ICICI Fraud, Again: How ICICI Bank’s Internal Employees Are Looting Their Own Customers?

A breach of trust has shocked India’s private banking sector. In early June 2025, it emerged that Sakshi Gupta, a 26-year-old relationship manager at ICICI Bank’s Kota branch, had allegedly siphoned off ₹4.58 crore from customers’ accounts over more than two years. The case is staggering not just for the sum involved, but for the brazen methods and systemic lapses it exposed. Gupta is accused of exploiting her privileged access, including forging digital credentials, changing customers’ registered mobile numbers to intercept OTPs, prematurely breaking fixed deposits, and even activating unauthorized loans, all while channeling funds into her own stock-market trades. Shockingly, most victims were senior citizens who never saw the fraud until an innocent customer unraveled the scheme.
The ICICI Bank debacle has provoked an outcry. Customers feel betrayed by a bank long touted for its technology and internal controls. Social media commentators speak of a “trusted bank that betrayed our trust”, questioning how a single employee could violate the system unchecked for years. Bank critics are demanding answers: How did every layer of oversight fail, from branch management and auditors to regulators, allowing this fraud? The answers point to a systemic collapse of controls rather than a lone bad apple.
How the ICICI Fraud Operated, Unnoticed?
The scam was uncovered only after a customer’s routine FD inquiry. In February 2025, one of Gupta’s victims went to the ICICI branch to check on a fixed deposit, only to learn it had been prematurely liquidated without her knowledge. This customer’s complaint triggered an internal probe, and the Udyog Nagar (Kota) police FIR on February 18, 2025. Gupta was arrested on May 31, 2025, ironically at her sister’s wedding, but by then the damage was done. Investigators found that between 2020 and 2023, Gupta had quietly pilfered funds from more than 110 accounts belonging to 41 customers, most of them elderly people.
Gupta’s methods were sophisticated. Police reports and media accounts reveal she misused the bank’s FD “User FD” portal to break at least 31 fixed deposits, diverting over ₹1.34 crore into accounts she controlled. She also activated unauthorized overdrafts on 40 accounts, netting still more funds. A personal loan of ₹3.4 lakh was fraudulently disbursed in someone else’s name. Gupta then funneled all the proceeds through a “pool” account, even using an unsuspecting senior citizen’s account as a conduit, before transferring the money into her stock-market brokerage accounts. The money was promptly bet on high-risk futures and options, where Gupta lost almost the entire ₹4.58 crore stake.
Fraudsters often tamper with banking devices or credentials to steal money. In this case, the ICICI RM changed customers’ mobile numbers and exploited digital access to divert funds. Astonishingly, Gupta covered her trail. According to police, she changed her victims’ registered mobile numbers to those of relatives (or devices she controlled), so OTPs and alerts never reached the real account holders.
Four of the customers’ debit cards were used for ATM withdrawals and online transfers, without their knowledge. Transactions were carried out through InstaKiosks and digital banking portals, and Gupta even altered entries in the bank’s internal software to hide the fraud. It can be noted that “she changed entries in the bank’s internal software to hide her activities”, suggesting a degree of insider collusion or extremely lax IT controls.
So well did Gupta conceal the scheme that even her own managers and colleagues saw nothing amiss for years. It was only a tip-off from a customer that cracked the case. The bank’s official line, echoed in press releases and media interviews, emphasizes the “zero-tolerance” response: ICICI says it immediately filed an FIR and suspended the employee, and will fully compensate affected customers. But critics point out the obvious: if all victims are to be “settled” and made whole, why did it take a missing deposit, two years and a private complaint to uncover any fraud at all?
Anatomy of the Scam: Forged Access and Broken Deposits
This was no petty embezzlement. Gupta, a young, presumably tech-savvy banker, abused her official privileges on multiple fronts. Besides altering contact details, she allegedly stole debit cards and PINs, and even accessed customers’ net-banking using OTPs she collected on her own phones. She forged signatures to break fixed deposits and authorize loans. In effect, Gupta impersonated dozens of account holders and built a mini money-laundering racket inside the bank branch, cycling stolen bank funds into her demat accounts.
It is striking that the crime spanned multiple product types, from savings accounts and FDs to OD loans and even insurance policies. This breadth points to severely fragmented or ineffective controls. A properly monitored bank would have cross-checked, for example, whether 31 out-of-cycle FD breakings were genuine, or flagged that dozens of OTPs suddenly went to the same few phone numbers. Yet such red flags went unnoticed. In Gupta’s case, investigations revealed that victims “never checked their bank balances”, a telling comment on the vulnerability of elderly depositors. But a prudent bank should not assume customers are vigilant; it should ensure alerts reach them.
Indeed, one core failure was that customers were deprived of basic alerts. The Bombay High Court later scolded HDFC Bank in a similar fraud where an employee siphoned ₹3 crore from FDs. “She did not receive any SMS or email alerts about these transactions”; this was the court’s damning note on the bank’s security. In ICICI’s case, the branch manager himself says Gupta “changed the mobile number of customers to her own close relative’s numbers so that they don’t know about these transactions”. How was this possible without triggering an OTP to the original number?
Industry experts told LinkedIn commentators that this is simple negligence: in modern banking, changing a customer’s contact should never bypass OTP/email verifications on existing registered devices. Yet Gupta apparently had the power to rewrite contact data at will. A LinkedIn finance expert fumed: “How come a branch manager has so much power to change contact details without verifying it through OTP on existing phone or email id? This is a problem of lack of internal control which gave an opportunity to a branch manager to take advantage”.
It’s not just one enraged observer. Another industry veteran on LinkedIn bluntly called out the “inadequacy of processes”, urging auditors to review and fix them. Public commentators point out that banks boast “robust audit systems” and “multilayer fraud checks,” yet here, every layer failed: branch supervision, internal audit, statutory audit, and even RBI/SEBI oversight seemingly saw nothing.
Did the bank’s internal audit actually “crack” the case, as one report claims, or did it merely follow up a whistle-blower tip? And what of the bank’s statutory auditors and the Reserve Bank of India, which routinely inspects branches and enforces compliance? The silence from ICICI top management is telling: no prior action or fine was reported before the case broke. This raises serious questions about regulatory vigilance over internal fraud.
Recurring Patterns: Other Banks Racked by Insider Scams
Shock at ICICI quickly turned to dread recognition. Other recent cases suggest this is not an isolated phenomenon but part of a recurring pattern of internal fraud in Indian banking. In December 2024, the Bombay High Court publicly blasted HDFC Bank over a very similar crime. There, a 27-year-old RM, Payal Kothari, allegedly broke her elderly client’s FDs worth ₹3 crore and re-routed the money into fake accounts.
The victim, a 53-year-old woman, discovered the theft only when she was mistakenly told she had an overdraft, and learned her FDs had vanished. The courtroom exchange is chillingly relevant: Justice Revati Mohite-Dere asked, “Is there no accountability of any bank when money is siphoned off under their nose?” In that hearing, the court also ordered RBI to appear and explain how such basic security lapses occurred, which is a stark indictment of oversight.
The striking similarities cannot be ignored. In both ICICI and HDFC incidents, an RM gained a depositor’s trust, collected signed blank checks or mandates, and promised higher returns. Both RMs changed contact info to silence alerts. Both crimes spanned years, relying on customer obliviousness. In every case, the fraud was detected only when an outsider, a customer complaint or court intervention forced action. Neither bank’s internal mechanisms pre-empted the fraud. Even after discovery, banks’ reflexive press lines (“zero tolerance…customers’ interests paramount”) sound hollow when courts are compelled to drag them into accountability hearings.
And it’s not just private banks. State-run PNB’s infamous ₹13,500-crore LoU fraud (Nirav Modi) and the smaller Navratna cases of employees aiding loan fraud show that rogue staff can and do exploit bank systems. While Nirav’s case was an external ring with some staff collusion, it similarly revealed that no one in the hierarchy questioned a cascade of red flags. Closer to the retail-banking model, even earlier ICICI cases highlight the menace: in early 2024, a branch manager in Pratapgarh (Rajasthan) was exposed for “withdrawing depositors’ money, to create an illusion of new FD, current and savings accounts” to meet targets. Crores of rupees vanished in that scheme, which only came to light after a police probe.
Axis Bank has seen its share. In late 2024, Odisha police arrested an Axis RM accused of defrauding a 65-year-old widow of ₹2.3 crore. He allegedly persuaded her to move money into an FD, obtained signatures, then covertly created an overdraft and siphoned the FD funds into his own accounts. Like the ICICI case, the fraud only emerged when the loan department informed the victim of a mysterious overdraft. Investigators found the manager had used some stolen money to buy insurance policies for cronies. These scams all share a script: Relationship managers, seen as trusted aides, exploit vulnerable older customers to hit sales targets, then hide the crime in the shadows of the bank’s systems.
Experts say these frauds expose wrong intent in bank controls. A padlock might symbolise security, but when insiders control the keys (contacts, OTPs, databases), even a “locked” system is open to attack. These revelations are fueling anger across customer forums. On LinkedIn and Twitter, commentators note with bitter irony that banks’ yearly audits and RBI inspections had not caught any of these scams. One remarked that banks respond to such scandals with a mechanical “boilerplate text” about zero tolerance, while in reality “a branch manager has so much power” to override controls. Another called it “inadequacy of processes” that only auditors, often hailed as fraud-watchdogs, ever notice.
The public anguish is magnified by the social media echo chamber. On X (formerly Twitter), hashtags like #ICICIBankScam and #BankFraud trended as posts shared news reports with shock. One viral post by Logical Indians summed up the sentiment: “Former ICICI Bank Manager Steals ₹4.58 Crore from 110 FDs of 41 Customers, Loses Entire Amount in F&O Trades”, followed by outraged replies demanding explanations. On Reddit and Facebook, victim-support threads multiply, with frustrated accounts of banks offering only apology letters and legal complaints. The constant refrain: How can ‘robust bank systems’ fail so utterly?
Regulatory and Audit Oversight: Who Failed to Check?
These cascades of fraud compel a harsh question: Why did regulators and auditors miss all this? Indian banking has layered controls on paper, from daily branch head audits to quarterly statutory audits by Chartered Accountants, and periodic RBI inspections. But recent events suggest these mechanisms are either toothless or circumvented.
Take RBI, for instance. If city branches of ICICI and HDFC repeatedly endured years-long thefts, what does RBI’s supervisory regime actually verify? It’s hardly reassuring that the HDFC case ended with the Bombay High Court summoning RBI to explain its lack of action. In fact, RBI was specifically grilled by judges: “Why does an arrest have to be made only when a complainant comes to the court?” the court demanded.
Critics point to recent RBI penalty statistics for clues. In 2024–25, RBI hit dozens of cooperative banks with sanctions, many for frauds and governance lapses. But private banks mostly escape such scrutiny. RBI’s inspections often certify books as clean unless blatant misreporting is found. However, in these insider scams, it seems nothing in the books triggered alarm.
For example, Gupta’s withdrawals would show up as broken FDs and overdrafts, that is, as legitimate bank activities, if logged. Unless an inspector specifically cross-checks signatures or customer consents, an ID management fraud can slip by. In the NICB cooperative-bank fraud (₹122 crore) exposed in 2023, RBI inspectors missed a general manager walking out with cash in bags, a glaring red flag. NICB’s collapse after RBI oversight suggests the regulator is ill-suited to catch ‘inside jobs’ in large banks either.
Statutory auditors have similar blind spots. They review transaction trails and balance sheets, but might not verify each FD break or contact change. If an employee falsifies internal records, auditors only see documents “in order.” Only a forensic audit, which rarely happens unless a whistleblower demands it, would surface such a scheme. Theoretically, the Reserve Bank’s Fraud Monitoring Cell should detect unusual patterns (like many FDs broken in one branch), but in practice, nothing alerts unless a fraud is reported by the bank. In the ICICI case, the bank itself only reported the fraud after discovery, and RBI only hears of such cases through those FIRs, which is too late to prevent customer harm.
SEBI’s role is tangential. In the Axis Mutual Fund scandal of 2023, regulators did step in to punish a dealer for front-running (₹30 crore of illicit gains), but that was a market manipulation story, not a bank-robbing one. SEBI has no jurisdiction over bank deposit security. Even in Gupta’s case, her stock trades via Zerodha/ICICI Direct, while suspicious, fell outside SEBI’s purview as long as they were legitimate trades. It’s telling that SEBI scrutiny seems irrelevant to this saga; the oversight gap is between RBI-style banking supervision and internal bank audits.
In short, “RBI and the government seem to have found an easy way to deflect attention” whenever such frauds surface. There’s talk of raising deposit insurance, but those are after-the-fact fixes. The root issue is governance. Even former RBI Governor Shaktikanta Das’ reforms after the PMC/Yes Bank crises are focused on preventing bank collapses, not policing branch-level malfeasance. Until India mandates compulsory forensic audits after any significant fraud, or holds RBI inspectors formally accountable for misses, bank frauds will keep resurfacing like weeds.
ICICI’s Response and Accountability
Facing a storm of criticism, ICICI Bank has been on the defensive. In public statements, its spokesperson insists “customers’ interests are of paramount importance” and repeats the standard lines about FIRs and claim settlements. But the bank’s other actions speak louder. First, it quietly suspended Gupta on discovering the scam, implying at least some immediate internal action. Next, ICICI claims to have reimbursed all “genuine claims” of affected customers. However, independent reporting suggests some victims are still fighting to get full recoveries. In previous cases, banks have often dragged their feet compensating all customers.
Even more concerning is ICICI’s delayed FIR filing and customer notification. It is reported that ICICI only lodged a formal police complaint in February 2025, after the FD inquiry, and went public in June. Why not notify all potentially affected clients immediately? The bank’s PR claims “no customer has suffered any financial loss,” but if that’s true, why didn’t ICICI itself meet the victims and verify their balances? Past banking scandals suggest banks sometimes wait for statutory timelines (72 hours to report frauds to RBI, for example) or for cases to become media-worthy before acting.
Delaying the FIR seems especially egregious given the scale. If money “lost” can be reimbursed, swift police action could have halted Gupta earlier. One ICICI insider told media that the branch manager only alerted headquarters after the fraud grew too big to ignore. This implies branch staff either didn’t notice or were complicit. ICICI’s management at Kota must explain: How did the branch manager (no less) fail to supervise a high-performing RM generating huge loan disbursements and deposit closures? How did she amass 110 accounts to exploit without any tallying? The bank has not detailed any management-level inquiry or accountability for its branch or regional heads.
Critics on social media have been scathing. One LinkedIn commenter, echoing many, said, “I too got a boilerplate comment from ICICI Bank” and asked why “a branch manager has so much power to change contact details” in the first place. Another noted that ICICI’s public statement is as scripted as any crisis press release (“we filed an FIR… zero tolerance”) and questioned whether any real lessons would be learned. In the HDFC case, the judge threatened departmental action against negligent police officers; in ICICI’s case, one wonders if RBI or SBI’s board will demand internal reforms or if it will be swept under the corporate rug.
Meanwhile, the customers who trusted ICICI now have lingering fears. Every senior citizen in Kota who had a fixed deposit is triple-checking their statements. Industry analysts expect a surge in FD break requests as people panic and insist on face-to-face verification for any change in their accounts. The reputational damage is real: ICICI’s rating of bank safety and trustworthiness will surely take a hit. Just days before the scam broke, ICICI itself boasted in filings that its “asset quality is robust” and loss contingencies low; now the credibility of such claims is in doubt.
This saga is about more than numbers; it’s about betrayed trust. For elderly victims, bank officials were like family confidantes. Sakshi Gupta’s elderly clients likely waved her off as they waved goodbye to their banking routine. It is profoundly unsettling that the very institutions meant to safeguard retirements can be turned into personal ATMs.
Why is a private bank with multibillion-dollar balance sheets still so weak at the basic job of protecting depositors?
Public anger has been palpable. Social media polls and comments show a bleak picture: users express shock and cynicism (“Amazing how RBI inspections missed all of this”), resignation (“Same story, different bank”), and demand for change. Hashtags like #EndBankFraud and #SafeYourFD trended briefly as customers vowed to push for stricter penalties and compensation. Even politicians in opposition have seized on the issue, calling it evidence that “Modi government’s deregulation has left banking vulnerable to predators.” (The ruling party retorts that private banks self-regulate too much; RBI and law enforcement should do their jobs better.)
Experts have offered concrete fixes. The YesPunjab report quotes analysts urging RBI to mandate “tokenisation for fixed deposits”, meaning only the FD-holder’s unique token (like Aadhaar or a DigiLocker key) can authorize any change. They also want real-time surveillance systems that flag any cluster of OTP changes or FD breaks. Right now, banks mostly rely on static checks (signature, thumbprint) that insiders can forge. Perhaps a dynamic, cross-channel alert, e.g., an OTP to both old and new phones, or an independent confirmation via branch call, should be compulsory. The RBI could direct all banks to implement such measures immediately.
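A minimal sketch of the kind of surveillance described above, added here as an illustration and not taken from any bank’s or regulator’s system. It scans a constructed audit log for one mobile number registered on several customers’ accounts, for FD breaks or overdraft activations shortly after a contact change, and for clusters of FD breaks by one employee; the event fields, action names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (not real bank data); field layout is an assumption:
# (timestamp, employee, customer, action, new_mobile)
EVENTS = [
    ("2025-01-02T10:00", "EMP7", "C001", "MOBILE_CHANGE", "9000000001"),
    ("2025-01-03T11:00", "EMP7", "C001", "FD_BREAK", None),
    ("2025-01-05T09:30", "EMP7", "C002", "MOBILE_CHANGE", "9000000001"),
    ("2025-01-06T14:00", "EMP7", "C002", "OD_ACTIVATE", None),
    ("2025-01-08T12:00", "EMP7", "C003", "MOBILE_CHANGE", "9000000001"),
    ("2025-01-09T12:00", "EMP7", "C003", "FD_BREAK", None),
    ("2025-01-10T10:00", "EMP2", "C010", "MOBILE_CHANGE", "9000000555"),
    ("2025-01-12T10:00", "EMP7", "C004", "FD_BREAK", None),
    ("2025-01-15T10:00", "EMP3", "C020", "FD_BREAK", None),
    ("2025-03-20T10:00", "EMP2", "C010", "FD_BREAK", None),
]


def detect(events, shared_min=3, follow_days=7, cluster_min=3, cluster_days=30):
    """Return a list of alert tuples for three insider-fraud patterns."""
    rows = sorted(
        ((datetime.fromisoformat(t), e, c, a, m) for t, e, c, a, m in events),
        key=lambda r: r[0],
    )
    alerts = []

    # Rule 1: one mobile number newly registered on several customers' accounts.
    by_mobile = defaultdict(set)
    for _, _, cust, action, mobile in rows:
        if action == "MOBILE_CHANGE":
            by_mobile[mobile].add(cust)
    for mobile, custs in sorted(by_mobile.items()):
        if len(custs) >= shared_min:
            alerts.append(("SHARED_MOBILE", mobile, sorted(custs)))

    # Rule 2: FD break or overdraft soon after a contact change on that account.
    # The last field records whether the same employee made both entries.
    last_change = {}
    for ts, emp, cust, action, _ in rows:
        if action == "MOBILE_CHANGE":
            last_change[cust] = (ts, emp)
        elif cust in last_change:
            changed_at, changed_by = last_change[cust]
            if ts - changed_at <= timedelta(days=follow_days):
                alerts.append(("CHANGE_THEN_DEBIT", cust, action, changed_by == emp))

    # Rule 3: cluster of FD breaks keyed in by one employee (sliding window).
    breaks = defaultdict(list)
    for ts, emp, _, action, _ in rows:
        if action == "FD_BREAK":
            breaks[emp].append(ts)
    for emp, times in sorted(breaks.items()):
        for i in range(len(times) - cluster_min + 1):
            if times[i + cluster_min - 1] - times[i] <= timedelta(days=cluster_days):
                alerts.append(("FD_BREAK_CLUSTER", emp, cluster_min))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 2 depends on the contact-change log being written somewhere the employee who makes the change cannot edit, since the article reports that internal entries were altered to hide the activity.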
Finally, the law must catch up. The Mumbai bench’s pointed rebuke to HDFC showed that courts are willing to chastise banks in such frauds. Will courts treat ICICI’s lapse with similar gravity? Will they compel the bank and RBI to explain? Or is another settlement looming behind closed doors, with customers quietly promised their money back while executives move on? Given the public fury, regulators must ensure full accountability: penalize those who ignored warnings (if any), force systemic audits of the branch, and maybe fine the bank for supervisory lapses. Otherwise, such crimes will only repeat.
Betrayal like this should not become routine. Indian banking cannot maintain public faith if scandals emerge annually, each wilder than the last, and every bank’s PR machines churn out identical apologies. Customers are asking hard questions: If their life savings can vanish under official noses, why trust any bank? The answer lies in tangible action, not mere words. RBI, SEBI, and bank boards must overhaul controls, not just offer after-the-fact promises. Only then can the next ICICI, Axis, or HDFC scandal be prevented, or at least, be caught before crores are lost.