From Legacy Cores to Agentic AI: What’s Really Holding Indian BFSI Back

India’s BFSI sector stands at an inflexion point: fintechs are racing ahead in AI adoption while traditional banks tread carefully, weighed down by legacy core systems, fragmented data, and regulatory caution. Only 8% of Indian financial institutions have scaled AI with proper governance frameworks in place a gap that speaks less to reluctance and more to the sheer complexity of modernising decades-old infrastructure. David Porter, Managing Director, Financial Services at Genesys, has a front-row view of this transition, working with banks and insurers as they navigate everything from WhatsApp-led engagement to the compliance demands of India’s DPDP Act. In this conversation with CISO Forum, Porter unpacks why “rip and replace” isn’t always the answer, what production-ready AI governance actually requires, and how far Indian BFSI really is from autonomous resolution workflows.

CISO Forum: FinTechs are at 90% AI adoption for agent productivity — what’s the actual tech stack difference between them and legacy banks?

David Porter: FinTechs are competing with traditional legacy banks and non-banking licensed financial companies in many ways, and that sets the context for the adoption gap that follows.

You find that AI adoption follows a waterfall pattern. The highest adoption is within FinTechs. The next-highest is within non-banking licensed financial institutions. The lowest is within traditional banks.

Now, there are very clear reasons for that. There are historical reasons, size reasons, and, I don’t want to say cultural, but perhaps more conservative practices and more conservative layers of risk management within traditional banks, which, of course, is what we all want. We want to make sure our traditional banks are keeping everyone safe.

They have a duty of fiduciary care to their clients. They need to make sure everything is safe before it’s used. That means more time will be spent kicking the tyres to ensure new technological capabilities are suitable and appropriate for their clients and staff.

FinTechs have more freedom to move faster and experiment for a few reasons. One is that they tend to have founders and infrastructure that are newer to banking and a mindset of “Let’s test things, and let’s do it quickly.” They also tend to have much smaller customer bases, which makes it easier to try things.

And not only in India, but around the world, you see the same pattern.

CISO Forum: 69% cite fragmented data as their top barrier. Is this fundamentally a data architecture problem, or a systems integration problem?

David Porter: It is a problem associated primarily with legacy. Legacy means you’ve stitched together many core systems from different providers over the years to make them work, which creates the issue we are discussing.

There is a second issue: using data properly. Many of the latest AI tools are Ferraris, but a Ferrari needs good gasoline to run. AI tools need good, reliable data to run.

Most large financial services institutions have challenges with data dictionarying. That means understanding all the data fed to them by the disparate systems. Do they really understand whether something is an APR, or annual percentage rate, or an APY or annual percentage yield? Is it an ending balance or an average balance?

You have to have all of that data dictionarying complete to use the data and the tools. That takes time. It’s difficult. It’s hard work.

Those are the two primary reasons data is a challenge to swift AI adoption.

CISO Forum: The report shows that only 8% of Indian BFSI organisations have scaled AI with governance frameworks. What’s technically holding the other 92% back?

David Porter: There are a few reasons. First, there are existing platforms that are usually quite cheap and have been put together over the years to do a single thing well. The regulatory environment in India, as in many markets around the world, is cautious and has developed standards. Those standards must be met before a bank can adopt AI at scale, a process that can be difficult.

For example, disaster recovery. There are rules and regulations around it to ensure that platforms are set up and remain compliant.

The other reason is moving from experimentation. It’s easy for companies to set up QA environments, sandboxes, dev environments, and innovation garages—I hear all of these things. It’s quite easy to do that. Moving from those environments into production is really hard. Some stages have to be met: milestones, risk, audit, and compliance committees. It takes a long time to get out of that innovation environment and into production. So that is a challenge for everyone. Now, I think 8% will change fairly quickly over the next couple of years. I gave you three reasons: economic, regulatory, and the transition from dev environments into production.

CISO Forum: How does Genesys’s Experience Orchestration platform handle real-time data unification across core banking, CRM, and engagement layers simultaneously?

