NBFC Annual Compliance Checklist Under RBI Guidelines 2026

Every Non-Banking Financial Company (NBFC) registered with the Reserve Bank of India must complete a comprehensive set of annual compliance obligations under the RBI Act, 1934, and the Companies Act, 2013. NBFC annual compliance spans RBI-specific filings on the COSMOS portal (NBS-7, NBS-9, DNBS returns), capital adequacy and NOF maintenance, asset classification and provisioning, Fair Practice Code adherence, KYC/AML obligations under PMLA 2002, and standard company filings including AOC-4, MGT-7, income tax, and GST returns. Failure to meet these requirements triggers penalties under Section 58B of the RBI Act, ranging from fines up to ₹10 lakh to imprisonment up to 5 years for serious violations. RBI can also cancel the Certificate of Registration (CoR) for persistent non-compliance.

This guide covers every annual compliance requirement for NBFCs in India in 2026 under the Scale Based Regulation (SBR) framework, including filing deadlines, step-by-step procedures on the COSMOS and MCA portals, CRAR and NOF calculation methods, penalty structures, and a month-by-month compliance calendar. Total annual compliance cost for most NBFCs ranges from ₹75,000 to ₹3,00,000 depending on the layer classification and asset size.

What is NBFC Annual Compliance?

NBFC annual compliance refers to the complete set of regulatory filings, financial reporting obligations, and governance requirements that every RBI-registered Non-Banking Financial Company must fulfil each financial year. NBFCs operate under a dual regulatory framework: the Reserve Bank of India regulates their financial activities under Chapter IIIB (Sections 45-IA to 45-QA) of the RBI Act, 1934, while the Ministry of Corporate Affairs governs their corporate existence under the Companies Act, 2013.

The compliance obligations are administered through two primary digital portals: the RBI's COSMOS portal (Company-wise Supervisory Monitoring System) at cosmos.rbi.org.in for all RBI-specific regulatory returns, and the MCA V3 portal at mca.gov.in for corporate filings. In addition, all direct and indirect tax filings are made through the Income Tax e-Filing portal at incometax.gov.in and the GST portal at gst.gov.in.

Since October 2022, RBI's Scale Based Regulation (SBR) framework classifies NBFCs into four layers, each with progressively stricter compliance requirements. The layer classification determines the CRAR threshold, provisioning norms, governance mandates, and reporting frequency applicable to each NBFC.

Who Must Comply: NBFC Categories Under SBR Framework

Every entity holding a Certificate of Registration (CoR) from RBI under Section 45-IA of the RBI Act, 1934, must comply with annual compliance obligations. The extent of compliance varies based on the NBFC's layer under the SBR framework.

NBFCs that have not obtained a CoR but are conducting financial activities are operating illegally under Section 45-IA(6). Such entities face prosecution under Section 58B with imprisonment up to 5 years and fines up to ₹10 lakh. If your entity is an unregistered NBFC, apply for NBFC registration with RBI immediately.

NBFC Compliance Calendar for FY 2025-26

The following month-by-month calendar lists every compliance deadline an NBFC must meet during and after the financial year ending 31 March 2026. Set reminders 15 days before each deadline to ensure timely filing.

NBS-7 Return: Quarterly Return of Deposits

The NBS-7 return is a quarterly filing mandatory for all deposit-taking NBFCs (NBFC-D) under the Non-Banking Financial Companies Acceptance of Public Deposits (Reserve Bank) Directions, 2016. This return captures the status of public deposits held by the NBFC.

Filing Details

• Who must file: All NBFC-D (deposit-taking NBFCs) holding a valid CoR
• Frequency: Quarterly (Q1: Apr-Jun, Q2: Jul-Sep, Q3: Oct-Dec, Q4: Jan-Mar)
• Deadline: Within 15 days from the end of each quarter
• Portal: COSMOS at cosmos.rbi.org.in
• Content: Opening balance of deposits, new deposits accepted during the quarter, deposits matured and repaid, closing balance, interest rates offered, and maturity profile

Non-deposit taking NBFCs (NBFC-ND) are exempt from NBS-7 filing. However, if an NBFC-ND accepts any public deposits without RBI authorisation, it constitutes a violation under Section 45-S of the RBI Act and attracts criminal prosecution.

