RBI-Mandated Policies Every Base Layer NBFC Must Have: A Comprehensive Guide (Updated as on 5th December, 2025)

| S. No. | Policy | Relevant Provision of Law | Objective | Remarks / Implementation Insights |
|---|---|---|---|---|
| 1 | Business Continuity Plan (BCP) & Disaster Recovery (DR) Policy | Para 62, Reserve Bank of India (Non-Banking Financial Companies – Managing Risks in Outsourcing) Directions, 2025 | Ensure uninterrupted business operations during disasters or cyberattacks. | Ensure vendors follow recovery protocols; conduct regular mock drills and resilience testing. |
| 2 | Fair Practices Code | Para 7, Reserve Bank of India (Non-Banking Financial Companies – Responsible Business Conduct) Directions, 2025 | Promote transparency, ethical lending, and borrower protection. | Use plain-language communications; disclose all charges upfront; avoid hidden clauses. |
| 3 | Grievance Redressal Policy | Para 7, Reserve Bank of India (Non-Banking Financial Companies – Responsible Business Conduct) Directions, 2025 | Provide a structured, timely mechanism to address customer complaints. | Publish grievance officer contact details; set turnaround times; escalation to Ombudsman if needed. |
| 4 | Policy on grant of loans to directors, senior officers and relatives of directors and to entities where directors or their relatives have major shareholding | Para 13, Reserve Bank of India (Non-Banking Financial Companies – Credit Risk Management) Directions, 2025 | Regulate loans/advances to directors and senior officials. | Threshold beyond which loans shall be reported to the Board. Disclosure in Annual Financial Statement. |
| 5 | Outsourcing Policy | Para 10, 20, 62 and 92, Reserve Bank of India (Non-Banking Financial Companies – Managing Risks in Outsourcing) Directions, 2025 | Manage risks from outsourcing critical functions. | Board remains responsible; conduct vendor due diligence; set clear service level agreements. |
| 6 | KYC & Anti-Money Laundering (AML) Policy | Para 6 of Reserve Bank of India (Non-Banking Financial Companies – Know Your Customer) Directions, 2025 | Prevent money laundering and terrorist financing. | CDD, periodic KYC updates, suspicious transaction reporting to FIU-IND. |
| 7 | Credit & Investment Policy | Para 6, Reserve Bank of India (Non-Banking Financial Companies – Concentration Risk Management) Directions, 2025 | Ensure prudent lending and investment practices. | Define exposure norms, credit appraisal standards, sectoral caps. |
| 8 | Liquidity Risk Management Policy | Para 9, Reserve Bank of India (Non-Banking Financial Companies – Asset Liability Management) Directions, 2025 | Identify, monitor, and mitigate risks. | Cover credit, market, liquidity, and operational risks. |
| 9 | Interest Rate Policy | Para 22, Reserve Bank of India (Non-Banking Financial Companies – Responsible Business Conduct) Directions, 2025 | Transparency in loan pricing and interest charges. | Review rates periodically; disclose methodology to borrowers. |
| 10 | Data Retention & Purging Policy | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | Secure storage and deletion of data. | Preserve as per law; securely delete redundant/expired data. |
| 11 | Incident Response & Recovery Policy | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | Ensure preparedness for cyber or operational incidents. | Clear reporting lines; immediate containment measures; recovery steps. |
| 12 | Information Security Policy | Para 97(x)(a) of Reserve Bank of India (Non-Banking Financial Companies – Managing Risks in Outsourcing) Directions, 2025 and TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | Define IT governance, access controls, and secure handling of systems and data. | Align with ISO/IEC 27001; safeguard sensitive customer data. |
| 13 | Logging & Monitoring Policy | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | Track system activities to detect suspicious behavior. | Maintain logs for servers, networks, and critical systems. |
| 14 | Vulnerability & Threat Management Policy | TransUnion CIBIL Technical Guidelines (May, 2024, version 3.0) | Regularly assess and mitigate IT vulnerabilities. | Include patch management, penetration testing, and threat monitoring. |

For a detailed operational compliance and disclosure checklist that complements these mandatory policies, see our post: “RBI and CIBIL Compliance Checklist for Base Layer NBFCs: What You Need to Know in 2025”.
