Express Computer
RBI flags rising digital fraud in BFSI: Why identity controls can no longer be an afterthought

By Abhishek Gupta, GVP – India, SailPoint

In India, some of the biggest digital frauds in recent years didn’t start with a breach. They started with a login. From compromised credentials to over-extended partner access, fraudsters are increasingly operating from inside the system, blending in with normal activity until it’s too late.

This is precisely why the Reserve Bank of India has repeatedly cautioned banks and NBFCs that fraud risk is increasingly tied to identity governance, access hygiene and accountability, not just perimeter security.

Modern financial fraud is identity-led. Excessive access, weak account governance and compromised credentials create silent pathways through critical systems. Since the activity appears authorised, it frequently evades detection until losses have already occurred.

The problem is access, not technology alone
Most banks and financial institutions already spend heavily on cybersecurity. Firewalls, monitoring tools and endpoint protection are now table stakes. Yet fraud continues to rise. The reason is complexity. Modern BFSI environments involve both employees and non-employees such as contractors, fintech partners and service providers, all of whom need access to systems and data. That access spans hundreds, sometimes thousands, of applications across on-premises infrastructure and the cloud.

In many cases, access decisions are still manual, fragmented or based on outdated role definitions. Privileges accumulate over time. Orphaned accounts remain active. Separation-of-duty conflicts go unnoticed. These gaps create ideal conditions for both insider misuse and external attacks.

Regulators are paying close attention. Under India’s Digital Personal Data Protection Act and global frameworks like GDPR, organisations are expected to clearly demonstrate who has access to sensitive data and why. Without strong visibility and control, compliance becomes difficult to prove and even harder to maintain.

Why identity has become a regulatory priority
The logic is straightforward: if institutions cannot control access at the identity level, no amount of downstream monitoring can fully mitigate risk. This is why compliance efforts are becoming more demanding and more expensive. Manual access reviews are time-consuming and prone to error. Audit cycles stretch teams thin. And when visibility is incomplete, organisations are forced into reactive remediation rather than proactive risk reduction.

Identity-led fraud is not a theoretical risk. It is already playing out across the BFSI sector, often quietly and often at scale.

Moving from Periodic Checks to Continuous Governance
Addressing this challenge requires a shift in mindset. Identity security cannot be treated as a periodic compliance exercise; it must be continuous, automated and risk-aware. An identity-first approach focuses on governing access throughout the user’s lifecycle, from onboarding to role changes to exit. It enforces least-privilege access, flags anomalies early and reduces reliance on manual processes that simply do not scale.

Artificial Intelligence is now playing an important role. By analysing access patterns and user behaviour, AI-driven identity security can highlight outliers, recommend corrective action and help organisations focus attention where risk is highest. This makes compliance more efficient and fraud prevention more effective.

Strengthening Trust in a Digital BFSI Ecosystem
The RBI’s message is clear. Digital growth without strong identity governance is unsustainable. As financial services continue to expand their digital footprint, the ability to control and audit access will determine not just compliance outcomes, but long-term cyber resilience.

In a sector built on trust, it is critical to know exactly who has access and keep that access under control with modern identity security strategies that are continuous, dynamic, and context-aware.
