Master Directions on Fraud Risk Management in Non-Banking Financial Companies (NBFCs) (including Housing Finance Companies) - ಆರ್ಬಿಐ - Reserve Bank of India
Master Directions on Fraud Risk Management in Non-Banking Financial Companies (NBFCs) (including Housing Finance Companies)
RBI/DOS/2024-25/120 July 15, 2024 The Chairman / Managing Director / Chief Executive Officer Madam / Dear Sir, Master Directions on Fraud Risk Management in Non-Banking Financial Companies (NBFCs) (including Housing Finance Companies) Please find enclosed as Annex ‘Reserve Bank of India (Fraud Risk Management in NBFCs) Directions, 2024’ issued in exercise of the powers conferred by Sections 45K, 45L and 45M of the Reserve Bank of India Act, 1934 (Act 2 of 1934) and Sections 30A, 32 and 33 of the National Housing Bank Act, 1987. These Directions shall supersede the earlier Directions on the subject, namely, the Master Direction – Monitoring of Frauds in NBFCs (Reserve Bank) Directions, 2016 dated September 29, 2016. Yours faithfully (Rajnish Kumar) Encl.: as above. Master Directions (MD) on Fraud Risk Management in Non-Banking Financial Companies (NBFCs) (including Housing Finance Companies) In exercise of the powers conferred by Sections 45K, 45L and 45M of the Reserve Bank of India Act, 1934 (Act 2 of 1934), and Sections 30A, 32 and 33 of the National Housing Bank Act, 1987, the Reserve Bank of India being satisfied that it is necessary and expedient in the public interest and in the interest of banking policy to do so, hereby, issues the Directions hereinafter specified. 1.1 Short Title and Commencement These Directions shall be called the Reserve Bank of India (Fraud Risk Management in NBFCs) Directions, 2024. The provisions of these Directions shall, unless otherwise provided, apply to: 1.2.1 All Non-Banking Financial Companies1 (including Housing Finance Companies) in the Upper Layer, Middle Layer and in the Base Layer2 (with asset size of ₹500 crore and above3). 1.2.2 These NBFCs shall hereinafter collectively be referred to as ‘Applicable NBFCs’ for the purpose of these Directions. These Directions are issued with a view to providing a framework to Applicable NBFCs for prevention, early detection and timely reporting of incidents of fraud to Law Enforcement Agencies (LEAs), Reserve Bank of India (RBI) and National Housing Bank4 (NHB) and matters connected therewith or incidental thereto. 2. Governance Structure in Applicable NBFCs for Fraud Risk Management 2.1 There shall be a Board5 approved Policy6 on fraud risk management delineating roles and responsibilities of Board / Board Committees and Senior Management of the Applicable NBFC. The Policy shall also incorporate measures for ensuring compliance with principles of natural justice7 in a time-bound manner which at a minimum shall include: 2.1.1 Issuance of a detailed Show Cause Notice (SCN) to the Persons8, Entities and its Promoters / whole-time and Executive Directors against whom allegation of fraud is being examined9. The SCN shall provide complete details of transactions / actions / events basis which declaration and reporting of a fraud is being contemplated under these Directions. 2.1.2 A reasonable time of not less than 21 days shall be provided to the Persons / Entities on whom the SCN was served to respond to the said SCN. 2.1.3 Applicable NBFCs shall have a well laid out system for issuance of SCN and examination of the responses / submissions made by the Persons/Entities prior to declaring such Persons / Entities as fraudulent. 2.1.4 A reasoned Order shall be served on the Persons / Entities conveying the decision of the Applicable NBFCs regarding declaration / classification of the account as fraud or otherwise. Such Order(s) must contain relevant facts / circumstances relied upon, submission made against the SCN and the reasons for classification as fraud or otherwise. 2.2 The Fraud Risk Management Policy shall be reviewed by the Board at least once in three years, or more frequently, as may be prescribed by the Board. 2.3 Special Committee of the Board for Monitoring and Follow-up of cases of Frauds: Applicable NBFCs shall constitute a Committee of the Board to be known as ‘Special Committee of the Board for Monitoring and Follow-up of cases of Frauds’ (SCBMF) with a minimum of three members of the Board, consisting of the Chief Executive Officer10 and two Independent Directors. The Committee shall be headed by one of the Independent Directors. Applicable NBFCs categorised as Middle Layer and Base Layer for regulatory purposes11, shall have the option of constituting a Committee of the Executives (CoE) with a minimum of three members, at least one of whom shall be a Whole-time director or equivalent rank Official for the purpose of performing the roles and responsibilities of SCBMF as required under these Directions. 