Consolidation of RBI Directions Ver 2.0
Team Finserv | finserv@vinodkothari.com
Following the consolidation action undertaken by the Department of Regulations (DoR) in November 2025, the Department of Supervision has now undertaken a comprehensive exercise to consolidate existing standalone circulars issued by RBI in supervisory domain into function-wise, entity-specific consolidated Directions for easier navigation and application. The supervisory instructions have been organised into distinct Directions for each type of RE on each supervisory function.
- Compliance Function– Prescribing the guidelines for compliance risk assessment and appointment of the chief compliance officer.
- Concurrent Audit– This is specifically applicable in case of banks and not NBFCs. In case of NBFCs, the Auditor’s Report Directions lays down the disclosures and reporting by auditors of NBFCs
- Cybersecurity, Technology: Risk, Resilience and Assurance- Provides comprehensive guidelines on IT governance and policy, information security and cybersecurity, IT operations, information system audit, BCP, disaster recovery and IT services outsourcing.
- Digital Payments Security Controls- Provides guidelines for credit-card issuing NBFCs on governance and security risk mitigation, authentication framework, fraud risk management, reconciliation mechanism, grievance redressal mechanism, web application, mobile application and card payment security controls.
- Fraud Risk Management- Lays down the process for identification and classification of fraudulent borrowers and the implementation of early warning signals (EWS)
- Internal Audit Function or Risk Based Internal Audit- Provides for harmonised Internal Audit systems and processes to be implemented by larger NBFCs (Deposit Taking and entities having asset size above ₹5000 cr)
- Statutory Audit- Lays down the regulations for appointment of statutory auditors, their eligibility criteria, intimation and reporting to the RBI, etc.
- Supervisory Returns- All regulatory filings and submission of returns to the RBI
- Miscellaneous- Consolidates the instructions for implementation of CFSS, nomination facility to be provided in case of deposit accounts, fair lending practices for charging of interest and the Prompt Corrective Action Framework.
A detailed analysis of the drafts for NBFCs has been covered here-
| Proposed Draft | Existing Circulars | Applicability | Key Changes |
|---|---|---|---|
| Reserve Bank of India (Non-Banking Financial Companies – Compliance Function) Directions, 2026 | Compliance Function and Role of Chief Compliance Officer (CCO) – NBFCs Streamlining of Internal Compliance monitoring function – leveraging use of technology | NBFCs, including HFCs, in the ML and UL. | No major changes.It has been clarified that in the absence of a new product committee, the CCO shall be required to evaluate all new products before they are launched. |
| Reserve Bank of India (Non-Banking Financial Companies – Cybersecurity, Technology: Risk, Resilience and Assurance) Directions, 2026 [IT Directions] | Master Direction – Information Technology Framework for the NBFC Sector (IT Framework)Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 (IT Governance) | All NBFCs | CICs were not required to comply requirements of IT Governance Framework, the draft IT Directions now mandate CICs to comply with the IT baseline technology standardsFor NBFCs with asset size below ₹ 500 cr-Chapter IV of IT Directions:Use of public key infrastructure (PKI) for ensuring confidentiality of data, access control, data integrity has been made mandatory (earlier recommendatory)Timeline of reporting of cyber incidents to RBI specified as 6 hours (IT Framework did not contain any such timeline)Use of Digital Signature to authenticate electronic records has been made mandatory (earlier recommendatory)For NBFCs with asset size above ₹ 500 cr-Chapter IV of IT Directions, has specified that IT capacity requirements are now to be ensured by ITSC |
