Cybersecurity And AI Risks Are Redefining Banking Supervision, Says RBI Deputy Governor

Banking supervision requires a fundamental shift due to financial systems which are more digital, interconnected, and technology-dependent, said Swaminathan J, deputy governor of the Reserve Bank of India (RBI) at a global conference held in Mumbai on Friday.

He said traditional supervisory methods that focus a lot on balance sheets and periodic inspections are no longer sufficient in the digital era. Banks may seem financially sound on paper, but they can still be seriously disrupted by cyber attacks, technology failures or issues at third-party service providers.

Digitalisation Has Changed The Risk Panorama

Swaminathan said the biggest change brought by digital banking is speed. Customer acquisition, spread of misinformation, and fund outflows can now happen within hours rather than weeks. As a result, things that once took time to accumulate as risks can now appear and escalate very rapidly.

Another important issue is the risk of concentration. Many banks rely on the same cloud service providers, payment platforms, data vendors, and cybersecurity tools. A tiny failure at any one of these shared service providers can affect multiple institutions simultaneously. These risks may not be reflected in traditional financial metrics, yet they can pose a risk to overall financial stability.

He also noted the growing application of artificial intelligence (AI) and machine learning (ML) in fields like lending decisions, fraud monitoring, and customer support. While these technologies provide greater efficiency, they also raise important questions about responsibility and oversight. Supervisors, he said, must be clear on who is accountable when decisions are based on algorithms.

The cyber risk is a major challenge. Swaminathan said that cyber threats are no longer restricted to isolated hackers. Attackers are often organised, well-funded, and persistent. Even if a bank has good internal controls, if there are weaknesses at the vendors or partners, it can result in widespread disruption.

Principles Should be Used for Supervision

According to Swaminathan, the supervision should be technology-neutral and risk-based. Regulators need to be concerned about the dangers created by activities, not the technologies being used. He added that there is still an important role for human judgment in supervision.

He additionally emphasised proportionality. While banks vary in size and complexity, minimum standards relating to cybersecurity, data protection and governance should apply across the system.

Another priority is clear accountability. Even in cases where banks are relying on fintech firms or technology partners, responsibility cannot be outsourced. The regulated entity remains responsible for all of the activities that are pursued on its platforms.

Swaminathan demanded a more future-oriented supervision. While compliance checks are still important, supervisors also need to be able to spot early warning signs and act before weaknesses turn into major incidents.

New Areas of Supervisory Attention

Operational resilience has moved to the centre of banking stability, he said. Technology outages or cyber events can take down critical services in a short period of time. This requires closer engagement with bank boards and the senior management on crisis preparedness and recovery planning.

Third-party dependencies are another area of focus. Many key banking operations are outsourced to other providers, sometimes cross-border. Such arrangements risk spreading disruptions quickly between institutions and jurisdictions.

Governance of data and AI models is also becoming important. The issue is not whether banks are using AI, but whether they have the ability to demonstrate control, fairness, and accountability in its application.

Finally, the concept of supervision itself needs to change, says Swaminathan. As banking becomes more continuous and technology-driven, supervisory processes must also move towards ongoing monitoring supported by better data and analytics.

Customer Complaints as Early Warning Signs

Swaminathan said the grievances of customers should be taken as early warning signals. In a digital world, unaddressed grievances can rapidly develop into distrust and possible liquidity stress. Supervisors should observe the effectiveness of complaint resolution and whether banks address the causes of recurring problems.

He concluded that while innovation should not be restricted, it should be built on trust, resilience, and customer fairness. In the digital age, banking supervision needs to become more vigilant, more aware of risks from an ecosystem-wide perspective, and more focused on outcomes.