Fraud Risk Management - RBI Master Direction 16 July 2024
The Reserve Bank of India issued three revised Master Directions dated 16 July, 2024 on Fraud Risk Management for the Regulated Entities, namely for:
§ Commercial Banks (including Regional Rural Banks) and All India Financial Institutions;
§ Cooperative Banks (Urban Cooperative Banks / State Cooperative Banks / Central Cooperative Banks);
§ Non-Banking Finance Companies (including Housing Finance Companies).
The purpose of these directives is to encourage improved fraud risk management frameworks and systems in regional rural banks, housing finance companies, and rural cooperative banks.
These Master Directions have been prepared based on a comprehensive review of the earlier Master Directions, circulars and emerging issues. They are principle-based and strengthen the role of the Board in overall governance and oversight of fraud risk management in the Regulated Entities (REs).
They aim to provide a robust framework for the prevention, early detection, and timely reporting of frauds in regulated entities (REs). The revised guidelines aim to strengthen the role of boards in overseeing fraud risk management, enhance internal audit and control frameworks and ensure compliance with principles of natural justice. Following the adjustments, the RBI dropped 36 previous circulars on the topic in an effort to simplify regulations and lessen the burden of compliance, according to the regulator.
The revised MD-Banks and revised MD-NBFCs (these are
together referred to as the revised MD) are principle-based and strengthen the
role of the board of directors in the overall governance and oversight of fraud
risk management in REs. The revised MD provide a framework for prevention,
early detection and timely reporting of incidents of fraud to Law Enforcement
Agencies (LEAs), Reserve Bank of India (RBI), National Housing Board (NHB) and
National Bank for Agriculture and Rural Development (NABARD), wherever
applicable.
The applicability of the revised MD-Banks has been extended to all banking companies and All India Financial Institutions (AIFI) (collectively referred to as ‘banks’ in this document). Therefore, this is applicable to all foreign banks, local area banks, small finance banks, payments banks, corresponding new banks, Regional Rural Banks (RRBs), etc. In AIFI, this includes Export-Import Bank of India, NABARD, National Bank for Financing Infrastructure and Development, NHB and Small Industries Development Bank of India.
The revised MD-NBFCs is applicable to NBFCs (including HFCs) in the Upper Layer, Middle Layer and in the Base Layer (with asset size of INR 500 crore and above).
Organisational structure
Banks: RBI requires banks to follow a more structured approach to govern the fraud risk management, as compared to the erstwhile requirement, where responsibility for fraud risk management was assigned towards a bank's CEO, Audit Committee and the Special Committee of the Board.
NBFCs (including HFCs): RBI has imposed governance requirements on NBFCs (including HFCs) for the first time.
REs should have a Board approved policy on fraud risk management which should ensure compliance with the principles of natural justice in a time bound manner and require a periodic review of the principles. The Fraud Risk Management Policy should be reviewed by the board of directors at least once in three years, or more frequently. The revised MD-banks and revised MD-NBFCs have stipulated the time period within which the following activities should be undertaken to uphold the principles of natural justice:
a. Issuance of Show Cause Notice (‘SCN’)
b. Reasonable time of at least 21 days to revert to SCN
c. Process for issuance and examination of SCNs
d. Orders to be issued against SCNs with details on conclusion about fraud and its classification.
Special Committee:
i. Banks are required to constitute a ‘Special Committee of the Board for Monitoring and Follow-up of cases of Frauds’ (“SCBMF”) comprising a minimum of three members (including a whole-time director and a minimum of two independent directors / non-executive directors).
ii. The role of the SCBMF is to monitor, review and propose a risk management framework for reducing cases of fraud.
iii. The Senior Management is accountable for implementing the Board-approved fraud risk management policy. They are also required to periodically report incidents of fraud to the Board or its Audit Committee as necessary.
iv. Additionally, Banks must establish a transparent mechanism to handle Whistleblower complaints related to potential fraud or suspicious activities, ensuring compliance with their Whistleblower Policy.
Further, a requirement for a Data Analytics and Market Intelligence Unit for strengthening risk management systems has been mandated. These Directions have now been made applicable to Regional Rural Banks, Rural Cooperative Banks and Housing Finance Companies as well. The intent is to promote better fraud risk management systems and framework in such REs.
In order to maintain uniformity and consistency when banks report fraud incidents to RBI via the web portal by filing Fraud Monitoring Returns (FMRs), they must select the most relevant category from the list below:
(i) Misappropriation of funds and criminal breach of trust;
(ii) Fraudulent encashment through forged instruments;
(iii) Manipulation of books of accounts or through fictitious accounts, and conversion of property;
(iv) Cheating by concealment of facts with the intention to deceive any person and cheating by impersonation;
(v) Forgery with the intention to commit fraud by making any false documents/electronic records;
(vi) Wilful falsification, destruction, alteration, mutilations of any book, electronic record, paper, writing, valuable security or account with intent to defraud;
(vii) Fraudulent credit facilities extended for illegal gratification;
(viii) Cash shortages on account of frauds;
(ix) Fraudulent transactions involving foreign exchange;
(x) Fraudulent electronic banking / digital payment related transactions.
