1. Bank of Baroda
Key Details
- Penalty Amount: ₹63.60 Lakh
- Date of Order: June 30, 2026
- Violations: ‘Fair Practices Code for Lenders’ and ‘Know Your Customer (KYC)’.
- Specific Lapses: Collected interest higher than the contracted rate in certain loan accounts; failed to upload KYC records of certain customers onto the Central KYC Records Registry (CKYCR) within the prescribed timeline.
Root Cause Analysis (RCA)
The interest rate discrepancy indicates a configuration error or lack of dynamic synchronization in the Core Banking System (CBS) regarding loan product pricing parameters. The KYC lapse points to either manual bottlenecks in the CKYCR upload process or API integration failures between the bank’s onboarding systems and the central registry.
Preventive Controls
- Implement automated Maker-Checker workflows for interest rate configurations in the CBS to prevent manual entry errors.
- Establish automated, daily batch-processing APIs for CKYCR uploads with real-time error logging and exception alerts for failed uploads.
Lessons Learnt
Relying on manual processes for high-volume tasks like KYC uploads and interest rate applications is a significant compliance risk. Automation combined with daily reconciliation is essential to maintain regulatory adherence at scale.
RBI Press Release
2. The Citizens Urban Cooperative Bank Ltd., Jalandhar
Key Details
- Penalty Amount: ₹5 Lakh
- Date of Order: June 25, 2026
- Violations: ‘Exposure Norms and Statutory / Other Restrictions’ and ‘Comprehensive Cyber Security Framework for Primary (Urban) Cooperative Banks’.
- Specific Lapses: Sanctioned loans beyond the prescribed regulatory limit to nominal members; failed to implement Two-Factor Authentication (2FA) for accessing the Core Banking Solution.
Root Cause Analysis (RCA)
The exposure limit breach highlights a lack of hard-coded parameterization in the CBS to block credit sanctions to nominal members automatically. The cyber security lapse indicates inadequate IT governance and budgeting that did not prioritize foundational security controls like 2FA.
Preventive Controls
- Configure hard stops in the loan origination system to automatically reject applications that breach exposure limits for nominal members.
- Mandate and deploy biometric or OTP-based 2FA for all internal employee access to the CBS and critical IT infrastructure.
Lessons Learnt
Basic cybersecurity measures such as 2FA are non-negotiable regulatory expectations. Furthermore, exposure limits must be enforced by system algorithms, not just by credit committee policies.
3. GIC Housing Finance Limited
Key Details
- Penalty Amount: ₹3.10 Lakh
- Date of Order: June 24, 2026
- Violations: RBI (Know Your Customer (KYC)) Directions.
- Specific Lapses: Failed to implement a system for the periodic review of risk categorisation of accounts (required at least once every six months).
Root Cause Analysis (RCA)
Absence of an automated scheduling engine within the institution’s AML/KYC framework. The institution likely relied on manual trackers or ad-hoc reviews, which failed to meet the strict six-month regulatory timeline for dynamic risk profiling.
Preventive Controls
- Deploy an automated AML/KYC alert system that tracks account vintage and dynamically triggers a mandatory risk categorization review every 6 months.
- Implement management dashboards that highlight pending risk reviews 30 days prior to the regulatory deadline.
Lessons Learnt
KYC compliance is a continuous process, not a one-time onboarding task. Continuous risk assessment requires robust, system-driven scheduling tools.
4. Sri Bharathi Co-operative Urban Bank Limited, Hyderabad
Key Details
- Penalty Amount: ₹1.50 Lakh
- Date of Order: June 25, 2026
- Violations: ‘Loans and advances to directors, their relatives, and firms/concerns’ and ‘Small Value Loans – Primary (Urban) Co-operative Banks’.
- Specific Lapses: Sanctioned director-related loans; failed to ensure that small value loans comprised at least 40% of its aggregate loans and advances.
Root Cause Analysis (RCA)
The director-related loans indicate a severe breakdown in corporate governance and conflict-of-interest policies. The failure to meet the 40% small value loan mandate points to a lack of active portfolio-level monitoring and strategic credit planning.
Preventive Controls
- Integrate the PAN and identification details of directors and their relatives into the CBS blocklist to auto-reject related loan applications.
- Develop real-time portfolio composition dashboards that restrict large ticket loans if the small-value loan ratio drops near the 40% threshold.
