RBI Guidelines on Current Account and OD Facilities: Key Provisions

/0 Comments/in /by

– Anita Baid | finserv@vinodkothari.com

RBI has introduced significant amendments concerning the opening and operation of Current Accounts and Overdraft (OD) facilities. In case of commercial banks, the new provisions contained in Chapter XIA – ‘Opening of Current Accounts and CC / OD Accounts by Banks’, replace the erstwhile framework outlined in Chapter XI of the Reserve Bank of India (Commercial Banks – Credit Risk Management) – Amendment Directions, 2025. The revised guidelines aim to rationalize the restrictions, particularly by increasing the minimum exposure threshold for applicability and providing explicit exemptions for Cash Credit (CC) facilities, thereby streamlining the management of working capital and banking arrangements for corporate borrowers.

Read more

Shastrartha 25 – Regulations for Banking Group Entities

/0 Comments/in /by

Register your interest here: https://forms.gle/cfHXEVc39B4g14ek6

A 5th December 2025 RBI amendment has introduced significant changes to the manner in which business activities may be allocated among banks and entities within banking groups, including NBFCs, HFCs, securities broking entities, AMCs, and others. These changes impact all banks with non-banking subsidiaries or associates, as well as all NBFCs, HFCs, and related entities forming part of banking groups.

Some of the requirements come into effect as early as 31st March 2026, creating an urgent need for impacted entities to reassess, restructure, or reposition their business models and inter-group arrangements.

We intend to examine these developments in depth. Given the nature and implications of the amendment, the session will include active interaction with seasoned banking and finance professionals.

You are invited to express your interest in joining this interactive discussion, scheduled for December 15th, 2025 | 6:00 p.m. onwards | YouTube & Zoom Live.

Other Resources:

A New Way to Verify Aadhaar Offline: Introduction of Face Matching

/0 Comments/in /by

– Anita Baid | finserv@vinodkothari.com

The identity verification process, specifically in case of digital transactions, has taken another step with the introduction of the Aadhaar Verifiable Credential (AVC) verification process. Introduced vide the Aadhaar (Authentication and Offline Verification) Amendment Regulations, 2025, this intends to ease the KYC verification process by regulated entities. 

For all these years, aadhaar verification relied primarily on authentication mechanisms such as OTP or biometric scanning or various forms of offline verification such as QR code verification or e-aadhaar verification or offline paper based verification. While authentication requires interaction with the UIDAI’s central servers; offline methods can be prone to manual handling and lack the security assurance that comes with a digitally verifiable central record.

Existing Offline Verification Mode

Regulated entities like banks and NBFCs, have a requirement of performing identity verification or KYC, make use of Aadhaar offline verification for the same. The common modes of offline verifications are as follows:

  1. Collection of the Aadhaar letter copy or printed E-aadhaar or PVC card and subsequently read the QR code to validate the digital signature and match the information in QR code with the printed information. 
  2. Reading QR code from the e-Aadhaar or m-Aadhaar application or PVC card or Digi locker app by using a mobile app or computer application. Subsequently the digital signature present in the QR code is validated, the information in QR code is matched with the Aadhaar data.
  3. Borrower submits a downloaded Paperless Offline e-KYC file and the digital signature in the file is validated. 

Now the Amendment Regulations have inserted another mode that is, Aadhaar Verifiable Credential verification, which may be carried out with or without offline face verification. Further, the reference to XML file and m-Aadhaar has been removed. 

What is an Aadhaar Verifiable Credential (AVC)?

AVC is a digital document issued by the Unique Identification Authority of India (UIDAI) that encapsulates specific, minimal identity attributes of an Aadhaar holder (e.g., name, date of birth, photo, last four digits of the Aadhaar number). Given that the AVC is issued by the UIDAI, makes it tamper-proof and instantly verifiable for authenticity. 

The Amendment Regulations provides the following definition:

“Aadhaar Verifiable Credential” means a digitally signed document issued by the Authority to the Aadhaar number holder which may contain last 4 digits of Aadhaar number, demographic data, like, name, address, gender, date of birth, and photograph of Aadhaar number holder, and such other information as may be specified by the Authority, which may be shared by Aadhaar number holder in full or part with an OVSE in the manner specified by the Authority, for verifying the demographic information or photograph of the Aadhaar number holder;”

Unlike full Aadhaar authentication, which might reveal more information than necessary, the AVC allows for selective disclosure, containing last 4 digits of Aadhaar number, demographic data, like, name, address, gender, date of birth, and photograph of Aadhaar number holder, and such other information as may be specified by the UIDAI. 

The key features of the AVC are as follows:

  1. Nature of document: It is a digitally signed document, with a tamper-proof and verified nature.
  2. Issuer: The document is issued solely by the Authority, that is UIDAI.
  3. Selective Disclosure: The AVC contains selective demographic data, including the last four digits of the Aadhaar number and a photograph.
  4. Controlled Sharing: The AVC is shared by the Aadhaar number holder with an OVSE (Offline Verifying Seeking Entity), ensuring the holder maintains control over  its dissemination.
  5. Purpose: The sole purpose of sharing the VC is for verifying the demographic information or photograph of the holder, strictly limiting its use for KYC procedures.

Who are Offline Verification Seeking Entity (OVSE)?

The Amendment Regulations, 2025, require Verifying Entities on being registered as OVSE to perform offline verification. Further, the regulated entities are required to make an application to UIDAI under Regulation 13A to perform Aadhaar Paperless Offline e-KYC or Aadhaar Verifiable Credential (AVC) verification via the Aadhaar Application.

