Revised Master Directions From the RBI: 10 Changes You Need To Know

Compliance
Author
Anil Tadimeti

Expert
Anil Tadimeti

July 19, 2024

Executive Summary

The Reserve Bank of India's updated Master Directions on Fraud Risk Management for Non-Banking Financial Companies (NBFCs), Commercial Banks and Urban Co-operative Banks (UCBs) emphasize strengthened governance with enhanced roles for independent directors and Boards in fraud oversight. Key aspects include implementing Early Warning Signals (EWS) frameworks with qualitative indicators for proactive fraud detection, adhering to recent Supreme Court orders for fraud classification (providing reasonable opportunity for the alleged to respond), and updated reporting guidelines removing the INR 1 lakh threshold. These measures aim to improve fraud prevention, detection, and reporting, ensuring robust financial integrity and compliance. 

It’s important to note that these comprehensive new guidelines will supersede the previous Master Directions/Circulars from 2016, reflecting a thorough review and addressing emerging issues in fraud risk management. 

As a global leader in fraud verification and compliance, we are dedicated to helping financial institutions navigate these new regulations, ensuring compliance, and maintaining the highest standards of financial integrity. Our expertise and solutions are designed to support banks and NBFCs in implementing these guidelines effectively, safeguarding against fraud, and fostering a secure financial environment.  

The updated Directions apply to 

  • Commercial Banks (including Regional Rural Banks) and All India Financial Institutions
  • Cooperative Banks (Urban Cooperative Banks / State Cooperative Banks / Central Cooperative Banks), especially 
  • NBFCs with assets worth INR 500 crore and above


For clarity and cohesion, we will refer to these collectively as FIs (Financial institutions) in the article. 

---------------

The RBI's annual report released in June unequivocally brings to light the widespread prevalence of fraud in today's financial landscape. Online frauds caused an estimated damage of Rs 1457 crore, growing 5 times year on year. The actual number could be significantly higher (about 8x) considering:

  • There is a significant lag between the date of occurrence of a fraud and its detection
  • All fraudulent transactions below the reporting threshold of Rs 1 lakh have not been included in this number. 
  • These figures cover only reported transactions. Many types of reported cyber incidents become a source of financial fraud but are not included here. The RBI financial stability report mentioned social engineering as the largest share of cyber incidents, followed by other types such as data leakage, breached application security, and ransomware attacks. 

The RBI's revamped Master Directions indicate that the regulator is looking at a paradigm shift and not an incremental upgrade to the fraud risk management system and wants Regulated Entities to tackle the ever-growing menace in a systematic manner. 

FRM Master Directions: The revisions

Here are the key changes from the preceding circulars on Fraud Risk Management that you should know about: 

  1. The tone from the RBI is clear. The Board and Top Management must be intricately involved in the design, process and upgradation of fraud risk management systems and are accountable for deficiencies/ lapses. Fraud has moved from a back-room function to a board-room function.
  2. The RBI's emphasis on identifying root causes indicates that the regulator is not satisfied with the quality of investigations and reporting and wants the Regulated Entities (REs) to conduct a thorough analysis for pattern identification and setting up deterrence mechanisms. 
  3. As seen in the recent high-level meeting with banking and NBFC leaders and RBI governor Shaktikanta Das, the proliferation of money mules took the highest priority, not just in banking channels but also in lending ecosystems, where mules continue to wreak havoc. Hence, the revised Master Directions ask all REs to take proactive measures to weed out mules.
  4. By focusing on “real-time basis,” the RBI wants to impress upon the REs that there needs to be a concerted effort to shift from a reactive post-fraud detection mindset to a proactive ‘prevention’ mindset. We see the extent of this reactive nature in the Annual Report, where frauds that occurred as far back as 2013-14 were detected in 2023-24. 
  5. Reporting to the RBI in FMR no longer has a threshold, reflecting a focus on small-value loans and transactions for comprehensive fraud detection. Previously, the threshold for reporting was INR 1 lakh. This shows a conscious effort by the apex bank to acknowledge the extent of low-value frauds like small-value delinquent loans or transactions that take place. 
  6. The Central Fraud Registry will act as a consolidated database, though limitations to access (NBFCs and UCBs do not have access) need to be liberalized for effective data sharing and fraud prevention.
  7. The RBI has seen its fair share of high-value frauds in the past few years, which tend to threaten an individual FI’s stability and possibly systemic stability, and it wants to elevate the value of whistleblower complaints. 
  8. The RBI has emphasized fraud risk management encompassing frauds other than loan frauds in light of growing cybersecurity incidents, data breaches, the easy availability of KYC data online, forgery, and other factors that can result in online payment fraud. 
  9. The Early Warning Signals (EWS) framework* has been strengthened with clear expectations and defined outcomes, promoting a holistic approach rather than a mechanical tool implementation by the REs. The EWS framework is now not a simple tool but involves lifecycle analysis, including monitoring, remedial measures, and review of the sanction process. 
  10. The implementation of EWS now will go beyond just looking at financial data. It also needs to look at ‘qualitative indicators’ that can take the form of borrower conduct, such as their transaction history, interaction with financial services, and behavioral cues that might suggest fraudulent intentions.  

