RBI and CIBIL Compliance Checklist for Base Layer NBFCs: What You Need to Know in 2025

| S. No. | Compliance | Relevant Provision | Relevant Form / Portal | Timeline | Remarks |
|---|---|---|---|---|---|
| 1 | Display following information: (a) name and contact details (Telephone/Mobile nos. and email address) of Grievance Redressal Officer. (b) If complaint/dispute is not redressed within 1 (One) month, customer may appeal to Officer-in-Charge of Regional Office of DNBS of RBI (complete contact details), under whose jurisdiction registered office of NBFC falls. | Para 5.10.1. of Annex XIII of Scale Based Regulations | - | Ongoing | Published at branches/places of business |
| 2 | Display following information: (a) name and contact details (Telephone/mobile number and E-mail ID) of Principal Nodal Officer. (b) details of complaint lodging portal of Ombudsman (https://cms.rbi.org.in) | Para 18(3), Integrated Ombudsman Scheme, 2021 | - | Ongoing | Published at branches/places of business |
| 3 | Display salient features of Ombudsman Scheme in English, Hindi, regional language | Para 18(4), Integrated Ombudsman Scheme, 2021 | - | Ongoing | All offices, branches, places of business |
| 4 | Display Ombudsman Scheme along with copy of Scheme | Para 18(6), Integrated Ombudsman Scheme, 2021 | - | Ongoing | Website |
| 5 | Disclosure on liquidity risk framework and liquidity position | Para 1.9 of Annex VI of Scale Based Regulations | Appendix VI-A | Quarterly | Publish on website & annual financial statements |
| 6 | Disclosure on related party, real estate, capital market & sectoral exposures, etc. | Annex VII of Scale Based Regulations | - | Annual | Annual financial statements |
| 7 | Information on borrowers whose secured assets are possessed | Para 69 of Scale Based Regulations | Annex XIX | Monthly (by month-end) | Publish on website |
| 8 | Publish interest rates & risk gradation approach | Para 45.11.2. of Scale Based Regulations | - | Ongoing | Website or newspaper |
| 9 | Removal of "penal interest" term from loan documents | Para 45.3 of Scale Based Regulations | - | - | - |
| 10 | Report on pledge of listed shares | Para 36(iii) of Scale Based Regulations | Annex X | Quarterly | Send to Stock Exchange |
| 11 | Risk Management Committee | Para 39 of Scale Based Regulations | - | Ongoing | - |
| 12 | Statement enumerating principal and interest recovered till date, EMI amount, number of EMIs left and annualized rate of interest/Annual Percentage Rate for entire tenor of loan | Para 45.6.1.(vi) of Scale Based Regulations | Email to borrowers | Quarterly | - |
| 13 | Annual audit covering regulatory cyber security framework - Sections 19, 20, 22 of CICRA, 2005; Rules 18(b), 23, 28, 29 CIC Rules 2006 | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Annual | - |
| 14 | Data must be encrypted at rest & in transit (AES256/3DES/FIPS 140-2/3 compliant) | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 15 | Apply principle of least privilege for user access to TransUnion CIBIL data | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | Sign NDA |
| 16 | Inform TransUnion CIBIL if an external vendor provides services on servers holding CIBIL data | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 17 | Server authentication must include strong passwords | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 18 | Sensitive personally identifiable information should not be stored in clear text on intermediate servers | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 19 | Servers storing TransUnion CIBIL data must be separate from web servers | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 20 | Servers storing TransUnion CIBIL data must not be exposed to internet or public DNS | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 21 | Share list of IPs to connect to TransUnion CIBIL systems | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |
| 22 | SOC 2 Type II attestation | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Annual | - |
| 23 | TransUnion CIBIL data, when shared, must be stored in application/database server | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | - | Ongoing | - |

Please also see the list of policies to be drafted in our next blog.
