Draft RBI Directions: Banks may finance Acquisitions 

– Conditions for acquisition finance, prudential limits and new LTV requirements for various capital market exposures

– Payal Agarwal, Partner | payal@vinodkothari.com

The Amendment Directions have been issued by RBI effecting changes as per the draft norms. See an article on the same here – https://vinodkothari.com/2026/02/rbi-permits-leveraged-buy-outs-through-bank-finance/

Capital markets are subject to higher fluctuations and volatility, and hence, Capital Market Exposures (CME) carry a higher risk, naturally requiring a higher level of control and prudential norms by the regulator. The RBI recently released Draft Reserve Bank of India (Commercial Banks – Capital Market Exposure) Directions, 2025, consolidating and amending the regulatory directions pertaining to CMEs. The proposed amendments are significant, providing flexibility for financing “acquisitions” in the secondary market while also strengthening the prudential requirements in relation to CMEs.


A voice without a vote: IBBI proposes OCs as observers amongst unrelated FCs in CoC

Team Resolution | resolution@vinodkothari.com

Where the CoC has no regulated financial entity and a single unregulated financial creditor holds over 66% of the voting share, effectively dominating all decisions, IBBI in its Discussion Paper dated 17th November, 2025 proposed that the five largest operational creditors will also be brought into the CoC meeting, giving them a seat and a voice in the discussions, even though they will not have voting rights.

Such operational creditors will be entitled to receive the notice, agenda and minutes of the meeting and may participate in deliberations. Notably, they cannot cast their vote on any agenda item and merely attend the meeting as observers. However, the proposal suggests that the RP shall record their observations, if any, in the minutes.

The rationale behind such inclusion is that, in cases where the CoC does not have any regulated lender and an unregulated creditor effectively controls decisions with more than 66%, it raises a genuine concern about the quality and objectivity of CoC decision-making. Such a creditor may not have the financial or institutional expertise that banks and regulated entities typically bring to the process, and in some cases may even be a friendly or aligned party. This creates a risk that decisions may not withstand scrutiny and may dilute the credibility of what is otherwise treated as the CoC’s commercial wisdom.

However, the proposal does not fully take into account the following:

  1. Whether possible under subordinate law: The Code already provides for exclusion of related party financial creditors from CoC. The Code does not permit further exclusions or inclusions to be specified by IBBI. The only scenario where IBBI regulations can step in is where there are NO financial creditors. Therefore, whether this proposed inclusion of operational creditors is possible by way of amendments in regulations, can be a point of discussion. Notably, the constitutionality and the “intelligibility” of the distinction between financial and operational creditors was discussed and settled in very early rulings of the SC on the Code – viz., Swiss Ribbons Pvt. Ltd. & Anr v. Union of India & Ors., Committee of Creditors of Essar Steel India Limited Through Authorised Signatory v. Satish Kumar Gupta & Ors. In those rulings as also in the frame of the Code, the image of a CD under insolvency has been one who has multiple financial creditors, primarily banks. The structure of the Code does not realize that in practice, there are several outliers. There are situations where insolvency may be a design rather than a fait accompli. In such cases, there may be a so-called financial creditor who has been introduced to avoid the formation of a CoC with operational creditors. Hence, the concern that IBBI is trying to address is quite well appreciated, but the issue is – are these remedies possible without the main law being amended? 
  2. Regulated vs. unregulated financial creditors: The proposal seeks to distinguish between “regulated” and “unregulated” financial entities. The concerns as to quality and objectivity may still be there, as being a regulated entity does not guarantee these features. There are some 8000-odd NBFCs which are regulated. Technically, even non-corporate moneylenders may have registration under State money-lending laws and may claim to be regulated. The mere fact that a financial creditor is regulated does not ensure objectivity and transparency.

In fact, assume there is a single regulated entity holding the financial debt. The very fact that one entity has 66% share (that is, the voting share required to have decisions passed) in the admitted financial claims gives the creditor the right of complete control on the proceedings. 

  3. The inclusion of OCs without voting rights raises concerns about utility: Their presence adds no real decision-making power, calling into question the practical value of their participation. The only silver lining may be that as the minutes of CoCs will capture the observations of the OCs, the NCLT while approving the plan may have regard to the fairness or otherwise of the decisions of the CoC. Going by the weight of SC views that AAs do not have the right to question the commercial wisdom of the CoC, whether a solo-powered CoC’s decisions will also carry the same aura of commercial wisdom remains to be seen.
  4. The core issue remains unaddressed: An unregulated financial creditor with over 66% voting share continues to dominate outcomes, while the OCs’ views are merely recorded without any mandatory impact on final decisions.
  5. The proposal diverges from the BLRC’s foundational reasoning: The BLRC Committee reasoned that members of the creditors committee have to be creditors both with the capability to assess viability, as well as to be willing to modify terms of existing liabilities in negotiations. This proposal thereby contradicts the BLRC framework.

In this regard, the BLRC Committee noted as follows:

“Typically, operational creditors are neither able to decide on matters regarding the insolvency of the entity, nor willing to take the risk of postponing payments for better future prospects for the entity. The Committee concluded that, for the process to be rapid and efficient, the Code will provide that the creditors committee should be restricted to only the financial creditors.”

Our Views

Even though the intent behind such a proposal is noble, it may fail its desired objective. The intent of this provision can succeed only if the rights of OCs are clearly laid down. Securing a seat in CoC meetings and a right to put forward their views may be a welcome step for bringing OCs into the process. However, the actual influence that OCs can exert as mere observers remains uncertain. Only with time will it become clear whether their inclusion practically alters decision making in CoC meetings or merely remains a symbolic entry.

Also read our detailed article titled “Subordination of Operational Creditors Under IBC: Whether Equitable” [Published on 26th July, 2018]

Other Proposals in the DP:

1. Mandate that the IM shall include the details of all allottees, including their names, amounts due, and units allotted, as reflected in the CD’s records, regardless of whether they have filed formal claims and require that the resolution plan provides for the treatment of such allottees. 

2. Disclosure of receivables, JDAs and information on assets which are under attachment should be mandatorily included in the IM.

3. When the CoC recommends liquidation even though a compliant resolution plan of value greater than the liquidation value was received, the reasons for recommendation for liquidation shall be recorded and submitted in the application for liquidation to the NCLT. 

Microfinance: State of the Industry and Way Forward

This episode of Mahattva – Voices that Matter brings together the heads of two prominent MFIs. Microfinance has been attracting the attention of the entire financial system, with concerns as well as with significant optimistic curiosity. Clearly, this is one segment of the financial system where financial inclusion is at its very core. We intend to cover a range of questions on the causes of the current state of things, opportunities, the way forward, induction of capital and debt, and regulatory advocacy.