NBS-7 Filing Procedure on COSMOS

To file the NBS-7 return, log in to the COSMOS portal using your NBFC's registered credentials. Navigate to the DNBS Returns section, select "NBS-7 Quarterly Return," and choose the applicable quarter. The form requires disclosure of: opening balance of public deposits as on the first day of the quarter, fresh deposits accepted during the quarter (segregated by tenure), deposits matured and repaid, deposits prematurely returned, interest paid on deposits, and closing balance as on the last day of the quarter. You must also report the interest rate range offered (minimum and maximum) and the maturity profile across time buckets (up to 1 year, 1 to 3 years, 3 to 5 years, and above 5 years). The return must be digitally signed by the authorised signatory whose DSC is registered on COSMOS. After submission, download the acknowledgement and file it with your compliance records.

NBS-9 Return: Statutory Auditor Certificate

The NBS-9 is an annual return that requires the NBFC's statutory auditor to certify the company's compliance with RBI Directions. This certificate is a critical compliance document that RBI reviews during its annual supervisory assessment.

What the Auditor Certifies

• Compliance with RBI Directions on acceptance of public deposits (for NBFC-D)
• Adherence to asset classification and provisioning norms
• Maintenance of CRAR at or above the prescribed minimum
• NOF at or above the prescribed minimum of ₹10 crore
• Fair Practice Code implementation and grievance redressal mechanism
• Compliance with concentration of credit/investment norms

The statutory auditor must be a Chartered Accountant appointed under Section 139 of the Companies Act, 2013. The NBS-9 certificate must be filed on the COSMOS portal within 30 days of the audit completion. If the auditor identifies any non-compliance, the NBFC must submit a remediation plan to RBI within 15 days of the adverse observation.

If your NBFC needs to appoint a new statutory auditor, see our guide on changing the company auditor for the step-by-step process and Form ADT-1 filing.

DNBS Annual Returns

Beyond NBS-7 and NBS-9, NBFCs must file various DNBS (Department of Non-Banking Supervision) returns on the COSMOS portal. The return schedule and type depend on the NBFC's SBR layer, deposit status, and asset size.

Key DNBS Returns for FY 2025-26

NBFC-BL with assets below ₹500 crore file fewer returns and at lower frequency (half-yearly or annual) compared to NBFC-ML which files monthly and quarterly returns. Ensure that the authorised signatory's DSC is registered on COSMOS before the filing season begins.

COSMOS Portal Registration and Access

All DNBS returns are filed on the COSMOS (Company-wise Supervisory Monitoring System) portal at cosmos.rbi.org.in. New NBFCs receive COSMOS login credentials from RBI's Regional Office within 30 days of CoR issuance. The portal requires a registered Digital Signature Certificate (DSC) of the authorised signatory. To register or update a DSC: log in to COSMOS, navigate to Entity Management, select "DSC Registration," upload the DSC public key, and verify using OTP. Each NBFC can register up to 3 authorised signatories. If you have lost COSMOS access or need to reset credentials, write to the DNBS department of your RBI Regional Office with a letter signed by the managing director on the NBFC's letterhead along with a copy of the CoR.

Return Filing Errors and Rectification

If errors are discovered in a filed COSMOS return, the NBFC must submit a revised return within 7 days of detecting the error. Log in to COSMOS, navigate to the filed return, select "Revise Return," make the corrections, and resubmit with a covering note explaining the corrections. Repeated revisions or material errors in filed returns are flagged by RBI's automated monitoring system and may trigger an early inspection. To prevent errors, implement a maker-checker workflow where the compliance officer prepares the return and a senior officer (CFO or managing director) reviews and approves before the digital signature is applied.

Fair Practice Code (FPC) Compliance

Every NBFC must adopt a Board-approved Fair Practice Code aligned with RBI's Master Direction on Fair Practice Code for NBFCs. The FPC governs loan application processing, loan appraisal, disbursement, recovery practices, and customer grievance handling.

