From AI to Cyber Risk: RBI Flags New Threats in Digital Banking

The rapid digitalisation of banking is fundamentally reshaping financial risks, forcing regulators and banks to rethink how stability, governance and customer protection are ensured, the Reserve Bank of India has warned.

Speaking at the Third Annual Global Conference of the College of Supervisors in Mumbai, RBI Deputy Governor Swaminathan J said that traditional metrics such as capital adequacy and liquidity are no longer sufficient to assess the health of banks operating in a technology-driven ecosystem.

“Many jurisdictions are navigating similar challenges—rapid digitalisation, first-time customers, platform-based delivery, and fast-changing threat landscapes,” Swaminathan said, adding that sharing supervisory experiences across countries is critical to improving oversight effectiveness.

The Deputy Governor underlined that risks in the digital era evolve far faster than in conventional banking. In a world of instant payments and online platforms, both growth and stress can materialise within hours.

“In the digital world, customer acquisition can be exponential—but so can misinformation, panic and outflows. Risks that once took weeks to build can now crystallise in hours,” he said, calling for tighter supervisory feedback loops, earlier warning triggers and faster escalation mechanisms.

Swaminathan also flagged a new and less visible source of systemic risk: shared digital dependencies. Many banks today rely on the same cloud service providers, payment rails, data vendors and cybersecurity tools. While these dependencies may not show up in traditional balance-sheet ratios, they create significant common exposures across the financial system.

“For supervision, we need to map dependencies more actively and assess concentration risk at the ecosystem level, not just at the individual institution level,” he said.

Artificial intelligence and machine learning are another growing area of concern. These technologies are increasingly embedded across banking functions—from credit underwriting and fraud detection to customer service, treasury and internal controls. While they improve efficiency, they also raise complex questions around accountability, explainability and fairness.

“Supervisors need to be able to ask, and entities need to be able to answer, a simple question: who owns the outcome when a model drives a decision?” Swaminathan said.

Cybersecurity risks are also intensifying. Digital banking has multiplied points of entry, and threats are no longer limited to isolated hackers. “The adversary is often organised, well-funded and persistent,” he said, warning that even strong internal controls can be undermined by vulnerabilities at vendors, partners or shared technology components.

As a result, resilience and recovery can no longer be treated as back-office functions. “They must be treated as core capabilities,” the Deputy Governor stressed.

Swaminathan acknowledged that digital lending, embedded finance and platform-based distribution have significantly expanded access and convenience. However, he cautioned that these models have also amplified risks such as mis-selling, opaque charges, aggressive recovery practices and data misuse.

“In a digital environment, customer harm can quickly become a confidence issue—and that can then transform into a liquidity issue,” he warned.

Summing up, Swaminathan said supervision in the digital age must become more vigilant, ecosystem-aware and outcome-focused. “The objective is not to slow innovation, but to ensure it is built on trust, resilience and fairness,” he said.

(ANI and yMedia are content partners for this story)