Beyond RBI Returns: Critical Policies Every NBFC Should Have in Place

While RBI returns often receive the greatest attention, regulatory inspections increasingly focus on whether an NBFC has adopted, implemented and periodically reviewed the policies mandated under various Master Directions and circulars.

The following table serves as a practical reference for NBFCs.

Sl. No.

Particulars

Approved / Reviewed By

Frequency

Key Compliance Points

1

Asset Liability Management (ALM) Policy

Board / Risk Management Committee

Annual review with periodic ALCO monitoring

Monitor maturity mismatches, liquidity gaps and funding profile

2

Business Continuity Plan (BCP)

Board

Annual

Conduct BCP testing and maintain disaster recovery arrangements

3

Business Model Framework

Board

Annual

Review strategic assumptions, product mix and business risks

4

Corporate Governance – Internal Guidelines

Board

Annual

Define governance structure, delegation of authority and oversight mechanism

5

Code of Business Ethics

Board

Annual

Applicable to directors, KMPs and employees

6

Contingency Funding Plan

Board / ALCO

Annual

Identify emergency funding sources and escalation procedures

7

Cyber Crisis Management Plan

Board

Annual

Incident response, reporting and recovery procedures

8

Cyber Security Policy

Board

Annual

Vulnerability assessment, monitoring and cyber governance

9

Expected Credit Loss (ECL) Policy

Board

Annual

Define provisioning methodology and assumptions

10

Fair Practices Code

Board

Annual

Disclosure of loan terms, grievance mechanism and recovery practices

11

Risk Management Policy

Board / Risk Management Committee

Annual

Credit, market, operational, liquidity and compliance risks

12

Fit and Proper Criteria Policy

Board

Annual

Due diligence and declarations from directors

13

ICAAP Policy

Board

Annual

Risk assessment and capital planning document

14

IT Framework

Board

Annual

IT governance, outsourcing and technology risk

15

Information System Audit Policy

Board

Annual

Independent IS audit and compliance tracking

16

Interest Rate Policy

Board

Annual

Transparent pricing methodology and disclosures

17

Investment Policy

Board

Annual

Exposure limits, approval hierarchy and monitoring

18

KYC & AML Policy

Board

Annual

Customer due diligence, monitoring and reporting

19

Loan Policy

Board

Annual

Eligibility, documentation, delegation and monitoring

20

MIS Policy

Board

Annual

Reporting framework and data governance

21

Nomination & Remuneration Committee (NRC) Policy

NRC / Board

Annual

Performance evaluation and remuneration principles

22

Outsourcing Policy

Board

Annual

Vendor due diligence, monitoring and business continuity

23

Related Party Transaction Policy

Board / Audit Committee

Annual

Approval process and disclosure requirements

24

Stress Testing Framework

Board / Risk Management Committee

Periodic

Credit, liquidity and capital stress testing

25

Whistle Blower Policy

Board / Audit Committee

Annual

Confidential reporting mechanism and protection against retaliation

26

Grievance Redressal Mechanism

Board

Annual

Complaint tracking, timelines and escalation matrix

27

Fraud Risk Management Policy

Board

Annual

Early warning signals, reporting framework and investigation process

28

Liquidity Risk Management Policy

Board / Risk Management Committee

Annual

Liquidity monitoring, stress scenarios and contingency measures

Disclaimer: Applicability may vary depending upon whether the entity is a Base Layer (NBFC-BL), Middle Layer (NBFC-ML), Upper Layer (NBFC-UL), Top Layer (NBFC-TL), Housing Finance Company (HFC) or other category of Regulated Entity. 

Practical Compliance Checklist:

For every policy, the Compliance Officer should maintain:

  • Date of Board approval;
  • Date of last review;
  • Applicable RBI Master Direction/Circular;
  • Version control and amendment history;
  • Policy owner;
  • Next review due date;
  • Evidence of implementation;
  • Board/Committee minutes recording review;
  • Internal audit observations;
  • Action Taken Report (ATR).

Key Takeaway:

RBI inspections increasingly focus on whether policies are living governance documents rather than static records. A policy that is approved but not reviewed, implemented, monitored or evidenced through Board and Committee deliberations may still attract supervisory observations.

Accordingly, every NBFC should maintain a centralised policy register linked to a compliance calendar, ensuring timely reviews, regulatory updates and documented oversight.

Comments

Popular posts from this blog

RBI-Mandated Policies Every Base Layer NBFC Must Have: A Comprehensive Guide (Updated as on 5th December, 2025)

RBI and CIBIL Compliance Checklist for Base Layer NBFCs: What You Need to Know in 2025 (Updated as on 5th December, 2025)

RBI’s 100+ Penalties in a Year: What Went Wrong?