms simultaneously.
4. Systemic Concentration and Infrastructure Resiliency – Over-reliance on a few vendors, limited payment ecosystems, legacy systems, etc., could potentially create concentration and infrastructure resiliency risks along with security gaps.
5. Human Factor and Skill Shortages
Despite technological advancements, the “human element” remains the weakest link, and there is a dearth in AI-proficient cybersecurity employees, cloud experts, etc., capable of overseeing such complex automated systems and their security.
Q.4 How can banks move beyond traditional compliance frameworks to build a more resilient and proactive risk management approach?
To move beyond traditional, reactive compliance, banks are shifting toward predictive risk intelligence and cyber-resilient systems. The Reserve Bank of India (RBI) had moved from periodic inspection to risk-focused supervision long before, forcing banks to have a proactive approach towards risk management and making it a core strategic driver. A proactive and resilient risk framework can be built by implementing the following elements:
1. Shift from Siloed Compliance to Enterprise Risk Management (ERM)
Traditional frameworks often treat credit, market, and operational risks as separate silos. A proactive approach creates an integrated view of various risks in the unified ERM framework.
2. Leverage AI-Driven Predictive Analytics
Leading Indian banks are transitioning or have transitioned from historical data analysis to near real-time or real-time risk scoring.
- Alternative Data: Using non-traditional data (utility bills, social media footprints, and transaction patterns) to assess creditworthiness in the expanding “unsecured” and “gig economy” sectors.
- Early Warning Systems (EWS): Implementing AI models that detect warning signals of distress in corporate borrowers—such as changes in management behaviour or minor supply chain delays—long before a default occurs.
3. Transition to Continuous Compliance & “RegTech”
Instead of preparing for annual audits, banks are adopting Continuous Monitoring Systems (CMS).
- Automated Stress Testing: Moving from quarterly stress tests to automated, scenario-based simulations that run daily or weekly based on global market volatility.
- Workflow-Based Compliance: As per recent RBI mandates, banks are replacing spreadsheets with integrated workflows that track every regulatory obligation in real-time.
4. Focus on the “New Frontiers” of Risk
Ensuring improved resilience requires looking at risks that didn’t exist a few years ago:
- Cyber-Resilience: Moving from “firewalls” to Zero-Trust Architectures. With the 2026 mandate for multi-factor authentication (MFA) on all digital transactions, banks must balance security with customer friction.
- ESG and Climate Risk: Indian banks are now factoring “Green Risk” into their lending. A proactive bank assesses the carbon footprint of its portfolio to avoid “stranded assets” as India moves toward its Net Zero goals.
- Fintech Ecosystem Risk: As banks partner with third-party fintechs for lending and onboarding, they must manage Third-Party Risk (TPRM), ensuring the partner’s security is as robust as the bank’s.
5. Cultivating a “Risk-First” Culture
The most sophisticated software cannot fix a broken culture (as seen in recent high-profile regulatory actions against Indian payments banks).
- Tone from the Top: The Board of Directors must move beyond approving policies to actively questioning risk-return trade-offs.
- Front-line Accountability: Training branch managers and loan officers to act as the “first line of defence,” rewarding them not just for volume, but for the quality and risk profile of the business they bring in.
Q.5 With the rise of digital banking and customer-centric platforms, how do you see the importance of data integrity and quality in driving better decision-making?
In today’s landscape of Indian fintech, where UPI has become the global gold standard, and neobanks are the norm rather than the exception, data isn’t just an asset—it’s the actual nervous system of the financial sector.
When we talk about “customer-centric” platforms, we are really talking about the ability to predict what a user needs before they even know they need it. Doing that requires more than just having data; it requires that data to be clean, clear, and have a single source of truth.
1. The Foundation: Integrity vs. Quality
Before diving into decision-making, it’s vital to distinguish between these two pillars. Think of it like a high-end restaurant: Data Quality is the freshness of the ingredients, while Data Integrity is the reliability of the recipe and the kitchen’s process.
2. Driving Better Decision-Making
In a digital-first economy, high-quality data transforms decision-making from “educated guessing” to “surgical precision” in three major areas:
A. Hyper-Personalisation and Customer Experience (CX)
Modern Indian consumers expect their banking apps to act like a financial concierge.
Should the bank offer a pre-approved home loan or a travel-focused credit card?
If the data shows a user frequently pays for international flights but the “Data Quality” is poor (e.g., outdated income levels), the bank might offer a limit that’s too low, insulting the customer and losing the sale. Clean data allows for NBO (Next Best Offer) engines to work effectively.
