NBFC Compliances

NBFC compliance refers to the continuous legal obligation of a registered non-banking financial institution to adhere to dual regulatory frameworks: the prudential, governance, and return-filing directions mandated by the Reserve Bank of India (RBI), alongside corporate financial reporting and governance laws under the Ministry of Corporate Affairs (MCA).

The RBI has transitioned from complex activity-based classifications to a streamlined two-tier framework based on systematic risk and public exposure:

• Type I NBFCs: Do not access public funds and have no customer interface. Their compliance burden is significantly reduced.

• Type II NBFCs: Access public funds, accept deposits, or have active retail customer interfaces. They face the highest level of regulatory scrutiny

The RBI groups NBFCs into four layers based on size and risk profiles: Base Layer (BL), Middle Layer (ML), Upper Layer (UL), and Top Layer (TL). Compliance mandates—such as capital adequacy, provisioning, and internal board committees—intensify progressively as an NBFC moves up from the Base Layer to the Upper Layer.

DNBS returns are electronic regulatory filings submitted directly through the RBI’s centralized portal using the XBRL platform. Depending on the size and layer of the NBFC, these are filed monthly, quarterly, or annually to update the regulator on prudential norms, liquid assets, and financial health.

The DNBS10 is the Statutory Auditor Certificate (SAC) return filed annually. It is a mandatory compliance requirement where the company’s external auditor verifies under oath that the NBFC continuously maintains its minimum Net Owned Fund (NOF) and conforms to the principal financial business criteria (the 50-50 test).

NBFCs (primarily in the Middle and Upper layers) must submit periodic ALM returns:

• ALM-1: Statement of structural liquidity.

• ALM-2: Statement of short-term dynamic liquidity.

• ALM-3: Statement of interest rate sensitivity.

NBFCs must safeguard their balance sheets by making a minimum provisions portfolio against outstanding loans. For a standard Base Layer NBFC, the standard provisioning requirement is 0.25% of the total outstanding assets, which must be systematically disclosed in the annual financials.

Before commencing active credit operations, an NBFC must complete its setup on key statutory platforms:

1. Credit Information Companies (CICs): Register with all four major bureaus (CIBIL, Experian, Equifax, CRIF High Mark).

2. FIU-IND: Financial Intelligence Unit – India portal registration.

3. CKYC: Central KYC registry registration.
   

An active NBFC is legally required to submit updated credit data, repayment histories, and default statuses of all its borrowers to all four credit bureaus at least once every calendar month or at shorter intervals as directed.

.

Under the current Digital Lending Guidelines (DLG), the registered NBFC remains the primary regulated entity solely responsible for credit decisions. It must ensure that its Lending Service Provider (LSP) partners deploy transparent loan disclosures, obtain explicit borrower data consent, and route funds directly between the NBFC’s bank account and the borrower without third-party escrow pools.

For Middle and Upper-layer NBFCs, the appointment of an independent Chief Compliance Officer (CCO) is mandatory. The CCO serves as the primary liaison between the organization and the RBI, heading an independent compliance function with structural authority to report compliance risks directly to the Board or the Audit Committee.

The RBI mandates strict periodic updation of KYC records based on customer risk profiles. However, under recent regulatory relaxations, the compliance deadline for updating KYC for verified, low-risk customers has been extended, allowing institutions to utilize digital updates or specialized KYC campaigns.

Under Anti-Money Laundering (AML) compliance mandates, an NBFC must report cash transactions exceeding ₹10 Lakhs via Cash Transaction Reports (CTRs) and register any suspicious financial patterns to the FIU-IND portal via Suspicious Transaction Reports (STRs) within 7 days of identifying the activity.

Under the updated NBFC Managing Risks in Outsourcing Directions, the ultimate accountability for outsourced core actions rests entirely on the NBFC’s Board. Companies must review and realign existing third-party IT and financial vendor service level agreements (SLAs) to meet strict data privacy and business continuity baselines.

No. Under the Scale Based Regulation (SBR) framework, Base Layer NBFCs are explicitly exempted from implementing a formal ICAAP, significantly reducing the administrative and actuarial compliance overhead for smaller entities.

NBFCs must maintain absolute pricing transparency. Under the latest fair pricing directives, when floating interest rates are reset, the NBFC must offer consumer borrowers the clear, flexible option to transition to a fixed-rate model, subject to the board-approved policy guidelines of the institution.

Apart from regular annual filings (Form AOC-4 for financials and Form MGT-7 for annual returns), an NBFC must file Form DIR-12 within 30 days of any change, resignation, or appointment within its Board of Directors or Key Managerial Personnel (KMPs).

Registered NBFCs must feature comprehensive annexure notes in their audited financials detailing:

• Related-party transactions and loans extended to directors/senior officers.

• Breaches in loan covenants or payment defaults, if any.

• Sectoral concentration risks, specifically Sensitive Sector Exposures (SSE) like real estate or capital markets.

Under Section 45-IC of the RBI Act, every registered NBFC must create a dedicated Statutory Reserve fund and transfer a minimum of 20% of its net profits earned every financial year into this reserve before declaring any corporate dividend to shareholders.

The RBI enforces severe penalties for compliance lapses, which can include heavy monetary fines, strict restrictions on expanding loan portfolios, public strictures, or, in extreme cases of willful default or systemic failure, the cancellation of the Certificate of Registration (CoR), barring the entity from operating.