The registration process requires the entity to apply to UIDAI on specified terms and conditions. UIDAI has the power to request further information, verify the details submitted, approve the application if satisfied, or reject it otherwise. If rejected, the grounds must be communicated within fifteen days. An aggrieved applicant has thirty days to apply for reconsideration. Crucially, a registered OVSE must perform offline verification only for lawful purposes, which includes carrying out KYC and Customer Due Diligence by a regulated entity.

The Amendment Regulations also clarify that Offline Verification may be carried out by the OVSE with or without offline face verification. Hence, there is an option that AVC verification can be clubbed with offline face verification.

Offline Face Verification Process

The Amendment Regulations formally define ‘Offline Face Verification’ as: 

‘”Offline Face Verification” means a mode of offline verification in which the live facial image of an Aadhaar number holder is captured and is verified against the photograph of the Aadhaar number holder stored within the Aadhaar application of the Aadhaar number holder for the correctness, or lack thereof;”

In this regard, “Aadhaar Application” means any official mobile application or web application developed and managed by UIDAI to provide an interface to Aadhaar number holders for services related to Aadhaar, including performing offline verification.

The process of Offline Face Verification establishes a secondary, crucial layer of verification that links the digital credential embedded in the AVC to the physical presence of the individual. The requirement is to ensure a live facial image of the aadhaar holder is captured, hence requiring a physical meeting and verifying it against the photograph from the aadhaar application. This is a significant step toward preventing the fraudulent use of a verified credential by someone other than the actual holder, ensuring greater integrity of the KYC process. We will have to wait and see in case the RBI comes up with necessary amendments in the KYC Directions to recognise the AVC and face verification done remotely as a face to face mode of KYC. 

Will there be an ease for Regulated Entities (RE)?

The existing process of KYC identification includes offline verification and authentication. For the implementation of the AVC and face verification facility, the RE is additionally required to be registered as an OVSP.  

Henceforth, there will be only 3 recognised ways of performing Aadhaar offline verification with or without offline face verification- 

  • QR Code verification 
  • Aadhaar Paperless Offline e-KYC  
  • AVC verification 

It seems that the Amendment Regulations require registration as an OVSE for the purpose of carrying out offline verification in case of AVC or Aadhaar Paperless Offline e-KYC Verification through the Aadhaar Application. The other modes of carrying out the verification (QR code verification, e-Aadhaar verification/Offline Paperless e-KYC verification) do not require any such registration. However, these modes require the RE to validate the digital signature of the Authority embedded in these documents. RE will, therefore, now have to decide which of these options is operationally more convenient for them.

Further, it seems that offline verification along with offline face verification would be regarded as a complete face-to-face KYC for the purpose of the onboarding of customers by regulated entities. 

Read More:

  1. Online Authentication of Aadhaar: Exclusive Club, Members Only!
  2. Setu-ing the Standard: NPCI’s New Path to Aadhaar e-KYC
  3. Resources on KYC


Every Business is a Data Business: Applicability of DPDP Act to Non-Financial Entities

/0 Comments/in , , , , /by

-Archisman Bhattacharjee | finserv@vinodkothari.com

Introduction

The Digital Personal Data Protection Act, 2023 (“DPDPA”), along with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules’, “Rules”), establishes India’s first comprehensive and rights-based data protection regime. The Act’s applicability extends far beyond financial institutions; it encompasses any entity, large or small, digital or traditional, that processes digital personal data. Although public discourse frequently associates data protection obligations with banks, fintech companies, and large technology entities, the DPDPA’s scope is intentionally crafted to be broad and sector-agnostic. As a result, non-financial entities operating in fields such as FMCG, real estate, healthcare, hospitality, education, retail, and even small kirana shops using basic digital systems are brought squarely within its regulatory ambit.

This wide applicability stems from the Act’s fundamental design. It regulates processing, not industry classification. As long as an entity processes any digital personal data, whether it is a customer’s name and phone number, an employee’s email address, a patient’s medical record, or a tenant’s identity document, the DPDPA applies, unless a statutory exemption is granted.

This article examines the applicability of the DPDPA to non-financial entities, analyses the lawful bases for processing personal data, evaluates sector-specific implications, discusses whether corporate data is included within the scope of “personal data”, and explores the operational and regulatory obligations, including security safeguards, deletion timelines, and Data Principal rights. A supporting analysis of Section 17 of the DPDPA which empowers the Central Government to exempt certain entities is also provided, along with the practical question of whether small businesses such as kirana stores may eventually be exempted.

Statutory Foundation for Applicability to Non-Financial Entities

The applicability of the DPDPA flows from Section 3, which states that the Act applies to the processing of digital personal data (including personal data which is collected physically and digitised later) within the territory of India and to processing outside India if the processing is connected with any activity of offering goods or services to data principals within the territory of India. There is no carve-out or exception based on the nature of the business, regulatory environment, or industry classification of the entity. Consequently, companies operating in sectors such as fast-moving consumer goods (FMCG), real estate, hospitality, e-commerce, education, healthcare, and professional services must comply with the Act if they process digital personal data.

The definition of “personal data” under Section 2(t) is intentionally broad, referring to any data about an identified or identifiable individual. This broad definitional standard ensures that even the most basic identifiers such as, names, phone numbers, email addresses, login credentials, and customer records fall within the purview of the Act. As a result, non-financial entities that process personal information of customers, employees, patients, visitors, students, tenants, or vendors automatically become “data fiduciaries” under Section 2(i) and must meet all obligations imposed by the Act.

The core philosophy underlying the DPDPA is processing-centric regulation. The Act deliberately avoids distinguishing entities based on their business sector, risk level, or regulatory regime. Instead, it focuses on the fundamental principle that any organisation handling personal data plays a significant role in the digital ecosystem. Non-financial entities have dramatically increased collection and utilisation of personal data for purposes such as digital marketing, analytics, supply-chain management, customer engagement, employee administration, and third-party platform integrations. This reality makes them equally capable of causing privacy harms or security breaches as financial institutions, and hence equally subject to regulation.