A must-watch for everyone interested in microfinance. To watch it live, join our WA Channel on VKC NBFC Updates here- https://www.whatsapp.com/channel/0029Vb5epkr65yDCj3YJHg44


Read our resources on MFI lending here

  1. Micro Credit in India: Overview of regulatory scenario
  2. A Face-off with micro finance – world over
  3. Leveling the playing field for all Microfinance Lenders
  4. RBI takes measures to boost MFI lending and regulate PPI issuers
  5. The Great Consolidation: RBI’s subtle shifts; big impacts on NBFCs

The Hidden Hand: Understanding Beneficial Ownership in case of Trusts

Saket Kejriwal, Assistant Manager | corplaw@vinodkothari.com, finserv@vinodkothari.com

Background

The structure of a trust inherently creates a separation of roles, typically involving three distinct parties, viz. the author/settlor, trustee, and beneficiaries. While control/operations rest with the trustee, economic benefit lies with the beneficiaries, and the settlor may continue to exert influence through the trust deed or reserved powers, thus making it difficult to clearly identify who actually “owns” or “controls” the trust. This intrinsic separation of legal control, economic interest and potential influence renders trusts far more opaque than other conventional structures like companies or partnerships. What makes the structure even more complicated is that trusts are mostly governed by 19th century laws. Trusts are not required to publicly file information about their beneficiaries; in many cases, trustees may even contend that they are not maintaining any such regular list.

Adding to this complexity is the fact that trusts may be structured in different forms. Based on the degree of control with the trustees, trusts may be discretionary, where the trustee has full discretion to identify the beneficiaries and/or their share, or non-discretionary, where the beneficiaries have identifiable and predetermined rights in the trust property. There are trusts where the determination of beneficiaries is either contingent or future – for example, children and grandchildren of the settlor. In discretionary trusts, beneficiaries may not have a defined share or enforceable claim at any given point, making it unclear whether they can be treated as beneficial owners at all. In non-discretionary trusts, although the beneficiaries are identifiable, the trustee continues to hold legal title, again blurring the line of who truly “owns” the trust.

For Reporting Entities [1] (“REs”), including Banks and NBFCs, identification and onboarding becomes more complex when the customer is a non-individual entity. The extent of verification varies by entity type, and trusts in particular create added challenges because of the reasons cited above.

Relevance of Identifying Beneficial Owners (‘BO’)

Before discussing how REs should identify a trust’s BO, it is important to understand why they must do so. Under paras 9 and 10 of the RBI KYC Directions, 2016, every regulated entity is required to frame a Customer Acceptance Policy which, at a minimum, mandates that no account-based relationship or transaction may be undertaken unless full Customer Due Diligence (‘CDD’) is completed. This requirement is based on R.10 of The FATF Recommendations.

As defined under para 3(b) Clause (v) of RBI KYC Directions, 2016, “Customer Due Diligence means identifying and verifying the customer and the beneficial owner using reliable and independent sources of identification”. Further, clause 3 under the explanation to the above para extends this requirement to “Determining whether a customer is acting on behalf of a beneficial owner, and identifying the beneficial owner and taking all steps to verify the identity of the beneficial owner, using reliable and independent sources of identification.” This is similar to what is prescribed under Rule 9(1) of PML Rules, 2005.

As part of CDD, REs are required to identify customers and their BOs, which in turn places a corresponding obligation on customers to truthfully disclose their ownership structure and furnish relevant documents that establish the identity of a natural BO. This process obliges REs to verify the authenticity and completeness of the information and documents submitted, use these findings to determine whether to establish the business relationship and to appropriately assign a risk rating.

However, in practice, BOs may be reluctant to provide their KYC documents due to privacy concerns, fear of scrutiny, or because complex structures were intentionally designed to keep the BO’s identity concealed. 

Who are ‘beneficial owners’?

As per para 3(a)(iv) clause (d) of RBI KYC Directions, “Where the customer is a trust, the identification of beneficial owner(s) shall include identification of the author of the trust, the trustee, the beneficiaries with 10 percent or more interest in the trust and any other natural person exercising ultimate effective control over the trust through a chain of control or ownership”. A similar definition is provided under Rule 9(3) of PML Rules, 2005.  

The aforesaid definitions originate from The FATF Recommendations, which clearly define that, in the context of legal arrangements, i.e. trusts, beneficial owner includes: “(i) the settlor(s); (ii) the trustee(s); (iii) the protector(s) (if any); (iv) each beneficiary, or where applicable, the class of beneficiaries and objects of a power; and (v) any other natural person(s) exercising ultimate effective control over the arrangement. In the case of a legal arrangement similar to an express trust, beneficial owner refers to the natural person(s) holding an equivalent position to those referred above.”

In a discretionary trust, the trustee has full discretion, whereas in a non-discretionary trust, beneficiaries have fixed rights and the trustee has limited discretion. This influences who can practically be identified as exercising control.

Now, in the case of a discretionary trust, the above framework is usually manageable because the trustee, who exercises control, may not object to being identified as a BO. However, in a non-discretionary trust, the trustee does not exercise independent discretion. In such cases, the trustee may express reluctance to be classified as a BO because he does not “benefit” from the trust in an economic sense and may view BO identification as an unwarranted extension of responsibility. This confusion often results from equating BO with someone who derives economic benefit, whereas under AML laws the emphasis is on identifying at least one identifiable individual, ensuring that there is an accountable natural person whom authorities and REs can pursue in the event of ML/TF concerns, regardless of whether they receive monetary benefit.

Difference between BO and Beneficiary

It is important to understand that the terms “beneficiary” and “beneficial owner” serve different purposes. The objective of identifying the BO is not to treat the trustee or settlor as recipients of trust benefits, but to ensure that the RE can clearly trace the natural persons involved in controlling, directing, and/or benefiting from the trust arrangement. BO identification is a regulatory requirement aimed at preventing misuse of trusts for ML/TF purposes, not a determination of who is entitled to trust assets. When viewed this way, trustee and settlor identification becomes a matter of transparency and risk assessment, not a reclassification of their legal or economic rights under the trust.

Identification of the natural person behind the Trust

REs typically encounter two scenarios that require them to look behind the trust structure: first, when the trust is the direct customer; and second, when the trust is recognised as a BO of another entity.

  • Trust itself is the customer

When the trust itself is the customer, the BO identification framework is relatively straightforward. The PML Rules clearly prescribe that the following individuals must always be treated as BOs:

  • the author/settlor,
  • the trustee(s), and
  • any beneficiary holding 10% or more interest, where such interest is defined or quantifiable.

These natural persons fall squarely within the definition of beneficial owners and should be identified and verified without debate.

Where specific beneficiaries cannot be identified, for example, in a public charitable trust, or in a private trust where beneficiaries do not meet the 10% threshold, the obligation to identify BOs does not fall away. In such cases, the RE must still identify:

  • the author/settlor,
  • the trustee(s), and
  • any natural person exercising ultimate effective control, if any.

Thus, the absence of identifiable beneficiaries does not dilute the requirement. 

  • Indirect Identification (Trust as a BO / Shareholder / Partner of Another Entity)

Complexity increases when the customer is not the trust, but another legal entity, such as a company, LLP, or partnership, in which a trust holds a substantial stake. In such cases, identifying the natural person as BO requires a deeper “look-through” analysis.

The Interpretive Note to Recommendation 10 of The FATF Recommendations provides a structured cascading approach to determine BOs of legal persons. This approach should be applied sequentially [2]:

Step 1: Identify the natural persons with controlling ownership interest 

Determine whether any natural person ultimately owns or controls the entity through direct or indirect ownership (including ownership via the trust); if yes, identify the person(s) as BO.

Step 2: Identify natural persons exercising control through other means

If no natural person is identifiable through ownership, identify the natural persons exercising control of the entity through other means, such as through one or more juridical persons.

