Why Banks Must Report Fraud Within 7 Days — and What Happens When They Don't

On September 23, 2019, the Reserve Bank of India placed the Punjab and Maharashtra Cooperative Bank under directions, restricting withdrawals to Rs 1,000 per account. Within days, the limit was raised — first to Rs 10,000, then to Rs 25,000, then to Rs 40,000. But the damage was done. Depositors had been locked out of their own money, and the reason was a fraud that had been concealed for years. PMC Bank had disguised Rs 6,500 crore in loans to a single real estate group — HDIL — by creating fictitious accounts in its core banking system. The bank's own management knew. The auditors should have known. But the RBI did not know, because the fraud was never reported through the channels designed to catch exactly this kind of failure. The PMC Bank collapse became the most powerful argument for why fraud reporting rules exist, and why the penalties for non-reporting must be severe enough to make concealment more dangerous than disclosure.

How Did India's Fraud Reporting Framework Develop?

The framework did not arrive fully formed. It grew in layers, each one a response to a failure the previous layer did not catch.

The earliest Master Circular on fraud classification and reporting dates to August 13, 2001, when the RBI consolidated its fraud-related instructions for all commercial banks:

"Reserve Bank of India has, from time to time, issued a number of guidelines/instructions/directives to banks in regard to matters relating to classification and reporting of frauds, dacoities, robberies etc." (Fraud Classification Master Circular, RBI_361)

This was a manual, paper-based system. Banks filled out forms, mailed them to the RBI, and the regulator maintained records. For NBFCs, the approach was separate and later-developed, reflecting the fact that NBFC regulation lagged behind bank regulation in almost every domain.

The system was updated annually through Master Circulars — 2003, 2005, 2007, 2008, 2009, 2010, 2011 — each incorporating incremental changes but preserving the basic architecture of classification and periodic reporting.

The real transformation came in January 2016, when the RBI operationalised the Central Fraud Registry:

"Along with early detection mechanisms for frauds, a Central Fraud Registry is also proposed to be created simultaneously as a searchable centralised database for use by banks." (CFR Operationalisation, RBI/2015-16/295)

Why does the CFR matter? Because before it existed, a fraudster who defrauded one bank could walk into another bank and do the same thing. There was no shared database. Each bank maintained its own records, and no bank could check whether a borrower had been involved in fraud at another institution. The CFR created that shared database — a searchable registry that any bank could query before extending credit.

What Changed in 2016 and 2017 with the Master Directions?

The 2016 Master Directions on Frauds — Classification and Reporting replaced the annual Master Circular approach with a permanent, updatable framework:

"These Master Directions, being issued under Section 35 A of the Banking Regulation Act, 1949, consolidate and update all the instructions issued on the subject." (Master Directions on Frauds 2016, RBI_10477)

Simultaneously, separate directions were issued for NBFCs (since withdrawn) and UCBs, each adapted to the regulatory context of the entity type.

The 2011 forensic scrutiny guidelines had already highlighted the systemic weaknesses:

"In the recent past, we had conducted forensic scrutinies at certain identified banks due to occurrence of large value frauds or sharp increase in number of frauds at such banks. The scrutinies were undertaken to primarily identify the policy gaps, if any, and adequacy of controls." (Forensic Scrutiny Guidelines, RBI/2010-11/555)

Why were forensic scrutinies necessary? Because the regular reporting framework was catching frauds after the damage was done, not while they were happening. The scrutinies revealed systemic failures: inadequate internal controls, poor segregation of duties, lax monitoring of large-value accounts, and — critically — a culture of delayed reporting that gave fraudsters time to widen the damage.

What Does the 2024 Fraud Risk Management Framework Require?

On July 15, 2024, the RBI issued comprehensive new Master Directions on Fraud Risk Management, superseding the 2016 directions and representing the most significant overhaul of fraud regulation in two decades. Separate directions were issued simultaneously for UCBs and cooperative banks and for NBFCs including Housing Finance Companies.

