Corporate and Regulatory Due Diligence

Certificate of Registration (CoR) Verification

Under Section 45-IA of the RBI Act, 1934, every NBFC must hold a valid Certificate of Registration (CoR) from the RBI to commence or continue its financial business. The acquirer must verify the CoR’s validity, registration number, category (deposit-taking or non-deposit-taking), and the asset size to determine if the NBFC falls under the Base, Middle, Upper, or Top Layer of the Scale-Based Regulation (SBR) Framework. It should also be ensured that there are no pending show-cause notices or restrictions imposed by the RBI.

Change in Control and RBI Approval

The acquisition of an NBFC often triggers a “change in control” event, which requires prior approval from the RBI. The acquiring company must apply to RBI through a formal application process supported by business rationale, shareholding pattern, and financial position of the acquirer. Compliance with Fit and Proper Criteria for directors and shareholders (as per RBI circular DNBR.PD. CC.No. 090/03.10.001/2016-17) must also be verified. A public notice of change in control, published in two newspapers, is mandatory to maintain transparency.

Corporate Records and Shareholding Structure

Due diligence must include reviewing the NBFC’s Memorandum of Association (MoA) and Articles of Association (AoA) to ensure that its objects clause aligns with RBI-approved activities. The shareholding pattern, equity capital structure, minutes of board and shareholder meetings, and details of directors and key managerial personnel must be examined. Any pledge or encumbrance on shares should also be verified through the Registrar of Companies (ROC) and CERSAI records.

Legal and Compliance Due Diligence

Compliance with RBI Regulations

The acquirer must confirm that the NBFC adheres to all RBI Master Directions and guidelines. This includes:

• Master Direction – NBFC (Non-Deposit Taking and Deposit Taking) Prudential Norms, 2016

• Master Direction on IT Governance, 2023

• Master Direction on Outsourcing of IT Services, 2023

• Master Direction on Transfer of Loan Exposures, 2021

The due diligence process should verify timely submission of RBI returns such as NBS-2, NBS-4, and NBS-9, adherence to Fair Practices Code, and compliance with KYC/AML obligations under the Prevention of Money Laundering Act (PMLA), 2002.

Litigation and Dispute Review

A detailed search for ongoing or potential civil, criminal, or regulatory litigations must be conducted. This includes consumer cases, tax disputes, contractual breaches, and enforcement actions from RBI or other regulators. The buyer should review any penalties imposed under Section 58B of the RBI Act, or prosecution proceedings under Section 447 of the Companies Act, 2013 for fraud or misreporting. An adverse litigation history could materially impact valuation and regulatory approval.

Contractual and Property Review

All major loan agreements, lease contracts, vendor arrangements, and collateral documentation must be scrutinized. The enforceability of security interests and registration of charges under Section 77 of the Companies Act and with CERSAI must be verified. Title deeds, mortgage documents, and hypothecation agreements should be reviewed to ensure clear ownership and no conflicting claims.

Financial and Asset Quality Due Diligence

Review of Financial Statements

Financial due diligence involves analyzing the NBFC’s audited financials for the past three to five years, including the balance sheet, profit and loss account, and cash flow statements. The acquirer must verify compliance with Ind AS accounting standards and assess key metrics such as Net Owned Fund (NOF), Capital Adequacy Ratio (CAR), and leverage limits as mandated under the RBI’s prudential norms. A consistent track record of profits and clean audit opinions indicates financial robustness.

Evaluation of NPAs and Asset Quality

One of the most critical areas is assessing the Non-Performing Assets (NPAs). The acquirer should verify whether the NBFC follows the 90-day overdue norm for classifying NPAs, as harmonized with banks under the RBI Circular of November 2021. Review provisioning adequacy as per RBI Prudential Norms, and ensure transparency in the classification of Standard, Sub-Standard, Doubtful, and Loss Assets. The provisioning ratios should meet or exceed the regulatory minimums 10% for sub-standard assets and up to 100% for doubtful and loss assets.

Contingent Liabilities and Off-Balance Sheet Items

The due diligence should cover potential off-balance-sheet exposures, guarantees, pending tax demands, and other contingent liabilities. Any non-disclosure of liabilities could result in post-acquisition financial risks. Tax returns, GST filings, and TDS compliance should be reviewed for at least five preceding assessment years.

Governance, Risk, and Internal Controls

Corporate Governance and Board Oversight

Under Sections 177 and 178 of the Companies Act, 2013, every NBFC must have an Audit Committee and a Nomination and Remuneration Committee. These committees oversee internal financial controls, auditor appointments, and governance matters. The acquirer must ensure that independent directors meet fit and proper standards and that there is no RBI disqualification or governance gap. RBI’s Corporate Governance Directions (2022) also require larger NBFCs to conduct periodic board-level reviews of risk management frameworks.

Internal Controls and Risk Framework

Review the internal audit reports, risk management policy, credit appraisal system, and fraud monitoring mechanism. RBI mandates NBFCs to maintain strong Internal Financial Controls (IFC) under Section 134(5)(e) of the Companies Act, 2013. Compliance audits and IT system evaluations are also essential, particularly with the recent Master Direction on IT Governance (2023).

Technology and Operational Due Diligence

Given the RBI’s increasing focus on digital governance, the acquirer must review the NBFC’s IT infrastructure, cybersecurity framework, and data privacy policies. The Outsourcing of IT Services Direction, 2023 requires a Board-approved outsourcing policy, vendor risk assessment, and audit rights. The acquirer should evaluate whether the NBFC’s systems are scalable and compliant with data localization norms and digital lending guidelines issued in August 2022.

Human Resource and Taxation Review

The human resource component includes verifying employment agreements, statutory compliances under the Factories Act, PF Act, and Gratuity Act, and identifying any pending employee disputes. On the taxation front, due diligence should verify compliance with Income Tax, GST, and Transfer Pricing regulations. Any pending tax audits or disputed assessments must be reviewed for contingent liabilities.

Post-Acquisition and Regulatory Notifications

Once the acquisition is complete, compliance obligations continue. The acquirer must notify the RBI about the change in control, update its shareholding details, and ensure ongoing compliance with the Scale-Based Regulation (SBR) framework. The company must also reconstitute its Board and committees as per RBI’s governance requirements, and ensure continuity of policies such as Fair Practices Code, KYC/AML, and Grievance Redressal Mechanism. Any non-compliance post-acquisition can attract penalties under Section 45MA of the RBI Act.

Recent Regulatory Updates

Recent updates that directly impact NBFC acquisitions include:

• The RBI Master Direction on IT Governance (2023) emphasizing digital risk management.

• The SBR Framework (2023) introducing differentiated regulation for NBFCs based on their systemic importance.

• The Compromise Settlement Guidelines (2023) allowing write-offs for legacy NPAs under Board supervision.

• Increased RBI scrutiny on ownership structures, related-party lending, and evergreening practices.

These developments make it essential that acquirers focus on governance and compliance integrity during due diligence.

Conclusion

Conducting thorough due diligence before acquiring a Non-Banking Financial Company (NBFC) is not merely a regulatory formality but a crucial strategic exercise. It enables acquirers to assess the target’s financial soundness, legal compliance, governance structure, and risk exposure under frameworks like the RBI Act, 1934, and Companies Act, 2013. This process ensures that the acquirer inherits a transparent and compliant entity, minimizing exposure to hidden liabilities or regulatory non-conformities.

With the Reserve Bank of India’s increasing focus on digital supervision, corporate governance, and prudential standards, NBFC acquisitions today require greater analytical depth and compliance discipline. Adopting technology-led assessments, comprehensive risk evaluations, and structured post-acquisition integration ensures long-term stability and smooth regulatory approval. In essence, effective due diligence safeguards investment value, promotes continuity, and strengthens confidence in India’s regulated financial sector.

Frequently Asked Questions (FAQs)

Q1. What is due diligence in the context of acquiring an NBFC?

Ans. Due diligence is a comprehensive review of an NBFC’s legal, regulatory, financial, and operational standing before acquisition. It ensures that the acquirer identifies all potential risks, including pending litigation, non-compliance with RBI guidelines, asset quality concerns, and governance gaps. This process verifies whether the NBFC holds a valid Certificate of Registration (CoR) under Section 45-IA of the RBI Act, 1934 and complies with all RBI Master Directions and the Companies Act, 2013.

Q2. Is RBI approval mandatory for acquiring an NBFC?

Ans. Yes. Under Section 45-IA(4)(c) of the RBI Act, 1934 and subsequent RBI circulars on change in control, prior approval is mandatory when there is a transfer of 26% or more of the paid-up capital or a change in management exceeding 30% of the Board composition. The acquirer must file an application with RBI, furnish details of the proposed shareholding, business plan, financials, and satisfy fit and proper criteria for directors and shareholders.

Q3. What are the key legal documents reviewed during NBFC due diligence?

Ans. Essential documents include:

• Certificate of Registration (CoR) from RBI

• MoA & AoA of the company

• Audited financial statements (past 3–5 years)

• RBI returns (NBS-2, NBS-4, NBS-9)

• Loan documentation, charge registrations, and CERSAI filings

• Litigation records and RBI inspection reports

• Board meeting minutes and share transfer records

• KYC/AML policies, Fair Practices Code, and outsourcing policies

These records help assess compliance, asset quality, and governance standards.

Q4. How does RBI’s Scale-Based Regulation (SBR) Framework affect due diligence?

Ans. The SBR Framework (2023) classifies NBFCs into Base, Middle, Upper, and Top Layers, each subject to escalating regulatory scrutiny. Due diligence must determine the NBFC’s classification to assess capital adequacy requirements, credit risk policies, governance structure, and disclosure obligations. Larger NBFCs (Upper Layer) must comply with stricter norms on risk management, Board independence, and stress testing.

Q5. What financial aspects should be reviewed during NBFC acquisition?

Ans. Financial due diligence should cover:

• Net Owned Fund (NOF) compliance as per RBI norms

• Capital Adequacy Ratio (CAR) under prudential guidelines

• NPA classification and provisioning

• Liquidity ratios and asset-liability mismatches

• Exposure limits to single/group borrowers

• Tax liabilities, contingent liabilities, and pending assessments

This ensures the NBFC’s financial statements reflect true solvency and compliance with RBI’s prudential norms.

Q6. How should NPAs be evaluated during due diligence?

Ans. NBFCs must classify NPAs based on the 90-day overdue norm introduced by RBI in November 2021. The acquirer should review loan files, recovery records, provisioning levels, and whether NPAs are disclosed per RBI’s Master Direction on NBFC Prudential Norms, 2016. Any deviation can attract penalties or require additional provisioning post-acquisition.

Q7. What are the common regulatory filings NBFCs must comply with?

Ans. NBFCs must submit periodic returns to RBI such as:

• NBS-2: Prudential Norms Return

• NBS-4: Return on critical financial parameters

• NBS-9: Return for non-deposit-taking NBFCs
  They must also file annual returns and financial statements with the Registrar of Companies (ROC) and report KYC compliance to FIU-IND under the PMLA, 2002.

Q8. What governance elements must be verified in an NBFC takeover?

Ans. Under Sections 177 and 178 of the Companies Act, 2013, an NBFC must have a properly constituted Audit Committee and Nomination & Remuneration Committee. Due diligence should review Board independence, internal audit reports, compliance policies, and whether directors meet fit and proper standards under RBI’s governance directions (2022).

Q9. Does the acquisition of an NBFC attract any tax or stamp duty implications?

Ans. Yes. Acquisitions involving share transfers may attract stamp duty under the Indian Stamp Act, 1899, depending on the state of incorporation. The transaction may also trigger capital gains tax or transfer pricing obligations, depending on the structure (share purchase vs. business transfer). The acquirer should verify past tax assessments and potential liabilities under the Income Tax Act, 1961.

Q10. What happens after the acquisition is completed?

Ans. After completion, the acquirer must:

• Notify RBI about the change in control.

• Update corporate filings with the ROC and MCA.

• Ensure Board reconstitution and appointment of key managerial personnel as per RBI’s governance norms.

• Continue filing all RBI returns and maintain compliance with Scale-Based Regulation (SBR) norms.

RBI may conduct an inspection or scrutiny post-acquisition to ensure regulatory integrity and proper transfer of control.

Q11. What recent RBI updates affect NBFC acquisitions?

Ans. Key regulatory developments include:

• Master Direction on IT Governance (2023): mandates IT and cybersecurity compliance.

• Outsourcing of IT Services (2023): regulates vendor risk and data privacy.

• Compromise Settlement Guidelines (June 2023): allows settlement/write-off of legacy NPAs under strict governance.

• Enhanced Fit & Proper Criteria (2022): stricter standards for directors and shareholders.

These updates must be reviewed to assess compliance gaps before finalizing acquisition.

Q12. Why is due diligence critical before acquiring an NBFC?

Ans. Due diligence mitigates the risk of acquiring an NBFC with hidden non-compliance, financial irregularities, or governance failures. It ensures regulatory continuity, smooth RBI approval, and protection against penalties under Section 45MA of the RBI Act. A properly conducted due diligence safeguards capital, ensures transparency, and provides strategic clarity to the acquirer.