In such cases, the BO definition for trusts should not be imported from the definitions as discussed above i.e. all parties to the trust need not automatically be treated as BOs of the entity concerned.

Instead, the focus should be on identifying the natural person(s), whether trustee or settlor, who genuinely hold or exercise the relevant control over the underlying company, and evaluating them against the test of control.

Step 3: Identify the Senior Managing Official (SMO)

If no natural person can be identified under Step 1 or Step 2, the reporting entity must identify and verify a Senior Managing Official of the customer entity itself.

The intent behind this clause might be to cater to situations where the chain may not yield any natural person with a controlling ownership or control interest, for example, where the legal person is held by another legal person which is, in turn, held by a trust, or where the trust is a charitable trust with no identifiable beneficiaries and no effective control exercised by the trustee. In such situations, the responsibility reverts to the customer entity itself, and the senior managing official (SMO) of the customer is identified as the BO for CDD purposes.

However, even in such cases, the SMO is identified purely for the purposes of AML laws, as discussed above. (see para 31 of the FATF Guidance on Beneficial Ownership of Legal Persons)

Difference between BO and SBO

While the concept of a BO and the concept of a Significant Beneficial Owner (SBO) under the Companies Act both aim to identify the natural persons behind an entity, the two frameworks differ significantly in scope and approach. The SBO definition focuses on identifying individuals who hold a prescribed level of ownership or control, and it does not provide a structured fallback if no individual meets that threshold. 

In contrast, BO identification under Rule 9(3) of the PML Rules follows a cascading approach, i.e. REs must first identify natural persons with ownership, then those who exercise control through other means. Further, only when neither approach detects a clear individual do the rules require identifying the senior managing official as the BO of last resort. This ensures that BO identification cannot be left blank; every entity must ultimately map to a natural person for AML purposes, even where no SBO exists, so that transactions are not carried out in benami or opaque structures.

Conclusion

It is important to clarify that being identified as a BO is primarily a regulatory formality for compliance. It does not alter a person’s rights, liabilities, or relationship with the trust or entity. The core objective is simply to ensure that there is a clearly identifiable natural person connected to the legal entity so that the RE can complete its due diligence and satisfy AML requirements. The following are the limited obligations of being identified as a BO:

  • Provide basic KYC documents or Officially Valid Documents (OVDs) for verification of identity;
  • Respond to any follow-up queries during onboarding or monitoring; and 
  • Undergo periodic KYC updates, as requested by the RE.

  1. As per Section 2(wa) of PMLA Act, 2002 “reporting entity” means a banking company, financial institution, intermediary or a person carrying on a designated business or profession.
  2. Refer footnote no. 37 of The FATF Recommendations.

SEBI approves relaxed norms on RPTs 

  • Materiality thresholds increased, significant RPTs relaxed for small-value RPTs and newly incorporated subsidiaries 

Highlights:

Following a 32-page consultation paper proposing significant amendments to RPT provisions towards ease of doing business, rolled out by SEBI on August 4, 2025, several amendments were approved by SEBI in its Board Meeting on 12th September, 2025. The SEBI (Listing Obligations and Disclosure Requirements) (Fifth Amendment) Regulations, 2025 have been notified on 19th November, 2025, amending the RPT framework for listed entities.

Some of our comments on the proposals, as recommended to SEBI, have also been accepted in the approved decisions. Our comments on the Consultation Paper may be read here

Applicability of the Amendment Regulations 

While the Amendment Regulations have been notified, the amendments with respect to the RPT framework are effective from the 30th day of the notification of the Amendment Regulations, that is, with effect from 19th December, 2025. 

1. Materiality Thresholds: From One-Size-Fits-All to several sizes for the short-and-tall

A scale-based threshold mechanism has been approved, such that the RPT materiality threshold increases with the increase in the turnover of the company, though at a reduced rate, thus leading to an appropriate number of RPTs being categorized as material, thereby reducing the compliance burden of listed entities. The maximum upper ceiling of materiality has been kept at Rs. 5,000 crores, as against the existing absolute threshold of Rs. 1000 crores. The thresholds have been provided in Schedule XII, along with an illustration towards better understanding of the materiality thresholds. 

Materiality thresholds as specified in Schedule XII: 

| Annual Consolidated Turnover of listed entity (in Crores) | Approved threshold (as a % of consolidated turnover) | Maximum upper ceiling (in Crores) |
|---|---|---|
| < Rs. 20,000 | 10% | 2,000 |
| 20,001 – 40,000 | 2,000 Crs + 5% above Rs. 20,000 Crs | 3,000 |
| > 40,000 | 3,000 Crs + 2.5% above Rs. 40,000 Crs | 5,000 (deemed material) |

Back-testing the proposed scale on RPTs undertaken by the top 100 NSE companies shows a 60% reduction in material RPT approvals for FY 2023-24 and 2024-25, with the total number of such resolutions reducing from 235 and 293 to around 95 to 119. The 60% reduction may itself be seen as a bold admission that the existing regulatory framework was causing too many proposals to go for shareholder approval.

Our Analysis and Comments 

With the amendments becoming effective, the RPT regime is set to be considerably relaxed, with the absolute threshold for taking shareholders’ approval to be doubled to Rs. 2000 crores. In addition, for larger companies, there will be a scalar increase in the threshold, rising to Rs. 5000 crores. Far fewer RPTs will now have to go before shareholders for approval in general meetings.

In times to come, a multi-metric approach, depending on the nature of the transaction, may be adopted, drawing on a consonance-based criteria as seen in Regulation 30 of the LODR Regulations, thus offering a more balanced and effective approach. See detailed discussion in the article here.

2. Significant RPTs of Subsidiaries: Plugging Gaps with Dual Thresholds

Extant provisions vis-a-vis Amended Regulations

Pursuant to the amendments in 2021, RPTs exceeding a threshold of 10% of the standalone turnover of the subsidiary are considered as Significant RPTs, thus, requiring approval of the Audit Committee of the listed entity. The following modifications have been approved with respect to the thresholds of Significant RPTs of Subsidiaries: 

  • ‘Material’ is always ‘Significant’: RPTs of a subsidiary would require the listed holding company’s audit committee approval if they breach the lower of the following limits:
    • 10% of the standalone turnover of the subsidiary or 
    • Material RPT thresholds as applicable to listed holding company 

This is a mathematical impossibility, since materiality threshold is based on “consolidated turnover”, and hence, includes the turnover of the subsidiary. Further, unlike networth, turnover cannot be a negative number, and hence, even if one or more of the subsidiaries of the listed entity are loss-making entities, the same cannot reduce the consolidated turnover of the listed entity to a number below the standalone turnover of its subsidiaries, whose accounts are being consolidated with the entity.  

