RBI-Mandated Policies Every Base Layer NBFC Must Have: A Comprehensive Guide

| S. No. | Policy | Relevant Provision of Law | Objective | Remarks / Implementation Insights |
|---|---|---|---|---|
| 1 | Business Continuity Plan (BCP) & Disaster Recovery (DR) Policy | Para 8(VIII), Master Direction - Information Technology Framework for the NBFC Sector | Ensure uninterrupted business operations during disasters or cyberattacks. | Ensure vendors follow recovery protocols; conduct regular mock drills and resilience testing. |
| 2 | Fair Practices Code | Para 45, Scale-Based Regulations | Promote transparency, ethical lending, and borrower protection. | Use plain-language communications; disclose all charges upfront; avoid hidden clauses. |
| 3 | Grievance Redressal Policy | Para 45.8.1, Scale-Based Regulations | Provide a structured, timely mechanism to address customer complaints. | Publish grievance officer contact details; set turnaround times; escalate to the Ombudsman if needed. |
| 4 | Policy on grant of loans to directors, senior officers and relatives of directors, and to entities where directors or their relatives have major shareholding | Para 40, Scale-Based Regulations | Regulate loans/advances to directors and senior officials. | Set a threshold beyond which loans shall be reported to the Board; disclose in the annual financial statements. |
| 5 | Outsourcing Policy | Annex XIII, Scale-Based Regulations | Manage risks from outsourcing critical functions. | Board remains responsible; conduct vendor due diligence; set clear service level agreements. |
| 6 | KYC & Anti-Money Laundering (AML) Policy | Para 4(a), KYC Directions | Prevent money laundering and terrorist financing. | Customer due diligence (CDD); periodic KYC updates; suspicious transaction reporting to FIU-IND. |
| 7 | Credit & Investment Policy | Para 29 and 32A, Scale-Based Regulations | Ensure prudent lending and investment practices. | Define exposure norms, credit appraisal standards, and sectoral caps. |
| 8 | Liquidity Risk Management Policy | Para 26, Scale-Based Regulations | Identify, monitor, and mitigate risks. | Cover credit, market, liquidity, and operational risks. |
| 9 | Interest Rate Policy | Para 45, Scale-Based Regulations | Transparency in loan pricing and interest charges. | Review rates periodically; disclose the pricing methodology to borrowers. |
| 10 | Data Retention & Purging Policy | TransUnion CIBIL Technical Guidelines (May 2024, version 3.0) | Secure storage and deletion of data. | Preserve data as required by law; securely delete redundant or expired data. |
| 11 | Incident Response & Recovery Policy | TransUnion CIBIL Technical Guidelines (May 2024, version 3.0) | Ensure preparedness for cyber or operational incidents. | Clear reporting lines; immediate containment measures; defined recovery steps. |
| 12 | Information Security Policy | Para 8, Master Direction - Information Technology Framework for the NBFC Sector; TransUnion CIBIL Technical Guidelines (May 2024, version 3.0) | Define IT governance, access controls, and secure handling of systems and data. | Align with ISO/IEC 27001; safeguard sensitive customer data. |
| 13 | Logging & Monitoring Policy | TransUnion CIBIL Technical Guidelines (May 2024, version 3.0) | Track system activities to detect suspicious behaviour. | Maintain logs for servers, networks, and critical systems. |
| 14 | Vulnerability & Threat Management Policy | TransUnion CIBIL Technical Guidelines (May 2024, version 3.0) | Regularly assess and mitigate IT vulnerabilities. | Include patch management, penetration testing, and threat monitoring. |