2.3.1 SCBMF shall oversee the effectiveness of the fraud risk management in the Applicable NBFC. 2.3.2 SCBMF shall review and monitor cases of frauds, including root cause analysis, and suggest mitigating measures for strengthening the internal controls, risk management framework and minimising the incidence of frauds. The coverage12 and periodicity of such reviews shall be decided by the Board of the Applicable NBFC. 2.4 The Senior Management shall be responsible for implementation of the fraud risk management policy approved by the Board of the Applicable NBFC. A periodic review of incidents of fraud shall also be placed before Board / Audit Committee of Board (ACB), as appropriate, by the Senior Management of the Applicable NBFC. 2.5 Applicable NBFCs shall put in place a transparent mechanism to ensure that Whistle Blower complaints on possible fraud cases / suspicious activities in account(s) are examined and concluded appropriately under their Whistle Blower Policy. 2.6 Applicable NBFCs shall set-up an appropriate organisational structure for institutionalisation of fraud risk management13 within their overall risk management functions / Department. A sufficiently senior official shall be responsible for monitoring and reporting of frauds. 2.7 Applicable NBFCs shall disclose the amount related to fraud reported in the company for the year in their Financial Statements – Notes to Accounts. CHAPTER III14 3.1 Framework for Early Warning Signals for Detection of Frauds 3.1.1 NBFCs in the Upper Layer and Middle Layer (NBFCs – UL & ML) shall have a framework for Early Warning Signals (EWS) under the overall Fraud Risk Management Policy approved by the Board. 3.1.2 A Board Level Committee15 shall oversee the effectiveness of the framework for EWS. The Senior Management shall be responsible for implementation of a robust Framework for EWS within the NBFCs – UL & ML. 3.1.3 NBFCs – UL & ML shall identify appropriate early warning indicators for monitoring credit facilities / loan accounts and other financial transactions. These indicators shall be reviewed periodically for their effectiveness. Suspicion of fraudulent activity thrown up by the presence of one or more EWS indicators shall alert / trigger deeper investigation from potential fraud angle and initiating preventive measures. 3.1.4 The EWS framework shall be subject to suitable validation in accordance with the directions of the Board Level Committee so as to ensure its integrity, robustness and consistency of the outcomes. 3.2 The EWS Framework shall provide for, among others: (i) A system of robust EWS which is integrated with Core Banking Solution (CBS) or other operational systems; (ii) Initiation of remedial action on triggers / alerts from EWS System in a timely manner; and (iii) Periodic review of credit sanction and monitoring processes, internal controls and systems. 3.3 EWS Framework for Credit Facilities / Loan Accounts 3.3.1 The EWS system shall be comprehensive and designed to include both the quantitative and qualitative indicators to make the framework robust and effective. The broad indicators which the EWS system may illustratively capture could be based on the transactional data of accounts, financial performance of borrowers, market intelligence, conduct of the borrowers, etc. 3.3.2 Generation of EWS alert(s) / trigger(s) shall necessitate examination whether the account needs to be investigated from potential fraud angle. 3.4 EWS Framework for other financial / non-credit related transactions16 3.4.1 NBFCs – UL & ML shall develop / strengthen their EWS system by identifying suitable indicators and parameterising them in their EWS system for monitoring other financial / non-credit related transactions. NBFCs – UL & ML shall strive to continuously upgrade the EWS system for enhancing its integrity and robustness, monitor other financial / non-credit related transactions efficiently and prevent fraudulent activities. Further, the effectiveness of EWS system shall be tested periodically. 3.4.2 The design and specification of EWS system shall be robust and resilient to ensure that integrity of the system is maintained, personal and financial data of customers are secure and transaction monitoring for prevention / detection of potential fraud is on real-time basis17. NBFCs – UL & ML shall remain vigilant in monitoring transactions / unusual activities, specifically in the non-KYC compliant and money mule accounts etc., so as to contain unauthorised / fraudulent transactions and to prevent misuse of banking / financial channel. 