RBI Frauds MD 2024: What It Requires and Who It Applies To

Applies to: banks, NBFCs
Jurisdictions: IN

The Reserve Bank of India's Master Direction on Frauds 2024 requires all scheduled commercial banks, select non-banking financial companies, and all-India financial institutions to classify, detect, and report fraud incidents to the RBI within prescribed timeframes. It mandates board-level governance, police reporting for frauds above Rs. 1 crore, and quarterly Fraud Monitoring Returns.

What is RBI Frauds MD 2024?

The RBI Master Direction on Frauds 2024 is a consolidated regulatory framework issued by the Reserve Bank of India that governs how banks and certain non-banking financial companies must classify, detect, report, and manage fraud. It supersedes earlier piecemeal circulars and updates the 2016 Master Direction on Frauds. The 2024 version aligns India's regime more closely with FATF standards and Basel Committee guidance on operational risk.

The direction came into force in 2024. The impetus was concrete: India's banking sector reported 13,564 fraud cases worth Rs. 30,252 crore in fiscal year 2022-23, according to the RBI Annual Report 2022-23. The regulator's diagnosis was equally concrete. Fragmented circulars, inconsistent classification practices, and weak board oversight had allowed fraud risks to accumulate without adequate accountability. A single binding reference was needed.

The framework covers fraud classification across eight prescribed categories, mandatory reporting timelines, staff accountability procedures, recovery tracking, and board-level governance requirements. It sits inside a broader financial crime architecture that includes the Prevention of Money Laundering Act (PMLA) and the RBI KYC Master Direction. The two frameworks intersect frequently: a fraud detected during a periodic Know Your Customer (KYC) review may simultaneously trigger an FMR to the RBI and a Suspicious Transaction Report to India's Financial Intelligence Unit.

Non-compliance with reporting timelines has attracted monetary penalties since earlier iterations of this direction. The 2024 update tightens several timelines and materially expands NBFC coverage.


Who does RBI Frauds MD 2024 apply to?

The direction applies across a wide range of regulated entities operating in India:

  • Scheduled Commercial Banks (SCBs): All public sector banks, private sector banks, foreign banks with Indian branches, regional rural banks, and small finance banks. This covers institutions ranging from State Bank of India and HDFC Bank to smaller state-level regional rural banks.
  • Non-Banking Financial Companies (NBFCs): NBFCs classified as Upper Layer (NBFC-UL) and Middle Layer (NBFC-ML) under the RBI's scale-based regulation framework, including housing finance companies that transferred to RBI oversight following the 2019 amendments to the National Housing Bank Act.
  • All India Financial Institutions (AIFIs): Entities such as NABARD, NHB, EXIM Bank, and SIDBI.
  • Primary (Urban) Co-operative Banks (UCBs): Scheduled UCBs with deposits above Rs. 500 crore face the full compliance regime. UCBs below this threshold have reduced but still binding obligations.
  • Local Area Banks.

Foreign bank branches operating in India are fully covered for their India-domiciled operations. There's no asset-size exemption for scheduled commercial banks. Every SCB, regardless of balance sheet size, must meet the full reporting, governance, and accountability requirements.

NBFCs classified as Base Layer (NBFC-BL) are the one category with lighter obligations. They must maintain fraud registers and report to the RBI, but the board governance and staff accountability requirements are less prescriptive than for Upper and Middle Layer peers.

The expanded NBFC coverage in 2024 is one of the most substantive changes from the 2016 direction. Compliance teams at mid-sized NBFCs that previously operated under informal practices now face binding FMR timelines and board oversight mandates that apply to them for the first time.


What does RBI Frauds MD 2024 require?

The direction's core obligations fall into eight categories:

  1. Fraud classification: Every detected fraud must be mapped to one of eight RBI-prescribed categories: misappropriation and criminal breach of trust; fraudulent encashment and manipulation of books; unauthorized credit facilities; cash shortages; cheating and forgery; irregularities in foreign exchange transactions; card, internet, and cyber fraud; and other types. Each incident in the Fraud Monitoring Return must carry exactly one category.

  2. Reporting to RBI within 21 days: Any fraud above Rs. 1 lakh must be reported via Fraud Monitoring Return (FMR) within 21 days of detection. The clock starts at detection, not at the end of an internal investigation. For frauds above Rs. 1 crore or classified as systemic, an initial flash report is due within 7 days.

  3. Police and CBI reporting: Frauds above Rs. 1 crore must be reported to the Central Bureau of Investigation or the local Economic Offences Wing within the same 21-day window. Frauds below Rs. 1 crore require a report to the local police. Filing the FMR with the RBI without the corresponding police report is a separate compliance failure.

  4. Quarterly Fraud Monitoring Returns: Aggregate quarterly FMRs must be submitted covering all fraud incidents during the period, including case status updates, amounts involved, and recovery data. These returns feed into the RBI's CRILC database and are cross-checked against balance sheet disclosures.

  5. Board-level governance: Each institution must establish a Fraud Monitoring Committee (FMC) at board level, or the board's risk committee must review fraud data quarterly. The board must approve the institution's Fraud Risk Management Policy annually.

  6. Staff accountability within 6 months: For every fraud involving internal staff, the institution must complete a staff accountability review and initiate disciplinary proceedings within 6 months of formal fraud classification. Extensions require written notification to the RBI.

  7. Recovery tracking: Institutions must maintain a live register of all reported frauds with current recovery status. Quarterly updates on legal proceedings and provisioning are expected for each active case.

  8. Record retention for 8 years: All fraud-related records, including FIRs, investigation reports, FMR acknowledgements, and audit findings, must be retained for a minimum of 8 years from the date of reporting.


What evidence do regulators expect?

RBI examination teams look for specific artefacts. Being audit-ready means having these on hand before an examiner arrives:

  • Board-approved Fraud Risk Management Policy: A dated, signed document covering classification criteria, escalation thresholds, roles and responsibilities, and annual review dates. A policy signed two years ago won't pass scrutiny.
  • FMC meeting minutes: Signed minutes from every quarterly Fraud Monitoring Committee meeting, with attendance records. Examiners test whether the minutes reflect substantive deliberation or are rubber stamps with no corrective actions directed.
  • Timestamped FMR acknowledgements: Download confirmations from the RBI portal for every FMR filed. Examiners cross-check submission dates against detection dates to find reporting delays.
  • Staff accountability records: For each fraud involving internal staff, evidence that the review completed within 6 months. If extensions were sought, the RBI correspondence must be filed and retrievable.
  • Early Warning Signal (EWS) system logs: Transaction-level data showing EWS alerts for accounts that subsequently became fraud cases, with documented escalation responses. Examiners test whether alerts produced action or accumulated in queues.
  • Training records: Logs confirming that front-line staff, relationship managers, and risk officers completed fraud awareness training within the past 12 months.
  • Recovery register: A live, granular register of all reported frauds with current recovery status, legal proceedings stage, and provisioning data reconciled against balance sheet entries.
  • Internal audit reports: Recent reports covering the fraud function, with management responses and tracked remediation.

Customer Due Diligence (CDD) gaps frequently surface in fraud root-cause analysis. Examiners check whether onboarding failures contributed to the fraud and whether the CDD framework has been strengthened since the event.


Common failure modes

Banks get cited for predictable reasons. These patterns appear in RBI inspection reports repeatedly:

  • Delayed classification: Accounts sit in "suspected fraud" or "under investigation" status for months before formal classification. The 21-day clock starts at detection. Several banks received RBI show-cause notices between 2020 and 2023 for classification delays averaging 90 to 180 days past the initial suspicion date.
  • Incomplete FMR data: Returns filed with missing fields, particularly on recovery amounts and legal proceedings status. The RBI's CRILC database cross-checks FMR disclosures against balance sheet data, and mismatches trigger follow-up inspections.
  • Board oversight on paper only: FMC meetings scheduled but not substantive. Minutes that record no corrective actions despite persistent fraud trends. RBI's Supervisory Evaluation Framework specifically tests whether board oversight is functional.
  • EWS alerts without documented follow-up: Early Warning Signal systems generating flags with no documented triage or escalation process behind them. This disconnect is a recognized problem in financial crime operations: the alert exists, but the response capacity doesn't. See AI Agents in Financial Crime Investigation for how institutions are addressing this gap.
  • Staff accountability delays: Disciplinary proceedings against implicated staff running past the 6-month window without RBI notification. This is a distinct compliance failure, separate from the underlying fraud.
  • Failure to file police reports: Institutions reporting to the RBI promptly but delaying FIR filing, particularly in the Rs. 1-10 crore range. Relationship management concerns don't override regulatory obligations.
  • Provisioning mismatches: Fraud cases provisioned at figures that diverge from FMR disclosures. This surfaces during annual inspection cycles and can escalate to a finding of deliberate under-reporting.

The RBI Annual Report 2023 cited deficiencies in fraud risk governance among the top three grounds for monetary penalties imposed on banks that year.


Penalties for non-compliance

The RBI's enforcement tools are specific and publicly documented.

Monetary penalties: Under Section 47A of the Banking Regulation Act, 1949, the RBI can impose penalties of up to Rs. 1 crore per violation, or twice the amount involved in the default, whichever is higher. For NBFCs, penalties flow from Chapter V of the Reserve Bank of India Act, 1934. In practice, penalties for fraud reporting failures since 2020 have ranged from Rs. 25 lakh to Rs. 2 crore per enforcement order. Every penalty order is published at rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx.

Named enforcement actions: IndusInd Bank was penalized Rs. 2.35 crore in 2023 for multiple regulatory deficiencies, including reporting failures. Bandhan Bank received a Rs. 29.55 lakh penalty in 2022. Both orders are publicly accessible on the RBI website and detail the specific contraventions.

Business restrictions: For systemic failures, the RBI can restrict new customer onboarding, cap credit sanctioning, or require CEO-level accountability through the Supervisory Engagement Framework. These restrictions carry operational costs that dwarf any monetary fine.

Compounding of contraventions: Fraud-related foreign exchange violations can be compounded under FEMA provisions. The RBI's compounding orders, also published on rbi.org.in, show penalty ranges for specific violation types and serve as a reference for what examiners consider material.

Repeat violations attract progressively larger penalties and enhanced supervisory scrutiny, including special audits ordered by the RBI. An institution that self-discloses and remediates consistently faces materially better outcomes than one that under-reports across consecutive inspection cycles.


Related regulations and frameworks

The RBI Frauds MD 2024 connects directly to several frameworks that compliance teams must manage in parallel:

PMLA 2002 and FIU-IND reporting: The PMLA requires Suspicious Transaction Reports (STRs) to be filed with India's Financial Intelligence Unit within 7 days of forming suspicion. Many bank frauds trigger both an FMR to the RBI and an STR to FIU-IND. The timelines and reporting channels differ, and failing one while complying with the other is not treated as partial credit.

FATF Recommendation 20: India is a FATF member. Its STR regime is assessed against FATF Recommendation 20 in mutual evaluations. The Frauds MD's reporting requirements directly support India's FATF compliance posture, and gaps identified during inspections can influence FATF's assessment of India's overall AML/CFT effectiveness. FATF's India country profile is tracked at fatf-gafi.org.

RBI KYC Master Direction: Fraud frequently originates in KYC failures. When a root-cause analysis points to inadequate onboarding or a missed periodic review, it creates findings under both the Frauds MD and the KYC MD simultaneously. Enhanced Due Diligence requirements in the KYC MD are often the first line of defence for the fraud categories covered here.

RBI Cyber Security Framework for Banks: Card, internet, and cyber fraud classified under the Frauds MD also fall within the Cyber Security Framework. Banks must maintain a separate IT incident register alongside the fraud register. Reconciling the two is a standard inspection task.

BCBS 323 on Operational Risk: The Basel Committee classifies internal and external fraud as distinct operational risk event types. Indian banks subject to Basel III must provision against fraud losses accordingly, with data from fraud registers feeding directly into capital calculations.

FATF Recommendation 10 on Customer Due Diligence: CDD failures that enable fraud are assessed against FATF standards in India's mutual evaluation. Gaps that appear in fraud root-cause reports can affect FATF's rating of India's CDD regime as a whole.


How FluxForce supports RBI Frauds MD 2024 compliance

FluxForce's AI agents monitor transactions in real time, flag Early Warning Signals, and generate structured fraud reports mapped directly to FMR submission fields. Nova Sentinel automates case triage and tracks staff accountability deadlines, so the 6-month review window doesn't slip. Aiden Flux maintains a live fraud register with recovery status and surfaces the granular data boards need for quarterly FMC reviews. Every decision comes with a full audit trail for examiners. To see how FluxForce cuts fraud reporting backlogs, request a demo.
