Non-Banking Financial Companies (NBFCs) operate in a tightly regulated financial ecosystem governed by the Reserve Bank of India (RBI) under the RBI Act, 1934, and the Companies Act, 2013. These institutions are subject to continuous regulatory evolution, especially under the Scale-Based Regulation (SBR) Framework, which categorizes NBFCs into layers based on their size, risk profile, and systemic importance. Each new direction, master circular, or notification issued by the RBI affects operational policies, risk management frameworks, and governance protocols that must be updated accordingly.
Updating internal policies is not merely a procedural task; it is a statutory obligation ensuring full alignment with RBI Master Directions, circulars, and compliance standards. Periodic policy reviews help NBFCs adapt to emerging regulatory expectations, strengthen governance, prevent supervisory penalties, and maintain public trust. Thus, regular policy updates safeguard not only regulatory compliance but also the long-term sustainability and credibility of the NBFC’s operations.
In this article, CA Manish Mishra talks about how to update NBFC policies to reflect regulatory changes.
Legal Foundation for Policy Updates
NBFCs operate under a robust legal framework designed to ensure transparency, financial discipline, and regulatory oversight. Updating internal policies is not just a best practice but a legal obligation arising from several Indian laws, primarily the Reserve Bank of India Act, 1934, the Companies Act, 2013, and other allied legislations. Each of these statutes lays down specific provisions that define how NBFCs must govern their operations, manage risks, and comply with changing regulatory norms.
Key Provisions under the RBI Act, 1934
The RBI Act, 1934 is the cornerstone of NBFC regulation in India.
- Section 45-IA mandates that no company can start or carry on NBFC business without obtaining a Certificate of Registration (CoR) from the RBI and maintaining the prescribed minimum Net Owned Fund (NOF). This ensures that only financially sound and compliant entities operate as NBFCs.
- Sections 45-JA, 45-K, 45-L, and 45-M empower the RBI to issue binding directions, inspect NBFCs, call for periodic information, and enforce prudential norms such as capital adequacy, asset classification, provisioning, and exposure limits. These provisions enable RBI to maintain systemic stability and ensure that NBFCs operate in a safe and sound manner.
- Section 45-IC requires every NBFC to create a Reserve Fund, transferring at least 20% of its net profits each year before dividend declaration. This strengthens financial resilience and ensures long-term sustainability.
Provisions under the Companies Act, 2013
The Companies Act, 2013 governs corporate structure, governance, and disclosure standards for NBFCs.
- Section 134 assigns directors the duty to approve financial statements, policies, and ensure compliance with applicable laws. Directors must also include a statement of responsibility in the Board’s Report, confirming the adequacy of internal controls.
- Sections 177 and 178 make it mandatory to constitute Audit and Nomination & Remuneration Committees. These committees monitor internal controls, risk management, and the integrity of financial reporting, ensuring that policy frameworks remain updated and effective.
- Section 447 prescribes stringent penalties for fraud, misstatement, or deliberate non-compliance with statutory or regulatory requirements. This enforces accountability on directors and senior management for maintaining accurate, updated, and lawful policies.
Other Applicable Legislations
In addition to RBI and Companies Act provisions, several other statutes shape the compliance landscape for NBFCs:
- Prevention of Money Laundering Act (PMLA), 2002: Mandates strict Know Your Customer (KYC) and Anti-Money Laundering (AML) measures. NBFCs must adopt policies aligned with RBI’s Master Direction on KYC, ensuring that financial transactions are traceable and transparent.
- Information Technology Act, 2000: Governs data protection, digital transactions, and cybersecurity. NBFCs are required to implement IT governance and cybersecurity policies in line with the RBI IT Governance Directions (2023).
- SARFAESI Act, 2002: Applicable to asset-financing NBFCs, it provides a legal mechanism for enforcing security interests and recovering loans without court intervention. Hence, policies on lending, security creation, and recovery must align with SARFAESI provisions.
- Foreign Exchange Management Act (FEMA), 1999: Regulates cross-border transactions, external commercial borrowings, and foreign investments. NBFCs dealing in overseas funding or FDI must ensure their treasury and compliance policies reflect FEMA norms.
