Mumbai: The Reserve Bank of India has summoned senior officials of Yes Bank following concerns over a possible security lapse in the bank’s forex card system. The action comes after complaints regarding the Yes Bank–BookMyForex multi-currency forex card, where customer card numbers and CVV details are suspected to have been exposed.
Sources said the central bank has sought a detailed explanation from the bank’s management regarding the incident. The RBI wants clarity on how the system breach may have occurred, which security controls failed, and the extent to which sensitive customer data might have been affected.
Reports suggest that card details of several users, particularly CVV numbers, may have been compromised. The regulator has asked Yes Bank to provide a complete timeline of the incident, including when the risk was detected and what immediate containment measures were taken.
FCRF Launches Flagship Certified Fraud Investigator (CFI) Program
An internal investigation by the bank detected suspicious transactions on February 24 involving merchants reportedly linked to 15 businesses in a Latin American country. The probe found that transactions worth approximately ₹2.54 crore were approved across more than 5,000 customer accounts, while about 688 unauthorised attempts amounting to nearly ₹90 lakh were blocked.
Yes Bank stated that it is working with the card network to initiate chargeback processes to protect affected customers from financial losses. The bank also assured that users connected to the security incident would not suffer any monetary damage.
In its statement, BookMyForex said it does not store sensitive customer card information and that there was no evidence of system intrusion on its platform. The company further claimed that its infrastructure remained secure during the period under investigation.
The RBI’s investigation is primarily focused on how sensitive card data, particularly CVV details, was stored and encrypted. The central bank is also examining whether the bank and the third-party platform followed established cybersecurity protocols.
Regulators are additionally assessing third-party risk management frameworks, monitoring mechanisms and the overall effectiveness of security controls. The RBI is also reviewing the time taken to detect and report the incident and the remedial measures implemented to prevent further misuse.
Banking experts believe such incidents highlight the cybersecurity challenges associated with digital payment systems. The growing use of forex cards and international online payment services has created new potential targets for cyberattacks.
Authorities have indicated that accountability within the organisation will be evaluated after identifying security vulnerabilities, followed by corrective measures. The RBI is also reviewing what technological and administrative safeguards are required to prevent recurrence of similar incidents in the future.
Experts emphasise that banking institutions should adopt multi-layer cybersecurity architecture, real-time monitoring systems and stronger encryption standards, especially when collaborating with third-party payment platforms, to ensure customer data protection in the rapidly expanding digital financial ecosystem.