FPC Requirements

• Loan application processing: Written acknowledgement within 3 working days, sanction or rejection communicated in writing with reasons
• Loan agreement: Must be in the language understood by the borrower, one copy provided to the borrower, all terms clearly stated including interest rate, fees, and penalties
• Interest rate transparency: Annualised interest rate must be disclosed, no hidden charges, prepayment penalty restrictions as per RBI guidelines
• Recovery practices: No intimidation, harassment, or physical coercion. Recovery agents must carry authorisation letters. No recovery calls before 8 AM or after 7 PM
• Grievance redressal: Dedicated Grievance Redressal Officer with contact details displayed on all branches and the website. Resolution timeline of 30 days. Escalation to RBI Ombudsman for unresolved complaints

The NBFC must submit an annual FPC compliance certificate to RBI through the COSMOS portal. The Board must review the FPC annually and update it for any changes in RBI Directions. Non-compliance with FPC norms is a common trigger for RBI penalties and is specifically examined during annual inspections.

Asset Classification and Provisioning Norms

RBI mandates that every NBFC classify its entire loan portfolio into four categories and make provisions against potential loan losses. Accurate asset classification is one of the most critical compliance obligations, directly affecting the NBFC's reported profitability and capital adequacy.

Asset Classification Categories

For NBFC-MFI (Micro Finance Institutions), the NPA classification threshold is 90 days overdue for all qualifying micro-finance loans. NBFC-ML must also maintain additional provisioning for restructured advances at 5% of the outstanding restructured portfolio. The provisioning statement must be filed on COSMOS quarterly and reviewed by the statutory auditor during the annual audit.

Capital Adequacy (CRAR) and NOF Requirements

Capital Adequacy Ratio (CRAR) and Net Owned Fund (NOF) are the two primary financial health indicators that RBI monitors for every NBFC. Falling below either threshold triggers immediate supervisory action.

CRAR Computation

CRAR is calculated as:

CRAR = (Tier I Capital + Tier II Capital) / Total Risk-Weighted Assets x 100

• Tier I Capital: Paid-up equity capital + free reserves + retained earnings - accumulated losses - intangible assets - deferred tax assets (DTA in excess of 10% of Tier I)
• Tier II Capital: Subordinated debt instruments (maximum 50% of Tier I), revaluation reserves (at 55% discount), general provisions and loss reserves (up to 1.25% of risk-weighted assets)
• Risk-Weighted Assets: On-balance sheet assets weighted by risk category (0% for cash and government securities, 20% for bank deposits, 75% for retail lending, 100% for commercial loans, 150% for equity investments)

Minimum CRAR by Layer

Net Owned Fund (NOF) Requirement

NOF is calculated as paid-up equity capital plus free reserves, minus accumulated losses, deferred revenue expenditure, and intangible assets. The minimum NOF for most NBFC categories is ₹10 crore. Specific NOF requirements by NBFC type:

• NBFC (general): ₹10 crore
• NBFC-MFI: ₹5 crore (increasing to ₹10 crore by April 2027)
• NBFC-P2P: ₹2 crore
• NBFC-AA (Account Aggregator): ₹2 crore
• NBFC-Factor: ₹10 crore
• NBFC-IFC (Infrastructure Finance): ₹300 crore

The NOF computation must be certified by the statutory auditor and filed on the COSMOS portal annually. If NOF falls below the minimum at any point during the year, the NBFC must report to RBI immediately and submit a plan to restore NOF within 3 months.

KYC/AML Compliance for NBFCs

NBFCs must comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) norms under the Prevention of Money Laundering Act (PMLA), 2002, and RBI's Master Direction on KYC (updated 2024). KYC/AML compliance is a non-negotiable requirement that RBI examines during every annual inspection.

