Fresh Trouble for Yes Bank: RBI Probes ₹2.5 Cr Forex Card Fraud and Data Breach Amid Court Heat

The Reserve Bank of India (RBI) has summoned senior officials of Yes Bank after the recent data breach involving the bank's co-branded multi-currency forex card issued in partnership with BookMyForex.

This comes after the private lender on Thursday informed that card details, including CVV numbers of several customers, were allegedly compromised. According to Yes Bank, fraudulent transactions worth more than ₹2.5 crore were approved on behalf of nearly 5,000 customers on Tuesday, February 24.

The bank said it also blocked 688 unauthorised transaction attempts, preventing additional losses of around ₹90 lakh. Yes Bank is working closely with the card network to initiate chargebacks to ensure affected customers do not suffer financial losses, according to an exchange filing.

Where Did the Fraud Originate?

The lender added that the fraudulent transactions were attempted on specific Bank Identification Numbers (BINs) and originated from a Latin American country where two-factor authentication is not mandatory for online transactions.

"These fraudulent transactions were carried out on 15 merchants that are based out of Latin American Country," the bank said without specifying the name of the country.

As a precaution, Yes Bank has restricted e-commerce transactions originating from that region.

BookMyForex, meanwhile, clarified that it does not store customers' sensitive card details such as CVVs and maintained that its systems were neither breached nor compromised during the period in question.

What RBI Is Investigating?

The RBI has sought a detailed explanation from Yes Bank on how sensitive card data was stored and protected, whether encryption and mandated cybersecurity protocols were followed, and why existing safeguards failed to prevent the breach, Economic Times reported.

The central bank is also examining the timeline of detection and reporting, the extent of customer impact, the steps taken to block compromised cards and limit losses, as well as the bank's oversight of third-party service providers. According to the report, the regulator has additionally asked for clarity on internal accountability and the corrective measures being implemented to prevent a recurrence, according to reports.

Ongoing Legal Battle Over AT1 Bonds

The latest development comes at a time when Yes Bank is already facing legal scrutiny. The Supreme Court of India is scheduled to hear petitions challenging a 2023 ruling by the Bombay High Court that struck down the bank's decision to write off Additional Tier 1 (AT1) bonds in March 2020.

The write-off, amounting to about ₹8,400 crore, was carried out as part of an RBI-led rescue plan after Yes Bank ran into severe financial distress due to mounting bad loans and governance concerns.

Under that resolution plan, AT1 bondholders were fully written down before equity investors faced similar losses. Bondholders challenged the move in the Bombay High Court, which ruled in their favour. Yes Bank and the RBI appealed the decision, and the matter has been pending before the Supreme Court since 2023.

If the verdict ultimately goes against the bank, Yes Bank could be required to repay bondholders in full along with 9% annual interest from the date of the write-off. Beyond the immediate financial implications, the ruling is expected to have wider consequences for how regulatory capital instruments are treated during bank rescues.

Point to note: Following its 2020 rescue, a consortium of lenders led by the State Bank of India had infused capital into Yes Bank. Other participating banks included Axis Bank, HDFC Bank and ICICI Bank.

In late 2025, Japan's Sumitomo Mitsui Banking Corporation (SMBC) acquired a 24% stake in Yes Bank in a deal valued at over $1.9 billion. The acquisition involved share sales by SBI and other lenders after the mandatory lock-in period ended.

With the bank having stabilised its balance sheet and returned to profitability in recent quarters, the original rescuing lenders had gradually reduced their holdings. However, the latest cybersecurity incident has once again placed Yes Bank under intense regulatory scrutiny.