# IDRBT & Procurement — The Expertise Gap

**Last updated:** 2026-06-08
**Files:** `IDRBT/angular-app/IDRBT-PROCUREMENT.md`

## IDRBT Literally Wrote the Book on Procurement

In 2015, IDRBT published a 32-page handbook titled **"IT Vendor Management: Principles & Practices"** (ITVM_Final.pdf). The foreword was written by then-Director Dr. A.S. Ramasastri. The handbook was authored by:

- **Dr. G.R. Gangadharan** — Assistant Professor, IDRBT
- **Shri B. Shandilya** — Senior Domain Expert, IDRBT

This document is a comprehensive procurement manual meant for the Indian banking sector. The principles it lays out are compared below against what IDRBT actually did for the .bank.in portal.

### What the Handbook Says vs What IDRBT Did

| Principle from IDRBT's Own Handbook | What IDRBT Did for .bank.in |
|---|---|
| "Global/open tender for purchases above cut-off amount" | **No tender found** — no open, limited, or single tender publicly traceable |
| "Notice inviting tender must be given wide publicity — at least one national daily and bank's website" | **Zero public notice** — no advertisement, no website posting |
| "Financial and technical capabilities must be evaluated" | IKCON: 6-year-old company with **zero prior banking application development** projects |
| "A purchase manual approved by board must exist and be followed" | Either no purchase manual or manual was bypassed |
| "Deviation from laid down procedures must be documented with logical reasons" | **No documentation** of procurement decision publicly available |
| "Requirements must be need-based, not want/wish/fancy" | Portal cost ~₹4.7 crore in domain fees alone — portal development cost unknown |
| "Single tender only in exceptional cases with recorded justification" | Single-source to IKCON with no documented justification visible |
| "Empanelment of vendors must be through open/global tender" | No empanelment process found for software development vendors |
| "Proof of Concept recommended before large projects" | No evidence of a PoC; test domains (ikcontest-aug12.bank.in) appearing in production billing data suggest testing was done in production rather than in a separate PoC |

## Procurement Pattern Analysis

### IDRBT's Published Tenders (2020-2026)

From IDRBT's own tender archives (90+ entries), here is an approximate categorization:

| Category | Count | Examples |
|---|---|---|
| Hardware procurement | ~30 | Servers, desktops, laptops, switches, HSM |
| Infrastructure/civil works | ~20 | Renovation, painting, electrical, solar, kitchen |
| Software licenses (renewal) | ~10 | MySQL, RHEL, VMware, WebEx |
| AMC/maintenance | ~10 | Network devices, facility management |
| Security audit/VAPT | ~3 | VAPT, CERT-In audit |
| Catering/security/electrical services | ~8 | Facility services tenders |
| **Custom software development** | **0** | **No tender found in the archive for any custom-built application** |

IDRBT operates multiple digital systems:
- **IBCART 3.0** (sachet.idrbt.ac.in) — Bankruptcy filing portal
- **Domain Registrar** (registrar.idrbt.ac.in) — .bank.in/.fin.in registry
- **Certifying Authority** (idrbtca.org.in) — DSC issuance
- **Staff Mail** (pravah.idrbt.ac.in) — Internal email
- **Hunar** (hunar.idrbt.ac.in) — Training registration

**None of these have any associated public tender for their development.**

### What IDRBT DOES Tender Competitively

When IDRBT needs something standard, it runs a proper process through GeM, MSTC, or a published RFP:

| Tender | Platform | Process |
|---|---|---|
| "Supply, Installation and Maintenance of Web Application Firewall and Load Balancer" | IDRBT website | Detailed RFP published |
| "Hardware Security Modules (Network HSM)" | MSTC ecommerce | Pre-bid meeting, corrigendums |
| "Annual Maintenance Contract of Network devices" | GeM | GeM bid number in tender notice |
| "Supply, Installation and Maintenance of GPU Server and 2 Laptops" | GeM | Open competitive bidding |

These properly tendered procurements are all for **off-the-shelf hardware or software licenses**. None are for **custom software development**.

## The Critical Gap

No public tender by IDRBT for custom software development could be found. Every digital system it operates appears to have been developed either:

1. **In-house** by IDRBT's own IT team (under Chief Technology Officer Dr. Abhishek Thakur)
2. **Single-source** awarded to a vendor without competitive bidding
3. **Through a "limited RFP"** process with no public visibility

The .bank.in portal — arguably IDRBT's most critical public-facing digital infrastructure, handling bank identity verification for an RBI-mandated security initiative — was procured through a process that:

- Violates IDRBT's own published procurement principles
- Left no public audit trail
- Selected a vendor with zero relevant prior experience
- Resulted in 26 unauthenticated API endpoints leaking 5,576 user records
- Cost banks ~₹4.7 crore in domain fees with no visible security compliance framework

## Why This Happened

The most likely explanation is not corruption but **capability gap**:

1. IDRBT is primarily a **research and training institute**, not a software development shop. Their core expertise is banking technology research, not procurement of large-scale software systems.

2. The IT team (led by Dr. Abhishek Thakur, CTO) is likely sized and skilled for **infrastructure maintenance** (servers, networks, security), not for managing a multi-vendor competitive software development procurement.

3. The compressed timeline (RBI announcement Feb 2025 → launch Apr 2025) made proper procurement impossible — an open tender would take 3-6 months minimum.

4. The path of least resistance was to find a vendor who could deliver quickly. IKCON was already working with IDRBT on cooperative bank advisory (domain migration guidance), making them the obvious choice for a timeline-constrained project.

## The Irony

IDRBT published a vendor management handbook teaching banks how to procure IT. They then failed to follow their own teachings for their highest-profile IT project. The handbook itself warns:

> "If the buyer knows neither his/her requirements nor about vendors' capabilities or products, then the IT project is certain to fail."

The .bank.in portal is operational, but the security gaps documented in this investigation suggest the project has indeed failed on its core promise: providing a trustworthy, secure domain infrastructure for Indian banking.