KYC Obligations

• Customer Identification: Verify identity and address of every borrower and depositor using OVDs (Officially Valid Documents) including Aadhaar, PAN, Passport, Voter ID, and Driving Licence
• Customer Due Diligence (CDD): Risk-based CDD for all customers. Enhanced Due Diligence (EDD) for high-risk categories including PEPs (Politically Exposed Persons), high-value transactions, and customers from high-risk jurisdictions
• Ongoing monitoring: Periodic KYC updates every 2 years for high-risk, 8 years for medium-risk, and 10 years for low-risk customers
• Transaction monitoring: Flag suspicious transactions above ₹10 lakh in cash, or any transaction that appears inconsistent with the customer's profile
• STR filing: File Suspicious Transaction Reports (STR) with the Financial Intelligence Unit (FIU-IND) within 7 working days of detection
• CTR filing: File Cash Transaction Reports (CTR) for all cash transactions above ₹10 lakh with FIU-IND within 15 days of the month end

AML Compliance Structure

Every NBFC must appoint a Principal Officer responsible for AML compliance and STR/CTR filings with FIU-IND. The Principal Officer must be a senior management-level employee (at least AVP or equivalent) with direct reporting access to the Board or Managing Director. The Board must approve the KYC/AML policy and review it annually. All staff must undergo AML training at least once a year, with training records maintained for inspection purposes.

The internal audit must include a specific section on KYC/AML compliance assessment covering: completeness of customer identification records, timeliness of periodic KYC updates, suspicious transaction monitoring effectiveness, CTR filing accuracy, and AML training completion rates. NBFCs must maintain a Risk-Based Approach (RBA) to AML compliance, categorising customers into low, medium, and high-risk segments based on their business profile, transaction patterns, geographic location, and occupation.

Record Retention Requirements

Under PMLA 2002, NBFCs must retain all KYC documents and transaction records for a minimum of 5 years after the business relationship ends. This includes: customer identification records (identity proof, address proof, photographs), account opening forms and declarations, transaction records including amount, date, and parties involved, internal reporting records (STR and CTR copies), and correspondence related to suspicious transactions. RBI may require records to be retained for longer periods in specific cases, especially where an investigation is ongoing. Implement a document management system that tags retention periods and generates alerts before the scheduled destruction of records.

For detailed KYC verification procedures for your NBFC's directors, see our guide on DIR-3 KYC filing.

Annual ROC Filings: AOC-4 and MGT-7

Since NBFCs are companies registered under the Companies Act, 2013, they must complete all standard ROC filings in addition to RBI-specific compliance. The primary annual ROC filings are Form AOC-4 (Financial Statements) and Form MGT-7 (Annual Return).

Form AOC-4: Financial Statements

• Deadline: Within 30 days of the Annual General Meeting
• Contents: Audited Balance Sheet, Profit and Loss Account, Cash Flow Statement, notes to accounts, Board's Report, and Auditor's Report
• Special requirements for NBFCs: Financial statements must include NBFC-specific disclosures such as CRAR, asset classification breakup, provisioning details, and related party transactions
• Signing: Digitally signed by the managing director/CEO, CFO, one director, and the Company Secretary. Certified by the statutory auditor
• Late fee: ₹100 per day of delay, no cap

Form MGT-7: Annual Return

• Deadline: Within 60 days of the AGM
• Contents: Registered office details, principal business activity, share capital structure, shareholding pattern, director and KMP details, meetings held, and compliance certificate
• CS certification: Companies with paid-up capital of ₹10 crore or above, or turnover of ₹50 crore or above, must get MGT-7 certified by a Company Secretary in practice
• Late fee: ₹100 per day of delay, maximum ₹5 lakh

NBFCs must also file Form ADT-1 for auditor appointment, DIR-3 KYC for all directors by 30 September, and Form MSME-1 if the NBFC has outstanding payments to MSME vendors. For a complete guide on ROC annual filings, see our ROC annual filing service.

Board Meeting and AGM Compliance

NBFCs must adhere to strict corporate governance norms for board meetings and the Annual General Meeting under both the Companies Act, 2013, and RBI's governance Directions.