Moreover, non-financial sectors operate extensive digital infrastructure, such as e-commerce platforms, CRMs, ERPs, AI-based analytics systems, CCTV surveillance networks, and biometric verification systems, that rely heavily on personal data. These systems are vulnerable to cyberattacks, unauthorised access, data misuse, profiling, and identity theft. By bringing them fully within the regulatory framework, the DPDPA ensures a uniform accountability standard across the Indian digital economy.

Impact on Small Entities and the Prospect of Exemptions

Small business owners including kirana shops, local merchants, fitness coaches, small doctor’s clinics, tuition centres, neighbourhood restaurants and small real-estate brokers frequently engage in personal data processing such as storing customer phone numbers for order delivery, maintaining digital records for loyalty schemes, providing receipts digitally etc. The Act, as it stands, does not grant automatic exemptions for such entities. They are expected to issue notices, collect valid consent where applicable, respect withdrawal, ensure reasonable security safeguards, and delete data once the purpose is achieved.

This creates a compliance burden that many micro-enterprises lack the resources to fulfil. The proportionality concerns are evident: penalties under the Act may reach hundreds of crores, even though government statements indicate that penalties will be imposed only where there is significant negligence or wilful misconduct. 

The presence of Section 17(3), however, signals clear legislative recognition that small entities may require differentiated treatment. It remains reasonably likely that the government may, in future, exempt certain classes of micro-entities processing minimal personal data from certain provisions of the Act as provided under Section 17(3) and declare them as “low-risk data fiduciaries” with reduced compliance requirements.

Such exemptions would be consistent with global practice: for instance, GDPR permits reduced compliance obligations for small data volumes and uses a risk-based approach. Until notifications are issued, however, all entities including small merchants who are processing digital personal data,  remain subject to the Act.

Modes of Data Processing: Consent and Legitimate Uses

Under the DPDPA, the only lawful basis for processing personal data without consent is the limited set of “legitimate uses” specified under Section 7. Unlike earlier drafts of the Bill or international frameworks like the GDPR, “contractual necessity” or “contractual obligation” is not included as a legitimate use under the enacted DPDPA. This is a deliberate departure from global practice and means that entities cannot rely merely on contractual engagement to justify processing of personal data without consent.

Consent therefore becomes the primary lawful basis for most private-sector organisations, especially in non-financial sectors. Consent must meet the requirements of Section 6 and must be preceded by a detailed notice under Section 5. Withdrawal of consent must be as easy as its grant, placing significant obligations on data fiduciaries.

Legitimate uses under Section 7 remain narrow and apply primarily to scenarios such as compliance with law or judicial orders, medical emergencies, safeguarding individuals during disasters, and other notified public-interest functions. Most routine commercial operations in FMCG, real estate, healthcare, retail, and education do not fall within legitimate use and therefore require consent-based processing.

Applicability on Non-Financial Sector entities

Applicability in the FMCG Sector

FMCG companies, both digital-first and traditional, routinely collect and process large volumes of personal data, often through online portals, mobile applications, loyalty cards, e-commerce platforms, and promotional events. Customer names, phone numbers, addresses, behavioural data, purchase histories, and feedback form the core of their data-driven marketing strategy. Because “contractual necessity” is not a legitimate use under the DPDPA, almost all customer-facing processing requires consent, particularly marketing, profiling, analytics, and preference tracking

Additionally, FMCG entities store substantial employee personal data, which may be processed under legitimate uses for employment However, indefinite retention of customer data after fulfilment of the purpose is expressly prohibited under Section 9, mandating regular deletion or anonymisation.

FMCG entities must ensure:

  1. Clear and accessible privacy notices at all customer touchpoints
  2. Consent for marketing communications and behavioural profiling
  3. Data minimisation—avoiding excessive or persistent tracking
  4. Right to withdrawal and grievance redressal mechanisms
  5. Deploy consent banners for digital marketing
  6. Maintain opt-out mechanisms
  7. Train sales agents on data minimisation
  8. Delete customer data after loyalty programme completion

Applicability in the Real Estate Sector

The real estate sector handles sensitive personal data of prospective buyers, tenants, investors, and visitors, including identification documents, financial details, contact numbers, and biometric or CCTV data for access control in residential and commercial complexes. Most of this data is collected for contractual and compliance purposes under RERA, municipal laws, or verification procedures, placing it within the scope of legitimate uses. Yet, marketing of new projects, cold calling, and database sharing with brokers or partners require explicit consent.

A major compliance challenge in this sector is data retention, since developers often maintain personal records of customers long after project completion or sale. Section 9 makes it clear that data fiduciaries cannot retain personal data beyond the period necessary to satisfy the purpose for which it was collected, unless mandated by law. Real estate entities must therefore implement strict retention schedules and erasure policies.

Given that contractual obligation is not a legitimate use, real estate entities must:

  1. Obtain explicit consent for collection of identity documents and contact details
  2. Provide detailed notices explaining the purpose of collection of each category of data
  3. Securely store documentation, especially digital scans of IDs
  4. Establish retention and deletion policies for old applications, unconverted leads, or completed transactions
  5. Obtain consent before collecting identity proofs
  6. Encrypt storage of buyer documentation
  7. Delete lead data after reasonable time if unconverted
  8. Update customer agreements with DPDPA disclosures
  9. Ensure breach notifications and incident reporting mechanisms

Limited circumstances, such as government-required land/property registration processes, may fall under legitimate use.

