🔒 Our Bank Accounts Are Being Watched From the Inside. This Must Stop.


The Issue
A petition to the Reserve Bank of India, Ministry of Finance, and the Parliament of India
I Trusted Them With Everything
I hold multiple bank accounts across India. In those accounts sit years of hard work — savings built rupee by rupee, remittances sent home from abroad, fixed deposits meant for my parents' old age, funds set aside for my children's future.
To open those accounts, I surrendered everything. My PAN number. My Aadhaar. My address. My photograph. My nominee details. My entire financial identity — handed over in trust to institutions I believed were bound by law, ethics, and duty to protect it.
Then I discovered something that shattered that trust entirely.
Without my knowledge. Without my consent. Without any legal reason — bank staff accessed my account details. My balance. My transactions. My personal identifiers. Information I had never authorised anyone to see.
I did not receive an alert. I did not receive an apology. I received nothing — because in India today, there is no law that requires a bank to even tell you when someone on the inside has looked into your financial life.
That silence is not an oversight. It is a systemic failure. And it is time we end it.
You Have Felt This Too — Even If You Never Named It
Cast your mind back. Has a bank relationship manager ever called you out of nowhere, somehow knowing your exact account balance, to pitch an investment scheme you never asked about? Has a home loan executive from your own branch quoted your salary, your existing EMIs, your credit behaviour — details no salesperson should have access to — in a cold call you never invited?
Has a credit card agent called you within 48 hours of a large deposit landing in your account, with an offer that seemed tailored to a number only your bank could know?
We have been dismissing these moments as coincidence. As routine. As "just how banks work."
They are not coincidences. They are violations. Quiet, daily, normalised violations of our most sensitive personal information — and we have been absorbing them in silence for years.
What Begins as a Violation Does Not Always End as One — Sometimes It Ends in Devastation
Here is what I have come to understand, and what the data now confirms: the unauthorised access that begins with a marketing call does not always stop there.
Bank employees — the same people with access to your balance, your PAN, your Aadhaar, your transaction history, your nominee's name and phone number — can, and do, pass that information outward. To third parties. To fraudsters. To organised cyber gangs who have turned targeted financial crime into a sophisticated, profitable industry.
This is not speculation. This is documented reality.
The Central Bureau of Investigation arrested three individuals — including a former assistant manager at a private bank — in connection with a ₹1.6 crore digital arrest fraud that deliberately targeted a senior citizen. The ex-bank official is alleged to have played a central role in structuring the fraudulent accounts used to receive and conceal the stolen funds (The420).
In Rajasthan, police arrested four accused — including a contractual bank employee — in a ₹1.85 crore cyber fraud that specifically targeted an elderly woman. Investigators found the bank insider had helped fraudsters manage the very accounts used to receive and launder the money extorted from the victim (The420).
In both cases, the question investigators must ask — and that regulators have yet to answer — is the same: How did the fraudsters know who to target? How did they know that this particular elderly woman, in this particular city, held funds worth pursuing? How did they know which senior citizen to approach, which NRI family to impersonate, which account to drain?
Someone with access to a banking system gave them a starting point.
The Numbers Tell a Story That Should Alarm Every Indian
This is not anecdotal. The scale of what is happening to Indian banking customers is now officially on record — in the RBI's own published data.
The Reserve Bank of India's Annual Report 2024–25 reveals a staggering 194% jump in bank fraud value — rising from ₹12,230 crore in FY24 to ₹36,014 crore in FY25. Fewer cases were reported, yet the money lost nearly tripled. The RBI's own report acknowledges that insider collusion is an added menace, with several cases reflecting systemic complicity — where officials either looked away or actively assisted in bypassing risk frameworks (The420).
A 2025 report by global fraud intelligence firm BioCatch found that Indian banks reported three times more fraud cases in 2024 than in 2023, with social engineering scams now accounting for nearly a third of all reported fraud in India (Biocatch).
India's Supreme Court has directly flagged the alarming siphoning of nearly ₹52,000 crore between April 2021 and November 2025 through online fraud — and specifically called out cases where bank personnel failed to act despite unusually large withdrawals from accounts of senior citizens who had long banked with them (Banking Finance).
The court said plainly: "Banks must realise they are trustees of public money."
Yet the trustee is looking through the safe — and no one is watching them do it.
The Most Vulnerable Among Us Are Being Hunted
Here is what makes this a crisis of conscience, not just regulation.
The people most at risk from insider data leaks are not the wealthy and well-connected — people who have advisors, lawyers, and the resources to fight back. The people most at risk are your parents. Your elderly relatives. Your sibling working abroad whose NRI account holds years of foreign savings. Your retired father with a fixed deposit he has never touched because it is "for emergencies."
Cyber fraud gangs now deliberately select their victims based on vulnerability and predictable pressure points — NRIs managing Indian finances from abroad, unable to intervene quickly, and senior citizens who can be isolated and psychologically manipulated over extended calls (India Observers).
They know who to call. They know how much the account holds. They know the account holder is elderly, lives alone, and has a son or daughter abroad who cannot arrive in time to stop the transfer.
That level of targeting does not come from guesswork. It comes from data. It comes from inside.
