Private sector lender Yes Bank has reported unauthorised transactions amounting to approximately $0.28 million on its Multi-Currency Prepaid Forex Card, prompting immediate containment measures and regulatory scrutiny. The transactions, carried out on behalf of nearly 5,000 customers, were detected in the early hours of February 24, 2026, after the bank’s fraud monitoring systems flagged an unusual spike in transaction declines.

In a regulatory filing, the bank said that while transactions equivalent to $0.28 million were approved during the incident window, 688 additional unauthorised attempts were blocked, preventing further exposure of roughly $0.1 million. The bank has stated that affected customers will not bear financial losses and that chargeback processes have been initiated.

While the quantum involved appears limited in absolute terms, the episode has drawn regulatory attention because it raises broader questions about cross-border authentication standards, card data protection, and operational resilience within India’s expanding digital payments ecosystem.

What Happened

According to the bank, the fraudulent activity occurred between 3:30 AM and 8:30 AM (IST) on February 24 across 15 merchants located in a Latin American country. The jurisdiction in question does not mandate two-factor authentication (2FA) for e-commerce transactions – a key detail in understanding how the transactions were processed.

The unauthorised attempts were concentrated on specific Bank Identification Numbers (BINs) associated with the forex card portfolio issued in partnership with BookMyForex. BIN-level targeting typically suggests that fraudsters may have had access to a defined card range rather than engaging in random card number testing.

The irregular transaction pattern – particularly the spike in declines – triggered alerts within the bank’s fraud monitoring systems. According to the filing, containment protocols were initiated shortly thereafter.

Why the Absence of 2FA Matters

India mandates two-factor authentication for domestic online card payments. This means that even if a fraudster possesses a card number and CVV, a second layer of verification – such as an OTP sent to the registered mobile number – is required to complete the transaction.

However, authentication standards vary significantly across jurisdictions. In several international markets, especially for cross-border transactions, mandatory 2FA is not uniformly enforced. This creates a structural asymmetry: cards issued in highly regulated environments may be used in lower-authentication ecosystems where only basic card credentials are required.

If card details are exposed, such jurisdictions become vulnerable processing points for unauthorised transactions. The Yes Bank episode appears to have exploited precisely this gap.

Immediate Containment Measures

As a precautionary measure, Yes Bank has restricted e-commerce transactions originating from the identified geography. The lender has also enhanced monitoring across the affected BIN ranges and intensified transaction surveillance within its forex card portfolio.

The bank stated that it is working with the relevant card network to raise chargebacks to ensure that impacted customers do not face financial loss. Dispute resolution mechanisms have been activated, and additional safeguards have reportedly been implemented to prevent recurrence.

Replacement cards are being issued where necessary.

The speed of detection and restriction appears to have limited the financial exposure window to a few hours. That containment may prove significant in shaping regulatory assessment.

Regulatory Scrutiny Intensifies

The development has drawn the attention of the Reserve Bank of India (RBI), which has reportedly sought a comprehensive explanation from senior officials of the bank.

According to media reports, the central bank has requested detailed clarification on:

• The root cause of the incident
• Whether card data, including CVV details, was compromised
• The adequacy of encryption and data storage standards
• The timeline of detection and regulatory reporting
• Internal accountability mechanisms
• Steps being taken to prevent recurrence

The RBI’s involvement signals that the matter is being evaluated not merely as a transactional fraud incident, but as a test of cybersecurity architecture and third-party risk governance.

In recent years, the RBI has tightened norms around digital operational resilience. Banks are required to adhere to stricter cybersecurity frameworks, conduct regular vulnerability assessments, and report incidents within defined timelines. Vendor partnerships – particularly in fintech-linked products – have also come under sharper regulatory focus.

Fraud Attempt or Data Compromise?

At present, Yes Bank has described the episode as unauthorised transactions concentrated on specific BIN ranges. The bank has not publicly characterised the matter as a systemic data breach.

However, reports suggest that card details, including CVV numbers of certain customers, may have been exposed. If confirmed, this would elevate the issue beyond transaction-level fraud into a broader data security event.

BookMyForex, the fintech partner involved in issuing the forex cards, has reportedly denied any breach within its own systems.

The distinction matters. A transaction-level fraud exploiting leaked credentials differs materially from a breach of core banking infrastructure or partner systems. Regulatory consequences, reputational impact, and remediation measures vary significantly depending on that classification.

For now, the precise origin of the data exposure, if any, has not been publicly disclosed.

Scale and Proportionality

In financial terms, the $0.28 million exposure is modest relative to the scale of India’s banking system and Yes Bank’s retail operations. There is no indication of system-wide compromise at this stage.

However, cyber incidents are often assessed not purely by quantum, but by structural implications. Concentrated activity within a short time window suggests coordinated exploitation rather than isolated misuse.

From a governance perspective, even contained events invite scrutiny if they reveal authentication gaps or third-party vulnerabilities.

Market reaction has remained measured so far, suggesting that investors view the incident as operational rather than systemic – at least based on currently available information.

Not the First Card Security Incident in India

India’s banking sector has faced significant card-related breaches before. In 2016, nearly 3.2 million debit and credit cards across multiple banks – including State Bank of India, HDFC Bank, ICICI Bank, Axis Bank and Yes Bank – were compromised in one of the country’s largest card data incidents. The breach was linked to malware in a third-party payment processing system and resulted in widespread card blocking and reissuance after fraudulent overseas transactions surfaced.

That episode prompted regulators to tighten cybersecurity guidelines, strengthen authentication mandates, and increase oversight of payment intermediaries.

Since then, India has emerged as one of the stricter jurisdictions globally in terms of card authentication norms, particularly with its mandatory two-factor requirement for domestic transactions.

The present forex card episode is far smaller in magnitude. Yet it shows a persistent challenge: global interoperability means that domestic security standards can be diluted when transactions are processed in jurisdictions with weaker authentication requirements.

The Cross-Border Security Challenge

Forex cards are designed for international usability. Their core appeal lies in seamless cross-border acceptance. However, that very feature exposes them to varying regulatory and authentication standards across markets.

As outbound travel and international online spending grow among Indian consumers, cross-border card exposure naturally increases. Fraud patterns often shift toward markets where authentication barriers are lower.

This creates a delicate balance for banks: enabling frictionless global usage while maintaining robust security. 

The Yes Bank incident illustrates the operational complexity of that balance.

The Last Bit, 

For now, Yes Bank maintains that affected customers will be fully protected through chargeback mechanisms and that monitoring controls have been strengthened.

The RBI’s review will likely determine whether additional supervisory directions or system-level advisories follow.

Even if financially contained, the episode reinforces a broader reality in digital finance: cybersecurity risks evolve quickly, and cross-border payment systems operate at the intersection of uneven global standards.

For banks expanding fintech partnerships and prepaid card offerings, authentication asymmetries across jurisdictions remain an ongoing structural risk — one that requires constant monitoring, adaptive controls, and regulatory coordination.