The Scale-Based Regulatory Framework
The Scale-Based Regulatory (SBR) Framework, introduced by the Reserve Bank of India (RBI) through the RBI (Non-Banking Financial Company – Scale Based Regulation) Directions, 2023, represents a transformative step in regulating NBFCs. It aims to bring proportionality, stability, and risk-based supervision to the NBFC sector by tailoring regulations according to the size, complexity, and systemic importance of each entity. This framework replaced the earlier uniform approach and introduced a layered model to ensure that larger and more systemically significant NBFCs are subject to stricter oversight and governance requirements.
Classification under SBR
Under the SBR Directions, 2023, NBFCs are categorized into four distinct layers based on their asset size, business model, and risk exposure:
- Base Layer (NBFC-BL): This category includes smaller, non-deposit-taking NBFCs with limited size and low risk. Examples include NBFC-P2P (peer-to-peer lending platforms), NBFC-Account Aggregators, and NBFC-Factors. These entities face the least regulatory burden but must still adhere to basic prudential norms, KYC guidelines, and fair lending practices.
- Middle Layer (NBFC-ML): This includes larger NBFCs such as NBFC-Investment and Credit Companies (NBFC-ICC), NBFC-Microfinance Institutions (NBFC-MFI), and NBFC-Housing Finance Companies (NBFC-HFC) that are systemically significant but not in the top tier. They are subject to higher capital adequacy requirements, risk management norms, and corporate governance standards.
- Upper Layer (NBFC-UL): These are large NBFCs identified by RBI as having the potential to pose systemic risk, such as Bajaj Finance, Tata Capital, or HDB Financial Services. They are subject to bank-like regulation, enhanced disclosure norms, stringent credit concentration limits, and detailed governance requirements. RBI may also apply differential treatment in capital buffers, exposure norms, and supervisory scrutiny.
- Top Layer (NBFC-TL): This layer is currently expected to remain empty. It is meant for NBFCs that may, in future, exhibit elevated systemic risks or supervisory concerns. RBI reserves the right to move entities from the Upper to the Top Layer based on risk indicators or compliance lapses, imposing even stricter prudential standards.
Each layer therefore represents a graduated regulatory intensity where the higher the layer, the more rigorous the requirements in terms of capital adequacy, governance, exposure limits, liquidity management, and disclosures.
Legal Requirement for Policy Differentiation
The SBR Framework legally requires NBFCs to customize and align their internal policies with the specific regulatory layer to which they belong. This means that a uniform, one-size-fits-all policy structure is no longer legally adequate.
Every NBFC must:
- Review its SBR classification (Base, Middle, or Upper) based on the criteria prescribed in the RBI Directions.
- Amend internal policies such as the Credit Policy, Risk Management Policy, Corporate Governance Framework, Fair Practices Code, Liquidity and ALM Policy, and IT Governance Policy to explicitly reflect applicable regulatory provisions.
- Cite specific clauses or paragraph references from the SBR Master Directions in each policy, ensuring traceability and legal clarity.
For instance:
- A Middle Layer NBFC must maintain a minimum Capital to Risk Weighted Assets Ratio (CRAR) of 15%, incorporate detailed board-approved governance policies, and comply with RBI’s Guidelines on Core Financial Services.
- An Upper Layer NBFC, on the other hand, must implement enhanced disclosure standards, Board-level risk committees, and internal capital adequacy assessment processes (ICAAP) similar to banks.
Additionally, Section 45-L of the RBI Act, 1934 empowers the RBI to issue specific directions to NBFCs to modify their policies to meet SBR compliance. Non-alignment with SBR norms can invite penalties under Section 45-MA and may also lead to reclassification or closer supervisory scrutiny.
Recent Regulatory Updates Requiring Policy Changes
In recent years, the Reserve Bank of India (RBI) has introduced several new directions, circulars, and frameworks to strengthen the resilience, transparency, and digital governance of NBFCs. These reforms are designed to ensure that NBFCs adopt robust risk management and IT systems, maintain investor confidence, and align with global regulatory standards. Each of these regulatory updates carries specific legal and operational implications, making it mandatory for NBFCs to update their internal policies, frameworks, and governance documents to stay compliant.
