Rebuilding Confidence in BFSI: How cybersecurity can move beyond compliance and into trust
October 31, 2025
7 minutes read
- Trust and compliance measure different outcomes. Most BFSI institutions only track compliance and assume trust follows. It doesn’t.
- Younger customers don’t start neutral with banks anymore. They assume disappointment is inevitable based on past institutional responses to breaches.
- Certifications prove you passed an audit at one point in time. They don’t prove customers should trust you today.
Think about banking before digitization. “Trust” was the original product banks sold. Not loans. Not accounts. Trust. The promise that your money was safer with them than under your mattress.
That promise held for decades because it was backed by people you could see, branches you could visit, relationships you could rely on.
Digital transformation brought enormous benefits: 24/7 access, global reach, faster transactions, services that would’ve been impossible in the branch-only era. But it changed the trust equation. As we moved relationships online and automated processes, the personal connection that originally built confidence got replaced by different mechanisms. Call centers instead of familiar faces. Legal language instead of plain conversation. Efficiency instead of relationship.
The industry response was to point at compliance. Look at our certifications. See our audit results. We meet every regulatory requirement. As if regulatory approval and customer trust were the same thing.
If I were to sum everything up,
“BFSI found itself optimizing for two different outcomes. Regulatory frameworks pushed us toward certifications and compliance metrics. Customer expectations pulled us toward transparency and plain communication. The industry allocated more resources to regulatory compliance because those requirements came with defined standards and measurable outcomes, expecting trust to develop organically alongside compliance. The two didn’t correlate as assumed.”
I’ve watched this play out over two decades, first at HDFC Bank managing fraud risk verticals, then building Difenz, and now at Signzy working with 540+ institutions. The pattern repeats: institutions demonstrate strong compliance execution through rigorous audit performance, yet customer trust demands additional capabilities beyond regulatory adherence.
We are finally seeing signs of migration towards alternatives like Peer-to-Peer lending (P2P), Buy Now Pay Later (BNPL), Digital Lending Apps (DLAs) and more, which operate on different principles.
I am going to start by sharing a little about me before explaining the scale of the problem.
State of BFSI industry: People now want honesty more than they want perfection
Banking trust among 16-24 year-olds dropped from 44% in 2024 to 32% in 2025. That 12-point drop in one year matters more than it looks.
This demographic won’t start neutral with traditional banks anymore.
The data leakage concern isn’t abstract for them. They watched enough breaches play out the same way. The institution gets compromised, goes quiet for weeks while legal reviews everything, then releases statements that say almost nothing.
During my time at previous organizations, implementing a single new security rule took 30-60 days minimum. By the time we responded to emerging threats, customer perception had already shifted. That operational lag between identifying risks and addressing them is what taught younger customers not to trust institutional responses.
And now 61% of consumers consider trustworthy information more crucial than service speed or convenience. That number honestly surprised me. Customers would rather have clarity than efficiency. The growth of DLAs proves this point.
Customers deserve both efficiency and transparency, yet it seems they have lowered their expectations, which is not a good sign. Even now, when something goes wrong, the default response is still minimal disclosure and maximum legal review.
Closing the trust gap without abandoning compliance
Compliance isn’t going away, and it shouldn’t. Regulatory frameworks exist for good reasons. But meeting compliance requirements and earning customer trust aren’t the same thing, and pretending they are is why we’re in this position.
1. Run two scorecards: One for regulators, one for customers
Regulatory metrics matter. They prove you’re meeting baseline requirements and managing risk appropriately. But they don’t tell you whether customers trust you, and most institutions only track what auditors ask for.
- For regulators, track: Audit findings closed, framework maturity levels, certification timelines, examination results, control testing completion. These demonstrate compliance with regulatory standards and show you’re managing institutional risk properly.
- For customers, track: How fast you detect compromised accounts, how long it takes to give clear answers about incidents, whether customers understand what your security protects, if they’d recommend you after experiencing your incident response. These indicate whether your security program translates into actual confidence.
Most institutions built one scorecard and assumed the other would follow. The gap between them is where credibility gets lost.
2. Replace compliance narratives with demonstrable security
Compliance frameworks serve their purpose. They create baseline standards and ensure institutions meet regulatory requirements. But certifications prove you passed an audit at a specific point in time. They don’t prove customers should trust you today, especially after watching certified institutions fumble breaches and go silent.
Instead, show the actual work rather than just pointing to badges. Let customers see real-time security activity on their accounts. Explain what controls protect their data in language that makes sense.
3. Let customers opt into more security visibility
Security operations have always run in the background. Monitoring, blocking threats, managing access. Most customers never see any of it until something breaks. That approach worked when trust was higher. Now it creates questions about what you might be hiding.
The solution is giving customers options.
- Build dashboards showing login locations and devices accessing accounts.
- Send notifications about unusual activity patterns.
- Provide visibility into what data exists where and who’s accessed it recently.
- Take the same indicators your SOC monitors and translate them into understandable terms.
These are just off-the-top-of-my-head suggestions; you can always find and experiment with more.
Most importantly, if I were to implement it, I would keep it opt-in, so you’re not overwhelming people who prefer simplicity, but it’s available for customers who want to verify your protection instead of just accepting claims.
Offering that visibility demonstrates confidence in your systems.
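To make the last two bullets concrete, here is an added example (not code from this post, from Signzy or from any bank) of translating internal login indicators into opt-in, customer-facing output. The event records, device identifiers, indicator names, thresholds and message wording are all constructed for illustration; a real deployment would feed this from its own SOC rules and authentication logs.

```python
"""Translate SOC-style login indicators into opt-in, customer-facing messages.

Added example, not Signzy's or the author's code. Every event, device id,
indicator code, threshold and sentence below is constructed for illustration.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    account: str
    ts: datetime
    device_id: str   # assumed stable per-device identifier issued by the app
    country: str
    city: str
    success: bool


@dataclass
class Preferences:
    """Opt-in switches: extra visibility is off unless the customer enables it."""
    show_dashboard: bool = False
    notify_unusual: bool = False


# Left side: what an internal detection rule emits. Right side: what the
# customer reads. Keeping them next to each other is the translation step.
PLAIN_LANGUAGE: Dict[str, str] = {
    "NEW_DEVICE": "A device we have not seen before signed in to your account from "
                  "{city}, {country} on {when}.",
    "NEW_COUNTRY": "Your account was accessed from {country} on {when}; we had not "
                   "seen a sign-in from that country on your account before.",
    "FAILED_BURST": "{n} failed sign-in attempts from {city}, {country} within "
                    "{minutes} minutes on {when}. None of them got in.",
}

FAILED_BURST_THRESHOLD = 3            # constructed threshold
FAILED_BURST_WINDOW = timedelta(minutes=10)

Finding = Tuple[str, LoginEvent, Dict[str, int]]


def build_baseline(history: List[LoginEvent]) -> Tuple[Set[str], Set[str]]:
    """Known devices and countries come only from successful sign-ins."""
    devices = {e.device_id for e in history if e.success}
    countries = {e.country for e in history if e.success}
    return devices, countries


def detect(baseline: Tuple[Set[str], Set[str]], recent: List[LoginEvent]) -> List[Finding]:
    """Run the three constructed rules over recent events in time order."""
    known_devices, known_countries = set(baseline[0]), set(baseline[1])
    findings: List[Finding] = []
    failures: List[LoginEvent] = []
    for e in sorted(recent, key=lambda x: x.ts):
        if e.success:
            if e.device_id not in known_devices:
                findings.append(("NEW_DEVICE", e, {}))
                known_devices.add(e.device_id)   # report a new device once
            if e.country not in known_countries:
                findings.append(("NEW_COUNTRY", e, {}))
                known_countries.add(e.country)
        else:
            # Failed attempts never extend the baseline; they only feed burst detection.
            failures = [f for f in failures if e.ts - f.ts <= FAILED_BURST_WINDOW]
            failures.append(e)
            if len(failures) >= FAILED_BURST_THRESHOLD:
                span = failures[-1].ts - failures[0].ts
                minutes = max(1, math.ceil(span.total_seconds() / 60))
                findings.append(("FAILED_BURST", e, {"n": len(failures), "minutes": minutes}))
                failures = []   # reset so a continuing burst is reported again, not re-counted
    return findings


def render_notifications(findings: List[Finding], prefs: Preferences) -> List[str]:
    """Customer wording for each finding, only if the customer opted in."""
    if not prefs.notify_unusual:
        return []
    out = []
    for code, e, extra in findings:
        when = e.ts.strftime("%d %b %Y %H:%M UTC")
        out.append(PLAIN_LANGUAGE[code].format(city=e.city, country=e.country, when=when, **extra))
    return out


def render_dashboard(recent: List[LoginEvent], prefs: Preferences) -> Optional[List[Dict[str, str]]]:
    """Recent successful sign-ins for this one account (newest first), or None if not opted in."""
    if not prefs.show_dashboard:
        return None
    rows = []
    for e in sorted((x for x in recent if x.success), key=lambda x: x.ts, reverse=True):
        rows.append({"when": e.ts.isoformat(), "device": e.device_id,
                     "location": f"{e.city}, {e.country}"})
    return rows


# Constructed sample data for one account.
HISTORY = [
    LoginEvent("acct-001", datetime(2025, 9, d, 9, 0), "ios-aabb", "India", "Mumbai", True)
    for d in (1, 10, 20)
]
RECENT = [
    LoginEvent("acct-001", datetime(2025, 10, 2, 8, 15), "ios-aabb", "India", "Mumbai", True),
    LoginEvent("acct-001", datetime(2025, 10, 5, 2, 0), "android-eeff", "Nigeria", "Lagos", False),
    LoginEvent("acct-001", datetime(2025, 10, 5, 2, 3), "android-eeff", "Nigeria", "Lagos", False),
    LoginEvent("acct-001", datetime(2025, 10, 5, 2, 5), "android-eeff", "Nigeria", "Lagos", False),
    LoginEvent("acct-001", datetime(2025, 10, 7, 19, 40), "win-ccdd", "Germany", "Frankfurt", True),
]

if __name__ == "__main__":
    found = detect(build_baseline(HISTORY), RECENT)
    for msg in render_notifications(found, Preferences(notify_unusual=True)):
        print(msg)
    for row in render_dashboard(RECENT, Preferences(show_dashboard=True)) or []:
        print(row)
```

Two choices carry the point of the section: both switches in `Preferences` default to off, so nobody gets this unless they ask for it, and the dashboard only ever lists the customer's own account, so the bank shows what protects that customer's data without describing its wider infrastructure.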
I’m actually optimistic
Not because technology improved or regulations got better. I’m optimistic because the gap between compliance and trust is finally visible. A few institutions are proving this approach works. The blueprint exists. What’s needed is execution.
Working with hundreds of institutions at Signzy has shown me both ends of this spectrum. The banks rebuilding trust aren’t the most technically sophisticated. They’re the ones that stopped optimizing for audit scores and started communicating clearly. After Signzy acquired Difenz in 2024, that vantage point became even clearer. I see which institutions treat security as something they do with customers, not to them.
Thanks for sticking with me. I sat down after a long time and just poured out what’s been on my mind about this trust gap we’ve created. Felt overdue.
Continue reading…
If you liked reading my perspective and want to dig deeper, here’s what’s been sitting on my desk:
- How Building and Sustaining Trust Has Become Paramount in the Digital Age by The Financial Brand – Study revealing 61% of consumers prioritize trustworthy information; explores why transparency became non-negotiable.
- India’s Digital Threat Report 2024 (CERT-In, CSIRT-Fin, SISA) – Comprehensive view of what institutions are actually facing on cybersecurity.
- Thales Digital Trust Index 2025 – Consumer expectations around data privacy and what actually drives trust. The generational divide in banking trust is striking.
FAQs
What's the main difference between compliance and customer trust in BFSI?
Compliance proves you meet regulatory standards at a point in time. Customer trust proves people believe you’ll protect their money and be honest when things go wrong. One satisfies auditors, the other determines whether customers stay.
Why are younger customers leaving traditional banks?
They’ve watched certified institutions fumble breaches and respond with vague legal statements. They assume disappointment is inevitable with traditional banks and are choosing alternatives like crypto, BNPL, and P2P lending that operate with different transparency principles.
How can banks make security more transparent without exposing vulnerabilities?
Show customers what protections exist for their specific data, not your entire infrastructure. Let them see login locations, access patterns, and what’s being monitored. Transparency about customer-facing security builds confidence without revealing attack surfaces.
Is Signzy compliant with financial regulations?
Yes. Signzy is ISO 27001 certified and SOC 2 compliant, meeting internationally recognized standards for information security management and data protection. The platform operates within regulatory frameworks across multiple jurisdictions.
What does Signzy do for BFSI institutions?
Signzy provides identity verification, KYC, KYB automation, and document authentication solutions for financial institutions globally. Working with 540+ institutions across 180+ countries, the platform helps BFSI institutions streamline regulatory compliance so institutions can focus on building customer trust and other important tasks.