On March 11, 2026, the RBI issued a direction to Kanaka Pattana Sahakara Bank Niyamita, Davangere under Section 35A of the Banking Regulation Act. The bank was ordered, with immediate effect, to stop granting or renewing any loans, stop making investments, stop accepting fresh deposits, stop disbursing payments, and stop disposing of assets — "except as notified in the RBI Direction." Depositors were told their withdrawals were frozen: "the bank has been directed not to allow any withdrawal from savings bank or current accounts."
That's the nuclear option. Six months earlier, on September 18, 2023, the RBI had fined Nagarik Sahakari Bank, Pune Rs 9 lakh for six simultaneous compliance failures — a slap on the wrist by comparison. Between the Rs 9 lakh fine and the total asset freeze lies the full spectrum of the RBI's enforcement powers. What triggers each level of intervention, what process does the bank get, and what rights does it have?
What powers does the RBI have over banks?
The statutory architecture is layered — different powers, different sections, different consequences:
Section 35A of the Banking Regulation Act, 1949 gives the RBI power to issue directions to any banking company "in the public interest, in the interest of the depositors, for securing the proper management of any banking company, or in the interest of the banking company." For co-operative banks, Section 56 extends this power through the "As Applicable to Co-operative Societies" provision. This is the broadest discretionary power — the RBI can restrict any aspect of a bank's operations.
Section 47A(1)(c) empowers monetary penalties for contravention of directions — the provision cited in every single one of the 623 penalty orders in our records.
Section 46(4)(i) specifies the penalty framework for contravention of provisions of the Act, rules, or directions.
Section 22 governs licensing — the RBI can cancel a bank's licence, which is the final enforcement action. A bank without a licence ceases to be a bank.
For NBFCs, the equivalent powers sit in Sections 45JA, 45K, 45L, and 45M of the RBI Act, 1934. The NBFC Registration Direction (Reserve Bank of India (Non-Banking Financial Compa) cites all four. The RBI can cancel an NBFC's Certificate of Registration under Section 45-IA(6) — in July 2025, ten NBFCs had their registrations cancelled in a single order.
What triggers an inspection?
Two types, triggered differently.
The Statutory Inspection for Supervisory Evaluation (ISE) is the routine cycle. Every penalty press release identifies it: "The Statutory Inspection for Supervisory Evaluation (ISE 2024) of the bank was conducted by RBI with reference to its financial position as on March 31, 2024." The reference date matters — the compliance position as of that date is what gets examined.
The ISE covers everything: asset classification, capital adequacy, KYC compliance, governance, IT security, customer service, interest rate direction compliance, priority sector achievement. The inspection team produces a report with specific findings of non-compliance.
For co-operative banks and RRBs, the inspection may be conducted by NABARD rather than the RBI. The Jilla Sahkari Bank penalty explicitly states: "The statutory inspection of the bank was conducted by National Bank for Agriculture and Rural Development (NABARD)." But the penalty was imposed by the RBI — NABARD inspects, the RBI enforces.
Targeted inspections are triggered by specific intelligence — abnormal financial indicators, complaints, market reports, or information from other regulators. These aren't publicly disclosed but can be inferred when the inspection reference date doesn't follow the routine ISE cycle.
What exactly does the penalty process look like — step by step?
Every penalty press release follows the same six-step template. Let me trace it through the Mehsana Urban Co-operative Bank penalty (PR_58284, July 2024) — a case with six distinct charges, making it one of the most instructive in the entire enforcement record.
Step 1 — Inspection. The ISE was conducted with reference to the bank's financial position as on a specified date. The inspection team reviewed the bank's books, tested transactions, verified asset classification, and checked compliance with every applicable direction.
Step 2 — Findings documented. The inspection report identified six specific violations:
(i) sanctioned or renewed multiple director related credit facilities (both fund and non-fund based) to companies/concerns, where the directors or their relatives were interested, despite having been penalised for the same earlier; (ii) not implemented certain basic cyber security control measures and requirements under the Cyber Security Framework prescribed by RBI; (iii) not classified certain loan accounts as Non-Performing Assets... (iv) failed to ensure that the sum total of its investments in subsidiaries and companies in the group... does not exceed twenty per cent of its owned fund; (v) failed to carry out periodic review of risk categorisation of accounts...; (vi) failed to correctly compute the revised limits for granting of loans and advances... (PR_58284)
Six charges cutting across director lending norms, cyber security, NPA recognition, investment limits, KYC risk categorisation, and exposure norms — six different regulatory domains violated by one bank. And the note that the bank had been "penalised for the same earlier" — meaning it was a repeat offender on director lending.