IT Governance and Cybersecurity
The RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, 2023, effective from April 1, 2024, represents a major reform in the digital governance of financial entities.
It mandates that NBFCs must establish a comprehensive IT governance framework approved by their Board of Directors.
Key obligations include:
- Board Oversight: The Board and senior management are now directly accountable for IT strategy, risk management, and resource allocation.
- Cybersecurity Framework: NBFCs must establish robust incident response and escalation procedures to detect, contain, and recover from cyber threats.
- Data Management Policies: Clear policies for data backup, storage, encryption, and recovery are compulsory.
- Vendor Risk Assessments: Before outsourcing IT operations, NBFCs must conduct detailed vendor due diligence, including data privacy, cloud hosting, and audit rights.
Legal implication: Non-compliance with the IT Governance Master Direction may attract supervisory penalties under Section 45-L and 45-MA of the RBI Act, 1934, since the direction is issued under statutory powers.
Outsourcing of IT Services
The RBI Framework on Outsourcing of IT Services by Regulated Entities, 2023 requires NBFCs to ensure that outsourcing arrangements do not compromise their internal control, confidentiality, or regulatory compliance.
NBFCs must now:
- Formulate a Board-approved Outsourcing Policy covering risk assessment, monitoring, and exit strategies.
- Include mandatory contractual clauses ensuring data protection, confidentiality, business continuity, and RBI’s right to inspect or audit vendors.
- Maintain a central register of all outsourced activities, categorizing them by criticality.
Legal implication: The outsourcing policy must align with the IT Act, 2000 and RBI’s supervisory guidelines. Any breach of confidentiality or failure in vendor management may expose the NBFC to penalties, supervisory directions, or license restrictions.
Investment in Alternative Investment Funds (AIFs)
In December 2023, the RBI issued a circular restricting NBFCs’ exposure to Alternative Investment Funds (AIFs).
The limits are:
NBFCs must revise their Treasury and Investment Policies to reflect these caps, ensuring compliance with exposure and diversification norms.
Additionally, NBFCs must introduce internal monitoring mechanisms to detect indirect exposures (for instance, through downstream investments). If any AIF subsequently invests in a company to which the NBFC has existing exposure, the NBFC must liquidate its investment within 30 days.
Legal implication: Failure to comply can lead to supervisory action under Section 45K and Section 45L of the RBI Act, as the directions are legally binding.
Project Finance and Infrastructure Exposure
The Revised Project Finance Norms, effective October 1, 2025, harmonize credit exposure and provisioning rules for banks and NBFCs.
Key changes include:
- Provisioning Standards: Uniform provisioning for standard, substandard, and restructured project loans.
- Disbursement Conditions: NBFCs must ensure financial closure, promoter equity infusion, and regulatory clearances before loan disbursal.
- Restructuring Timelines: Any delay in achieving the Date of Commencement of Commercial Operations (DCCO) must be monitored, and additional provisioning made in line with the revised norms.
NBFCs should update their Credit Policy, Risk Management Policy, and Project Finance Guidelines to incorporate these timelines and monitoring mechanisms.
Legal implication: These norms are enforceable under Section 45L of the RBI Act, empowering RBI to issue mandatory directions on asset classification and provisioning.
Risk Weight Adjustments and SRO Oversight
The RBI has proposed revised risk weights for infrastructure and large corporate loans, effective April 1, 2026, to align with global Basel III standards.
- NBFCs will need to recalibrate their capital adequacy and exposure management policies to reflect higher risk weights.
- The change will impact Capital to Risk-Weighted Assets Ratio (CRAR) computations, necessitating policy-level adjustments to maintain compliance.
Additionally, the RBI has formally recognized the Finance Industry Development Council (FIDC) as a Self-Regulatory Organisation (SRO) for NBFCs. The SRO will issue best practice advisories, particularly concerning customer protection, collections, and ethical conduct.
