Every scheduled commercial bank in India generates data. Deposit balances change by the second. Loan classifications shift as repayments arrive or fail to. Foreign exchange positions fluctuate with each trade. Priority sector disbursements accumulate through the quarter. Large credit exposures trigger risk thresholds. Cyber incidents occur without warning. Frauds are discovered months after they happen.
The Reserve Bank of India needs all of this information — accurately, on time, in prescribed formats — to supervise a banking system with over Rs 200 lakh crore in deposits and a network of more than 100,000 bank branches. The Master Direction on Filing of Supervisory Returns (RBI_MD_12613), issued February 27, 2024, is the single reference document that tells every supervised entity what to file, when, how, and what happens if they get it wrong. For NBFCs, a parallel framework operates under the Non-Banking Financial Company Returns Directions (RBI_MD_10620), issued September 29, 2016.
Also in this series:
- When the RBI Investigates Your Bank
- What the RBI's Financial Stability Report Actually Tells You
Why Did the RBI Need a Single Master Direction on Returns?
Before the 2024 Master Direction, the RBI's return submission requirements were scattered across dozens of circulars, notifications, and department-specific instructions issued over decades. Different departments — the Department of Supervision, the Department of Banking Regulation, the Department of Statistics — each prescribed their own returns with their own formats, timelines, and platforms. A bank's compliance team might be filing weekly returns on one system, quarterly returns on another, and ad hoc returns through email, without any single document telling them everything they owed.
The August 10, 2023 Statement on Developmental and Regulatory Policies announced the rationalisation, and the RBI followed through with a press release confirming the issuance of the new Master Direction (Master Direction – Reserve Bank of India (Filing o) on February 27, 2024. The result was the 2024 Master Direction — issued under Section 27(2) and Section 35A of the Banking Regulation Act, 1949; Section 56 of the same Act for cooperative banks; Sections 45K and 45L of the RBI Act, 1934 for NBFCs; and Section 12A of the SARFAESI Act, 2002 for Asset Reconstruction Companies.
The scope is sweeping. The Direction applies to all commercial banks excluding Regional Rural Banks, all primary (urban) cooperative banks, select All India Financial Institutions (Exim Bank, NABARD, NHB, SIDBI, and NABFID), all NBFCs excluding Housing Finance Companies, and all Asset Reconstruction Companies. These entities are collectively termed "Supervised Entities" — a deliberate label that establishes their status as institutions under the RBI's direct supervisory scrutiny.
The Timeline Grid: What Gets Filed When
The 2024 Master Direction standardises reporting timelines across all periodicities. The framework is precise:
Weekly returns — reference date is Friday of the week, submission deadline is Wednesday of the following week. This covers CRR and SLR reporting. Every scheduled commercial bank must demonstrate fortnightly that it holds the required percentage of its Net Demand and Time Liabilities in specified government securities (SLR) and as balances with the RBI (CRR). The data must be accurate because the RBI uses it to monitor systemic liquidity in near-real time.
Fortnightly returns — reference dates are the 15th and last day of each month, with submission within 7 days. These capture the basic balance sheet positions that feed into the RBI's monetary and credit aggregates.
Monthly returns — reference date is the last day of the month, submission within 15 days. Monthly returns capture sectoral credit deployment, priority sector lending positions, and branch-level operational data.
Quarterly returns — reference date is the last day of each calendar quarter (March 31, June 30, September 30, December 31), submission within 21 days. Quarterly returns are the workhorse of the supervisory system: NPA data, capital adequacy, asset quality, sectoral exposures, priority sector achievement, CRILC data, BSR returns, and fraud reporting all operate on quarterly cycles.
Half-yearly and yearly returns — reference dates of March 31 and September 30 (half-yearly) or March 31 alone (yearly), with 21-day submission windows. These capture audited financial data, ALM positions, and annual compliance certifications.
Audited returns must be filed within 5 working days from the date of signing of the Auditor's report. Ad hoc returns — called for in specific circumstances like stress events or data verification exercises — must be submitted within timelines specified in the RBI's communication.