The 2024 framework shifts the emphasis from reporting after the fact to preventing and detecting before the fact:

"These Directions are issued with a view to providing a framework to banks for prevention, early detection and timely reporting of incidents of fraud to Law Enforcement Agencies (LEAs), Reserve Bank of India (RBI) and NABARD and dissemination of information by RBI." (Fraud Risk Management Directions 2024, RBI/2013-14/601)

The sequence — prevention, early detection, timely reporting — is deliberate. It reverses the historical priority, which was reporting first and prevention as an afterthought.

How Does the Early Warning Signals Framework Work?

Chapter III of the 2024 directions mandates that every bank have a framework for Early Warning Signals (EWS) and Red Flagging of Accounts (RFA):

"Banks shall have a framework for Early Warning Signals (EWS) and Red Flagging of Accounts (RFA) under the overall Fraud Risk Management Policy approved by the Board. A Red Flagged Account is one where suspicion of fraudulent activity is thrown up by the presence of one or more EWS indicators, alerting/triggering deeper investigation from potential fraud angle and initiating preventive measures by the banks." (EWS Framework, RBI/2013-14/601)

The framework requires:

Board-level governance. The Risk Management Committee of the Board must oversee the EWS framework. This is not a compliance department function — it is a board-level responsibility. Why? Because fraud risk is existential risk, as PMC Bank demonstrated.

Integrated EWS systems. The EWS must be integrated with the Core Banking Solution or other operational systems — not a separate, manual process. This reflects the lesson of PMC Bank, where the fraud was concealed by manipulating the CBS itself. An EWS that sits outside the CBS can detect manipulation of the CBS.

A dedicated Data Analytics and Market Intelligence Unit. Banks must set up specialised units that process information to detect potentially fraudulent activities:

"Banks shall set up a dedicated Data Analytics and MI Unit keeping in view their size, complexity, business mix, risk profile, etc. Such Unit shall facilitate collection and processing of relevant information to enable an early detection and prevention of potentially fraudulent activities." (Data Analytics Unit, RBI/2013-14/601)

The 7-day reporting trigger. Once an account is red-flagged, the bank must report it to the RBI through the CRILC platform within seven days:

"An account meeting the CRILC reporting threshold by the reporting entity, once red flagged, shall be reported to the Reserve Bank within seven days of being red flagged." (7-Day Reporting, RBI/2013-14/601)

Why seven days? Because PMC Bank demonstrated what happens when reporting is delayed indefinitely — the fraud grows, the damage compounds, and by the time the regulator learns about it, recovery is impossible. Seven days is tight enough to limit damage and loose enough to allow a bank to conduct preliminary verification before reporting.

A 30-day investigation turnaround. The Risk Management Committee must prescribe a turnaround time — preferably not more than 30 days — for examining EWS alerts. This prevents alerts from languishing in a queue while the underlying fraud continues.

What Are Fraud Categories and Reporting Thresholds?

The 2024 framework classifies frauds into categories based on the nature of the fraud (advance-related, deposit-related, cheque and demand draft, forex, cyber) and the amount involved. Different amounts trigger different levels of reporting and investigation:

The Fraud Monitoring Return (FMR) remains the primary reporting instrument. The RRA 2.0 in February 2022 had recommended discontinuing the quarterly FMR-2 return, streamlining the reporting burden while maintaining the core FMR-1 for individual fraud reporting.

Staff accountability is explicitly addressed. Banks must examine and fix accountability for delays in fraud identification and reporting:

"Banks shall examine and fix staff accountability for delays in identification of fraud cases and in reporting to RBI." (Staff Accountability, RBI/2013-14/601)

Why is this provision necessary? Because in many fraud cases, the delay in reporting is not accidental — it is deliberate concealment by staff who were complicit in or negligent about the fraud. Making accountability mandatory converts passive tolerance of delays into an active compliance obligation.

What Is the Connection Between Fraud and Connected Lending?

The most damaging banking frauds are rarely committed by outsiders. They are committed — or enabled — by insiders: directors who approve loans to their own companies, officers who override credit limits for favoured borrowers, and boards that look the other way when a single group accounts for a disproportionate share of the loan book.

