Reserve Bank of India · India

RBI Fraud Risk Management Audit

Audit of fraud governance, monitoring and reporting technology for REs.

Introduction

The Reserve Bank of India (RBI) treats fraud risk as a distinct, board-owned risk category that sits alongside credit, market, liquidity and operational risk. Over the past decade, and decisively through the Master Directions on Fraud Risk Management issued on 15 July 2024, the RBI has moved regulated entities away from a purely detective, reporting-driven posture towards a preventive, governance-anchored Fraud Risk Management (FRM) framework. An RBI Fraud Risk Management Audit is an independent assessment of whether a regulated entity — a commercial bank, cooperative bank, Non-Banking Financial Company (NBFC), All-India Financial Institution, Payment Aggregator or other RBI-supervised entity — has designed, implemented and can evidence a fraud risk management framework that meets the letter and intent of the Master Directions, the Early Warning Signals (EWS) and Red-Flagged Account (RFA) mechanism, the Fraud Monitoring Return (FMR) reporting discipline, and the principles of natural justice mandated by the Supreme Court in the SBI v. Rajesh Agarwal judgment (2023).

This guide is written for two readers at once. For the auditor, it sets out an assessment methodology, a control-by-control master checklist, an evidence request list and a maturity model that can withstand supervisory scrutiny. For the implementer — the Chief Vigilance Officer, Head of Fraud Risk, Chief Risk Officer, Chief Compliance Officer or IT security lead — it explains what must actually be built, wired and operated so that the audit finds a working framework rather than a paper policy. The scope is deliberately holistic: it spans board governance, the Special Committee of the Board for Monitoring and Follow-up of cases of Fraud (SCBMF), EWS and transaction monitoring technology, staff accountability, recovery, wilful-defaulter interplay, digital and payment-channel fraud, and the strict FMR / Central Fraud Registry (CFR) timelines that trigger supervisory penalties when missed.

Source and copyright note
This guide is an original CyberSigma work product. The RBI Master Directions on Fraud Risk Management, associated circulars, Fraud Monitoring Return formats and the Central Fraud Registry documentation are Crown-equivalent public regulatory texts issued by the Reserve Bank of India and remain the property of the RBI. We paraphrase and interpret them for audit purposes and do not reproduce RBI copyrighted text verbatim. Regulated entities must always assess against the current signed Master Directions and any subsequent amendments or FAQ clarifications published on rbi.org.in, as circular references and timelines are periodically revised.

What is RBI Fraud Risk Management

RBI Fraud Risk Management is the supervisory framework through which the Reserve Bank requires its regulated entities to prevent, detect, classify, report, investigate, remediate and recover from fraud, and to hold accountable those responsible — whether staff, borrowers or third parties. It is codified principally in three near-identical Master Directions issued on 15 July 2024, addressed respectively to (i) commercial banks and All-India Financial Institutions, (ii) cooperative banks (Urban Cooperative Banks, State and Central Cooperative Banks), and (iii) NBFCs including Housing Finance Companies. These consolidated and superseded roughly nine earlier circulars, including the long-standing Master Directions on Frauds — Classification and Reporting of 2016.

The framework rests on several interlocking pillars. First, board-level governance: fraud risk management must be owned by the Board through a dedicated Special Committee (SCBMF) and operationalised by a senior-management fraud risk management committee and a functionally independent fraud risk management function. Second, prevention and early detection: entities must operate an Early Warning Signals framework and, for large-value accounts, a Red-Flagged Account mechanism that triggers forensic audit before an account crystallises into a declared fraud. Third, a defined fraud classification taxonomy: misappropriation and criminal breach of trust; fraudulent encashment through forged instruments or manipulation of accounts; unauthorised credit facilities extended for illegal gratification; cash shortages; cheating and forgery; irregularities in foreign exchange transactions; and any other type of fraud not covered above. Fourth, mandatory, time-bound reporting through the Fraud Monitoring Return system and the Central Fraud Registry. Fifth, and following the Supreme Court's 2023 ruling, a mandatory principles-of-natural-justice process — the borrower or accused must be given a reasoned show-cause notice and a fair opportunity to be heard before an account is classified as fraud.

Crucially, the 2024 Master Directions are technology-forward: they explicitly require a data-analytics and market-intelligence driven approach to fraud detection, engagement with the Reserve Bank's digital-fraud initiatives, and coordination with mechanisms such as the Central Payments Fraud Information Registry and the Citizen Financial Cyber Fraud Reporting and Management System (the 1930 helpline / NCRP ecosystem). An RBI Fraud Risk Management Audit therefore assesses both a governance apparatus and a working detection-and-response engine.

Who must comply

The obligation to maintain an RBI-compliant fraud risk management framework applies to every entity supervised by the Reserve Bank, though the specific Master Direction that governs a given entity depends on its category. The table below maps entity types to the applicable direction and the intensity of obligation.

Regulated entity category | Applicable RBI direction (15 Jul 2024) | Key obligation intensity
Public and private sector commercial banks, Small Finance Banks, Payments Banks, foreign banks operating in India | Master Directions on FRM — Banks (RBI/DOS/2024-25/119) | Full framework: SCBMF, EWS, RFA, forensic audit, FMR, CFR, staff accountability
All-India Financial Institutions (EXIM Bank, NABARD, NHB, SIDBI, NaBFID) | Master Directions on FRM — Banks / AIFIs | Full framework, calibrated to development-finance mandate
Urban Cooperative Banks, State & Central Cooperative Banks | Master Directions on FRM — Cooperative Banks | Full framework, proportionate to tier and asset size
NBFCs (Base/Middle/Upper/Top Layer), Housing Finance Companies | Master Directions on FRM — NBFCs (incl. HFCs) | Full framework; scaling-based regulation applies to depth of governance
Payment Aggregators, Payment System Operators, PPI issuers | FRM Master Directions read with PSS Act guidelines & CPFIR | Payment/digital fraud focus; CPFIR reporting; RE-specific EWS
Regional Rural Banks, Local Area Banks | FRM Master Directions (banking cohort) | Full framework, proportionate
Credit Information Companies, ARCs (indirect) | Interfacing obligations (CFR/CIC data) | Data-sharing and consumption obligations

  • Applicability is not size-gated — even the smallest cooperative bank or Base Layer NBFC must have a fraud risk policy approved by its Board and a mechanism to report frauds to the RBI.
  • The RFA and forensic-audit obligations are most material for lenders with large exposures; entities with credit exposure above the RFA threshold (historically Rs. 50 crore for consortium/multiple-banking accounts) carry the heaviest EWS burden.
  • Statutory auditors and concurrent auditors are indirectly bound: the framework requires their reports to feed the EWS and fraud-detection process, and auditor lapses can themselves be reported.
  • Boards and senior management bear personal accountability — supervisory action can attach to individuals where the framework is found deficient or reporting is delayed.

Structure of RBI Fraud Risk Management

The framework can be decomposed into governance domains and operational control families. The table below presents the domain architecture that an auditor should use as the top-level assessment map. Each domain is expanded into verifiable controls in the master assessment checklist that follows.

Domain code | Domain | Core content
FRM-1 | Governance & Board Oversight | Board-approved policy, SCBMF, senior-management committee, three-lines model
FRM-2 | Fraud Risk Management Function | Independent function, CVO/Head-FRM, staffing, empowerment, reporting lines
FRM-3 | Fraud Prevention Controls | Preventive vigilance, KYC/onboarding controls, segregation of duties, awareness
FRM-4 | Early Warning Signals (EWS) | EWS indicator library, data sources, automated triggering, escalation
FRM-5 | Red-Flagged Account (RFA) Mechanism | RFA thresholds, tagging, JLF referral, forensic audit trigger
FRM-6 | Fraud Detection & Investigation | Transaction monitoring, forensic audit, investigation SOP, evidence handling
FRM-7 | Fraud Classification | Six/seven-category taxonomy, decisioning authority, timelines
FRM-8 | Principles of Natural Justice | Show-cause notice, opportunity to be heard, reasoned order (SBI v. Rajesh Agarwal)
FRM-9 | Reporting — FMR & CFR | Fraud Monitoring Return timelines, Central Fraud Registry upload, flash reports
FRM-10 | Staff Accountability & Vigilance | Staff-side examination, disciplinary process, CVC coordination
FRM-11 | Law Enforcement & Recovery | FIR/CBI/EOW referral, wilful-defaulter interplay, provisioning, recovery
FRM-12 | Digital & Payment Fraud | Channel monitoring, CPFIR, mule accounts, 1930/NCRP, real-time controls
FRM-13 | Data Analytics & Technology | Market intelligence, analytics engine, model governance, data quality
FRM-14 | Assurance, Review & Closure | Periodic review, closure of fraud cases, audit trail, learning loop

Master assessment checklist

This is the core of the audit. Each control family below is presented with what the auditor must verify and the typical evidence that substantiates conformity. Implementers should read the same tables as a build specification: if the evidence does not exist, the control does not exist. No domain has been omitted.

FRM-1 Governance and Board oversight

What to verify | Typical evidence
A Board-approved Fraud Risk Management Policy exists, aligned to the 15 Jul 2024 Master Directions, and is reviewed at least annually | Signed policy document with version history; board resolution; review minutes
A Special Committee of the Board for Monitoring and Follow-up of cases of Fraud (SCBMF) is constituted with the required composition and meeting cadence | SCBMF charter; composition list; meeting minutes for the last 12-18 months
SCBMF reviews all frauds of Rs. 1 crore and above and monitors follow-up, recovery and staff accountability | SCBMF agenda papers; case-tracking registers; action-taken reports
A senior-management level fraud risk management committee operationalises board policy | Committee terms of reference; attendance; escalation logs
Board is periodically apprised of fraud trends, EWS effectiveness and top exposures | Board deck extracts; MIS dashboards presented to the board
Three-lines-of-defence responsibilities for fraud risk are documented and distinct | RACI matrix; org chart; function mandates

FRM-2 Fraud Risk Management Function

What to verify | Typical evidence
A functionally independent Fraud Risk Management function/department exists, headed by a sufficiently senior officer (Chief Vigilance Officer / Head-FRM) | Function mandate; appointment order; reporting line to MD/CEO/board committee
The function is adequately staffed with skilled resources (analysts, investigators, forensic specialists) | Staffing chart; skills matrix; training records
The function has authority to access data, initiate investigations and direct forensic audits without line-management veto | Delegation of authority; access-rights records; investigation initiation logs
Segregation is maintained between fraud detection, investigation and staff-accountability decisioning | Process flow; approval matrices; conflict-of-interest declarations
The function coordinates with internal audit, compliance, IT security, legal and HR | Cross-functional SOPs; joint case files; escalation records

FRM-3 Fraud prevention controls

What to verify | Typical evidence
Preventive vigilance measures are defined and operating across origination, disbursement and servicing | Preventive vigilance SOP; branch inspection reports
KYC / customer due diligence and beneficial-ownership controls reduce impersonation and shell-entity fraud | CDD records; onboarding exception reports; PEP/AML linkage
Segregation of duties and maker-checker controls exist for high-risk transactions | System role definitions; SoD conflict reports; maker-checker logs
Staff and customer fraud-awareness programmes run periodically | Training calendar; attendance; customer awareness collateral
Vendor / third-party and outsourcing arrangements carry fraud-risk controls | Vendor due diligence; contract clauses; outsourcing risk assessments
End-use monitoring of credit facilities is performed to detect diversion of funds | End-use certificates; stock/receivables audits; cash-flow monitoring

FRM-4 Early Warning Signals (EWS)

What to verify | Typical evidence
An EWS indicator library is documented, covering behavioural, financial, transactional and external signals | EWS master list; indicator definitions; source mapping
EWS are generated from multiple data sources (account behaviour, auditor reports, market intelligence, public/third-party data) | Data-source inventory; feed configuration; sample EWS outputs
EWS are largely system-generated and automatically triggered rather than manual | EWS engine screenshots; trigger logs; automation coverage report
Triggered EWS are time-bound for review, disposition and escalation | EWS workflow SLA; ageing report; disposition register
EWS effectiveness (hit rate, false positives, conversion to RFA/fraud) is measured and tuned | EWS MIS; tuning change log; back-testing results
Statutory / concurrent / stock auditor observations feed the EWS process | Auditor report intake log; linkage to EWS cases

FRM-5 Red-Flagged Account (RFA) mechanism

What to verify | Typical evidence
An account is tagged Red-Flagged when one or more EWS indicating fraud-like activity are triggered | RFA tagging register; trigger-to-tag mapping
RFA status is recorded and communicated to consortium / multiple-banking members (via JLF / CRILC where applicable) | JLF minutes; CRILC reporting; inter-bank communication
An RFA above threshold triggers a forensic / stock-and-book audit within the prescribed timeline | Forensic audit engagement letters; timeline tracker
A decision to declare fraud or lift the RFA is taken within the mandated window (historically ~six months) with reasons recorded | RFA decision notes; committee approvals; audit-trail
RFA accounts are monitored for asset dissipation pending decisioning | Monitoring reports; charge/security verification
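The FRM-4 and FRM-5 controls above describe an engine rather than a policy: indicators evaluated automatically against account data, an RFA tag applied when any indicator fires, a forensic-audit requirement above an exposure threshold, a decision deadline, and an ageing report over undisposed triggers. The following Python sketch is an added illustration written for this guide, not CyberSigma's product code or any RBI artefact. The five indicators, the account records, the 7-day review SLA and the 180-day decision window are constructed assumptions; the Rs. 50 crore exposure figure is the historical threshold mentioned earlier on this page and would be replaced by the value in the current Master Directions. The last function models the scoping pitfall discussed later in this guide: it returns accounts that raised EWS but never reached the fraud register, which is exactly the population an audit must not ignore.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# Constructed indicator library: code -> (category, predicate over an account record).
# Real EWS libraries are far larger and entity-specific; these five are illustrative only.
INDICATORS: dict[str, tuple[str, Callable[[dict], bool]]] = {
    "EWS-01": ("transactional", lambda a: a["cheque_bounces_90d"] >= 3),
    "EWS-02": ("financial",     lambda a: a["overdue_days"] > 60),
    "EWS-03": ("behavioural",   lambda a: a["end_use_certificate_overdue"]),
    "EWS-04": ("external",      lambda a: a["auditor_qualification"]),
    "EWS-05": ("transactional", lambda a: a["related_party_outflow_pct"] > 25),
}

CRORE = 10_000_000
RFA_FORENSIC_THRESHOLD_INR = 50 * CRORE   # page's historical Rs. 50 crore figure, used as config
RFA_DECISION_WINDOW_DAYS = 180            # "~six months" per the page; exact window is an assumption
EWS_REVIEW_SLA_DAYS = 7                   # assumed internal review SLA

AS_OF = date(2025, 1, 10)        # constructed run date for the EWS batch
REVIEW_DATE = date(2025, 1, 20)  # constructed date at which the ageing report is pulled


@dataclass
class EwsEvent:
    account_id: str
    indicator: str
    category: str
    triggered_on: date
    disposition: str = "open"          # open | false-positive | escalated
    disposed_on: Optional[date] = None


def evaluate_account(account: dict, as_of: date) -> list[EwsEvent]:
    """System-generated triggering: every indicator is evaluated; none is left to manual judgement."""
    return [
        EwsEvent(account["account_id"], code, category, as_of)
        for code, (category, predicate) in INDICATORS.items()
        if predicate(account)
    ]


def build_events(accounts: list[dict], as_of: date = AS_OF) -> list[EwsEvent]:
    """Run the whole book through the indicator library (the trigger log an auditor asks for)."""
    return [ev for acct in accounts for ev in evaluate_account(acct, as_of)]


def tag_rfa(accounts: list[dict], events: list[EwsEvent]) -> dict[str, dict]:
    """One or more triggered EWS tags the account RFA. A forensic audit is required only
    above the exposure threshold, and every tag carries its own decision deadline."""
    tags: dict[str, dict] = {}
    for acct in accounts:
        acct_events = [e for e in events if e.account_id == acct["account_id"]]
        if not acct_events:
            continue
        tagged_on = min(e.triggered_on for e in acct_events)
        tags[acct["account_id"]] = {
            "indicators": sorted(e.indicator for e in acct_events),
            "forensic_audit_required": acct["exposure_inr"] >= RFA_FORENSIC_THRESHOLD_INR,
            "decision_due": tagged_on + timedelta(days=RFA_DECISION_WINDOW_DAYS),
        }
    return tags


def ageing_report(events: list[EwsEvent], as_of: date,
                  sla_days: int = EWS_REVIEW_SLA_DAYS) -> list[EwsEvent]:
    """Open EWS older than the review SLA: the 'ageing report' evidence item in FRM-4."""
    return [e for e in events
            if e.disposition == "open" and (as_of - e.triggered_on).days > sla_days]


def audit_population(events: list[EwsEvent], fraud_register: set[str]) -> set[str]:
    """Accounts that raised EWS but were never declared fraud. An audit population that
    starts from the fraud register alone silently drops these."""
    return {e.account_id for e in events} - fraud_register


# Constructed sample book (not real accounts).
ACCOUNTS = [
    {"account_id": "LN-1001", "exposure_inr": 75 * CRORE, "cheque_bounces_90d": 4, "overdue_days": 72,
     "end_use_certificate_overdue": True, "auditor_qualification": False, "related_party_outflow_pct": 10},
    {"account_id": "LN-1002", "exposure_inr": 12 * CRORE, "cheque_bounces_90d": 0, "overdue_days": 0,
     "end_use_certificate_overdue": False, "auditor_qualification": True, "related_party_outflow_pct": 40},
    {"account_id": "LN-1003", "exposure_inr": 5 * CRORE, "cheque_bounces_90d": 1, "overdue_days": 10,
     "end_use_certificate_overdue": False, "auditor_qualification": False, "related_party_outflow_pct": 5},
]

if __name__ == "__main__":
    events = build_events(ACCOUNTS)
    for acct_id, tag in tag_rfa(ACCOUNTS, events).items():
        print(acct_id, tag)
    print("EWS open beyond SLA:", len(ageing_report(events, REVIEW_DATE)))
    print("EWS accounts absent from fraud register:", audit_population(events, {"LN-1001"}))
```

Two design points matter for the audit. The RFA tag and its deadline are derived from the trigger log, not entered by hand, so the "trigger-to-tag mapping" evidence is reproducible; and the forensic-audit flag depends on exposure, not on how many indicators fired, which mirrors the threshold logic in the FRM-5 table.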

FRM-6 Fraud detection and investigation

What to verify | Typical evidence
Transaction-monitoring rules and analytics detect anomalous patterns across products and channels | Rule inventory; alert volumes; tuning records
A documented investigation SOP governs case intake, evidence collection and chain-of-custody | Investigation manual; case files; evidence logs
Forensic audits are commissioned from empanelled forensic auditors with defined scope | Empanelment list; scope documents; forensic reports
Investigation outcomes feed classification, staff accountability and recovery decisions | Investigation-to-classification linkage; decision memos
Digital evidence is preserved in a legally admissible manner | IT Act Section 65B certificates; imaging logs; hash records

FRM-7 Fraud classification

What to verify | Typical evidence
Every fraud is classified into the RBI taxonomy (misappropriation/CBT; fraudulent encashment/forgery; unauthorised credit for gratification; cash shortages; cheating & forgery; forex irregularities; other) | Classification register mapping each case to a category
Classification is decided by an authorised committee within the prescribed timeline from detection | Committee minutes; detection-to-classification date tracker
The date of detection is correctly determined and consistently applied | Detection-date methodology note; case timelines
Amount involved is accurately quantified for provisioning and reporting | Quantum computation working; reconciliation to GL
Reclassification / de-classification (e.g., after adjudication) is controlled and documented | Reclassification approvals; audit trail

FRM-8 Principles of natural justice

What to verify | Typical evidence
Before classifying a borrower account as fraud, a detailed reasoned show-cause notice is issued to the borrower / guarantors / promoters | Show-cause notice copies with dispatch proof
The noticee is granted a reasonable time (typically not less than 21 days) to respond | SCN with response deadline; acknowledgement records
Responses received are considered and a reasoned, speaking order is passed | Reply register; reasoned classification order
The process complies with the Supreme Court judgment in State Bank of India v. Rajesh Agarwal (2023) | Compliance note; legal opinion; process SOP referencing the judgment
Records demonstrate that no classification occurs without opportunity to be heard | Exception log confirming nil bypass; internal audit attestation

FRM-9 Reporting — Fraud Monitoring Return and Central Fraud Registry

What to verify | Typical evidence
Frauds of Rs. 1 lakh and above are reported to the RBI through the Fraud Monitoring Return (FMR) within the prescribed timeline from classification | FMR submissions with timestamps; XBRL/portal acknowledgements
Frauds of Rs. 5 crore and above trigger a Flash Report / immediate reporting and, where relevant, RBI Central Fraud Registry (CFR) upload | Flash reports; CFR upload confirmations
Very large frauds (historically Rs. 100 crore and above) trigger additional reporting to RBI Central Fraud Monitoring Cell | Escalation records; correspondence with RBI
Data reported to CFR is complete, accurate and timely so that other lenders can consume it | CFR data-quality checks; error/rejection logs
Closure and update returns are filed as cases progress (recovery, conviction, closure) | Update returns; closure returns; status reconciliation
Reporting timelines are met without delay; delays are root-caused and remediated | Timeline dashboard; delay-analysis notes; corrective actions

FRM-10 Staff accountability and vigilance

What to verify | Typical evidence
Staff-side accountability is examined for every fraud within the prescribed period, independent of the fraud amount | Staff accountability register; examination reports
Disciplinary proceedings are initiated where lapses are established, per the disciplinary framework | Charge sheets; inquiry reports; penalty orders
Cases involving a vigilance angle are coordinated with the Central Vigilance Commission (public sector entities) | CVC references; vigilance case files
Accountability outcomes are tracked to closure and reported to SCBMF | Accountability tracker; SCBMF status updates
Whistle-blower / protected-disclosure mechanism exists and feeds fraud detection | Whistle-blower policy; disclosure register; investigation linkage

FRM-11 Law enforcement referral and recovery

What to verify | Typical evidence
Frauds are referred to police / CBI / Economic Offences Wing per amount-based thresholds and ownership | FIR/complaint copies; referral thresholds SOP; CBI references
Interplay with wilful-defaulter classification is managed per the RBI wilful-defaulter directions | Wilful-defaulter committee minutes; cross-reference register
Provisioning for fraud accounts is made per RBI norms (full provisioning over the permitted period) | Provisioning schedule; GL entries; auditor confirmation
Recovery actions (SARFAESI, DRT, IBC, settlement) are pursued and monitored | Recovery case files; recovery MIS; settlement approvals
Insurance / indemnity claims are lodged where applicable | Claim files; recovery-from-insurer records

FRM-12 Digital and payment fraud

What to verify | Typical evidence
Real-time / near-real-time monitoring covers UPI, cards, net-banking, mobile and wallet channels | Channel monitoring rules; alert dashboards
Mule-account detection and account-freeze mechanisms operate | Mule-account model outputs; freeze/lien logs
Reporting to the Central Payments Fraud Information Registry (CPFIR) is timely and complete | CPFIR submissions; reconciliation to internal fraud data
Integration with the Citizen Financial Cyber Fraud Reporting system (1930 / NCRP) enables rapid response | 1930/NCRP intake logs; hold/lien action records
Customer-liability framework (limited-liability circular) is applied for unauthorised electronic transactions | Complaint resolution records; shadow-reversal / refund evidence
Digital-payment security controls (2FA, device binding, velocity limits) are enforced | Control configuration; exception reports

FRM-13 Data analytics and technology

What to verify | Typical evidence
A data-analytics and market-intelligence capability drives fraud detection, as required by the 2024 directions | Analytics platform documentation; use-case inventory
Analytical models (rules, scoring, ML) are governed — validated, version-controlled and periodically reviewed | Model inventory; validation reports; model-governance policy
Data quality, lineage and completeness are managed for fraud-relevant data | Data-quality dashboards; reconciliation reports
External intelligence (bureau, negative lists, industry alerts, RBI advisories) is ingested | Feed inventory; ingestion logs
Access to fraud systems is least-privilege and logged; the systems themselves are protected | IAM records; audit logs; security assessment reports

FRM-14 Assurance, review and closure

What to verify | Typical evidence
The FRM framework is subject to periodic independent review (internal audit / assurance) | Audit plan; FRM audit reports; management responses
Fraud cases are formally closed only after prescribed conditions (recovery, adjudication, examination) are met | Closure checklist; closure approvals; closure returns
Lessons learned from frauds feed back into controls, EWS and policy | Root-cause reports; control-change register
A complete, tamper-evident audit trail exists for every fraud case end-to-end | Case-management audit logs; retention policy
Regulatory correspondence and supervisory observations are tracked to closure | Supervisory action tracker; compliance confirmations
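"Tamper-evident" in FRM-14, and the "hash records" an auditor expects for digital evidence under FRM-6, both mean the same thing in practice: every case-file event is bound to its predecessor so that editing, inserting or deleting an entry after the fact is detectable. The hash-chained case trail below is an added illustration for this guide, not CyberSigma's or any case-management vendor's code; the case identifier, actors, timestamps and evidence bytes are constructed. The verifier re-derives every hash from the stored fields and reports the first position at which the chain no longer holds.

```python
from __future__ import annotations

import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # anchor for the first entry of every case trail


def canonical(obj: dict) -> bytes:
    """Deterministic serialisation so that the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, seq: int, ts: str, actor: str, action: str, payload: dict) -> str:
    """SHA-256 over the previous hash plus every field of this entry."""
    return hashlib.sha256(canonical({
        "prev": prev_hash, "seq": seq, "ts": ts, "actor": actor,
        "action": action, "payload": payload,
    })).hexdigest()


def evidence_digest(data: bytes) -> str:
    """Digest recorded alongside an imaged artefact so later copies can be matched to it."""
    return hashlib.sha256(data).hexdigest()


class CaseTrail:
    """Append-only audit trail for one fraud case, chained by hash."""

    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.entries: list[dict] = []

    def append(self, ts: str, actor: str, action: str, payload: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries) + 1
        h = entry_hash(prev, seq, ts, actor, action, payload)
        self.entries.append({"seq": seq, "ts": ts, "actor": actor, "action": action,
                             "payload": payload, "prev": prev, "hash": h})
        return h

    def head(self) -> str:
        """The value to anchor externally (e.g. in SCBMF minutes or WORM storage)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, 1-based position of the first break)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            recomputed = entry_hash(prev, e["seq"], e["ts"], e["actor"], e["action"], e["payload"])
            if e["seq"] != i + 1 or e["prev"] != prev or e["hash"] != recomputed:
                return False, i + 1
            prev = e["hash"]
        return True, None


def build_sample_trail() -> CaseTrail:
    """Constructed case lifecycle: EWS trigger -> RFA -> evidence imaged -> SCN -> classification."""
    t = CaseTrail("CASE-EXAMPLE-001")  # placeholder identifier, not a real case
    t.append("2024-09-02T10:15:00+05:30", "ews-engine", "EWS_TRIGGERED", {"indicators": ["EWS-01", "EWS-02"]})
    t.append("2024-09-03T09:00:00+05:30", "head-frm", "RFA_TAGGED", {"exposure_inr": 750_000_000})
    t.append("2024-09-20T16:40:00+05:30", "forensic-lead", "EVIDENCE_IMAGED",
             {"item": "branch-server-export", "sha256": evidence_digest(b"constructed evidence bytes")})
    t.append("2024-09-25T11:00:00+05:30", "legal", "SCN_ISSUED", {"response_days": 21})
    t.append("2024-10-30T15:30:00+05:30", "classification-committee", "CLASSIFIED_FRAUD",
             {"category": "cheating & forgery", "amount_inr": 25_000_000})
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify(), "head:", trail.head())
    trail.entries[4]["payload"]["amount_inr"] = 2_500_000   # simulate an after-the-fact edit
    print("after edit:", trail.verify())
```

The chain only proves something if its head hash is recorded somewhere the case-management system cannot rewrite, such as the committee minutes or write-once storage; an attacker with write access to the whole table could otherwise re-hash every entry. Rehearse verification in the audit by recomputing the head from the raw rows and comparing it with the externally minuted value.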

Scoping

Scoping an RBI Fraud Risk Management Audit means defining which entities, products, channels, geographies, systems and time periods the assessment will cover, and against which version of the Master Directions. Because the framework is enterprise-wide, scope should be defined by exclusion (what is explicitly out) rather than by inclusion, so that no fraud-bearing surface is inadvertently omitted.

  • Entity and legal scope: identify the exact regulated entity (and any subsidiaries, RRB sponsorship, or co-lending arrangements) and confirm which of the three Master Directions applies.
  • Product and portfolio scope: retail lending, corporate/wholesale lending, treasury/forex, trade finance, deposits, cards, and payment products each carry distinct fraud typologies.
  • Channel scope: branch, internet banking, mobile, UPI, ATM/cards, agent/BC networks and third-party/aggregator flows.
  • System scope: core banking, loan origination, LOS/LMS, the EWS/fraud-analytics engine, case management, and reporting/XBRL interfaces to RBI.
  • Time-period scope: typically the trailing 12-18 months of fraud cases, EWS triggers, FMR filings and SCBMF minutes, plus any open legacy cases.
  • Threshold scope: RFA-eligible large exposures, Rs. 1 lakh / Rs. 1 crore / Rs. 5 crore / Rs. 100 crore reporting bands, and forensic-audit-eligible accounts.
  • Third-party scope: outsourced operations, forensic auditors, recovery agents and technology vendors relevant to fraud handling.
  • Explicit exclusions: document any legal-entity, geography or product deliberately excluded, with rationale and residual-risk note.
Scoping pitfall
A common and penalty-attracting error is scoping the audit around declared frauds only, ignoring the population of EWS triggers and RFA-tagged accounts that never converted. Supervisors specifically probe whether genuine fraud indicators were suppressed, delayed or wrongly closed — so the audit population must start from all EWS/RFA events, not just from the fraud register.

Implementation approach

For an entity building or uplifting its framework, the following phased approach sequences governance before technology and detection before reporting automation. Each phase lists indicative activities and deliverables.

Phase 1 — Governance and policy foundation (Weeks 1-6)

  • Activities: gap-assess the current framework against the 15 Jul 2024 Master Directions; draft/refresh the Board-approved FRM policy; constitute or recharter the SCBMF and senior-management committee; define the three-lines model and RACI.
  • Deliverables: Board-approved FRM policy; SCBMF charter and cadence; RACI matrix; governance operating model.

Phase 2 — Fraud risk function and process build (Weeks 5-12)

  • Activities: establish/uplift the independent FRM function; appoint Head-FRM/CVO; write investigation, classification, natural-justice and staff-accountability SOPs; empanel forensic auditors.
  • Deliverables: function mandate and staffing plan; investigation manual; classification SOP; SCN templates; forensic-auditor panel.

Phase 3 — EWS, RFA and analytics enablement (Weeks 8-20)

  • Activities: build the EWS indicator library; integrate data sources; deploy or tune the analytics/transaction-monitoring engine; wire RFA tagging and JLF/CRILC linkage; define automation and SLAs.
  • Deliverables: EWS catalogue; configured EWS/analytics engine; RFA workflow; model-governance framework.

Phase 4 — Reporting automation and integration (Weeks 14-22)

  • Activities: implement FMR generation and timeline controls; wire CFR and CPFIR uploads; integrate 1930/NCRP intake; build the fraud MIS and board dashboards.
  • Deliverables: automated FMR/CFR/CPFIR pipelines; timeline-monitoring dashboard; board MIS pack.

Phase 5 — Assurance, training and continuous improvement (Weeks 20-28+)

  • Activities: run staff and customer awareness; conduct independent FRM audit; institute root-cause / lessons-learned loop; embed periodic policy review.
  • Deliverables: training records; independent audit report; control-improvement register; annual review calendar.

Maturity and capability model

Use the following five-level model to score each of the fourteen domains. The overall framework maturity is the weighted aggregate, with governance and reporting domains weighted highest because supervisory penalties attach most directly to them.

Level | Label | Characteristics
1 | Initial / Ad-hoc | Policy exists on paper only; fraud handled reactively; reporting frequently delayed; no EWS
2 | Developing | Basic committees and manual EWS exist; reporting mostly on time but inconsistent; limited automation
3 | Defined | Full governance operating; documented SOPs; automated EWS/RFA; FMR/CFR timelines consistently met
4 | Managed | Analytics-driven detection; measured EWS effectiveness; natural-justice process robust; strong staff accountability
5 | Optimised | Predictive analytics and market intelligence; near-zero reporting delays; continuous tuning; cross-industry intelligence sharing

Assessment and audit approach

  1. Confirm scope, applicable Master Direction version and the audit period; obtain the fraud register, EWS/RFA logs and SCBMF minutes.
  2. Assess governance: review the Board-approved policy, SCBMF composition/cadence and senior-management committee operation.
  3. Evaluate the FRM function's independence, staffing, empowerment and cross-functional coordination.
  4. Test the EWS framework: examine the indicator library, data-source coverage, automation, disposition SLAs and effectiveness metrics.
  5. Trace a sample of RFA-tagged accounts through forensic audit, decisioning and timeline compliance.
  6. Walk through fraud investigations end-to-end, testing evidence handling, classification accuracy and quantum computation.
  7. Verify the principles-of-natural-justice process (SCN issuance, response window, reasoned order) against SBI v. Rajesh Agarwal.
  8. Reconcile the fraud register to FMR/CFR/CPFIR submissions and test reporting timeliness against prescribed windows.
  9. Examine staff-accountability examination, disciplinary outcomes and (where applicable) CVC coordination.
  10. Assess law-enforcement referral, provisioning, recovery and wilful-defaulter interplay.
  11. Review digital/payment fraud controls, mule-account handling and 1930/NCRP integration.
  12. Test analytics/model governance, data quality and access controls over fraud systems.
  13. Assess independent assurance, case-closure discipline and the lessons-learned feedback loop.
  14. Rate each domain on the maturity model, quantify residual risk, and issue findings with prioritised, time-bound remediation.

Evidence request list

The following categorised list is the standard document request pack. Implementers can pre-assemble it; auditors should treat missing items as potential control gaps.

  • Governance: Board-approved FRM policy (with version history); SCBMF charter, composition and 12-18 months of minutes; senior-management committee ToR and minutes; board MIS packs.
  • Function: FRM function mandate; org chart; staffing and skills matrix; delegation of authority; training records.
  • Prevention: preventive-vigilance SOP; KYC/CDD exception reports; SoD/maker-checker configuration; awareness collateral; end-use monitoring records.
  • EWS/RFA: EWS indicator catalogue; data-source inventory; EWS engine outputs and ageing reports; RFA tagging register; JLF/CRILC records; forensic-audit engagements and reports.
  • Investigation/Classification: investigation manual; sample case files with chain-of-custody; classification register; quantum computation workings; reclassification approvals.
  • Natural justice: SCN templates and issued notices with dispatch proof; response register; reasoned classification orders; legal opinion on process.
  • Reporting: FMR submissions and acknowledgements; Flash Reports; CFR and CPFIR upload confirmations; closure/update returns; timeline dashboards.
  • Accountability/Recovery: staff-accountability register; disciplinary orders; CVC references; provisioning schedules; recovery MIS; FIR/CBI referrals.
  • Digital fraud: channel-monitoring rules; mule-account model outputs; 1930/NCRP intake logs; customer-liability resolution records.
  • Technology: model inventory and validation reports; data-quality dashboards; IAM/access logs; security assessment of fraud systems.
  • Assurance: independent FRM audit reports; management responses; root-cause reports; supervisory correspondence tracker.

Roles and responsibilities

Role | Fraud risk management responsibility
Board of Directors | Approve FRM policy; own fraud risk; ensure adequate resourcing and accountability
Special Committee (SCBMF) | Monitor and follow up frauds >= Rs. 1 crore; oversee recovery and staff accountability
MD & CEO / Senior Management | Operationalise policy; chair the senior-management fraud committee; ensure timely reporting
Chief Vigilance Officer / Head-FRM | Run the FRM function; direct investigations and forensic audits; own EWS/RFA
Chief Risk Officer | Integrate fraud risk into enterprise risk; oversee model and analytics governance
Chief Compliance Officer | Ensure regulatory reporting (FMR/CFR/CPFIR) timeliness and supervisory closure
Internal Audit | Provide independent assurance over the FRM framework's design and operation
IT / Information Security | Operate detection technology; protect fraud systems; support digital forensics
Business / Branch Heads | First-line prevention, EWS response and end-use monitoring
Legal | Advise on natural justice, referrals, recovery and litigation
HR | Execute disciplinary process for established staff lapses

KPIs to track

  • Percentage of FMR / CFR / CPFIR submissions filed within the prescribed timeline (target 100%).
  • Average number of days from fraud detection to classification, and from classification to reporting.
  • EWS effectiveness: proportion of EWS triggers converting to RFA and to declared fraud; false-positive rate.
  • RFA-to-decision cycle time and adherence to the forensic-audit timeline.
  • Percentage of fraud cases with completed staff-accountability examination within the prescribed period.
  • Number and value of frauds detected pre-crystallisation (via EWS) versus post-loss.
  • Recovery rate and provisioning coverage on fraud accounts.
  • Percentage of borrower classifications preceded by a compliant show-cause / opportunity-to-be-heard process (target 100%).
  • Digital-channel fraud loss rate and mule-account freeze turnaround time (including 1930/NCRP cases).
  • Number of overdue supervisory observations relating to fraud risk.
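The KPIs above only hold up under supervisory scrutiny if they are computed the same way every period from the case register itself, with the definitions written down. What follows is an added example, not code from the page, the RBI or any entity's FRM system, that computes the first five KPIs over a fraud-case register and an EWS trigger log. The register schema, the 14-day classification-to-FMR window, the sample case records and the trigger dispositions are all constructed assumptions for illustration; the window in particular must be taken from the directions applicable to the entity type.

```python
"""
Fraud-risk KPI computation over a constructed case register and EWS trigger log.

Added example; not code from the page, the RBI, or any entity's FRM system.
Assumptions: the register schema below, a 14-day classification-to-FMR window,
and the EWS disposition log are illustrative. Replace them with the entity's
own exports and the timelines applicable under the current Master Directions.
"""
from datetime import date, timedelta
from statistics import mean

# Assumed classification-to-FMR filing window (days). Verify against the
# directions applicable to the entity type before relying on the KPI.
REPORTING_WINDOW_DAYS = 14

# Constructed case register: one record per declared fraud.
# ews_trigger links a case to the trigger that first surfaced it, if any.
CASES = [
    {"id": "F-001", "detected": date(2024, 9, 2), "classified": date(2024, 9, 20),
     "fmr_filed": date(2024, 9, 30), "scn_issued": True, "ews_trigger": "E-11"},
    {"id": "F-002", "detected": date(2024, 10, 5), "classified": date(2024, 10, 15),
     "fmr_filed": date(2024, 11, 10), "scn_issued": False, "ews_trigger": None},
    {"id": "F-003", "detected": date(2024, 11, 1), "classified": date(2024, 11, 8),
     "fmr_filed": date(2024, 11, 20), "scn_issued": True, "ews_trigger": None},
    {"id": "F-004", "detected": date(2024, 11, 12), "classified": date(2024, 11, 25),
     "fmr_filed": None, "scn_issued": True, "ews_trigger": "E-31"},
]

# Constructed EWS trigger log: final disposition of each trigger.
EWS_TRIGGERS = [
    {"id": "E-11", "rfa": True, "fraud": True},
    {"id": "E-12", "rfa": False, "fraud": False},
    {"id": "E-23", "rfa": True, "fraud": False},
    {"id": "E-24", "rfa": True, "fraud": False},
    {"id": "E-31", "rfa": True, "fraud": True},
    {"id": "E-32", "rfa": False, "fraud": False},
    {"id": "E-33", "rfa": False, "fraud": False},
    {"id": "E-34", "rfa": True, "fraud": False},
    {"id": "E-35", "rfa": False, "fraud": False},
    {"id": "E-36", "rfa": True, "fraud": False},
]


def pct(part, whole):
    """Percentage rounded to one decimal; None when the denominator is empty."""
    return round(100 * part / whole, 1) if whole else None


def as_date(value):
    """Accept ISO strings as well as date objects for the as-of parameter."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def fmr_status(case, as_of, window=REPORTING_WINDOW_DAYS):
    """One case's filing status as of a date: on_time, late, overdue (unfiled and
    past deadline) or pending (unfiled but still inside the window)."""
    deadline = case["classified"] + timedelta(days=window)
    filed = case["fmr_filed"]
    if filed is None:
        return "overdue" if as_date(as_of) > deadline else "pending"
    return "on_time" if filed <= deadline else "late"


def reporting_timeliness(cases, as_of, window=REPORTING_WINDOW_DAYS):
    """Share of FMRs filed inside the window. Unfiled cases past their deadline
    count as breaches, not as missing data; cases still inside the window are
    excluded as pending so the KPI is not flattered by cases not yet due."""
    statuses = [fmr_status(c, as_of, window) for c in cases]
    due = [s for s in statuses if s != "pending"]
    on_time = due.count("on_time")
    return {
        "on_time": on_time,
        "due": len(due),
        "pct": pct(on_time, len(due)),
        "overdue_unfiled": [c["id"] for c, s in zip(cases, statuses) if s == "overdue"],
    }


def cycle_times(cases):
    """Mean days from detection to classification and from classification to
    FMR filing (the latter over filed cases only)."""
    d2c = [(c["classified"] - c["detected"]).days for c in cases]
    c2r = [(c["fmr_filed"] - c["classified"]).days for c in cases if c["fmr_filed"]]
    return {"detect_to_classify": mean(d2c), "classify_to_report": mean(c2r) if c2r else None}


def ews_funnel(triggers):
    """Conversion of EWS triggers to RFA and to declared fraud. False positives
    are defined here as triggers closed with neither RFA nor fraud; RFAs that
    did not end in fraud are counted separately because they consumed forensic effort."""
    n = len(triggers)
    rfa = sum(t["rfa"] for t in triggers)
    fraud = sum(t["fraud"] for t in triggers)
    benign = sum(not t["rfa"] and not t["fraud"] for t in triggers)
    rfa_not_fraud = sum(t["rfa"] and not t["fraud"] for t in triggers)
    return {"triggers": n, "rfa_pct": pct(rfa, n), "fraud_pct": pct(fraud, n),
            "false_positive_pct": pct(benign, n), "rfa_not_fraud": rfa_not_fraud}


def process_compliance(cases):
    """Share of classifications preceded by a show-cause notice (natural justice)
    and share of frauds first surfaced by an EWS trigger (pre-crystallisation)."""
    n = len(cases)
    return {"scn_pct": pct(sum(c["scn_issued"] for c in cases), n),
            "ews_detected_pct": pct(sum(c["ews_trigger"] is not None for c in cases), n)}


def kpi_dashboard(cases=CASES, triggers=EWS_TRIGGERS, as_of="2024-12-31"):
    """Assemble the timeline dashboard an auditor would ask to see as evidence."""
    return {"reporting": reporting_timeliness(cases, as_of),
            "cycle_times": cycle_times(cases),
            "ews": ews_funnel(triggers),
            "process": process_compliance(cases)}


if __name__ == "__main__":
    for name, values in kpi_dashboard().items():
        print(f"{name}: {values}")
```

The point worth carrying into a real dashboard is the treatment of unfiled cases: a KPI built only from submitted FMRs never sees the case that was classified and then not reported at all, which is exactly the breach the supervisor looks for. Counting an unfiled case as a breach once its deadline has passed, and listing it by ID, turns the KPI into the overdue-filing check an auditor would otherwise have to run by hand.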

Readiness checklist

  • Board-approved FRM policy aligned to the 15 Jul 2024 Master Directions is in force and reviewed annually.
  • SCBMF is constituted with correct composition, meets on schedule and reviews all frauds >= Rs. 1 crore.
  • An independent, adequately staffed FRM function headed by a senior officer is operating.
  • A documented, largely automated EWS framework with a defined indicator library is live.
  • The RFA mechanism triggers forensic audit and time-bound decisioning for large accounts.
  • A show-cause / opportunity-to-be-heard process compliant with SBI v. Rajesh Agarwal precedes every fraud classification.
  • Fraud classification uses the RBI taxonomy and is decided within prescribed timelines.
  • FMR, CFR, CPFIR and Flash Reports are filed accurately and within mandated windows.
  • Staff-accountability examination is completed for every fraud, with CVC coordination where applicable.
  • Provisioning, recovery and law-enforcement referral are pursued and tracked.
  • Digital / payment fraud monitoring is integrated with 1930 / NCRP and mule-account controls.
  • Analytics models are governed, data quality is managed and fraud systems are access-controlled.
  • Independent assurance over the FRM framework is performed and findings are remediated.

Common gaps

  • Reporting delays: FMR / CFR filings submitted after the prescribed window, the single most common trigger for supervisory penalty.
  • Manual, low-coverage EWS: indicator library too small, dependent on manual review, with high false positives and poor conversion tracking.
  • Missing natural-justice step: accounts classified as fraud without a reasoned show-cause notice, exposing the classification to legal challenge post-2023.
  • SCBMF operating in name only: irregular meetings, incomplete case coverage, weak follow-up on recovery and accountability.
  • Weak staff-accountability discipline: examinations not completed within the prescribed period or not initiated for smaller frauds.
  • Fragmented digital-fraud response: poor 1930 / NCRP integration and slow mule-account freezes leading to unrecoverable losses.
  • Model and data-quality gaps: ungoverned analytics models and incomplete data feeding the EWS engine.
  • Scoping the audit to declared frauds only, ignoring suppressed or wrongly closed EWS / RFA events.
  • Inadequate provisioning or delayed law-enforcement referral relative to RBI thresholds.
  • No lessons-learned loop: recurring fraud typologies not fed back into control redesign.

RBI Fraud Risk Management mapped to other frameworks

Mapping the FRM framework to adjacent standards helps entities reuse controls and evidence. The mapping is indicative, not a substitute for each framework's own requirements.

RBI FRM domain | Related framework / standard | Nature of overlap
Governance & Board oversight | RBI IT Governance & Risk Directions; ISO 37301 | Board ownership, policy and committee structures
Prevention & KYC controls | PMLA / RBI KYC-AML Master Direction; FATF | Customer due diligence, beneficial ownership, monitoring
EWS & transaction monitoring | AML transaction monitoring; ISO 31000 | Rule/scenario-based anomaly detection
Digital & payment fraud | RBI Cyber Security Framework; PCI DSS; CERT-In directions | Channel security, incident handling, 6-hour CERT-In reporting
Data analytics & model governance | RBI model-risk expectations; SR 11-7 (analogue) | Model validation, versioning and review
Reporting (FMR/CFR/CPFIR) | RBI supervisory returns; NPCI/CPFIR reporting | Time-bound regulatory data submission
Assurance & audit | IIA standards; RBI Risk-Based Internal Audit | Independent assurance over control effectiveness
Staff accountability | CVC guidelines; internal HR/disciplinary framework | Vigilance and disciplinary coordination
Recovery & wilful defaulter | RBI Wilful Defaulter Directions; SARFAESI/IBC | Cross-classification and enforcement

How CyberSigma helps
CyberSigma's CERT-In empanelled auditors and QSAs deliver end-to-end RBI Fraud Risk Management engagements: a gap assessment against the 15 July 2024 Master Directions; design and stand-up of the SCBMF, FRM function and natural-justice process aligned to SBI v. Rajesh Agarwal; build and tuning of an automated EWS/RFA and analytics engine; automation of FMR, CFR and CPFIR reporting with timeline controls; independent assurance and board-ready reporting; and remediation programme management. We give the auditor defensible evidence and the implementer a working, supervision-ready framework — closing reporting-delay, natural-justice and EWS-coverage gaps before the RBI does. Contact CyberSigma to scope your RBI Fraud Risk Management Audit.

Frequently asked questions

Is fraud risk management a technology audit?
The RBI directions are broader than technology, but a key part is validating that the monitoring, early-warning and reporting systems actually detect and report fraud effectively.

Need help with RBI Fraud Risk Management?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.