The Data Infrastructure: From ORFS to CIMS
The mode of submission is exclusively online. The Master Direction is unambiguous:
Returns submitted in hard copy format through hand delivery/ post/ courier, or in soft copy format through e-mails, shall not be accepted (i.e., would not be deemed to have been submitted by SEs), unless prescribed.
This digital-only mandate exists because the RBI needs machine-readable, timestamped data that can be validated automatically — paper returns cannot feed into the analytical infrastructure that modern supervision requires. The only exception is a contingency provision — if online portals are unavailable, email submission is permitted temporarily, but the entity must re-submit through the online portal once it becomes available.
The platforms have evolved significantly. The older Online Returns Filing System (ORFS) served the banking system for years but was limited in its data architecture. The RBI has been transitioning to CIMS — the Centralised Information Management System — which is designed as a comprehensive platform for return submission, data dissemination, and related purposes. CIMS represents a fundamental shift from return-by-return filing to an integrated data architecture where the RBI can query, aggregate, and analyse data across entities, geographies, and time periods.
The Master Direction's data governance requirements read more like an IT systems directive than a banking regulation. Supervised entities must design, build, and maintain data architecture and supporting IT infrastructure for accurate, complete, and timely data aggregation — not just in normal times but during stress or crisis. Data aggregation and reporting must be part of the entity's business continuity planning. Roles and responsibilities between business owners and IT teams must be clearly established. Resources and IT infrastructure must be adequate to meet not just routine reporting but on-demand, ad hoc requests — including during supervisory queries where the RBI might ask for exposure data for a particular period for a specific industry cluster in a specific district.
What the RBI Actually Collects: The Return Universe
The categories of data flowing from supervised entities to the RBI cover every dimension of banking activity.
CRR and SLR Returns
The most time-sensitive returns. CRR (Cash Reserve Ratio) and SLR (Statutory Liquidity Ratio) compliance is monitored fortnightly. Banks must maintain CRR as a percentage of their Net Demand and Time Liabilities (NDTL) as balances with the RBI. SLR requires holding specified percentages of NDTL in government securities and other approved instruments. The fortnightly reporting ensures the RBI can track liquidity conditions across the system in near-real time. A bank falling below the CRR minimum faces penalty interest; persistent non-compliance triggers supervisory action.
BSR Returns (Basic Statistical Returns)
The BSR system captures granular credit data. BSR-1 covers the annual survey of all credit accounts, providing loan-level data on every outstanding advance — amount, sector, interest rate, borrower category. BSR-2 captures deposit data. These returns feed into the RBI's statistical publications and are used by researchers, policymakers, and the RBI's own analytical teams to understand credit allocation patterns across the economy.
NPA and Asset Quality Data
Quarterly returns on non-performing assets are the foundation of the RBI's asset quality monitoring. Banks report the gross NPA ratio, net NPA ratio, movement in NPAs during the quarter (fresh slippages, upgradations, write-offs, recoveries), sectoral distribution of NPAs, and provisioning levels. This data feeds directly into the Financial Stability Report and into the RBI's supervisory risk assessment model (SPARC/ISE) that determines which banks receive enhanced supervisory attention.
CRILC: The Large Credit Repository
The Central Repository of Information on Large Credits is one of the RBI's most powerful supervisory tools. All lenders — banks, NBFCs, and financial institutions — must report all exposures of Rs 5 crore and above to the CRILC database. The reporting is borrower-level, not aggregate: each individual exposure above the threshold is reported with the borrower's identity, outstanding amount, asset classification, SMA (Special Mention Account) status, and other risk indicators.
CRILC enables something that was previously impossible: network analysis of the Indian credit system. The RBI can see which borrowers have taken loans from multiple banks, identify concentration risk across the system, detect early signs of stress through SMA classifications, and monitor whether stressed borrowers are borrowing from other lenders to service existing debts. The creation of CRILC was announced through the January 30, 2014 framework on "Early Recognition of Financial Distress, Prompt Steps for Resolution and Fair Recovery for Lenders" — the framework that preceded and laid the groundwork for the Insolvency and Bankruptcy Code.
