Whistleblower Policy: RBI Scheme and Key Rules 2025

Why whistleblowing is back in focus

Public-interest disclosures by employees are increasingly being recognised as a way to improve governance standards and strengthen probity and transparency in public institutions. The backdrop is familiar: large corporate frauds, in India and globally, have often surfaced only after insiders raised red flags. Internationally, the material cites legislative responses such as the Whistleblower Protection Act in the US and the Public Interest Disclosure Act in the UK. In India, whistleblowing has evolved through a mix of government resolutions, regulator-led schemes, and company-level “vigil mechanism” requirements. But the same material also highlights a key weakness: the absence of a single comprehensive, fully effective whistleblower protection regime.

The 2004 step: CVC as the “Designated Agency”

In the Indian context, the Government of India passed a resolution on April 21, 2004 authorising the Central Vigilance Commission (CVC) as the “Designated Agency” to receive written complaints or disclosures. The resolution covers allegations of corruption or misuse of office, and empowers the CVC to recommend appropriate action. However, the jurisdiction described is limited. It is restricted to employees of the Central Government, corporations established by it or under any Central Act, government companies, societies, or local authorities owned or controlled by the Central Government. That design means the framework was not built to directly cover the entire banking sector, especially private and foreign banks.

RBI’s Protected Disclosures Scheme for private and foreign banks

As a “proactive measure for strengthening financial stability” and to enhance public confidence in the robustness of the financial sector, RBI formulated a scheme titled “Protected Disclosures Scheme for Private Sector and Foreign Banks.” The scope is deliberate: since public sector banks and RBI (as an entity established under central statute) were already brought under the Government of India scheme, RBI’s framework is intended to avoid duplication. As a result, it covers all private sector and foreign banks operating in India. The scheme’s core expectation is that these banks frame their own “Protected Disclosures Scheme,” approved by their boards, aligned to the broad framework. The policy should lay down norms to protect the identity of employees making disclosures and safeguard them from adverse personnel action.

What banks are expected to put in writing

The material is clear that board oversight is central. Private and foreign banks are expected to define the role and responsibilities of the board of directors when dealing with complaints received under the scheme. The goal is not limited to fraud detection. The wider objective described includes giving employees and stakeholders an avenue to raise concerns around corruption, misuse of office, criminal offences, suspected or actual fraud, and failure to comply with rules and regulations such as the Banking Regulation Act, 1949. The same framework also links whistleblowing to broader operational outcomes such as financial loss, operational risks, and reputational loss detrimental to depositors, the bank, and public interest.

Who can complain, and what complaints can cover

Under a whistleblower policy described in the material, the avenue can extend beyond employees. It states that employees, depositors, borrowers, shareholders, and other stakeholders with sufficient grounds for concern can lodge complaints, and the complainant is referred to as the “Whistleblower.” Complaints can relate to acts of omission or commission by employees across branches, departments, or the corporate office. A key internal control point is the expectation of a preliminary assessment to ascertain prima facie credibility, documentation of the initial enquiry, and a closure decision if no further investigation is indicated. Where further investigation is needed, the matter is carried forward through a designated whistleblower committee.

India’s legal position: a law exists, but not in force

The material states there is no single comprehensive legislation in India that provides protection to whistleblowers. It notes that the Whistle Blowers Protection Act, 2014 was enacted to enable complaints against public servants relating to corruption, wilful misuse of power, or commission of a criminal offence. But it also states that the provisions of the Act have not yet been enforced by the Central Government of India. This creates a practical gap between a statutory text and on-ground enforceability, particularly for those who are not clearly covered as “public servants.”

Companies Act requirements and penalties

On corporate compliance, the material answers a practical question directly: companies can be legally obliged to introduce a whistleblowing system. It lists “Covered Companies” under the Companies Act as including (i) listed companies, (ii) companies accepting public deposits, and (iii) companies that have borrowed from banks and public financial institutions in excess of INR 500 million. It also notes that banking institutions, including commercial banks (including regional rural banks), all-India financial institutions, urban co-operative banks, state co-operative banks, central co-operative banks, and NBFCs (including housing finance companies) are mandatorily required to frame policies, codes of conduct, and other vigil mechanisms under their respective frameworks. For certain covered companies, the board may nominate a director to play the role of the audit committee for the vigil mechanism. The material also states sanctions for failure: Section 178(8) provides a penalty of INR 0.5 million, and every officer in default is liable to INR 0.1 million. It further notes penalties under SEBI PIT Regulations and SEBI DR Guidelines can range from INR 0.1 million up to INR 10 million.

IndusInd Bank: whistleblower trigger and an internal audit finding

A recent disclosure described in the material points to how whistleblower inputs can drive internal controls. It refers to an ET report citing a whistleblower complaint, stating that the bank’s internal audit department reopened investigations into past accounting reversals. The entries included items under “other assets” and “other liabilities” listed within operating expenses. In a letter dated May 15, IndusInd stated the internal audit department submitted its report on May 8. The report found that a cumulative amount of INR 674 crore was incorrectly recorded as interest over three quarters of FY24-25, and that the amount was fully reversed as on Jan 10, 2025. The bank acknowledged that the findings were triggered by a whistleblower complaint. The cited report also noted that the accounting issues were separate from matters earlier disclosed, and referred to a whistleblower letter to both RBI and the bank’s board flagging a INR 600 crore discrepancy in microfinance interest income and an alleged conflict of interest involving a senior executive.

IL&FS: ignored warnings and the cost of delayed action

The material also recounts an earlier episode where whistleblower letters allegedly did not lead to timely intervention. It cites a report that a whistleblower wrote in July 2017 to RBI Governor Urjit Patel seeking investigation into “4 years of mismanagement” and alleged corruption at IL&FS/IFIN, with a caption warning that “Rs 1 lakh crore of PSU bank exposure” was at serious risk. It says the whistleblower sent letters to multiple stakeholders, including the IL&FS board and major shareholders, and that “no action was taken.” The same account states that in May of a later year, the whistleblower sent another letter warning IL&FS could collapse in 12-18 months. It also states that in October, the government acted against IL&FS, sacked its board, appointed a new board with Uday Kotak as non-executive chairman, and that the group’s total debt was INR 91,000 crore. The episode is described as a case where checks and balances and routine compliances did not translate into timely risk containment.

Key facts at a glance

Market and governance implications

For investors and depositors, the common thread across these references is governance plumbing. RBI’s approach focuses on policy design, board accountability, and protection against retaliation so that disclosures do not get suppressed by fear of adverse personnel action. At the same time, the material highlights persistent concerns about transparency and retaliation risks in public institutions, including commentary that points to reduced transparency in certain anti-corruption processes over time. Separately, the IndusInd episode shows how a whistleblower complaint can directly trigger internal audit work and result in an identified accounting misstatement and reversal, with dates and amounts disclosed. The IL&FS narrative underscores the opposite risk: when detailed warnings exist but action is delayed, exposures can become systemic and expensive.

What to watch next

The scheme framework indicates that banks are expected to maintain clear mechanisms for receipt, assessment, investigation, and board-level handling of complaints, while protecting identity and preventing retaliation. The material also notes RBI’s scheme could get extended to other RBI-regulated entities, including primary (urban) co-operative banks, in due course. For the market, the most relevant near-term signposts are formal disclosures by banks about internal audit findings, board handling of whistleblower complaints, and any regulator-led follow-ups where complaints are routed to RBI. Separately, the status of the Whistle Blowers Protection Act, 2014 remains a structural issue, because the material states it is enacted but not enforced.