Applicability in the Medical and Healthcare Sector

Healthcare providers including hospitals, clinics, diagnostic centres, telemedicine platforms, and wellness service providers process exceptionally sensitive categories of personal data, such as health records, medical histories, prescriptions, laboratory results, insurance information, and emergency contact details. While the DPDPA does not create a separate class of sensitive personal data (unlike GDPR’s Article 9), it indirectly imposes a heightened duty of care through Section 8, which mandates reasonable security safeguards for all personal data.

Most healthcare processing is covered under legitimate uses, particularly when it is necessary to provide medical treatment, respond to emergencies, or ensure patient safety. However, collecting personal data for promotional communication, wellness packages, and non-essential data analytics require explicit consent. Healthcare entities must also be mindful of strict deletion timelines under Section 9, ensuring that data is retained only for statutory medical record retention periods and not beyond.

Medical entities must:

  1. Implement the highest level of security safeguards mandated under the Rules
  2. Minimise collection of data not directly required for treatment
  3. Provide deletion rights once data retention laws (such as clinical establishment rules) permit deletion
  4. Ensure breach notifications and incident reporting mechanisms

Applicability to Other Non-Financial Sectors

A wide range of other sectors also fall fully under the Act’s scope. The hospitality industry collects personal data for guest registration, reservations, and government-mandated identity verification, and must ensure consent for digital marketing, loyalty schemes, or data sharing with travel partners. The e-commerce sector relies heavily on personal data for order fulfilment, logistics, and grievance redressal, but requires explicit consent for recommendation engines and personalised advertising. Educational institutions process student data for academic administration and compliance, requiring parental consent for processing of minors’ data under the DPDP Rules. Manufacturing and industrial entities may process limited personal data, but employee data, vendor contact details, CCTV surveillance footage, and visitor logs still bring them under the scope of the Act.

Processing of employee and vendor related data

Processing of employee and vendor personal data requires a nuanced understanding under the DPDPA, because the lawful bases and practical compliance mechanisms differ significantly for each category. In the case of employees, section 7(i) of the Act expressly recognises employment-related purposes as a legitimate use, thereby permitting employers to process the personal data of their employees including candidates, full-time staff, contractors, interns and potential employees without requiring explicit consent, so long as such processing is necessary for recruitment, attendance management, payroll, statutory compliance, or performance evaluation. However, any processing that goes beyond what is necessary for employment for instance, wellness programmes, optional benefits, behavioural analytics, or promotional features must still be based on consent.

However, in contrast, vendor employee related personnel data (names, email IDs, mobile numbers of points of contact) does not fall within any legitimate use category, and contractual necessity is not recognised as a lawful ground under the DPDPA. This leads to a practical challenge: vendors must supply personal data of their representatives for coordination and performance of commercial contracts, yet obtaining individual notices and explicit consent from each representative is often impracticable, and mere inclusion of consent language in the vendor contract does not satisfy the statutory requirement of explicit, informed consent.

To mitigate this, businesses can adopt a multi-layer compliance model. First, during vendor onboarding, companies can require the vendor entity to nominate authorised representatives, and mandate that the vendor obtain explicit consent from those individuals before sharing their information. The obligation can be placed contractually on the vendor to:

  1. inform its representatives of the purposes for which their data will be processed,
  2. provide them with the Data Fiduciary’s privacy notice, and
  3. obtain explicit, affirmative consent before disclosing the data. 

While the DPDPA requires explicit consent from the Data Principal, it does not prohibit consent being obtained through an authorised intermediary, provided the intermediary can demonstrate that the individual has indeed given such consent. Second, companies may maintain a publicly accessible privacy notice (e.g., on their website) that applies to all external stakeholders including vendor personnel setting out the purposes of processing, retention periods, rights, and grievance redressal mechanisms. Though a notice must still be “made available,” a standardised publicly available notice reduces the administrative burden of issuing individualised notices in every instance. Third, when communication is initiated with a vendor’s representative for the first time, companies should send a brief digital notice, via email or SMS, giving the individual access to the privacy notice and explaining that their data has been provided by their employer for coordination of contractual activities. This satisfies the obligation of informing the Data Principal even if consent was collected upstream by the vendor. Finally, systems must allow vendor personnel to request correction or deletion of their details, and a replacement representative can be nominated by the vendor entity, enabling ongoing compliance without business disruption.

Treatment of Corporate Data and Email IDs as “Personal Data”

The DPDPA’s definition of personal data applies strictly to natural persons, and therefore corporate data that does not identify an individual lies outside its scope. However, the boundary can be complex. Email addresses such as firstname.lastname@company.com or name@gmail.com clearly identify specific individuals and therefore may fall within the definition of personal data. Similarly, phone numbers, employee codes linked to individuals, or vendor representative names constitute personal data.

Conversely, generic email addresses such as info@company.com, support@business.com, or legal@gmail.com cannot be traced to a specific individual and therefore would not be considered personal data. This interpretation aligns closely with GDPR Recital 26, which clarifies that data relating to legal persons or generic organisational identifiers does not constitute personal data unless it directly identifies a natural person. Non-financial entities must thus carefully classify their corporate data based on identifiability to avoid over- or under-compliance.

Security Obligations, Data Principal Rights and Deletion Requirements

All non-financial entities qualifying as data fiduciaries must comply with Section 8’s mandate to implement reasonable security safeguards, including organisational policies, encryption standards, access controls, periodic audits, vulnerability assessments, and incident response mechanisms. Data breaches must be reported both to the Data Protection Board and to affected data principals in accordance with the DPDP Rules, 2025. Larger non-financial entities may be designated as Significant Data Fiduciaries under Section 10, requiring them to appoint Data Protection Officers, conduct Data Protection Impact Assessments, and undergo independent data audits.

