2. Regulatory framework
This section catalogues every regulation that bites on an NBFC running SME working-capital lending in India. It is organised by subject rather than by circular, because in practice an engineer or compliance officer asks “what rules apply to my disbursement screen” — not “what does circular XYZ.123 say”.
Every page below answers the same questions:
- Rule summary — what the rule actually requires, in plain English.
- Source citation — RBI circular number, date, link via rbi.org.in.
- Applicability — which NBFC layers / which products / which flows.
- Product implications — what your product / UX must look like.
- System implications — what your code must do / what data must be captured.
- Documents that must be generated.
- Workflow that must exist.
- Reports that must be produced.
- Audit evidence required.
Table of regulations
| Page | Covers | Key sources |
|---|---|---|
| 2.1 NBFC registration and classification | CoR, NOF, NBFC types | RBI Master Direction – SBR Directions, 2023 |
| 2.2 Scale-Based Regulation | Base / Middle / Upper / Top layer obligations | DOR.CRE.REC.No.60/03.10.001/2021-22, 22 Oct 2021 |
| 2.3 Digital Lending Guidelines | LSP / DLA / borrower disclosures / fund flow / cooling-off | DOR.CRE.REC.66/21.07.001/2022-23, 2 Sep 2022 |
| 2.4 LSP obligations and KFS | LSP perimeter, Key Fact Statement standard format | DL Guidelines + FAQs |
| 2.5 DLG / FLDG | 5% cap, structure, accounting, disclosure | DOR.CRE.REC.21/21.07.001/2023-24, 8 Jun 2023 |
| 2.6 Co-lending guidelines | CLM-1, CLM-2, written agreement, customer interface | FIDD.CO.Plan.BC.No.8/04.09.01/2020-21, 5 Nov 2020 |
| 2.7 KYC, CKYC, CERSAI | KYC Master Direction; CKYC upload; CERSAI security registration | KYC MD DBR.AML.BC.No.81/14.01.001/2015-16 (as amended) |
| 2.8 Account Aggregator rules | NBFC-AA framework, consent artefact, FI-FIP-FIU roles, data use | RBI NBFC-AA Master Direction Sep 2016 (as amended); DPDP Act 2023 |
| 2.9 Bureau reporting | Mandatory monthly reporting to all 4 bureaus; data quality | CICRA 2005; RBI directions to CICs |
| 2.10 Asset classification, NPA, provisioning | SMA-0/1/2/NPA timelines; daily classification; provisioning grid | IRACP norms for NBFCs (latest version on rbi.org.in) |
| 2.11 Fair Practices, grievance, recovery | FPC; recovery agent rules; ombudsman; time-of-day; harassment ban | RBI FPC for NBFCs; Internal Ombudsman MD |
| 2.12 Data privacy (DPDP Act 2023) | Notice, consent, purpose limitation, breach reporting, data principal rights | Digital Personal Data Protection Act 2023 |
| 2.13 IT / cybersecurity Master Direction | IT governance, risk, controls, audit, BCP, incident reporting | RBI IT MD, 7 Nov 2023 |
| 2.14 Outsourcing of IT / financial services | Board-approved policy, MSA, audit rights, exit | RBI Outsourcing of IT Services MD, 10 Apr 2023 |
| 2.15 Compliance calendar | Annual / quarterly / monthly returns and reports | RBI / SBR returns schedule |
Regulatory architecture in one diagram
```
               ┌─────────────────────────────────┐
               │  RBI – DoR, FIDD, DPSS, CGM     │
               │  (NBFC reg, payments, fintech)  │
               └────┬──────────┬─────────────────┘
                    │          │
    Scale-Based Regulation   Digital Lending + DLG
        (entity level)       (product/flow level)
                    │          │
            ┌───────▼──────────▼───────┐
            │     Your NBFC entity     │
            └───────┬──────────────────┘
                    │
    ┌───────────────┼──────────────────┐
    │               │                  │
KYC / CKYC   IRACP / SBR Cap   FPC / Grievance / Recovery
(onboarding) (book quality)    (borrower conduct)
    │               │                  │
    └───────────────┼──────────────────┘
                    │
        Bureau reporting (CICRA)
                    │
                    │
          CKYCR / CERSAI / NESL
                    │
      Account Aggregator (consent)
                    │
          DPDP (personal data)
                    │
 IT MD + Outsourcing MD (tech + vendors)
```
How to use this section
- Engineering — every page has a system implications block. Treat each item there as an acceptance criterion for the relevant feature.
- Compliance — every page has a documents / workflow / audit block. Use as your control framework.
- Product — every page has a product implications block. Use to write UX requirements.
- Credit — focus on Asset classification, Bureau reporting, DLG, Recovery.
What’s intentionally out of scope here
- Banking-only regulations (e.g., NDTL / SLR / CRR for scheduled commercial banks). NBFCs are governed differently.
- AIF / SEBI rules — see Managed credit for pointers.
- FEMA / cross-border — relevant if foreign capital, foreign investors, or cross-border lending. Out of scope for a domestic SME WC business.
- Income tax / GST specifics on lending — large enough subject for separate treatment; major touchpoints are noted in the accounting module.
- Specific state lending laws — money-lending Acts of certain states (e.g., Karnataka, Tamil Nadu) historically applied to unregulated lenders; an RBI-registered NBFC is largely outside scope, but check state-specific carve-outs for any state where the NBFC operates physically.
A note on currency of citations
RBI updates Master Directions continuously. Every page below cites the most recent significant circular known to this spec, but always verify on rbi.org.in for the version in force on the date you act. Compliance officers should not rely on this site as a substitute for the live RBI text.