B. Credit Democratisation & Alternative Scoring
One of India’s biggest shifts has been moving away from traditional collateral-based lending to flow-based lending.
Can we lend to a small kirana store owner who has no formal credit history?
Banks now need to use high-integrity data to make such decisions (i.e., it cannot be tampered with or corrupted during API transfer). Tampered data will cause the risk models to fail, leading to either unfair rejections or high Non-Performing Assets (NPAs).
C. Real-time Fraud Detection
In a country processing billions of digital transactions monthly, fraud detection must happen in milliseconds.
Is this ₹50,000 transfer at 3 AM a legitimate emergency or a cyber-attack?
AI models require high-velocity, high-quality data to distinguish between an anomaly and a pattern. Poor quality data (like lagging timestamps) creates “false positives,” which frustrate customers and erode trust.
3. Regulatory Compliance and Trust
The RBI’s focus on Data Sovereignty and Digital Personal Data Protection (DPDP) means that data integrity is now a legal mandate.
Decision-making in Governance: Boards now make decisions based on “Compliance Dashboards.” If the data feeding these dashboards is faulty, the institution faces massive fines and reputational damage. In the digital age, Trust is the ultimate currency, and trust is built entirely on the integrity of the ledger.
4. The “Garbage In, Garbage Out” Reality
As we lean more on Generative AI to handle customer service and wealth management, the stakes have never been higher. An AI trained on “dirty” data won’t just give a wrong answer; it will give a confidently wrong answer, which is far more dangerous in a financial context.
Ultimately, data integrity and quality move the needle from reactive banking (responding to what happened) to predictive banking (anticipating what will happen).
Q.6 Looking ahead, what will define trust and governance in banking, as institutions increasingly rely on advanced technologies and data-driven systems?
In 2026, the bedrock of Indian banking has shifted from “brand trust” (inherited from legacy and physical presence) to “systemic trust” (built on the reliability of algorithms and data privacy). As institutions move from experimenting with AI to full-scale deployment, governance is no longer just about compliance—it’s about traceability and ethics.
The following four pillars now define trust and governance in the Indian financial landscape:
1. Algorithmic Accountability (The “FREE-AI” Era)
The Reserve Bank of India’s Framework for Responsible and Ethical Enablement of AI (FREE-AI), issued in late 2025, has made AI oversight a board-level responsibility.
- Explainable AI (XAI): Banks are now required to demystify “black box” decisions. If a loan is rejected by an AI, the institution must be able to explain the specific data points—such as cash flow patterns or spending habits—that led to that outcome.
- The AI Governance and Economic Group (AIGEG): Established in April 2026, this apex body coordinates AI policy across ministries. It ensures that banking AI doesn’t just chase efficiency but also prevents “algorithmic bias” against underserved demographics.
2. Data Sovereignty and the DPDPA
With the Digital Personal Data Protection Act (DPDPA) now in its mature phase, the power dynamic has shifted toward the customer (the “Data Principal”).
- Consent-First Architecture: Trust is now earned through “purpose-driven” data controls. Banks can no longer use your data for “marketing” if you only consented to “credit assessment.”
- Account Aggregator (AA) Ecosystem: This framework has become the standard for secure data sharing. By May 2026, a large number of financial entities will be live on the AA network, allowing customers to share their financial DNA with a single “tap” without ever sharing their login credentials.
3. Friction as a Security Feature
Paradoxically, in 2026, “instant” isn’t always seen as better. To combat the ₹23,000+ crore lost to cyber-fraud in 2025, the RBI has introduced “Intelligent Friction.”
- The 1-Hour Safety Window: For digital transfers exceeding ₹10,000, banks have introduced a mandatory 1-hour “provisional debit” period. This allows users a window to cancel the transaction if they realise they’ve been scammed.
- Vulnerability-Based Authentication: Senior citizens and “divyang” (persons with disabilities) now have the option for “trusted person” authentication, where a high-value transaction requires a secondary nod from a designated family member.
- Note on the Future: The ultimate goal of these changes is to move toward “Zero-Trust Architecture,” where the system assumes every transaction is a risk until verified by multiple, decentralised data points.
While these technologies provide the “muscle,” it’s the AI Safety Institute and the Digital India Trust Agency (DIGITA) that provide the “conscience,” ensuring that as we digitise, we don’t dehumanise.