Priority Sector Returns
Banks must report their priority sector lending achievement quarterly — total PSL, agriculture lending (with sub-categories for small and marginal farmers), MSME lending (micro, small, medium), lending to weaker sections, housing, education, export credit, renewable energy, and other eligible categories. This data is used to verify compliance with the 40% target (for domestic SCBs), compute shortfalls, and determine the amount to be deposited with NABARD's RIDF. The district-level credit data also feeds into the PSL weight system that was introduced in September 2020 — assigning 125% weight to loans in underbanked districts and 90% weight to loans in overbanked ones.
Fraud Reporting
Banks must report frauds above specified thresholds to the RBI, following the detailed procedures in the Master Directions on Frauds — Classification and Reporting (RBI_MD_10477). The returns capture the nature of fraud (advance-related, deposit-related, forex, cyber), the amount involved, the department responsible, the stage at which the fraud was detected, and the action taken. This data feeds into the RBI's fraud monitoring and analysis, and into aggregate statistics published in the Financial Stability Report and Annual Report. Delays in fraud reporting attract severe supervisory attention because the RBI has repeatedly flagged late reporting as an indicator of weak internal controls — and because delayed detection allows fraud losses to compound before containment measures can be deployed.
Cyber Incident Reporting
Since the RBI's cybersecurity framework was introduced — most comprehensively through the Master Direction on IT Governance, Risk, Controls and Assurance (RBI_MD_12562) — supervised entities must report cyber incidents within prescribed timelines. The reporting covers the nature of the attack, systems affected, data compromised, containment measures taken, and root cause analysis. This data is critical for the RBI's systemic risk monitoring because a cyber attack on one large bank can have cascading effects across payment systems, correspondent banking networks, and customer confidence.
The NBFC Returns Framework
For NBFCs, the Master Direction on NBFC Returns (RBI_MD_10620) prescribes a parallel but distinct set of returns, reflecting the different risk profiles and regulatory requirements of non-bank lenders.
The returns include NBS-1 (financial indicators for deposit-taking NBFCs, quarterly), NBS-2 (prudential norms compliance for deposit-taking NBFCs, quarterly), NBS-3 (liquid assets for deposit-taking NBFCs, quarterly), NBS-7 (prudential norms for systemically important non-deposit taking NBFCs, quarterly), and ALM returns at various frequencies — quarterly for short-term dynamic liquidity, half-yearly for structural liquidity and interest rate sensitivity, and annually for asset-liability mismatch data.
The NDSI 500cr return captures financial details for all NBFCs-ND-SI (non-deposit taking systemically important) — assets, liabilities, profit and loss components, exposure to sensitive sectors, and sectoral credit deployment. Branch information returns for deposit-taking and systemically important NBFCs capture geographical spread. FDI compliance certificates are submitted half-yearly by NBFCs with foreign direct investment.
Every NBFC must submit a Statutory Auditor's Certificate (SAC) annually — a certification from the auditor that the entity is engaged in the business of non-banking financial institution requiring a Certificate of Registration. The SAC is submitted in a prescribed format through the COSMOS platform. This annual certification serves as a compliance checkpoint: the auditor must confirm the NBFC's principal business criteria, regulatory compliance, and financial position.
The Direction is explicit about consequences: NBFCs that fail to adhere to prescribed timeframes are liable for penal action under Chapter V of the RBI Act. Incorrect information is treated with "serious view."
Board and Senior Management Accountability
The 2024 Master Direction places data quality squarely at the Board level. This is not a back-office compliance function. The Direction states:
The Board and Senior Management shall include the identification, assessment, and management of data quality risks as part of its overall risk management framework. The framework should include standards for both outsourced and in-house risk data-related processes, policies on data confidentiality, integrity and availability, as well as risk management policies.
The reason data governance sits at the Board level is that inaccurate reporting does not just attract penalties — it undermines the RBI's ability to detect stress across the system before it becomes a crisis.
The Board must ensure that risk data aggregation capabilities and reporting practices are fully documented and subject to high standards of validation, conducted using staff with specific IT, data, and reporting expertise. When the entity considers any acquisition, divestiture, new product development, or IT change initiative, the due diligence must consider the impact on data aggregation and reporting capabilities. If a bank acquires another bank, it cannot take years to integrate the reporting systems — the Master Direction expects integration within a defined timeframe.