David Porter: Yeah. So first of all, you could stand back and say, “Well, what’s experience orchestration, right? What is that?”

Well, if you think of how you did business with your bank 10 or 15 years ago, there were really two ways you could do business. You could call your bank using the 1-800 numbers on a statement or the back of a credit card, or walk into the branch. That was it. Now, of course, you can do many different things. You can use those same channels, plus in-app messaging, WhatsApp, and texting, and there are so many ways to connect. Ensuring those capabilities are seamless, joined up, and work well together is experience orchestration. The beauty of the Genesys platform is that it’s an open-architecture platform, which means we can use all of our technologies with the bank to provide the solutions they might need in the client experience space.

However, many banks, of course, have different technology providers, whether it’s AWS providing a cloud platform, Salesforce, or ServiceNow providing different capabilities.

The unique aspect of our environment is that it’s built on an open architecture, and you can switch on these native integrations. That means you can configure a platform to give you full experience orchestration across these channels, and that is where the pieces come together.

CISO Forum: Only 36% of organisations are redesigning workflows for speed. What does that operational re-engineering actually look like at the infrastructure level?

David Porter: At an infrastructure level, it comes down to the fact that most large institutions and fintechs too use different providers for different things.

Your core banking platforms and deposit engines may come from one provider. Your wealth management brokerage engines may come from another. Your mortgage platform may be provided by somebody else. There are core engines that power the functionalities within a bank. Unless you’re a very small institution, these are all things you buy from other large technology providers.

At a large institution, a complex dispute could require multiple touchpoints, different channels, and distinct workflows to resolve. There are also workflows within systems. A mortgage can take a long time to resolve. As it flows through, multiple platforms can be impacted.

Re-designing these platforms to be more efficient and to work together more smoothly and effectively just takes time. And Banks are looking for less spaghetti anymore. They want lasagna. They want those workflows and platforms to work together in nice, digestible layers built to fit together. If you can excuse the Italian cooking term, that is the idea. It just takes time to build that.

CISO Forum: WhatsApp is expected to become the fastest-growing BFSI engagement channel at 73%. What does enterprise-grade, compliant WhatsApp integration technically require?

David Porter: First of all, it needs a relationship with WhatsApp that Genesys is very pleased to announce. I think we announced that a couple of weeks ago. I’m sure that the other folks on the call here can give you more details of that offline.

But I think, first of all, it needs that. That gives you kind of native integrations that will work.

The second thing it needs, though, is that folks can use WhatsApp in a kind of singular way. You can integrate Genesys with WhatsApp, so a banker can have a call, a text exchange, or even a video exchange with a client on a one-to-one basis. And that’s kind of legal and compliant because it’s recorded, etc. It now fits within the bank’s infrastructure.

To get to kind of even more mass adoption, though, individual touchpoints like that need to turn into more mass WhatsApp-driven campaigns, digital campaigns that kind of make sense. And there are business imperatives, I think, that will drive that.

So if you think of an outbound campaign—outbound in the sense of, say, collections—that are going to be very much campaign-led, I think, in the future.

And there’s a reason for that. If you think about how banks handle collections today, how many Gen Zers or millennials are going to answer their phones from an unknown number? Well, not very many, right?

So they expect to use WhatsApp because that’s a standard communication device.

If they want to do more with WhatsApp, they want the bank to send you a message explaining there’s an issue with your account, then call you, connect with you, and make sure they can fix the problem. That kind of digitally pre-announces a call.

So that type of process, I think, we’re going to see more and more of, and that’s what’s going to drive more adoption in that space.

CISO Forum: Insurance players cite 79% struggling with core system integration. Is ripping and replacing legacy infrastructure inevitable, or can Middleware Bridge the gap?

David Porter: It’s unlikely that middleware can bridge the gap because core insurance platforms are usually claims platforms. I mean, that’s the engine that drives insurance. It’s all about the claim.

Insurance can be a very conservative industry for obvious reasons. In many cases, these core claims platforms have been around for a long time, and middleware can make the output of those systems more flexible and more usable, but it can’t change the more basic operation of those platforms.