  • Exemption for small value RPTs: The threshold for Significant RPTs is subject to an exemption for small value RPTs based on the absolute value of Rs. 1 crore. Thus, where a transaction between a subsidiary and a related party (of the listed entity/ subsidiary), on an aggregate, does not exceed Rs. 1 crore, the same is not required to be placed for approval of the Audit Committee of the listed entity, even if the aforesaid limits are breached.
  • Alternative for newly incorporated subsidiaries without a track record: For newly incorporated subsidiaries which are <1 year old, and consequently do not have audited financial statements for a period of at least one year, the threshold for Significant RPTs is to be based on the lower of:
    • 10% of aggregate of paid-up capital and securities premium of the subsidiary, or
    • Material RPT thresholds as applicable to listed holding company 

The aggregate value of paid-up capital and securities premium, to be considered for the purpose of determination of Significant RPTs, should not be older than three months prior to the date of seeking AC approval. Since the value of paid-up capital and securities premium would be available with the company on a real-time basis, the same does not result in any additional compliance burden. 

Our Analysis and Comments

For newly incorporated subsidiaries, the Consultation Paper proposed linking the thresholds with net worth, and requiring a practising CA to certify such networth, thus leading to an additional compliance burden in the form of certification requirements. Following the approval in SEBI BM, the Amendment Regulations provide a threshold based on paid-up share capital and securities premium, and hence, certification requirement does not arise.

3. Clarification w.r.t. validity of shareholders’ Omnibus Approval 

Existing provisions vis-a-vis Amended Regulations  

The existing provisions [Para (C)11 of Section III-B of LODR Master Circular] permit the validity of the omnibus approval by shareholders for material RPTs as: 

  • From AGM to AGM – in case approval is obtained in an AGM 
  • One year – in case approval is obtained in any other general meeting/ postal ballot 

Pursuant to the Amendment Regulations, the timelines have been incorporated as a proviso to Reg 23(4). Further, a clarification has been incorporated that the AGM to AGM approval will be valid till the date of next AGM held within the timelines prescribed as per section 96 of the Companies Act.

4. Exclusions for retail purchases 

Proviso (e) to Regulation 2(1)(zc) of the extant SEBI LODR Regulations exempted transactions involving retail purchases by employees from being classified as Related Party Transactions (RPTs), even though employees are not technically classified as related parties. Conversely, it includes transactions involving the relatives of directors and Key Managerial Personnel (KMPs) within its ambit. 

The CP proposed that the exemption related to retail transactions should be expressly limited to related parties (i.e., directors, KMPs, or their relatives) to grant the appropriate exemption.

Under the extant framework, retail purchases made on the same terms as applicable to all employees were excluded from the meaning of RPTs when undertaken by employees, but not when made by relatives of directors or KMPs. This led to an inconsistent treatment, where similarly situated individuals receive different regulatory treatment solely on the basis of their relationship with the company. 

Pursuant to the Amendment Regulations, the exclusion for retail purchases has been extended to the relatives of the directors/ KMP, when undertaken on “terms which are uniformly applicable/offered to all employees, directors, key managerial personnel and relatives of directors or key managerial personnel”. While the language refers to terms offered to “employees, directors, key managerial personnel and relatives of directors or key managerial personnel”, the same cannot be read to mean that preferential terms can be granted to “director”, “KMPs” or “relatives of such directors/ KMPs” as a separate class. The terms need to be uniform to what is otherwise offered to “employees” by such a listed entity/ its subsidiaries.

5. Exemptions for RPTs between holding company and WoS

Regulation 23(5)(b) provides an exemption from audit committee and shareholder approvals for transactions between a holding company and its wholly owned subsidiary. However, the term “holding company” used in this context has remained undefined, leaving ambiguity as to whether it refers only to a listed holding company or includes unlisted ones as well.

A clarification has been inserted to provide the interpretational guidance that the term ‘holding company’ refers to the listed entity. The relevance of the aforesaid clarification would primarily be in cases where the unlisted subsidiary of the listed entity enters into a significant RPT with its wholly owned subsidiary (step-down subsidiary of the listed entity). Pursuant to the aforesaid proposal, as approved, no exemption will be available in such a case. 

Conclusion

The amendments seem more or less welcoming, relaxing the RPT regime for listed entities. With the new leadership at SEBI meant to rationalise regulations, it was quite an appropriate occasion to do so. In sum, SEBI’s iterative approach to RPT governance demonstrates commendable responsiveness, contributing to the ease of compliances and in turn, of doing business by the companies.


FAQs on contra trade restrictions under PIT Regulations

Team Corplaw | corplaw@vinodkothari.com

Updated as on November 19, 2025



Downstreamed through intermediaries: Deemed public issue concerns for privately placed debt

– Vinod Kothari and Payal Agarwal | corplaw@vinodkothari.com

While equity is the “flavour of the season”, companies can produce efficient returns on equity only if they leverage it; therefore, companies are also reaching out to investors through debt issuance. Most of the bond issuance in India is privately placed; however, it is increasingly common for companies to reach out, mostly through intermediaries, to HNIs and other investors to invest in privately placed listed debt. While some of it happens through OBPPs (see an article on Regulatory framework for Online Bond Platform), much of it is simply distributed to investors by brokers, portfolio managers, distributors, investment advisers, and so on. The question is: if a privately placed bond issue is downsold, through intermediaries, to more than 200 investors, will the issue itself be regarded as a “deemed public offer” and therefore require compliance with public offer norms as per Part I of Chapter III of the Companies Act, 2013 read with Chapter III of the SEBI (Issue and Listing of Non-Convertible Securities) Regulations, 2021?

If you cannot do something, you cannot employ someone to do it. In Sanskrit Nyayavali, there is a maxim that reads:

यः करोति  स करोत्येवेति  न्यायः

This maxim is used to denote that the responsibility of one who sets another to do a thing is quite equal to that of the doer himself. That is, what you cannot do, you cannot employ someone to do.

If a bond issuer engages an intermediary to downsell an issue to an undefined group of investors, it must be taken to be the act of the issuer itself. While the focus is mostly on the magical number 200, 200 is only the “deeming line”. The real line of distinction is: did I reach out to a closed group of investors who were known to me, or did I make a wide and open offer to whoever might be interested? Even if one might contend that all the offerees were known to the offerers, the 200 lakshman rekha will still apply and will result in the so-called private placement being taken as a public offer.

This article discusses:

  • The contours of the deemed public offer provision in context of bonds 
  • What difference would be made if the bonds were privately placed and listed
  • Is the limit to be counted for all bonds issued in a year, or per ISIN or per bond issuance?
  • What if the intermediary buys the bonds from secondary market and then downsells the same?
  • How is the nexus between the bond issue and downselling derived/deduced?
  • What difference is made if the bonds are sold on OBPPs? What are the defining features of an OBPP, as opposed to securities intermediaries?
  • So, in what circumstances will a downsold bond not result in a breach of sec. 25(2) and 42 of the Companies Act / NCS Regs?

There have been various actions taken by ROC against use of crowdsourcing platforms for equity shares. Refer our article on Crowdsourcing funds faces stiff penal actions.

Contours of deemed public offer on bond issuance 

Section 25(2) of the Companies Act specifies cases that may be considered as a deemed public offer. 

For the purposes of this Act, it shall, unless the contrary is proved, be evidence that an allotment of, or an agreement to allot, securities was made with a view to the securities being offered for sale to the public if it is shown—

(a) that an offer of the securities or of any of them for sale to the public was made within six months after the allotment or agreement to allot; or

(b) that at the date when the offer was made, the whole consideration to be received by the company in respect of the securities had not been received by it.