| Reserve Bank of India (Non-Banking Financial Companies – Digital Payment Security Controls) Directions, 2026 | Master Direction on Digital Payment Security Controls | Card issuing NBFCs | There is additional expectation that Risk and Control Self Assessment (RCSA) shall be conducted by vendors as well and such RCSA should be evaluated by the Credit-Card issuing NBFC.Credit-Card issuing NBFCs are required to comply with a number of technical standards for card payment security. Status of compliance with these standards are to be reported to the ITSC for deliberation and appropriate action. |
| Reserve Bank of India (Non-Banking Financial Companies – Fraud Risk Management) Directions, 2026 | Master Directions on Fraud Risk Management in Non-Banking Financial Companies (NBFCs) (including Housing Finance Companies) FAQs on Master Directions on Fraud Risk Management in Regulated Entities (REs), 2024 | NBFC-ML, NBFC-UL,NBFC-BL having asset size ₹500 crores and aboveHFCs. | No Change. FAQs integrated with the circular. |
| Reserve Bank of India (Non-Banking Financial Companies – Internal Audit Function) Directions, 2026 | Risk-Based Internal Audit (RBIA) | All Deposit taking NBFCs and HFCs Non-Deposit taking NBFCs and HFCs with asset size of ₹5,000 crore and above | No Change |
| Reserve Bank of India (Non-Banking Financial Companies – Statutory Audit) Directions, 2026 | Guidelines for Appointment of Statutory Central Auditors (SCAs)/Statutory Auditors (SAs) of Commercial Banks (excluding RRBs), UCBs and NBFCs (including HFCs) FAQs on Guidelines for Appointment SCAs/ SAs of Commercial Banks (excluding RRBs), UCBs and NBFCs (including HFCs) | NBFCs and HFCs having asset size ₹1000 crores and above | No Change. FAQs integrated with the circular. |
| Reserve Bank of India (Non-Banking Financial Companies – Supervisory Returns) Directions, 2026 | Master Direction – Reserve Bank of India (Filing of Supervisory Returns) Directions – 2024 LIST OF RETURNS SUBMITTED TO RBI | All NBFCs (excluding HFCs) | Change in name of return DNBS09 from DNBS09-CRILC Weekly– RDB return to DNBS09- Return on Defaulted Borrowers.Quarterly return on Large Exposure Framework to be filed quarterly by all NBFCs in the Upper Layer – The earlier requirement was reporting of 10 largest exposures of the entity as against the proposed requirement of reporting the top 20 largest exposures. Change in nomenclature of returns on fraud reporting:FMR-I to FMRFMR-III to FUAFMR-IV to FMR 4Form A Certificate is now proposed to be filed online instead of filing in hard copy/ via email.It is proposed that hard copy of returns (hand/post/courier) or email submissions would not be accepted (i.e., would not be deemed to have been submitted by the NBFC) unless specifically prescribed.Additional returns to be filed by SPDs specified. |
| Reserve Bank of India (Non-Banking Financial Companies – Miscellaneous) Supervisory Directions, 2026 | Implementation of ‘Core Financial Services Solution’ by Non-Banking Financial Companies (NBFCs)Fair Practices Code for Lenders – Charging of InterestCoverage of customers under the nomination facilityPrompt Corrective Action (PCA) Framework for Non-Banking Financial Companies (NBFCs) | Chapter III – All NBFCs including HFCs and MFIsChapter IV – Deposit Taking NBFCs (excl. HFCs)Chapter V- Deposit taking, Non-Depositaking, in Middle, Upper and Top Layers including CICs but excluding NBFCs not accepting/ intending to accept public funds. | The phased manner timelines for implementation of CFSS has been removed since the circular is now effective |
| Reserve Bank of India (Non-Banking Financial Companies – Auditor’s Report) Directions, 2026 | Master Direction – Non-Banking Financial Companies Auditor’s Report (Reserve Bank) Directions, 2016 Provisions related to DNBS-10 (SAC) in Master Direction – Reserve Bank of India (Filing of Supervisory Returns) Directions – 2024 | Applicable to every auditor of an NBFC | Clarified that the auditor is now obligated to report to the RBI instances of non-compliance with all applicable extant directions issued by RBI. Other than the above, no major change except updation of references. |