Board Meeting Requirements

• Frequency: Minimum 4 board meetings per financial year under Section 173 of the Companies Act, 2013
• Gap: Maximum 120 days between two consecutive board meetings
• Quorum: One-third of total directors or 2, whichever is higher
• Mandatory agenda items: Financial performance review, NPA status, CRAR report, compliance status update, FPC review (at least annually), risk assessment, and policy approvals
• Minutes: Must be recorded within 15 days of the meeting and signed by the chairperson at the next meeting

AGM Requirements

• Deadline: Within 6 months from the end of the financial year (by 30 September for FY ending 31 March)
• Business: Adoption of financial statements, declaration of dividend (if any), appointment of auditor, and appointment/re-appointment of retiring directors
• Notice: 21 clear days' notice to all members with AGM agenda and explanatory statement
• Penalty for non-compliance: Company and every officer in default liable to penalty of ₹1 lakh, plus ₹5,000 per day of continuing default under Section 99

NBFC-ML and above must also constitute an Audit Committee, Nomination and Remuneration Committee, and Risk Management Committee. These committees must meet quarterly and report to the Board. A Chief Compliance Officer (CCO) must be appointed for NBFC-ML and above.

Board Committee Structure for NBFC-ML and Above

The Audit Committee must have a minimum of 3 members, with at least two-thirds being independent directors. The chairperson must be an independent director with financial literacy. The committee reviews internal audit reports, monitors asset quality, examines provisioning adequacy, and oversees the statutory auditor's independence. The Nomination and Remuneration Committee recommends director appointments, evaluates board performance, and establishes remuneration policies for directors and key managerial personnel. It must meet at least twice a year. The Risk Management Committee identifies, assesses, and monitors the principal risks affecting the NBFC including credit risk, market risk, operational risk, and liquidity risk. This committee sets risk appetite, reviews risk policies, and reports to the Board quarterly. NBFC-UL must additionally constitute a Stakeholders' Relationship Committee to address shareholder and depositor grievances.

Minutes and Compliance Documentation

Board meeting minutes must be recorded in a Minutes Book maintained at the registered office under Section 118 of the Companies Act, 2013. Minutes must be drafted within 15 days of the meeting and signed by the chairperson of the meeting or the chairperson of the subsequent meeting. Each set of minutes must contain: the date, time, and venue of the meeting; names of directors present and absent; agenda items discussed; resolutions passed with voting details; and any dissenting views recorded. For NBFC Board meetings, minutes must specifically record discussions on: CRAR and NOF status, NPA review, compliance report from the CCO, FPC complaint summary, and any RBI correspondence received during the quarter. These minutes are reviewed by RBI during on-site inspections, so accuracy and completeness are critical.

Income Tax and GST Returns for NBFCs

NBFCs must comply with both direct and indirect tax obligations. Being companies under the Companies Act, these obligations are in addition to RBI-specific compliance.

Income Tax Compliance

• ITR-6: File the company income tax return by 31 October (for audit cases) on the e-Filing portal at incometax.gov.in. NBFCs are taxed at 25% under the old regime or 22% under Section 115BAA (new regime without exemptions)
• Tax audit: Mandatory under Section 44AB of the Income Tax Act, 1961. Upload Form 3CA-3CD on the e-Filing portal by 30 September
• Advance tax: Pay advance tax in 4 instalments (15 June: 15%, 15 September: 45%, 15 December: 75%, 15 March: 100%). Interest under Section 234B and 234C applies for shortfall
• TDS: Deduct TDS on interest payments (Section 194A), professional fees (Section 194J), rent (Section 194-I), and salaries (Section 192). File quarterly TDS returns in Form 26Q by the 31st of the month following the quarter
• Transfer pricing: If the NBFC has international transactions with associated enterprises, file Form 3CEB (Transfer Pricing Report) by 31 October

GST Compliance

• GST registration: Mandatory for all NBFCs providing financial services. Interest income on loans is exempt from GST, but processing fees, penal charges, and consultancy income attract 18% GST
• GSTR-1: Monthly filing for outward supplies by the 11th of the following month
• GSTR-3B: Monthly filing for tax payment by the 20th of the following month
• GSTR-9: Annual GST return by 31 December
• ITC reversal: NBFCs must reverse Input Tax Credit for exempt supplies (interest income) using Rule 42 and Rule 43 of CGST Rules

If your NBFC has not yet registered for GST, see our GST registration service to get started.

Penalty Structure for NBFC Non-Compliance

NBFC non-compliance triggers penalties under both the RBI Act, 1934, and the Companies Act, 2013. The penalty severity depends on the nature, duration, and impact of the violation.

