# IDRBT Portal Timeline -- Built Before Procurement

**Compiled:** 2026-06-08

## Executive Summary

The evidence strongly indicates that the .bank.in domain registration portal was **built and deployed to production before formal procurement processes were completed**, and certainly before IKCON was formally on-boarded as a department in the portal's own database.

## Timeline: The Gap Between Reality and Process

### Phase 1: Pre-Announcement (Late 2024)

- **Late 2024**: RBI internally decides on .bank.in initiative. IDRBT, as RBI's technology arm, begins work on the portal.
- **No evidence of any public RFP, EOI, or tender notice** for the development of the portal appearing before or during this period.
- IDRBT's publicly listed tenders for 2024-25 show only: HSM procurement, server procurement, revamping IT infrastructure, solar systems, renovation work, and auditor empanelment. **No software development tender.**

### Phase 2: Policy Launch (Feb 2025)

- **Feb 7, 2025**: RBI Governor Sanjay Malhotra announces .bank.in in the "Statement on Developmental and Regulatory Policies" -- one paragraph, no technical details.
- **Feb 21, 2025**: TOI article quotes IDRBT Director Dr. Deepak Kumar: portal will pilot Feb 24 with 20 banks, launch April 2025.
- **Feb 24 - Mar 7, 2025**: Pilot runs with 20 major banks.

**Key inference:** For a pilot to run on Feb 24, the portal must have been functional by at least mid-February 2025. That means the Angular application with DSC integration, SBI ePay, NIXI integration, JWT auth, 70+ routes, and 150+ API endpoints was **already built and deployed**.

### Phase 3: Formal Launch (Apr 2025)

- **April 22, 2025**: RBI circular (RBI/2025-26/28) officially mandates migration to .bank.in by Oct 31, 2025. Circular is 3 paragraphs and specifies **zero** technical security requirements.

### Phase 4: IKCON Formalized (Jun 2025) -- The Smoking Gun

- **June 20, 2025**: First invoice created in the billing system (Admin department modified this date).
- **June 25, 2025**: IKCON department formally created in the portal database.
  - Created by: `venkatesh.udaru@ikcontech.com` (IKCON employee)
  - Department code: "00000" -- the FIRST/PRIVILEGED department slot
  - This is **4 months after the portal was already operational** (Feb pilot)
- **Dec 3, 2025**: IKCON department deactivated (5 months after creation).

**Implication:** IKCON was added as a department to manage a system that was already built and running. The "00000" department code suggests it was inserted as the first privileged department, possibly to grant IKCON employees administrative access to the existing system.

### Phase 5: Operation & Migration (Jun 2025 - Jun 2026)

- 1,497 unique .bank.in domains registered
- 1,122 organizations billed (total ~Rs 4.7 crore)
- 100 test/UAT domains in the production database alongside real banks
- Portal still showing "envName: UAT" in production configuration

## Smoking Guns

### 1. The Department Gap (4 Months)

```
[Feb 24, 2025] Portal pilot launches with 20 banks
                                         [Jun 25, 2025] IKCON dept created
                                         [Dec 3, 2025] IKCON dept deactivated
    |------------------------------------|----------------------|
    0                                   4 months               ~11 months
```

The portal was operational for **4 months** before IKCON formally existed in its database.

### 2. No Public Tender

IDRBT's published tender archive covers 2020-2027 and includes:
- WAF and Load Balancer procurement
- HSM (Hardware Security Module) procurement
- Server and desktop procurement
- Renovation and construction contracts
- VAPT of IT infrastructure
- Auditor empanelment

**No tender for:**
- "Software development"
- "Web portal development"
- "Domain registration portal"
- "Application development" or any similar category

The closest match is the VAPT (Vulnerability Assessment and Penetration Testing) tender from April 2026 -- conducted over a year after the portal was already live.

### 3. IKCON's First User Had OrgId=605

The earliest IKCON user in the system has email `1977mahesh@ikcon.com` and is assigned to **Organisation ID 605**. This is NOT orgId=0 (Super Admin/global). It means the first IKCON user was set up as an employee of a SPECIFIC organisation -- not as a global administrator. The Super Admin access (orgId=0) was granted later through the "00000" department code.

### 4. Production Configuration = UAT

The production Angular environment file still has:
- `envName: "UAT"` -- identifies as UAT in production
- `disabledUat: "fff"` -- UAT configuration flag

This is not just a cosmetic issue -- it means the production deployment was never cleanly separated from the development/UAT configuration.

### 5. 100 Test Domains in Production Billing

The production billing dataset contains 100 test/UAT domain registrations interleaved with real bank data:
- `sbiuat.bank.in`, `hdfcuat.bank.in`, `iciciuat.bank.in` -- UAT versions of major banks
- `ikcontest-aug12.bank.in` -- IKCON's own test domain
- `testhana.bank.in`, `datatest98.bank.in`, `test16may.bank.in`, `testtest23.bank.in` -- generic tests
- `pollp.bank.in`, `devgadurban.bank.in`, `devigayatri.bank.in` -- miscellaneous

### 6. Wayback Machine Gap

The Wayback Machine's first capture of the portal is **August 8, 2025** -- 6 months after the Feb pilot, 4 months after the Apr launch. While this could indicate the site wasn't crawled earlier, it's also consistent with the portal initially being hosted on a different (possibly temporary) infrastructure.

## Summary

The timeline gap between operational launch (Feb 2025) and formal vendor on-boarding (Jun 2025) is **approximately 4 months**. During this period, the portal was built, piloted with 20 banks, and officially launched -- all before IKCON was formally added as a department with department code "00000".

This pattern is consistent with:
1. A rushed implementation driven by RBI's policy deadline
2. Informal vendor selection (the contractor worked on the system first, formalized later)
3. No competitive tender process
4. Post-hoc legitimization of an existing arrangement

The practical consequence: critical security gates (penetration testing, code review, vendor assessment, security requirements specification) were either skipped entirely or performed after the system was already in production.