NBFCs are therefore required to amend their governance and compliance policies to align with SRO guidance and establish internal oversight mechanisms to ensure conformity with FIDC standards.
Legal implication: RBI’s recognition of an SRO is backed by its powers under Sections 45-L and 45-M of the RBI Act, making compliance with its advisories an integral part of NBFC governance obligations.
The Step-by-Step Policy Update Process
Updating NBFC policies in line with the latest RBI regulations requires a structured, methodical, and legally sound approach. Every policy update must be traceable to a specific regulatory directive, approved by the Board, and implemented across operations. The following seven-step process ensures that NBFCs remain compliant, transparent, and audit-ready.
Step 1: Establish a Regulatory Tracking Framework
The foundation of policy governance begins with a Regulatory Change Register, a centralized document that records all RBI circulars, Master Directions, and notifications relevant to NBFCs.
This register should include:
- Date of issuance and effective date of each regulatory update.
- Applicable SBR layer (Base, Middle, Upper, or Top).
- Specific policy area impacted, such as credit risk, IT, or governance.
The Chief Compliance Officer (CCO) should be made responsible for monitoring regulatory developments, analyzing their applicability, and informing management or the Board about required policy changes. This system ensures early identification of compliance requirements and reduces the risk of missing critical updates.
Step 2: Maintain a Comprehensive Policy Inventory
Every NBFC must maintain a Policy Inventory Register, cataloguing all internal policies and their latest versions.
Common policy documents include:
- Credit and Underwriting Policy: outlines risk parameters for loan approvals.
- KYC/AML Policy: complies with RBI’s Master Direction on KYC (issued under PMLA).
- Asset Classification and Provisioning Policy: aligns with prudential norms under the RBI Act.
- IT and Cybersecurity Policy: based on the 2023 IT Governance Master Direction.
- Outsourcing Policy: reflects the RBI’s 2023 outsourcing guidelines.
- Treasury and Investment Policy: includes AIF investment limits and exposure norms.
- Fair Practices Code: protects borrower rights and transparency.
- Risk Management Policy: covers operational, market, and credit risks.
- Grievance Redressal Policy: ensures timely handling of customer complaints.
Each policy should explicitly cite the RBI Master Direction, circular number, or relevant statutory section to establish clear legal linkage and accountability.
Step 3: Conduct Legal Gap Analysis
When a new RBI circular or Master Direction is issued, the compliance team must perform a Legal Gap Analysis.
This involves:
- Summarizing the regulatory change: what is new, revised, or withdrawn.
- Identifying impacted policies: determining which internal documents require modification.
- Comparing old provisions with new requirements: ensuring no discrepancies remain.
- Recording findings in a Compliance Note: with references to specific legal provisions, such as Para 38 of RBI SBR Directions, 2023 or Section 45-L of the RBI Act, 1934.
This process serves as an internal legal audit trail, demonstrating to the RBI and auditors that the NBFC actively reviews and integrates new regulations.
Step 4: Draft and Revise Policies
The drafting stage requires precision and legal accuracy. Updated policies should:
- Quote mandatory legal text verbatim instead of paraphrasing regulatory language.
- Reference exact paragraphs or clauses, for example, “Para 21 of RBI SBR Directions, 2023.”
- Define roles and responsibilities across the organization, ensuring clear accountability.
- Include Board oversight requirements, internal audit triggers, and compliance monitoring processes.
By embedding these elements, policies remain enforceable, defensible, and transparent during inspections or litigation.
Step 5: Obtain Board Approval
Once revised, every policy must be formally approved by the Board of Directors or designated committees such as the Audit Committee, Risk Management Committee, or Compliance Committee.
Board approval minutes must:
- Reference the specific RBI circular or legal provision that necessitated the update.
- Record the date of approval and effective date of implementation.
- Include an acknowledgment that the policy has been reviewed and found compliant.
Policies that are publicly accessible, such as the Fair Practices Code or Grievance Redressal Mechanism, should also be uploaded to the company website for stakeholder transparency.
Step 6: Implement and Train
Once approved, the focus shifts to execution and capacity building. Implementation involves:
- Updating Standard Operating Procedures (SOPs) and process manuals.
