RBI/DoS/2026-27/XX
DoS.CO.FMG.XX/23.04.001/2026-27 XXXX XX, 2026 Reserve Bank of India (Payments Banks – Fraud Risk Management) Directions, 2026 Introduction These Directions are issued with a view to providing a framework for prevention, early detection, and timely reporting of incidents of fraud by Payments Banks to Law Enforcement Agencies (LEAs) and Reserve Bank of India (‘RBI’) and dissemination of information by RBI and matters connected therewith or incidental thereto. In exercise of the powers conferred under Section 35-A of the Banking Regulation Act, 1949, and all other provisions / laws enabling RBI in this regard, RBI being satisfied that it is necessary and expedient in public interest so to do, hereby, issues these Directions hereinafter specified. Chapter I - Preliminary A. Short Title and Commencement 1. These Directions shall be called the Reserve Bank of India (Payments Banks - Fraud Risk Management) Directions, 2026. 2. These Directions shall come into effect immediately upon issuance. B. Applicability 3. These Directions shall be applicable to Payments Banks (hereinafter collectively referred to as 'PBs' and individually as 'PB'). C. Definitions 4. In these Directions, unless the context states otherwise, the terms herein shall bear the meaning assigned to them below: (1) ‘Central Fraud Registry (CFR)’ is a web-based searchable database maintained by RBI. Fraud related data, including the updates thereof, directly flow to CFR from online reporting by the PB through Fraud Monitoring Returns (FMRs). (2) ‘Date of Classification’, for the purpose of reporting under FMR, is the date when due approval from the competent authority has been obtained for such classification, and the reasoned order is passed. (3) ‘Date of Detection’ to be reported in FMR, is the actual date when the fraud came to light in the concerned branch / audit / department of the PB, as the case may be, and not the date of approval by the competent authority of the PB. (4) ‘Date of Occurrence’, for the purpose of reporting under FMR, is the date when the actual misappropriation of funds has started taking place, or the event occurred, as evidenced / reported in the audit or other findings. (5) 'Red Flagged Account' is one where suspicion of fraudulent activity is thrown up by the presence of one or more Early Warning Signal (EWS) indicators, alerting / triggering deeper investigation from potential fraud angle and requiring initiation of preventive measures by all banks. Chapter II - Governance and Oversight A. Governance Structure for Fraud Risk Management 5. There shall be a Board approved policy on Fraud Risk Management delineating roles and responsibilities of Board / Board Committees and Senior Management of the PB. The policy shall inter alia contain measures towards prevention, early detection, investigation, staff accountability, monitoring, recovery, and reporting of frauds as well as a framework for Early Warning Signals (EWS) and Red Flagging of Accounts (RFA). In this context, ‘Board’ will refer to ‘Board of Directors’ of the PB. 6. The Policy shall also incorporate measures for ensuring compliance with principles of natural justice1 in a time-bound manner, which at a minimum, shall include: (1) Issuance of a detailed Show Cause Notice (SCN) to the Persons (including Third Party Service Providers and Professionals such as architects, valuers, chartered accountants, advocates, etc.), Entities and their Promoters / Whole-time and Executive Directors against whom allegation of fraud is being examined. The SCN shall provide complete details of transactions / actions / events basis which declaration and reporting of a fraud is being contemplated under these Directions. As non-whole-time directors (like nominee directors and independent directors) are normally not in charge of, or responsible to the company for the conduct of business of the company, the PB may take this into consideration before proceeding against such directors under these Directions. (2) A reasonable time of not less than 21 days shall be provided to the Persons / Entities on whom the SCN was served to respond to the said SCN. (3) The PB shall have a well laid out system for issuance of SCN and examination of the responses / submissions made by the Persons / Entities prior to declaring such Persons / Entities as fraudulent. (4) A reasoned Order shall be served on the Persons / Entities conveying the decision of the PB regarding declaration / classification of the account as fraud or otherwise. Such Order(s) must contain relevant facts / circumstances relied upon, the submission made against the SCN and the reasons for classification as fraud or otherwise. Explanation: The requirement of ensuring compliance to the principles of natural justice is applicable to all Persons / Entities and their Promoters / Whole-time and Executive Directors classified as fraud by the PB. In other words, this requirement is applicable in all cases of fraud classification which may have civil consequences (i.e., penal measures, caution listing) as observed in the Judgement of the Hon’ble Supreme Court dated March 27, 2023 (Civil Appeal No. 7300 of 2022 in the matter of State Bank of India & Ors. Vs. Rajesh Agarwal & Ors.). 