Are Banks Missing a Critical Layer in the Fight Against Bank Fraud?

Posted:

01 July 2026

Vaibhav Maniyar

Critical Layer Bank Fraud Prevention

Indian banks reported ₹48,021 crore in fraud during FY26. This is a 46.4% jump in value from ₹32,803 crore the year before, even as the number of fraud cases fell from 23,722 to 10,114.

Fraud is consolidating into fewer, larger, more precisely targeted hits and the category showing the sharpest change tells you where.

Card and internet/digital payments fraud, once the largest single bucket by case count, collapsed to just 293 reported cases worth ₹29 crore in FY26, down from 13,332 cases worth ₹517 crore the year before. On paper, digital-channel fraud looks like a solved problem which it isn't. It's a relocated problem.

The fraud that used to happen after account opening including card skimming, unauthorized transactions which is being replaced by fraud that happens at account opening, before a single rupee moves through a monitored channel.

That relocation exposes a layer banks have quietly under-defended: the moment a bank decides whether the person on the other end of onboarding is real.


V-CIP Vulnerabilities

The RBI's Video-based Customer Identification Process (V-CIP) was built on a simple assumption: a live video call is equivalent to a face-to-face bank visit. An official watches, checks a government ID against a live face, and signs off. For years, that assumption held.

It doesn't anymore.

NBFCs have already absorbed ₹15-20 crore in losses tied to deepfake exploitation of video KYC systems, according to cybercrime authorities tracking the trend. Industry data sourced from KYC technology vendors rather than the RBI itself, so treat the precision with some caution puts the number of daily V-CIP sessions in India in the range of 11 lakh, with a large share facing some form of spoofing attempt using real-time face-swap tools.

Whatever the exact figure, the direction is not in dispute: deepfake volume has scaled from roughly 500,000 files in 2023 to over 8 million by 2025, and fraud attempts using deepfakes have grown by orders of magnitude in that same window.

The uncomfortable part isn't that deepfakes exist. It's what they specifically defeat. A modern deepfake attack doesn't try to trick a liveness check by acting suspicious as it replaces the camera feed entirely, using tools that inject a synthetic or pre-recorded stream so convincingly that the verification system sees exactly what it's been trained to look for. Software-based liveness detection is fighting an opponent that keeps getting cheaper and better at passing the test, not breaking it.

The Video KYC call must be completed by a trained official with informed consent.

The Video KYC call must be completed by a trained official with informed consent.


RBI Master Directions

To be fair to the RBI, the gap isn't from inaction. The KYC Master Direction requires V-CIP applications to carry liveness and spoof-detection components with a high degree of face-matching accuracy, and it obligates the verifying official to independently detect fraudulent manipulation during the session.

The framework also requires that this infrastructure be "regularly upgraded" against emerging fraud patterns, and separately, the IT Act's "reasonable security practices" standard under Section 43A applies to any institution handling sensitive personal data.

What the Master Direction does not do is name deepfakes explicitly. That's not a loophole so much as a moving target since the rule is written to demand institutions keep pace with a threat that mutates faster than any single regulation can enumerate. In practice, that shifts the burden onto banks to prove their defenses are current, not onto the regulator to specify every attack vector.

The RBI's own FY26 annual report shows where its attention is going next: the report devotes dedicated coverage to cyber-enabled fraud and money mules, and highlights MuleHunter.ai, a supervised machine-learning model built by the Reserve Bank Innovation Hub to identify mule accounts in near real time.

That's a meaningful step but it addresses what happens after a fraudulent account exists, not whether a fraudulent identity should have been allowed to open one in the first place.


The Hardware Solution

This is where the conversation usually stops at software. Better liveness algorithms, better face-matching models, better anomaly scoring. All of that helps. None of it closes the gap, because all of it still depends on trusting a video signal that a sufficiently good deepfake is, by design, built to satisfy.

There's a control that doesn't have this problem, because it never ingests a video feed to begin with: hardware-rooted biometric authentication, specifically UIDAI and STQC-certified L1 fingerprint and iris devices with Fake Finger Detection (FFD) built into the sensor.

Next-generation fingerprint sensors move beyond basic 2D scanning to provide three-dimensional mapping, active thermal imaging, and edge-to-edge authentication.

The distinction matters more than it sounds like it should. An L1-certified device encrypts biometric data inside the hardware itself, before it ever reaches a server, a network, or a screen that could be intercepted or spoofed.

FFD algorithms operate at the point of physical contact which includes detecting silicon, gelatin, or synthetic print material at the sensor level, in real time, against a live finger. There is no camera feed to hijack, no video stream to inject, no software liveness model to fool with a generated frame. The trust boundary sits at the point of physical contact, not somewhere downstream in a network packet.

This is precisely why UIDAI has been phasing out older L0 devices in favor of L1 hardware, and why any bank or Business Correspondent running Aadhaar-linked services is required to deploy only certified devices and the uncertified hardware doesn't just risk fraud, it gets rejected by UIDAI's servers outright.


Why This Layer Gets Overlooked

It's not glamorous. Hardware certification doesn't generate the same headlines as an AI-powered fraud detection model, and it doesn't fit neatly into a fintech's roadmap of software releases. But that's exactly why it's the layer most likely to be under-resourced. The kind of investment that only becomes visible in an audit or an incident report, not in a product demo.

Bank fraud in India didn't shrink in FY26. It got more concentrated, more valuable per incident, and more dependent on defeating identity checks rather than transaction monitoring. The advances category alone accounted for 8,640 cases worth ₹40,774 crore which is nearly 85% of all fraud value reported and much of which traces back to how confidently an institution can say it knows who it's lending to.

Software will keep improving. So will the deepfakes built to beat it. The layer that doesn't degrade in that arms race is the one still built into the hardware, where the fight for identity trust never has to depend on whether a video was real.


FAQs

Fraud is consolidating into fewer, higher-value incidents rather than shrinking. RBI data shows fraud cases fell from 23,722 to 10,114 year-on-year, but the value involved rose 46.4% to ₹48,021 crore, driven largely by loan and advances fraud rather than card or digital payment fraud.

The open question is whether liveness detection built for older spoofing methods can reliably withstand deepfake-based attacks, which the Master Direction addresses only through a general "regularly upgraded" requirement rather than deepfake-specific rules.

L1 devices encrypt biometric data inside the hardware itself and use Fake Finger Detection at the point of physical contact, so there's no video stream or network transmission for an attacker to intercept or synthetically replicate which is a fundamentally different trust model than software-based video liveness detection.

Not by name. It requires V-CIP systems to include liveness and spoof-detection components and mandates the infrastructure be regularly upgraded against emerging fraud patterns, which creates a strong compliance expectation around deepfake defenses without listing them as a named requirement.

Comments

Leave A Reply

Captcha