India's Banking Technology Vendor Lock-In Problem Is Getting Worse
When the National Payments Corporation of India experienced a brief UPI processing disruption in January 2026, the ripple effect was immediate. Banks that had built their entire payment infrastructure on NPCI’s rails had no fallback. Customers couldn’t transact for roughly 40 minutes during peak hours.
The incident was contained quickly, but it exposed a deeper structural issue: concentration risk. Too many banks depend on too few technology providers, and that dependence is getting harder to unwind.
The Core Banking Bottleneck
India’s scheduled commercial banks overwhelmingly run on a small number of core banking solutions. Infosys Finacle and TCS BaNCS together power the majority of public sector and large private sector banks. Oracle’s Flexcube holds a smaller share. A few newer banks run on cloud-native platforms, but they remain exceptions.
These are proven platforms with decades of development. The problem is what happens around them. Core banking systems become deeply embedded in every bank function — deposits, lending, compliance reporting, customer management, treasury operations. Once a bank is running on Finacle, switching to BaNCS is a multi-year, multi-hundred-crore project with significant operational risk. In practice, it almost never happens.
This creates a vendor relationship where the vendor holds structural power. Licence renewals, upgrade timelines, integration pricing — the bank’s negotiating position weakens with each year of dependence.
The Fintech Layer Compounds It
On top of core banking, banks have added fintech partnerships for digital onboarding, video KYC, payment processing, loan origination, fraud detection, and wealth management. Each partnership creates another dependency.
Unlike core banking vendors, many fintech partners are startups with limited track records. If a fintech partner fails, pivots its business model, or gets acquired, the bank faces a sudden integration gap. The acquisition pattern in Indian fintech is intensifying this risk — when a large company acquires a fintech provider, the acquiring company’s priorities may not align with the bank’s needs.
Cloud Migration Creates New Dependencies
Cloud migration is supposed to reduce vendor lock-in by making infrastructure more modular. In theory, a bank running on AWS can more easily swap out application components than one running proprietary on-premises systems.
In practice, cloud migration creates new forms of lock-in. Banks that build extensively on AWS-specific services find it difficult to move workloads to Azure or Google Cloud. The infrastructure may be rented rather than owned, but the dependencies are just as sticky.
Some banks are working with specialists in this space to develop multi-cloud strategies and avoid deep dependency on a single cloud provider. But multi-cloud adds operational complexity and requires sophisticated architecture decisions that many banks aren’t equipped to make independently.
The RBI’s 2025 guidance on cloud adoption emphasises that banks should maintain the ability to migrate between providers. But maintaining that ability in practice requires deliberate architectural choices from the start.
NPCI: Critical Infrastructure, Single Point
The UPI ecosystem presents the most concentrated technology risk in Indian banking. NPCI operates as a single entity managing the backbone infrastructure for UPI, IMPS, RuPay, and several other payment systems.
NPCI has been remarkably reliable, and its technology team is among the best in Indian financial infrastructure. But reliability isn’t the same as resilience. A systemic failure — whether from a cyberattack, software bug, or infrastructure failure — would affect virtually every bank and financial institution simultaneously.
The RBI directed NPCI in 2024 to create backup arrangements and develop contingency plans for extended outages. But a true alternative for UPI processing doesn’t exist, and building one would take years.
What Should Change
Vendor concentration reporting. Banks should report technology vendor dependencies to the RBI as part of regular supervisory submissions, giving the regulator visibility into systemic concentration patterns.
Interoperability standards. The RBI could mandate that core banking and critical fintech systems support standard APIs and data formats, making vendor switches more feasible. India’s Account Aggregator framework demonstrates that interoperability mandates can work.
Stress testing for vendor failure. Banks should be required to stress-test for critical technology vendor failures — what happens if your core banking vendor can’t deliver updates for six months, or your fraud detection partner goes offline?
Technology vendor lock-in isn’t unique to Indian banking. But the speed of India’s digital banking transformation has compressed the timeline. Banks that might have gradually diversified dependencies over a decade have instead built deep, concentrated ones in just a few years. The first step is honest assessment. The second is acting before a major vendor failure forces the issue.