News Articles

Frauds in NBFCs

---

• RBI recently notified the Reserve Bank of India (Fraud Risk Management in NBFC) Directions, 2024 to create revised guidelines governing the prevention, early detection and reporting of frauds in NBFCs.

• These directions are intended to cover multiple types of frauds, which include but are not limited to forgery, misappropriation of funds, manipulation of books of accounts, etc.

• The stringent governance requirements specified within these directions will likely prove beneficial to existing and incoming investors in such NBFCs alike.

• A checklist of key action points for investors, based on the directions, has also been prepared.

---

In an important development aimed at strengthening the framework for prevention, early detection and reporting of frauds in non-banking financial companies (“NBFCs”) in India, the Reserve Bank of India (“RBI”) recently issued the “Reserve Bank of India (Fraud Risk Management in NBFC) Directions, 2024” (the “Directions”) on July 15, 2024. 

The Directions are intended to apply to all NBFCs (including housing finance companies (“HFCs”)) in the base layer (with an asset size of INR 500 crore or more),¹ middle layer² and upper layer³ (as categorised by the RBI) (collectively, “Applicable NBFCs”) and supersede the previously enacted Master Direction – Monitoring of Frauds in NBFCs (Reserve Bank) Directions, 2016. The Directions cover a wide variety of frauds such as misappropriation of funds, manipulation of books of accounts and fictitious accounts, cheating through concealment of facts with an intent to deceive, forgery, fraudulent transactions involving foreign exchange, etc. Importantly, the Directions are silent on an effective date, and it is thus likely that they are intended to be applicable with immediate effect.

A checklist has been provided for both existing and incoming investors at the end of this article keeping in mind the new Directions.

Broad Overview of the Directions 

Prevention:

1. The new Directions include measures such as requirement for a board-approved Fraud Risk Management Policy, which outlines roles and responsibilities of key personnel and investigations based on principles of natural justice.⁴ This policy must be reviewed regularly, with senior management responsible for its implementation and reporting on fraud incidents.⁵

2. Applicable NBFCs are also required to establish committees to monitor fraud cases. Applicable NBFCs (that are not categorized as Middle Layer and Base Layer) must form a Special Committee for Monitoring Fraud Cases (“SCBMF”),⁶ while Applicable NBFCs (that are categorized as Middle Layer and Base Layer) can create a Committee of Executives (“COE”).⁷ These committees are tasked with overseeing fraud risk management effectiveness, reviewing fraud cases, and suggesting improvements to internal controls.

3. Amounts relating to fraud reported must be disclosed by the Applicable NBFC in the “notes to accounts” of their financial statements.⁸

4. For NBFCs (that are categorized as Middle Layer and Upper Layer), an Early Warning Signals (“EWS”) system is mandated to identify potential fraud in financial transactions.⁹ This system should be part of the Fraud Risk Management Policy and overseen by a board committee. Senior management is responsible for implementing the EWS framework within six months of the new directions being issued. 

Detection:

1. The detection measures include continuous monitoring of credit facilities and transactions to assess potentially fraudulent activities.¹⁰ Applicable NBFCs are required to include clauses in loan agreements allowing them to conduct audits at their discretion.¹¹

2. For NBFCs (that are categorized as Middle Layer and Upper Layer), EWS system is mandated to detect potential fraud by analyzing various indicators related to transactional data, financial performance, market intelligence, and borrower conduct.¹² Any EWS trigger must be examined for potential fraud, and these Applicable NBFCs are required to vigilantly monitor transactions, especially in non-KYC compliant accounts.¹³

3. If fraud is suspected, Applicable NBFCs must conduct external or internal audits following principles of natural justice.¹⁴ When an account is identified as fraudulent, the Applicable NBFC must examine borrowing accounts of related group companies. Additionally, if a law enforcement agency initiates an investigation, the Applicable NBFC must classify the account according to their board policy.¹⁵ 

Reporting:

1. Applicable NBFCs must immediately report fraud incidents to appropriate Law Enforcement Agencies (“LEAs”), including state police authorities.¹⁶ They are required to designate a nodal officer to handle these reports and coordinate with LEAs.¹⁷

2. Applicable NBFCs must also report fraud incidents to the RBI through Fraud Monitoring Returns (“FMR”) on an online portal within 14 days of classifying an incident as fraud.¹⁸ This applies to all frauds, regardless of the amount involved, and includes those perpetrated within group entities or overseas branches.¹⁹ Specific incidents like theft, burglary, and robbery must be reported within 7 days of occurrence,²⁰ with quarterly returns submitted for these cases.²¹

