RBI Updates Risk Governance Norms for NBFCs


📌 Introduction

The Reserve Bank of India (RBI) has recently overhauled its risk governance norms for Non-Banking Financial Companies (NBFCs) as part of a wider push toward making financial institutions more resilient and better aligned with banking regulations. These revisions are part of RBI’s larger Scale-Based Regulatory (SBR) framework that aims to stratify NBFCs based on their size, complexity, and systemic importance. The move is a direct response to growing concerns around financial stability, governance lapses, and technological vulnerabilities within the sector.

This article dives deep into the new guidelines, their background, and their far-reaching implications for India’s NBFC sector, including layers of regulation, fraud risk management, IT governance, compliance expectations, capital requirements, and board responsibilities.


⚙️ Background and Framework

The RBI has categorized NBFCs into three layers:

  • Base Layer (BL): Smaller NBFCs with simpler operations

  • Middle Layer (ML): Mid-sized, systemically non-critical NBFCs

  • Upper Layer (UL): Systemically important NBFCs with greater exposure and interconnectedness

Each layer is subject to a progressively stringent set of rules. This layered approach ensures that regulation is proportionate to the risk an NBFC poses to the overall financial system. The latest updates represent a sharp elevation in governance, disclosure, risk management, and compliance standards—especially for NBFCs in the Middle and Upper Layers.


📌 Key Regulatory Updates

1. Board-Level Risk Management Committee (RMC)
NBFCs in the ML and UL categories must constitute a dedicated Risk Management Committee at the board level. This committee will be responsible for:

  • Identifying, assessing, and mitigating risks including liquidity, credit, market, operational, and technology risks

  • Reporting risk assessments and mitigation strategies to the full board regularly

The committee must also:

  • Be chaired by an independent director

  • Have members with significant experience in finance, risk management, or banking

For BL NBFCs, a Risk Management Committee is optional but encouraged.


2. Board Composition and Expertise Requirements
RBI now mandates that at least one member of the board of directors must have prior experience in banking or an NBFC. This is to ensure competent oversight and to facilitate informed decision-making.

Additionally, independent directors must not serve on the boards of more than three NBFCs (ML or UL), and key managerial personnel (KMP) are barred from holding similar roles in other NBFCs outside their group.


3. Compliance Officer and Compliance Function
All ML and UL NBFCs must appoint a Chief Compliance Officer (CCO) and establish an independent compliance function. These measures must be approved by the board and tailored to the organization’s complexity.

Key responsibilities include:

  • Ensuring adherence to regulatory obligations

  • Reporting breaches or lapses

  • Advising the board and senior management on compliance matters


4. Fit and Proper Norms and Conflict of Interest Mitigation
To avoid conflict of interest and ensure the independence of governance bodies, new rules stipulate that:

  • Independent directors cannot be removed without sufficient cause

  • Premature resignations or removals must be reported to RBI (for UL NBFCs)

  • Directors must meet ‘fit and proper’ criteria, including integrity, reputation, and experience


5. Whistleblower and Remuneration Policies
NBFCs must implement a whistleblower policy, enabling employees and stakeholders to report unethical behavior or lapses confidentially.

They must also have a board-approved compensation policy that includes:

  • Provisions for claw-back or malus (in cases of misconduct or underperformance)

  • Proper alignment between risk-taking and remuneration

  • A Nomination and Remuneration Committee to oversee executive pay structures


6. Enhanced Disclosures and Transparency
NBFCs in the UL and ML must provide expanded disclosures in their annual reports, including:

  • Governance structures

  • Related party transactions

  • Auditor qualifications and management responses

  • Material breaches of governance policies

  • Exposure to group companies or large borrowers

This level of transparency brings NBFCs closer to disclosure standards followed by commercial banks.


7. Core Financial Services Solution (CFSS) Implementation
NBFCs (ML and UL) with more than 10 fixed-point service delivery units must implement a Core Financial Services Solution (CFSS), akin to a Core Banking Solution used in banks.

Key dates:

  • UL NBFCs: 70% of units must be CFSS-enabled by September 2024

  • ML and UL NBFCs: All units must comply by September 2025

This ensures consistency, efficiency, and data integration across service channels.


8. Capital and Concentration Risk Framework
NBFCs in the UL category must adopt an Internal Capital Adequacy Assessment Process (ICAAP) to assess capital needs in line with risks faced.

Additional measures include:

  • Maintaining Common Equity Tier 1 (CET1) capital of at least 9%

  • Complying with concentration risk guidelines, especially for large group exposures


🛡️ Fraud Risk Management – Master Directions (July 2024)

To combat increasing fraud instances, RBI released comprehensive Fraud Risk Management Master Directions applicable to:

  • ML and UL NBFCs

  • BL NBFCs with asset size ≥ ₹500 crore

Highlights include:

🔍 Board-Approved Fraud Risk Policy
NBFCs must frame a detailed fraud risk policy that defines roles, responsibilities, prevention strategies, and investigation protocols. Oversight must be provided by a subcommittee including independent directors and the CEO.

🛎️ Early Warning System (EWS)
NBFCs must set up automated tools and manual monitoring systems that flag early signs of potential fraud. These tools must monitor:

  • Credit scoring anomalies

  • Transaction pattern changes

  • Loan utilization divergences

🧾 Auditing and Investigations
Both internal and statutory auditors must actively investigate suspicious activity. Title deed audits are mandatory for credit exposures exceeding ₹1 crore.

📢 Fraud Reporting and Penalties
All frauds must be reported to RBI and law enforcement authorities. Entities and individuals found guilty of fraud will be barred from accessing credit facilities for at least five years from any RBI-regulated entity.


🔐 Technology Governance and IT Risk Controls

RBI’s Master Direction on IT Governance, Risk, Controls & Assurance, released in late 2023, brings NBFCs’ cyber standards closer to those of banks.

💻 Annual IT Risk Assessments
NBFCs must conduct annual risk assessments covering threats, existing controls, and vulnerabilities. These findings should be submitted to the CIO, CRO, and the board.

📡 Cybersecurity and Awareness Programs
Mandatory training must be imparted to employees, executives, and board members. Vendors and third-party service providers must comply with the NBFC’s cybersecurity policies.

🔏 Encryption and Digital Signatures
Strong encryption and the use of digital signatures are encouraged for transaction security and regulatory compliance.

📲 Social Media and Mobile App Controls
NBFCs must establish risk protocols for social media marketing and digital apps, including secure coding practices, encryption, and user data privacy controls.


📈 Capital Relief and Risk Weight Adjustments

In November 2023, RBI increased risk weights on:

  • Banks’ exposure to NBFCs by 25 percentage points

  • Unsecured micro-credit lending to 125%

These changes tightened credit conditions for NBFCs, especially those dependent on bank funding.

However, in February 2025, the RBI rolled back these risk weights for highly rated NBFCs, restoring them to pre-November 2023 levels. For micro-credit loans, the risk weight was reduced back to 100%.

💡 Impact:

  • More liquidity and cheaper funding for top-rated NBFCs

  • Increased bank lending to NBFCs as capital requirements reduce

  • Shift in funding strategy from commercial papers to bank loans


👥 Leadership and Supervisory Focus

RBI’s Deputy Governor reiterated in early 2025 that NBFCs must:

  • Sharpen board oversight of liquidity and funding mismatches

  • Strengthen internal audit and risk management systems

  • Treat consumers fairly and responsibly, especially in digital lending

Auditors were urged to adopt a more proactive approach in identifying control failures, fraud patterns, and related-party exposures.


🏛️ Timeline Snapshot

📅 October 2021 – RBI introduces Scale-Based Regulation Framework
📅 October 2022 – Board expertise and director limits come into force
📅 April & October 2023 – Compliance officers and compliance units established
📅 September 2024–2025 – CFSS rollout deadlines for UL and ML NBFCs
📅 July 2024 – Fraud Risk Master Directions applicable
📅 February 2025 – Risk-weight rollbacks announced


📊 Sector Implications

For NBFCs, these updates are not just regulatory hurdles—they are catalysts for institutional maturity.

  • UL & ML NBFCs: Must significantly upgrade governance, systems, and board-level supervision

  • BL NBFCs: May see increased costs in compliance if asset size crosses ₹500 crore

  • Highly rated NBFCs: Benefit from easier capital access post rollback of risk weights

  • Auditors & Investors: Gain better visibility due to enhanced disclosures


✍️ Final Takeaways

The RBI’s latest updates represent a paradigm shift in how NBFCs are regulated in India. With more responsibility being shifted to boards, committees, and compliance officers, the message is clear: NBFCs must act not just as financiers, but as prudent financial institutions with sound risk culture.

🏦 Governance is no longer optional.
🛡️ Fraud control is now systemic.
🔐 Cybersecurity is critical infrastructure.
📈 Capital adequacy is forward-looking, not reactive.

NBFCs that adopt these changes with urgency and sincerity are likely to not only survive but thrive in India’s dynamic financial landscape.


Created & Posted by Aashima Verma
Accounts Executive at TAXAJ
