Fraud Risk Management Obligations Of NBFCs: Recent Changes Introduced By The RBI
Pursuant to the Master Directions on Fraud Risk Management in Non-Banking Financial Companies dated July 15, 2024 (“Directions”), the Reserve Bank of India (“RBI”) recently amended and consolidated the fraud risk management and reporting obligations of non-banking finance companies (“NBFCs”) (including housing finance companies). The Directions are applicable to NBFCs in the upper, middle, and base layer (with an asset size of INR 5 billion and above, as per the audited balance sheet as on March 31 of the immediately preceding financial year) (“Applicable NBFCs”). Such layers relate to the existing scale-based regulatory framework for regulating NBFCs (“SBR Framework”) based on their size, activity, and perceived risk. The Directions superseded the Master Direction - Monitoring of Frauds in NBFCs (Reserve Bank) Directions, 2016 (“2016 Master Direction”) and repealed three previous circulars dated June 6, 2022, July 1, 2022, and October 3, 2022, respectively.
By introducing a new comprehensive regime for Applicable NBFCs pursuant to the Directions, the RBI’s aim is to ensure the prevention, early detection, and timely reporting of fraud. Several significant and focused changes have been introduced which will require Applicable NBFCs to revamp their existing policies, governance and board structures.
SIGNIFICANT ADDITION TO FRAUD RISK MANAGEMENT
Inspired by the 2023 judgement of the Supreme Court of India in State Bank of India v. Rajesh Agarwal, an appeal which stemmed from challenges to the Master Directions on Frauds, the RBI has now mandated the observance of principles of natural justice before any entity/person is classified as fraudulent. In particular, the Supreme Court had held that for the purpose of preventing arbitrariness, the rule of audi alteram partem (i.e., each party is entitled to a fair hearing and must be given an opportunity to respond to evidence against them) must be read into regulatory directions on fraud.
PREVENTION
Governance Structure
The Directions require Applicable NBFCs to set up an appropriate organizational structure for institutionalizing fraud risk management within their overall risk management functions and/or departments.
Applicable NBFCs are also required to put in place a transparent mechanism to ensure that whistleblower complaints on possible fraud cases and/or suspicious activities are examined and concluded appropriately under their respective whistleblower policies.
Board-approved policy
Each Applicable NBFC needs to put in place a policy on fraud risk management (“Policy”), which must be approved and reviewed by its board of directors at least once in three years, or more frequently if prescribed by the board. Among other things, the Policy should: (i) outline the roles and responsibilities of the Applicable NBFC’s board/board committees and senior management; (ii) incorporate measures for ensuring compliance with principles of natural justice in a time-bound manner; and (iii) contain measures towards prevention, early detection, investigation, staff accountability and monitoring, as well as with respect to the recovery, analysis and reporting of fraud.
Further, the Policy should, at a minimum, provide for the issuance of a detailed show cause notice (“SCN”) to those persons (including third-party service providers and professionals), entities and their promoters/whole-time and executive directors against whom an allegation of fraud is being examined. The accused persons/entities must be given at least 21 days to respond to the SCN, and their responses/submissions should be examined by the Applicable NBFC pursuant to a well-established system before declaring them as fraudulent. A reasoned order conveying such decision is also required to be served upon the persons/entities concerned, including the facts and circumstances relied upon.
Special board committee for monitoring and follow-up of fraud cases or committee of the executives
Applicable NBFCs must constitute a special board committee for the monitoring and follow-up of fraud cases (“SCBMF”). An SCBMF must be headed by an independent director and consist of at least three board members comprising the chief executive officer (or the managing director where the chief executive officer is not a whole-time director) and two independent directors.
Pursuant to the SBR Framework, Applicable NBFCs which are categorized in the middle or base layer will have the option of constituting a Committee of the Executives (“CoE”) with a minimum of three members, at least one of whom must be a whole-time director or an official of equivalent rank, for the purpose of performing the required roles and responsibilities of SCBMFs.
The SCBMF/CoE of each Applicable NBFC will be responsible for overseeing the effectiveness of fraud risk management. In this regard, the SCBMF/CoE should also conduct root cause analysis and suggest mitigation measures for strengthening the internal controls and risk management framework of the Applicable NBFC, as well as minimize the incidence of frauds.
EARLY DETECTION
Framework for early warning signals
The Directions require Applicable NBFCs in the upper and middle layers to have a framework for Early Warning Signals (“EWS”) under their overall Policy. The EWS framework must be overseen by a board-level committee (e.g., dealing with risk management or a similar function). Appropriate early warning indicators for monitoring credit facilities/loan accounts and other financial transactions should be identified and periodically reviewed for effectiveness.