Additionally, in terms of section 42(11) of the Act, a private placement offer, non-compliant with the provisions of Section 42(2) shall be deemed to be a public offer and shall attract the provisions as applicable to any public offer. Section 42(2) requires that a private placement offer be made only to pre-identified investors and to not more than 200 persons in a financial year. Penalty for breach of section 42 may stretch to the amount of funding raised, capped at Rs 2 crores. Further, the issuer is also required to refund all monies with interest to subscribers within a period of 30 days of the order imposing the penalty. The interest is to be paid at the rate of 12% p.a. calculated from the expiry of the 60th day from the date of the receipt of application money for such securities till the time the money has been refunded. 

Thus, downselling of bonds by the investor within 6 months of issuance by the bond issuer results in a deemed public offer. Further, in case of a public offer of securities, section 40 mandates the listing of such securities. In case of listed or proposed to be listed securities, Section 24 of the Act extends SEBI’s authority to administer the provisions of the Act (Chapter III and IV) in relation to the issue and transfer of such securities.

Deemed public issue in privately issued bonds and recent SEBI orders 

In an August 2025 order pertaining to downselling of privately placed unlisted NCDs to 699 investors, the issuer contended that the allotment of NCDs was made to a single investor on private placement basis, and any subsequent transfer of such securities within 6 months from its allotment is an independent action of the investor, with no direction or influence from the issuer. Here, SEBI referred to the legal maxim ‘acta exterior indicant interior secreta’ (external action reveals inner secrets) to rule out the aforesaid contention of the issuer. 

In the facts of the said case, the investor (primary subscription) was referred to as Debenture Holder Representative (DHR), and the investor was identified as a depository account of such DHR. The issue related documents indicated the primary subscriber’s intention to downsell, and not to hold investments in the NCDs.  

In the said case, while dealing with the concept of “deemed public offer”, SEBI also interpreted the construct of section 25, and observed: 

The expression “with a view to” in section 25 indicates the reason or goal behind an action. It signifies the action being taken with a specific objective in mind and implies a forward-looking perspective, suggesting that the action is a means to an end. It is pertinent to mention that such intent, design or reason can be drawn from a mass of factual details and can be gleaned from the whole gamut of surrounding foundational facts and circumstances both poste and ante the typical gambit of allotment in this case.

SEBI also held that: 

…(unless the contrary is proved) if it is shown that an offer of the securities allotted or of any of them, for sale to the public was made within six months after the allotment or agreement to allot, it is presumed that the allotment or an agreement to allot the securities was made with a view to the securities being offered to the public and the document whereby the offer for sale is made shall be deemed to be a prospectus under section 25(1).

The order also referred to another adjudication order of SEBI dated 20th September, 2023 (subsequently settled on 10th April, 2024). In the said case, the allotment of NCDs was made in the portfolio demat account of the primary investor, which were subsequently transferred to 355 investors. The application money was also received from the portfolio pool account of the investor, and not the proprietary account. In the facts of the case, the investor had also acted as a structurer of the deal and received an advisory fee from the issuer for the same.

Downselling of privately placed “listed” bonds

Securities, once listed, are freely transferable. There is no lock-in period or transfer restrictions on the listed bonds. Therefore, a question arises on whether the downselling restrictions and deemed public issue implications arise in a case where the NCDs are issued through private placement, and listed on the stock exchanges? 

In our view, if the bonds were privately placed, but have been downsold in quick succession, it is implied that the downselling was a part of the primary issuance. In such cases, the issuer may be said to have violated public issue norms by calling what was really a public offer a private placement. Thus, if the nexus between primary issuance through private placement and secondary transfer to retail investors is clear, it is substantively a public offer, camouflaged as a private placement. The issue being impugned here is not the sale of a listed security, but claiming the issue to be a private placement despite the distribution nexus.

Had the securities been intended to be offered to the public, the same should have been done through “public issue” of such bonds, and not through the “private placement” route. 

Downselling of bonds purchased from secondary market

The trigger of deemed public issue norms is not based on the number of stopovers; what is relevant is the intent of downselling to the retail public. For instance, consider a case where the issuer issues bonds to XYZ Ltd, an investor. The investor, in turn, transfers the same to a market intermediary (portfolio manager/ stock broker etc). Now, the market intermediary downsells such bonds to a large number of investors. The proximity of the aforesaid events, viz., (a) primary issuance, (b) secondary transfer to intermediary and (c) downselling by intermediary to public, is itself suggestive of the ultimate intent of downselling. Therefore, in such cases as well, the provisions of deemed public issue should apply.

Further, where a registered market intermediary acts as a conduit investor to facilitate such transfers, SEBI may also take action against the same. For instance, in an adjudication order dated 25th April, 2023, SEBI levied a penalty on the registered intermediary (portfolio manager) for having facilitated downselling of privately placed securities in violation of the regulatory requirements. Similarly, in the August 2025 order referred to above, while a penalty has not been levied on the conduit investor, SEBI observed the following in relation to the role of the conduit investor:

Down-selling of the NCDs cannot entirely be a unilateral and independent act without the involvement of other parties and the entire scheme could not have been possible without the connivance of the parties involved.

Nexus between primary issuance and secondary transfers

Section 25(2) of the Act refers to a time gap of six months between primary issuance and secondary transfer for considering the same as a deemed public issuance. The time period of six months is for the purpose of reasonability of connection between the primary issuance and the secondary sale. Thus, proximity between primary issuance and secondary transfer is one of the factors to be considered. 

Sometimes, attending circumstances make it clear that the intent of the intermediary was to downsell. For example, the intermediary may have reached out to the potential investors, sourced their intent to subscribe or actually procured their subscriptions, and then may have made the investment in the bonds. Or, as sometimes seen, there may be an irrevocable intent expressed by the ultimate investors to invest in the subject bonds.

Charging of fees, by whatever name called, by the primary investor from the issuer may also indicate that the fee is being charged by the investor for acting as a conduit in the private placement offer of the issuer.

Because the substantive view of the arrangement in its entirety is formed by connecting the dots together, the view may be subjective, but mostly, it is not difficult to discern.

Limit on number of offerees: each ISIN or each issuer? 

Section 42(2) r/w Rule 14 of the PAS Rules provides that an offer or invitation to subscribe to securities under private placement should only be made to up to 200 investors (excluding QIBs and employees under ESOP) in aggregate for a financial year. Further, an explanation to Rule 14(2) clarifies that the limit would be reckoned individually for each kind of security, that is, equity share, preference share or debenture. The same is based on the recommendations of the Report of the Companies Law Committee, 2016.

The term “securities” is defined to include “debentures”; however, different series of debentures having different terms of issue, inter alia, nature of security, nature of listing, terms of conversion (OCDs, NCDs etc) do not comprise a separate “kind” of security altogether. ISIN (International Securities Identification Number) of securities is a unique 12-character alphanumeric code that identifies a specific financial security, such as a stock, bond, or mutual fund unit. As such, it is merely a tool of identification of security rather than a determinant of the kind of security. Accordingly, the limit of 200 under the Rule should be reckoned at the issuer level for each type of security and not on ISIN basis.

