Fraud Reporting Obligations for Fintech in India

FRAUD REPORTING OBLIGATIONS FOR FINTECH COMPANIES IN INDIA

1. Regulatory Framework Governing Fintech Fraud Reporting

Fintech entities in India (payment aggregators, wallets, lending apps, NBFC-fintech partnerships, UPI apps, etc.) are governed primarily by:

  • Reserve Bank of India Act, 1934
  • Payment and Settlement Systems Act, 2007
  • Prevention of Money Laundering Act, 2002 (PMLA)
  • Information Technology Act, 2000
  • RBI Master Directions on Fraud Classification & Reporting (updated periodically)
  • KYC Master Directions, 2016
  • Cyber security framework for banks & fintechs

Even though “fintech” is not separately defined in law, entities operating financial services through digital means fall under RBI-regulated categories such as:

  • Banks
  • NBFCs
  • Payment Aggregators
  • Prepaid Payment Instrument (PPI) issuers
  • Lending Service Providers (LSPs)

2. Core Fraud Reporting Obligations

(A) Immediate Fraud Reporting to RBI

When fraud is detected:

  • Must be reported to RBI within 14 days of classification
  • Filed using Fraud Monitoring Return (FMR)
  • Includes details of:
    • Nature of fraud
    • Amount involved
    • Modus operandi
    • Parties involved
    • Internal control failure

👉 RBI requires reporting of even attempted frauds.

📌 Source principle: RBI mandates strict timelines and accountability for delays

(B) Reporting to Law Enforcement Agencies

Fintech companies must also report frauds to:

  • Cyber Crime Cells
  • Local Police (FIR under IPC/BNS)
  • Enforcement Directorate (if money laundering involved)

(C) Reporting under PMLA (FIU-IND Reporting)

Fintech companies classified as “reporting entities” must submit:

  • Suspicious Transaction Reports (STR)
  • Cash Transaction Reports (CTR)

to Financial Intelligence Unit – India (FIU-IND).

Failure to report can result in:

  • Criminal liability
  • Heavy monetary penalties

(D) Internal Governance Obligations

RBI requires fintech firms to:

  • Fix staff accountability for delays
  • Maintain fraud registers
  • Conduct root cause analysis
  • Strengthen Internal Control Systems (ICS)
  • Report frauds to Board of Directors

(E) Disclosure Requirements

  • Fraud amounts must be disclosed in financial statements
  • Audit committee review is mandatory

(F) Data Sharing & Central Repository Reporting

Fraud data is also shared with:

  • Central Fraud Registry
  • NPCI (for payment-related frauds)
  • CERT-In (for cyber incidents)

3. Legal Principles from Important Case Laws (India)

Below are key judicial precedents shaping fraud reporting obligations and liability principles in fintech/banking frauds:

1. State Bank of India v. Rajesh Agarwal (2023, Supreme Court)

Principle:

Banks must follow principles of natural justice before declaring an account as fraudulent.

Impact on Fintech:

  • Fintech lenders cannot arbitrarily label borrowers as fraudsters
  • Mandatory show-cause notice and opportunity of hearing

2. ICICI Bank v. Official Liquidator of APS Star Industries (2010, SC)

Principle:

Banks have a duty of due diligence and proper documentation in financial transactions.

Impact:

  • Fintech companies must maintain transparent transaction records
  • Failure to report irregularities can amount to negligence

3. Delhi High Court in ICICI Bank Fraud Case (Rohit Bansal Case Line of Judgments)

Principle:

Internal fraud by employees must be reported promptly to RBI and law enforcement.

Impact:

  • Delay in fraud reporting = regulatory violation
  • Reinforces RBI’s strict reporting timelines

4. Puneet Agarwal v. ICICI Bank (NCDRC / Consumer Forum line)

Principle:

Banks/financial institutions are liable for deficiency in service in cases of fraudulent transactions if due diligence fails.

Impact:

  • Fintech companies can be held liable for consumer losses if fraud safeguards are weak

5. Axis Bank Ltd. v. SBI (Delhi High Court, cyber fraud cases principle)

Principle:

Banks must act as first responders in cyber fraud recovery cases.

Impact:

  • Immediate reporting to RBI + cyber cell is mandatory
  • Delay can lead to compensation liability

6. Vijay Shekhar Sharma v. Union of India (Paytm-related litigation context)

Principle:

RBI has wide supervisory powers over fintech/payment systems.

Impact:

  • RBI can impose restrictions, audits, or reporting enhancements
  • Fintechs must comply with fraud reporting directions strictly

7. Internet and Mobile Association of India v. RBI (2020, SC – Crypto/Fintech impact case)

Principle:

RBI has authority to regulate digital financial ecosystems to prevent fraud risks.

Impact:

  • Strengthens RBI’s control over fintech compliance obligations
  • Supports mandatory fraud reporting ecosystem

4. Consequences of Non-Compliance

If fintech companies fail to report fraud:

Regulatory consequences:

  • RBI monetary penalties
  • Cancellation of licence
  • Restrictions on operations

Criminal consequences:

  • Charges under IPC/BNS (cheating, criminal breach of trust)
  • PMLA prosecution (money laundering linkage)

Civil consequences:

  • Compensation liability to customers
  • Consumer forum claims

5. Key Compliance Timeline (Simplified)

Event | Requirement
Fraud detected | Immediate internal recording
Classification as fraud | Within internal committee approval
Reporting to RBI | Within 14 days (FMR filing)
Reporting to Police | Immediate FIR where applicable
STR/CTR filing | Within prescribed FIU timelines
Board reporting | Next board meeting / quarterly

6. Practical Compliance Challenges in Fintech

  • High-speed UPI transactions → detection lag
  • Cross-border fraud flows
  • Third-party LSP model dilution of accountability
  • AI-driven fraud masking identities
  • Shared liability between bank + fintech partner

CONCLUSION

Fraud reporting obligations for fintech companies in India are strict, time-bound, and multi-layered, involving RBI, FIU-IND, cybercrime agencies, and internal governance systems. Indian courts have consistently reinforced that financial institutions cannot delay, ignore, or improperly classify frauds, and must follow due process and timely reporting standards.