Data principals are granted a suite of rights under Sections 11 to 15, including the right to access information about processing, seek correction or erasure of personal data, nominate a representative for emergency situations, and obtain a grievance resolution in a timely manner. These rights create substantial operational obligations for non-financial entities, which must set up dedicated channels and workflows to address such requests.

Retention and deletion are governed explicitly by Section 9, which requires that personal data be erased once the purpose has been fulfilled and no legal obligation justifies continued retention. This provision significantly impacts sectors that historically maintained extensive archives of customer and employee data with no defined deletion timeline. The DPDP Rules, 2025, require periodic data retention assessments and impose specific timelines for erasure following the withdrawal of consent or completion of purpose.

Conclusion

The DPDPA represents a transformative shift by imposing uniform obligations across all entities that process digital personal data, regardless of the industry in which they operate. Non-financial entities often overlooked in discussions of data protection engage in extensive personal data processing through their digital platforms, operational systems, and customer engagement mechanisms. As a result, they are equally bound by statutory requirements governing lawful processing, consent mechanisms, legitimate uses, security safeguards, erasure obligations, and individual rights. The DPDP Rules, 2025, further operationalise these requirements, placing significant compliance responsibilities on non-financial sectors that must now adopt structured governance frameworks, update internal policies, and strengthen technical safeguards.

As India moves closer to an integrated digital economy, the DPDPA’s application to non-financial sectors ensures that privacy protection becomes a universal standard rather than a sector-specific obligation, aligning the country’s data governance landscape more closely with global frameworks such as the GDPR, while addressing local needs through its own unique regulatory philosophy. 

As Justice D.Y. Chandrachud observed in the landmark judgment of K.S. Puttaswamy v. Union of India:

“In the digital economy, every entity that touches personal data becomes a gatekeeper of privacy.”

This statement has become a defining reality in today’s data-driven landscape.

Our other related resources:

Banking group NBFCs:  Need to map businesses to avoid overlaps with the parent banks

/0 Comments/in , , , , , /by

– Vinod Kothari | finserv@vinodkothari.com

The new dispensation implemented from 5th December 2025 implies that lending business, obviously carried in the parent bank, needs to be allocated between the bank and the group entities so as to avoid overlaps. The bank will have to take its business allocation plan, at a group level, to its board, by 31st March 2026.

The RBI’s present move has certain global precedents. Singapore passed an anti-commingling rule applicable to banking groups way back in 2004, but has subsequently relaxed the rule by a provision referred to as section 23G of the Banking Regulations. However, the approach is not uniformly shared across jurisdictions.

We are of the view that as the decision works both at the bank as well as the NBFC/HFC level, the same has to be taken to the boards of the respective NBFCs/HFCs too.

Businesses which currently overlap include the following:

  1. Loans against properties
  2. Housing finance
  3. Loans against shares
  4. Trade finance
  5. Personal loans
  6. Digital lending
  7. Small business loans
  8. Gold loans
  9. Loans against vehicles  – passenger and commercial, or loans against construction equipment

In our view, banks will have serious concerns in meeting their priority sector lending targets, unless they decide to keep priority sector lending business in the bank’s books. Priority sector lending is quite often much less profitable, and the NBFCs in the group are able to create such loans at much higher rates of return due to their delivery strengths or customer franchise. As to how the banks will be able to originate such loans departmentally, will remain a big question.

There are other implications of the above restrictions too:

  1. If a bank is engaged, for example, in MSME lending, but auto loans are done at the group entity, the bank cannot be a co-lender with its group entity, nor can it acquire auto loans originated by its group entity.
  2. Extending the same argument, if the banking group is carrying auto loan activity in its group NBFC, it cannot buy auto loans either by way of a direct assignment or co-lending, originated by other banks or other independent NBFCs. The reason for this is obvious – if the bank has decided to carry auto lending activity in its group entity, it should stay away from that exposure, even if originated by other entities.
  3. The decision to keep particular loan products with group entities – can it be stretched to the extent that bank will not have indirect exposure in such products, for example, by way of giving a loan to its group entity for on-lending for a product which the bank does not undertake departmentally? One of the reasons that may have prompted the Mohanty Group report in 2020 to segregate products between the bank and its group entities was contagion risk. If contagion is at the core of the present restriction, then that risk is still there even if the bank lends to a group entity for on-lending for a product. However, in our view, the present restriction is primarily aimed at avoiding regulatory arbitrages, and cannot be expected to require a completely independent financing of the loan products that a subsidiary finances, and not the bank.
  4. Therefore, in our view, a bank may not only on-lend to its group entities (of course, on the basis of an arm’s length lending approach), but it may also buy the asset-backed securities arising from such loan portfolios as sit with its group entities.

Factors to decide loan product allocation

In case of several non-lending products such as securities trading, demat services, etc., the approach may be easier. However, lending services constitute the bulk of any bank’s financial business, and group NBFCs and HFCs are also evidently engaged in lending. Hence, there may be a delicate decisioning by each of the boards on who does what. Note that this choice is not spasmodic – it is a strategic decision that will bind the entities for several years.

The factors based on which banks will have to decide on their business allocation may include:

  1. Delivery mechanisms – Mostly, branch and team strengths are sitting in group entities. Therefore, the loan products that entail last mile customer outreach, geographical access, etc are naturally housed in entities which possess those abilities.
  2. Technology strength: Some of the products are based on fintech or similar technology strength, which may be sitting with respective entities.
  3. Recovery mechanisms – Group entities are typically more nimble than banks. Hence, while banks may keep loans on their books, but they may engage group entities for recovery purposes.
  4. Priority sector requirements-:  This will be a very important factor in deciding business allocation. Banks are mandated to invest 40% of their ANBC in qualifying priority sector loans – not NBFCs. Hence, for such loans as qualify as priority sector, the option may be to house the portfolios with the bank, or to invest in pass through certificates.

