On March 23, 2026, the RBI fined Central Bank of India Rs 63.60 lakh for two violations: failing to upload KYC records to the Central KYC Records Registry within the prescribed timeline, and opening duplicate Basic Savings Bank Deposit Accounts for customers who already had one. On March 18, HSBC got hit for Rs 31.80 lakh — for not hosting a searchable database of unclaimed deposits on its website and not generating Unclaimed Deposits Reference Numbers. On January 30, a district co-operative bank in Kanpur, Uttar Pradesh — Jilla Sahkari Bank — was fined Rs 3 lakh for failing to periodically review the risk categorisation of customer accounts.
Why does the RBI fine banks? Because its statutory inspections keep finding the same failures. Read these three penalties together and they tell you exactly where Indian banking compliance fails most often — and which RBI directions carry the sharpest teeth. The penalty framework exists because the RBI's supervisory inspections consistently reveal the same gaps — KYC updation failures, deposit management lapses, and governance deficiencies — across every entity type, from global banks to district co-operatives.
The Pattern: KYC and Deposits Are Where Banks Get Caught
The Central Bank of India penalty (RBI imposes monetary penalty on Central Bank of In) hit on two provisions from two different regulatory domains:
KYC violation: The KYC Directions mandate that regulated entities upload customer KYC records to CKYCR within 10 days of commencing an account-based relationship. This requirement was introduced in the 2016 Master Direction (Master Direction - Know Your Customer (KYC) Direct) and carried forward into all ten entity-specific KYC Directions issued in November 2025. Central Bank of India didn't meet this timeline for "certain customers" — a phrasing that usually means a systemic failure, not isolated cases.
BSBDA violation: The Deposit Regulation framework states that a customer holding a BSBDA account "shall not be eligible for opening any other savings bank deposit account in that RRB." Central Bank opened duplicates — either its CBS system didn't prevent it, or branch staff overrode the control.
The HSBC penalty (RBI imposes monetary penalty on The Hongkong and S) traced to the unclaimed deposits framework — HSBC didn't host a searchable unclaimed deposit database or generate UDRNs for deposits transferred to the DEAF Fund. Why did HSBC fail on this? Because the DEAF framework, introduced in 2014, requires proactive database maintenance — not just passive compliance. This is a compliance gap in a foreign bank — one that should have the resources to build a searchable database.
The Jilla Sahkari Bank penalty (RBI imposes monetary penalty on Jilla Sahkari Bank) hit on a specific KYC provision: periodic risk review of customer accounts. The KYC Directions require risk categorisation to be reviewed at least once every six months. This district co-operative bank in Kanpur — inspected by NABARD, not RBI directly — hadn't done it. Why was a district co-operative bank inspected for KYC risk categorisation? Because the 2016 Master Direction requires it for all regulated entities — and NABARD inspects co-ops on the RBI's behalf. The penalty was Rs 3 lakh — small for a commercial bank, significant for a district co-op.
The Statutory Basis
Every penalty follows the same statutory chain — a chain that was built through successive amendments to the Banking Regulation Act:
- Section 47A(1)(c) of the Banking Regulation Act, 1949 — empowers RBI to impose monetary penalties
- Section 46(4)(i) — specifies the penalty framework for contravention of directions
- Section 56 — extends these provisions to co-operative banks (AACS)
- Section 51(1) — additional penal provisions
The formula is identical across all three penalties: statutory inspection → supervisory finding → show-cause notice → bank's reply → personal hearing → order. The RBI's language is deliberately clinical:
"This action is based on deficiencies in statutory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank with its customers."
Why this disclaimer? Because a penalty is not a finding of fraud — it's a finding of non-compliance. The bank may have legitimate transactions with customers that remain valid even though the bank's compliance framework failed. The penalty punishes the institution's systems, not individual transactions.
What Happens When Big Banks Get Caught
Small co-operative banks aren't the only ones failing compliance. The largest commercial banks in India face the same inspection cycle — and the same consequences when the Inspection for Supervisory Evaluation (ISE) finds gaps.
State Bank of India was fined Rs 2 crore (PR_51277) in March 2021 for contravening provisions of Section 10(1)(b)(ii) of the Banking Regulation Act regarding employee compensation. Bank of India was fined Rs 5 crore (PR_49868) — the heaviest commercial bank penalty in our 2020 dataset — for three simultaneous violations: NPA divergence, improper current account opening, and fraud classification failures. IndusInd Bank drew Rs 4.50 crore (PR_50530) for exposure norms and asset classification breaches.