3.4.3 The dedicated MIS Unit or other Analytics Setup in NBFCs – UL & ML shall extensively monitor and analyse financial transactions, including transactions carried out through digital platforms / applications, in order to identify unusual patterns and activities which could alert the NBFCs – UL & ML in time for initiating appropriate measures towards prevention of fraudulent activities. 3.5 NBFCs – UL & ML shall put in place / suitably upgrade their existing EWS system within six months from the date of issuance of these Directions. 4. Credit facility / Loan account / Other financial transactions - indication of fraudulent activities Applicable NBFCs shall monitor activities in credit facility / loan account / other financial transactions and remain alert on activities which could potentially turn out to be fraudulent. 4.1 In case where there is a suspicion / indication of wrongdoing or fraudulent activity, Applicable NBFCs shall use an external audit18 or an internal audit as per their Board approved Policy for further investigation in such accounts. 4.1.1 Applicable NBFCs shall frame a policy on engagement of external auditors covering aspects such as due diligence, competency and track record of the auditors, among others. Further, the contractual agreement with the auditors shall, inter alia, contain suitable clauses on timeline for completion of the audit and submission of audit report to the Applicable NBFC within a specified time limit, as approved by the Board. 4.1.2 The loan agreement with the borrower shall contain clauses for conduct of such audit at the behest of lender(s). In cases where the audit report submitted remains inconclusive or is delayed due to non-cooperation by the borrower, Applicable NBFCs shall conclude on status of the account as a fraud or otherwise based on the material available on their record and their own internal investigation / assessment in such cases19. 4.1.3 Applicable NBFCs (sole lending, multiple banking arrangement or consortium lending) shall ensure that the principles of natural justice20 are strictly adhered to before classifying / declaring an account as fraud. 4.1.4 In case an account is identified as a fraud by any Applicable NBFC, the borrowal accounts of other group companies, in which one or more promoter(s) / whole-time director(s) are common, shall also be subjected to examination by Applicable NBFCs concerned from fraud angle under these Directions. 4.1.5 In cases where Law Enforcement Agencies (LEAs) have suo moto initiated investigation involving a borrower account, Applicable NBFCs shall follow the process of classification of account as fraud as per their Board approved Policy and in tune with the process as given under Para 2.1 ibid. 4.2 Independent confirmation from the third-party service providers including professionals Applicable NBFCs place reliance on various third-party service providers as part of pre-sanction appraisal and post-sanction monitoring. Therefore, Applicable NBFCs may incorporate necessary terms and conditions in their agreements with third-party service providers to hold them accountable in situations where wilful negligence / malpractice by them is found to be a causative factor for fraud. 4.3.1 Applicable NBFCs shall initiate and complete the examination of staff accountability in all fraud cases in a time-bound manner in accordance with their internal policy. 4.3.2. Government-NBFCs21 shall conduct examination of staff accountability as per the guidelines issued by the Central Vigilance Commission (CVC). In terms of CVC Order, Applicable NBFCs in the public sector shall also refer all fraud cases of amount involving ₹3 crore and above for examining the role of all levels of officials / whole-time directors (including ex-officials / ex-WTDs) to the Advisory Board for Banking and Financial Frauds (ABBFF)22 constituted by the CVC. 4.3.3 In cases involving very senior executives of the Applicable NBFCs (MD & CEO / Executive Director / Executives of equivalent rank)23, the ACB shall initiate examination of their accountability and place it before the Board. However, in case of Applicable NBFCs in the public sector, such cases shall also be referred to the ABBFF. 4.4.1 Persons / Entities classified and reported as fraud by Applicable NBFCs and also Entities and Persons associated24 with such Entities, shall be debarred from raising of funds and / or seeking additional credit facilities from financial entities regulated by RBI, for a period of five years from the date of full repayment of the defrauded amount / settlement amount agreed upon in case of a compromise settlement. 