Step 3 — Show-cause notice. The RBI issues a written notice to the bank specifying each charge and inviting the bank to explain why a penalty should not be imposed. This is the point where the bank first formally knows it's facing enforcement action.
Step 4 — Bank's written reply. The bank responds in writing to each charge — denying the violation, explaining the circumstances, arguing mitigating factors, or accepting the finding and describing corrective action taken.
Step 5 — Personal hearing. The bank gets to make oral submissions before the decision-maker. The press releases confirm this: "After considering the bank's reply to the notice, additional submissions and oral submissions made during the personal hearing." This is the due process that makes the penalty defensible in court.
Step 6 — Order. The decision-maker — typically the Chief General Manager or an Executive Director — determines which charges are "sustained" and which are not. In many cases, some charges are dropped after considering the bank's defence. The penalty amount reflects the sustained charges only.
The final order includes the standard disclaimer: "This action is based on deficiencies in statutory and regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank with its customers."
What does a Section 35A direction actually look like?
The Kanaka Pattana Sahakara Bank direction (PR_62373, March 2026) shows the maximum intervention short of licence cancellation:
"The bank shall not, without prior approval of RBI in writing, grant or renew any loans and advances, make any investment, incur any liability including borrowal of funds and acceptance of fresh deposits, disburse or agree to disburse any payment whether in discharge of its liabilities and obligations or otherwise, enter into any compromise or arrangement and sell, transfer or otherwise dispose of any of its properties or assets." (PR_62373)
Then the depositor impact: "Considering the bank's present liquidity position, the bank has been directed not to allow any withdrawal from savings bank or current accounts or any other account of a depositor."
This is a total freeze — the bank cannot lend, invest, borrow, accept deposits, disburse payments, or dispose of assets without the RBI's written permission. Depositors cannot withdraw. The direction is required to be "displayed on the bank's website/premises for perusal by interested members of the public."
The PMC Bank case started exactly this way in September 2019 — initial withdrawal restrictions at Rs 1,000, progressively raised as the investigation revealed the scale of the fraud. The difference with the November 2025 framework: the Banking Regulation Amendment Act 2020 now gives the RBI power to supersede the board and initiate reconstruction, powers it lacked during the PMC crisis.
214 Section 35A directions in our records. The overwhelming majority target co-operative banks — because co-operative banks have historically the weakest governance, and the dual regulation problem meant the state Registrar controlled board appointments while the RBI controlled banking operations. The 2020 Amendment partially bridged this gap.
What's the escalation ladder?
The enforcement spectrum has evolved over decades — from a system where the RBI could only issue advisories, to the current framework where it can freeze operations and supersede boards. The spectrum, from lightest to most severe:
Level 1 — Advisory letter. The inspection report finds minor deficiencies. The RBI writes to bank management directing corrective action. No public disclosure.
Level 2 — Show-cause and monetary penalty. Specific direction violations found. The six-step process described above. Public disclosure through press release. Penalty amounts range from Rs 1 lakh (small co-operative banks) to Rs 2 crore+ (large commercial banks). The 623 penalty orders in our records show this is by far the most common enforcement action.
Level 3 — Section 35A direction (operational restrictions). The bank's financial health or governance is deteriorating. Restrictions on lending, deposit acceptance, branch expansion, dividend payments, management changes. 214 instances, predominantly co-operative banks.
Level 4 — Board supersession. Available for co-operative banks since the 2020 Amendment Act. The RBI removes the elected board and appoints an administrator. This was the power the RBI lacked during the PMC crisis and obtained specifically because of it.
Level 5 — Moratorium and resolution. Section 45 of the BR Act. The bank is placed under moratorium, deposits are frozen, and the RBI initiates resolution — amalgamation with another bank, reconstruction, or liquidation. DICGC interim payments within 90 days are now mandatory under the 2021 DICGC Act amendment.
Level 6 — Licence cancellation. Section 22 of the BR Act. The bank ceases to exist as a banking entity. For NBFCs, the equivalent is cancellation of the Certificate of Registration under Section 45-IA(6) of the RBI Act.
Each level preserves the right to escalate: "Imposition of monetary penalty is without prejudice to any other action that may be initiated by RBI against the bank." A penalty at Level 2 doesn't preclude a Section 35A direction at Level 3 if the violations persist.
Can a bank challenge the penalty?