NBFC Compliance Checklist for FY 2025-26

Use this checklist to track every compliance obligation. Review it monthly and mark each item as completed with the filing date and acknowledgement number.

RBI/COSMOS Filings

• NBS-7 filed for Q1, Q2, Q3, Q4 (NBFC-D only)
• NBS-9 Statutory Auditor Certificate filed
• CRAR return filed quarterly
• NPA classification return filed quarterly
• ALM return filed (quarterly for NBFC-ML, half-yearly for NBFC-BL)
• Monthly returns filed (NBFC-ML and above)
• FPC compliance certificate submitted
• Branch information return filed (if applicable)
• NOF computation certificate submitted

Corporate/ROC Filings

• AOC-4 filed within 30 days of AGM
• MGT-7 filed within 60 days of AGM
• DIR-3 KYC filed for all directors by 30 September
• ADT-1 filed for auditor appointment (if changed)
• MSME-1 filed (if MSME vendor payments outstanding)
• AGM held by 30 September
• Minimum 4 board meetings held with max 120-day gap
• Board committees (Audit, NRC, RMC) met as per schedule

Tax Filings

• Advance tax paid in 4 instalments
• Tax audit report (3CA-3CD) uploaded by 30 September
• ITR-6 filed by 31 October
• Quarterly TDS returns (26Q) filed
• GSTR-1 filed monthly
• GSTR-3B filed monthly
• GSTR-9 annual return filed by 31 December

Policy and Governance

• Fair Practice Code reviewed and updated by the Board
• KYC/AML policy reviewed and updated annually
• Grievance Redressal Officer details published on website and branches
• Staff AML training conducted
• Interest rate policy reviewed by the Board
• Related party transaction policy reviewed
• IT security and cyber security policy reviewed (NBFC-ML and above)

Common Mistakes in NBFC Annual Compliance

Under-Provisioning for Non-Performing Assets

Many NBFCs classify borderline overdue loans as "Standard" to avoid provisioning impact on profitability. RBI inspections specifically look for evergreening patterns where fresh loans are disbursed to the same borrower to mask NPAs. When RBI reclassifies these assets during inspection, the NBFC faces mandatory additional provisioning that can erode capital by 2% to 5% of the loan book, potentially breaching CRAR thresholds. Maintain conservative asset classification and provision at least 10% above the regulatory minimum for sub-standard assets.

Missing COSMOS Filing Deadlines

COSMOS returns have strict quarterly and monthly deadlines that differ from the annual ROC calendar. New NBFCs often track only ROC deadlines and miss the 15-day window for NBS-7 or the monthly return deadlines for NBFC-ML. Each missed COSMOS return generates an automatic alert at RBI's Regional Office and counts as a compliance failure in the next inspection report. Assign a dedicated compliance officer to track all COSMOS deadlines separately.

Inadequate KYC Documentation

RBI inspections frequently flag incomplete KYC files where borrower identity or address proof is missing, expired, or not updated within the prescribed period. For NBFCs with large retail loan portfolios, maintaining 100% KYC compliance across thousands of borrower files is operationally challenging. Implement a KYC management system that flags upcoming re-verification dates and generates automated reminders to branch-level officers.

Not Appointing a Chief Compliance Officer (CCO)

NBFC-ML and above must appoint a CCO who reports directly to the Board or the Managing Director. The CCO cannot hold dual roles or be the same person as the CFO or Company Secretary. Many NBFCs in the Middle Layer overlook this requirement or assign it informally to an existing executive. RBI inspections check for formal CCO appointment letters and Board resolutions. The CCO must have a minimum of 5 years' experience in compliance or risk management.

Delayed Board Committee Constitution

When an NBFC transitions from NBFC-BL to NBFC-ML (crossing ₹1,000 crore in assets), it must constitute Audit Committee, Nomination and Remuneration Committee, and Risk Management Committee within 3 months. Many NBFCs delay this transition, continuing to operate with NBFC-BL governance structures. RBI flags this as a material compliance failure and may impose business restrictions until the governance structure is corrected.