There are new providers out there offering core engine functionalities in the insurance space that are super interesting. I’m sure that in India they’re being looked at as well.

It’ll just take time. You don’t mess with your insurance. It needs to work well. It’s going to take some time.

But I think middleware is useful in the short run. But in the medium- to long-term, no, it can’t bridge the gap. There will need to be modernisation.

CISO Forum: With India’s DPDP Act tightening, how does Genesys architect AI models that stay compliant without degrading real-time performance?

David Porter: It’s a continual development process.

At Genesys, we view India’s Digital Personal Data Protection Act as a pragmatic step toward aligning data protection with global standards. With frameworks like the EU GDPR, we’ve already addressed many of these compliance areas. The DPDP’s shift away from rigid data localisation allows us to maintain agile, scalable cloud services while meeting regulatory expectations.

The AI we employ is either our own, sourced from other leaders in the space, or we test new approaches. So we have a very open-architecture approach to building new capabilities.

We then have a very stringent vetting process within our own environments. We then have a very stringent testing and QA process and work closely with regulators worldwide.

To support secure, compliant CX operations, we offer regional data storage via AWS, globally recognised security certifications including ISO/IEC 27001 and SOC 2, and contractual terms aligned with evolving regulations, including fixed customer-controlled data processing instructions. Even as the DPDP awaits full implementation, we are proactively adapting our governance to stay ahead.

That’s kind of in the development process.

We then find that if we want to introduce a piece of AI with a client who asks for it—that client could be from a highly regulated industry like banking, in a highly regulated market somewhere in the EU—we’ll have to go through a whole series of stages and steps with them and the regulators to ensure that other aspects of AI governance are all met.

So, of course, the beauty for us is that once we do that with one, the learnings don’t go away. They’re then kind of incorporated into other rollouts with other clients.

So there’s a continual learning process in that space.

CISO Forum: What does a production-ready AI governance framework look like technically — KPIs, monitoring layers, audit trails?

David Porter: I think you just named it. That’s what it looks like, right? And that is what it looks like.

Now, obviously, it’s that plus kind of experts. So don’t forget the people. You need people with expert skills in this space. And they come from technology backgrounds, other tech companies, or regulators. So you need to have them in that environment as well.

The people, plus the factors you just outlined, result in a very stringent development environment.

And, of course, you have to have some scale to be able to do that, to be able to, of course, have the kind of institutional knowledge, the balance sheet strength to be able to afford these people, and, of course, the kind of business imperatives to drive progress in this space.

I feel pretty confident that Genesys does a great job in this space today.

CISO Forum: Where does agentic AI fit into Genesys’s BFSI roadmap — and how far are Indian financial institutions from deploying fully autonomous resolution workflows?

David Porter: If we looked a year ago, the number of organisations using agentic virtual agents in production would be zero. Around the world, for us, zero.

That number is not zero today, right? It’s a three-digit number. Most of them are early stage.

In the agentic virtual agent space, it means the use case is king. You’ve got to have really, really focused use cases that make sense, and that means they have to be very precise.

For example, you can’t talk about an agentic virtual agent improving the retirement experience, right? You’ve got to talk very specifically, in a use case, about how you’re going to use an agentic virtual agent to handle the rollover process from one retirement institution and account to another, which is what happens when people near retirement age. I just used that example as it seems to work.

So the agentic virtual agent has to be highly focused on a specific use case. That use case has to, of course, then be tested to ensure that the full understanding of it, in terms of what creates pain points today, is understood and that the agentic virtual agent can solve that pain point. Not just kind of put lipstick on a pig, but really solve and automate the pain point.

Once you’ve done that, then, of course, you need to ensure the governance is kind of appropriate, that the agentic virtual agent evaluation processes are correct, that you have the real ability to monitor the outcomes, make sure the outputs are right, make sure that the model is performing the way that you want it to perform, and that gets you to production and rollout.

Most of our clients, obviously, are still in the early stages here. But as I said, the use cases are king. And I’m always wary of kind of generalities in this space. You’ve got to be really, really specific to make these things work.

Author