In addition, the EWS framework should provide for: (i) a robust early warning system which is integrated with the core banking solution or other operational system(s) of the Applicable NBFC; (ii) the timely initiation of remedial actions based on triggers and alerts; and (iii) a periodic review of credit sanction and monitoring processes, as well as internal controls and systems.
Audit of suspicious accounts
In case of suspicion/indication of wrongful or fraudulent activity in a credit facility/loan account, an Applicable NBFC must refer the matter to an external or internal auditor for investigation, as stipulated in its Policy. In this regard, Applicable NBFCs should also frame a policy with respect to the engagement of external auditors, including on aspects such as due diligence, as well as the competency and track record of such auditors. Further, Applicable NBFCs are required to incorporate clauses in loan agreements to provide for the conduct of such audits at the behest of the lender.
In case an account is identified as fraudulent by an Applicable NBFC, the borrowing accounts of other group companies – in which one or more promoter(s)/whole-time director(s) are common – will also be subjected to examination by such Applicable NBFC under the Directions.
Unlike the 2016 Master Direction, in addition to their customers, staff and employees, Applicable NBFCs can also investigate third-party service providers and professionals (e.g., valuers, chartered accountants, advocates) for fraud. Applicable NBFCs may incorporate appropriate clauses in contracts with third-party entities to hold such service providers accountable if their negligence or malpractice is found to be a causative factor for fraud. However, the Directions do not provide clarity on how such service providers will be penalized under the Directions.
REPORTING AND PENALTIES
Applicable NBFCs (excluding housing finance companies) need to report all instances of fraud to the RBI through fraud monitoring returns within 14 days of classifying an incident or account as fraudulent. Housing finance companies must report incidents of fraud to the National Housing Bank (“NHB”) in the manner prescribed by the NHB. All attempted and successful instances of theft, burglary, dacoity, and robbery must be reported to the Fraud Monitoring Group of the RBI within seven days of occurrence.
Applicable NBFCs must also report all incidents of fraud immediately to appropriate law enforcement agencies through a nodal point or designated officer (of such Applicable NBFC). Overseas branches of Indian Applicable NBFCs must report incidents of fraud to local law enforcement agencies of the applicable host country. Applicable NBFCs are also required to separately report on fraud perpetrated in their group companies to the RBI, if such entities are not regulated/supervised by an appropriate authority in the financial sector. Further, parent NBFCs must report incidents of fraud in their overseas financial group entities to the RBI.
In addition, Applicable NBFCs are required to disclose the amount related to fraud reported in a financial year in their financial statements as notes to accounts.
Penalties
Previously, under the 2016 Master Direction, Applicable NBFCs were required to report specified thresholds of fraud to the RBI or other prescribed entities, failing which such Applicable NBFCs could face penal action. The Directions now specify penal measures for the persons/entities that are classified and reported as fraudulent by Applicable NBFCs, including specified categories of entities and persons that are ‘associated’ (as defined in the Directions) with such entities, where such fraudulent persons/entities will be debarred from raising funds and/or seeking additional credit facilities from all RBI-regulated financial entities for a period of five years from the date of full repayment of the defrauded/settlement amount.
The following checklist provides a snapshot of requirements under the Directions, as applicable to layer-specific Applicable NBFCs:
CONCLUDING REMARKS
Over the years, the RBI has made consistent efforts towards regulating fraud risk management in NBFCs, including through informal communication and guidance. However, the absence of, and the need for, a set of stringent, comprehensive, and clear regulations to curb growing instances of fraud had persisted. With the aim of filling this gap, and to overcome lacunae in the 2016 Master Direction, the RBI has now introduced the Directions to provide a robust framework for not only reporting incidents of fraud but also for detecting and preventing such incidents.
Through the Directions, the RBI has increased the regulatory pressure on Applicable NBFCs, including by requiring them to conduct a detailed review of their operations and management. If the Directions are implemented effectively, the long-term benefits can surpass the short-term costs incurred by Applicable NBFCs. Proper compliance with the enhanced requirements under the Directions may reduce the likelihood of the RBI penalizing NBFCs on account of the lack of adequate measures taken to curb fraud.
In addition, the requirement of adhering to principles of natural justice before classifying an entity/person as fraudulent, as now applicable to Applicable NBFCs under the Directions, is likely to reduce the reputational loss and financial challenges faced by persons/entities on account of improper classifications of fraud. Further, the introduction of penal measures may itself serve as a strong deterrent for potentially fraudulent persons/entities, thereby saving Applicable NBFCs from financial and reputational losses which might have occurred as a result of such fraudulent activities.