DPI Deep Dive — Sunday | June 14, 2026

Layer L7: Security, Privacy & Trust — This week’s deep dive examines the intersecting threats and regulatory responses shaping India’s digital trust infrastructure. From AI-powered identity fraud to ₹53,000 crore in cumulative cyber losses, from RBI-mandated cyber assessments to spectrum policy as safety infrastructure, the picture that emerges is of a nation simultaneously accelerating its digital ambitions and confronting the security debt that accompanies them.

1. I4C Warns of AI-Driven Deepfake Identity Fraud Targeting Banks and Fintech

The Indian Cyber Crime Coordination Centre (I4C), operating under the Ministry of Home Affairs, issued a formal advisory this week flagging a new frontier in cyber fraud: AI-generated deepfakes and synthetic identities being weaponised to bypass facial authentication, liveness verification, video-KYC processes, and account recovery mechanisms across India’s banking and fintech sector. ¹

The advisory outlines a methodical five-stage fraud model. Attackers first establish contact through social media, job portals, dating platforms, or messaging apps. During these interactions, victims unknowingly share facial data through video calls or fake interviews. Fraudsters then use AI tools to create digital replicas that mimic facial movements, expressions, blinking patterns, and even voice. These synthetic media assets are deployed to defeat identity verification systems, complete KYC formalities, activate digital wallets, open financial accounts, or gain unauthorised access to existing services.

This is not a theoretical risk. The advisory comes amid mounting evidence that AI-powered impersonation is already operational. For a DPI ecosystem where Aadhaar-based eKYC, video verification, and facial authentication are foundational identity rails (connecting L1 Identity directly to L2 Payments), the implications are profound. If biometric verification—the last line of digital trust—can be synthetically replicated, the integrity of downstream financial services is at stake.

The cross-layer connection: This threat sits at the intersection of L1 (Identity & Authentication) and L7 (Security & Trust). Aadhaar’s biometric infrastructure was designed for a pre-AI era. The I4C advisory effectively acknowledges that the verification assumptions underlying India’s digital identity stack need re-examination. Recommended mitigations include integrating deepfake detection into onboarding flows, locking biometric profiles against remote modification, monitoring for unauthorised login notifications, and alerting telecom providers to potential SIM-swap activity. ²

2. Banks Race Against RBI’s End-June Cybersecurity Assessment Deadline

Indian banks are scrambling to complete a Reserve Bank of India-mandated cybersecurity gap review and submit board-approved action plans by the end of June, engaging external consultants including EY and BCG to assess vulnerabilities that advanced AI models could exploit. ³

In April, the RBI directed banks to conduct a comprehensive review of their cybersecurity posture, formulate a time-bound remediation plan, and develop an AI governance and security framework. The exercise has taken on added urgency following the emergence of frontier AI models like Anthropic’s Claude Mythos, which can autonomously discover and chain software vulnerabilities at unprecedented speed. Microsoft’s June 2026 Patch Tuesday alone patched a record 206 CVEs—including three zero-days—partly attributed to AI-accelerated vulnerability discovery. ⁴

EY has reportedly built its own frontier AI-equivalent testing framework to help banks conduct vulnerability assessments, given that most Indian banks lack direct access to advanced AI red-teaming tools. BCG’s assessment underscores that while AI is adept at finding vulnerabilities, the more immediate threat is the dramatic reduction in the cost and sophistication threshold for launching cyberattacks. A single lapse in proactive security can now be exploited at scale.

Why it matters for DPI: Indian banks are custodians of the UPI rail (L2), hold massive volumes of Aadhaar-linked customer data (L1), and process transactions through interconnected digital infrastructure (L3). A systemic breach here cascades across layers. The RBI’s directive signals that India’s financial regulators are treating AI-era cyber risk as an existential governance issue, not merely a technology problem. The Indian Banks’ Association has been directed to form a dedicated committee, suggesting this will become a sustained regulatory expectation rather than a one-time exercise. ³

3. NHRC Flags ₹52,976 Crore in Cyber Fraud Losses, Calls for “Digital Arrest” to Be Made a Distinct Offence

The National Human Rights Commission (NHRC) held an open house discussion on June 10 revealing that India has lost approximately ₹52,976 crore to cyber-enabled frauds over six years, with roughly 8% linked to “digital arrest” scams—where fraudsters impersonate law enforcement to terrify victims into transferring money. ⁵

The discussion, chaired by NHRC Chairperson Justice (retd) V. Ramasubramanian, heard that more than 3,000 digital arrest frauds targeting senior citizens were reported last year alone. The CBI disclosed that large-scale operations originate from cyber scam compounds in Southeast Asia, sustained through mule account networks, telecom infrastructure exploitation, social media intermediaries, and even human trafficking. TRAI noted a significant shift of digital arrest frauds to OTT communication platforms, prompting calls for a regulatory framework for internet-based voice and video calling—a development with direct implications for L6 (Governance) and L7 (Trust) layers.