PMC Bank is the canonical example. The bank's management had extended loans worth Rs 6,500 crore to HDIL and its related entities — far exceeding the bank's exposure norms — and then concealed the exposure by creating fictitious loan accounts in the CBS. The RBI's directions restricting PMC Bank remained in force for years:

"Punjab and Maharashtra Cooperative Bank Limited, Mumbai, Maharashtra, a Multi-State Urban Cooperative Bank was placed under All-Inclusive Directions under sub-section (1) of Section 35 A read with Section 56 of the Banking Regulation Act, 1949 with effect from close of business on September 23, 2019." (PMC Bank Directions, RBI_PR_50830)

The 2024 fraud risk management directions address this connection by requiring banks to adhere to principles of natural justice before classifying an account as fraud — while also ensuring that the classification process cannot be delayed indefinitely:

"The bank (in case of sole lending) or the individual banks (in case of multiple banking arrangement or consortium lending) shall ensure that the principles of natural justice are strictly adhered to before classifying/declaring an account as fraud." (Natural Justice, RBI/2013-14/601)

This balances two competing needs: the bank's obligation to report fraud promptly, and the borrower's right to be heard before being labelled a fraudster. Why does this balance matter? Because a fraud classification has severe consequences — it goes into the Central Fraud Registry, it triggers enhanced scrutiny across the banking system, and it can lead to criminal prosecution. Getting it wrong in either direction — false positive or delayed detection — has real costs.

What Happens When Banks Fail to Report?

The RBI has two enforcement levers for fraud reporting failures.

Supervisory action. The RBI's Department of Supervision can initiate action against banks that fail to comply with fraud reporting requirements, including imposing restrictions on business operations.

Monetary penalties. Under Section 47A of the Banking Regulation Act, 1949, the RBI can impose penalties on banks for non-compliance with directions. Fraud reporting delays and classification failures have been among the grounds for penalties imposed on multiple banks.

The Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, established in 2010, had already highlighted the growing threat of cyber fraud — a category that barely existed when the original fraud classification framework was created in 2001.

The 2024 framework also covers the treatment of accounts classified as fraud and sold to Asset Reconstruction Companies, the role of auditors in detecting fraud, and the distinction between "date of occurrence," "date of detection," and "date of classification" — three different dates that determine reporting obligations and provisioning timelines.

Why Does the Three-Entity Architecture of 2024 Matter?

The simultaneous issuance of three separate fraud risk management directions — for commercial banks, cooperative banks, and NBFCs — reflects the entity-specific approach that would later characterise the November 2025 consolidation. Each entity type faces different fraud risks, has different institutional structures, and needs different governance provisions.

A large commercial bank with a dedicated data analytics unit and a sophisticated CBS faces different fraud challenges than a small urban cooperative bank with 15 branches and a basic CBS. The directions recognise this by scaling requirements to institutional capacity while maintaining the same core principles: prevention, early detection, timely reporting.

Why three directions instead of one with entity-specific carve-outs? Because the experience of the previous two decades showed that one-size-fits-all directions — with footnotes saying "for UCBs, read X as Y" — created confusion. Separate, self-contained directions are longer but clearer. A UCB compliance officer reads the UCB fraud risk management direction and knows exactly what applies to their institution without parsing exemptions and carve-outs from a general direction.

The Larger Lesson: What Fraud Reporting Reveals About Regulatory Design

The evolution of India's fraud reporting framework — from annual Master Circulars mailed on paper in 2001, through the Central Fraud Registry in 2016, to the comprehensive EWS-based prevention framework of 2024 — reveals a consistent pattern in Indian financial regulation. The RBI learns from failures. Each major fraud — PMC Bank, the Nirav Modi-PNB fraud, the IL&FS collapse — produces regulatory changes designed to prevent recurrence.

The question is whether the regulatory response is fast enough. The seven-day reporting trigger is an acknowledgement that speed matters. The EWS framework is an acknowledgement that detection before classification matters even more. And the requirement for Board-level governance of fraud risk is an acknowledgement that none of it works unless the institution's leadership treats fraud prevention as a core business function, not a compliance checkbox.

The framework is in place. Whether it prevents the next PMC Bank depends on whether banks implement it with the seriousness the regulation demands — and whether the RBI enforces it with the consistency that deterrence requires.

Last updated: April 2026

Written by Sushant Shukla