- Conducting training and awareness sessions for employees, senior management, and outsourced partners.
- Introducing compliance certification programs to confirm employee understanding.
- Configuring IT and MIS systems to integrate the updated policy parameters—such as new exposure limits, reporting timelines, or customer verification norms.
This ensures that policies move beyond paper compliance and are integrated into day-to-day operations.
Step 7: Internal Audit and Continuous Monitoring
The final step ensures ongoing oversight and periodic validation. The internal audit plan should be updated to include:
- Testing of compliance with newly revised policies.
- Verification of RBI circular implementation across departments.
- Maintenance of a breach or deviation register, recording instances of non-compliance and corrective measures taken.
Regular compliance reports must be submitted to the Audit Committee and Board, and serious deviations should be reported to the RBI under Section 45-L of the RBI Act.
Continuous monitoring builds an evidence-based compliance culture and ensures that policy updates remain effective long after initial implementation.
Integration of Technology and RegTech Solutions
Non-Banking Financial Companies (NBFCs) must move beyond manual compliance practices. The increasing frequency of RBI circulars, Master Directions, and notifications requires NBFCs to adopt Regulatory Technology (RegTech) for efficient, transparent, and real-time compliance management. Integrating technology into the compliance framework enables NBFCs to automate regulatory tracking, streamline policy management, and maintain accountability throughout the governance chain.
By leveraging digital tools and data analytics, NBFCs can ensure that every regulatory update is identified, analyzed, and implemented without delay. This integration not only minimizes human error but also strengthens compliance readiness for RBI inspections and audits.
Automation in Compliance Tracking
The first step toward technological integration is automation of compliance monitoring. Using Regulatory Change Management (RCM) Software, NBFCs can automatically track and detect new regulatory developments from the Reserve Bank of India (RBI).
These tools use AI-driven algorithms to:
- Monitor RBI’s websites and notifications for new Master Directions, circulars, and FAQs.
- Categorize updates by business area (e.g., credit, IT, or risk management).
- Send automated alerts to compliance officers and relevant departments whenever a new circular is released.
This automation ensures that NBFCs do not miss critical updates, such as revisions in capital adequacy norms, exposure limits, or IT governance requirements. It also enables real-time compliance mapping, reducing manual effort and the risk of regulatory lapses.
Moreover, an automated system provides timestamped documentation of every regulatory alert received and action taken, strengthening the company’s defense during inspections under Section 45-L of the RBI Act, 1934.
Central Policy Repository
A Policy Management System (PMS) acts as the digital backbone of an NBFC’s compliance ecosystem. It is a centralized platform where all policies, manuals, and regulatory documents are stored, version-controlled, and easily accessible.
The PMS should be designed to:
- Maintain version control: Each policy version should carry an approval date, revision history, and author details, allowing auditors to verify compliance evolution over time.
- Record legal references: Every policy must cite relevant laws, RBI Master Directions, and circular numbers to establish legal traceability.
- Log updates and approvals: The system should document who made the update, when it was approved, and which regulatory change triggered it.
- Generate audit trails: During RBI or statutory audits, NBFCs can quickly produce digital records showing how regulatory updates were incorporated into internal policies.
A central repository not only enhances data accessibility and transparency but also eliminates the risk of version conflicts between departments. This digital record-keeping ensures seamless supervisory inspections and compliance with corporate governance obligations under Section 134 of the Companies Act, 2013.
Data Analytics and Dashboards
Integrating data analytics and compliance dashboards empowers management with real-time insights into compliance performance. These dashboards consolidate regulatory, audit, and operational data into an interactive, visual format.
Key benefits include:
- Linking policy updates to risk metrics: Dashboards can map how changes in RBI guidelines impact risk indicators such as capital adequacy, provisioning, and liquidity.
- Tracking audit findings: Integration with the internal audit system allows automatic reflection of compliance gaps, observations, and corrective actions.
- Connecting to supervisory returns: NBFCs can align their RBI filings (e.g., NBS-1, NBS-2, NBS-9) with updated internal policies, ensuring consistency between reported data and regulatory expectations.
