RBI and CIBIL Compliance Checklist for Base Layer NBFCs: What You Need to Know in 2025 (Updated as on 5th December, 2025)

| S. No. | Compliance | Relevant Provision | Relevant Form / Portal | Timeline | Remarks |
|---|---|---|---|---|---|
| 1 | Display the following information: (a) name and contact details (Telephone/Mobile nos. and email address) of Grievance Redressal Officer. (b) If complaint/dispute is not redressed within 1 (One) month, customer may appeal to Officer-in-Charge of Regional Office of DNBS of RBI (complete contact details), under whose jurisdiction registered office of NBFC falls. | Para 12 of Reserve Bank of India (Non-Banking Financial Companies – Credit Facilities) Directions, 2025 | - | Ongoing | Published at branches/places of business |
| 2 | Display the following information: (a) name and contact details (Telephone/mobile number and E-mail ID) of Principal Nodal Officer. (b) details of complaint lodging portal of Ombudsman (https://cms.rbi.org.in) | Para 18(3), Integrated Ombudsman Scheme, 2021 | - | Ongoing | Published at branches/places of business |
| 3 | Display salient features of Ombudsman Scheme in English, Hindi, regional language | Para 18(4), Integrated Ombudsman Scheme, 2021 | - | Ongoing | All offices, branches, places of business |
| 4 | Display Ombudsman Scheme along with copy of Scheme | Para 18(6), Integrated Ombudsman Scheme, 2021 | - | Ongoing | Website |
| 5 | Disclosure on liquidity risk framework and liquidity position | Para 15 of Reserve Bank of India (Non-Banking Financial Companies – Asset Liability Management) Directions, 2025 | Annex-I | Quarterly | Publish on website & annual financial statements |
| 6 | Disclosure on related party, real estate, capital market & sectoral exposures, etc. | Para 21 of Reserve Bank of India (Non-Banking Financial Companies – Financial Statements: Presentation and Disclosures) Directions, 2025 | - | Annual | Annual financial statements |
| 7 | Information on borrowers whose secured assets are possessed | Para 21 of Reserve Bank of India (Non-Banking Financial Companies – Credit Information Reporting) Directions, 2025 | Annex-IV | Monthly (by month-end) | Publish on website |
| 8 | Publish interest rates & risk gradation approach | Para 23 of Reserve Bank of India (Non-Banking Financial Companies – Responsible Business Conduct) Directions, 2025 | - | Ongoing | Website or newspaper |
| 9 | Removal of "penal interest" term from loan documents | Para 30 of Reserve Bank of India (Non-Banking Financial Companies – Responsible Business Conduct) Directions, 2025 | - | - | - |
| 10 | Report on pledge of listed shares | Para 106(2)(ii) of Reserve Bank of India (Non-Banking Financial Companies – Credit Facilities) Directions, 2025 | Annex-III | Quarterly | Send to Stock Exchange |
| 11 | Asset Liability Management Committee | Para 8 and 17 of Reserve Bank of India (Non-Banking Financial Companies – Asset Liability Management) Directions, 2025 | - | Ongoing | - |
| 12 | Statement enumerating principal and interest recovered till date, EMI amount, number of EMIs left and annualized rate of interest/ Annual Percentage Rate for entire tenor of loan | Para 29 of Reserve Bank of India (Non-Banking Financial Companies – Responsible Business Conduct) Directions, 2025 | Email to borrowers | Quarterly | - |
| 13 | Annual audit covering regulatory cyber security framework – Sections 19, 20, 22 of CICRA, 2005; Rules 18(b), 23, 28, 29 of CIC Rules, 2006 | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Annual | - |
| 14 | Data must be encrypted at rest & in transit (AES256/3DES/FIPS 140-2/3 compliant) | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 15 | Apply principle of least privilege for user access to TransUnion CIBIL data | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | Sign NDA |
| 16 | Inform TransUnion CIBIL if an external vendor provides services on servers holding CIBIL data | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 17 | Server authentication must include strong passwords | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 18 | Sensitive personally identifiable information should not be stored in clear text on intermediate servers | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 19 | Servers storing TransUnion CIBIL data must be separate from web servers | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 20 | Servers storing TransUnion CIBIL data must not be exposed to internet or public DNS | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 21 | Share list of IPs to connect to TransUnion CIBIL systems | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 22 | SOC 2 Type II attestation | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Annual | - |
| 23 | TransUnion CIBIL data, when shared, must be stored in application/database server | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |

Disclaimer: This content is provided solely for general informational purposes and should not be construed as legal advice. Its applicability depends on multiple factors — including the size of assets, nature of business, regulatory classification, specific facts and individual circumstances.

To understand the full set of internal policies every Base-Layer NBFC is required to formulate, please read our next blog.