Banking Frauds Risk, Cyber Risk & Operational Risk
Fraud and risk management are critical in banking because banks operate on trust. Any fraud or cyber incident can erode customer confidence and cause financial losses. In recent years, Indian banks have seen a sharp rise in fraud cases – for example, the number of reported online payment frauds quadrupled from about 6,700 in 2022-23 to 29,000 in 2023-24. In terms of value, large loan scams still account for the biggest losses; in FY2024-25 banks lost over ₹36,000 crore to fraud, mostly due to a few high-value loan frauds.
Fraud risk refers to the risk of losses due to deliberate deception (like forgery, theft, or scams), while cyber risk is the risk of losses from cyber-attacks or IT system breaches. Both are subsets of operational risk, which broadly means the risk of loss from failed internal processes, people, systems, or external events. Effective management of these risks is not only important for protecting the bank’s assets but also for maintaining the stability and integrity of the financial system.
Types of Banking Frauds
Banking frauds range from traditional document-based crimes to sophisticated digital scams. Common types include:
Loan Frauds
These involve obtaining loans using forged documents or false information. Fraudsters may falsify financial statements, valuation reports, or identity documents to secure loans they never intend to repay. Large corporate loan frauds often cause major losses. For example, loans may be taken in another person’s name using stolen documents, leaving the victim liable for unpaid debt. Banks counter this through strict due diligence, including KYC verification, credit checks, and early warning monitoring systems.
KYC/Documentation Frauds
KYC frauds occur when accounts are opened using fake or stolen identity documents such as forged PAN cards or Aadhaar IDs. These accounts may be used for illegal activities or left as liabilities for identity theft victims. Banks prevent this through strict KYC norms, document verification with issuing authorities, biometric checks, and digital KYC systems that authenticate customer data against government databases.
Digital Frauds
With the growth of online and mobile banking, digital frauds have become widespread. They usually exploit human behaviour or security gaps. Common forms include:
- Phishing/Smishing: Fake emails or SMS posing as banks or trusted entities to steal login details, card numbers, or OTPs.
- Vishing: Fraudulent phone calls impersonating bank officials or regulators to extract confidential information.
- SIM Swap Fraud: Fraudsters obtain a duplicate SIM card, disabling the victim’s phone and intercepting banking OTPs to access accounts. Sudden loss of mobile signal is a common warning sign.
- Card Skimming/Cloning: Card data and PINs are stolen using skimmers, cameras, or keypad overlays on ATMs or PoS machines, enabling cloned card misuse.
- UPI Frauds: Scams include misleading collect requests, fake QR codes, and fraudulent UPI handles or apps that trick users into transferring money.
Digital frauds rely heavily on social engineering. Customers are advised never to share OTPs, UPI PINs, or CVVs. Banks combat these risks through IT security systems, transaction monitoring, alerts, and public awareness campaigns.
Insider Frauds
Insider frauds involve bank employees misusing their access, such as diverting funds, leaking customer data, or colluding to approve fraudulent loans. Examples include creating fictitious accounts or bypassing controls for bribes. Though rare, these frauds are serious due to insiders’ system knowledge. Banks mitigate them through dual controls, staff rotation, background checks, whistleblower policies, audits, and strong audit trails.
ATM Frauds
ATM frauds can be physical or electronic. Common methods include card skimming, card trapping devices, ATM jackpotting (malware-driven cash dispensing), and theft or vandalism of machines. Preventive measures include anti-skimming devices, CCTV surveillance, alarm systems, and withdrawal limits. Customers should use secure ATMs, shield PIN entry, and report any suspicious devices immediately.
Cybersecurity Framework
Given rising cyber risks, regulators have prescribed frameworks for banks to secure their IT systems and digital channels. The Reserve Bank of India has issued detailed cybersecurity guidelines for Scheduled Commercial Banks. Key elements include:
Board-Approved Cyber Security Policy
Banks must have a dedicated cyber security policy approved by the Board. Separate from the general IT policy, it focuses solely on cyber threats and defenses. The policy defines risk appetite, protection strategy, and roles and responsibilities. Banks also assess inherent cyber risk based on technology usage, products, and threat exposure, and implement controls accordingly.
Security Operations Center (SOC) & Continuous Monitoring
Banks are required to maintain 24×7 surveillance of their networks through a centralized Security Operations Center. The SOC monitors real-time threats such as malware, abnormal traffic, and unauthorized access, and enables rapid response. Regular vulnerability assessments and penetration testing help identify weaknesses before exploitation.
Secure IT Architecture and Configuration
Banks must securely configure all IT assets by disabling default passwords, using strong encryption and firewalls, and applying timely security patches. Critical systems (core banking, payment gateways) should be segregated from public networks, wireless networks secured, and unnecessary services disabled. Robust firewalls and hardened configurations reduce the overall attack surface.
Cyber Crisis Management Plan (CCMP)
Banks must prepare a Cyber Crisis Management Plan to handle incidents despite preventive controls. The CCMP defines procedures for detection, response, containment, recovery, and communication, including regulatory and customer notifications. It covers scenarios such as ransomware, data breaches, DDoS attacks, phishing, and website defacement, and includes drills and simulations. The plan addresses cyber-specific threats like zero-day exploits and advanced persistent threats.
Access Controls and IT Governance
Strong access controls follow the principle of least privilege, ensuring each user has only the access their role requires. Multi-factor authentication is required for administrators and remote access, and user access must be promptly revoked upon role change or exit. Banks adopt IT governance frameworks such as COBIT or ISO 27001, supported by Board-level oversight, IT strategy committees, regular cyber risk reporting, IS audits, and regulatory examinations.
User and Customer Awareness
Human awareness is critical to cybersecurity. Banks conduct regular staff training, including phishing simulations, and provide specialized training for sensitive roles. Customers are educated through alerts and advisories on safe digital practices such as verifying URLs, not sharing OTPs or PINs, and keeping apps updated. An informed customer base strengthens overall cyber defense.
Regulatory Reporting and Systemic Resilience
Banks must promptly report major cyber incidents to the regulator within prescribed timelines. This enables early warnings across the banking system and helps mitigate systemic risk.
Tokenization in Digital Payments
With the rapid growth of digital payments, protecting card data has become critical. Tokenization is a key security measure that replaces sensitive card details with a surrogate value called a token. As defined by the Reserve Bank of India, tokenization is the replacement of actual card details with a unique token linked to a specific card, merchant (token requester), and device. Instead of storing the 16-digit card number, expiry date, and CVV, merchants store a random token, while the real card data remains securely with the issuing bank or card network and is never exposed during transactions.
Use in Digital Card Payments
When a customer chooses to save a card for online payments, the merchant or payment gateway requests tokenization through card networks such as Visa or Mastercard. After customer consent and authentication (usually via OTP), a token is issued and mapped to the actual card. For future transactions, only the token is used. Since the token works only for a specific merchant or device, even a data breach cannot reveal real card details. Tokenization is also used in mobile wallets and contactless payments, where device-specific tokens are created.
RBI’s 2021 Tokenization Guidelines
In 2021, RBI mandated tokenization to reduce risks from merchants storing card data for one-click payments. RBI directed that from 1 January 2022, no entity other than card issuers or networks may store customer card details. Previously stored card data had to be deleted. Merchants and payment gateways were required to implement Card-on-File Tokenization for saved or recurring payments.
Only limited information (such as last four digits and card issuer name) may be retained; full card number and CVV storage is prohibited. Customer consent with additional authentication is mandatory for tokenization.
Due to ecosystem readiness issues, RBI extended timelines and fully enforced tokenization from October 2022. Around this time, users were asked to re-enter card details and approve tokenization. Tokenization remains optional for customers, but it is strongly encouraged and provided free of cost.
Benefits
Tokenization significantly reduces the risk of large-scale card data breaches, as stolen tokens are unusable outside their intended context. It enhances customer confidence in online shopping and reduces merchants’ liability from handling sensitive card data.
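The mechanism described in this section, as an added example that is not part of the original text and not RBI's or any card network's code: a toy issuer-side token vault that binds each token to a card, merchant and device, refuses to resolve it from any other context, and shows the limited card-on-file data a merchant may keep. The class and function names, the 16-digit token format and the sample PAN are assumptions.

```python
import secrets
from dataclasses import dataclass

# Toy issuer/network-side token vault (added illustration, not RBI's or a network's code).
# Field names and the 16-digit random token format are assumptions.

@dataclass(frozen=True)
class TokenRecord:
    pan: str          # actual card number, held only inside the vault
    expiry: str
    merchant_id: str  # token requester the token is bound to
    device_id: str    # device the token is bound to

class TokenVault:
    def __init__(self):
        self._records = {}

    def issue_token(self, pan, expiry, merchant_id, device_id, consent_verified):
        """Issue a token only after customer consent plus additional authentication (e.g. OTP)."""
        if not consent_verified:
            raise PermissionError("tokenization requires explicit, authenticated consent")
        # Random digits, not derived from the PAN, so the token reveals nothing about the card.
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self._records[token] = TokenRecord(pan, expiry, merchant_id, device_id)
        return token

    def detokenize(self, token, merchant_id, device_id):
        """Resolve a token to the PAN only from the merchant/device it was issued to."""
        rec = self._records.get(token)
        if rec is None or (rec.merchant_id, rec.device_id) != (merchant_id, device_id):
            return None  # a token stolen from merchant A is useless at merchant B
        return rec.pan

def merchant_card_on_file(pan, issuer_name, token):
    """What the merchant may retain under the RBI card-on-file rule: token, last four, issuer."""
    return {"token": token, "last4": pan[-4:], "issuer": issuer_name}

def pay_with_saved_card(vault, card_on_file, merchant_id, device_id):
    """Merchant sends only the token; authorisation succeeds only in the bound context."""
    return vault.detokenize(card_on_file["token"], merchant_id, device_id) is not None

# Constructed sample: a well-known test PAN, not a real card.
SAMPLE_PAN, SAMPLE_ISSUER = "4111111111111111", "Example Bank"
```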
Deepfakes – The New-Age Impersonation Fraud
Deepfakes are highly realistic fake audio or video generated using artificial intelligence to impersonate real people. In financial fraud, they enable advanced impersonation scams.
Fraudsters can create fake video or voice calls that appear to be from senior executives, bank officials, or customers. For example, a deepfake video of a bank CEO may instruct staff to urgently transfer funds, or criminals may use deepfake videos to bypass video-KYC by posing as another individual. Such accounts can later be used for money laundering or further fraud.
Deepfake audio has also been used internationally to trick employees into transferring funds. Unlike basic phishing, deepfakes exploit visual and voice trust, making them harder to detect and more dangerous as social-engineering tools.
Red Flags and Responses
Indicators of deepfakes include minor lip-sync errors, unnatural facial expressions, abnormal eye movements, or emotionless voices. Typical fraud red flags—unsolicited contact, urgency, secrecy, or sudden requests for money—often accompany deepfake scams.
Banks are responding by training KYC staff to spot anomalies, using liveness checks (random actions during video calls), and deploying tools that detect manipulated media. Customers are advised to independently verify any video or voice request for financial action through official channels. Banks warn that they will never request fund transfers via video calls or social media.
Mule Accounts – The Money Laundering Workhorse
A money mule is a person who knowingly or unknowingly allows their bank account to be used for transferring illegal funds. Mule accounts help criminals launder proceeds of cybercrime by obscuring the money trail through multiple transfers.
In India, mule accounts have surged with online scams. Fraudsters recruit mules through fake job offers, easy-money schemes, or by targeting students and unemployed individuals. Some mules use forged documents to open accounts, while others unknowingly surrender access believing they are part of legitimate work. Funds are rapidly moved through multiple mule accounts before being withdrawn or converted to crypto, making tracing difficult.
Scale of the Problem
In mid-2025, investigations by the Central Bureau of Investigation uncovered around 8.5 lakh (850,000) mule accounts across Indian banks linked to cyber-fraud syndicates. Many accounts were opened using forged KYC documents or without the account holder’s knowledge. Lapses in due diligence and failure to report suspicious activity were also noted.
Red Flags for Mule Accounts
Banks monitor for patterns such as:
- Sudden large inflows and quick outflows (“pass-through” activity).
- Transaction volumes inconsistent with customer profile (e.g., student accounts handling crores).
- Multiple accounts linked to the same phone number or address.
- Accounts opened via agents or in distant/remote branches.
- Vague, inconsistent, or confused explanations from customers when queried.
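The red flags above, turned into monitoring logic over constructed account and transaction records (an added example, not a bank's or RBI's detection system). The thresholds, the profile table and the account/transaction layout are assumptions; a real deployment would take them from the bank's own customer due diligence model.

```python
from collections import defaultdict

# Added illustration of the red flags listed above (not a bank's or RBI's code).
# Thresholds are hypothetical; a bank derives them from its own CDD/profile model.
PROFILE_INFLOW_LIMIT = {"student": 50_000, "salaried": 500_000, "business": 5_000_000}

def pass_through(txns, window_days=1, ratio=0.9, min_inflow=100_000):
    """txns: list of (day, amount), credits positive, debits negative.
    True when large inflows leave again within window_days (the 'pass-through' pattern)."""
    credits = [(d, a) for d, a in txns if a > 0]
    inflow = sum(a for _, a in credits)
    if inflow < min_inflow:
        return False
    quick_out = sum(-a for d, a in txns if a < 0
                    and any(0 <= d - cd <= window_days for cd, _ in credits))
    return min(quick_out, inflow) >= ratio * inflow

def mule_red_flags(accounts, txns):
    """accounts: {acct: {"profile", "phone", "via_agent"}}; txns: {acct: [(day, amount), ...]}.
    Returns {acct: [flag, ...]} for every account tripping at least one red flag."""
    phone_count = defaultdict(int)
    for acc in accounts.values():
        phone_count[acc["phone"]] += 1
    flags = {}
    for acct, acc in accounts.items():
        ts = txns.get(acct, [])
        hits = []
        if pass_through(ts):
            hits.append("pass_through")            # sudden large inflow, quick outflow
        if sum(a for _, a in ts if a > 0) > PROFILE_INFLOW_LIMIT[acc["profile"]]:
            hits.append("volume_vs_profile")       # e.g. student account handling lakhs
        if phone_count[acc["phone"]] > 1:
            hits.append("shared_phone")            # several accounts on one phone number
        if acc["via_agent"]:
            hits.append("agent_onboarding")        # opened via agent / distant branch
        if hits:
            flags[acct] = hits
    return flags

# Constructed sample: AC-1 is a student account receiving 12 lakh and draining it within a
# day, on a phone number shared with AC-2; AC-3 is an ordinary salaried account.
SAMPLE_ACCOUNTS = {
    "AC-1": {"profile": "student", "phone": "+91-9000000001", "via_agent": True},
    "AC-2": {"profile": "business", "phone": "+91-9000000001", "via_agent": False},
    "AC-3": {"profile": "salaried", "phone": "+91-9000000002", "via_agent": False},
}
SAMPLE_TXNS = {
    "AC-1": [(1, 600_000), (1, -580_000), (3, 600_000), (4, -590_000)],
    "AC-3": [(1, 80_000), (5, -20_000), (20, -10_000)],
}
```

Running `mule_red_flags(SAMPLE_ACCOUNTS, SAMPLE_TXNS)` flags AC-1 on all four patterns and AC-2 only for the shared phone number, while AC-3 is left alone; the flagged accounts would then go to an analyst, not be frozen automatically.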
Bank Responses
Banks are strengthening Customer Due Diligence (CDD), improving KYC checks, and closely monitoring high-risk accounts. AI-based transaction monitoring systems detect mule-like patterns in real time. Suspicious accounts may be frozen pending investigation. Banks also share intelligence through regulators and agencies.
Under Reserve Bank of India regulations, banks must file Suspicious Transaction Reports (STRs) with the Financial Intelligence Unit for suspected mule or laundering activity. Failure to file STRs is a compliance violation. Following recent cases, banks are pushing for faster freezing powers and stronger coordination with law-enforcement agencies.
Customers are warned never to share account details or allow others to use their accounts. Offers of money for “using your bank account” are clear red flags and can lead to criminal liability.
Grievance Redressal – Integrated Ombudsman Scheme (2021)
Despite preventive measures, banking frauds and service deficiencies occur. To provide a fast, free, and uniform grievance redressal mechanism, the Reserve Bank of India launched the Integrated Ombudsman Scheme (RB-IOS), 2021 in November 2021.
What is the RBI Integrated Ombudsman Scheme (RB-IOS), 2021?
RB-IOS is an RBI-run system for resolving customer complaints against RBI-regulated entities in a speedy, cost-free, and jurisdiction-neutral manner. It merged three earlier schemes:
- Banking Ombudsman
- NBFC Ombudsman
- Digital Transactions Ombudsman
The scheme follows the principle of “One Nation, One Ombudsman”, providing a single platform, uniform rules, and no territorial limits. The Ombudsman examines whether there is a deficiency in service and facilitates fair resolution.
Coverage
RB-IOS covers:
- All Commercial Banks (Public, Private, Foreign, RRBs)
- Scheduled Primary Urban Cooperative Banks (deposit size ≥ ₹50 crore)
- RBI-regulated NBFCs
- Payment System Participants (digital wallets, card payment entities)
- Credit Information Companies (credit bureaus)
The coverage is broader than earlier schemes, bringing more entities under consumer protection.
When Can a Customer Approach the Ombudsman?
- The customer must first approach the concerned bank/NBFC.
- If the complaint is rejected or not resolved satisfactorily within 30 days, it can be escalated to the Ombudsman.
- Complaints must be filed within one year of the bank’s final response or the cause of action (after the 30-day waiting period).
The scope is broad: any deficiency in service, including wrong charges, delays, mis-selling, harassment, non-compliance with RBI directions, and mishandling of unauthorized electronic transactions or frauds. Unlike earlier schemes, grounds are not restricted to a fixed list. The process is completely free, with no requirement for lawyers.
How to File a Complaint under RB-IOS 2021
- Online (Primary Mode): Complaint Management System (CMS) portal – rbi.org.in (24×7 access, document upload, complaint tracking).
- Email / Physical Mode: Complaints can be sent to the Centralised Receipt and Processing Centre (CRPC), Chandigarh, which digitizes and routes them through CMS.
- Helpline: RBI Contact Centre 14448 (multi-language support for guidance and status queries).
Customers no longer need to identify the correct ombudsman office; routing is automatic.
What Happens After Filing?
- Maintainability Check: Ensures eligibility (time limit, prior approach to bank, not sub-judice, etc.).
- Conciliation/Mediation: Ombudsman facilitates settlement between customer and bank.
- Award: If settlement fails, the Ombudsman may issue a formal award directing corrective action or compensation. Awards are binding on the bank if accepted by the customer.
Escalation – Appeal
- If dissatisfied, the complainant (or bank, in some cases) may appeal within 30 days.
- Appeals lie with the Appellate Authority in RBI (currently the Deputy Governor in charge of consumer protection).
- Appeals are filed via the CMS portal or designated email.
- The Appellate Authority may uphold, modify, or overturn the Ombudsman’s decision.
The RBI Integrated Ombudsman Scheme, 2021 is a cornerstone of consumer protection in India’s financial system. By integrating multiple ombudsman schemes into a single, technology-enabled platform, it simplifies grievance redressal and strengthens customer confidence.