Sale of privately placed bonds by Online Bond Platform Providers

Offers of NCDs in secondary market transactions are permitted through the registered Online Bond Platform Providers (OBPP), as per Reg 51A of NCS Regulations read with Chapter XXI of the Master Circular for issue and listing of Non-convertible Securities, Securitised Debt Instruments, Security Receipts, Municipal Debt Securities and Commercial Paper. However, the OBPP is required to be registered with SEBI and its services are restricted to only (a) listed bonds and (b) bonds that are proposed to be listed through a public offering.

In case of OBPPs, the concept itself was introduced to facilitate offering of listed debentures, in a controlled and compliant environment. That the lock-in restrictions of six months do not apply in case of sale of bonds through OBPP has been discussed by SEBI in its Board Meeting dated 30th Sep, 2022. Para 3.4.3. of the Board Note provides the rationale, as summarised below: 

SEBI already has regulations on issue and listing of privately placed debt securities which inter-alia provides for furnishing of private placement memorandum (which itself is very elaborate), memorandum of association, articles of association, requisite resolutions from the board or committees authorizing such listing of securities on stock exchanges. Once listed, the issuer has to follow all the requirements including detailed disclosures at various intervals. Hence, once the securities are listed, there is not likely to be any circumvention of key public issue requirements. Lock-in requirements, if introduced, may rob the investors from liquidity and the opportunity to exit their investments, if so desired. Debt investors may involve mutual funds or other institutional investors. Restrictions on liquidity can have ramifications which could have large scale implications. Accordingly, the lock-in requirement for listed debts is not proceeded with. 

However, it is to be noted that the registered OBPP can deal only in listed or to-be listed securities. The OBPP is not permitted to offer unlisted bonds/ other products either through the same platform or through a separate platform/ website. In this regard, SEBI, in its interim order dated 18th November, 2024, took action against three unregistered OBPPs that facilitated the offering of unlisted NCDs to retail investors.

Circumstances where downselling does not result in deemed public issue 

We would like to conclude the write-up with some thoughts.

The fact that an issuer cannot market debt instruments to over 200 investors surely cannot mean that at no point of time, the number of investors can exceed 200. While securities of a public company are freely transferable, even if the company is a private company, after listing of the debt securities, the transfers thereafter are largely beyond the control of the issuer. Therefore, the real issue is not the actual number of persons who have invested in the bonds: the real issue is, to how many persons was the issue offered? 

Hence, if the nexus between the issuance, and the downselling, is not clear or unambiguous, secondary market transactions do not necessarily hint at the intent of offering to over 200 investors. Even the provision of sec. 25 (2) (a) of the Companies Act is a rebuttable inference – it is capable of being dismissed by contrary evidence. Below, we list out some illustrative situations where it may be possible to contend that the issuer did not make an offer to over 200 investors:

  1. The primary investor of the bonds makes an offer on OBPP. As discussed above, the same is exempt from the deemed public issue restrictions u/s 25(2)(a).  
  2. There are acquirer/acquirers who have made a genuine investment in the bonds, and after a reasonable time, make a phased exit by downselling the bonds.
  3. A portfolio manager acquires the bonds in the names of various clients, spaced over time, indicating clearly that the acquisition by the PMS clients was not a part of the initial offer.

We do understand the growing debt market in India needs wider investor participation, but there have been instances in the past where the device of private placement was exploited to the hilt. Hence there has to be that delicate balance between regulatory concerns and the need for broadbasing of listed debt, which is why instrumentalities like OBPPs have been permitted. 

Our other resources:

Crowdsourcing funds faces stiff penal actions

Resource Centre on Corporate Bonds

Introducing common offer document disclosures for Private Placement and Public Issue

Revamping private placement mechanism

Going Concern Sales in Liquidation – Ghosted or Alive?

Sikha Bansal, Resolution Division, Vinod Kothari & Company | resolution@vinodkothari.com

About the Amendment

The edifice of IBC is premised on value-maximisation, and thus, resolution has always been preferred over liquidation[1]. Even in liquidation, the regulations and Courts have stressed, and preferred, selling the entity/business as a going concern (referred to as GCS)[2]. However, IBBI, vide Insolvency and Bankruptcy Board of India (Liquidation Process) (Second Amendment) Regulations, 2025 (“Amendment”)[3], has amended the Liquidation Regulations, omitting the option of GCS altogether from the liquidation process. Notably, both the GCS options – one, sale of CD as a going concern (reg. 32(e)), and second, sale of business of the CD as a going concern (reg. 32(f)) – have been omitted.

Operational Risk Assessment for NBFCs : Understanding The Basics

Simrat Singh | finserv@vinodkothari.com 

Operational risk, as defined by the Basel framework, refers to the possibility that a financial institution’s routine operations may be disrupted due to failures in processes, systems, people, or external events. While historically treated as secondary to credit and market risk, it has increasingly become a central focus of risk management, particularly for institutions with complex operations, heavy technology dependence, extensive outsourcing, and stringent regulatory obligations. Reflecting this shift, the RBI’s 2024 Guidance Note on Operational Risk Management and Resilience expands its expectations for operational risk management to all NBFCs. 

Having previously discussed the guidance note (refer here), this article now explains the fundamentals of operational risk assessment and outlines its process.

Operational Risk Management

Operational risk poses unique challenges because many of the events that cause losses arise from internal factors, making them difficult to generalise or predict. Large operational losses are often viewed as rare, which can make it difficult to get sustained management attention on the steady, routine work required to identify issues and track trends[1]. Operational risks typically stem from people, processes, systems and external events, ironically, the same resources essential for running the business. Unlike credit and market risk, which are modelled and hedged, operational risks are often idiosyncratic, event-driven and subject to human, process and system failure.

Relevance For Financial Institutions

Financial institutions operate with complex processes, large transaction volumes, strict regulatory reporting requirements and often heavy dependence on technology, outsourcing arrangements and third-party service providers. Because of this, operational failures, such as system glitches, fraud, compliance breaches or breakdowns in business continuity, can result in substantial financial losses, regulatory sanctions, reputational harm and other disruptions to business operations. 

Given these risks, regulators have placed growing emphasis on the measurement and management of operational risk. Based on our experience, RBI has frequently raised queries regarding the operational risk frameworks of NBFCs during its supervisory inspections. Under Basel II, for instance, banks using the Advanced Measurement Approach were required to maintain strong, demonstrable operational risk management systems. Recognising the importance of operational risk, the Bank of England’s FSA073[2] report, which is applicable to banks and large investment firms, requires firms to record the top ten operational risk loss events for each reporting year. This provides a clear view of what went wrong, where it occurred and the scale of the financial impact.

Operational Risk Assessment Process

In its guidance note for operational risk, the RBI has, at many places, underscored the importance of risk assessment. One such example is given below:

Principle 6: Senior Management should ensure the comprehensive identification and assessment of the Operational Risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood. Both internal and external threats and potential failures in people, processes and systems should be assessed promptly and on an ongoing basis. Assessment of vulnerabilities in critical operations should be done in a proactive and prompt manner. All the resulting risks should be managed in accordance with operational resilience approach.

6.1 Risk identification and assessment are fundamental characteristics of an effective Operational Risk Management system, and directly contribute to operational resilience capabilities. Effective risk identification considers both internal and external factors. Sound risk assessment allows an RE to better understand its risk profile and allocate risk management resources and strategies most effectively.

