Trust your customer: India's financial system should give us what we need to protect our money


Copyright © HT Digital Streams Limited
All Rights Reserved.

The next stage of digital finance in India will demand collective defence mechanisms, not isolated institutional responses. (istockphoto)

Summary

In the digital age, financial literacy goes beyond just knowing how to manage money. We must know how to protect it from cyber attacks. As these threats rise, the financial system’s resilience will depend on giving people real visibility, control and the means to defend their own savings.

Imagine a cybercrime gang plotting their next big heist. Would they attack Mint Street or target thousands of individuals who operate bank accounts on unsecured mobile devices? The answer is obvious. Attack enough of these vulnerable endpoints, and the effect is the same as raiding Mint Street itself.

The recent Bengaluru fintech heist, in which 47 crore was lost, should not be mistaken for a ‘fintech-only’ mishap. The anatomy of most digital heists in India follows a depressingly familiar pattern: start with identity fraud, exploit gaps in permission escalation and authentication created by weak processes across intermediaries, and then launder the proceeds through mule accounts in banks. Each step exploits an institutional blind spot and is relatively minor on its own, but together they form a systemic breach vector.

The digitally interconnected system of banks, non-bank financial companies, payment intermediaries and fintech firms operates on shared rails that enable instant money movement. The security of one node depends on the discipline of all. Yet most of these entities will claim to follow global best practices, often certified by global consultants.

For all the claims of ‘app hardening’ and ‘multi-layer authentication,’ the user experience tells another story. Try this simple experiment: Log into your online bank account and see what information you can access about your own digital footprint. Can you tell what devices are attached to your account, when and where they last accessed it, or which IP address or browser they used?

Most likely, you can’t. Now check your Gmail account (this is not an endorsement but an illustration). It’s a free email service by a foreign Big Tech company that offers precisely that visibility—device type, location, browser type, OS used, access time and an option to revoke permissions instantly.

Money is just entries in a series of connected databases and hence digital risk has mutated into a macroprudential concern. Dense interconnection between regulated entities means that cybersecurity, in some cases, is only as good as its weakest link. A weak endpoint in a small-payments intermediary, for example, could become the entry vector for an attack that reverberates through a major bank.

Ironically, fintech firms, often caricatured as risky, have shown greater agility in responding to cyber threats. Their digital-first or digital-only architectures often emphasize observability, modular security and user control. Contrast that with how banks treat customers. Can you restrict your bank account access to India while you are here or set it for exclusive use in the US, say, if you travel there? You cannot. The current assumption is that the bank knows best.

Digital resilience depends on distributed vigilance. Every user, device and login is a node in the system’s security network. True financial literacy today is not just knowing how to manage one’s money, but understanding how to protect digital access to it.

Yet, we seem to have a structure that infantilizes users. The cost of this paternalism is visible in the relentless rise of digital fraud. Instead of providing a series of controls that can be composed and combined based on the end user’s risk profile and informed judgement, controls are often static and hence brittle when exposed to the designs of sentient fraudsters.
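The composable, customer-configured controls described above (a visible device list with instant revocation, a country restriction of the kind the article says banks do not offer, and a customer-set transaction threshold) as an added Python sketch; this is not code from the article or from any bank or fintech, and every name and sample value in it is constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    kind: str               # e.g. "android-app", "chrome/linux"
    last_ip: str
    last_seen: str          # ISO-8601 timestamp shown to the customer
    revoked: bool = False

@dataclass
class AccessPolicy:
    # Controls the customer composes, not a static bank-wide setting (hypothetical model).
    allowed_countries: set  # e.g. {"IN"} at home, {"US"} while travelling
    per_txn_limit: int      # rupees; a threshold the customer picks
    block_unknown_devices: bool = True

@dataclass
class Account:
    policy: AccessPolicy
    devices: dict = field(default_factory=dict)  # device_id -> Device

def record_login(acct, device_id, kind, ip, when):
    """Create or refresh the device entry the customer will later see."""
    dev = acct.devices.get(device_id)
    if dev is None:
        acct.devices[device_id] = Device(device_id, kind, ip, when)
    else:
        dev.last_ip, dev.last_seen = ip, when

def revoke_device(acct, device_id):
    acct.devices[device_id].revoked = True  # customer's "sign out of this device"

def visible_footprint(acct):
    """What the customer's own account page should expose: the Gmail-style view."""
    return [(d.device_id, d.kind, d.last_ip, d.last_seen, d.revoked)
            for d in acct.devices.values()]

def authorise(acct, device_id, country, amount):
    """Evaluate one transaction attempt against the customer's composed policy."""
    dev = acct.devices.get(device_id)
    if dev is None and acct.policy.block_unknown_devices:
        return False, "unknown device: approve it from a trusted device first"
    if dev is not None and dev.revoked:
        return False, "device revoked by customer"
    if country not in acct.policy.allowed_countries:
        return False, f"access from {country} not enabled by customer"
    if amount > acct.policy.per_txn_limit:
        return False, "amount exceeds customer-set limit"
    return True, "ok"
```

Each check answers one of the questions the article poses: which devices are attached, where access is allowed from, and how large a transaction the customer is willing to permit without a second look.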

Regulation must require institutions to offer customers visibility and configurability of digital access—much like how tech platforms do. Cyber resilience needs to be stress-tested the same way credit exposure and liquidity are. Banks must map their interdependencies, report exposure to third-party systems and share threat intelligence across the ecosystem in real time. Supervisory frameworks must evolve from regulating institutions to regulating digital interdependencies as well.

At the institutional level, boards and risk committees must treat digital security as a fiduciary duty—because the distinction between money and database access with a leaked API key can get blurred in an interconnected digital ecosystem. Just as financial risk indicators are tracked, so should cyber risks be monitored.

The next stage of digital finance in India will demand collective defence mechanisms, not isolated institutional responses. Fraud data, attack signatures and system anomalies must flow as freely between regulated entities as money itself does.

What India needs is a financial ‘immune system,’ one that pools suitably anonymized threat intelligence, incident data and vulnerability disclosures and shares these in real time under regulatory oversight. Only then can the sector respond fast enough to systemic risks.

Most importantly, the system must evolve to trust its users. Give them visibility on their account activity. Give them control over access. Allow them to define risk thresholds for themselves. Educate them continually. Over time, empowered users will not only protect their own assets, but help strengthen the system’s resilience.

The answer will not come from another ‘digital literacy week.’ Rather, it lies in giving users the tools, visibility and control they need to protect themselves. Broadly, the financial sector must reduce its emphasis on protecting users from themselves in favour of equipping them to defend themselves. In a world where every account is a potential target, the first and last line of defence is a user base that’s well informed and empowered.

The authors are, respectively, a corporate advisor and author of ‘Family and Dhanda’; and co-founder and CTO, DeepStrat.
