Thursday, April 23, 2026

RBI’s “Biopsy” Approach to Banking Is the Global Gold Standard

 

R Kannan

For decades, banking supervision in India followed the logic of an autopsy. When a financial institution failed or a massive fraud was unearthed, regulators and auditors would descend upon the remains to perform a post-mortem. By the time the "cause of death" was determined, the capital was gone, and the public’s trust was often buried with it.

 

As we navigate 2026, the Reserve Bank of India (RBI) has fundamentally rewritten this script. We have moved from the era of "Post-Facto" regulation to the era of the "Live" Financial Institution. The RBI’s shift to a continuous, tech-driven, and risk-sensitive supervisory regime is not just a policy update; it is a paradigm shift that turns compliance from a back-office burden into the very fabric of a bank’s code.

From Snapshots to Motion Pictures

The centrepiece of this transformation is the transition from periodic manual oversight to real-time monitoring through the Centralized Information Management System (CIMS). Traditionally, compliance was a "snapshot"—a monthly or quarterly audit that captured a moment in time. Today, it is a "motion picture".

Through CIMS, regulated entities (REs) now provide structured data feeds that allow the RBI to monitor liquidity and solvency daily. This eliminates the "lag time" that once gave bad actors or incompetent management the shadows they needed to hide systemic stress. By demanding 24/7 compliance, the RBI has ensured that the "health" of the Indian financial system is always visible, in high definition.

The Rise of SupTech and the End of "Black Boxes"

The RBI’s adoption of Supervisory Technology (SupTech)—using AI and Machine Learning to scan vast amounts of bank data—has levelled the playing field. Compliance is no longer just about what a bank chooses to report; it is about what the RBI’s algorithms discover. This "God View" of banking uses active probes like the DAKSH platform to "pull" raw data directly from banks, ensuring a "Single Version of Truth". A bank can no longer show one NPA figure to the public and a different one to the regulator.

However, with great power comes great accountability. As banks adopt Generative AI and "Agentic AI" for credit scoring, the RBI has wisely mandated a "Responsible AI" framework. We have moved beyond the era of "black box" algorithms. Today, banks must provide audits of AI "explainability" to ensure that loan rejections or credit limits are not influenced by hidden biases that lead to financial exclusion.

Killing the Culture of "Evergreening"

Perhaps the most aggressive use of this new technology is the war on "Evergreening"—the practice of masking bad loans by giving a borrower a new loan to pay off the old one. In the past, this was the "Public Enemy No. 1" that hollowed out balance sheets.

Modern AI engines now scan "Related Party Clusters," tracking thousands of transactions to see if money is simply moving in a circle—from the bank to Company A, then to Company B, and finally back to the bank. By identifying these patterns in real-time, the RBI has forced banks to clean their balance sheets immediately rather than hiding Non-Performing Assets (NPAs) until they become unmanageable.
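The circular flow described above (bank to Company A, to Company B, back to the bank) is a cycle in a directed fund-flow graph. The sketch below is an added example, not RBI or bank code: the entity names, amounts, hop limit and 90% retention threshold are all assumptions, and the transfers are constructed sample data.

```python
from collections import defaultdict

# Constructed sample transfers: (payer, payee, amount in INR crore).
TRANSFERS = [
    ("BANK", "COMPANY_A", 100.0),       # fresh loan disbursed
    ("COMPANY_A", "COMPANY_B", 98.0),   # passed to a related party
    ("COMPANY_B", "BANK", 97.0),        # old loan "repaid" with the bank's own money
    ("BANK", "COMPANY_C", 50.0),
    ("COMPANY_C", "SUPPLIER_X", 49.0),  # genuine spend, never returns
    ("COMPANY_A", "SUPPLIER_X", 1.0),
]

def build_graph(transfers):
    """Aggregate transfers into graph[payer][payee] = total amount."""
    graph = defaultdict(dict)
    for payer, payee, amount in transfers:
        graph[payer][payee] = graph[payer].get(payee, 0.0) + amount
    return graph

def find_round_trips(transfers, origin="BANK", max_hops=4, min_retained=0.9):
    """Return (path, retained) for flows that leave `origin` and come back.

    retained = smallest hop on the loop / first hop out of origin. A value
    near 1.0 means almost all disbursed money survived the whole loop,
    which is the evergreening signature; small leak-backs are ignored.
    max_hops (hypothetical tuning knob) bounds the number of entities on a path.
    """
    graph = build_graph(transfers)
    findings = []

    def walk(node, path, first_amt, bottleneck):
        for nxt, amt in graph.get(node, {}).items():
            low = min(bottleneck, amt)
            if nxt == origin:
                if low / first_amt >= min_retained:
                    findings.append((path + [origin], round(low / first_amt, 2)))
            elif nxt not in path and len(path) < max_hops:
                walk(nxt, path + [nxt], first_amt, low)

    for first, amt in graph.get(origin, {}).items():
        walk(first, [origin, first], amt, amt)
    return findings

if __name__ == "__main__":
    for path, retained in find_round_trips(TRANSFERS):
        print(" -> ".join(path), f"retained={retained}")
```
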

The "Golden Hour" of Cyber-Compliance

In 2026, the speed of commerce is matched only by the speed of cyber threats. The RBI’s "zero-tolerance" policy toward data breaches is exemplified by the strict 6-hour reporting window for significant incidents. For Tier I and II banks, a 24/7 Security Operations Centre (SOC) is now mandatory.

To meet these "Golden Hour" requirements, banks have built internal "War Rooms" where the Chief Information Security Officer (CISO) and Chief Compliance Officer (CCO) sit together. Automation is the only way to survive this environment; banks now use APIs to push data directly from their SOC to the RBI, ensuring that "human hesitation" or internal bureaucracy doesn't delay a report.

Integrating the Physical and the Digital

The 2026 approach recognizes that the "Bank Branch" and the "Bank App" are no longer separate worlds. The RBI now mandates Integrated Monitoring, where physical security—CCTV, fire sensors, and vaults—talks to digital security systems.

Consider the "Locker Scenario". In the past, locker fraud was often an inside job. Today, IoT sensors on vault doors are synced with the bank’s HR system. If a staff member’s biometric is used to open a vault while they are marked as "On Leave," the system physically locks the door and alerts the authorities. Mere "recording" of footage is no longer enough; "active verification" is the new standard.

Behavioural KYC: Ending the 10-Year Cycle

The traditional 10-year cycle for updating customer records is dead, replaced by Perpetual or Event-Based KYC. A student account that typically handles small UPI transfers will now be flagged instantly if it receives a foreign remittance of ₹50 lakhs. While "Static KYC" might label the student as low risk, "Behavioural KYC" identifies the anomaly as high risk. This may trigger a temporary restriction on debits until a Video-KYC (V-KYC) confirms the source of funds, preventing money laundering at "internet speed".
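The student-account case above can be expressed as a per-account baseline check. This is an added example, not a regulator's or bank's implementation: the history is constructed, and the median/MAD scoring, the 3.5 cut-off, the minimum-history rule and the action names are assumptions chosen for illustration.

```python
from statistics import median

# Constructed credit history for a student account: (channel, amount in INR).
HISTORY = [("UPI", 250), ("UPI", 500), ("UPI", 1200), ("UPI", 300),
           ("UPI", 800), ("UPI", 450), ("UPI", 2000), ("UPI", 600)]

def robust_score(amount, past_amounts):
    """Modified z-score built on median and MAD, so one earlier large
    credit cannot inflate the baseline the way a mean/stddev would."""
    med = median(past_amounts)
    mad = median(abs(a - med) for a in past_amounts) or 1.0  # avoid divide-by-zero
    return 0.6745 * (amount - med) / mad

def assess_credit(static_risk, history, channel, amount,
                  score_limit=3.5, min_history=5):
    """Re-rate one incoming credit against the account's own behaviour."""
    if len(history) < min_history:
        # Too little data for a baseline: assumed policy is human review.
        return {"risk": static_risk, "action": "MANUAL_REVIEW",
                "reasons": ["insufficient history"]}
    if robust_score(amount, [a for _, a in history]) <= score_limit:
        # Within normal behaviour: the static KYC rating stands.
        return {"risk": static_risk, "action": "NONE", "reasons": []}
    reasons = ["amount outlier"]
    if channel not in {c for c, _ in history}:
        reasons.append("new channel")  # supporting signal, not a trigger alone
    # Behaviour overrides the static label; debits stay restricted until
    # V-KYC confirms the source of funds.
    return {"risk": "HIGH", "action": "RESTRICT_DEBITS_PENDING_VKYC",
            "reasons": reasons}

if __name__ == "__main__":
    # Rs 50 lakh = 5,000,000 INR arriving as a foreign remittance.
    print(assess_credit("LOW", HISTORY, "FOREIGN_REMITTANCE", 5_000_000))
    print(assess_credit("LOW", HISTORY, "UPI", 700))
```
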

A Financial Incentive for Safety

Crucially, the RBI has turned compliance into a direct financial incentive through the Risk-Based Deposit Insurance Premium. Starting April 2026, banks with superior risk management and supervisory ratings pay lower premiums (8 paise per ₹100) compared to weaker institutions (12 paise). This forces Boards to treat compliance not as a legal obligation to be minimized, but as a core business strategy that directly impacts the bottom line.

The Human Element: Whistleblowing and Mis-selling

Despite the focus on AI and data, the RBI has not ignored the human element. New standards for digitized whistleblowing ensure that internal IT teams cannot compromise the anonymity of employees. By hosting these portals on separate clouds and using "Zero-Knowledge Proofs," the system verifies an employee’s status without ever revealing their identity.

Furthermore, the RBI is using speech analytics to combat aggressive mis-selling. AI now scans sales call recordings for forbidden phrases like "guaranteed 20% return" or "no risk". If a specific branch shows a pattern of complaints regarding a specific product, the system can automatically halt sales of that product at that location until an investigation is complete.

Conclusion: The Fabric of the Code

The "India Approach" to banking in 2026 is defined by proactive prevention rather than post-facto recovery. By shifting capital from "Audit Departments" to "Data Science Units," banks are moving compliance from the "Back Office" to the "Front Line".

This continuous, "biopsy-based" monitoring ensures that the Indian financial system remains resilient in the face of global volatility, AI-driven fraud, and rapid digitalization. For the global banking community, the message is clear: in the digital age, you cannot regulate by looking in the rearview mirror. You must be in the driver’s seat, watching the road in real-time.