Welcome to the 201st edition of The Pattern, a weekly newsletter on the latest in finance, technology, and the economy. 

I want to talk about something that happened this week that hasn't gotten nearly enough attention from the lending industry. 

Finance Minister Nirmala Sitharaman called heads of banks into a room to discuss the risks that AI poses to the financial sector. The meeting included RBI officials and MeitY. Banks were told to assess the risks and take pre-emptive measures to ensure their systems don't get compromised. This wasn’t a seminar. The FM doesn't pull bank CEOs away from earnings season for a theoretical conversation. So what's going on? 

The trigger 

On April 7, Anthropic launched an AI model called Mythos — built for defensive cybersecurity — that can autonomously discover and exploit zero-day software vulnerabilities. During its preview, it found thousands of high-severity flaws in every major operating system and every major web browser. It builds working exploits on 83% of first attempts, and can chain them together— it finds one vulnerability, and uses it to get to the next one.

The response from regulators has been fast. Over the past fortnight, RBI officials have held consultations on Mythos-related risks with counterparts at the US Federal Reserve and the Bank of England. Japan's financial watchdog met banks the same week. Australia's central bank said it's monitoring the situation. Four central banks responded to the same model within two weeks of its launch. That should tell you something. 

Why this is a lending story 
Most of the coverage so far is framing this as a tech or cybersecurity story. Fair enough. But if you work in Indian lending, this one's yours too. 

Think about what happened to credit infrastructure over the last few years. UPI, Account Aggregator, digital lending apps, credit-on-UPI, co-lending platforms — the systems that move money and data between borrowers, lenders, and regulators now run on software. And that software was built to defend against humans. Not against something that can find and exploit thousands of vulnerabilities on its own. 

In Edition #187, I wrote about how fraud had evolved — from individual scams to automated, synthetic attacks targeting borrowers. Forged identities, credit washing, bust-outs. That was about the edges of the system: onboarding, identity, the points where a borrower enters the lending chain. 

Mythos is about the centre. The operating systems. The payment rails. The core banking platforms that everything runs on. Edition #187 was about bad actors pretending to be borrowers. This is about bad actors going after the systems that process every borrower's data and money.  

What the regulator is doing — and why it's complicated 

The RBI's instinct is right. NPCI is trying to secure early access to Mythos alongside a small number of banks, to identify vulnerabilities and day-zero cyber risks in India's payment infrastructure before anyone else does. 

But there's a catch. Mythos is hosted on strictly controlled servers in the US, and running tests on Indian data in foreign jurisdictions could prove challenging. RBI's 2018 data localisation rule requires all payment data to be stored exclusively on servers in India. The very framework India built to protect its financial data now stands between the regulator and the tool it needs to test that data's defences. 

The RBI is also preparing broader guidelines for how banks enter enterprise partnerships with advanced AI models and will insist that any analytics involving Indian customer data complies with domestic data localisation. This is new regulatory territory — nobody's had to figure out what to do when AI can pick apart your own infrastructure before your security team has had their morning coffee. 

The planning question 

Meanwhile, banks are spending heavily on tech — but the question is what kind. HDFC Bank's management said on its Q4 earnings call last week that tech investments have more than quadrupled to around $1 billion, and the bank has built an AI platform with five use cases in production and fourteen in development. That's one bank. They're all doing this — AI platforms, digital products, customer-facing automation. 

But how much of that spend is going toward defending against AI-speed attacks on the foundations those products run on? 

That's the gap Wednesday's meeting was about. If you're running a lending platform today — bank, NBFC, fintech — the race to find vulnerabilities in your own systems just got a new competitor. And it works faster than anyone you can hire. 

Reading list: 

1. India’s home loan boom runs into a paperwork wall. 

2. RBI highlights mixed economic trends in India as West Asia crisis impacts demand, supply 

3. Indian rupee’s big swings under Central Bank Chief Malhotra’s watch 

4. Gold loan fintech companies build own loan books as RBI tightens norms 

 
Thank you for reading. If you liked this edition, forward it to your friends, peers, and colleagues. You can also connect with me on X here and follow FinBox on LinkedIn to get the latest updates. 

See you next week.   

Cheers,
Mayank