Figure 1: Operational Risk Assessment Process

Risk identification

Risk identification means figuring out what exactly you need to assess. It involves recognising the different risk sources and risk events that may disrupt your business. A risk source is the underlying cause, something that has the potential to create a problem. A risk event is when that problem actually occurs. For example, a weak password is a risk source, while a data breach caused by that weak password is the risk event. 

As per the RBI’s Guidance Note, REs are expected to take a comprehensive view of their entire “risk universe”. This means identifying all categories of risks, traditional or emerging, that could potentially affect their operations. These may include insurance risk, climate-related risk, fourth- and fifth-party risks, geopolitical risk, AML and corruption risk, legal and compliance risks, and many others. The underlying expectation is simple: an RE should systematically identify everything that can go wrong within its business model, processes, people, systems, and external dependencies, and ensure that no material source of risk is overlooked.

There are many ways to identify risks. You may use questionnaires, self-assessments by business or functional heads, workshops with staff involved in risk management, or you may review past failures within the company. Industry reports, experiences of peers, and linking organisational goals to potential obstacles can also reveal important risks. You can even look at upcoming strategic initiatives and think ahead about the risks that may arise when these changes are implemented.

Every organisation has its own risk profile. A lender may worry about borrowers not repaying, untrained staff, biases in an AI underwriting model, IT system failures, employee fraud, or suppliers not delivering on time. These risks should be recorded in a risk register, but it is important that this register reflects your business. A company offering only physical loans may not face digital lending risks, and should not simply copy any generic list. The goal is to identify risks that genuinely matter to your day-to-day operations.

Assessment

Once you know which risks matter, the next step is to assess each of them. For every risk, ask yourself two basic questions: 

  1. What is the likelihood of this risk actually happening? This is simply the chance that the event might occur. You may assign parameters to determine the likelihood, e.g., is the risk event almost certain to occur in the next 1 year, is it likely to occur, or will it occur only in remote situations?

Figure 2: Illustrative likelihood assessment criteria

  2. If it does happen, what impact will it have on my organisation? Will it hurt my reputation? Lead to financial loss? Negative feedback from customers? Cause a data leak? One can record the impact of the risk as High, Medium or Low based on its gravity.

Figure 3: Illustrative impact assessment of risks

These two questions help you understand how serious the risk is inherently (inherent risk level), i.e., before considering whether you have any controls in place. Note that at this stage, you’re only interested in the natural level of risk that exists, ignoring any controls you might already have.

Evaluating Controls

Once the inherent risks are understood, the next step is to look at how these risks are currently being managed. These risk-reducing efforts are your controls or mitigation measures. Controls are simply the actions, checks, or processes already in place to lower the likelihood or impact of a risk. For example: Is your underwriting model checked for bias? Are board committees meeting regularly? Do you have proper maker–checker checks in your V-CIP process? Controls can take many forms such as policies, procedures, tools, system checks, reviews, or even day-to-day practices followed by employees. In essence, a control is any measure that maintains or modifies risk and helps the organisation manage it more effectively. 

Residual Risk

After evaluating the controls, you can determine the residual risk i.e. the level of risk that remains even after your mitigation measures have been applied. Residual risk shows whether the remaining exposure is acceptable or whether additional controls are needed. By definition, residual risk can never be higher than inherent risk. Generally, residual risk can be interpreted as follows:

  • Low Residual Risk: When the effectiveness of internal controls fully covers or even exceeds the inherent risk;
  • Medium Residual Risk: When controls reduce most of the risk, leaving only a small gap;
  • High Residual Risk: When controls address only part of the risk and a significant gap still remains;

| Category | Risk Source | Risk event | Root cause | Likelihood | Consequence | Level of inherent risk | Control Effectiveness | Level of Residual Risk |
|---|---|---|---|---|---|---|---|---|
| People Risk | Employees / Staff | Employee fraud, misappropriation, or collusion | Weak internal controls, poor background checks | Highly Likely | Medium | High | Weak | HIGH |
| Information Technology & Cyber Risk | IT Infrastructure / Systems | System downtime or core platform failure | Server outage, inadequate IT resilience | Possible | Low | Low | Strong | LOW |
| Process & Internal Control Risk | Onboarding / KYC Processes | Non-compliance with KYC or onboarding procedures | Inadequate verification, manual errors | Possible | High | High | Adequate | MEDIUM |
| Legal & Compliance Risk | Outsourcing / LSP Arrangements | Non-compliance in outsourcing / LSP arrangements | Weak SLA oversight, inadequate due diligence | Unlikely | Low | Low | Adequate | LOW |
| External Fraud Risk | Borrowers / External Parties | Borrower fraud – identity theft, fake borrowers, or collusion | Forged documents, weak KYC | Possible | Low | Low | Strong | LOW |
| Model / Automation / Reporting Risk | Data Aggregation / Systems | Failure in data aggregation across systems for regulatory returns | System inconsistencies, poor data governance | Highly Likely | Medium | High | Strong | LOW |
| Reputation Risk / Customer Experience | Customer Communication / Sales Practices | Miscommunication of terms or conditions to customers | Poor training, unclear communication scripts | Possible | Medium | Medium | Weak | MEDIUM |

Figure 5: An illustrative Snapshot of Operational Risk Assessment

Understanding residual risk helps decide where further action is required and where the organisation may still be vulnerable.

Conclusion

The goal, therefore, is to move away from a simple “tick-box” approach and make the operational risk assessment truly tailored to the organisation. For ML and above NBFCs, the ICAAP requirement to set aside capital for operational risk is useful, but it covers only a narrow part of what operational risk really involves. A comprehensive assessment goes much further by examining the strength of the entity’s internal controls and how effectively they manage real-world risks. If the residual risk exceeds the organisation’s tolerance level, it should trigger a closer look at those controls and prompt corrective action. Ultimately, the focus should be on building a risk framework that is meaningful, proactive, and aligned with how the organisation actually operates. The ultimate goal is therefore to develop ‘operational resilience’, which, as per Bank of England[3], is the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover from, and learn from operational disruptions.

  1. Analysing Banking Risk: World Bank
  2. FSA073: Instruction
  3. Operational resilience of the financial sector: Bank of England

Tracking Your Material Risks – Importance of Risk Register for NBFCs

– Subhojit Shome | finserv@vinodkothari.com

Introduction

A Non-Banking Financial Company (NBFC), like other financial intermediaries,  operates in a risk-intensive environment where credit, operational, technology, liquidity and regulatory exposures evolve continuously. To manage these effectively, regulators and international standard-setters increasingly expect institutions to maintain a clear, documented, and continuously updated risk inventory. This document—commonly called a risk register—forms the backbone of an NBFC’s risk management framework. Standards such as ISO 31000 emphasise that organisations must maintain structured documentation of risks, controls and monitoring processes, while the Basel Committee recognises the importance of tools that consolidate information for oversight by senior management and boards. The Reserve Bank of India (RBI), through its compliance, operational risk, outsourcing, and information technology governance guidelines, also implicitly requires NBFCs to maintain evidence of risk identification, assessment and monitoring. Together, these expectations make a risk register not just a good practice, but an essential governance artefact.

This article explains what risk registers are, outlines the material risks relevant to NBFCs, describes the contents and structure of effective risk registers, discusses the merits of consolidated versus separate registers, and demonstrates how risk registers are used in practice.