3. The RBI has provided guidelines for closing fraud cases reported on the FMR (where the quantum is below INR 25 lakh). Cases can be closed when pending legal matters are resolved or staff accountability examinations are completed. Further, any ongoing investigations or delays in court proceedings must have been ongoing for more than three years from the date of registration of an FIR, for such proceedings to be closed.²²

Staff Accountability Examination process:

1. The Directions provide for examination of staff that must be undertaken in a timely manner, as per the internal policy, in all fraud cases.²³

2. For Government-NBFCs,²⁴ examination is to be undertaken as per the guidelines issued by the Central Vigilance Commission (“CVC Guidelines”). Further, Applicable NBFCs in the public sector are required to ensure that all fraud cases of INR 3 crores and above are referred to the Advisory Board for Banking and Financial Frauds (“ABBFF”) constituted by the Central Vigilance Commission (“CVC”), to examine the role of all levels of present and previous officials and whole-time directors.

3. If cases involve very senior executives of Applicable NBFCs (such as a managing director, chief executive officer, executive director or executives of an equivalent rank), the audit committee must initiate an examination of their accountability before the Board (with such impugned executives, if members of the committee, recusing themselves during the determination).²⁵

Penalties²⁶

1. Persons or entities “classified and reported as fraud”²⁷ by Applicable NBFCs (along with any entities and persons associated with them) are to be debarred from raising funds and seeking additional credit facilities from RBI regulated entities for 5 years from the date of repayment of defrauded amount / settlement amount (as applicable).

2. Once the 5 year period has elapsed, Applicable NBFCs have the discretion to entertain or decline credit facility requests from such persons, entities and their associates.

3. The above penal consequences will continue to apply to erstwhile promoters, directors and persons that were in charge of the management and affairs of the fraudulent entity.

Checklist for existing and incoming investors in an Applicable NBFC

While the Directions have created an intensive framework to prevent, detect, and report frauds, in order to ensure holistic security of the value of their investment, the existing investors and incoming investors in an Applicable NBFC must keep the following points in mind:

(i) Existing investors in an Applicable NBFC

1. Review the Applicable NBFC’s current fraud risk management policies:

   • Request and review the updated Board-approved fraud risk management policy;

   • Ensure it aligns with the present Directions.

2. Assess the Applicable NBFC’s governance structure:

   • Verify the existence of a SCBMF;

   • For Middle and Base Layer NBFCs, check if the company has opted for a CoE;

3. Evaluate the EWS Framework implementation (for Upper and Middle Layer Applicable NBFCs):

   • Confirm the EWS Framework is integrated with core banking or operational systems;

   • Review the effectiveness and robustness of the EWS Framework;

4. Check compliance with new reporting requirements:

   • Ensure the Applicable Applicable NBFC has systems in place to report frauds to RBI within 14 days of classification;

   • Verify the process for reporting to Law Enforcement Agencies (“LEAs”);

5. Review staff accountability measures:

   • Assess the NBFC's policy on examining staff accountability in fraud cases;

   • For public sector Applicable NBFCs, check adherence to CVC Guidelines;

6. Analyze the impact on financial statements:

   • Review any changes in fraud-related disclosures in the financial statements, including the “notes to accounts”;

   • Assess any increase in compliance costs or provisions related to fraud risk management;

7. Monitor fraud trends:

   • Request regular updates on fraud cases, their nature, and amounts involved;

   • Look for any sudden spikes in reported frauds post-implementation of new systems;

8. Recourse to contractual rights:

   Reserved matter consent: 

   • Obtain information on the nature, scope, quantum and purpose of all financial transactions²⁸ being subject to reserved matter consent under the existing shareholders’ agreement of the Applicable NBFC;

   • Look for any glaring concerns in such information before granting consent. 

   Information rights: 

   • Carefully review MIS, quarterly financial statements and operating expenses provided as part of information rights periodically;

   • Check whether there are any expenses that raise eyebrows;

   • In case of suspicion (either basis regular review or otherwise), seek additional documents and information from the Company under the broader information right;

   • Ask for FMR and whistleblower complaint details from time to time. 

   Inspection rights: 

   Conduct inspection of reporting systems, premises and documents of the Company in case any concerns are noted through above.