4.4.2 Lending to such Persons / Entities being commercial decisions, the lending Applicable NBFCs shall have the sole discretion to entertain or decline such requests for credit facilities after the expiry of the above mandatory cooling period as mentioned at Para 4.4.1 above. 4.5 Treatment of accounts under Resolution 4.5.1 In case an entity classified as fraud has subsequently undergone a resolution either under IBC or under the resolution framework of RBI25 resulting in a change in the management and control of the entity / business enterprise, the Applicable NBFC shall examine whether the entity shall continue to remain classified as fraud or the classification as fraud could be removed after implementation of the Resolution Plan under IBC or aforesaid prudential framework. This would, however, be without prejudice to the continuance of criminal action against erstwhile promoter(s) / director(s) / persons who were in charge and responsible for the management of the affairs of the entity / business enterprise. 4.5.2 The penal measures as detailed in Para 4.4 shall not be applicable to entities / business enterprises after implementation of the resolution plan under IBC or aforesaid prudential framework. 4.5.3 The penal measures detailed in Para 4.4 shall continue to apply to the erstwhile promoter(s)/ director(s)/ persons who were in charge and responsible for the management of the affairs of the entity / business enterprise. 5. Reporting of Frauds to Law Enforcement Agencies (LEAs) 5.1 Applicable NBFCs shall immediately report the incidents of fraud to appropriate LEAs, viz. State Police authorities, etc., subject to applicable laws. 5.2 Applicable NBFCs shall establish suitable nodal point(s) / designate officer(s) for reporting incidents of fraud to LEAs and for proper coordination to meet the requirements of the LEAs. CHAPTER VI26 6.1 Reporting of Incidents of Fraud to Reserve Bank of India (RBI) To ensure uniformity and consistency while reporting incidents of fraud to RBI through Fraud Monitoring Returns (FMRs) using online portal, Applicable NBFCs shall choose the most appropriate category from any one of the following:
6.2 Modalities of Reporting Incidents of Fraud to RBI 6.2.1 Applicable NBFCs shall furnish FMR27 in individual fraud cases, irrespective of the amount involved, immediately but not later than 14 days from the date of classification28 of an incident / account as fraud. 6.2.2 Incidents of fraud at overseas branches of Indian NBFCs shall also be reported to the concerned overseas LEAs in accordance with the relevant laws / regulations of the host countries. 6.2.3 Applicable NBFCs shall also report frauds perpetrated in their group entities29 to RBI separately30, if such entities are not regulated / supervised by any financial sector regulatory / supervisory authority. However, in case of overseas financial group entity of Indian NBFC, the parent NBFC shall also report incidents of fraud to RBI. The group entities will have to comply with the principles of natural justice before declaration of fraud31. 6.2.4 Applicable NBFCs shall adhere to the timeframe prescribed in these Master Directions for reporting of fraud cases to RBI32. Applicable NBFCs must examine and fix staff accountability for delays in identification of fraud cases and in reporting to RBI. 6.2.5 While reporting frauds, Applicable NBFCs shall ensure that persons / entities who / which are not involved / associated with the fraud are not reported in the FMR. 6.2.6 Applicable NBFCs may, under exceptional circumstances, withdraw FMR / remove name(s) of perpetrator(s) from FMR. Such withdrawal / removal shall, however, be made with due justification and with the approval of an official at least in the rank of a director. 6.3 Closure of Fraud Cases Reported to RBI 6.3.1 Applicable NBFCs shall close fraud cases using ‘Closure Module’ where the actions as stated below are complete:
6.3.2 NBFCs are allowed, for limited statistical / reporting purposes, to close those reported fraud cases involving amount upto ₹25 lakh, where examination of staff accountability and disciplinary action, if any, has been taken and:
6.3.3 In all closure cases of reported frauds, Applicable NBFCs shall maintain details of such cases for examination by auditors. 7.1 Legal Audit of Title Documents in respect of Large Value Loan Accounts Applicable NBFCs shall subject the title deeds and other related title documents in respect of all credit facilities of ₹1 crore and above to periodic legal audit and re-verification, till the loan is fully repaid. The scope and periodicity of legal audit shall be in accordance with the Board approved policy referred to in clause 2.1 above. 7.2 Treatment of Accounts classified as Fraud and sold to other Lenders / Asset Reconstruction Companies (ARCs)33 Applicable NBFCs shall complete the investigation from fraud angle before transferring the loan account / credit facility to other lenders / ARCs. In cases where Applicable NBFCs conclude that a fraud has been perpetrated in the account, they shall report it to RBI / NHB34 before selling the accounts to other lenders / ARCs35. 7.3.1 During the course of the audit, auditors may come across instances where the transactions in the account or the documents point to the possibility of fraudulent transactions in the account. In such a situation, the auditor should immediately bring it to the notice of the senior management and if necessary, to the Audit Committee of the Board (ACB) of the Applicable NBFCs for appropriate action. 7.3.2 Internal Audit in Applicable NBFCs shall cover controls and processes involved in prevention, detection, classification, monitoring, reporting, closure and withdrawal of fraud cases, and also weaknesses observed in the critical processes in the fraud risk management framework of the Applicable NBFC36. 7.4 ‘Date of Occurrence’, ‘Date of Detection’ and ‘Date of Classification’ of Fraud – for the purpose of reporting under FMR 7.4.1 The ‘date of occurrence’ is the date when the actual misappropriation of funds has started taking place, or the event occurred, as evidenced / reported in the audit or other findings. 7.4.2 The ‘date of detection’ to be reported in FMR is the actual date when the fraud came to light in the concerned branch / audit / department, as the case may be, and not the date of approval by the competent authority of the Applicable NBFC. 7.4.3 The ‘date of classification’ is the date when due approval from the competent authority has been obtained for such a classification, and the reasoned order is passed. CHAPTER VIII37 8. Reporting Cases of Theft, Burglary, Dacoity and Robbery 8.1 Applicable NBFCs shall report38 instances of theft, burglary, dacoity and robbery (including attempted cases), to Fraud Monitoring Group (FMG), Department of Supervision, Central Office, Reserve Bank of India, immediately (not later than seven days) from their occurrence. 8.2 Applicable NBFCs shall also submit a quarterly Return (RBR) on theft, burglary, dacoity and robbery to RBI using online portal, covering all such cases during the quarter. This shall be submitted within 15 days from the end of the quarter to which it relates. With the issue of these Directions, the instructions / guidelines contained in the Circulars issued by the Reserve Bank of India listed in Appendix stand repealed, as the contents of the same have been incorporated in the Master Directions. All the instructions / guidelines contained in these Circulars shall be deemed as given under these Directions. List of Circulars Repealed
1 Non-banking financial company as defined in Section 45 I(f) of the Reserve Bank of India Act, 1934 (Act 2 of 1934). 2 Please refer to the Reserve Bank’s guidelines on ‘Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs’ dated October 22, 2021. 3 Asset size as per audited balance sheet as on 31st March of the immediate preceding Financial Year. 4 HFCs shall report the incidents of fraud to NHB as hitherto. 5 Board of Directors of the Applicable NBFC. 6 The policy shall inter alia contain measures towards prevention, early detection, investigation, staff accountability, monitoring, recovery and reporting of frauds. 7 Please refer to the judgement of the Hon’ble Supreme Court dated March 27, 2023 on Civil Appeal No.7300 of 2022 in the matter of State Bank of India & Ors Vs. Rajesh Agarwal & Ors. and connected matters, read with the Order dated May 12, 2023 passed by the Hon’ble Supreme Court in Misc. Application. No.810 of 2023, specifically in relation to serving a notice, giving an opportunity to submit a representation before classifying Persons / Entities as fraud and passing a reasoned order. The orders of the Hon’ble High Court of Bombay dated August 7, 2023 in Writ Petition (L) No. 20751 of 2023 and the Hon’ble High Court of Gujarat dated August 31, 2023 in Special Civil Application No. 12000 of 2021 and connected matters shall be referred to. 8 Including Third Party Service Providers and Professionals such as architects, valuers, chartered accountants, advocates, etc. 9 As non-whole-time directors (like nominee directors and independent directors) are normally not in charge of, or responsible to the company for the conduct of business of the company, Applicable NBFCs may take this into consideration before proceeding against such directors under these Directions. 10 Managing Director where the Chief Executive Officer is not a whole-time director. 11 Please refer to the Reserve Bank’s guidelines on ‘Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs’ dated October 22, 2021. 12 The coverage may include, among others, categories/trends of frauds, industry/sectoral/ geographical concentration of frauds, delay in detection/classification of frauds and delay in examination/conclusion of staff accountability, etc. 13 i.e. prevention, early detection, investigation, staff accountability, monitoring, recovery, analysis and reporting of frauds, etc. and other related aspects under the Board approved Policy. 14 The Directions prescribed under Chapter III shall be applicable to NBFCs in the Upper Layer and Middle Layer only. 15 i.e. Risk Management Committee or any other Committee having similar functions. 16 i.e., other than those transactions covered under Para 3.3. 17 or with a minimum time lag without compromising the effectiveness of the outcome of EWS system in prevention / detection of potential frauds. 18 Auditors who are qualified to conduct audit under relevant statutes. 19 Applicable NBFCs shall ensure that principles of natural justice are strictly adhered to before classifying / declaring an account as fraud (Please refer to Para 2.1 ibid). 20 Please refer to the judgement of the Hon’ble Supreme Court dated March 27, 2023 on Civil Appeal No.7300 of 2022 in the matter of State Bank of India & Ors Vs. Rajesh Agarwal & Ors. and connected matters, read with the Order dated May 12, 2023 passed by the Hon’ble Supreme Court in Misc. Application. No.810 of 2023, specifically in relation to serving a notice, giving an opportunity to submit a representation before classifying Persons / Entities as fraud and passing a reasoned order. The orders of the Hon’ble High Court of Bombay dated August 7, 2023 in Writ Petition (L) No. 20751 of 2023 and the Hon’ble High Court of Gujarat dated August 31, 2023 in Special Civil Application No. 12000 of 2021 and connected matters shall be referred to (Please refer to Para 2.1 ibid). 21 As listed in the Standard Operating Procedure dated September 15, 2021 for making references to ABBFF issued by CVC. 22 Please refer to the Vigilance Manual issued by Central Vigilance Commission (CVC), CVC Office Order No. 02/01/22 dated January 06, 2022 and CVC Office Order No. 10/03/22 dated March 14, 2022 updated from time to time. 23 Such executive shall not participate in the meeting of the Board / ACB / SCBMF in which their accountability is to be considered. 24 (a) if it is an entity, another entity will be deemed to be associated with it, if that entity is (i) a subsidiary company as defined under clause 2 (87) of the Companies Act, 2013 or (ii) falls within the definition of a ‘joint venture’ or an ‘associate company’ under clause (6) of section 2 of the Companies Act, 2013. (b) in case of a natural person, all entities in which she / he is associated as promoter, or director, or as one in charge and responsible for the management of the affairs of the entity shall be deemed to be associated. 25 Prudential Framework for Resolution of Stressed Assets dated June 7, 2019 (as amended from time to time) issued by the RBI. 26 The reporting requirements prescribed under Chapter VI are not applicable to HFCs. They shall report incidents of fraud to NHB in the manner and in Returns / Formats as prescribed by NHB. 27 Updates to the FMR shall be provided through FMR Update Application (FUA). 28 As defined under Para 7.4.3. 29 Group entities mean both the domestic and overseas subsidiaries, affiliates, joint ventures etc. as defined under applicable accounting standards, whether engaged in financial and non-financial services. 30 However, the FMR shall be furnished through e-mail (fmgconbfc@rbi.org.in) only. 32 Delay in reporting of frauds, and the consequent delay in alerting other NBFCs could result in similar frauds being perpetrated elsewhere. 33 Reference is invited to Master Direction – Reserve Bank of India (Transfer of Loan Exposures) Directions, 2021 (ref:DOR.STR.REC.51/21.04.048/2021-22 dated September 24, 2021) as updated from time to time. 35 In cases where accounts are sold to ARCs, Applicable NBFCs shall continue to report subsequent developments in such accounts to RBI / NHB, by obtaining requisite information periodically from the concerned ARCs. 36 Including delay in reporting, non-reporting, conduct of staff accountability examination, prudential provisioning, etc. 37 The reporting requirements prescribed under Chapter VIII are not applicable to HFCs. They shall report incidents of theft, burglary, dacoity and robbery to NHB in the manner and in Returns / Formats as prescribed by NHB. 38 In the prescribed format ‘Report on Bank Robbery, Theft, etc. (RBR) through e-mail (fmgconbfc@rbi.org.in) |