What is a Risk Register?

ISO 73:2009 Risk management—Vocabulary defines a risk register as a “record of information about identified risks”. A risk register is a structured record that captures an organisation’s identified risks, the causes and consequences of those risks, the controls in place to manage them, the effectiveness of those controls, and the actions planned to further mitigate them. It is not merely a compliance document but a living tool that helps decision-makers view exposures at a glance, track risk levels, and allocate resources. The concept and practice are consistent with ISO 31000’s emphasis on systematic identification, assessment and treatment of risk.

For an NBFC, which must demonstrate proactive risk management under multiple RBI frameworks—including the SBR Master Directions, the operational risk guidance note, outsourcing guidelines, digital lending rules, and IT governance expectations—the register is foundational evidence of risk awareness and accountability.

Figure 1: An illustrative Snapshot of a Risk Register

Risks for Which NBFCs Should Maintain Registers

An NBFC typically faces a wide spectrum of material risks that require structured tracking. The most prominent among these is credit risk, arising from borrower defaults and delinquencies, portfolio deterioration and concentration exposures. NBFCs must also track liquidity risks, especially given their reliance on market borrowings and investor confidence. Operational risks, defined by Basel and adopted by the RBI as losses due to failed processes, people, systems or external events, form a substantial part of an NBFC’s potential vulnerabilities—from frauds and system outages to process gaps.

With increasing digitisation, IT and cybersecurity risks have become highly material. RBI’s guidelines on information technology governance frameworks require NBFCs to implement ongoing monitoring and incident tracking mechanisms, all of which depend on clear risk documentation. Similarly, third-party and outsourcing risks, emphasised by both RBI, are significant given NBFCs’ reliance on technology partners, collection agencies, loan service providers and outsourcing arrangements. NBFCs must also account for regulatory and compliance risks, model and data risks, and conduct and reputational risks that emerge from customer interactions and business practices. Finally, strategic and ESG-related risks are gradually gaining prominence in supervisory expectations.

Components of a Risk Register

Although institutions may customise formats, an effective risk register should contain certain core elements. Each entry should describe the risk clearly, including its causes, potential business impact, and the business unit or process where it arises. It should include an inherent risk assessment (before considering controls) and a residual risk assessment (after controls). Controls must be recorded along with their owners and the results of recent effectiveness testing. The register should also assign a responsible risk owner at a senior level to ensure accountability. Key Risk Indicators (KRIs), where relevant, should be linked to the risk entry along with thresholds, recent values and escalation triggers. Finally, each risk entry should reflect remediation actions, timelines and review dates to ensure the register remains a dynamic management tool rather than static documentation.

An actionable risk register should be concise, structured, and linked to governance and reporting. Recommended fields include:

Figure 2: Contents of a Risk Register

What an Enterprise-Wide Risk Register Looks Like

An enterprise-wide risk register (EWRR) consolidates the institution’s major risks across all business lines into a single, coherent view. In practice, this register acts as the central dashboard for senior management and the Board. It includes credit, operational, cyber, market, liquidity, compliance, strategic and reputational risks, each summarised in a uniform format. The EWRR provides an aggregated view of risk severity, risk levels, and concentration areas. For example, it may highlight that operational risks linked to IT outages are trending upward, or that credit risk concentration in a specific sector has crossed internal appetite thresholds.

Importantly, the EWRR does not replace detailed sub-registers maintained by specialised teams; instead, it integrates their findings. Basel supervisory materials emphasise consolidation as essential for Board oversight, and the EWRR serves precisely that purpose.

Separate Risk Registers vs an Enterprise-Wide Register

NBFCs often question whether it is more effective to maintain a single enterprise-wide register or individual registers for each risk category. Two common approaches exist: maintaining one enterprise-wide register (single source of truth) or maintaining focused registers (e.g., Operational Risk Register, Credit Risk Register) with a roll-up to an enterprise view. Both approaches are widely accepted; choice depends on size, complexity and risk-data capabilities.

In practice, the most effective approach is hybrid. Individual registers—for credit, operational, cyber/IT, third-party risk and others—allow specialised teams to capture detailed technical information, testing results, and granular observations. These feed into the enterprise-wide register, which provides the Board and CRO with clear, aggregated insights. Maintaining only the EWRR risks oversimplifying important technical details, while relying exclusively on separate registers makes it difficult to achieve the consolidated oversight that regulators and Boards expect.

Best practice is centralised ownership of the taxonomy and scoring methodologies used across the specialised risk registers and the EWRR. This is in accordance with para 32 of the Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS), which states –

A bank should establish integrated data taxonomies and architecture across the banking group, which includes information on the characteristics of the data (metadata), as well as use of single identifiers and/or unified naming conventions for data including legal entities, counterparties, customers and accounts.

This fits well with the hybrid approach: specialised registers are maintained for detailed tracking but, because they use a common data definition, can be conveniently aggregated into a governance-level enterprise register containing material risks, owners, KRIs and status for Board reporting.

Applications of a Risk Register in Practice

Risk registers influence nearly every stage of the risk management lifecycle. They support risk identification during new product assessments, process reviews and internal audit findings. They allow risk measurement through inherent/residual scoring and KRIs, ensuring early detection of deteriorating risk conditions. They facilitate the evaluation of controls, since internal audit and risk teams use the register as the primary record of what controls exist and how effective they are. Action plans arising from incidents, audits or supervisory observations are also tracked through the register, making it a central management tool.

Regulations call for a number of risk assessments, including compliance risk assessment, ML/TF risk assessment, information technology and cybersecurity risk assessment, outsourcing risk assessment, and identification and assessment of operational risks. NBFCs draw on the risk registers for the list of risk events, their inherent likelihood and consequence, and the residual risks remaining with the company.

Risk registers are also a prerequisite for risk-based internal audit. The registers, which contain the list of internal controls, risk events and levels of inherent and residual risk, together with the Board’s risk appetite statement and tolerance limits, form the basis for formulating the internal audit coverage. For more information on audit coverage, refer to our write-up here.

For reporting, the register forms the basis of periodic risk reports, senior management dashboards and regulatory submissions where required. During supervisory reviews, the RBI often tests whether an NBFC can produce documented evidence of risk identification, control ownership, monitoring and remediation—exactly what a well-maintained register provides. In this way, the risk register becomes both a governance mechanism and a demonstration of compliance readiness.

RBI outsourcing directions emphasise documentation of material outsourcing arrangements and evaluation of outsourcing risk. A risk register is the optimum tool for such third-party risk management to track and escalate both foreseeable and actual outsourcing incidents and due-diligence findings.

Conclusion

For NBFCs, maintaining risk registers is not merely a procedural obligation; it is a critical part of the organisation’s risk culture and governance framework. International standards (ISO 31000), global supervisory principles (Basel Committee), and regulatory expectations all converge on the need for structured, documented, and regularly monitored risk inventories. A robust risk register—supported by discipline, clear ownership and periodic review—enables NBFCs to anticipate threats, strengthen controls, improve decision-making and satisfy supervisory expectations. As NBFCs continue to scale, digitalise and partner with third-party ecosystems, the importance of maintaining comprehensive, dynamic and enterprise-aligned risk registers will only grow.

Our other resources on risk management: