Delegation of powers by Board made prescriptive yet principle based

/0 Comments/in , , /by

Governance Directions of Banks set to be amended effective September 1, 2026

– Vinita Nair and Saloni Khant |  finserv@vinodkothari.com

RBI continues its drive of regulatory reforms for the banking sector, with the recent one being the amendment proposed in the governance directions applicable to commercial banks i.e. Draft Reserve Bank of India (Commercial Banks – Governance) Amendment Directions, 2026 (Draft Directions) relating to policy and non-policy matters placed before the Board for approval, review, information etc. proposed to be made applicable from September 1, 2026. As indicated in RBI’s Statement on Developmental and Regulatory Policies, RBI has undertaken comprehensive review and rationalization of all earlier instructions in an endeavor to enable Boards to utilize its time effectively, and to facilitate a more focused and qualitative engagement on strategy and risk governance.

While, the Draft Directions provide a compilation of matters to be placed before the Board and those that can be delegated to a specific committee or any committee of board/ management, it also provides the principles to be considered by the board while delegating the matters thereby ensuring the adequate oversight of the board  on delegated matters. The amendment would primarily affect the manner in which information is placed before the board of banks, manner and extent of delegation of their powers to committees of board and/or management and reporting requirements for such matters.

The Draft Directions are applicable to both public sector banks and private sector banks.

In this piece, the authors analyse the proposed amendment, impact and indicate the likely actionables for Banks if the amendment is notified as is.

The Role of the Board

The Board of a Bank is expected to majorly focus on overseeing the risk profile of the Bank, monitoring the integrity of its business and control mechanisms, ensuring the expert management, and maximising the interests of its stakeholders. The Board always had the power to delegate certain items to management and board committees, in some cases by way of express provisions in RBI directions, guidelines. But at the same time, it must set and enforce clear lines of responsibility and accountability for itself as well as the senior management.

The Draft Directions draw a clear line between the matters to be dealt by the Board and the matters which can be delegated to committees with only material matters being placed before the Board. Further, a principle based approach is provided for the manner in which information is placed before the Board.

Principle Based Approach for matters to be placed before the Board

The objective of these principles is for the Board to consciously examine the areas where it devotes its valuable time and expertise. The principles require the Board to document express guidelines on the manner in which information is being placed before it.

The board is required to clearly articulate the matters reserved for its approval or to be brought to its notice for information or reporting, based on applicable laws and define the nature, level of detail and frequency of information required from the management. To optimize the time of the Board for real value addition, the chairperson of the Board shall have the primary responsibility of setting the agenda of the meeting.

The matters being placed before it or the Board committees, sub-committees or senior management must be reviewed periodically. This would enable the Board to examine and revoke delegation or further delegate responsibilities wherever required. The review must be detailed enough to include the timelines for circulation of agenda items, adequacy of information captured in the agenda, time allotted for important matters, etc.

The Powers of Delegation

The RBI (Commercial Banks – Governance) Directions, 2025 (existing Directions) provide for delegation of specific items viz. reviews dealing with various performance areas, monitoring of the exposures (both credit and investment) of the bank, review of the adequacy of the risk management process and upgradation thereof, internal control system, ensuring compliance with the statutory / regulatory framework, etc. to a Committee of Board. For ease of reference, the Draft Directions compile as well as draw a clear line between the matters to be dealt by the Board and the matters which can be delegated to committees with only material matters being placed before the Board.

This distinction would enable the Board to focus on its key areas of responsibility – risk and strategy governance and strengthens its powers of oversight over the risk management system, exposures to related entities and conformity with corporate governance standards[1].

Policy Matters

A list of policies which must be placed before the Board for its approval and which may be delegated for review are prescribed in Appendix-I of the Draft Directions. The Board is responsible for approving the policies at the time of framing and only periodical review is to be delegated to the committees. In case of any ‘material amendments’ (to be defined by the Board), the Board’s approval must be sought. Thus, the Board does not lose complete oversight.

Along with a major consolidating exercise, the Draft Directions also indicate policies where delegation is expressly allowed, even where the underlying directions/ guidelines did not expressly provide for the same. Accordingly, the amendments are enabling in nature in certain cases, as illustrated below:

ProvisionsContentsDelegation to
Para 7(3) and 7(4) of RBI (Commercial Banks – Undertaking of Financial Services) Directions, 2025Where the bank intends to function as a Professional Clearing Member in commodity derivatives, policy for-Specification of risk control measures and prudential norms for exposure limits for each trading member;Governing the bank’s exposure to trading members, ensuring consistency with the overall risk appetite and regulatory requirements.Risk Management Committee
Para 7(2) and 7(3) of the RBI (Commercial Banks – Miscellaneous) Directions, 2025Policy on- Courses / certifications required for specialised areas of operationsList of sensitive positions to be covered under mandatory leave requirementsAny Committee to which powers have been delegated by the Board.

Matters other than policy

Matters other than policies which must be placed before the Board for its approval, review or information are given in Appendix-II of Draft Directions. While several matters must be mandatorily taken up by the Board, the Board shall have the discretion to delegate certain matters even where the underlying directions/ guidelines did not expressly provide for the same. Accordingly, the amendments are enabling in nature in certain cases – for e.g. matters relating to risk assessment methodology for RBIA, Annual Audit Plan, analysis of incidents of operational risk failures & their impact to audit committee, matters relating to investment portfolio to risk management committee.

The Draft Directions also provide for discontinuation of about 6 matters at the discretion of the Board. In certain cases, such as ATM transactions including failed transactions and penalties paid, certain details are to be placed before the Board. The details must be forwarded to RBI along with the Board’s observations. The Draft Directions proposes that such review may be discontinued at the discretion of the Board. Accordingly, amendments would be required in the underlying laws as well.  Similarly in case of matters relating to loans to stockbrokers and market makers where the provisions mandate half-yearly review of the aggregate portfolio, its quality and performance by the Board, the board will have to exercise its discretion depending on the extent of exposure.

Proposed Omissions

Certain provisions of the existing Directions proposed to be omitted are as follows:

ParaProvision deals withVKC Remarks
14The Board should focus on the 7 themes of: Business Strategy, Risk, Financial Reports and their integrity, Compliance, Customer Protection, Financial Inclusion, Human ResourcesInstead of specifying the themes, the proposed amendment indicates that the ultimate responsibility for the bank’s performance, conduct and control rests with the Board and that it needs to ensure that sufficient time is dedicated to strategy and risk governance.
16Review of action taken on points arising from earlier meetings till the satisfaction of the boardBroader discretion provided to Banks to decide internal processes and articulate matters requiring its approval or to be brought for reporting or noting of information.
17Placing regulatory communication from RBI and the government along with supplementary information before the Board
18Delegation expressly permitted for: Reviews dealing with various performance areas and only a summary on each of the reviews may be put up to the Board at periodic intervals; Monitoring of the exposures (both credit and investment) of the bank; Review of the adequacy of the risk management process and upgradation thereof; Internal control system; Ensuring compliance with the statutory / regulatory framework, etc.A prescriptive list of permitted delegation has been specified by RBI, refer discussion below.
19Procedural technicalities relating to placing a summary of key observations by directors at the next board meeting and confirmation by directors for their observations, dissents etc. Broader discretion provided to Banks to decide internal processes.

Conclusion

The Draft Directions propose to optimise the time of the Board of Banks to focus on strategic and governance matters instead of operational matters. While this measure aims to boost the productivity of Banks and bring ease of doing business in the short term, once notified, several actionables would arise for Banks. Banks must examine their current decision making structure, at the level of the Board and delegation to committees, to understand how they would align it with the proposed amendments.

[1] Para 15 of the existing directions retained as para 11A of the Draft Directions.

Refer to our other resources:

  1. Representation for issues related to RBI (Commercial Banks – Credit Risk Management)(Amendment) Directions, 2026
  2. RBI Directions on Lending to Related Parties: Frequently Asked Questions
  3. Navigation Roadmap through New Consolidated RBI Directions – Presentation

Indian Securitisation in FY26: Securitised Paper Volumes grow, with originator and asset diversity 

/0 Comments/in , , , /by

– Vinod Kothari & Chirag Agarwal | finserv@vinodkothari.com

Volumes of securitisation (which, of course, have always included bilateral assignments or so-called DA transactions) fell by 6% in FY 26, if the origination volume by Reliance group entities in the first half were to be excluded. However, the market has shown more originator diversity, with an increasing share of smaller issuers, including those tasting the market for the first time.

The dip in volumes is because of the larger issuers who were prominently absent or subdued – Shriram Finance as the largest issuer having raised on-balance sheet liquidity, and banking companies. However, the share of gold loans went up sharply, largely due to the sharp increase in gold prices and gold lending, Microfinance companies went more for securitisation, rather than direct assignment transactions.

For anyone studying the Indian securitisation market, it is important to note the following:

  • Reported volumes in India include direct assignments, which, in international parlance, are not “securitisation” (pure bilateral loan sales). However, in India, traditionally, DA has been a close and quick proxy for securitisation, and hence, mostly included. In FY 26, the split of DA/PTC volumes shows PTC transactions having gained in proportion. One rating agency1 reports an increase of PTC volume percentage from 54% to 60%; another one2 shows the increase from 48% to 52%.
  • Indian transactions mostly show LAP transactions as a part of MBS, whereas what the world reports as RMBS is quite small in India. Last year, there was a prominent transaction by LIC Housing Finance, through the NHB-promoted RDCL. There was no RDCL issuance this year. It seems that RMBS volume was either too small to be reportable, or was completely absent.
  • Microfinance sector has been under some stress in the recent past; however, MFIs have increasingly resorted to PTC issuances, with small deal sizes. Some deal sizes are even below 100 crores. This is indicating greater diversity of issuers, and of course, yields and ratings.
  • The market also seems to be showing larger acceptance for lower rated securities i.e., BBB+.

Overall, in a stressful global scenario, securitisation has stood firm. Non financial sector entities have shown increasing willingness to tap the market. Of course, SEBI regulations have to be more enabling.

Below, we give a detailed overview of the securitisation market, including a discussion on the asset classes. 

NBFCs vs Banks

Securitisation volumes have been largely driven by NBFCs, which recorded a 30% year-on-year increase in value. In contrast, originations by banks have declined significantly.

Recent Securitisation Structures in India – A Mix of Tradition and Innovation

Among asset classes, vehicle loans (including commercial vehicles and two-wheelers) accounted for 50% of securitisation volumes (vs 47% in the corresponding period last fiscal). Mortgage-backed loans accounted for about 28% of securitisation volume (vs 37% in the last FY). 

Vehicle loan-backed securitisations dominated the market, both in terms of number of deals and total value, reaffirming the sector’s strong position. This is consistent with the growth trend in vehicle loan originations during FY 25.

In addition to vehicle loans, originators also securitised receivables from a diverse set of underlying asset classes during Q4, including:

  1. Microfinance Loans
  2. Secured Business Loans
  3. Unsecured Business Loans
  4. Home Loans
  5. Unsecured Personal Loans
  6. Gold Loans

The continued diversification in underlying asset classes highlights the evolving maturity of India’s securitisation market and growing investor appetite across segments. The break-up of securitisation volumes across various asset classes have been presented below:

Securitisation of Vehicle Loans

The issuance volume for vehicle loan securitisation during FY26 was approximately ₹1.26 lakh crores. Most of the transactions were structured as single-tranche issuances. However, a few exceptions featured more layered structures comprising senior and equity tranches, or senior, mezzanine, and equity tranches.

In terms of credit ratings, the tranches were rated between A- and AAA. Notably, the senior tranches in the majority of transactions received high investment-grade ratings, typically falling within the AA+ to AAA range. This indicates strong investor confidence and reflects the underlying credit quality of the asset pools, supported by adequate credit enhancement mechanisms. 

Further, replenishing structures were also observed commonly during FY26. These variations indicate growing sophistication in transaction structuring within the vehicle loan securitisation space, aimed at catering to different investor preferences, improving credit protection, and aligning with originator risk appetite. As the market matures, further innovation in structuring and risk mitigation features can be expected.

In terms of credit enhancements, most vehicle loan securitisation transactions during the last quarter of FY26 featured: cash collateral (CC) and overcollateralisation (OC), with the Excess Interest Spread (EIS) serving as the first layer of loss absorption.

Securitisation of Microfinance Loans

During FY26, the MFI sector has seen a revival after a period of stress during FY 25 and FY 24. This has been due to better credit underwriting of lenders, improving performance trends and granular pool characteristics. Further, after a period of stress, the lenders relied on time-tested borrowers rather than exploring new markets leading to higher average ticket size of loans. This has led to a growth in the volumes of securitisation of microfinance loans during FY26. The PTC issuance volume of microfinance institutions increased to 14%  of total PTC issuance in FY26 from 6% of total PTC issuances in FY25. Most of the transactions were structured as a single tranche securitisation. 

Further, most microfinance loan securitisation transactions during the quarter featured credit enhancement through two primary mechanisms: CC and overcollateralisation OC, with the EIS serving as the first layer of loss absorption.

Securitisation of pool of loans backed by Home Loans & LAP

The volume of mortgage backed securitisation has been low both in terms of number as well as in terms of amount of issuance. As compared to FY25, the total MBS issuances dropped to 28% of total issuance from 37%. The transactions featured a common waterfall matrix and had received an overall rating of AAA. 

In terms of credit enhancement, CC and OC has been provided as a credit enhancement with the EIS serving as the first layer of loss absorption. 

Securitisation of Gold Loans

Gold loan securitisation volumes in H2FY26 stood at approximately ₹18,500 crore, significantly higher than the ₹5,000 crore recorded for the whole of FY25.

The jump in gold lending securitisation may be due to increase in gold prices and resultant increase in the value of the collateral. As a result of this valuation spike, average ticket sizes have increased, indicating that as gold valuations rise, consumers are leveraging higher-value loans to meet their financing needs. Another reason for the increased origination may be removal of LTV restriction in case of income generating gold loans.

Securitisation of Unsecured Loans

As per rating rationales published by Care the securitisation volumes of unsecured loans (both personal and business) increased during FY26. Investors in unsecured loan transactions, are preferring the PTC route, due to the support provided by external enhancement. CC and OC have also been provided as a credit enhancement with the EIS serving as the first layer of loss absorption.

Related articles: 

  1. Secure with Securitisation: Global Volumes Expected to Rise in 2025
  2. India securitisation volumes 2024: Has co-lending taken the sheen?
  3. Indian securitisation enters a new phase: Banks originate with a bang
  4. Securitisation: Indian market grows amidst global volume contraction
  1. Crisil report on securitisation volumes: https://www.crisilratings.com/en/home/newsroom/press-releases/2026/04/securitisation-deal-value-peaks-to-rs-2-55-lakh-crore-in-fiscal-2026.html ↩︎
  2. Care report on securitisation volumes
    https://www.careratings.com/uploads/newsfiles/1775801608_FY26%20Retail%20Securitisation%20at%20Rs%202.53%20Trillion%20First%20Dip%20PostPandemic.pdf ↩︎

INR Non-deliverable Derivatives barred; Added Bar for Related Parties

/0 Comments/in , , , /by

RBI’s 1st April circular bars Banks from INR-derivatives, with “related parties”, giving an Ind AS meaning to the term

In a move to maintain the integrity of INR in the evolving market conditions and avoid a potential misuse of intra-group structures to bypass regulatory constraints, the RBI has issued revised instructions on Risk Management and Inter-Bank Dealings

Bar on non-deliverable INR derivatives:

Considering the prevailing situation in the currency market, RBI has prohibited banks from entering into derivatives involving INR on non-deliverable basis.

The bar extends to rebooking of any derivative contract, whether deliverable or non deliverable, entered before 1st April, maturing after this date.

Fx-Derivatives contracts involving INR: not permitted with related parties 

The instructions prohibit any form of foreign exchange derivative contract involving INR with their related parties. Note that, the bar is not limited to “non-deliverable” contracts, rather, extends to all forex derivative contracts involving INR. This complete bar is likely to impact the financial markets where it is quite common to undertake such derivative transactions with related parties, more particularly, in banking groups constituting one or more financial sector entities (including NBFCs, insurance entities etc.). 

What is even more interesting is that the meaning of “related party” for this purpose is drawn from Ind AS. Banks in India are currently not following Ind AS, and therefore, they maintain a list of related parties as per IGAAP, viz., AS 18. However, the Circular explicitly refers to Ind AS 24 or equivalent international standards. This, therefore, requires immediate action on the part of banks to draw a list of related parties, not on the basis of the accounting standards applicable to them (AS-18), but, on the basis of the widely recognised IAS-24 (Ind AS 24 in the Indian context). 

The instructions refer to Indian Accounting Standard (Ind AS) 24 – Related Party Disclosures or International Accounting Standard (IAS) 24 – Related Party Disclosures or any other equivalent accounting standards. The reference thus, is not of “applicable accounting standards”, but of “equivalent accounting standards”, meaning thereby, that banks would be required to draw their list of related parties based on Ind AS 24 or its equivalent based on the country whose accounting standards are being followed by the bank in question. For instance, a foreign bank incorporated in the US will draw its definition of related party from US GAAP (ASC 850) being the equivalent of IAS 24. 

RBI’s 3-month breather for new rules on capital market exposures

/0 Comments/in , , , /by

At the fag end of the financial year, just before the Amendment Directions on Capital Market Exposures (originally issued on 13th February, 2026) were to become effective, the 30th March 2026 Press Release by RBI has the effect of deferring the applicability of and substituting the same with Revised Amendment Directions to address certain representations from the stakeholders. 

Revised Applicability Date: 

  • Effective from 1st July 2026 instead of 1st April 2026
  • Banks may opt for early adoption in its entirety

This would mean an additional window of 3 months towards implementation of the revised rules on capital market exposures. 

Acquisition Finance: clarifications on mergers and amalgamation, on-lending for acquisition permitted: target not to be a financial entity

  • Mergers and amalgamations permitted within acquisition finance, definition amended [Para 4(1)(ia)]
    • This is a clarificatory change
  • Target can be non-financial entity only [Para 170A]
    • Restriction extends to indirectly acquiring control over financial entities who are subsidiaries/ JV of target entity [proviso to Para 170B]
    • Earlier Directions referred to restriction on the Acquiring entity as a financial entity, the Revised Directions extends the restrictions on the target company too, thus limiting the scope of companies that may be acquired through 
  • On-lending by Acquiring entity to subsidiaries for acquiring control permitted [Para 170E(2)]
    • Earlier, lending was permitted to subsidiary/ SPV based on strength of Acquiring company by the bank, now, the Revised Directions further permit on-lending by the Acquiring entity to its subsidiary
  • Potential synergies to be collectively met for all companies of a group acquired pursuant to acquisition finance [Para 170B]
  • Lending to subsidiary/ SPV based on strength of Acquiring company, corporate guarantee to be provided by Acquiring company

Capital Market Intermediaries: relief that does not last long

  • Bank financing for proprietary trading permitted subject to 100% collateral in the form of cash and cash equivalents [third proviso to Para 219ZA]
    • While the proviso enables bank finance, in view of the 100% liquid security requirements, the industry participants does not seem to consider this a favourable change towards meeting the working capital requirements. However, the 3-months’ breather may be considered a favourable step. 
  • For non-debt Mutual Funds, intraday facilities secured by guaranteed receivables not to be considered as Capital Market Exposure
    • Receivables guaranteed on account of maturity proceeds of G Secs, T-Bills, SDL, or interest from G-Sec and SDLs held by such mutual funds, or maturity proceeds of TREPS from CCIL

Lending to individuals: limits to be monitored at banking system level

  • Cap of Rs. 1 crore on lending against eligible securities and Rs. 25 lacs for IPO/ FPO/ ESOP financing to be applicable at banking system level
    • While the borrower-level limits stand increased on an individual basis, the application of such limits at a banking system level will ensure that excessive borrowings are not done by an individual borrower for capital market dealings

See a detailed article on the Amendments on Capital Market Exposures here.

Navigation Roadmap through New Consolidated RBI Directions – Presentation

/0 Comments/in , , /by
Navigation roadmap through new consolidated RBI DirectionsDownload

Some of our other write-ups on the recent Master Directions and amendments/ draft proposals:

  1. https://vinodkothari.com/2025/12/new-commercial-bank-regulations-a-ready-reckoner-guide/
  2. https://vinodkothari.com/2026/02/leading-to-the-world-of-lbos-rbi-opens-up-acquisition-finance/
  3. https://vinodkothari.com/2026/02/representation-for-issues-related-to-crm-directions/
  4. https://vinodkothari.com/2025/12/2025-rbi-commercial-banks-governancedirections-guide-to-understanding-and-implementation/
  5. https://vinodkothari.com/2026/01/rbi-brings-revised-norms-on-related-party-lending-and-contracting/

RBI permits Leveraged Buy-Outs through Bank Finance

/2 Comments/in , /by

– Conditions for acquisition finance, prudential limits and new LTV requirements for various capital market exposures

– Payal Agarwal, Partner | payal@vinodkothari.com 

– Updated on March 31, 2026

Capital markets are subject to higher fluctuations and volatility, and hence, Capital Market Exposures (CME) carry a higher risk, naturally requiring higher level of control and prudential norms by the regulator. In a move to permit Leveraged Buy-Outs (LBOs), RBI issued Amendment Directions on Capital Market Exposures on 13th February, 2026, bringing amendments in various applicable Directions, covering, inter alia, conditions on acquisition finance, revised LTV limits for lending against various securities, structured requirements for funding Capital Market Intermediaries (CMIs), prudential limits on Capital Market Exposures (CMEs) etc. Through a press release on 30th March 2026, RBI has deferred the applicability of the Amendment Directions, and has issued revised Directions to clarify on certain aspects relating to acquisition finance and exposures to capital market intermediaries.

The amendments were based on the Draft Reserve Bank of India (Commercial Banks – Capital Market Exposure) Directions, 2025 issued on 24th October, 2025. See an article on the Draft Directions here.

Effective Date

The applicability of the Amendment Directions have been deferred to 1st July, 2026 (from its original effective date of 1st April, 2026), however, may be adopted by a bank prior to that as well in its entirety.

Outstanding loans/ guarantees are permitted to run-down till maturity, however, any fresh loans/ guarantees or renewal of existing loans/ facilities shall be governed by the Amendment Directions.

Navigating through the Amendments

The amendments w.r.t. CMEs have been effected through issuance of the following Amendment Directions:

RBI (Commercial Banks – Credit Facilities) Amendment Directions, 2026 [“CF Amendments”] Conditions w.r.t. Acquisition Finance, Loan against eligible securities, and funding Capital Market Intermediaries
RBI (Commercial Banks – Concentration Risk Management) Amendment Directions, 2026 [“CRM Amendments”] Components of investment exposures and credit exposures in CME and prudential ceilings, exclusions from CME ceilings and 
RBI (Commercial Banks – Financial Statements: Presentation and Disclosures) – Third Amendment Directions, 2026 [“FS Amendments”] Revised format of disclosure of exposure to capital markets
Reserve Bank of India (Commercial Banks – Undertaking of Financial Services) – Amendment Directions, 2026 [“UFS Amendments”] Applicability of conditions on acquisition finance and lending against securities to NBFCs/ HFCs within a bank group. Also see an article on the same here

Permitting Acquisition Finance by Banks

Chapter XI of the extant CF Directions dealt with “Acquisition Finance”. The existing provisions of the said chapter have been omitted and new provisions w.r.t. Acquisition finance has been incorporated therein, prescribing eligibility conditions and compliance requirements w.r.t. Acquisition Finance.

Meaning and Conditions for Acquisition Finance

Acquisition Finance has been defined as:

“Acquisition Finance” shall mean a financial facility or assistance provided to an eligible borrower entity for the purpose of acquiring control in a target company, (including through a scheme of amalgamation or merger). Such funding may also involve refinancing of existing debt of the target company if the refinancing is integral to the acquisition finance. [Para 4(1)(ia)]

The Revised Directions clarify that acquisition finance may be availed with respect to mergers and acquisitions as well.

The operating conditions are laid down in Chapter XI from Para 170A onwards.

Eligibility conditions: Acquiring company and Target company

Acquiring company*

Target company

Financing Parameters

● Indian non-financial company,

● May be listed or unlisted,

● Networth > Rs. 500 crores

    ○ As per sec 2(57) of CA, 2013

●  3 years’ track record of PAT

●  Investment grade rating (BBB- or above) from a CRA [in case of unlisted Acquiring company]

 

Financial criteria to be satisfied at a standalone and consolidated basis

● Domestic or foreign company

● Non-financial company

● Shall not be Related Party to Acquiring company (in case of first-time acquisition of control)

   ○ u/s 2(76) of CA, 2013

   ○ includes entities under common control, common management, or common promoter group, whether directly or indirectly

● Credit assessment based on combined balance sheet of Acquiring co and target co.

● Max 75% of acquisition value can be financed,

● Remaining  by Acquiring company using own funds.

  ○ shall mean internal accruals, sale of assets or redemption of investments, or issuance of fresh equity

  ○does not include Proceeds of any borrowing; instruments having  fixed repayment obligation or put option, any intragroup funding from borrowed funds

● Instruments through which control acquired by Acquiring company shall be free from any encumbrance

● Nature and extent of security cover to be determined by bank

● Post acquisition consolidated debt-equity ratio of Acquiring company shall not exceed 3:1 on a continuous basis

 

*Acquisition finance may be extended to the subsidiary or SPV set up by the Acquiring company, based on the strength of the Acquiring company. In such cases, corporate guarantee from the Acquiring company shall be mandatory.

Note that, while the Directions allow funding of upto 75% of the acquisition value, the same is subject to a more stringent condition of the post-acquisition debt-equity ratio of 3:1. The ratio is based on the consolidated financial position of the Acquiring company together with the Target company, meaning, the same is not only based on the debt position of the Acquiring company, rather, the existing debt of the Target company is also required to be taken into account. This may, in effect, reduce the total amount of acquisition funding that may be availed by the Acquiring company.

Let us consider an example:

  • Target Assets : 1000; Equity: 333, Debt: 666
  • Acquirer buys 100% of Target company, and has no other assets. Debt: 250, Equity 83
  • Consolidated balance sheet Debt becomes 916 against assets of 1000, resulting in the debt-equity ratio breaching the limits

Therefore, the 75% of acquisition value will mostly not be possible, except in cases where the Acquirer has a lower than 3:1 debt-equity ratio.

Charge on acquired stake: operation of section 19(2) of BR Act

Acquisition Finance contemplates creation of security over the securities of the Target company acquired by the Acquiring company. However, section 19(2) of the Banking Regulation Act, 1949 puts a restriction on the creation of charge on a controlling stake in a company. The section reads as:

(2) Save as provided in sub-section (1), no banking company shall hold shares in any company, whether as pledgee, mortgagee or absolute owner, of an amount exceeding thirty per cent. of the paid-up share capital of that company or thirty per cent. of its own paid-up share capital and reserves, whichever is less:

Since acquisition finance is limited to acquisition of “control”, a substantial stake would be involved in every case, especially, where 100% of the Target company is being acquired. Assuming 75% of the acquisition value is being financed by the bank, the condition w.r.t. not holding more than 30% of the paid-up share capital of the (target) company may stand breached. Hence, the Directions use the term “without prejudice to section 19(2) of the BR Act, 1949”, thus, permitting a bank to create charge on as many securities of the entity as is possible without a breach of the requirements under the BR Act. Additional collateral may be sought on the other unencumbered assets of the acquirer and/or target company, and promoter’s personal guarantee, as per the bank’s policy.

Purpose of financing

Permitted for acquiring equity stakes as strategic investments, either leading to

  • acquisition of control through a single or a series of transactions within 12 months from first disbursal of acquisition finance, or
  • increase in stake towards acquiring control over the target company, or
  • acquisition of additional stake crossing substantial thresholds [26%, 51%, 75% or 90% of voting rights], in a target company where control already exists.

The meaning of control is to be taken from section 2(27) of CA, 2013 thus, meaning to include the right to appoint majority of the directors or to control the management or policy decisions exercisable by a person or persons acting individually or in concert, directly or indirectly, including by virtue of their shareholding or management rights or shareholders agreements or voting agreements or in any other manner;

The Revised Directions clarify that the scope of acquisition of target company includes:

  • Acquisition by the Acquiring company directly, or
  • On-lending to its Indian or overseas non-financial subsidiary for such acquisition.

Indirect control through target company

With respect to indirect acquisition of control over subsidiaries or joint ventures, through acquisition of control over the holding target company, the Revised Directions clarify that the criteria w.r.t. creation of potential synergies for the acquirer must be suitably assessed considering all such companies.

Further, the acquisition finance cannot be extended towards acquisition of a target company having any financial entity as its subsidiary or JV.

Inconsistency between conditions for Acquisition Finance and purpose of Acquisition Finance

In the context of first-time acquisition of control, the CF Amendments require that the Target company and Acquiring company shall not be related parties. This would make an Acquiring company to raise funds through Acquisition Finance for acquiring control in its associate, where it already holds significant influence, but not control.

Further, the acquisition of “control” should, generally speaking, mean at least more than 50% of voting rights is acquired by  the Acquiring company, in which case, the 26% threshold as referred to as substantial stake in an existing controlled entity becomes meaningless.

While in case of NBFCs, a change in 26% shareholding is considered as change in control by the RBI, the same is not the case under CA, 2013 – which distinguishes between significant influence and control, and hence, the reference to the definition of control as per CA, 2013 in the CF Amendments has resulted in these inconsistencies. 

Bridge Finance

As regards Acquisition Finance, in case of a listed Acquiring company, the condition w.r.t. funding 25% of acquisition value through internal accruals may be met through bridge finance, subject to the specified conditions.

The Directions define bridge finance as:

“Bridge Finance” shall mean financing a borrower for an interim period, not exceeding one year, for a legitimate business purpose where the borrower has a firm plan and capability to repay such loans by raising financial resources either through issuance of equity, debt or hybrid instruments or by divestiture/hive-off of a part of existing business/assets within the interim period.

The conditions for availing bridge finance are:

  • Repayment of bridge finance shall be done through internal accruals or an equity issue or sale of assets
  • Bridge finance provided by the bank shall be on a secured basis
  • Shall not result in dilution of security coverage for acquisition finance

Valuation requirements

  • Bank to independently assess acquisition value 
  • To be determined by bank-appointed valuer
  • Based on guidelines prescribed under Reg 8(2)(e) of SEBI SAST Regulations for shares not frequently traded, viz., using valuation parameters including, book value, comparable trading multiples, and such other parameters as are customary for valuation of shares of such companies [for both listed and unlisted company].
  • In case of unlisted company, based on lower of the valuation determined as above by two independent valuers

Prudential Norms and Other compliances applicable on Financing Banks

  • Board-approved Policy on Acquisition Finance – incorporating underwriting benchmarks that address the structural complexities of such transactions, in particular relating to exposure limits, equity contribution, leverage multiples, and cash-flow certainty.
  • Prudential ceilings on Acquisition Finance –  not more than 20% of Bank’s eligible capital base within the aggregate ceiling of 40% on CMEs, both on solo and consolidated basis [Para 98A of CRM Directions]. Bank may adopt a lower ceiling based on its overall risk profile and corporate strategy. 
  • Disclosure in financial statements – disclosure of various forms of CMEs of the bank separately, including acquisition finance, with further segregation of bridge financing for meeting own fund requirements by acquiring companies and financing by overseas branches of the Indian banks etc [Para 10(5)(iia) of FS Directions]

Lending against Eligible Securities

  • Board-approved Policy on lending against eligible securities – specify the criteria for selecting securities as collateral; determining portfolio-level as well as single borrower/group borrower limits; concentration limits for exposure to single securities; LTV/margins and haircuts for different securities; and rules for ongoing valuation and margin calls
  • Lending to individuals, including non-commercial HUFs
Loan-to-Value (LTV) requirements
Nature of security CF Amendments Existing Provisions
Government Securities. incl. T-Bills As per Bank’s Policy 75% in case of equity shares/ convertible debentures (50% if held in physical form)  

In other cases, determined by Bank itself
Sovereign Gold Bonds (SGBs) As applicable to lending against gold/ silver collateral
Listed shares and listed convertible debt securities 60%
Mutual Funds (excluding Debt MFs), Units of ETF (excluding commodity ETFs) and Units of REITs/InVITs 75%
Debt Mutual Funds 85%
Listed Debt Securities 85% – AAA rated 75% – AA-BBB rated
Prudential ceilings
Acquisition of securities in secondary market Maximum upto Rs. 25 lacs Upto Rs. 20 lacs (in case of dematerialised securities) Rs. 10 lacs (in case of physical)
Maximum cap on loans to individuals# Upto Rs. 1 crore for eligible securities other than G-Sec, listed debt and units of debt mutual funds   –
IPO/ FPO/ ESOP financing#
  • Rs. 25 lacs per individual, subject to
  • 25% cash margin (upto 75% can be funded)
  • Rs. 20 lacs per individual, subject to
  • 90% of acquisition value

#The aforesaid limits are applicable at a banking system level as clarified by the Revised Directions.

Lending to Capital Market Intermediaries (CMIs)

  • Meaning of Capital Market Intermediaries:
    • regulated entities undertaking trade execution and market infrastructure services in capital markets, including  broking, clearing, custody, market making or other incidental services
    • shall not include Standalone Primary Dealers and Qualified Central Counterparty (QCCPs)
    • does not include Collective investment schemes such as mutual funds. AIFs, REITs, InvITs, etc.
  • Eligibility criteria for CMIs: shall be registered and regulated by a financial sector regulator, and in compliance with the prudential norms of such regulator
  • Conditions w.r.t. Security:
    • Facilities shall be fully secured, and the value of securities shall be adjusted for haircuts as appropriate based on nature of securities, with a minimum haircut of 40% for equity shares
    • Any guarantee issued shall be secured with minimum collateral of 50% including at least 25%  in cash
    • Eligible securities and cash pledged shall belong to borrower CMI

Restrictions on lending for proprietary trading

The Revised Directions clarify the scope and exclusions from the restrictions on lending to CMIs for acquisition of securities on its own account, including for proprietary trading and investments. The following are permitted on a fully secured basis:

  • Finance to approved market makers in equity and debt securities
  • Working capital finance for warehousing of debt securities, including Government Securities, upto a maximum period of 45 days for fulfilling firm demand/request from its clients
  • Other working capital facilities against a 100 percent collateral of cash, cash equivalents and Government Securities (including T-Bills)

Guarantee may also be issued by banks for proprietary trading subject to the facility being fully secured collateral of cash, cash equivalents and Government Securities (including T-Bills), out of which a minimum 50 per cent shall be cash or fixed deposits maintained with the lending bank. Banks to ensure that guarantees issued for non-proprietary purposes are not used to facilitate proprietary trading.

Concluding Remarks

The amendments are a positive step towards facilitating bank finance for strategic acquisitions by Indian companies, balancing the funding requirements for acquisitions with prudential norms for banks to provide for safeguards against ambitious risky funding exercises.s.

Quick Bytes on Union Budget 2026

/0 Comments/in , , , , , , , , , /by
Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [430.99 KB]

Our Resources

  1. Buyback taxation rationalised with limited relief to promoter shareholders
  2. State of Climate Finance: Domestic Resources Insufficient to Bridge Funding Gaps 
  3. Microfinance and NBFC-MFIs in Economic Survey 2026
  4. Economic Survey 2026: Key Insights on Infrastructure Financing

Every Business is a Data Business: Applicability of DPDP Act to Non-Financial Entities

/0 Comments/in , , , , /by

-Archisman Bhattacharjee | finserv@vinodkothari.com

Introduction

The Digital Personal Data Protection Act, 2023 (“DPDPA”), along with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules’, “Rules”), establishes India’s first comprehensive and rights-based data protection regime. The Act’s applicability extends far beyond financial institutions; it encompasses any entity, large or small, digital or traditional, that processes digital personal data. Although public discourse frequently associates data protection obligations with banks, fintech companies, and large technology entities, the DPDPA’s scope is intentionally crafted to be broad and sector-agnostic. As a result, non-financial entities operating in fields such as FMCG, real estate, healthcare, hospitality, education, retail, and even small kirana shops using basic digital systems are brought squarely within its regulatory ambit.

This wide applicability stems from the Act’s fundamental design. It regulates processing, not industry classification. As long as an entity processes any digital personal data, whether it is a customer’s name and phone number, an employee’s email address, a patient’s medical record, or a tenant’s identity document, the DPDPA applies, unless a statutory exemption is granted.

This article examines the applicability of the DPDPA to non-financial entities, analyses the lawful bases for processing personal data, evaluates sector-specific implications, discusses whether corporate data is included within the scope of “personal data”, and explores the operational and regulatory obligations, including security safeguards, deletion timelines, and Data Principal rights. A supporting analysis of Section 17 of the DPDPA which empowers the Central Government to exempt certain entities is also provided, along with the practical question of whether small businesses such as kirana stores may eventually be exempted.

Statutory Foundation for Applicability to Non-Financial Entities

The applicability of the DPDPA flows from Section 3, which states that the Act applies to the processing of digital personal data (including personal data which is collected physically and digitised later) within the territory of India and to processing outside India if the processing is connected with any activity of offering goods or services to data principals within the territory of India. There is no carve-out or exception based on the nature of the business, regulatory environment, or industry classification of the entity. Consequently, companies operating in sectors such as fast-moving consumer goods (FMCG), real estate, hospitality, e-commerce, education, healthcare, and professional services must comply with the Act if they process digital personal data.

The definition of “personal data” under Section 2(t) is intentionally broad, referring to any data about an identified or identifiable individual. This broad definitional standard ensures that even the most basic identifiers such as, names, phone numbers, email addresses, login credentials, and customer records fall within the purview of the Act. As a result, non-financial entities that process personal information of customers, employees, patients, visitors, students, tenants, or vendors automatically become “data fiduciaries” under Section 2(i) and must meet all obligations imposed by the Act.

The core philosophy underlying the DPDPA is processing-centric regulation. The Act deliberately avoids distinguishing entities based on their business sector, risk level, or regulatory regime. Instead, it focuses on the fundamental principle that any organisation handling personal data plays a significant role in the digital ecosystem. Non-financial entities have dramatically increased collection and utilisation of personal data for purposes such as digital marketing, analytics, supply-chain management, customer engagement, employee administration, and third-party platform integrations. This reality makes them equally capable of causing privacy harms or security breaches as financial institutions, and hence equally subject to regulation.

Moreover, non-financial sectors operate extensive digital infrastructure, such as e-commerce platforms, CRMs, ERPs, AI-based analytics systems, CCTV surveillance networks, and biometric verification systems, that rely heavily on personal data. These systems are vulnerable to cyberattacks, unauthorised access, data misuse, profiling, and identity theft. By bringing them fully within the regulatory framework, the DPDPA ensures a uniform accountability standard across the Indian digital economy.

Impact on Small Entities and the Prospect of Exemptions

Small business owners including kirana shops, local merchants, fitness coaches, small doctor’s clinics, tuition centres, neighbourhood restaurants and small real-estate brokers frequently engage in personal data processing such as storing customer phone numbers for order delivery, maintaining digital records for loyalty schemes, providing receipts digitally etc. The Act, as it stands, does not grant automatic exemptions for such entities. They are expected to issue notices, collect valid consent where applicable, respect withdrawal, ensure reasonable security safeguards, and delete data once the purpose is achieved.

This creates a compliance burden that many micro-enterprises lack the resources to fulfil. The proportionality concerns are evident: penalties under the Act may reach hundreds of crores, even though government statements indicate that penalties will be imposed only where there is significant negligence or wilful misconduct. 

The presence of Section 17(3), however, signals clear legislative recognition that small entities may require differentiated treatment. It remains reasonably likely that the government may, in future, exempt certain classes of micro-entities processing minimal personal data from certain provisions of the Act as provided under Section 17(3) and declare them as “low-risk data fiduciaries” with reduced compliance requirements.

Such exemptions would be consistent with global practice: for instance, GDPR permits reduced compliance obligations for small data volumes and uses a risk-based approach. Until notifications are issued, however, all entities including small merchants who are processing digital personal data,  remain subject to the Act.

Modes of Data Processing: Consent and Legitimate Uses

Under the DPDPA, the only lawful basis for processing personal data without consent is the limited set of “legitimate uses” specified under Section 7. Unlike earlier drafts of the Bill or international frameworks like the GDPR, “contractual necessity” or “contractual obligation” is not included as a legitimate use under the enacted DPDPA. This is a deliberate departure from global practice and means that entities cannot rely merely on contractual engagement to justify processing of personal data without consent.

Consent therefore becomes the primary lawful basis for most private-sector organisations, especially in non-financial sectors. Consent must meet the requirements of Section 6 and must be preceded by a detailed notice under Section 5. Withdrawal of consent must be as easy as its grant, placing significant obligations on data fiduciaries.

Legitimate uses under Section 7 remain narrow and apply primarily to scenarios such as compliance with law or judicial orders, medical emergencies, safeguarding individuals during disasters, and other notified public-interest functions. Most routine commercial operations in FMCG, real estate, healthcare, retail, and education do not fall within legitimate use and therefore require consent-based processing.

Applicability on Non-Financial Sector entities

Applicability in the FMCG Sector

FMCG companies, both digital-first and traditional, routinely collect and process large volumes of personal data, often through online portals, mobile applications, loyalty cards, e-commerce platforms, and promotional events. Customer names, phone numbers, addresses, behavioural data, purchase histories, and feedback form the core of their data-driven marketing strategy. Because “contractual necessity” is not a legitimate use under the DPDPA, almost all customer-facing processing requires consent, particularly marketing, profiling, analytics, and preference tracking

Additionally, FMCG entities store substantial employee personal data, which may be processed under legitimate uses for employment However, indefinite retention of customer data after fulfilment of the purpose is expressly prohibited under Section 9, mandating regular deletion or anonymisation.

FMCG entities must ensure:

  1. Clear and accessible privacy notices at all customer touchpoints
  2. Consent for marketing communications and behavioural profiling
  3. Data minimisation—avoiding excessive or persistent tracking
  4. Right to withdrawal and grievance redressal mechanisms
  5. Deploy consent banners for digital marketing
  6. Maintain opt-out mechanisms
  7. Train sales agents on data minimisation
  8. Delete customer data after loyalty programme completion

Applicability in the Real Estate Sector

The real estate sector handles sensitive personal data of prospective buyers, tenants, investors, and visitors, including identification documents, financial details, contact numbers, and biometric or CCTV data for access control in residential and commercial complexes. Most of this data is collected for contractual and compliance purposes under RERA, municipal laws, or verification procedures, placing it within the scope of legitimate uses. Yet, marketing of new projects, cold calling, and database sharing with brokers or partners require explicit consent.

A major compliance challenge in this sector is data retention, since developers often maintain personal records of customers long after project completion or sale. Section 9 makes it clear that data fiduciaries cannot retain personal data beyond the period necessary to satisfy the purpose for which it was collected, unless mandated by law. Real estate entities must therefore implement strict retention schedules and erasure policies.

Given that contractual obligation is not a legitimate use, real estate entities must:

  1. Obtain explicit consent for collection of identity documents and contact details
  2. Provide detailed notices explaining the purpose of collection of each category of data
  3. Securely store documentation, especially digital scans of IDs
  4. Establish retention and deletion policies for old applications, unconverted leads, or completed transactions
  5. Obtain consent before collecting identity proofs
  6. Encrypt storage of buyer documentation
  7. Delete lead data after reasonable time if unconverted
  8. Update customer agreements with DPDPA disclosures
  9. Ensure breach notifications and incident reporting mechanisms

Limited circumstances, such as government-required land/property registration processes, may fall under legitimate use.

Applicability in the Medical and Healthcare Sector

Healthcare providers including hospitals, clinics, diagnostic centres, telemedicine platforms, and wellness service providers process exceptionally sensitive categories of personal data, such as health records, medical histories, prescriptions, laboratory results, insurance information, and emergency contact details. While the DPDPA does not create a separate class of sensitive personal data (unlike GDPR’s Article 9), it indirectly imposes a heightened duty of care through Section 8, which mandates reasonable security safeguards for all personal data.

Most healthcare processing is covered under legitimate uses, particularly when it is necessary to provide medical treatment, respond to emergencies, or ensure patient safety. However, collecting personal data for promotional communication, wellness packages, and non-essential data analytics require explicit consent. Healthcare entities must also be mindful of strict deletion timelines under Section 9, ensuring that data is retained only for statutory medical record retention periods and not beyond.

Medical entities must:

  1. Implement the highest level of security safeguards mandated under the Rules
  2. Minimise collection of data not directly required for treatment
  3. Provide deletion rights once data retention laws (such as clinical establishment rules) permit deletion
  4. Ensure breach notifications and incident reporting mechanisms

Applicability to Other Non-Financial Sectors

A wide range of other sectors also fall fully under the Act’s scope. The hospitality industry collects personal data for guest registration, reservations, and government-mandated identity verification, and must ensure consent for digital marketing, loyalty schemes, or data sharing with travel partners. The e-commerce sector relies heavily on personal data for order fulfilment, logistics, and grievance redressal, but requires explicit consent for recommendation engines and personalised advertising. Educational institutions process student data for academic administration and compliance, requiring parental consent for processing of minors’ data under the DPDP Rules. Manufacturing and industrial entities may process limited personal data, but employee data, vendor contact details, CCTV surveillance footage, and visitor logs still bring them under the scope of the Act.

Processing of employee and vendor related data

Processing of employee and vendor personal data requires a nuanced understanding under the DPDPA, because the lawful bases and practical compliance mechanisms differ significantly for each category. In the case of employees, section 7(i) of the Act expressly recognises employment-related purposes as a legitimate use, thereby permitting employers to process the personal data of their employees including candidates, full-time staff, contractors, interns and potential employees without requiring explicit consent, so long as such processing is necessary for recruitment, attendance management, payroll, statutory compliance, or performance evaluation. However, any processing that goes beyond what is necessary for employment for instance, wellness programmes, optional benefits, behavioural analytics, or promotional features must still be based on consent.

However, in contrast, vendor employee related personnel data (names, email IDs, mobile numbers of points of contact) does not fall within any legitimate use category, and contractual necessity is not recognised as a lawful ground under the DPDPA. This leads to a practical challenge: vendors must supply personal data of their representatives for coordination and performance of commercial contracts, yet obtaining individual notices and explicit consent from each representative is often impracticable, and mere inclusion of consent language in the vendor contract does not satisfy the statutory requirement of explicit, informed consent.

To mitigate this, businesses can adopt a multi-layer compliance model. First, during vendor onboarding, companies can require the vendor entity to nominate authorised representatives, and mandate that the vendor obtain explicit consent from those individuals before sharing their information. The obligation can be placed contractually on the vendor to:

  1. inform its representatives of the purposes for which their data will be processed,
  2. provide them with the Data Fiduciary’s privacy notice, and
  3. obtain explicit, affirmative consent before disclosing the data. 

While the DPDPA requires explicit consent from the Data Principal, it does not prohibit consent being obtained through an authorised intermediary, provided the intermediary can demonstrate that the individual has indeed given such consent. Second, companies may maintain a publicly accessible privacy notice (e.g., on their website) that applies to all external stakeholders including vendor personnel setting out the purposes of processing, retention periods, rights, and grievance redressal mechanisms. Though a notice must still be “made available,” a standardised publicly available notice reduces the administrative burden of issuing individualised notices in every instance. Third, when communication is initiated with a vendor’s representative for the first time, companies should send a brief digital notice, via email or SMS, giving the individual access to the privacy notice and explaining that their data has been provided by their employer for coordination of contractual activities. This satisfies the obligation of informing the Data Principal even if consent was collected upstream by the vendor. Finally, systems must allow vendor personnel to request correction or deletion of their details, and a replacement representative can be nominated by the vendor entity, enabling ongoing compliance without business disruption.

Treatment of Corporate Data and Email IDs as “Personal Data”

The DPDPA’s definition of personal data applies strictly to natural persons, and therefore corporate data that does not identify an individual lies outside its scope. However, the boundary can be complex. Email addresses such as firstname.lastname@company.com or name@gmail.com clearly identify specific individuals and therefore may fall within the definition of personal data. Similarly, phone numbers, employee codes linked to individuals, or vendor representative names constitute personal data.

Conversely, generic email addresses such as info@company.com, support@business.com, or legal@gmail.com cannot be traced to a specific individual and therefore would not be considered personal data. This interpretation aligns closely with GDPR Recital 26, which clarifies that data relating to legal persons or generic organisational identifiers does not constitute personal data unless it directly identifies a natural person. Non-financial entities must thus carefully classify their corporate data based on identifiability to avoid over- or under-compliance.

Security Obligations, Data Principal Rights and Deletion Requirements

All non-financial entities qualifying as data fiduciaries must comply with Section 8’s mandate to implement reasonable security safeguards, including organisational policies, encryption standards, access controls, periodic audits, vulnerability assessments, and incident response mechanisms. Data breaches must be reported both to the Data Protection Board and to affected data principals in accordance with the DPDP Rules, 2025. Larger non-financial entities may be designated as Significant Data Fiduciaries under Section 10, requiring them to appoint Data Protection Officers, conduct Data Protection Impact Assessments, and undergo independent data audits.

Data principals are granted a suite of rights under Sections 11 to 15, including the right to access information about processing, seek correction or erasure of personal data, nominate a representative for emergency situations, and obtain a grievance resolution in a timely manner. These rights create substantial operational obligations for non-financial entities, which must set up dedicated channels and workflows to address such requests.

Retention and deletion are governed explicitly by Section 9, which requires that personal data be erased once the purpose has been fulfilled and no legal obligation justifies continued retention. This provision significantly impacts sectors that historically maintained extensive archives of customer and employee data with no defined deletion timeline. The DPDP Rules, 2025, require periodic data retention assessments and impose specific timelines for erasure following the withdrawal of consent or completion of purpose.

Conclusion

The DPDPA represents a transformative shift by imposing uniform obligations across all entities that process digital personal data, regardless of the industry in which they operate. Non-financial entities often overlooked in discussions of data protection engage in extensive personal data processing through their digital platforms, operational systems, and customer engagement mechanisms. As a result, they are equally bound by statutory requirements governing lawful processing, consent mechanisms, legitimate uses, security safeguards, erasure obligations, and individual rights. The DPDP Rules, 2025, further operationalise these requirements, placing significant compliance responsibilities on non-financial sectors that must now adopt structured governance frameworks, update internal policies, and strengthen technical safeguards.

As India moves closer to an integrated digital economy, the DPDPA’s application to non-financial sectors ensures that privacy protection becomes a universal standard rather than a sector-specific obligation, aligning the country’s data governance landscape more closely with global frameworks such as the GDPR, while addressing local needs through its own unique regulatory philosophy. 

As Justice D.Y. Chandrachud observed in the landmark judgment of K.S. Puttaswamy v. Union of India:

“In the digital economy, every entity that touches personal data becomes a gatekeeper of privacy.”

This statement has become a defining reality in today’s data-driven landscape.

Our other related resources:

Bank group NBFCs fall in Upper Layer without RBI identification

/0 Comments/in , , , , /by

– Dayita Kanodia | finserv@vinodkothari.com

RBI on December 5, 2025 issued RBI (Commercial Banks – Undertaking of Financial Services) (Amendment) Directions, 2025 (‘UFS Directions’) in terms of which NBFCs and HFCs, which are group entities of Banks and are therefore undertaking lending activities, will be required to comply with the following additional conditions:

  1. Follow the regulations as applicable in case of NBFC-UL (except the listing requirement)
  2. Adhere to certain stipulations as provided under RBI (Commercial Banks – Credit Risk Management) Directions, 2025 and RBI (Commercial Banks – Credit Facilities) Directions, 2025

The requirements become applicable from the date of notification itself that is December 5, 2025. Further, it may be noted that the applicability would be on fresh loans as well as renewals and not on existing loans. The following table gives an overview of the compliances that NBFCs/HFCs, which are a part of the banking group will be required to adhere to:

Common Equity Tier 1RBI (Non-Banking Financial Companies – Prudential Norms on Capital Adequacy) Directions, 2025Entities shall be required to maintain Common Equity Tier 1 capital of at least 9% of Risk Weighted Assets.
Differential standard asset provisioning RBI (Non-Banking Financial Companies – IncomeRecognition, Asset Classification and Provisioning) Directions, 2025Entities shall be required to hold differential provisioning towards different classes of standard assets.
Large Exposure FrameworkRBI (Non-Banking Financial Companies – Concentration Risk Management) Directions, 2025NBFCs/HFCs which are group entities of banks would have to adhere to the Large Exposures Framework issued by RBI.
Internal Exposure LimitsIn addition to the limits on internal SSE exposures, the Board of such bank-group NBFCs/HFCs shall determine internal exposure limits on other important sectors to which credit is extended. Further, an internal Board approved limit for exposure to the NBFC sector is also required to be put in place.
Qualification of Board MembersRBI (Non-Banking Financial Companies – Governance)Directions, 2025NBFC in the banking group shall be required to undertake a review of its Board composition to ensure the same is competent to manage the affairs of the entity. The composition of the Board should ensure a mix of educational qualification and experience within the Board. Specific expertise of Board members will be a prerequisite depending on the type of business pursued by the NBFC.
Removal of Independent DirectorThe NBFCs belonging to a banking group shall be required to report to the supervisors in case any Independent Director is removed/ resigns before completion of his normal tenure.
Restriction on granting a loan against the parent Bank’s sharesRBI (Commercial Banks – Credit Risk Management) Directions, 2025NBFCs/HFCs which are group entities of banks will not be able to grant a loan against the parent Bank’s shares. 
Prohibition to grant loans to the directors/relatives of directors of the parent BankNBFCs/HFCs will not be able to grant loans to the directors or relatives of such directors of the parent bank. 
Loans against promoters’ contributionRBI (Commercial Banks – Credit Facilities) Directions,2025Conditions w.r.t financing promoters’ contributions towards equity capital apply in terms of Para 166 of the Credit Facilities Directions. Such financing is permitted only to meet promoters’ contribution requirements in anticipation of raising resources, in accordance with the board-approved policy and treated as the bank’s investment in shares, thus, subject to the aggregate Capital Market Exposure (CME) of 40% of the bank’s net worth.  
Prohibition on Loans for financing land acquisitionGroup NBFCs shall not grant loans to private builders for acquisition and development of land. Further, in case of public agencies as borrowers, such loans can be sanctioned only by way of term loans, and the project shall be completed within a maximum of 3 years. Valuation of such land for collateral purpose shall be done at current market value only.
Loan against securities, IPO and ESOP financingChapter XIII of the Credit Facilities Directions prescribes limits on the loans against financial assets, including for IPO and ESOP financing. Such restrictions shall also apply to Group NBFCs. The limits are proposed to be amended vide the Draft Reserve Bank of India (Commercial Banks – Capital Market Exposure) Directions, 2025. See our article on the same here
Undertaking Agency BusinessReserve Bank of India (Commercial Banks – Undertaking of Financial Services) Directions, 2025 NBFCs/HFCs, which are group entities of Banks can only undertake agency business for financial products which a bank is permitted to undertake in terms of the Banking Regulations Act, 1949. 
Undertaking of the same form of business by more than one entity in the bank groupUFS DirectionsThere should only be one entity in a bank group undertaking a certain form of business unless there is proper rationale and justification for undertaking of such business by more than one entities. 
Investment RestrictionsRestrictions on investments made by the banking group entities  (at a group level) must be adhered to. 

Read our write-up on other amendments introduced for banks and their group entities here.

Other resources:

  1. FAQs on Large Exposures Framework (‘LEF’) for NBFCs under Scale Based Regulatory Framework
  2. New NBFC Regulations: A ready reckoner guide
  3. New Commercial Bank Regulations: A ready reckoner guide

RBI norms on intra-group exposures amended

/0 Comments/in , , , /by

– Payal Agarwal | payal@vinodkothari.com

Aligns intra group exposure norms with Large Exposure Framework; junks a 2016 framework for “large borrowers”

On 4th December, 2025,  less than a week after the massive consolidation exercise of RBI regulations, the RBI carried out amendments vide Reserve Bank of India (Commercial Banks – Concentration Risk Management) Amendment Directions, 2025, thus amending the recently consolidated Reserve Bank of India (Commercial Banks – Concentration Risk Management) Directions, 2025

Applicability of the Amendment Directions 

  • 1st January, 2026 – for Repeal of provisions on Enhancing Credit Supply for Large Borrowers through Market Mechanism. 
  • 1st April, 2026 – for other amendments
    • Banks may decide to implement such amendments from an earlier date
    • In case of any breach in exposure limits pursuant to the Amendment Directions, the exposures to be brought down within 6 months from the date of issuance of the Amendment Directions, i.e., 3rd June, 2026. 

Intent behind the Amendments and Key changes 

  • Repeal of requirements pertaining to credit supply to Large Borrowers through Market Mechanism (draft Circular proposing such repeal can be accessed here)
    • This is based on the Statement on Developmental and Regulatory Policies dated 1st October, 2025, wherein the extant guidelines pertaining to Large Borrowers were proposed to be withdrawn, in view of the reduced share of credit from the banking system to such large borrowers, and existence of LEF to address the concentration risks at an individual bank level. 
    • The repeal relates to a 2016 Notification (forming part of Chapter IV of the existing Concentration Risk Management Directions), whereby certain “specified borrowers” were identified, meaning those entities which had borrowed, on an aggregate from the banking system, including by way of private placed debt instruments, in excess of Rs 10000 crores.
    • There is a notable difference between LEF and the “specified borrowers” as covered by the 2016 Notification – the latter relates to large borrowers on an aggregate basis, whereas LEF still looks at the size of exposure relative to the Tier 1 capital of a single lender. However, the “specified borrower” regime is said to have lost its relevance. 
  • Alignment of requirements w.r.t. Intra-group transactions and exposures (ITEs) with the Large Exposure Framework (LEF) [see press release on the proposed amendments here]
    • Computation of exposure under ITEs to be made consistent with that under LEF 
    • Linking exposure thresholds for ITEs with Tier 1 capital instead of existing paid-up capital and reserves. 
  • Clarifications w.r.t. prudential treatment of exposures of foreign bank branches operating in India to their group entities

A track change version of the Reserve Bank of India (Commercial Banks – Concentration Risk Management) Directions, 2025, as amended vide the present Amendment Directions can be accessed here. 

RBI (Commercial Banks – Concentration Risk Management) Directions, 2025 – as amended –Download

Refer to our other resources here:

  1. 2025 RBI (Commercial Banks – Governance) Directions – Guide to Understanding and Implementation
  2. RBI Master Directions 2025:Consolidated RegulatoryFramework for NBFCs
  3. New NBFC Regulations: A ready reckoner guide