- Real-time non-compliance alerts: The system generates alerts for overdue policy reviews, pending board approvals, or non-implementation of regulatory updates.
By adopting these analytics-driven dashboards, NBFCs can transition from reactive compliance (responding after issues arise) to proactive compliance, where risks are detected, reported, and mitigated in real time.
Governance and Accountability
Governance and accountability form the cornerstone of a strong compliance framework within Non-Banking Financial Companies (NBFCs). Merely updating policies is insufficient unless accompanied by structured oversight, responsibility allocation, and transparent reporting mechanisms. The governance framework ensures that each regulatory change issued by the Reserve Bank of India (RBI) or under the Companies Act is properly implemented, monitored, and reviewed at the Board and management levels.
Two key pillars, the Board of Directors and the Chief Compliance Officer (CCO), carry the primary responsibility for ensuring that the NBFC’s internal policies remain current, legally compliant, and operationally effective.
Board Responsibility
Under Section 134 of the Companies Act, 2013, the Board of Directors has a statutory duty to ensure that the company maintains effective internal controls, risk management systems, and compliance frameworks aligned with applicable laws.
Key Responsibilities of the Board:
- Implementation of Updated Policies: The Board must ensure that every RBI circular, Master Direction, or amendment is translated into actionable internal policies. It must verify that updated policies are implemented across departments through Standard Operating Procedures (SOPs) and not merely adopted on paper.
- Review of Internal Financial Controls: Section 134(5)(e) mandates the Board to certify the effectiveness of internal financial controls. This includes reviewing mechanisms that monitor policy adherence, audit outcomes, and reporting accuracy to prevent regulatory breaches or financial misstatements.
- Establishing a Risk Management Framework: The Board must oversee the development of a comprehensive Risk Management Policy that covers credit, market, operational, IT, and liquidity risks. The framework should identify potential regulatory and financial risks arising from outdated or non-compliant policies and ensure timely mitigation.
- Oversight through Committees: The Audit Committee, Risk Management Committee, and Compliance Committee constituted under Sections 177 and 178 of the Companies Act assist the Board in reviewing compliance reports, internal audit findings, and policy revisions.
- Documentation and Disclosure: The Board’s Report must include a statement confirming compliance with all applicable laws, including RBI Directions, as well as details of the company’s internal control systems. This reinforces accountability and transparency to regulators and stakeholders.
In essence, the Board acts as the final authority and legal guardian ensuring that policy updates translate into actual compliance, governance, and risk mitigation across the NBFC.
Role of Chief Compliance Officer (CCO)
The Chief Compliance Officer (CCO) plays a pivotal role in implementing the Board’s directives and maintaining a strong compliance culture within the organization. The CCO acts as the bridge between regulators (RBI), internal management, and external auditors to ensure continuous alignment of the NBFC’s policies with the regulatory landscape.
Key Responsibilities of the CCO:
- Regulatory Gap Mapping: The CCO must continuously track all RBI notifications, Master Directions, and circulars. A Regulatory Change Register should be maintained, identifying which laws have changed, which policies are affected, and what corrective measures are required. This ensures that no regulatory update goes unnoticed.
- Documentation of Policy Revisions: For every update, the CCO is responsible for preparing a Compliance Note, summarizing the legal provisions, policy gaps, and corrective actions taken. These notes serve as vital records during inspections or audits, demonstrating proactive compliance.
- Coordination with Auditors: The CCO collaborates with internal and statutory auditors to verify that updated policies are operationalized. Internal audit teams test the effectiveness of implementation, while statutory auditors validate compliance with applicable regulatory standards. The CCO ensures that both audit teams have complete access to policy documents and compliance evidence.
- Liaison with the RBI: During RBI inspections or supervisory reviews, the CCO acts as the company’s official point of contact. The officer must provide all requested information, explain the company’s compliance measures, and present evidence such as audit reports, policy approval minutes, and version histories from the Policy Management System (PMS).
- Training and Awareness: The CCO should organize regular compliance training programs for employees, ensuring that staff at all levels understand their roles in adhering to updated policies and RBI guidelines.
