Jaswant Kaur
More than two decades ago, when this writer was introduced to the world of law, regulations, and systems, it felt more sacred than any religious scripture. Every piece of legislation has a history of deep systemic failure affecting the broader public.
We understood that every regulation and rule enacted, re-enacted, or amended tightened the scope for concealment, fraud, and misrepresentation. The aim was to protect investors' interests—not just those who held a majority stake, but also those who held a minority stake.
As a Company Secretary, this instinct and context stay with you as you navigate the complex world of rules in real life. It forces you to look beyond compliance checklists and motivates you to ask a harder question: are we honouring the intent of the law, or merely its form?
However, every time we saw stricter rules and stronger governance mechanisms, we also saw an inherent urge to exploit loopholes and flout the rules. In fact, this vicious cycle of enacting more rules, their consequent failure leading to a newer set of laws, has been continuing ever since mankind came into being. And so has this process of asking questions.
The recent fraud linked to HDFC Bank—one of the largest private banks in the country—brings us back to the same questions we probably ask every time we see powerful individuals misuse loopholes, albeit with impunity.
Over the past year, the bank has faced multiple issues. A loan fraud that reportedly began at around ₹4 crore expanded to nearly ₹20 crore, involving forged salary slips and bank statements to secure disbursements. Then there were cases involving senior-most employees engaged in mis-selling Additional Tier 1 (AT-1) bonds amounting to USD 20 billion to customers without adequately explaining the risks.
The investors, mostly non-resident Indians (NRIs), alleged that the executives deceived them into transferring their foreign-currency non-resident (FCNR) deposits from India to Bahrain, misrepresenting fixed and assured returns. In some cases, the bank officials also took signatures on blank papers. The incident forced the Dubai Financial Services Authority to bar the bank from onboarding new clients in Dubai last year.
The Reserve Bank of India imposed penalties in 2025 for lapses in KYC compliance, outsourcing norms, and interest rate practices following supervisory inspections.
These are not isolated incidents. The banking industry has seen bigger frauds than this. But what is troubling is the pattern with which internal processes, checks, verifications, and compliance fail to detect these frauds. The incidents show that risk is not merely entering the system silently but is being enabled within it, perhaps by those who are entrusted with the responsibility of mitigating and managing it.
And then comes the more difficult question, one that regulation alone cannot answer: when did the system know?
In several such cases across the banking sector, irregularities are detected internally long before they are formally classified as fraud and reported to regulators. That creates a grey zone between suspicion and disclosure. Under RBI norms, banks are required to report fraud within the prescribed timelines once it is identified.
Under SEBI's disclosure framework, listed entities must inform the market of material developments. But both frameworks depend on a critical moment of judgment: when does an irregularity become serious enough to be reported?
That moment is not defined by law alone. It is defined by incentives.
To understand why this matters, one must step back and look at the broader landscape. The RBI's own data tells a story that is both revealing and uncomfortable. During FY 2024–25, bank frauds in India amounted to approximately ₹36,000 crore, a near threefold increase from the previous year, even though the number of cases declined. This indicates that while fewer frauds are being reported, the size and sophistication of each fraud are increasing manifold, perhaps with a more complex modus operandi.
During the first half of FY 2026–27, frauds worth over ₹21,500 crore were reported, registering an increase of 30 per cent year-on-year. A large majority of fraud involves loans and advances, accounting for the bulk of financial losses.
At the same time, digital fraud is proliferating rapidly. Of late, the RBI recorded over 13,000 cases of card and internet-related fraud involving losses exceeding ₹500 crore. While these account for a large number of cases, their value remains lower than that of loan-related frauds. The real systemic risk still lies in credit processes, documentation, and internal controls.
This is where the HDFC Bank episodes become significant. They sit precisely at the intersection of these vulnerabilities. The acceptance of forged documents for loan approvals points to breakdowns in credit underwriting. Mis-selling of complex instruments reflects incentive structures that prioritise revenue over fiduciary responsibility. Regulatory penalties for KYC lapses indicate that even foundational safeguards are not consistently enforced.
On paper, our regulatory architecture is strong, perhaps the strongest in the world. The Securities and Exchange Board of India (SEBI) exists because of a crisis that fundamentally altered how we think about markets. The 1992 securities scam, driven by Harshad Mehta, exposed how opacity and regulatory gaps could be exploited to distort the financial system. The response was not incremental; it was structural. SEBI was empowered, disclosure norms were tightened, and the idea that markets require transparency was embedded in policy.
But history has a habit of repeating itself in quieter forms. Today, the issue is not the absence of regulation. It is the dilution of its spirit. We have stricter reporting requirements and stronger internal controls mandated by law, but their enforcement is uneven.
This creates what can only be described as a regulatory illusion. The framework appears robust, but its effectiveness depends on how institutions choose to engage with it.
The RBI's supervisory reports have repeatedly highlighted this concern. Fraud is increasingly linked to operational risk, internal control failures, and deficiencies in due diligence. The apex bank has continuously and consistently strengthened reporting systems, introduced risk-based supervision, and pushed for better governance. Yet, the persistence of fraud indicates that compliance is being treated as a process rather than a principle.
Even customer-level data points to shifting pressures. Complaints against private sector banks have risen as a share of total grievances, suggesting growing stress in service quality and possibly internal systems. This certainly does not mean that public sector banks are any better. This malaise is widely spread. However, it shows that growth has outpaced governance.
Private sector banks have built their success on efficiency, scale, and aggressive expansion, where loan growth, cross-selling, and customer acquisition are central to their performance metrics. In such an environment, compliance functions often operate within the same target-driven ecosystem. When the two collide, compliance tends to adjust.
A document is accepted without full verification because the customer is considered reliable. A product is sold because it contributes to revenue, even if it does not align with the client's risk profile. A discrepancy is flagged but held back for internal review rather than being escalated immediately. Each decision appears rational in isolation. Collectively, they create a huge systemic risk.
The role of regulators, therefore, cannot be limited to prescribing rules. It must extend to reshaping incentives.
The RBI has recognised this in its supervisory observations, repeatedly emphasising the need for stronger internal controls, a better risk culture, and accountability at senior levels. It has also moved towards more data-driven supervision, seeking to identify patterns rather than isolated incidents. But the effectiveness of supervision still depends on the quality and timeliness of information received from the banks.
SEBI faces a similar challenge. Its disclosure framework is robust, but it relies on listed entities' judgment to determine materiality. However, this judgment is often influenced by the desire to contain reputational damage. In such cases, disclosures are delayed or non-existent, and the market operates on incomplete information.
The uncomfortable truth is we have learned how to write laws but not how to internalise and operationalise them.
One lesson that the HDFC Bank episode reinforces is that governance cannot be episodic. It cannot be activated only after a fraud is confirmed. It must operate with immediacy at the stage of suspicion, when something appears out of place, putting more onus on whistleblowers than on compliance owners, or evolving an early warning system to detect potential fraud and contain its effects at an early stage.
Because the real failure is not that fraud happens. It is that the system often knows before it chooses to admit and disclose it.