RBI Penalty 29th Aug 2025: Bandhan Bank Limited

The Reserve Bank of India (RBI) imposed a monetary penalty of ₹44.70 lakh on Bandhan Bank Limited for deficiencies found during a statutory inspection. The inspection was conducted based on the bank’s financial position as of March 31, 2024. The penalty was imposed for violating Section 10(1)(b)(ii) of the Banking Regulation Act, 1949, and for not complying with RBI directions on the ‘Automation of Income Recognition, Asset Classification and Provisioning processes in banks.’


Key Details

  • Entity Penalized: Bandhan Bank Limited
  • Penalty Amount: ₹44.70 lakh (Rupees Forty-Four Lakh and Seventy Thousand only)
  • Date of Order: August 26, 2025
  • Contraventions:
    • Payment of remuneration to certain employees in the form of commission.
    • Carrying out manual intervention in the data of certain accounts through back-end processes.
    • Failure to capture audit trails/logs of access with specific user details in the system.
  • Regulatory Basis: The penalty was imposed using the powers vested in the RBI under Section 47A(1)(c) read with Section 46(4) of the Banking Regulation (BR) Act.

Root Cause Analysis (RCA) 🔍

The underlying cause of the penalty appears to be a breakdown in the bank’s internal controls and compliance framework, specifically relating to its human resources and IT systems.

  • Employee Remuneration: The bank’s policy of paying commission to certain employees violated regulations, suggesting a lack of oversight or a deliberate deviation from established norms. This could be due to a failure to update internal policies to align with regulatory requirements or inadequate training and communication to staff regarding permissible forms of remuneration.
  • Data Integrity and Audit Trails: The finding of manual intervention in account data without capturing audit trails indicates significant issues with the bank’s IT security and data governance. This could be caused by several factors:
    • Inadequate System Controls: The bank’s system likely lacked robust controls to prevent unauthorized manual data changes or to automatically log all user actions.
    • Weak Access Management: Employees may have had excessive access privileges, allowing them to manipulate data without proper authorization.
    • Poor Compliance Culture: A lack of emphasis on adherence to regulatory guidelines could have led to employees circumventing automated processes for operational expediency, without regard for the compliance risks.

Preventive Controls ✨

To prevent similar violations, banks should implement a multi-layered control framework.

  • Strengthen Internal Audit and Compliance: Banks should establish a strong internal audit function to regularly monitor adherence to regulatory norms. Regular internal control assessments can help proactively identify gaps before they lead to penalties.
  • Enhance IT Governance and Security: Implement strict IT policies that prohibit manual interventions in core banking systems without a proper, documented workflow. It’s crucial to deploy systems that ensure audit trails/logs of access are captured automatically with specific user details to maintain data integrity and accountability.
  • Review and Update Policies: Banks must continuously review and update their internal policies, especially those related to remuneration and operational procedures, to ensure they are in alignment with the latest RBI guidelines. For example, policies on employee compensation must comply with the Banking Regulation Act.
  • Role-Based Access Controls: Apply the principle of least privilege, under which employees are given access only to the data and functions necessary for their job roles. This prevents unauthorized data manipulation and reduces the risk of back-end interventions.
  • Employee Training and Awareness: Regular and comprehensive training programs are essential to educate all employees on RBI regulations, internal policies, and the importance of a strong compliance culture.

Lessons Learned 💡

The penalties imposed on Bandhan Bank offer important lessons for all regulated financial entities.

  • Regulatory Compliance is Non-Negotiable: The RBI is committed to enforcing regulatory discipline and integrity in the financial sector. Banks must prioritize compliance with all directions, even those that may seem technical, as failure to do so can result in significant penalties.
  • Technology Must Be Aligned with Compliance: Relying on technology for processes like income recognition and asset classification is not enough; the technology must have robust controls that prevent unauthorized manual overrides and maintain a complete record of all actions. The lack of proper audit trails was a key charge against Bandhan Bank, highlighting the need for systems that ensure full transparency and accountability.
  • Proactive vs. Reactive Approach: A key lesson is that banks should adopt a proactive risk mastery approach rather than a reactive one. Instead of waiting for an audit to find a deficiency, they should continuously monitor their compliance posture and address potential issues as they arise.
  • Internal Controls and Culture Matter: The root causes of the penalty—unauthorized remuneration and manual data interventions—point to a need for strong internal controls and a culture where compliance is integrated into every aspect of the organization’s operations.

RBI Press Release