*The EWS framework is only applicable to NBFCs in the Upper and Middle layers and Tier III and Tier IV Urban Co-operative Banks. 

At Bureau, we realized analyzing “intent” was more formidable than just simply catching the fraudster after the deed was done. It is always encouraging to see regulators look at a problem from the same lens as us. 

When onboarding new users, we comb through vast amounts of data using powerful AI/ML models in milliseconds to identify patterns that reflect the “intent” to commit fraud. It could show up as irregular digital behavior, mismatches between personal data and its documentation, excessive SIM switches, presence of emulators and VPNs, etc.  

Instead of a reactive solution like transaction monitoring in isolation, Bureau uses advanced technology to identify the ‘intent to commit fraud’ early on during onboarding itself. 

Schedule a free consultation with us to learn how our low-code, customizable solutions can help banks and FIs. 

Revised FRM Master Directions: A synopsis

Now that you know the main differences from previous circulars, here is a synopsis of the revised Master Directions and why they matter to you: 

1. Board-Approved Policy: The FIs should implement a Board-approved policy on fraud risk management, outlining the roles and responsibilities of the Board, Board Committees, and Senior Management. This policy should be reviewed at least every three years and comply with the principles of natural justice. 

2. Issuing Show Cause Notices (SCN): Upon detecting potential fraud, an SCN detailing the alleged misconduct should be issued. This must comply with the principles of natural justice by giving the accused at least 21 days to respond. The FIs must review these responses impartially before making a decision, which is then communicated in writing with the relevant facts and reasons. 

3. Special Committee: A Special Committee of the Board for Monitoring and Follow-up of Fraud Cases (SCBMF) must be established, comprising at least three Board members, including the CEO and two Independent Directors. A senior official in the rank of at least a general manager or equivalent shall be responsible for monitoring and reporting fraud.

4. Early Warning Signals (EWS) Framework: FIs must integrate an EWS framework with their Fraud Risk Management Policy. This system, overseen by a Board Level Committee and implemented by Senior Management, should monitor credit facilities, loan accounts, and other financial transactions for potential fraud, ensuring timely and effective responses. It’s important to note the significant development where the apex bank in the country has started acknowledging the gravity of frauds beyond credit-related scams. The new RBI Master Directions reflect this shift by outlining wider categories of fraudulent activities. This expanded scope includes a broader range of misconduct - including misappropriation of funds, forgery, manipulation of accounts, cheating, fraudulent credit facilities, cash shortages due to fraud, and fraudulent electronic transactions.

5. Fraud Detection and Accountability Measures: FIs must diligently monitor financial transactions for fraud indicators, conduct internal or external audits as necessary, and adhere to natural justice principles. They must ensure external auditors are competent and timely and include audit clauses in loan agreements. If audits are inconclusive or delayed, internal investigations should proceed. Related borrowal accounts must also be examined, and third-party service providers must be held accountable. Staff accountability should be promptly assessed, with significant fraud cases referred to the Central Vigilance Commission. Fraudulent entities are barred from new credit for five years but may request credit after this period if management changes and resolutions occur.

6. Reporting Fraud to Law Enforcement Agencies (LEAs): Designated officers or nodal points must be established to report fraud incidents to LEAs.

7. Reporting and Closing Fraud Incidents: FIs must report fraud incidents to the RBI using Fraud Monitoring Returns (FMRs) through the FMR Update Application (FUA) within 14 days of classification. These reports should categorize fraud types and include overseas branches and group entities not regulated by financial authorities. Delays in reporting must be addressed, with accountability fixed for responsible staff. Fraud cases can be closed once legal actions and staff accountability reviews are completed or for amounts up to INR 25 lakh if investigations or trials have been pending for over three years. Detailed records must be maintained for audit purposes.

Additional instructions cover the legal audit of title documents for large-value loan accounts, treatment of accounts classified as fraud and sold to other lenders or Asset Reconstruction Companies (ARCs), reporting of theft, burglary, dacoity, and robbery, and treatment of accounts under resolution frameworks.

These updated Directions significantly enhance the risk management system for identifying, monitoring, treating, and reporting fraud incidents. They are principle-based, which means they provide sufficient flexibility to REs to design systems where they will be judged on outcomes and more involvement of senior management for achieving success. This directly strengthens the Board's role in governance and oversight of fraud risk management in banks and NBFCs.  

Now, the most important part -

Why do these matter to you? 

Well - as a leader of an FI, it is your responsibility to help your organization stay compliant and secure. According to the mandate, you have 180 days from the issuance of the revised directives to comply. 

More than just compliance, you also must uphold the integrity of the financial ecosystem and protect the honor of the crores of people who depend on an economic system based on trust. 

This cannot be done in isolation. Partner with technology companies like Bureau to fortify your defenses against advancing fraud methods. 