(ii)  Incoming investors in an Applicable NBFC

1. Due diligence on fraud risk management:

   • Review the Applicable NBFC’s fraud risk management policy and its alignment with the present Directions;

   • Assess the robustness of the Applicable NBFC’s EWS Framework (if applicable);

2. Evaluate historical fraud data:

   • Request and analyze the Applicable NBFC’s fraud history for the past 3-5 years;

   • Look for trends in fraud occurrence, detection, and reporting;

3. Assess compliance readiness:

   • Verify the Applicable NBFC’s readiness to comply with all aspects of the present Directions;

   • Evaluate any gaps in current systems and the Applicable NBFC's plan to address them;

4. Review governance structure:

   • Assess the composition and effectiveness of the SCBMF or CoE;

   • Evaluate the involvement of the Board in fraud risk management;

5. Analyze potential financial impacts:

   • Estimate potential compliance costs related to implementing new systems;

   • Assess any potential impact on profitability or capital adequacy;

6. Evaluate human resources:

   • Assess the expertise of key personnel responsible for fraud risk management;

   • Review training programs for staff on fraud prevention and detection;

7. Legal and regulatory assessment:

   • Review the Applicable NBFC’s history of regulatory compliance with all diktats issued by the RBI;

   • Assess any pending legal cases related to fraud;

8. Technology infrastructure:

   • Evaluate the Applicable NBFC’s technological capabilities to implement robust fraud detection systems;

   • Assess plans for upgrading technology, if needed;

9. Compare with peers:

   • Benchmark the Applicable NBFC’s fraud risk management practices against industry peers;

   • Identify any areas where the Applicable NBFC lags behind or leads the industry;

10. Review whistleblower complaints under financial statements:

    • Assess whether the statutory auditor of the financial statements makes disclosures as set out in the Companies (Auditor’s Report) Order, 2020 (“CARO”);

    • Review CARO disclosures on whistleblower complaints and their quantum;

    • Review previous financial statements (along with “notes to accounts”) to assess frequency and nature of whistleblower complaints. 

Conclusion

The Directions will go a long way towards enhancing the processes for fraud risk management within Applicable NBFCs, which will also benefit existing and incoming investors alike. The emphasis on prompt action and adherence to the regulatory requirements within the Directions not only enhances the operational resilience of these institutions but also fortifies the trust of stakeholders in the fast-growing Indian financial services sector.

 

Authors

Parina Muchhala, Mohammad Kamran and Nishchal Joshipura

You can direct your queries or comments to the relevant member.

---

¹As per the Master Direction – Reserve Bank of India (Non-Banking Financial Company – Scale Based Regulation) Directions, 2023 (“SBR”), the base layer is to consist of: (a) non-deposit taking NBFCs below the asset size of INR 1,000 crore and (b) NBFCs undertaking the following activities - (i) NBFC-Peer to Peer Lending Platform (NBFC-P2P), (ii) NBFC-Account Aggregator (NBFC-AA), (iii) Non Operative Financial Holding Company (NOFHC) and (iv) NBFC not availing public funds and not having any customer interface.

²As per the SBR, the middle layer is to consist of: (a) all deposit taking NBFCs (NBFCs-D), irrespective of asset size, (b) non-deposit taking NBFCs with asset size of INR 1,000 crore and above and (c) NBFCs undertaking the following activities (i) Standalone Primary Dealer (SPD), (ii) Infrastructure Debt Fund-Non-Banking Financial Company (IDF-NBFC), (iii) Core Investment Company (CIC), (iv) Housing Finance Company (HFC) and (v) Non-Banking Financial Company-Infrastructure Finance Company (NBFC-IFC).

³As per the SBR, the upper layer is to consist of such NBFCs which are specifically identified by the RBI (including the top ten eligible NBFCs in terms of their asset size).

⁴Direction 2.1.

⁵Direction 2.2.

⁶Direction 2.3.

⁷Direction 2.3.

⁸Direction 2.7.

⁹See generally, Direction 3.3 and 3.4.

¹⁰See generally, Direction 4.

¹¹Direction 4.1.2.

¹²Direction 3.3.1.

¹³Direction 3.4.2.

¹⁴Direction 4.1.

¹⁵Direction 4.1.4.

¹⁶Direction 5.1.

¹⁷Direction 5.2.

¹⁸Direction 6.1. “Date of classification” refers to the date on which approval from a competent authority is obtained, and a reasoned order is passed, with respect to an incident of fraud.

¹⁹Directions 6.2.2 and 6.2.3.

²⁰ Direction 8.1.

²¹Direction 8.2.

²²Direction 6.3.

²³See generally, Direction 4.3.

²⁴As specified within the Standard Operating Procedure dated September 15, 2021 for making references to ABBFF issued by CVC. 

²⁵Direction 4.3.3.

²⁶See generally, Direction 4.4.

²⁷Direction 4.4.1.

²⁸Such transactions may include (and may not be limited to) related party transactions, borrowings exceeding a specified threshold, creation of any form of pledge / lien / financial guarantee which is not within the ordinary course of business of the Applicable NBFC.