For banking groups with complex structures, the data aggregation and reporting capability must work at the consolidated level, any sub-consolidated level, and any relevant jurisdiction. The entity's legal organisation and geographical presence should not hinder its ability to report accurately. This requirement targets banks with IFSC Banking Units (IBUs) and Overseas Banking Units (OBUs), which must report data on both domestic and overseas operations.
Penalties and Enforcement
The penalties framework is deliberately open-ended. The Master Direction states that violations may attract necessary action including imposition of penalty or fine under the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, or the SARFAESI Act, 2002, as applicable.
In practice, penalties for late or inaccurate returns range from monetary penalties (imposed under Section 47A of the BR Act or Section 58B of the RBI Act) to supervisory restrictions (enhanced monitoring, restrictions on business expansion) to ratings downgrades in the RBI's own supervisory assessment. For CRR shortfalls, the penalty is automatic — interest at the bank rate plus 3% for the first default, and bank rate plus 5% for subsequent defaults.
The implicit penalty is arguably more severe than the explicit one. Supervisory returns are the starting point for the RBI's on-site inspection teams. When the Integrated Supervisory and Evaluation (ISE) teams arrive at a bank for an annual or targeted inspection, they begin with the returns data. Inconsistencies between reported data and actual books immediately flag risk areas for deeper investigation. A bank that reports clean asset quality data but is found during inspection to have mis-classified loans faces not just the penalty for mis-reporting but the far larger consequences of the underlying asset quality problem — additional provisioning, capital adequacy impact, potential restriction on dividend distribution.
How Reporting Feeds Into Supervision
The returns data does not sit passively in RBI databases. It feeds into multiple supervisory processes.
The off-site surveillance function uses returns data for continuous monitoring of all supervised entities. Trend analysis — comparing a bank's NPA trajectory, capital adequacy movement, sectoral concentration changes across quarters — generates early warning signals that determine supervisory attention allocation. A bank whose gross NPA ratio is rising faster than peer averages, or whose exposure to a particular sector exceeds prudential norms, receives enhanced off-site scrutiny and potentially a targeted on-site inspection.
The Financial Stability Report, published by the RBI every six months, draws heavily on aggregated returns data. The macro stress test results that estimate banking system NPAs under adverse scenarios use the granular loan-level data from BSR and CRILC returns. The network analysis that identifies systemically important borrowers and inter-bank exposure concentrations is built entirely on CRILC data.
The supervisory rating process — whether through the CAMELS framework for banks or the CRAR-based assessment for NBFCs — uses returns data as the quantitative foundation. Qualitative assessments from on-site inspections are overlaid on this quantitative base, but the base itself comes from the returns.
The Digital Transformation of Regulatory Reporting
The evolution from paper returns to XBRL (eXtensible Business Reporting Language) to CIMS represents a fundamental transformation in the relationship between the regulator and the regulated. XBRL, adopted by the RBI for certain returns in the mid-2010s, introduced taxonomised reporting — each data element is tagged with a standardised identifier, enabling automated validation, aggregation, and analysis. CIMS takes this further by creating a unified data warehouse where the RBI can perform cross-entity, cross-time, cross-geographic analysis on demand.
The practical implication for banks: the cost and complexity of regulatory reporting has increased substantially. Large banks typically maintain dedicated teams of 50 to 100 people for regulatory reporting, operating return-specific workflows with multiple levels of validation. The investment in data infrastructure — data warehouses, ETL (extract-transform-load) pipelines, reconciliation engines, audit trails — runs into crores of rupees annually.
For smaller entities — particularly urban cooperative banks and smaller NBFCs — the reporting burden is proportionally heavier. The Master Direction acknowledges this implicitly through the differential application of returns: not all returns apply to all entity types. The comprehensive list in Annex III of the Direction specifies which returns are required from which entity category, creating a proportional reporting framework.
The direction toward granular, automated, real-time reporting is irreversible. The Master Direction's requirements on data architecture, IT infrastructure, business continuity, and Board-level accountability signal that the RBI views data quality not as a compliance checkbox but as a fundamental component of financial stability supervision. In a banking system where a single large borrower's default can cascade through multiple lenders via the CRILC network, the accuracy and timeliness of reporting is not bureaucratic overhead — it is systemic infrastructure.