The key aspects and implications of these Master Directions 2024 are as follows:
1. Scope of these directives:
i. Persons (including Third Party Service Providers and Professionals such as Architects, Valuers, Chartered Accountants, Advocates etc.), Entities and their Promoters / Whole-time and Executive Directors can be investigated for alleged fraud.
ii. The 2024 Guidelines clarify that Non-Whole-time Directors (such as Nominee Directors and Independent Directors) are normally not in charge of, or responsible for the conduct of, the business of the Company; Banks may take this into consideration before proceeding against such Directors.
iii. Thus, to rope in such Nominee Directors / Independent Directors, Banks will have to provide substantial proof against them.
2. Treatment of accounts under Resolution:
i. The Directives provide that, in case an entity has undergone resolution, as a consequence of which there is a change in the management / control of the entity, it will be at the discretion of the Bank whether to retain the entity classified as fraud or otherwise.
ii. However, the penal measures shall not be applicable to the entities after the implementation of the Resolution Plan under the IBC.
iii. The Penal Measures and Criminal action shall continue against erstwhile promoter(s) / director(s) / person(s) who were in charge and responsible for the management of the affairs of the entity / business enterprise.
3. Penal Measures:
Persons / Entity classified as fraud are debarred from raising funds / availing any further credit facilities for five years.
3. Governance Structure for Fraud Risk Management:
i. RBI mandates the Banks to adopt a Board approved Fraud Risk Management Policy for fraud prevention and detection, to be reviewed by the Board at least once in three years. The said Policy should detail the roles and responsibility of the Board of Directors of the Bank and should ensure adherence to the principles of natural justice.
ii. The Show Cause Notice (“SCN”) shall comprise detailed information regarding transactions, actions and events forming the basis for considering fraud declaration, and shall provide a reasonable period of at least 21 days for the recipients to respond to the SCN.
iii. Banks must maintain a systematic process for issuing SCNs and for evaluating responses from individuals / entities under investigation before making any determination of fraudulent activity.
iv. Upon review, a reasoned order incorporating relevant facts, responses to SCNs, and the rationale behind the classification should be issued to convey the Bank’s decision regarding classifying accounts as fraudulent.
4. Framework for Early Detection of Frauds:
i. A significant focus of the new Guidelines is the early detection of frauds through a robust framework for Early Warning Signals (EWS) and Red Flagging of Accounts (RFA).
ii. Banks are required to integrate EWS with their Core Banking Solutions to monitor transactions effectively.
iii. The Guidelines stipulate a systematic approach to identifying, investigating, and acting upon suspicious activities, thereby mitigating potential risks at an early stage.
5. Red-flagged Account and Reporting of Fraud:
i. External and Internal Audit can be conducted on red-flag accounts.
ii. The decision to classify any account, either standard or NPA, as a red-flagged account shall be at the individual bank level and such bank(s) shall report the status of the account on the RBI’s Central Repository of Information on Large Credits (“CRILC”) platform within seven days.
iii. After an account is red flagged, the decision to classify the same as fraud or otherwise should be done within 180 days.
iv. Banks shall, after complying with the principles of natural justice, report to Indian Banks’ Association the details of such third parties or professionals involved in frauds.
6. Reporting of Incidents of Fraud:
i. The Directives provide categories for reporting fraud to maintain uniformity, such as misappropriation of funds and criminal breach of trust; fraudulent encashment through forged instruments, amongst others, as prescribed under Clause 6.1 of the Master Directives.
ii. Fraudulent electronic banking / digital payment related transactions committed on banks; and other types of fraudulent activity not covered under any of the above.
iii. Instances of payment system related disputes and suspected or attempted fraudulent transactions are to be reported to the Central Payments Fraud Information Registry (“CPFIR”).
iv. Banks shall adhere to the timeframe prescribed in these Master Directions for reporting of fraud cases to RBI, such as individual fraud cases and fraud at overseas branches, amongst others, as prescribed under Clause 6.3 of the Directives.
v. In exceptional circumstances, the Bank upon such approval can withdraw the Fraud Monitoring Return.
vi. Banks are obligated to lodge a complaint with the law enforcement agency.
