India’s central bank announced that it would introduce a new web domain, .bank.in, which is designed to promote trust in the domains that banking customers in the country use, much like .gov domains promote trust in the domains used by U.S. government entities.
The move aligns — and potentially clashes — with industry-led efforts in North America and Europe to standardize the online real estate that banks use. The efforts are meant to undercut fraudsters and scammers, who can register legitimate-looking domain names and use them to impersonate banks.
“This initiative aims to reduce cybersecurity threats and malicious activities like phishing and streamline secure financial services, thereby enhancing trust in digital banking and payment services,” said Puneet Pancholy, chief general manager at the Reserve Bank of India, or RBI, in
RBI’s effort is not the first to try to undercut fraudsters and phishers by using domain names. fTLD Registry Services governs the top-level domain .bank. It reserves the domain for retail banks, savings associations, and their holding or parent companies. fTLD also issues .insurance domain names.
While many of the 878 banks that have registered a .bank domain are in the U.S., fTLD also has registrants in Mexico, Europe, Australia and beyond — including one registrant in India.
While .bank.in domains will be controlled by a government entity, .bank domains are governed by fTLD, whose policies are closely overseen by industry groups including the American Bankers Association, Bank Policy Institute, Independent Community Bankers Association, Canadian Bankers Association, European Banking Federation and others.
The Internet Corporation for Assigned Names and Numbers, or ICANN, is the primary authority for top-level domains such as .com, .org and .net. For these and other domains, including .in and .bank, ICANN delegates domain name registration to registrars that can then sell domain names to registrants.
For example, google.com is registered to Google by registrar MarkMonitor. ICANN has accredited MarkMonitor to issue .com domains, meaning the company can sell unclaimed .com domains and manage ones that have already been claimed.
Countries control their own country code top-level domains. For example, India controls .in and the domains under it, including .bank.in.
The Reserve Bank of India has delegated registration authority for .bank.in domains to the Institute for Development and Research in Banking Technology, or IDRBT, meaning any Indian bank hoping to register a .bank.in domain will need approval from IDRBT.
While RBI said .bank.in will be “exclusive” to banks, according to the press release, neither the central bank nor IDRBT has yet detailed what policies will be in place to prevent illegitimate registrants from purchasing .bank.in domains. These policies will prove critical to the efficacy of the effort to promote .bank.in domains as safe and legitimate.
RBI said registrations will begin April 2025, and detailed guidelines for banks will be “issued separately,” though it was unclear whether registrations would be optional or mandatory for banks.
IDRBT did not immediately respond to a request for comment.
For its part, fTLD requires .bank registrants to submit a verification application, which the company then reviews to ensure the applicant is eligible. After this, the applicant must choose a registrar from which to purchase a .bank domain. This registrar also plays a role in the security of the domain itself.
Once the registrant secures a .bank domain, fTLD requires the registrant to deploy specific domain security measures to prevent cybercriminals from hijacking the domain name or intercepting unencrypted traffic.
The registrant must also implement email authentication measures, which prevent fraudsters from spoofing, say, the CEO or an email address associated with the .bank domain.
While these measures help to secure the .bank domain, they do not apply to .com domains, which are far more common for banks and many other businesses.
To ensure customers are aware of the new protections they have, fTLD also recommends new registrants promote the move to the new .bank domain in email and website marketing.
This ensures that customers who interact with the bank online are familiar with the change, why it happened and what makes the new domain name more secure. It also ensures they avoid phishing and impersonation scams that use .com or other, less secure domains.
The president of fTLD, Craig Schwartz, emphasized the lack of publicly disclosed security features meant to safeguard .bank.in domains as a contrast with his own company’s practices, adding that fTLD has been issuing .bank domains securely for a decade.
“As the global leader in establishing security standards in the financial services domain name space, fTLD believes that its private sector, industry-led approach remains the best way to respond to the ever evolving online threat environment,” Schwartz said.