Key recommendations from the discussion include:

• Recognising “digital arrest” as a distinct criminal offence
• Criminalising the renting of mule accounts and trafficking for forced cybercrime
• Introducing transaction “circuit breakers” for high-value transfers
• Mandatory call-duration alerts for unusually long calls
• Trusted-person authentication for vulnerable customers
• A single government verification portal for authenticating law enforcement communications
• A dedicated victims’ compensation fund

The data protection angle: NHRC Secretary General Bharat Lal emphasised that cybercriminals are “increasingly exploiting personal data obtained through data leaks”—a direct reference to the inadequacy of India’s current data protection enforcement under the DPDP Act, 2023. While the Act’s core provisions remain to be fully enforced, the gap between legislation and operational protection continues to widen as fraud actors become more sophisticated. ⁵

4. CERT-In’s AI Cybersecurity Blueprint and IFSCA’s Frontier AI Advisory

Two significant regulatory documents this week signal that India’s cybersecurity establishment is systematically preparing for an AI-altered threat landscape.

CERT-In’s AI Cybersecurity Blueprint (released May 25, with extensive coverage this week) outlines how AI-enabled threats could reshape India’s cyber defence posture. The blueprint warns that threat actors may use advanced AI to automate reconnaissance, discover software vulnerabilities, generate exploits, conduct large-scale phishing, and attack APIs, cloud environments, and interconnected systems. It recommends continuous governance, monitoring, and operational readiness—language that, while non-binding, signals evolving compliance expectations. ⁶

Separately, the International Financial Services Centres Authority (IFSCA) issued Circular No. IFSCA-CSD/MSC/3/2026-DCS on June 4, advising all regulated entities in IFSCs to address heightened cybersecurity risks from frontier AI models. Required actions include reassessing cybersecurity frameworks, maintaining Software Bills of Materials (SBOMs), enforcing multi-factor authentication, prioritising timely vulnerability patching, and incorporating human oversight of AI-generated security code. ⁷

Cross-layer significance: These advisories demonstrate a coordinated regulatory push across CERT-In, RBI, and sectoral regulators—mirroring the April 2026 inter-agency meetings involving the Finance Ministry, MeitY, RBI, and CERT-In. The consistent thread is that AI-driven cyber risk preparedness is transitioning from best practice to baseline compliance expectation. For India’s DPI stack, this means every layer—from identity verification to payments processing to document exchange—must account for AI-era threats in their security architectures.

5. DoT Delicences V2X Spectrum for Vehicle Safety; TRAI Consultation Exposes Telco-Auto Industry Turf War

In a move with significant implications for safety-critical digital infrastructure, the Department of Telecommunications issued twin gazette notifications delicensing spectrum bands for automotive radar (77–81 GHz) and vehicle-to-everything (V2X) communications (5875–5905 MHz) on June 10. The V2X notification permits in-car on-board units to operate in the 5.9 GHz band without licensing, subject to non-interference, non-protection, and non-exclusive use conditions. ⁸

Simultaneously, TRAI’s ongoing consultation on V2X framework has exposed a sharp divide between telecom operators and the automotive industry. Reliance Jio, Bharti Airtel, and Vodafone Idea (through COAI) argue that V2X spectrum should be auctioned commercially under existing telecom licences, contending that future V2X services will rely on 4G/5G networks. Technology and automotive groups, including the Broadband India Forum and 5G Automotive Association, advocate for shared, licence-exempt access to enable rapid safety-focused deployment. ⁹

Minister Nitin Gadkari has separately announced that MoRTH is preparing a formal notification for mandatory V2V communication in vehicles, including two-wheelers. India reported over 177,000 road accident deaths in 2024.

Why spectrum policy is a trust issue: V2X represents a new category of safety-critical digital infrastructure. The spectrum allocation model—licensed vs. licence-exempt—determines who controls the communication layer, what reliability guarantees exist, and how quickly life-saving technology reaches Indian roads. This is fundamentally a Layer 7 (Trust) decision disguised as a telecom policy debate. The outcome will shape whether India’s connected vehicle ecosystem is built on telecom-controlled infrastructure (with associated costs and latency) or on a decentralised, safety-first model. With India’s road fatality crisis as the backdrop, the stakes extend well beyond spectrum economics. ⁸⁹

This Week’s Thread: AI as the Great Amplifier

A common theme across all five stories this week is the amplifying effect of AI on existing vulnerabilities. Deepfakes exploit the biometric trust assumption in Aadhaar eKYC. Frontier AI models compress the attack-development cycle, overwhelming traditional patch management. Digital arrest scams leverage data leaks and OTT platform gaps that predate AI but are rendered far more effective by it. Cybersecurity blueprints now assume AI-capable attackers as the baseline threat. Even in spectrum policy, the question of who controls safety-critical communications is being debated in the shadow of AI-driven network complexity.

India’s digital public infrastructure was built on assumptions of linear technological evolution. AI has shattered that assumption. The regulatory responses documented this week—advisories, assessments, consultations, and delicensing actions—represent the early innings of what will be a protracted redesign of India’s security and privacy foundations for an AI-native threat environment.

The question is no longer whether India’s DPI stack can keep pace, but whether the iterative, consultation-heavy regulatory model can move fast enough to matter.