Securitised notes: whether investment in group entities?

Talking about pass through certificates, there is a complicated question as to whether the investment limits imposed by the 5th Dec. 2025 amendment on aggregate investments in group entities will include investment in pass through certificates arising out of pools originated by group entities. In our view, the answer is in the negative, as the investment is not originator, but in the asset pools. However, if the bank makes investment in the equity tranche or credit enhancing unrated tranches, the view may be different.

Conclusion

Banks are heading shortly in the last quarter of a year which is laden with strong headwinds. In this scenario, facing business allocation decisions, rather than business expansion or risk management, may be more challenging than it may seem to the regulators.

Other resources:

Banks’ exposure to AIFs: Group-wide limits introduced

/0 Comments/in , /by

– Simrat Singh | Finserv@vinodkothari.com

The RBI has long been stitching up the seams where AIF structures threatened to pull at the fabric of Banking regulation. The latest amendment to the Reserve Bank of India (Commercial Banks – Undertaking of Financial Services) Directions, 2025 is another careful thread in that ongoing work. The provisions apply not only to banks directly but also to exposures routed through their group entities (meaning subsidiary, JV or associate of the bank). Banks (and their group entities) may still participate in AIFs but only within closely drawn boundaries. The message is unambiguous: the AIF route cannot be used to skirt evergreen exposures or manufacture regulatory arbitrage. 

Limits on investment in AIF schemes

For Category I and Category II AIFs, limits apply at both the individual bank level and at the group level.

  • At the bank level, no bank may contribute more than 10% of the corpus of any AIF scheme;
  • At the bank group level, investments are permitted within a corridor:
    • Less than 20% of the corpus of Cat I or Cat II AIFs may be invested without prior approval, provided the parent bank continues to meet minimum capital requirements and has reported net profit in each of the preceding two financial years. This means even the AMC along with the bank cannot hold more than 20%;
    • Between 20% and 30% of the corpus may be invested with prior RBI approval.

A systemic cap overlays this: contributions from all regulated entities  – banks, NBFCs, co-operative banks and AIFIs etc. – cannot collectively exceed 20% of any AIF corpus. Similarly investment in the unit capital of REITs and InvITs is capped at 10%, within the overall ceiling of 20% of net worth for equity, convertible instruments and AIF exposures. 

A question may arise on whether such limits, as applicable to investments in AIFs, would also be applicable to making investments in FMEs operating in IFSC? Practically, Indian banks are unlikely to invest in FMEs, because such investments would cause the FME to lose its tax benefits. For an FME to qualify as a “specified fund”, all its units must be held by non-residents, except those held by the sponsor. When this condition is met, the income of the fund is exempt under Section 10(4D) and the income received by non-resident investors is exempt under Section 10(23FBC) of the Income Tax Act. 

No circumvention of regulations through investments in AIFs 

Banks shall ensure that their exposure in an investee company through their investments in AIF schemes does not result in circumvention of any regulations applicable to banks. (see para 38D). This would mean that where a bank is restricted from having any exposure in an investee company (this may include restrictions on account of the end-use of funds, or restrictions in terms of limits to exposures etc), such exposures cannot be made indirectly through making investments in AIF schemes, which, in turn, leads to the bank’s exposures to such investee companies. 

Prohibition on Category III AIFs

The clearest prohibition concerns Category III AIFs. Banks are not permitted to invest in their corpus at all. If a subsidiary is a sponsor, it may hold only the minimum contribution required under SEBI’s regulations (which currently is lower of 5% of the corpus or ₹10 Crore as per proviso to Regulation 10(d) of the SEBI AIF Regulations, 2012). Highly traded, leveraged or long-short strategies are thus kept outside the perimeter of bank funding in a deliberate effort to insulate bank balance sheets from hedge-fund-type risk.

Globally, regulators have taken a different, more permissive route. In the United States, banks are not barred from investing in hedge-fund-type vehicles. Instead, the Volcker Rule restricts ownership to de-minimis levels, generally up to 3% of a fund and 3% of Tier 1 capital in aggregate.1

Under Basel’s CRE 60 framework, investments in funds are permitted, however, discipline lies in capital treatment:

  • If the bank can look-through to underlying exposures, risk weights are based on the underlying assets2;
  • Where transparency is not available, risk weights can rise to punitive levels, up to 1,250% –  making opaque fund exposures extremely capital-intensive.

Recently, IMF in its October 2025 Financial Stability Report has highlighted that banks’ exposures to non-banks, including private-credit and private-equity funds, have grown materially, raising concerns about concentration and potential spill-over risks.

India therefore stands apart. Where other jurisdictions rely on expensive capital and other constraints to manage hedge-fund-type exposures, the RBI has chosen to keep such structures outside the banking perimeter altogether. 

Provisioning and Capital Treatment

Capital consequences have also been tightened. Where a bank holds more than 5% of the corpus of an AIF that subsequently invests – other than in equity instruments3 – into a debtor company of the bank, a 100% provision must be created for the bank’s proportionate exposure (See our write-up on the same here). This directly addresses the risk that AIFs could become conduits for evergreening or indirect refinancing of stressed loans.

Overall Perspective

The Amendment Directions extend the guardrails on AIF participation to the bank group, as against the previous approach of regulating only the bank’s exposures. Guardrails are numerical and backed by provisioning and capital consequences. Any breach in the limits require reporting to RBI, with clear reasons and plan for corrective actions. For existing investments, banks are required to provide an action plan by 31st March, 2026 – ensuring the compliances within a maximum of 2 years, viz., 31st March 2028. 