7. Reporting and Investigation:
i. The updated Guidelines provide detailed instructions on reporting frauds to the RBI and other relevant authorities.
ii. Banks are required to establish a governance structure that ensures effective oversight and implementation of the EWS and RFA frameworks. The Risk Management Committee of the Board (“RMCB”) assumes responsibility for supervising the aforesaid frameworks.
iii. Banks are also required to establish dedicated Data Analytics and Market Intelligence (MI) Units tailored to their operational needs, enhancing their ability to detect and prevent potential fraudulent activities across diverse banking operations.
iv. Additionally, Banks must extend their EWS frameworks to monitor non-credit related transactions, including digital channels, ensuring these systems are continually tested and improved to maintain integrity and adaptability against emerging fraud risks. Compliance with reporting requirements, particularly concerning accounts meeting CRILC thresholds, is crucial to align with regulatory mandates and mitigate fraud risks effectively. Banks are required to implement or upgrade their EWS systems within six months from the issuance of regulatory directives.
8. Closure of Fraud Cases:
i. Banks shall close cases of fraud reported, post the completion of necessary actions and legal proceedings.
ii. Banks are directed to maintain records of all the closed cases of fraud for future audit purposes.
9. Staff Accountability:
i. Banks have to examine the staff accountability of their senior management in fraud cases, as per their Internal Policy.
ii. Examination of staff accountability as per the guidelines issued by the Central Vigilance Commission is required.
10. Additional Directives:
i. Banks to frame policy to avail information from Central Fraud Registry for credit risk and fraud risk.
ii. Banks to report payment system related disputes to Central Payments Fraud Information Registry maintained by RBI.
iii. Banks are required to periodically carry out legal audit of the title deeds and other related documents in respect of credit facility amounting to Rs. 5 Cr and above till repayment / closure.
iv. Prior to transferring of loan account / credit facility to other lenders, due diligence for fraud must be conducted and the same has to be reported to RBI and NABARD.
v. In cases where the appointed auditor comes across fraudulent transactions, the same has to be notified to the senior management of the Bank.
vi. Banks have to report instances of theft, burglary, dacoity and robbery (including attempted cases), to Fraud Monitoring Group (FMG), Department of Supervision, Central Office, RBI within seven days and also submit quarterly report covering all such cases.
The RBI’s new master directions on fraud risk management represent a comprehensive effort to strengthen the banking sector against fraud by emphasizing early detection, stringent reporting and robust governance structures, to safeguard the integrity of the financial system.
Other requirements of the RBI Guidelines on fraud risk management
A. Criteria for Classification of Accounts as Fraud
▪ Early Warning Signals (EWS) and Red Flagging of Accounts (RFA):
− EWS Framework: Banks must establish a framework for identifying early warning signals, integrating with Core Banking Solutions (CBS) for real-time monitoring (Clause 8.3).
− Red-Flagged Account (RFA): An account with one or more EWS indicators that suggest fraudulent activity requires deeper investigation and preventive measures (Clause 8.3.1).
− Reporting: Accounts meeting the CRILC threshold and identified as RFA must be reported to the RBI within seven days (Clause 8.3.3). CRILC (Central Repository of Information on Large Credits) is a database maintained by the Reserve Bank of India by collection of loan and investment data of borrowers from all financial institutions.
▪ Independent Confirmation:
− Banks must ensure third-party service providers involved in the fraud are held accountable, with their details reported to the Indian Banks' Association (IBA) (Clause 8.12.4).
▪ Staff Accountability:
− Banks must examine staff accountability in fraud cases promptly. For public sector banks (PSBs) and AIFIs, this includes referring cases to the Advisory Board for Banking and Financial Frauds (ABBFF) (Clause 8.10.1).
▪ Penal Measures:
− Persons/Entities classified as fraud by banks are debarred from accessing credit facilities for five years post repayment or settlement (Clause 8.12.1).
B. Reporting Mechanism
▪ Reporting to Law Enforcement Agencies (LEAs):
− Private Sector/Foreign Banks: Report frauds below INR 1 crore to State/UT Police; INR 1 crore and above to SFIO and Police (Clause 8.11.1).
− Public Sector Banks/RRBs: Report frauds below INR 6 crore to State/UT Police; INR 6 crore and above to CBI (Clause 8.11.1).
▪ Reporting to RBI:
− Fraud Monitoring Returns (FMRs): Banks must report individual fraud cases immediately but no later than 14 days from classification (Clause 8.4.2).
− Central Fraud Registry (CFR): Banks must utilize the CFR for effective fraud risk management (Clause 3.1).
▪ Closure of Fraud Cases:
− Fraud cases can be closed upon completion of LEA actions and staff accountability examination (Clause 5.1).
− In this context, it is important to note the requirements of RBI Guidelines on settlement of fraud cases in the light of RBI Circular dated June 08, 2023.
▪ Filing of FIR and Other Legal Actions:
− FIR Filing: Banks must report fraud incidents to relevant LEAs and file FIRs promptly, ensuring coordination with LEAs for investigation and further legal action (Clause 8.11.1).