Failure to Update RBI on Changes in Management

NBFCs are required to obtain prior RBI approval before appointing or changing the managing director, whole-time director, or CEO. Section 45-IA(4) of the RBI Act mandates that RBI must be satisfied about the "fit and proper" status of the proposed management. Any change in directors holding 10% or more shareholding must also be reported to RBI. Failure to obtain prior approval for management changes is treated as a serious compliance violation and can result in a show-cause notice for CoR cancellation. File the required intimation with the DNBS department of the RBI Regional Office at least 30 days before the proposed appointment date, along with the candidate's declaration in the prescribed format, police verification certificate, and credit information report from CIBIL.

Ignoring Related Party Transaction Reporting

NBFCs must report all related party transactions (RPTs) to the Board and obtain prior approval for material RPTs exceeding the threshold prescribed under Section 188 of the Companies Act, 2013, and RBI's Corporate Governance Directions. NBFC-ML and above must formulate a Board-approved Related Party Transaction Policy and disclose all RPTs in the financial statements as per Ind AS 24. Common compliance failures include: not identifying all related parties correctly, not obtaining prior Board approval for material RPTs, and inadequate disclosure in AOC-4 filings. RBI inspections specifically examine RPTs for potential fund diversion and connected lending violations.

RBI Inspection Preparation Guide

RBI conducts annual on-site inspections for NBFC-ML and above, and periodic inspections (every 2 to 3 years) for NBFC-BL. The inspection team, typically comprising 3 to 5 officers from the DNBS department, reviews all aspects of the NBFC's operations over a period of 2 to 4 weeks.

Documents to Keep Ready for Inspection

• Corporate documents: Certificate of Registration, Memorandum and Articles of Association, Board resolutions, committee minutes, and compliance calendar
• Financial records: Audited financial statements for the last 3 years, trial balance, CRAR computation sheets, NOF certificates, and provisioning calculations
• Loan portfolio: Complete loan register with sanction dates, disbursement amounts, repayment schedules, NPA classification status, and provisioning for each account
• KYC files: Customer KYC records (sample set as directed by inspectors), AML training records, STR/CTR filing records with FIU-IND
• FPC compliance: Fair Practice Code document, grievance register, recovery agent authorisation letters, customer complaint resolution records
• COSMOS filing records: Acknowledgements of all COSMOS returns filed, any correspondence with RBI regarding returns
• Policy documents: Board-approved policies for credit, risk, ALM, IT security, outsourcing, and related party transactions

Post-Inspection Process

After the on-site inspection, RBI issues an Inspection Report within 60 to 90 days listing observations, compliance gaps, and required corrective actions. The NBFC must respond within the timeline specified (typically 30 days) with an action plan addressing each observation. Unresolved observations from the previous inspection carry forward as repeat findings, which attract stricter penalties. If the inspection reveals material violations, RBI may issue a show-cause notice under Section 45-IA(6) for CoR cancellation or impose business restrictions including a ban on new loan disbursement, branch opening freeze, or dividend restriction.

Key Changes in NBFC Compliance for 2026

Enhanced Digital Lending Compliance

Following RBI's Digital Lending Guidelines (September 2022, updated 2025), NBFCs operating through digital lending platforms must ensure full compliance with borrower-facing disclosures, cooling-off period provisions, and restrictions on accessing borrower mobile data. All digital lending must happen through the NBFC's own app or a regulated Lending Service Provider (LSP). The Key Fact Statement (KFS) must be provided to every borrower before loan disbursement, disclosing the All-Inclusive Cost (AIC) in annualised terms.

Updated Provisioning for Infrastructure NBFCs

NBFC-IFC (Infrastructure Finance Companies) and NBFC-IDF (Infrastructure Debt Funds) must comply with updated provisioning norms for project finance loans from April 2026. Standard asset provisioning for under-construction projects increases to 5% from the earlier 0.40%, reducing to 2.5% once the project commences commercial operations. This change significantly impacts CRAR for infrastructure-focused NBFCs.

Climate Risk Disclosure for NBFC-UL

NBFC-UL must begin climate-related financial disclosures aligned with the Task Force on Climate-related Financial Disclosures (TCFD) framework from FY 2025-26 onwards. This includes governance of climate risks, strategy for managing climate-related financial risks, risk management processes, and metrics including carbon footprint of the lending portfolio. The disclosure must be included in the Annual Report.