Lessons Learnt
Governance hygiene regarding insider lending is strictly monitored by the RBI. UCBs must proactively steer their credit portfolios to align with regulatory sector targets rather than monitoring them retrospectively.
5. The N.E. & E.C. Railway Employees’ Multi-State Primary Co-operative Bank Ltd, Gorakhpur
Key Details
- Penalty Amount: ₹1.05 Lakh
- Date of Order: June 30, 2026
- Violations: Section 26A of BR Act (DEA Fund) and ‘Membership of Credit Information Companies (CICs)’.
- Specific Lapses: Failed to transfer eligible unclaimed amounts to the Depositor Education and Awareness (DEA) Fund; failed to obtain membership of two CICs and submit credit information to all four CICs.
Root Cause Analysis (RCA)
Operational oversight in identifying accounts inactive for 10 years, and delays in statutory sweeps to the DEA Fund. Lack of awareness or administrative lethargy regarding mandatory onboarding and data sharing with multiple credit bureaus.
Preventive Controls
- Create an automated, end-of-month script in the CBS that identifies 10-year dormant accounts and automatically sweeps the funds to the DEA pool.
- Establish a centralized compliance calendar and mandate API integrations with all four CICs for monthly borrower data submission.
Lessons Learnt
Safeguarding unclaimed deposits and participating thoroughly in the national credit information ecosystem are critical statutory obligations, not optional industry best practices.
6. The Chikmagalur District Co-operative Central Bank Ltd., Karnataka
Key Details
- Penalty Amount: ₹1 Lakh
- Date of Order: June 25, 2026
- Violations: Section 20 read with Section 56 of the Banking Regulation Act, 1949.
- Specific Lapses: Sanctioned director-related loans.
Root Cause Analysis (RCA)
Similar to Sri Bharathi UCB, this points to a failure in borrower screening and inadequate “Declaration of Relationship” disclosures during the loan application stage, leading to a direct violation of statutory provisions against insider lending.
Preventive Controls
- Digitize the “Declaration of Relationship” process, making it a mandatory field before any loan file moves to the sanctioning authority.
- Conduct independent audits of all loan files exceeding a certain threshold to verify the absence of director connections.
Lessons Learnt
Section 20 of the BR Act is strictly enforced. Cooperative banks must ensure absolute separation between their board of directors and the credit sanctioning process to maintain institutional integrity.
7. Nirmal Urban Co-operative Bank Ltd., Nagpur
Key Details
- Penalty Amount: ₹1 Lakh
- Date of Order: June 30, 2026
- Violations: Operational instructions under ‘Supervisory Action Framework (SAF)’ and exposure limit directions.
- Specific Lapses: Failed to reduce single borrower exposure limits for fresh loans by 50% under SAF; offered interest rates on deposits higher than SBI under SAF restrictions.
Root Cause Analysis (RCA)
The bank failed to translate the restrictive conditions of the Supervisory Action Framework (SAF) into immediate system-level parameters. Internal communication of SAF rules was likely limited to policy memos rather than hard-coded CBS constraints.
Preventive Controls
- Implement dynamic rule engines in the CBS that automatically cap deposit rates at the SBI benchmark the moment SAF is triggered.
- Apply immediate system blocks to halve single-borrower exposure limits for all new credit originations when operating under SAF.
Lessons Learnt
When RBI places a bank under SAF, the imposed restrictions require instantaneous IT system reconfiguration. Procedural memos alone are insufficient to guarantee compliance.
8. Dharmavir Sambhaji Urban Cooperative Bank Ltd., Pune
Key Details
- Penalty Amount: ₹10,000
- Date of Order: June 29, 2026
- Violations: ‘Know Your Customer (KYC)’ Directions.
- Specific Lapses: Failed to upload the KYC records of customers onto the Central KYC Records Registry (CKYCR) within the prescribed timeline.
Root Cause Analysis (RCA)
A dependency on manual data entry for uploading records to the CKYCR portal, which likely failed due to operational bottlenecks, staff attrition, or simple administrative negligence.
Preventive Controls
- Transition from manual portal uploads to an automated SFTP/API batch process that securely transmits new account KYC data to CKYCR at the end of each business day.
- Implement daily compliance checks to reconcile accounts opened against successful CKYCR uploads.
Lessons Learnt
Even minor administrative delays in data reporting attract strict regulatory scrutiny. Automating routine compliance tasks is the most effective way to eliminate human error.