In January 2026, an elderly NRI couple in Delhi was defrauded of approximately ₹14.84 crore in a 16-day digital arrest trap — one of the most precisely executed targeting operations seen in recent memory (India Observers). The fraudsters knew enough to sustain the deception across sixteen days. That is not cold calling. That is profiling — built from data that should never have left a bank's system.
A Pattern Written Across India's Biggest Banking Scandals
The insider access problem is not new. It is a wound that has been left unstitched for decades.
In the Punjab National Bank fraud — still one of the largest in Indian banking history — employees used their internal access to bypass the bank's own core banking system and issue fraudulent Letters of Undertaking worth over ₹12,000 crore through the SWIFT network, enabling a fraud that went undetected for years (Wikipedia). A deputy manager confessed to using unauthorised access to a Level-5 system password — a level of privilege that should have triggered immediate alerts, but instead operated in complete silence for years (BankInfoSecurity).
In April 2026, an Axis Bank branch manager in Hyderabad was arrested for embezzling ₹6.5 crore from the account of an NRI customer living in Australia. The fraud used forged signatures and 42 illegally issued loose-leaf cheques — instruments that should have been impossible for staff to issue without the account holder's physical presence. The victim spent nearly two years fighting for justice, escalating to the bank's CEO, receiving no meaningful response (etvbharat).
When Cyberabad Police arrested a data thief in Faridabad, he was found to be holding and selling the personal and financial data of over 60 crore individuals — with customer information from State Bank of India, Axis Bank, and Bank of Baroda among the stolen records (The Wire).
In every case, the entry point was the same: unchecked, unlogged, unaccountable access to data that belonged to customers — not to the bank.
The Law Exists. The Enforcement Does Not.
India is not without legal frameworks. The Digital Personal Data Protection Act, 2023 — fully operationalised through the DPDP Rules notified in November 2025 — mandates explicit consent before data collection, requires organisations to maintain access logs, and establishes a Data Protection Board of India to handle complaints (Ujjivansfb).
The RBI's own Digital Banking Framework 2025 requires banks to implement privacy-by-design principles, maintain audit trails, and establish strict data encryption and access controls across all customer data systems (Bhattandjoshiassociates).
The RBI has explicitly directed that no customer should be coerced or misinformed, and has mandated that banks establish risk-based, real-time transaction monitoring to detect suspicious behaviour (The420).
The directives are there. What is missing is the mechanism for you — the account holder — to verify whether any of this is actually being followed on your behalf. You cannot request an access log. You cannot see who viewed your account. You cannot file a complaint directly with the RBI without first going through the bank that wronged you. The law protects you on paper. The infrastructure to enforce it does not yet exist.
This petition is a demand to build that infrastructure — now, before more savings are stolen, before more elderly parents are trapped, before more NRI families discover that the money they sent home has quietly disappeared.
-----------------------------------------------------------------------------------
What We Are Demanding
We call upon the Reserve Bank of India, the Ministry of Finance, the Data Protection Board of India, and the Parliament to enact the following with immediate effect:
1. A statutory right to an Account Access Log. Every instance of any bank employee accessing a customer's balance, PAN, Aadhaar, transactions, or personal identifiers must be automatically logged and made available to the account holder on demand — without requiring a legal process or bank approval.
2. Real-time access alerts for high-risk profiles. NRI accounts, senior citizen accounts, and accounts flagged as high-value must trigger an immediate SMS or email notification to the account holder when any internal access occurs outside of a transaction initiated by the customer.
3. Criminal prosecution — not internal enquiry — for unauthorised data access. Accessing a customer's financial data without documented, legitimate reason must be treated as a criminal offence under the DPDP Act and the IT Act, carrying mandatory prosecution. HR memos are not accountability.
4. An independent, direct grievance channel to the RBI — bypassing the accused institution entirely — with a legally mandated 30-day resolution period and interim relief provisions for defrauded customers.
5. A dedicated Insider Threat Audit mandate. The RBI must require all scheduled commercial banks to conduct annual independent audits of internal data access patterns, with results submitted to the regulator and accessible to the public in aggregate form.
6. Enhanced protections for NRI and senior citizen account holders, including mandatory next-of-kin alerts for unusual access patterns and a verified, branch-independent escalation line that connects directly to the banking ombudsman.
7. Full whistleblower protection under law for bank employees who report internal data misuse — with guaranteed employment security and legal immunity for good-faith disclosures.
Sign This — Because Trust Is Not a Product to Be Sold Back to You
Your parents spent their working lives trusting Indian banks with their savings. Your relatives abroad built an NRI account because they believed it was safe. You submitted your Aadhaar, your PAN, your photograph, your entire financial identity — because you had no choice, and because you believed the institution would honour that trust.
That trust is being violated — daily, quietly, and without consequence.
India's banking system holds the financial futures of over a billion people. It deserves — and its citizens demand — a privacy standard that matches that responsibility. Not promises. Not circulars that sit unread. Real accountability. Real transparency. Real protection.
Sign this petition. Share it with your parents, your siblings abroad, your colleagues, your neighbours. Because the next account accessed without permission, the next elderly person targeted, the next NRI family devastated — could be yours.

Petition created on 25 April 2026