Harmonised Regulatory Framework Transition

RBI is progressively harmonising NBFC regulations with banking norms under the SBR framework. For 2026, key changes include tighter concentration norms for NBFC-ML (single borrower exposure limit reduced to 20% of Tier I capital from 25%), mandatory LCR (Liquidity Coverage Ratio) maintenance for NBFC-UL at 85% (increasing to 100% by 2027), and enhanced disclosure requirements in financial statements aligned with Ind AS 109 (Financial Instruments).

Strengthened IT and Cyber Security Framework

RBI's updated IT governance framework requires NBFC-ML and above to implement a comprehensive cyber security policy approved by the Board, conduct annual vulnerability assessment and penetration testing (VAPT), report cyber incidents to CERT-In within 6 hours and to RBI within 48 hours, and maintain a Business Continuity Plan with annual testing. The NBFC must appoint a Chief Information Security Officer (CISO) responsible for IT risk management. NBFC-BL with assets above ₹500 crore must also comply with the basic IT governance requirements including data backup, access control, and incident response procedures.

Revised Microfinance Lending Norms

NBFC-MFIs must comply with the revised microfinance lending framework effective from April 2025. Key changes include: removal of the pricing cap (previously 10% to 12% margin), replaced by a Board-approved pricing policy; household income ceiling increased to ₹3 lakh per annum for rural and ₹4 lakh for urban borrowers; total indebtedness cap per household at 50% of annual household income; and mandatory assessment of household income before every loan sanction. NBFC-MFIs must report compliance with these norms quarterly on the COSMOS portal.

NBFC Annual Compliance Cost Breakdown

NBFC Compliance by Entity Type

Different types of NBFCs have varying compliance requirements beyond the standard filings. The table below highlights the specific additional obligations for major NBFC categories.

If your NBFC category requires specific compliance guidance beyond the standard checklist covered above, consult with a regulatory expert who specialises in that particular NBFC type. Generic compliance services may miss category-specific RBI Directions that apply exclusively to your entity.

Related Resources

• NBFC Registration Service -- Apply for RBI Certificate of Registration for your NBFC
• Private Limited Company Compliance -- Annual compliance for companies under the Companies Act, 2013
• ROC Annual Filing Service -- AOC-4, MGT-7, and DIR-3 KYC filing assistance
• Compliance Health Check -- Pre-inspection compliance audit for NBFCs and companies
• GST Registration -- Register your NBFC for GST compliance
• RBI NBFC List -- Verify your NBFC's registration status on the RBI website
• MCA V3 Portal -- File ROC annual returns online

Summary

NBFC annual compliance under RBI guidelines requires fulfilling obligations across three regulatory bodies: RBI (COSMOS returns, CRAR, NOF, asset classification, FPC, KYC/AML), MCA (AOC-4, MGT-7, board meetings, AGM), and CBDT/GST (ITR-6, TDS returns, GSTR-1, GSTR-3B, GSTR-9). The compliance intensity varies by the SBR layer: NBFC-BL has the lightest requirements with 9% CRAR and 0.25% standard asset provisioning, while NBFC-ML requires 15% CRAR, 0.40% provisioning, monthly COSMOS returns, and full corporate governance structure including Audit Committee, Risk Management Committee, and a Chief Compliance Officer. Total annual compliance cost ranges from ₹75,000 for a small NBFC-BL to over ₹4,00,000 for a large NBFC-ML with multiple branches and a complex loan portfolio. Non-compliance attracts penalties up to ₹10 lakh under Section 58B of the RBI Act, 1934, with ₹25,000 per day for continuing violations, and the risk of CoR cancellation and criminal prosecution for serious violations including unauthorised deposit acceptance. Start compliance preparation by April each year, complete the statutory audit by July, schedule the AGM in the first week of September, and file all ROC returns by November to stay ahead of every deadline. Maintain a compliance calendar, assign a dedicated compliance officer, and conduct quarterly internal reviews to ensure no obligation is missed.