Harmonisation and Consolidation of Instructions on Control / Assurance Functions for NBFCs
- Harshita Malik | finserv@vinodkothari.com
The RBI issued the Reserve Bank of India (Non-Banking Financial Companies – Governance) Directions, 2025 (‘Governance Directions’) on November 28, 2025, consolidating all governance-related instructions for NBFCs into a single master framework. While the said exercise addressed regulations around Board composition, fit and proper criteria, KMP compensation, and related matters, it left the two core control/assurance functions, namely, compliance and internal audit, governed by separate circulars. The draft Reserve Bank of India (Non-Banking Financial Companies – Governance) Amendment Directions, 2026 (‘Amendment Directions’), issued for public comments, absorbs the CCO Circular and RBIA Circular into the Governance Directions and proposes certain amendments to the risk management framework.

Effective Date: The Amendment Directions propose an effective date of January 1, 2027, upon formal notification.
The amendments go beyond mere consolidation of existing circulars; they introduce new obligations and structural changes to the governance norms. The key changes are given below; for the corresponding changes for banks, refer to our article here.
- Important concepts defined: The Amendment Directions contain new definitions of key concepts relating to control and assurance functions, including ‘Assurance’, ‘Clawback’, ‘Compliance’, ‘Compliance Culture’, ‘Compliance Function’, ‘Compliance Risk’, ‘Control Functions’, ‘Internal Audit Function’, ‘Internal Audit Plan’, ‘Internal Controls’, ‘Risk Appetite’, ‘Risk Limits’, ‘Risk Management’, and ‘Risk Management Function’.
- Common instructions for CRO, CCO and HIA: The Amendment Directions provide a unified set of provisions for the three heads of control and assurance functions, namely, Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Head of Internal Audit (HIA), covering eligibility, appointment conditions (seniority not more than two levels below MD & CEO, Board approval, tenure of at least three years, premature removal requiring Board approval), independence, and reporting lines (functional to Board/ACB; administrative to MD & CEO). Does this mean that the same person can be appointed as the CCO and HIA? Given that the role of the HIA includes oversight of compliance risk, it would be counter-intuitive to have the same person as the head of the compliance function as well as the head of internal audit. Similar instructions have also been introduced for banks.
- Relaxation for Base Layer continues and is further enhanced: Under the existing framework, the CCO framework applied to Middle Layer NBFCs, while the appointment of a CRO and the RBIA framework applied to NBFCs with an asset size of more than ₹5,000 crore. The exemption for Base Layer NBFCs continues and is now extended to the requirement of constituting the RMC as well.
- ₹5,000 crore threshold for mandatory RMC: NBFCs with total assets of ₹5,000 crore or above must constitute an RMC and establish a Risk Management Function headed by a CRO; the RMC is responsible for evaluating overall risks, including liquidity risk, and reporting to the Board. The existing regulations require the RMC to be constituted by all NBFCs irrespective of asset size, and hence this may be seen as a major relaxation.
- Quarterly Board meetings without Senior Management: CCO, CRO, and HIA must meet the Board or ACB at least once every quarter without the presence of Senior Management (including MD/CEO/WTD), and must have direct and unrestricted access to the Board/ACB to communicate concerns without management interference.
- Stricter external hiring restrictions: Consultants, advisors, part-time auditors, or individuals who are neither on the NBFC’s payroll nor have a contractual employer-employee relationship with the NBFC shall not be appointed/designated as CRO, CCO, or HIA. The same criteria have been prescribed for banks as well.
- Differentiated intimation timelines to RBI/NHB: For CCO and HIA (NBFC-ML and above), appointment/premature transfer/removal/exit/change in tenure must be reported to DoS, RBI/NHB at least five working days in advance (pre-event intimation), along with the candidate’s profile and a fit & proper confirmation by the competent authority; the appointment may be communicated to the candidate only after the five-day window, unless a contrary communication is received from RBI/NHB. For CRO, such intimation must be made within five working days (post-event intimation), accompanied by the candidate’s profile.
- CRO’s role in credit committee and override mechanism: CRO shall be an invitee to credit sanction/approval committee meetings without voting rights; where risk/exposure is assumed contrary to CRO advice without adequate mitigation, the responsibility rests with the next higher authority in the delegation matrix (except where the Board is the risk-assuming authority), and all such cases must be reported to the Board/RMCB.
- Internal audit of Compliance and Risk Management Functions: The Compliance Function and Risk Management Function shall be subject to regular internal audit.
- New tenure and audit-cycle mandates for Internal Audit: Staff posted to the Internal Audit Function shall ordinarily have a tenure of at least three years, and all significant activities shall be audited over a defined cycle ordinarily not exceeding three years, with high-risk areas reviewed more frequently.
- RBIA adoption and NBFC-BL exemption: All NBFCs shall adopt a Risk-Based Internal Audit (RBIA) approach focusing on higher risk, materiality, systemic relevance, and supervisory concerns as given in Annex I-A of the Amendment Directions; adoption of RBIA is voluntary for NBFC-BL. Note that under the Companies Act, internal audit is applicable even to private companies having a turnover of ₹200 crore or more, or outstanding loans or borrowings exceeding ₹100 crore. This means that even Base Layer NBFCs can be subject to internal audit requirements; however, risk-based internal audit will be mandatory only for Middle Layer and above entities. RBIA is an audit methodology that focuses on identifying, assessing, and prioritising the most significant risks faced by an organisation, and allocating audit resources accordingly. Unlike traditional compliance-oriented audits, RBIA aligns audit activities with the NBFC’s risk management framework and strategic objectives. Refer to our article on RBIA – here.