7. The Fraud Risk Management Policy shall be reviewed by the Board at least once in three years, or more frequently, as may be prescribed by the Board. 8. Special Committee of the Board for Monitoring and Follow-up of cases of Frauds: (1) The PB shall constitute a Committee of the Board to be known as ‘Special Committee of the Board for Monitoring and Follow-up of cases of Frauds’ (SCBMF) with a minimum of three members of the Board, consisting of a whole-time director and a minimum of two independent directors / non-executive directors. The Committee shall be headed by one of the independent directors / non-executive directors. (2) SCBMF shall oversee the effectiveness of the Fraud Risk Management in the PB. SCBMF shall review and monitor cases of frauds, including root cause analysis, and suggest mitigating measures for strengthening the internal controls, risk management framework and minimising the incidence of frauds. The coverage and periodicity of such reviews shall be decided by the Board of the PB. The coverage may include, among others, categories / trends of frauds, industry / sectoral / geographical concentration of frauds, delay in detection / classification of frauds and delay in examination / conclusion of staff accountability, etc. (3) The threshold amount of fraud cases to be placed before the SCBMF shall be decided by the Board of the PB, after duly taking into account the scale and complexity of its operations. 9. The Senior Management shall be responsible for implementation of the fraud risk management policy approved by the Board of the PB. A periodic review of incidents of fraud shall also be placed before Board / Audit Committee of Board (ACB), as appropriate, by the Senior Management of the PB. 10. The PB shall put in place a transparent mechanism to ensure that Whistle Blower complaints on possible fraud cases / suspicious activities in account(s) are examined and concluded appropriately under its Whistle Blower Policy. 11. The PB shall set-up an appropriate organisational structure for institutionalisation of Fraud Risk Management within its overall risk management functions / Department. Fraud Risk Management includes prevention, early detection, investigation, staff accountability, monitoring, recovery, analysis and reporting of frauds, etc. and other related aspects under the Board approved Policy. A senior official in the rank of at least a General Manager or equivalent shall be responsible for monitoring and reporting of frauds. Chapter III - Early Detection of Frauds - Framework for Early Warning Signals and Red Flagging of Accounts A. Governance Structure 12. The PB shall have a framework for EWS and Red Flagging of Accounts (RFA) under the overall Fraud Risk Management Policy approved by the Board. 13. The Risk Management Committee of the Board (RMCB) shall oversee the effectiveness of the Board-approved framework for EWS and RFA. The Senior Management shall be responsible for implementation of a robust Framework for EWS and RFA within the PB. 14. The EWS indicators identified for monitoring banking transactions shall be approved by the RMCB. Appropriate Turnaround Time (TAT), preferably not more than 30 days, for examination of EWS alerts / triggers shall be prescribed by the RMCB. 15. RMCB shall review the status of red flagged accounts, including the EWS alerts / triggers, remedial actions initiated by the PB, etc. at periodic intervals as approved by the Board. 16. The EWS / RFA framework shall be subject to suitable validation in accordance with the directions of RMCB so as to ensure its integrity, robustness and consistency of the outcomes. 17. The EWS / RFA Framework shall provide for, among others: (1) A system of robust EWS which is integrated with Core Banking Solution (CBS) or other operational systems; (2) Initiation of remedial action on alerts / triggers from EWS System in a timely manner; (3) Periodic review of internal controls and systems; and (4) Effective use of the CFR. 18. The PB shall put in place / suitably upgrade its existing EWS system on an ongoing basis. B. Early Warning Signals Framework for Banking Transactions 19. The PB shall develop / strengthen its EWS system by identifying suitable indicators and parameterising them in its EWS system for monitoring banking transactions. The PB shall strive to continuously upgrade the EWS system for enhancing its integrity and robustness, monitor banking transactions efficiently and prevent fraudulent activities through the banking channel. Further, the effectiveness of EWS system shall be tested periodically. 