RBI’s stance is more conservative than many international regimes, but the regulatory intent is unmistakable: prudential norms are not to be diluted simply because exposure is packaged through an AIF.

  1. See Section 619 of Dodd-Frank Wall Street Reform and Consumer Protection Act, 2010 ↩︎
  2.  CRE 60 offers three routes for capital treatment – look-through, mandate-based and fall-back – chosen according to how much visibility the bank has into the fund’s underlying assets. ↩︎
  3. Equity instruments means equity shares, compulsorily convertible preference shares (CCPS) and compulsorily convertible debentures (CCDs) ↩︎

See our other relevant resources:

  1. Bank group NBFCs fall in Upper Layer without RBI identification
  2. Group-level regulation: RBI brings major regulatory restrictions on banks and group entities
  3. RBI norms on intra-group exposures amended
  4. New NBFC Regulations: A ready reckoner guide

Bank group NBFCs fall in Upper Layer without RBI identification

/0 Comments/in , , , , /by

– Dayita Kanodia | finserv@vinodkothari.com

RBI on December 5, 2025 issued RBI (Commercial Banks – Undertaking of Financial Services) (Amendment) Directions, 2025 (‘UFS Directions’) in terms of which NBFCs and HFCs, which are group entities of Banks and are therefore undertaking lending activities, will be required to comply with the following additional conditions:

  1. Follow the regulations as applicable in case of NBFC-UL (except the listing requirement)
  2. Adhere to certain stipulations as provided under RBI (Commercial Banks – Credit Risk Management) Directions, 2025 and RBI (Commercial Banks – Credit Facilities) Directions, 2025

The requirements become applicable from the date of notification itself that is December 5, 2025. Further, it may be noted that the applicability would be on fresh loans as well as renewals and not on existing loans. The following table gives an overview of the compliances that NBFCs/HFCs, which are a part of the banking group will be required to adhere to:

Common Equity Tier 1RBI (Non-Banking Financial Companies – Prudential Norms on Capital Adequacy) Directions, 2025Entities shall be required to maintain Common Equity Tier 1 capital of at least 9% of Risk Weighted Assets.
Differential standard asset provisioning RBI (Non-Banking Financial Companies – IncomeRecognition, Asset Classification and Provisioning) Directions, 2025Entities shall be required to hold differential provisioning towards different classes of standard assets.
Large Exposure FrameworkRBI (Non-Banking Financial Companies – Concentration Risk Management) Directions, 2025NBFCs/HFCs which are group entities of banks would have to adhere to the Large Exposures Framework issued by RBI.
Internal Exposure LimitsIn addition to the limits on internal SSE exposures, the Board of such bank-group NBFCs/HFCs shall determine internal exposure limits on other important sectors to which credit is extended. Further, an internal Board approved limit for exposure to the NBFC sector is also required to be put in place.
Qualification of Board MembersRBI (Non-Banking Financial Companies – Governance)Directions, 2025NBFC in the banking group shall be required to undertake a review of its Board composition to ensure the same is competent to manage the affairs of the entity. The composition of the Board should ensure a mix of educational qualification and experience within the Board. Specific expertise of Board members will be a prerequisite depending on the type of business pursued by the NBFC.
Removal of Independent DirectorThe NBFCs belonging to a banking group shall be required to report to the supervisors in case any Independent Director is removed/ resigns before completion of his normal tenure.
Restriction on granting a loan against the parent Bank’s sharesRBI (Commercial Banks – Credit Risk Management) Directions, 2025NBFCs/HFCs which are group entities of banks will not be able to grant a loan against the parent Bank’s shares. 
Prohibition to grant loans to the directors/relatives of directors of the parent BankNBFCs/HFCs will not be able to grant loans to the directors or relatives of such directors of the parent bank. 
Loans against promoters’ contributionRBI (Commercial Banks – Credit Facilities) Directions,2025Conditions w.r.t financing promoters’ contributions towards equity capital apply in terms of Para 166 of the Credit Facilities Directions. Such financing is permitted only to meet promoters’ contribution requirements in anticipation of raising resources, in accordance with the board-approved policy and treated as the bank’s investment in shares, thus, subject to the aggregate Capital Market Exposure (CME) of 40% of the bank’s net worth.  
Prohibition on Loans for financing land acquisitionGroup NBFCs shall not grant loans to private builders for acquisition and development of land. Further, in case of public agencies as borrowers, such loans can be sanctioned only by way of term loans, and the project shall be completed within a maximum of 3 years. Valuation of such land for collateral purpose shall be done at current market value only.
Loan against securities, IPO and ESOP financingChapter XIII of the Credit Facilities Directions prescribes limits on the loans against financial assets, including for IPO and ESOP financing. Such restrictions shall also apply to Group NBFCs. The limits are proposed to be amended vide the Draft Reserve Bank of India (Commercial Banks – Capital Market Exposure) Directions, 2025. See our article on the same here
Undertaking Agency BusinessReserve Bank of India (Commercial Banks – Undertaking of Financial Services) Directions, 2025 NBFCs/HFCs, which are group entities of Banks can only undertake agency business for financial products which a bank is permitted to undertake in terms of the Banking Regulations Act, 1949. 
Undertaking of the same form of business by more than one entity in the bank groupUFS DirectionsThere should only be one entity in a bank group undertaking a certain form of business unless there is proper rationale and justification for undertaking of such business by more than one entities. 
Investment RestrictionsRestrictions on investments made by the banking group entities  (at a group level) must be adhered to. 