- Periodic external review for NBFC-UL Risk Management Function: NBFC-UL shall subject its Risk Management Function to periodic external review to benchmark practices and strengthen effectiveness. In the case of banks, by contrast, all three functions (compliance, risk and internal audit) are subject to external review.
- Formal Risk Exposure Matrix (9-cell grid) and Risk Audit Prioritisation Matrix (Magnitude vs. Frequency): The Amendment Directions introduce two formalised, structured risk assessment and prioritisation tools under the RBIA framework (Annex I-A): a Risk Exposure Matrix that plots inherent risk against control risk in a 9-cell grid, and a Risk Audit Prioritisation Matrix that ranks audit areas by magnitude and frequency of risk.
For ease of reference, the amendments have been classified into three categories and detailed below:
- Changes Common for CCO, CRO and HIA
| Provision | Draft Amendment Directions | Current Directions/Circulars |
|---|---|---|
| Rank | Not more than two levels below MD & CEO (for SPDs: not more than three levels; for NBFC-BL: as per policy) | CCO shall be not below two levels from CEO; for NBFC-ML, relaxable by one further level |
| Appointment tenure | Ordinarily not less than three years with no explicit relaxation. Premature transfer/removal requires Board approval | Board permitted to relax the minimum three-year tenure by one year in exceptional cases for CCO. |
| External Hiring | External hiring permitted; however, consultants, advisors, part-time auditors, or individuals without an employer-employee relationship with the NBFC shall not be appointed/designated. | External hiring permitted, no negative list prescribed |
| Reporting Line | Functional reporting: Board/ACB; Administrative: MD & CEO | Reporting by CCO to MD & CEO was the primary option; Board reporting was an alternative. |
| Quarterly meeting without senior management | Meet Board/ACB quarterly without Senior Management (including the MD / CEO / WTD) | CCO and CRO shall meet the Board or ACB at least once a quarter without the presence of the Senior Management (including the MD / CEO / WTD) |
| Intimation to RBI/NHB | For CCO and HIA: report appointment/premature transfer/removal/exit/change in tenure at least 5 working days in advance (pre-event intimation). Intimation to include profile and fit & proper confirmation by the competent authority. Appointment may be communicated to the candidate only after the five-day window, unless a contrary communication is received from RBI/NHB. For CRO: report appointment/premature transfer/removal/exit/change in tenure within 5 working days (post-event intimation). | Prior intimation was required for appointment of CCO without specifying a minimum period. Intimation to include detailed profile of the candidate, fit and proper certification by MD & CEO confirming that the person meets the prescribed supervisory requirements, and rationale for changes, if applicable. |
| Internal audit | Compliance Function and Risk Management Function shall be subject to regular internal audit | No explicit requirement that Compliance must be audited by IA |
- Changes Specific to CRO
| Provision | Draft Amendment Directions | Governance Directions |
|---|---|---|
| Threshold for RMC | NBFCs with assets ≥ ₹5,000 crore | All NBFCs |
| CRO’s role in credit decision | CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights. | CRO shall have voting power and all members shall individually and severally be liable. |
| Contrary risk advice | Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix. | No equivalent provision. |
| Risk Management Function duties | Ensure NBFC operates within risk appetite; assess risks independently – Implement NBFC-wide risk strategy aligned with Board-approved risk appetite; clear risk limits; allocate parameters – Robust information infrastructure for capital/liquidity, granular monitoring, consolidated reporting – Continuously evaluate exposures vs. limits; challenge business decisions; escalate critical issues to SM/Board/RMCB | CRO had similar duties but risk appetite/limits were not defined and escalation mechanism was not explicitly prescribed |
| External review of Risk Management Function | NBFC-UL shall subject Risk Management Function to periodic external review to benchmark practices and strengthen effectiveness | No explicit external review requirement for Risk Management Function |
- Changes in Internal Audit Function – RBIA
| Provision | Draft Amendment Directions | RBIA Circular |
|---|---|---|
| Applicability of RBIA | NBFC-ML and above (mandatory), thus making it mandatory for ML entities irrespective of asset size; NBFC-BL (voluntary). | Deposit-taking NBFCs (all sizes) and non-deposit-taking NBFCs with assets ≥ ₹5,000 crore |
| Tenure of internal auditors | Staff posted to Internal Audit Function should ordinarily have a tenure of at least three years | No specified tenure for internal audit staff |
| Internal audit cycle | All significant activities audited over a defined cycle ordinarily not exceeding three years; high-risk areas to be reviewed more frequently | No specified audit cycle |
| Structured RBIA Framework | Risk Exposure Matrix (9-cell grid, inherent risk vs. control risk) and Risk Audit Prioritisation Matrix (magnitude vs. frequency) have been specified. | No such formal risk matrix was specified. |