20. The design and specification of EWS system shall be robust and resilient to ensure that integrity of system is maintained, personal and financial data of customers are secure and transaction monitoring for prevention / detection of potential fraud is on real-time basis or with a minimum time lag without compromising the effectiveness of the outcome of EWS system in prevention / detection of potential frauds. The PB shall remain vigilant in monitoring transactions / unusual activities, specifically in the non-KYC compliant and money mule accounts etc., to contain unauthorised / fraudulent transactions and to prevent misuse of banking channel. 21. The Data Analytics and MI Unit or other dedicated analytics set up in the PB shall extensively monitor and analyse banking transactions, more specifically the transactions through digital platforms and applications, in order to identify unusual patterns and activities which could alert the PB timely in initiating appropriate measures towards prevention of fraudulent activities. Chapter IV - General Instructions A. Independent Confirmation from Third-party Service Providers including Professionals 22. The PB may incorporate necessary terms and conditions in its agreements with third-party service providers to hold them accountable in situations where wilful negligence / malpractice by them is found to be a causative factor for fraud. 23. The PB shall, after complying with the principles of natural justice, report to Indian Banks’ Association (IBA) the details of such third parties or professionals involved in frauds. Indian Banks’ Association (IBA) would, in turn, prepare caution lists of such third parties for circulation among banks. B. Staff Accountability 24. The PB shall initiate and complete the examination of staff accountability in all fraud cases in a time-bound manner in accordance with its internal policy. 25. In cases involving very senior executives of the PB (MD & CEO / Executive Director / Executives of equivalent rank), the ACB shall initiate examination of their accountability and place it before the Board. Such executives shall not participate in the meeting of the Board / ACB / SCBMF in which their accountability is to be considered. C. Penal Measures 26. Persons / Entities classified and reported as fraud by the PB and also Entities and Persons associated with such Entities, shall be debarred from raising of funds and / or seeking additional credit facilities from financial entities regulated by RBI, for a period of five years from the date of full repayment of the defrauded amount / settlement amount agreed upon in case of a compromise settlement. Explanation: (1) If it is an Entity, another Entity will be deemed to be associated with it if that Entity is (i) a subsidiary company as defined under clause 2 (87) of the Companies Act, 2013 or (ii) falls within the definition of a ‘joint venture’ or an ‘associate company’ under clause (6) of Section 2 of the Companies Act, 2013. (2) In case of a Natural Person, all entities in which she / he is associated as promoter, or director, or as one in charge and responsible for the management of the affairs of the entity shall be deemed to be associated. Chapter V - Reporting of Frauds to Law Enforcement Agencies 27. The PB shall immediately report the incidents of fraud to LEAs, subject to applicable laws, as indicated below2: | Category of bank | Amount involved in the fraud | LEA to whom complaint should be lodged | Remarks | | Payments Banks | Below ₹1 crore | State / Union Territory (UT) Police | | | ₹1 crore and above | In addition to State / UT Police, Serious Fraud Investigation Office (SFIO), Ministry of Corporate Affairs, Government of India | Details of fraud are to be reported to SFIO in Fraud Monitoring Return (FMR) format. | Note: (1) As the thresholds for reporting to LEAs vary across the States / UTs, these reporting requirements have been prescribed after due consultation with Central Vigilance Commission, Department of Financial Services, Government of India and select LEAs. 28. The PB shall establish suitable nodal point(s) / designate officer(s) for reporting incidents of fraud to LEAs and for proper coordination to meet the requirements of the LEAs. Chapter VI - Reporting to Reserve Bank of India A. Reporting of Incidents of Fraud 29. To ensure uniformity and consistency while reporting incidents of fraud to RBI through Fraud Monitoring Returns (FMRs) using online portal, the PB shall choose the most appropriate category from any one of the following: (1) Misappropriation of funds and criminal breach of trust; (2) Fraudulent encashment through forged instruments; (3) Manipulation of books of accounts or through fictitious accounts, and conversion of property; (4) Cheating by concealment of facts with the intention to deceive any person and cheating by impersonation; (5) Forgery with the intention to commit fraud by making any false documents / electronic records; (6) Wilful falsification, destruction, alteration, mutilations of any book, electronic record, paper, writing, valuable security or account with intent to defraud; (7) Cash shortages on account of frauds; (8) Fraudulent transactions involving foreign exchange; (9) Fraudulent electronic banking / digital payment related transactions committed on banks; and (10) Other type of fraudulent activity not covered under any of the above. B. Central Fraud Registry 30. The PB shall put in place systems and procedures to ensure that the information available in Central Fraud Registry (CFR) is used for credit risk and fraud risk management effectively. 31. The PB is required to report payment system related disputed / suspected or attempted fraudulent transactions to Central Payments Fraud Information Registry (CPFIR), as required in terms of Circular Ref.CO.DPSS.OVRST.No.S1619/06-08-005/2022-23 dated December 26, 2022, maintained by RBI. However, such transactions, if subsequently concluded as fraud committed on the PB, shall invariably be reported through FMR so as to be reflected in CFR. C. Modalities of Reporting Incidents of Fraud 32. The PB shall furnish FMR in individual fraud cases, irrespective of the amount involved, immediately, but not later than 14 days from the date of classification of an incident / account as fraud. Updates to the FMR shall be provided through FMR Update Application (FUA). Further, filing / reporting of Monthly Certificate on Frauds, Monthly CFR Certificate and Flash Report by the PB to RBI is not required. 33. The PB shall also report frauds perpetrated in its group entities to RBI separately [the FMR shall be furnished through e-mail (doscofrmc@rbi.org.in) only], if such entities are not regulated / supervised by any financial sector regulatory / supervisory authority. The group entities will have to comply with the principles of natural justice before declaration of fraud (refer to Paragraph 6 above). ‘Group entities’, in this context, mean both the domestic and overseas subsidiaries, affiliates, joint ventures etc. as defined under applicable accounting standards, whether engaged in financial or non-financial services. 34. The PB shall adhere to the timeframe prescribed in these Directions for reporting of fraud cases to RBI. Delay in reporting of frauds, and the consequent delay in alerting other banks and dissemination of information through CFR could result in similar frauds being perpetrated elsewhere. The PB shall examine and fix staff accountability for delays in identification of fraud cases and in reporting to RBI. 35. While reporting frauds, the PB shall ensure that persons / entities who / which are not involved / associated with the fraud are not reported in the FMR. 36. The PB may, under exceptional circumstances, withdraw FMR / remove name(s) of perpetrator(s) from FMR. Such withdrawal / removal shall, however, be made with due justification and with the approval of an official at least in the rank of a whole-time director. 37. In cases where withdrawal of FMR / removal of name(s) of perpetrator(s) is necessitated due to Court directions, the PB may arrange to withdraw FMR / remove name(s) of perpetrator(s) immediately. Such cases shall subsequently be placed before the official in the rank of WTD for information. D. Closure of Fraud Cases Reported 38. The PB shall close fraud cases using ‘Closure Module’ where the actions as stated below are complete: (1) The fraud cases pending with LEAs / Court are disposed off; and (2) The examination of staff accountability has been completed. 39. The PB is allowed, for limited statistical / reporting purposes, to close those reported fraud cases involving amount up to ₹1 crore, where examination of staff accountability and disciplinary action, if any, have been taken and (1) The investigation is going on or charge-sheet has not been filed in the Court by LEA for more than three years from the date of registration of First Information Report (FIR); or (2) The charge-sheet is filed by the LEAs in trial court and the trial in the court has not commenced or is pending before the court for more than three years from the date of registration of FIR. 40. In all closure cases of reported frauds, the PB shall maintain details of such cases for examination by auditors. Chapter VII - Cheque Related Frauds - Reporting to Law Enforcement Agencies and Reserve Bank of India 41. To ensure uniformity and avoid duplication, reporting of frauds involving forged instruments, including fake / forged instruments sent in clearing in respect of truncated instruments, shall continue to be done by the paying banker and not by the presenting banker. In such cases the presenting bank shall immediately handover the underlying instrument to the drawee / paying bank, as and when demanded, to enable them to inform LEAs for investigation and further action under law and to report the fraud to RBI. 42. However, in the case of presentment of an instrument which is genuine but payment has been made to a person who is not the true owner; or where the amount has been credited before realisation and subsequently the instrument is found to be fake / forged and returned by the paying bank, the presenting bank which is defrauded or is put to loss by paying the amount before realisation of the instrument shall file the fraud report with RBI and inform the LEAs for investigation and further action under law. Chapter VIII - Other Instructions A. Role of Auditors 43. During the course of the audit, auditors may come across instances where the transactions in the account or the documents point to the possibility of fraudulent transactions in the account. In such a situation, the auditor should immediately bring it to the notice of the senior management and if necessary, to the ACB of the PB for appropriate action. 44. Internal Audit in the PB shall cover controls and processes involved in prevention, detection, classification, monitoring, reporting, closure and withdrawal of fraud cases, as well as weaknesses observed in the critical processes in the fraud risk management framework of the PB, including delay in reporting, non-reporting, conduct of staff accountability examination, prudential provisioning, etc. Chapter IX - Reporting Cases of Theft, Burglary, Dacoity and Robbery 45. The PB shall report instances of theft, burglary, dacoity and robbery (including attempted cases), to Fraud Monitoring Group (FMG), Department of Supervision, Central Office, Reserve Bank of India, immediately (not later than seven days) from their occurrence, in the prescribed format Report on Bank Robbery, Theft, etc. (RBR) through e-mail (doscofrmc@rbi.org.in). The format is available on RBI website. 46. The PB shall also submit a quarterly Return (RBR) on theft, burglary, dacoity and robbery to RBI using online portal, covering all such cases during the quarter. This shall be submitted within 15 days from the end of the quarter to which it relates. Chapter X - Repeal and Other Provisions A. Repeal and Saving 47. With the issue of these Directions, the existing directions, instructions, and guidelines relating to Fraud Risk Management as applicable to Payments Banks stand repealed, as communicated vide circular no. XX dated XXXX XX, 2026. The directions, instructions, and guidelines already repealed vide any of the directions, instructions, and guidelines listed in the above circular shall continue to remain repealed. 48. Notwithstanding such repeal, any action taken or purported to have been taken, or initiated under the repealed directions, instructions, or guidelines shall continue to be governed by the provisions thereof. All approvals or acknowledgments granted under these repealed lists shall be deemed as governed by these Directions. Further, the repeal of these directions, instructions, or guidelines shall not in any way prejudicially affect: (1) any right, obligation or liability acquired, accrued, or incurred thereunder; (2) any penalty, forfeiture, or punishment incurred in respect of any contravention committed thereunder; (3) any investigation, legal proceeding, or remedy in respect of any such right, privilege, obligation, liability, penalty, forfeiture, or punishment as aforesaid; and any such investigation, legal proceedings or remedy may be instituted, continued, or enforced and any such penalty, forfeiture or punishment may be imposed as if those directions, instructions, or guidelines had not been repealed. B. Application of Other Laws not barred 49. The provisions of these Directions shall be in addition to, and not in derogation of the provisions of any other laws, rules, regulations, or directions, for the time being in force. C. Interpretations 50. For giving effect to the provisions of these Directions or to remove any difficulties in the application or interpretation of the provisions of these Directions, RBI may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein and the interpretation of any provision of these Directions given by RBI shall be final and binding. (C. Saravanan)
Chief General Manager
|