Read our write-up on other amendments introduced for banks and their group entities here.

Other resources:

  1. FAQs on Large Exposures Framework (‘LEF’) for NBFCs under Scale Based Regulatory Framework
  2. New NBFC Regulations: A ready reckoner guide
  3. New Commercial Bank Regulations: A ready reckoner guide

Group-level regulation: RBI brings major regulatory restrictions on banks and group entities

/0 Comments/in /by

– Team Vinod Kothari Consultants, finserv@vinodkothari.com

Basis a proposal made vide proposed regulation circulated on 4th October, 2024, (“Draft Proposal”), the RBI has released Reserve Bank of India (Commercial Banks – Undertaking of Financial Services) (Amendment) Directions, 2025, which put several significant restrictions on group entities of commercial banks, eventually leading to a group-wide regulation.

Veteran bankers are not surprised by the RBI’s move, though, with proposed introduction of expected losses, related party transactions and a lot more in the offing, this seems too much over too short a time.

In fact, when the non-operating financial holding company (NOFHC) model was recommended in 2013 by the Parliamentary Standing Committee on Finance, it was laid there that “(T)he general principle is that no financial services entity held by the NOFHC would be allowed to engage in any activity that a bank is permitted to undertake departmentally”. The idea of ring fencing of diverse activities was inspired by the need for controlling contagion, alleviation of regulatory arbitrage, etc. The RBI’s Internal Committee named P K Mohanty Working Group in 2020 also made similar recommendations.

The amendments are clearly aimed at curbing any possibility of regulatory arbitrage, which are currently observed. Loans against shares or acquisition finance (for which RBI’s proposals at bank level are still in draft stage), currently restricted for banks, are routed through group entities. Banks cannot fund land acquisition – the practice of general purpose corporate loans or privately placed debentures for construction companies is quite common. The extent of shareholding in entities is limited by the Banking Regulation Act, but not for group entities; therefore, private equity holdings are also funded through group companies. Most of the banking groups in the country have NBFCs and HFCs, as also several entities which have entangled operational and referral business with their parent banks.

The overall result is a complex network of activities with business and operational dependencies. A lot of rethink will be forced at group strategy level pursuant to the Directions, which, of course, were on the anvil for over 2 years now.

Read more

NBFCs shift to 4-snapshots a month for quicker credit reporting

/0 Comments/in , /by

Simrat Singh | finserv@vinodkothari.com

Similar amendments have been made for Commercial Banks, Local Area Banks, Small Finance Banks, Rural and Urban Co-operative Banks, RRBs, ARCs and AIFIs.

RBI CIC Reporting Amendment Directions (2)Download

RBI norms on intra-group exposures amended

/0 Comments/in , , , /by

– Payal Agarwal | payal@vinodkothari.com

Aligns intra group exposure norms with Large Exposure Framework; junks a 2016 framework for “large borrowers”

On 4th December, 2025,  less than a week after the massive consolidation exercise of RBI regulations, the RBI carried out amendments vide Reserve Bank of India (Commercial Banks – Concentration Risk Management) Amendment Directions, 2025, thus amending the recently consolidated Reserve Bank of India (Commercial Banks – Concentration Risk Management) Directions, 2025

Applicability of the Amendment Directions 

  • 1st January, 2026 – for Repeal of provisions on Enhancing Credit Supply for Large Borrowers through Market Mechanism. 
  • 1st April, 2026 – for other amendments
    • Banks may decide to implement such amendments from an earlier date
    • In case of any breach in exposure limits pursuant to the Amendment Directions, the exposures to be brought down within 6 months from the date of issuance of the Amendment Directions, i.e., 3rd June, 2026. 

Intent behind the Amendments and Key changes 

  • Repeal of requirements pertaining to credit supply to Large Borrowers through Market Mechanism (draft Circular proposing such repeal can be accessed here)
    • This is based on the Statement on Developmental and Regulatory Policies dated 1st October, 2025, wherein the extant guidelines pertaining to Large Borrowers were proposed to be withdrawn, in view of the reduced share of credit from the banking system to such large borrowers, and existence of LEF to address the concentration risks at an individual bank level. 
    • The repeal relates to a 2016 Notification (forming part of Chapter IV of the existing Concentration Risk Management Directions), whereby certain “specified borrowers” were identified, meaning those entities which had borrowed, on an aggregate from the banking system, including by way of private placed debt instruments, in excess of Rs 10000 crores.
    • There is a notable difference between LEF and the “specified borrowers” as covered by the 2016 Notification – the latter relates to large borrowers on an aggregate basis, whereas LEF still looks at the size of exposure relative to the Tier 1 capital of a single lender. However, the “specified borrower” regime is said to have lost its relevance. 
  • Alignment of requirements w.r.t. Intra-group transactions and exposures (ITEs) with the Large Exposure Framework (LEF) [see press release on the proposed amendments here]
    • Computation of exposure under ITEs to be made consistent with that under LEF 
    • Linking exposure thresholds for ITEs with Tier 1 capital instead of existing paid-up capital and reserves. 
  • Clarifications w.r.t. prudential treatment of exposures of foreign bank branches operating in India to their group entities

A track change version of the Reserve Bank of India (Commercial Banks – Concentration Risk Management) Directions, 2025, as amended vide the present Amendment Directions can be accessed here. 

RBI (Commercial Banks – Concentration Risk Management) Directions, 2025 – as amended –Download

Refer to our other resources here:

  1. 2025 RBI (Commercial Banks – Governance) Directions – Guide to Understanding and Implementation
  2. RBI Master Directions 2025:Consolidated RegulatoryFramework for NBFCs
  3. New NBFC Regulations: A ready reckoner guide