Yes — through writ jurisdiction of the High Court or the Supreme Court. The grounds:
Procedural fairness: Was the show-cause notice specific enough? Was the personal hearing genuinely conducted? Were the bank's submissions considered in the reasoned order?
Proportionality: Is the penalty amount justified by the nature of the violation?
Interpretation of direction: Did the bank's conduct actually violate the specific direction cited? If the direction is ambiguous, the bank may argue its interpretation was reasonable.
In practice, challenges are uncommon. The process — written notice, written reply, oral hearing, reasoned order with charges sustained/not sustained — is designed to survive judicial scrutiny. The RBI routinely notes in penalty orders that certain charges were "not sustained" — evidence that the bank's defence is actually considered.
What violations draw the most penalties?
Across 623 penalty press releases in our data, analysed by violation type:
KYC/AML leads with 97 penalty actions. The most common failures: not periodically reviewing customer risk categorisation, not uploading KYC records to CKYCR within the prescribed timeline, and not implementing sanctions screening systems. These are basic compliance obligations — and the fact that HDFC Bank (Rs 75 lakh), J&K Bank (Rs 99.30 lakh), and Central Bank of India (Rs 63.60 lakh) all got caught suggests the failure is systemic, not idiosyncratic.
Banking Regulation Act statutory violations follow with 34 actions — primarily Sections 19 and 20 (restrictions on holding shares and granting loans to directors' companies).
Unclaimed deposits/DEAF compliance: 20 actions. Banks failing to transfer unclaimed deposits to the Depositor Education and Awareness Fund or to maintain searchable databases. HSBC was fined Rs 31.80 lakh for this in March 2026.
NPA/IRAC recognition: 19 actions. Banks misclassifying non-performing assets as standard — the exact fraud mechanism that PMC Bank used to conceal Rs 6,500 crore in bad loans.
Gold loan LTV violations: 9 actions. NBFCs breaching the loan-to-value ratio ceilings on gold collateral — connecting to the PSL classification rules where gold loans must be classified by activity, not collateral.
Cyber security failures: 8 actions. Banks not implementing the Cyber Security Framework prescribed by the RBI — including the Mehsana UCB case above where cyber was one of six charges.
What does the Sonali Bank case tell us about foreign bank enforcement?
Foreign banks operating in India face the same enforcement framework as domestic banks. Sonali Bank PLC (Bangladesh) — a foreign bank with Indian branches — was penalised in June 2024 for six violations:
"The bank had failed to (i) put in place a system of periodic review of risk categorisation of accounts, (ii) put in use a robust software throwing alerts for transactions inconsistent with risk categorisation and updated profile of the customers, (iii) implement certain SWIFT-related operational controls within the stipulated timelines and (iv) become a member of all the CICs within the stipulated timelines." (PR_58103)
The KYC risk categorisation failure is the same as domestic banks face. But the SWIFT operational controls violation is distinctive — it connects to the global SWIFT security framework that the RBI mandated after the Bangladesh Bank heist of 2016, where attackers used compromised SWIFT credentials to steal $81 million. The RBI required all banks operating SWIFT infrastructure to implement specific controls — and Sonali Bank (a Bangladeshi bank, notably) hadn't met the timelines.
What does this mean for bank compliance officers, board members, and their lawyers?
For compliance officers: The ISE is not a surprise — it follows a known cycle. Your compliance position as of March 31 is what gets examined. Fix problems before the reference date, not after. The six-step process gives you two bites: the written reply and the personal hearing. Use both — charges do get dropped.
For board members: Director lending violations are the most personally consequential. The Mehsana UCB case shows the RBI penalises director lending "despite having been penalised for the same earlier" — repeat offences signal governance failure, which escalates the response from Level 2 (penalty) toward Level 4 (board supersession). The Board of Management requirement for UCBs with deposits above Rs 100 crore exists precisely because of these governance failures.
For lawyers: The statutory chain is Section 47A(1)(c) read with Section 46(4)(i) of the BR Act. For co-ops, add Section 56. For NBFCs, substitute Section 45L of the RBI Act. The penalty is "without prejudice to any other action" — meaning it doesn't preclude criminal prosecution if the violation involves fraud, or a Section 35A direction if the violation threatens depositor safety. Challenge on proportionality and interpretation, not on procedural grounds — the process is robust.
For depositors: If you see a Section 35A direction press release naming your bank, your deposits may be frozen. The DICGC covers up to Rs 5 lakh, and the 2021 amendment mandates interim payment within 90 days of a moratorium. If your bank is an NBFC, there is no DICGC coverage at all.
Last updated: April 2026