Introduction
The Reserve Bank of India (RBI) treats fraud risk as a distinct, board-owned risk category that sits alongside credit, market, liquidity and operational risk. Over the past decade, and decisively through the Master Directions on Fraud Risk Management issued on 15 July 2024, the RBI has moved regulated entities away from a purely detective, reporting-driven posture towards a preventive, governance-anchored Fraud Risk Management (FRM) framework. An RBI Fraud Risk Management Audit is an independent assessment of whether a regulated entity — a commercial bank, cooperative bank, Non-Banking Financial Company (NBFC), All-India Financial Institution, Payment Aggregator or other RBI-supervised entity — has designed, implemented and can evidence a fraud risk management framework that meets the letter and intent of the Master Directions, the Early Warning Signals (EWS) and Red-Flagged Account (RFA) mechanism, the Fraud Monitoring Return (FMR) reporting discipline, and the principles of natural justice mandated by the Supreme Court in the SBI v. Rajesh Agarwal judgment (2023).
This guide is written for two readers at once. For the auditor, it sets out an assessment methodology, a control-by-control master checklist, an evidence request list and a maturity model that can withstand supervisory scrutiny. For the implementer — the Chief Vigilance Officer, Head of Fraud Risk, Chief Risk Officer, Chief Compliance Officer or IT security lead — it explains what must actually be built, wired and operated so that the audit finds a working framework rather than a paper policy. The scope is deliberately holistic: it spans board governance, the Special Committee of the Board for Monitoring and Follow-up of cases of Fraud (SCBMF), EWS and transaction monitoring technology, staff accountability, recovery, wilful-defaulter interplay, digital and payment-channel fraud, and the strict FMR / Central Fraud Registry (CFR) timelines that trigger supervisory penalties when missed.
Source and copyright note
This guide is an original CyberSigma work product. The RBI Master Directions on Fraud Risk Management, associated circulars, Fraud Monitoring Return formats and the Central Fraud Registry documentation are public regulatory texts issued by the Reserve Bank of India and remain the property of the RBI. We paraphrase and interpret them for audit purposes and do not reproduce RBI text verbatim. Regulated entities must always assess against the current signed Master Directions and any subsequent amendments or FAQ clarifications published on rbi.org.in, as circular references, thresholds and timelines are periodically revised.
What is RBI Fraud Risk Management
RBI Fraud Risk Management is the supervisory framework through which the Reserve Bank requires its regulated entities to prevent, detect, classify, report, investigate, remediate and recover from fraud, and to hold accountable those responsible — whether staff, borrowers or third parties. It is codified principally in three near-identical Master Directions issued on 15 July 2024, addressed respectively to (i) commercial banks (including Regional Rural Banks) and All-India Financial Institutions, (ii) cooperative banks (Urban Cooperative Banks, State and Central Cooperative Banks), and (iii) NBFCs including Housing Finance Companies. These consolidated and superseded the earlier circulars on the subject, including the long-standing Master Directions on Frauds — Classification and Reporting of 2016.
The framework rests on several interlocking pillars. First, board-level governance: fraud risk management must be owned by the Board through a dedicated Special Committee (SCBMF) and operationalised by a senior-management fraud risk management committee and a functionally independent fraud risk management function. Second, prevention and early detection: entities must operate an Early Warning Signals framework and, for large-value accounts, a Red-Flagged Account mechanism that triggers forensic audit before an account crystallises into a declared fraud. Third, a defined fraud classification taxonomy: misappropriation and criminal breach of trust; fraudulent encashment through forged instruments or manipulation of accounts; unauthorised credit facilities extended for illegal gratification; cash shortages; cheating and forgery; irregularities in foreign exchange transactions; and any other type of fraud not covered above. Fourth, mandatory, time-bound reporting through the Fraud Monitoring Return system and the Central Fraud Registry. Fifth, and following the Supreme Court's 2023 ruling, a mandatory principles-of-natural-justice process — the borrower or accused must be given a reasoned show-cause notice and a fair opportunity to be heard before an account is classified as fraud.
Crucially, the 2024 Master Directions are technology-forward: they explicitly require a data-analytics and market-intelligence driven approach to fraud detection, engagement with the Reserve Bank's digital-fraud initiatives, and coordination with mechanisms such as the Central Payments Fraud Information Registry and the Citizen Financial Cyber Fraud Reporting and Management System (the 1930 helpline / NCRP ecosystem). An RBI Fraud Risk Management Audit therefore assesses both a governance apparatus and a working detection-and-response engine.
Who must comply
The obligation to maintain an RBI-compliant fraud risk management framework applies to every entity supervised by the Reserve Bank, though the specific Master Direction that governs a given entity depends on its category. The table below maps entity types to the applicable direction and the intensity of obligation.
| Regulated entity category | Applicable RBI direction (15 Jul 2024) | Key obligation intensity |
|---|---|---|
| Public and private sector commercial banks, Small Finance Banks, Payments Banks, foreign banks operating in India | Master Directions on FRM in Commercial Banks (including RRBs) and All India Financial Institutions | Full framework: SCBMF, EWS, RFA, forensic audit, FMR, CFR, staff accountability |
| All-India Financial Institutions (EXIM Bank, NABARD, NHB, SIDBI, NaBFID) | Master Directions on FRM — Banks / AIFIs | Full framework, calibrated to development-finance mandate |
| Urban Cooperative Banks, State & Central Cooperative Banks | Master Directions on FRM — Cooperative Banks | Full framework, proportionate to tier and asset size |
| NBFCs (Base/Middle/Upper/Top Layer), Housing Finance Companies | Master Directions on FRM — NBFCs (incl. HFCs) | Full framework; scaling-based regulation applies to depth of governance |
| Payment Aggregators, Payment System Operators, PPI issuers | FRM Master Directions read with PSS Act guidelines & CPFIR | Payment/digital fraud focus; CPFIR reporting; RE-specific EWS |
| Regional Rural Banks, Local Area Banks | FRM Master Directions (banking cohort) | Full framework, proportionate |
| Credit Information Companies, ARCs (indirect) | Interfacing obligations (CFR/CIC data) | Data-sharing and consumption obligations |
- Applicability is not size-gated — even the smallest cooperative bank or Base Layer NBFC must have a fraud risk policy approved by its Board and a mechanism to report frauds to the RBI.
- The RFA and forensic-audit obligations are most material for lenders with large exposures; entities with credit exposure above the RFA threshold (historically Rs. 50 crore for consortium/multiple-banking accounts) carry the heaviest EWS burden.
- Statutory auditors and concurrent auditors are indirectly bound: the framework requires their reports to feed the EWS and fraud-detection process, and auditor lapses can themselves be reported.
- Boards and senior management bear personal accountability — supervisory action can attach to individuals where the framework is found deficient or reporting is delayed.
Structure of RBI Fraud Risk Management
The framework can be decomposed into governance domains and operational control families. The table below presents the domain architecture that an auditor should use as the top-level assessment map. Each domain is expanded into verifiable controls in the master assessment checklist that follows.
| Domain code | Domain | Core content |
|---|---|---|
| FRM-1 | Governance & Board Oversight | Board-approved policy, SCBMF, senior-management committee, three-lines model |
| FRM-2 | Fraud Risk Management Function | Independent function, CVO/Head-FRM, staffing, empowerment, reporting lines |
| FRM-3 | Fraud Prevention Controls | Preventive vigilance, KYC/onboarding controls, segregation of duties, awareness |
| FRM-4 | Early Warning Signals (EWS) | EWS indicator library, data sources, automated triggering, escalation |
| FRM-5 | Red-Flagged Account (RFA) Mechanism | RFA thresholds, tagging, JLF referral, forensic audit trigger |
| FRM-6 | Fraud Detection & Investigation | Transaction monitoring, forensic audit, investigation SOP, evidence handling |
| FRM-7 | Fraud Classification | Seven-category taxonomy (six specific heads plus "any other"), decisioning authority, timelines |
| FRM-8 | Principles of Natural Justice | Show-cause notice, opportunity to be heard, reasoned order (SBI v. Rajesh Agarwal) |
| FRM-9 | Reporting — FMR & CFR | Fraud Monitoring Return timelines, Central Fraud Registry upload, flash reports |
| FRM-10 | Staff Accountability & Vigilance | Staff-side examination, disciplinary process, CVC coordination |
| FRM-11 | Law Enforcement & Recovery | FIR/CBI/EOW referral, wilful-defaulter interplay, provisioning, recovery |
| FRM-12 | Digital & Payment Fraud | Channel monitoring, CPFIR, mule accounts, 1930/NCRP, real-time controls |
| FRM-13 | Data Analytics & Technology | Market intelligence, analytics engine, model governance, data quality |
| FRM-14 | Assurance, Review & Closure | Periodic review, closure of fraud cases, audit trail, learning loop |
Master assessment checklist
This is the core of the audit. Each control family below is presented with what the auditor must verify and the typical evidence that substantiates conformity. Implementers should read the same tables as a build specification: if the evidence does not exist, the control does not exist. No domain has been omitted.
FRM-1 Governance and Board oversight
| What to verify | Typical evidence |
|---|---|
| A Board-approved Fraud Risk Management Policy exists, aligned to the 15 Jul 2024 Master Directions, and is reviewed at least annually | Signed policy document with version history; board resolution; review minutes |
| A Special Committee of the Board for Monitoring and Follow-up of cases of Fraud (SCBMF) is constituted with the required composition and meeting cadence | SCBMF charter; composition list; meeting minutes for the last 12-18 months |
| SCBMF reviews all frauds of Rs. 1 crore and above and monitors follow-up, recovery and staff accountability | SCBMF agenda papers; case-tracking registers; action-taken reports |
| A senior-management level fraud risk management committee operationalises board policy | Committee terms of reference; attendance; escalation logs |
| Board is periodically apprised of fraud trends, EWS effectiveness and top exposures | Board deck extracts; MIS dashboards presented to the board |
| Three-lines-of-defence responsibilities for fraud risk are documented and distinct | RACI matrix; org chart; function mandates |
FRM-2 Fraud Risk Management Function
| What to verify | Typical evidence |
|---|---|
| A functionally independent Fraud Risk Management function/department exists, headed by a sufficiently senior officer (Chief Vigilance Officer / Head-FRM) | Function mandate; appointment order; reporting line to MD/CEO/board committee |
| The function is adequately staffed with skilled resources (analysts, investigators, forensic specialists) | Staffing chart; skills matrix; training records |
| The function has authority to access data, initiate investigations and direct forensic audits without line-management veto | Delegation of authority; access-rights records; investigation initiation logs |
| Segregation is maintained between fraud detection, investigation and staff-accountability decisioning | Process flow; approval matrices; conflict-of-interest declarations |
| The function coordinates with internal audit, compliance, IT security, legal and HR | Cross-functional SOPs; joint case files; escalation records |
FRM-3 Fraud prevention controls
| What to verify | Typical evidence |
|---|---|
| Preventive vigilance measures are defined and operating across origination, disbursement and servicing | Preventive vigilance SOP; branch inspection reports |
| KYC / customer due diligence and beneficial-ownership controls reduce impersonation and shell-entity fraud | CDD records; onboarding exception reports; PEP/AML linkage |
| Segregation of duties and maker-checker controls exist for high-risk transactions | System role definitions; SoD conflict reports; maker-checker logs |
| Staff and customer fraud-awareness programmes run periodically | Training calendar; attendance; customer awareness collateral |
| Vendor / third-party and outsourcing arrangements carry fraud-risk controls | Vendor due diligence; contract clauses; outsourcing risk assessments |
| End-use monitoring of credit facilities is performed to detect diversion of funds | End-use certificates; stock/receivables audits; cash-flow monitoring |
FRM-4 Early Warning Signals (EWS)
| What to verify | Typical evidence |
|---|---|
| An EWS indicator library is documented, covering behavioural, financial, transactional and external signals | EWS master list; indicator definitions; source mapping |
| EWS are generated from multiple data sources (account behaviour, auditor reports, market intelligence, public/third-party data) | Data-source inventory; feed configuration; sample EWS outputs |
| EWS are largely system-generated and automatically triggered rather than manual | EWS engine screenshots; trigger logs; automation coverage report |
| Triggered EWS are time-bound for review, disposition and escalation | EWS workflow SLA; ageing report; disposition register |
| EWS effectiveness (hit rate, false positives, conversion to RFA/fraud) is measured and tuned | EWS MIS; tuning change log; back-testing results |
| Statutory / concurrent / stock auditor observations feed the EWS process | Auditor report intake log; linkage to EWS cases |
FRM-5 Red-Flagged Account (RFA) mechanism
| What to verify | Typical evidence |
|---|---|
| An account is tagged Red-Flagged when one or more EWS indicating fraud-like activity are triggered | RFA tagging register; trigger-to-tag mapping |
| RFA status is recorded and communicated to consortium / multiple-banking members (via JLF / CRILC where applicable) | JLF minutes; CRILC reporting; inter-bank communication |
| An RFA above threshold triggers a forensic / stock-and-book audit within the prescribed timeline | Forensic audit engagement letters; timeline tracker |
| A decision to declare fraud or lift the RFA is taken within the mandated window (historically ~six months) with reasons recorded | RFA decision notes; committee approvals; audit-trail |
| RFA accounts are monitored for asset dissipation pending decisioning | Monitoring reports; charge/security verification |
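To make the FRM-4 and FRM-5 controls concrete for both the auditor and the implementer, here is an added worked example (a CyberSigma illustration, not RBI text and not any vendor's product): a small Python EWS engine that runs an indicator library over account snapshots, tags an account Red-Flagged when a fraud-like indicator fires, ages open triggers against a disposition SLA, and computes the conversion and false-positive metrics tested under FRM-4. The five indicators and their thresholds, the fraud-like flag on each, the 7-day SLA, the snapshot field names and the three sample accounts are all assumptions chosen for illustration, not RBI-prescribed values.

```python
"""Toy EWS engine: runs an indicator library over account snapshots, tags
Red-Flagged Accounts, ages open triggers against a disposition SLA and
computes the effectiveness metrics an auditor asks for.
Added illustration only. The indicator set, thresholds, field names,
SLA and sample accounts are assumptions, not RBI-prescribed values."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = 7  # assumed: an open EWS trigger must be dispositioned within 7 days

# Indicator library: (code, description, predicate over a snapshot, fraud_like).
# fraud_like marks indicators whose firing alone warrants an RFA tag (assumption).
INDICATORS = [
    ("EWS-01", "Bouncing of high-value cheques",
     lambda a: a["cheque_bounces_90d"] >= 3, True),
    ("EWS-02", "Devolvement of LCs / invocation of BGs",
     lambda a: a["lc_devolved_90d"] >= 1, True),
    ("EWS-03", "Delay in submission of stock statements",
     lambda a: a["stock_stmt_delay_days"] > 30, False),
    ("EWS-04", "Funds routed through group / related entities",
     lambda a: a["related_party_outflow_ratio"] > 0.5, True),
    ("EWS-05", "Statutory auditor qualification on the accounts",
     lambda a: a["auditor_qualified"], False),
]


@dataclass
class Trigger:
    account: str
    code: str
    fired_on: date
    fraud_like: bool
    disposition: Optional[str] = None  # None = open; else "rfa", "fraud", "closed_benign"


def evaluate(account: str, snapshot: Dict, as_of: date) -> List[Trigger]:
    """Fire every indicator whose predicate holds for this snapshot."""
    return [Trigger(account, code, as_of, fraud_like)
            for code, _desc, pred, fraud_like in INDICATORS if pred(snapshot)]


def should_tag_rfa(triggers: List[Trigger]) -> bool:
    """RFA when one or more fraud-like EWS have fired (first FRM-5 control)."""
    return any(t.fraud_like for t in triggers)


def overdue(triggers: List[Trigger], as_of: date, sla_days: int = SLA_DAYS) -> List[Trigger]:
    """Open triggers older than the disposition SLA (the ageing report)."""
    return [t for t in triggers
            if t.disposition is None and (as_of - t.fired_on).days > sla_days]


def effectiveness(triggers: List[Trigger]) -> Dict[str, float]:
    """Conversion and false-positive rates over dispositioned triggers."""
    done = [t for t in triggers if t.disposition is not None]
    n = len(done)
    if n == 0:
        return {"dispositioned": 0, "rfa_rate": 0.0, "fraud_rate": 0.0, "false_positive_rate": 0.0}
    return {
        "dispositioned": n,
        "rfa_rate": sum(t.disposition in ("rfa", "fraud") for t in done) / n,
        "fraud_rate": sum(t.disposition == "fraud" for t in done) / n,
        "false_positive_rate": sum(t.disposition == "closed_benign" for t in done) / n,
    }


# Constructed account snapshots (not real data).
SNAPSHOTS = {
    "ACC-1001": {"cheque_bounces_90d": 4, "lc_devolved_90d": 0, "stock_stmt_delay_days": 45,
                 "related_party_outflow_ratio": 0.62, "auditor_qualified": False},
    "ACC-1002": {"cheque_bounces_90d": 0, "lc_devolved_90d": 0, "stock_stmt_delay_days": 35,
                 "related_party_outflow_ratio": 0.10, "auditor_qualified": True},
    "ACC-1003": {"cheque_bounces_90d": 1, "lc_devolved_90d": 0, "stock_stmt_delay_days": 0,
                 "related_party_outflow_ratio": 0.05, "auditor_qualified": False},
}


def run_demo(as_of: date = date(2025, 3, 31)) -> Dict:
    """Evaluate all snapshots as fired 10 days ago, apply dispositions, report."""
    fired_on = as_of - timedelta(days=10)
    triggers: List[Trigger] = []
    rfa: Dict[str, bool] = {}
    for acct, snap in SNAPSHOTS.items():
        fired = evaluate(acct, snap, fired_on)
        triggers.extend(fired)
        rfa[acct] = should_tag_rfa(fired)
    # Constructed dispositions: ACC-1001's triggers went to RFA; ACC-1002's
    # stock-statement delay was explained (benign); its auditor flag is still open.
    for t in triggers:
        if t.account == "ACC-1001":
            t.disposition = "rfa"
        elif t.code == "EWS-03":
            t.disposition = "closed_benign"
    return {
        "rfa": rfa,
        "overdue": [(t.account, t.code) for t in overdue(triggers, as_of)],
        "metrics": effectiveness(triggers),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows ACC-1001 tagged RFA on two fraud-like indicators, ACC-1002 carrying an open trigger past its SLA (the kind of item an auditor pulls from the ageing report), and a 25% false-positive rate over the dispositioned population. The point of `effectiveness` is that the metric is computed from the disposition register, not from the fraud register, which is exactly the population the scoping pitfall later in this guide warns about.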
FRM-6 Fraud detection and investigation
| What to verify | Typical evidence |
|---|---|
| Transaction-monitoring rules and analytics detect anomalous patterns across products and channels | Rule inventory; alert volumes; tuning records |
| A documented investigation SOP governs case intake, evidence collection and chain-of-custody | Investigation manual; case files; evidence logs |
| Forensic audits are commissioned from empanelled forensic auditors with defined scope | Empanelment list; scope documents; forensic reports |
| Investigation outcomes feed classification, staff accountability and recovery decisions | Investigation-to-classification linkage; decision memos |
| Digital evidence is preserved in a legally admissible manner | Certificates under Section 65B of the Indian Evidence Act (Section 63 of the Bharatiya Sakshya Adhiniyam, 2023); imaging logs; hash records |
FRM-7 Fraud classification
| What to verify | Typical evidence |
|---|---|
| Every fraud is classified into the RBI taxonomy (misappropriation/CBT; fraudulent encashment/forgery; unauthorised credit for gratification; cash shortages; cheating & forgery; forex irregularities; other) | Classification register mapping each case to a category |
| Classification is decided by an authorised committee within the prescribed timeline from detection | Committee minutes; detection-to-classification date tracker |
| The date of detection is correctly determined and consistently applied | Detection-date methodology note; case timelines |
| Amount involved is accurately quantified for provisioning and reporting | Quantum computation working; reconciliation to GL |
| Reclassification / de-classification (e.g., after adjudication) is controlled and documented | Reclassification approvals; audit trail |
FRM-8 Principles of natural justice
| What to verify | Typical evidence |
|---|---|
| Before classifying a borrower account as fraud, a detailed reasoned show-cause notice is issued to the borrower / guarantors / promoters | Show-cause notice copies with dispatch proof |
| The noticee is granted a reasonable time (typically not less than 21 days) to respond | SCN with response deadline; acknowledgement records |
| Responses received are considered and a reasoned, speaking order is passed | Reply register; reasoned classification order |
| The process complies with the Supreme Court judgment in State Bank of India v. Rajesh Agarwal (2023) | Compliance note; legal opinion; process SOP referencing the judgment |
| Records demonstrate that no classification occurs without opportunity to be heard | Exception log confirming nil bypass; internal audit attestation |
FRM-9 Reporting — Fraud Monitoring Return and Central Fraud Registry
| What to verify | Typical evidence |
|---|---|
| Frauds of Rs. 1 lakh and above are reported to the RBI through the Fraud Monitoring Return (FMR) within the prescribed timeline from classification | FMR submissions with timestamps; XBRL/portal acknowledgements |
| Frauds of Rs. 5 crore and above trigger a Flash Report / immediate reporting; all reported frauds are also reflected in the RBI Central Fraud Registry (CFR) | Flash reports; CFR upload confirmations |
| Very large frauds (historically Rs. 100 crore and above) trigger additional reporting to RBI Central Fraud Monitoring Cell | Escalation records; correspondence with RBI |
| Data reported to CFR is complete, accurate and timely so that other lenders can consume it | CFR data-quality checks; error/rejection logs |
| Closure and update returns are filed as cases progress (recovery, conviction, closure) | Update returns; closure returns; status reconciliation |
| Reporting timelines are met without delay; delays are root-caused and remediated | Timeline dashboard; delay-analysis notes; corrective actions |
FRM-10 Staff accountability and vigilance
| What to verify | Typical evidence |
|---|---|
| Staff-side accountability is examined for every fraud within the prescribed period, independent of the fraud amount | Staff accountability register; examination reports |
| Disciplinary proceedings are initiated where lapses are established, per the disciplinary framework | Charge sheets; inquiry reports; penalty orders |
| Cases involving vigilance angle are coordinated with the Central Vigilance Commission (public sector entities) | CVC references; vigilance case files |
| Accountability outcomes are tracked to closure and reported to SCBMF | Accountability tracker; SCBMF status updates |
| Whistle-blower / protected-disclosure mechanism exists and feeds fraud detection | Whistle-blower policy; disclosure register; investigation linkage |
FRM-11 Law enforcement referral and recovery
| What to verify | Typical evidence |
|---|---|
| Frauds are referred to police / CBI / Economic Offences Wing per amount-based thresholds and ownership | FIR/complaint copies; referral thresholds SOP; CBI references |
| Interplay with wilful-defaulter classification is managed per the RBI wilful-defaulter directions | Wilful-defaulter committee minutes; cross-reference register |
| Provisioning for fraud accounts is made per RBI norms (full provisioning over the permitted period) | Provisioning schedule; GL entries; auditor confirmation |
| Recovery actions (SARFAESI, DRT, IBC, settlement) are pursued and monitored | Recovery case files; recovery MIS; settlement approvals |
| Insurance / indemnity claims are lodged where applicable | Claim files; recovery-from-insurer records |
FRM-12 Digital and payment fraud
| What to verify | Typical evidence |
|---|---|
| Real-time / near-real-time monitoring covers UPI, cards, net-banking, mobile and wallet channels | Channel monitoring rules; alert dashboards |
| Mule-account detection and account-freeze mechanisms operate | Mule-account model outputs; freeze/lien logs |
| Reporting to the Central Payments Fraud Information Registry (CPFIR) is timely and complete | CPFIR submissions; reconciliation to internal fraud data |
| Integration with the Citizen Financial Cyber Fraud Reporting system (1930 / NCRP) enables rapid response | 1930/NCRP intake logs; hold/lien action records |
| Customer-liability framework (limited-liability circular) is applied for unauthorised electronic transactions | Complaint resolution records; shadow-reversal / refund evidence |
| Digital-payment security controls (2FA, device binding, velocity limits) are enforced | Control configuration; exception reports |
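The mule-account and velocity controls in FRM-12 are easier to audit once you have seen one run. The following added example (a CyberSigma illustration, not the Master Directions' text and not any bank's or switch operator's system) runs two rules over a constructed UPI-style transaction log: a debit-velocity rule (more than 5 debits in a sliding 10-minute window) and a pass-through rule (90% or more of an inbound credit moved out again within 30 minutes), then triages accounts into freeze-and-report versus analyst review. The log format, the thresholds, the rule names and the three sample accounts are assumptions.

```python
"""Toy real-time channel monitor for mule-account patterns: a debit-velocity
rule and a credit-to-debit pass-through rule over a constructed UPI-style
transaction log, with a freeze/review triage. Added illustration only; the
thresholds, log format and sample transactions are assumptions, not
RBI-prescribed values."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed thresholds.
VELOCITY_WINDOW = timedelta(minutes=10)     # sliding window for the debit count
VELOCITY_MAX_DEBITS = 5                     # more than this many debits in the window fires
PASSTHROUGH_WINDOW = timedelta(minutes=30)  # how soon after a credit outflows are summed
PASSTHROUGH_RATIO = 0.9                     # share of the credit moved out within the window


def parse(line: str) -> Dict:
    """Log line: ISO-timestamp,account,CR|DR,amount,channel (assumed format)."""
    ts, acct, direction, amt, channel = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "acct": acct,
            "dir": direction, "amt": float(amt), "channel": channel}


# Constructed sample log: ACC-7001 receives 50,000 and fans it out within minutes;
# ACC-7002 is an ordinary salary account; ACC-7003 bursts small debits with no inbound.
SAMPLE_LOG = [
    "2025-03-31T10:00:00,ACC-7001,CR,50000,UPI",
    *[f"2025-03-31T10:0{m}:00,ACC-7001,DR,6000,UPI" for m in range(1, 9)],
    "2025-03-31T09:00:00,ACC-7002,CR,80000,NEFT",
    "2025-03-31T09:30:00,ACC-7002,DR,5000,UPI",
    *[f"2025-03-31T11:0{m}:00,ACC-7003,DR,1500,UPI" for m in range(0, 6)],
]


def velocity_alerts(txns: List[Dict], window: timedelta = VELOCITY_WINDOW,
                    max_debits: int = VELOCITY_MAX_DEBITS) -> Dict[str, int]:
    """Peak debit count inside any sliding window, per account, where it exceeds the cap."""
    debits = defaultdict(list)
    for t in txns:
        if t["dir"] == "DR":
            debits[t["acct"]].append(t["ts"])
    alerts = {}
    for acct, times in debits.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_debits:
            alerts[acct] = peak
    return alerts


def passthrough_alerts(txns: List[Dict], window: timedelta = PASSTHROUGH_WINDOW,
                       ratio: float = PASSTHROUGH_RATIO) -> Dict[str, float]:
    """Credits whose amount is mostly moved out again within the window."""
    alerts = {}
    for c in txns:
        if c["dir"] != "CR" or c["amt"] <= 0:
            continue
        out = sum(d["amt"] for d in txns
                  if d["acct"] == c["acct"] and d["dir"] == "DR"
                  and c["ts"] <= d["ts"] <= c["ts"] + window)
        share = out / c["amt"]
        if share >= ratio:
            alerts[c["acct"]] = max(share, alerts.get(c["acct"], 0.0))
    return alerts


def triage(lines: List[str]) -> Dict[str, Dict]:
    """Both rules firing => freeze and report; one rule alone => analyst review."""
    txns = [parse(line) for line in lines]
    v, p = velocity_alerts(txns), passthrough_alerts(txns)
    result = {}
    for acct in sorted(set(v) | set(p)):
        reasons = []
        if acct in v:
            reasons.append(f"velocity:{v[acct]} debits in {int(VELOCITY_WINDOW.total_seconds() // 60)} min")
        if acct in p:
            reasons.append(f"passthrough:{p[acct]:.0%} of credit out within "
                           f"{int(PASSTHROUGH_WINDOW.total_seconds() // 60)} min")
        action = "freeze_and_report" if acct in v and acct in p else "review"
        result[acct] = {"reasons": reasons, "action": action}
    return result


if __name__ == "__main__":
    for acct, r in triage(SAMPLE_LOG).items():
        print(acct, r["action"], "; ".join(r["reasons"]))
```

ACC-7001 fires both rules and is queued for freeze and CPFIR / 1930-NCRP handling; ACC-7003 fires velocity alone and goes to review, which is the right default because a burst of small debits with no inbound credit is also what a legitimate bill-paying session looks like. The auditor's test under FRM-12 is whether the entity can show the equivalent of `triage` running in near-real time on live channels, and how the "review" queue is dispositioned and aged, not merely that a rule exists on paper.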
FRM-13 Data analytics and technology
| What to verify | Typical evidence |
|---|---|
| A data-analytics and market-intelligence capability drives fraud detection, as required by the 2024 directions | Analytics platform documentation; use-case inventory |
| Analytical models (rules, scoring, ML) are governed — validated, version-controlled and periodically reviewed | Model inventory; validation reports; model-governance policy |
| Data quality, lineage and completeness are managed for fraud-relevant data | Data-quality dashboards; reconciliation reports |
| External intelligence (bureau, negative lists, industry alerts, RBI advisories) is ingested | Feed inventory; ingestion logs |
| Access to fraud systems is least-privilege and logged; the systems themselves are protected | IAM records; audit logs; security assessment reports |
FRM-14 Assurance, review and closure
| What to verify | Typical evidence |
|---|---|
| The FRM framework is subject to periodic independent review (internal audit / assurance) | Audit plan; FRM audit reports; management responses |
| Fraud cases are formally closed only after prescribed conditions (recovery, adjudication, examination) are met | Closure checklist; closure approvals; closure returns |
| Lessons learned from frauds feed back into controls, EWS and policy | Root-cause reports; control-change register |
| A complete, tamper-evident audit trail exists for every fraud case end-to-end | Case-management audit logs; retention policy |
| Regulatory correspondence and supervisory observations are tracked to closure | Supervisory action tracker; compliance confirmations |
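FRM-6 asks for hash records behind preserved digital evidence and FRM-14 for a tamper-evident audit trail per fraud case. Both come down to the same mechanism, shown here as an added Python example (a CyberSigma illustration, not RBI or vendor code): a chain-of-custody log in which each entry commits to the previous entry's hash, so that editing, deleting or reordering a record breaks verification, plus a re-hash check of the acquired artefact against what the log recorded at acquisition. The case identifier, record fields, timestamps and the stand-in "disk image" bytes are assumptions.

```python
"""Hash-chained chain-of-custody log for fraud-case evidence: every entry
commits to the previous entry's hash, so editing, deleting or reordering a
record breaks verification. Added illustration only; the record fields,
case identifier and sample artefact are assumptions."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(prev_hash: str, record: Dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(prev_hash.encode() + payload)


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, case_id: str, action: str, actor: str,
               artefact_sha256: Optional[str] = None, at: Optional[str] = None) -> str:
        """Append one custody event; returns the entry's hash for external anchoring."""
        record = {
            "case_id": case_id, "action": action, "actor": actor,
            "artefact_sha256": artefact_sha256,
            "at": at or datetime.now(timezone.utc).isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "record": record, "hash": entry_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or entry_hash(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def artefact_matches(data: bytes, log: CustodyLog, seq: int) -> bool:
    """Re-hash an artefact and compare with what the log recorded at acquisition."""
    return sha256_hex(data) == log.entries[seq]["record"]["artefact_sha256"]


def demo() -> Dict:
    image = b"constructed disk-image bytes for case FR-2025-017"  # stand-in for a forensic image
    log = CustodyLog()
    log.append("FR-2025-017", "acquire", "analyst-a", sha256_hex(image), at="2025-03-31T10:00:00+00:00")
    log.append("FR-2025-017", "handover", "analyst-a -> forensic-auditor", at="2025-03-31T12:00:00+00:00")
    log.append("FR-2025-017", "analysis-complete", "forensic-auditor", at="2025-04-10T09:00:00+00:00")
    intact, _ = log.verify()
    image_ok = artefact_matches(image, log, 0)
    altered_ok = artefact_matches(image + b"x", log, 0)
    # Simulate someone rewriting the handover record after the fact.
    log.entries[1]["record"]["actor"] = "someone-else"
    still_intact, first_bad = log.verify()
    return {"intact_before": intact, "image_matches": image_ok,
            "altered_image_matches": altered_ok,
            "intact_after_tamper": still_intact, "first_bad_entry": first_bad}


if __name__ == "__main__":
    print(demo())
```

Two caveats an auditor should raise. First, a hash chain only proves tampering to a verifier who holds a trusted copy of at least the latest hash: an insider who can rewrite the whole store can recompute the chain, so the entity should anchor the head hash somewhere it cannot change (for instance in the signed SCBMF pack or a write-once store). Second, the artefact hash must be taken at acquisition and carried into the Section 65B / Section 63 certificate; a hash computed later from a working copy proves nothing about what was originally seized.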
Scoping
Scoping an RBI Fraud Risk Management Audit means defining which entities, products, channels, geographies, systems and time periods the assessment will cover, and against which version of the Master Directions. Because the framework is enterprise-wide, scope should be defined by exclusion (what is explicitly out) rather than by inclusion, so that no fraud-bearing surface is inadvertently omitted.
- Entity and legal scope: identify the exact regulated entity (and any subsidiaries, RRB sponsorship, or co-lending arrangements) and confirm which of the three Master Directions applies.
- Product and portfolio scope: retail lending, corporate/wholesale lending, treasury/forex, trade finance, deposits, cards, and payment products each carry distinct fraud typologies.
- Channel scope: branch, internet banking, mobile, UPI, ATM/cards, agent/BC networks and third-party/aggregator flows.
- System scope: core banking, loan origination, LOS/LMS, the EWS/fraud-analytics engine, case management, and reporting/XBRL interfaces to RBI.
- Time-period scope: typically the trailing 12-18 months of fraud cases, EWS triggers, FMR filings and SCBMF minutes, plus any open legacy cases.
- Threshold scope: RFA-eligible large exposures, Rs. 1 lakh / Rs. 1 crore / Rs. 5 crore / Rs. 100 crore reporting bands, and forensic-audit-eligible accounts.
- Third-party scope: outsourced operations, forensic auditors, recovery agents and technology vendors relevant to fraud handling.
- Explicit exclusions: document any legal-entity, geography or product deliberately excluded, with rationale and residual-risk note.
Scoping pitfall
A common and penalty-attracting error is scoping the audit around declared frauds only, ignoring the population of EWS triggers and RFA-tagged accounts that never converted. Supervisors specifically probe whether genuine fraud indicators were suppressed, delayed or wrongly closed — so the audit population must start from all EWS/RFA events, not just from the fraud register.
Implementation approach
For an entity building or uplifting its framework, the following phased approach sequences governance before technology and detection before reporting automation. Each phase lists indicative activities and deliverables.
Phase 1 — Governance and policy foundation (Weeks 1-6)
- Activities: gap-assess the current framework against the 15 Jul 2024 Master Directions; draft/refresh the Board-approved FRM policy; constitute or recharter the SCBMF and senior-management committee; define the three-lines model and RACI.
- Deliverables: Board-approved FRM policy; SCBMF charter and cadence; RACI matrix; governance operating model.
Phase 2 — Fraud risk function and process build (Weeks 5-12)
- Activities: establish/uplift the independent FRM function; appoint Head-FRM/CVO; write investigation, classification, natural-justice and staff-accountability SOPs; empanel forensic auditors.
- Deliverables: function mandate and staffing plan; investigation manual; classification SOP; SCN templates; forensic-auditor panel.
Phase 3 — EWS, RFA and analytics enablement (Weeks 8-20)
- Activities: build the EWS indicator library; integrate data sources; deploy or tune the analytics/transaction-monitoring engine; wire RFA tagging and JLF/CRILC linkage; define automation and SLAs.
- Deliverables: EWS catalogue; configured EWS/analytics engine; RFA workflow; model-governance framework.
Phase 4 — Reporting automation and integration (Weeks 14-22)
- Activities: implement FMR generation and timeline controls; wire CFR and CPFIR uploads; integrate 1930/NCRP intake; build the fraud MIS and board dashboards.
- Deliverables: automated FMR/CFR/CPFIR pipelines; timeline-monitoring dashboard; board MIS pack.
Phase 5 — Assurance, training and continuous improvement (Weeks 20-28+)
- Activities: run staff and customer awareness; conduct independent FRM audit; institute root-cause / lessons-learned loop; embed periodic policy review.
- Deliverables: training records; independent audit report; control-improvement register; annual review calendar.
Maturity and capability model
Use the following five-level model to score each of the fourteen domains. The overall framework maturity is the weighted aggregate, with governance and reporting domains weighted highest because supervisory penalties attach most directly to them.
| Level | Label | Characteristics |
|---|---|---|
| 1 | Initial / Ad-hoc | Policy exists on paper only; fraud handled reactively; reporting frequently delayed; no EWS |
| 2 | Developing | Basic committees and manual EWS exist; reporting mostly on time but inconsistent; limited automation |
| 3 | Defined | Full governance operating; documented SOPs; automated EWS/RFA; FMR/CFR timelines consistently met |
| 4 | Managed | Analytics-driven detection; measured EWS effectiveness; natural-justice process robust; strong staff accountability |
| 5 | Optimised | Predictive analytics and market intelligence; near-zero reporting delays; continuous tuning; cross-industry intelligence sharing |
Assessment and audit approach
- Confirm scope, applicable Master Direction version and the audit period; obtain the fraud register, EWS/RFA logs and SCBMF minutes.
- Assess governance: review the Board-approved policy, SCBMF composition/cadence and senior-management committee operation.
- Evaluate the FRM function's independence, staffing, empowerment and cross-functional coordination.
- Test the EWS framework: examine the indicator library, data-source coverage, automation, disposition SLAs and effectiveness metrics.
- Trace a sample of RFA-tagged accounts through forensic audit, decisioning and timeline compliance.
- Walk through fraud investigations end-to-end, testing evidence handling, classification accuracy and quantum computation.
- Verify the principles-of-natural-justice process (SCN issuance, response window, reasoned order) against SBI v. Rajesh Agarwal.
- Reconcile the fraud register to FMR/CFR/CPFIR submissions and test reporting timeliness against prescribed windows.
- Examine staff-accountability examination, disciplinary outcomes and (where applicable) CVC coordination.
- Assess law-enforcement referral, provisioning, recovery and wilful-defaulter interplay.
- Review digital/payment fraud controls, mule-account handling and 1930/NCRP integration.
- Test analytics/model governance, data quality and access controls over fraud systems.
- Assess independent assurance, case-closure discipline and the lessons-learned feedback loop.
- Rate each domain on the maturity model, quantify residual risk, and issue findings with prioritised, time-bound remediation.
Evidence request list
The following categorised list is the standard document request pack. Implementers can pre-assemble it; auditors should treat missing items as potential control gaps.
- Governance: Board-approved FRM policy (with version history); SCBMF charter, composition and 12-18 months of minutes; senior-management committee ToR and minutes; board MIS packs.
- Function: FRM function mandate; org chart; staffing and skills matrix; delegation of authority; training records.
- Prevention: preventive-vigilance SOP; KYC/CDD exception reports; SoD/maker-checker configuration; awareness collateral; end-use monitoring records.
- EWS/RFA: EWS indicator catalogue; data-source inventory; EWS engine outputs and ageing reports; RFA tagging register; JLF/CRILC records; forensic-audit engagements and reports.
- Investigation/Classification: investigation manual; sample case files with chain-of-custody; classification register; quantum computation workings; reclassification approvals.
- Natural justice: SCN templates and issued notices with dispatch proof; response register; reasoned classification orders; legal opinion on process.
- Reporting: FMR submissions and acknowledgements; Flash Reports; CFR and CPFIR upload confirmations; closure/update returns; timeline dashboards.
- Accountability/Recovery: staff-accountability register; disciplinary orders; CVC references; provisioning schedules; recovery MIS; FIR/CBI referrals.
- Digital fraud: channel-monitoring rules; mule-account model outputs; 1930/NCRP intake logs; customer-liability resolution records.
- Technology: model inventory and validation reports; data-quality dashboards; IAM/access logs; security assessment of fraud systems.
- Assurance: independent FRM audit reports; management responses; root-cause reports; supervisory correspondence tracker.
Roles and responsibilities
| Role | Fraud risk management responsibility |
|---|---|
| Board of Directors | Approve FRM policy; own fraud risk; ensure adequate resourcing and accountability |
| Special Committee (SCBMF) | Monitor and follow up frauds >= Rs. 1 crore; oversee recovery and staff accountability |
| MD & CEO / Senior Management | Operationalise policy; chair the senior-management fraud committee; ensure timely reporting |
| Chief Vigilance Officer / Head-FRM | Run the FRM function; direct investigations and forensic audits; own EWS/RFA |
| Chief Risk Officer | Integrate fraud risk into enterprise risk; oversee model and analytics governance |
| Chief Compliance Officer | Ensure regulatory reporting (FMR/CFR/CPFIR) timeliness and supervisory closure |
| Internal Audit | Provide independent assurance over the FRM framework's design and operation |
| IT / Information Security | Operate detection technology; protect fraud systems; support digital forensics |
| Business / Branch Heads | First-line prevention, EWS response and end-use monitoring |
| Legal | Advise on natural justice, referrals, recovery and litigation |
| HR | Execute disciplinary process for established staff lapses |
KPIs to track
- Percentage of FMR / CFR / CPFIR submissions filed within the prescribed timeline (target 100%).
- Average number of days from fraud detection to classification, and from classification to reporting.
- EWS effectiveness: proportion of EWS triggers converting to RFA and to declared fraud; false-positive rate (triggers closed as not-fraud as a share of resolved triggers, excluding those still open).
- RFA-to-decision cycle time and adherence to the forensic-audit timeline.
- Percentage of fraud cases with completed staff-accountability examination within the prescribed period.
- Number and value of frauds detected pre-crystallisation (via EWS) versus post-loss.
- Recovery rate and provisioning coverage on fraud accounts.
- Percentage of borrower classifications preceded by a compliant show-cause / opportunity-to-be-heard process (target 100%).
- Digital-channel fraud loss rate and mule-account freeze turnaround time (including 1930/NCRP cases).
- Number of overdue supervisory observations relating to fraud risk.
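The timeliness and EWS-funnel KPIs above are straightforward to define but easy to miscompute: an FMR that has not been filed at all must count as a breach once its window has elapsed, and a false-positive rate must be measured only against triggers that have actually been resolved. The following is an added worked example (not code from the original page or from any RBI or vendor system) that computes these KPIs over a constructed case register. The 14-day `REPORTING_WINDOW_DAYS` constant and the record layouts are assumptions for illustration; the prescribed timelines are the ones in the Master Directions and the FMR instructions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical window used for the worked example; the prescribed timeline is
# the one in the Master Directions / FMR instructions, not this constant.
REPORTING_WINDOW_DAYS = 14


@dataclass(frozen=True)
class EwsEvent:
    event_id: str
    triggered: date
    became_rfa: bool
    outcome: str                # "fraud", "not_fraud" or "open" (still under review)


@dataclass(frozen=True)
class FraudCase:
    case_id: str
    detected: date
    classified: date
    fmr_filed: Optional[date]   # None = FMR not yet filed
    via_ews: bool               # True if surfaced by EWS before the loss crystallised


def _rate(numerator, denominator):
    """Safe ratio: an empty denominator yields 0.0 instead of an exception."""
    return numerator / denominator if denominator else 0.0


def reporting_kpis(cases, as_of, window_days=REPORTING_WINDOW_DAYS):
    """Timeliness KPIs over classified cases.

    A case with no FMR whose window has already elapsed at `as_of` is a
    breach and is counted in the denominator as late; a case still inside
    its window is excluded rather than silently counted as on time.
    """
    on_time, measured, overdue_unfiled = 0, 0, []
    detect_to_classify, classify_to_report = [], []
    for c in cases:
        detect_to_classify.append((c.classified - c.detected).days)
        if c.fmr_filed is None:
            if (as_of - c.classified).days > window_days:
                measured += 1
                overdue_unfiled.append(c.case_id)
            continue
        lag = (c.fmr_filed - c.classified).days
        classify_to_report.append(lag)
        measured += 1
        if lag <= window_days:
            on_time += 1
    return {
        "fmr_on_time_rate": _rate(on_time, measured),
        "avg_detect_to_classify_days": _rate(sum(detect_to_classify), len(detect_to_classify)),
        "avg_classify_to_report_days": _rate(sum(classify_to_report), len(classify_to_report)),
        "overdue_unfiled": overdue_unfiled,
    }


def ews_kpis(events, cases):
    """EWS funnel (trigger -> RFA -> declared fraud) plus false-positive rate.

    False positives are measured only against resolved triggers; open
    triggers are neither hits nor misses yet.
    """
    triggers = len(events)
    to_rfa = sum(1 for e in events if e.became_rfa)
    to_fraud = sum(1 for e in events if e.outcome == "fraud")
    not_fraud = sum(1 for e in events if e.outcome == "not_fraud")
    return {
        "triggers": triggers,
        "trigger_to_rfa_rate": _rate(to_rfa, triggers),
        "trigger_to_fraud_rate": _rate(to_fraud, triggers),
        "false_positive_rate": _rate(not_fraud, to_fraud + not_fraud),
        "pre_crystallisation_share": _rate(sum(1 for c in cases if c.via_ews), len(cases)),
    }


# Constructed sample register for illustration only (not real data).
SAMPLE_EVENTS = [
    EwsEvent("E1", date(2024, 1, 5), True, "fraud"),
    EwsEvent("E2", date(2024, 1, 12), True, "not_fraud"),
    EwsEvent("E3", date(2024, 2, 1), False, "not_fraud"),
    EwsEvent("E4", date(2024, 2, 15), False, "open"),
    EwsEvent("E5", date(2024, 3, 1), True, "fraud"),
]
SAMPLE_CASES = [
    FraudCase("F1", date(2024, 1, 20), date(2024, 2, 10), date(2024, 2, 20), True),
    FraudCase("F2", date(2024, 3, 10), date(2024, 3, 25), date(2024, 4, 15), True),
    FraudCase("F3", date(2024, 4, 1), date(2024, 4, 5), None, False),   # unfiled, overdue
    FraudCase("F4", date(2024, 4, 10), date(2024, 4, 20), date(2024, 4, 28), False),
]
AS_OF = date(2024, 4, 30)

if __name__ == "__main__":
    print(reporting_kpis(SAMPLE_CASES, AS_OF))
    print(ews_kpis(SAMPLE_EVENTS, SAMPLE_CASES))
```

On the constructed register, F3 has no FMR 25 days after classification and is reported as overdue rather than dropped from the rate, which is exactly the case a dashboard built only from filed returns would hide. The same `as_of` discipline applies to CFR and CPFIR uploads and to the staff-accountability timeline KPI.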
Readiness checklist
- Board-approved FRM policy aligned to the 15 July 2024 Master Directions is in force and reviewed annually.
- SCBMF is constituted with correct composition, meets on schedule and reviews all frauds >= Rs. 1 crore.
- An independent, adequately staffed FRM function headed by a senior officer is operating.
- A documented, largely automated EWS framework with a defined indicator library is live.
- The RFA mechanism triggers forensic audit and time-bound decisioning for large accounts.
- A show-cause / opportunity-to-be-heard process compliant with SBI v. Rajesh Agarwal precedes every fraud classification.
- Fraud classification uses the RBI taxonomy and is decided within prescribed timelines.
- FMR, CFR, CPFIR and Flash Reports are filed accurately and within mandated windows.
- Staff-accountability examination is completed for every fraud, with CVC coordination where applicable.
- Provisioning, recovery and law-enforcement referral are pursued and tracked.
- Digital / payment fraud monitoring is integrated with 1930 / NCRP and mule-account controls.
- Analytics models are governed, data quality is managed and fraud systems are access-controlled.
- Independent assurance over the FRM framework is performed and findings are remediated.
Common gaps
- Reporting delays: FMR / CFR filings submitted after the prescribed window, a frequent trigger of supervisory penalty.
- Manual, low-coverage EWS: indicator library too small, dependent on manual review, with high false positives and poor conversion tracking.
- Missing natural-justice step: accounts classified as fraud without a reasoned show-cause notice and an opportunity to be heard, exposing the classification to legal challenge after the 2023 SBI v. Rajesh Agarwal judgment.
- SCBMF operating in name only: irregular meetings, incomplete case coverage, weak follow-up on recovery and accountability.
- Weak staff-accountability discipline: examinations not completed within the prescribed period or not initiated for smaller frauds.
- Fragmented digital-fraud response: poor 1930 / NCRP integration and slow mule-account freezes leading to unrecoverable losses.
- Model and data-quality gaps: ungoverned analytics models and incomplete data feeding the EWS engine.
- Scoping the audit to declared frauds only, ignoring suppressed or wrongly closed EWS / RFA events.
- Inadequate provisioning or delayed law-enforcement referral relative to RBI thresholds.
- No lessons-learned loop: recurring fraud typologies not fed back into control redesign.
RBI Fraud Risk Management mapped to other frameworks
Mapping the FRM framework to adjacent standards helps entities reuse controls and evidence. The mapping is indicative, not a substitute for each framework's own requirements.
| RBI FRM domain | Related framework / standard | Nature of overlap |
|---|---|---|
| Governance & Board oversight | RBI IT Governance & Risk Directions; ISO 37301 | Board ownership, policy and committee structures |
| Prevention & KYC controls | PMLA / RBI KYC-AML Master Direction; FATF | Customer due diligence, beneficial ownership, monitoring |
| EWS & transaction monitoring | AML transaction monitoring; ISO 31000 | Rule/scenario-based anomaly detection |
| Digital & payment fraud | RBI Cyber Security Framework; PCI DSS; CERT-In directions | Channel security, incident handling, 6-hour CERT-In reporting |
| Data analytics & model governance | RBI model-risk expectations; US Federal Reserve SR 11-7 (analogue) | Model validation, versioning and review |
| Reporting (FMR/CFR/CPFIR) | RBI supervisory returns; NPCI/CPFIR reporting | Time-bound regulatory data submission |
| Assurance & audit | IIA standards; RBI Risk-Based Internal Audit | Independent assurance over control effectiveness |
| Staff accountability | CVC guidelines; internal HR/disciplinary framework | Vigilance and disciplinary coordination |
| Recovery & wilful defaulter | RBI Wilful Defaulter Directions; SARFAESI/IBC | Cross-classification and enforcement |
How CyberSigma helps
CyberSigma's CERT-In empanelled auditors and QSAs deliver end-to-end RBI Fraud Risk Management engagements: a gap assessment against the 15 July 2024 Master Directions; design and stand-up of the SCBMF, FRM function and natural-justice process aligned to SBI v. Rajesh Agarwal; build and tuning of an automated EWS/RFA and analytics engine; automation of FMR, CFR and CPFIR reporting with timeline controls; independent assurance and board-ready reporting; and remediation programme management. We give the auditor defensible evidence and the implementer a working, supervision-ready framework — closing reporting-delay, natural-justice and EWS-coverage gaps before the RBI does. Contact CyberSigma to scope your RBI Fraud Risk Management Audit.