When Risk Frameworks Fail: The ₹5.9-Billion Reality Check

A ₹5.9-billion insider fraud does not erupt because banks lack frameworks. It erupts because frameworks, however sophisticated, are ultimately mediated through people, incentives, and institutional behaviour. The recent disclosure of unauthorised transactions involving government accounts at a Chandigarh branch of IDFC First Bank is not merely an episode of misconduct. It is a stress test of the operational risk architecture that modern banking prides itself on.

The episode follows closely on my recent column in BasisPoint Insight, “How AI and Real-Time Banking are Turning Operational Risk Systemic Today”, which examined how technology-driven banking was reshaping risk dynamics.

The IDFC case now provides an uncomfortable real-world validation of those concerns.

High-severity frauds built on collusion, reconciliation gaps and prolonged concealment are not just balance-sheet events. They corrode trust, undermine governance credibility and expose the fault line between how controls are designed and how institutions actually function. When such an event surfaces not through internal detection systems but because an account holder initiates a routine operational request, the uncomfortable question is not how the fraud occurred, but why the safeguards meant to detect it remained silent.

Framework vs Practice
On February 18, 2026, a complaint from a government department triggered a review of Haryana government accounts at a single branch. Reconciliation later revealed a ₹5.9 billion gap, traced to unauthorised transactions involving bank staff and outside parties. Employees have been suspended, a forensic audit commissioned, and legal proceedings initiated. The market reaction was immediate, and the Haryana government de-empanelled the bank for official business, compounding reputational damage.

Yet the deeper significance lies not in the sequence of corrective actions, but in what the episode reveals about operational risk governance.

Modern frameworks shaped by the Basel Committee and operationalised through RBI supervision rest on a coherent logic: risks are to be identified, measured, monitored and controlled through an integrated ecosystem of policies, surveillance systems, segregation of duties and audit assurance. In theory, severe losses should either be prevented or detected before they attain material scale.

In practice, the friction arises not from the absence of architecture, but from the gap between architecture and behaviour. The fraud illustrates how formal structures may coexist with latent vulnerabilities capable of neutralising the intended protections.

Segregation of duties, for instance, remains a foundational principle. By distributing initiation, authorisation, recording and reconciliation across independent actors, institutions attempt to diffuse risk concentration. However, segregation assumes that independence between control actors remains intact. When collusion compromises multiple control points simultaneously, separation transforms into procedural theatre. Controls remain visible, approvals are logged, reconciliations appear complete, yet functional integrity collapses beneath the surface.

This reveals a recurring blind spot. Control systems are often designed around the risk of individual misconduct, while coordinated deviation receives less structural attention. Dual controls and supervisory gates lose deterrent strength when informal authority, cultural pressure, or performance incentives subtly legitimise overrides. Over time, exceptions cease to feel exceptional.

Surveillance systems are meant to compensate for this human fragility. Automated reconciliation engines and behavioural analytics are expected to surface anomalies in real time. That a discrepancy of this magnitude surfaced only when external account closure requests were initiated raises what may be termed a detection paradox. If monitoring is continuous, how do distortions accumulate unnoticed?

One explanation lies in calibration asymmetry. Detection models are typically optimised to capture statistically conspicuous deviations - sudden spikes, velocity anomalies, threshold breaches. Gradual manipulations that remain within expected operational ranges, or that mimic legitimate flows, are harder to isolate. Fraud schemes that unfold incrementally remain within expected behavioural ranges or exploit known system tolerances and may therefore evade automated scrutiny.

Equally significant is alert governance. Detection engines generate signals, but institutions determine their interpretation and escalation. Alert fatigue, resource constraints and prioritisation biases frequently suppress weak signals. The issue is therefore not only technological sophistication, but organisational willingness to interrogate discomforting indicators.

Internal audit functions, meanwhile, provide episodic assurance. However, audits operate on predictable cycles, while frauds  adapt dynamically. Standardised sampling and checklist-driven reviews may inadvertently create environments in which observable behaviour aligns temporarily with expectations. In such contexts, audits risk validating compliance performance rather than probing structural vulnerabilities. Even where anomalies are detected, their impact depends on escalation pathways and governance consequences. Documentation without enforcement rarely transforms behaviour.

Systemic Signals
The IDFC episode is not isolated in its underlying mechanics. The ₹19.6 billion accounting issues at IndusInd Bank may differ from a branch-level fraud in form, but they spring from a similar weakness: the gap between formal oversight and how things actually run on the ground. The specifics change. The underlying pattern does not - insiders with system familiarity, controls bent or bypassed, and problems that surface later than they should.

In each instance, the real question is cultural. Not culture as a boardroom talking point, but the everyday signals an organisation sends about what truly matters. A system can be procedurally compliant and still lack ownership of risk. When growth targets, internal hierarchies or commercial pressures subtly outweigh control discipline, small compromises stop feeling like breaches and start feeling like business as usual.

And the damage rarely stops at the numbers. Markets do not react only to the reported loss; they react to what it says about oversight and judgment. When a government counterparty withdraws, the impact runs deeper: operational disruption, reputational drag and a recalibration of trust that can take years to rebuild. Funding costs, investor expectations and credit assessments adjust accordingly. Over time, recurring high-severity frauds elevate systemic compliance expenditure, particularly for institutions operating without the buffer of scale.

Reducing recurrence demands a shift in orientation. Operational risk management cannot remain a compliance-driven reporting exercise. It has to evolve into a system that actively senses stress and intervenes early. Real-time surveillance must move beyond dashboards and summaries, and become an investigative tool that surfaces weak signals of collusion, override behaviour and creeping control failures. Control design must incorporate behavioural resilience through dynamic authority validation and tamper-evident override trails. Audit functions must become less predictable and more consequence-driven. Most critically, incentive systems must align measurable behavioural conduct with risk integrity.

Regulatory ecosystems may, in parallel, benefit from secure, high-frequency supervisory data infrastructures that narrow temporal blind spots. Such evolution represents not regulatory expansion, but alignment with the complexity of modern financial operations.

Fraud risk is intrinsic to complex banking systems. Its persistence does not imply the futility of operational risk frameworks; rather, it exposes the limits of static controls operating within adaptive human environments. Frameworks provide structure. Resilience emerges from behavioural alignment, institutional curiosity and governance consequence.

The ₹5.9-billion fracture is not just a lapse at one branch. It is a reminder that when controls are treated as paperwork rather than living safeguards, the gap between design and reality can quietly widen until it becomes impossible to ignore.