- Reporting and Escalation: The CCO must periodically submit compliance reports to the Audit Committee and Board of Directors, highlighting areas of non-compliance, corrective actions, and pending updates. Any material lapse must be escalated immediately to the Board and, if required, to the RBI under Section 45L of the RBI Act, 1934.
Conclusion
Updating NBFC policies is not a one-time compliance task but a continuous legal and governance process. The regulatory environment under the RBI Act, 1934, Companies Act, 2013, and Scale-Based Regulation (SBR) Directions, 2023 demands constant vigilance and adaptability. Regular policy updates ensure that NBFCs remain transparent, mitigate operational and financial risks, and maintain robust internal control systems. This process also reinforces corporate accountability and protects the institution from regulatory penalties, including those under Section 45-MA of the RBI Act for non-compliance.
In essence, NBFC policies are living legal instruments; they must evolve with every new circular, direction, or amendment issued by the RBI. By making policies legally cross-referenced, digitally maintained, and Board-approved, NBFCs can ensure readiness for regulatory inspections, audits, and supervisory reviews. Continuous compliance fosters trust, operational integrity, and long-term sustainability in an ever-changing financial ecosystem.
Frequently Asked Questions (FAQs)
Q1. Why is it important for NBFCs to update their policies regularly?
Ans. Regular policy updates ensure compliance with the latest RBI guidelines, Companies Act provisions, and sectoral regulations. It helps NBFCs manage risk, avoid penalties, and maintain governance standards in line with the Scale-Based Regulation (SBR) Framework.
Q2. Which laws govern NBFC policy frameworks in India?
Ans. NBFC policies are primarily governed by the Reserve Bank of India Act, 1934 (Sections 45-IA, 45-JA, 45-L, and 45-M), the Companies Act, 2013, and allied legislations such as PMLA, 2002, IT Act, 2000, and FEMA, 1999.
Q3. How often should an NBFC review and revise its policies?
Ans. Policies should be reviewed annually and immediately after any RBI circular, notification, or Master Direction impacting the NBFC’s operations, classification, or compliance standards.
Q4. Who is responsible for policy updation within an NBFC?
Ans. The Board of Directors holds ultimate responsibility, while day-to-day tracking and revisions are managed by the Chief Compliance Officer (CCO) and the Compliance Committee.
Q5. What are the main policies that NBFCs must maintain and update?
Ans. Key policies include:
- Credit and Underwriting Policy
- KYC/AML Policy
- Risk Management Policy
- IT and Cybersecurity Policy
- Outsourcing Policy
- Treasury and Investment Policy (including AIF exposure)
- Fair Practices Code
- Grievance Redressal Mechanism
Q6. What are the recent RBI changes requiring policy revisions?
Ans. NBFCs must update policies to comply with:
- RBI Master Direction on IT Governance (2023)
- Outsourcing of IT Services Framework (2023)
- Revised AIF Investment Limits (2023)
- Project Finance Norms (Effective Oct 2025)
- Revised Risk Weights for Infrastructure Loans (Effective Apr 2026)
Q7. What is the Scale-Based Regulatory (SBR) framework and how does it affect policies?
Ans. The SBR framework categorises NBFCs into four layers (Base, Middle, Upper, and Top), each with specific prudential norms. Policies must explicitly align with the applicable SBR layer to ensure compliance with RBI’s 2023 Directions.
Q8. What legal consequences arise from not updating NBFC policies?
Ans. Failure to update policies can result in RBI penalties under Section 45-MA, reputational damage, or even cancellation of the Certificate of Registration under Section 45-IA of the RBI Act.
Q9. How should NBFCs conduct a regulatory gap analysis?
Ans. The compliance team should:
- Identify new regulatory provisions.
- Compare existing policies against updated requirements.
- Prepare a Compliance Note highlighting deviations, risks, and corrective actions.
Q10. Can NBFCs automate the policy updating process?
Ans. Yes, using RegTech and policy management software. These tools can automatically track RBI updates, flag impacted policies, and assist in maintaining a version-controlled digital repository.