Why do these big-bank penalties matter? Because they demonstrate that the ISE process doesn't discriminate by bank size. A Rs 50,000 penalty on a Walchandnagar co-operative bank (PR_62372) and a Rs 5 crore penalty on Bank of India follow the same six-step process. The proportionality changes — the penalty amount reflects the bank's size and the severity of the violation — but the process is identical.
The 2025 penalty cycle brought cyber security into sharper focus. On April 29, 2025, the RBI fined ICICI Bank Rs 97.80 lakh for non-compliance with directions on the Cyber Security Framework in Banks — the 2016 framework that requires banks to maintain a Board-approved cyber security policy, a Security Operations Centre, and immediate incident reporting. On the same date, Axis Bank drew Rs 29.60 lakh for a separate set of compliance failures. These are not small co-operative banks struggling with technology budgets — ICICI and Axis are among India's largest private sector lenders, and the cyber security framework has been in force since 2016. Nine years is long enough to implement a security operations centre.
Two months earlier, in February 2025, the RBI imposed a penalty on The South Indian Bank (PR_59397) — again on compliance deficiencies found during statutory inspection. The pattern across 2025-2026 reveals a shift: while KYC and deposit management failures continue to dominate co-operative bank penalties, commercial bank penalties are increasingly driven by cyber security and IT governance failures. The Cyber Resilience and Digital Payment Security Master Direction of July 2024 has extended these obligations to non-bank payment system operators as well — meaning the next wave of penalty orders will likely include payment aggregators and prepaid instrument issuers alongside banks.
The Repeat Offender Problem
The most damning phrase in any penalty order is "despite having been penalised for the same earlier." The Mehsana Urban Co-operative Bank penalty (PR_58284) used exactly this language:
"The bank had sanctioned or renewed multiple director related credit facilities (both fund and non-fund based) to companies/concerns, where the directors or their relatives were interested, despite having been penalised for the same earlier."
The order listed six charges across director lending, cyber security, NPA recognition, investment limits, KYC risk categorisation, and exposure norms. The total penalty: Rs 5.93 crore. Repeated non-compliance signals governance failure — the board knows the rule, was penalised for breaking it, and broke it again. That's why repeat offences trigger escalation from monetary penalty toward Section 35A operational restrictions and eventually board supersession.
NBFCs face the same repeat-offender scrutiny. Bajaj Finance was fined Rs 2.50 crore (PR_50918) because of "persistent/repeat complaints about recovery and collection methods adopted by the company" — the fair practice framework violations had been flagged before, and Bajaj Finance hadn't fixed the root cause.
What the Penalties Tell You
The enforcement actions from early 2026 cluster around three themes that cut across the KYC, deposit, and co-operative bank regulatory domains:
- CKYCR upload failures — the Central KYC Registry is only as good as the data banks feed into it. Delays in uploading mean the "verify once, use everywhere" principle doesn't work.
- Unclaimed deposit management — the DEAF scheme requires banks to maintain searchable databases. Foreign banks and large commercial banks that don't do this leave depositors unable to find their own money.
- KYC risk review at small banks — the periodic review framework (high-risk: every 2 years, medium: 8 years, low: 10 years) requires functioning systems. District co-operative banks, many still on basic CBS, struggle with automated risk categorisation.
Each of these provisions traces back through a regulatory chain: the CKYCR upload mandate was introduced when the Central KYC Records Registry was established in 2015 (RBI/2015-16/251), carried forward into the 2016 Master Direction (Master Direction - Know Your Customer (KYC) Direct), and then superseded by the entity-specific KYC Directions (Reserve Bank of India (Commercial Banks – Know You) in November 2025. The unclaimed deposit database requirement came from the DEAF Scheme of 2014 (RBI/2013-14/614). The risk categorisation review mandate was part of the risk-based approach framework in the 2016 Master Direction. The penalties enforce provisions that are years — sometimes decades — old.
These are not exotic failures. They're bread-and-butter compliance — upload your data, maintain your databases, review your risk categories. The fact that a global bank (HSBC), a public sector bank (Central Bank of India), and a rural co-operative all failed on basics tells you the problem is systemic, not institutional. The full enforcement chain — from ISE inspection to monetary penalty to Section 35A direction to licence cancellation — exists because financial regulation only works when violations have consequences.
Last updated: April 2026