Reserve Bank of India (Non-Banking Financial Companies - Governance) Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.GOV.REC.No.__/18.10.013/2026-27

June xx, 2026

Reserve Bank of India (Non-Banking Financial Companies - Governance) Amendment Directions, 2026

The Reserve Bank had issued Reserve Bank of India (Non-Banking Financial Companies - Governance) Directions, 2025 on November 28, 2025.

2. At present, the regulatory instructions with respect to control / assurance functions viz. risk management, compliance and internal audit are contained in various directions / circulars. With a view to strengthening the governance framework for these functions and to ensure greater clarity, consistency and harmonisation in the instructions pertaining to these functions, it has been decided to review and consolidate them under these directions.

3. Accordingly, in exercise of the powers conferred by Sections 45JA and 45L of the Reserve Bank of India Act, 1934, Section 30A of National Housing Bank Act, 1987, Section 6 of Factoring Regulation Act, 2011, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Non-Banking Financial Companies - Governance) Amendment Directions, 2026.

(2) These Directions shall come into effect on January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Non-Banking Financial Companies - Governance) Directions, 2025 (hereinafter called ‘the said Directions’) in the manner as specified hereinafter.

(i) In sub-paragraph (3) of paragraph 3 of the said Directions, for the words and figures “7 to 15”, the words and figures “7 to 11, 12 to 15” shall be substituted.

(ii) In sub-paragraph (4) of paragraph 3 of the said Directions, for the words and figures “7(2), 7(3), 8, 9, 16 to 18, 25 to 39, and 41 to 43”, the words and figures “7(3), 8, 11A to 11Q, 16 to 18A, 26 to 39, 41, 42, and 43” shall be substituted.

(iii) In sub-paragraph (5) of paragraph 3 of the said Directions, for the words and figures “7 to 9, 12 to 18, 25 to 40”, the words and figures “7, 8, 11A to 11Q, 18A and 26 to 40” shall be substituted.

(iv) In sub-paragraph (7) of paragraph 3 of the said Directions, after the words and figures “8 to 13”, the words and figures “, and 18A” shall be inserted.

(v) In the Note to sub-paragraph (7) of paragraph 3 of the said Directions, for the words and figures “12 and 13”, the words and figures “12, 13 and 18A” shall be substituted.

(vi) Sub-paragraph (1) of paragraph 5 of the said Directions shall be deleted.

(vii) Before sub-paragraph (2) of paragraph 5 of the said Directions, the following shall be inserted, namely:

“(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment as well as the applicable laws, rules and regulations.

(1b) ‘Clawback’ means a contractual agreement between the employee and the regulated entity in which the employee agrees to return previously paid or vested remuneration to the entity under certain circumstances.”

(viii) After sub-paragraph (2) of paragraph 5 of the said Directions, the following shall be inserted, namely:

“(2a) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank / National Housing Bank (NHB), self-regulatory organisation standards, codes of conduct applicable to an NBFC’s activities and with the internal control systems laid down to comply with the foregoing.

(2b) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation, ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(2c) ‘Compliance Function’ means policies, processes, procedures, systems, and personnel dedicated for compliance.

(2d) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an NBFC may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organisation standards, and codes of conduct applicable to its activities.

(2e) ‘Control Functions’ means those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.”

(ix) After sub-paragraph (4) of paragraph 5 of the said Directions, the following shall be inserted, namely:

“(4a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of an NBFC’s internal control, risk management and governance systems and processes.

(4b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of internal audit.

(4c) ‘Internal Controls’ means a set of rules and controls governing an NBFC’s organisational / operational structure, including reporting processes and functions.”

(x) After sub-paragraph (8) of paragraph 5 of the said Directions, the following shall be inserted, namely:

“(8a) ‘Risk Appetite’ means the aggregate level and types of risk an NBFC is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(8b) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations, and other measures.

(8c) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(8d) ‘Risk Management Function’ means policies, processes, procedures, systems, and personnel dedicated for Risk Management.”

(xi) Sub-paragraph (2) of paragraph 7, and paragraph 9 (along with the heading ‘B. Risk Management Committee’) of the said Directions shall be deleted.

(xii) After paragraph 11 of the said Directions, the following shall be inserted, namely:

“D. Control Functions: Compliance and Internal Audit

D.1 General

11A. An NBFC shall establish Compliance and Internal Audit functions, commensurate with its size, complexity and business profile, headed by a Chief Compliance Officer (CCO) and a Head of Internal Audit (HIA), respectively.

11B. An NBFC shall have policies for each of the control functions, including Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. These policies shall be approved by the Board and reviewed periodically.

11C. The above functions shall -

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CCO/HIA for specialised tasks without diluting the accountability of the functions.

11D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board / ACB shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

11E. The Compliance Function shall be subject to regular internal audit.

D.2 Appointment of CCO and HIA

11F. An NBFC shall adhere to the following terms for appointment of CCO and HIA:

(1) Appointing authority and rank: An NBFC shall appoint / designate suitably senior employees, not more than two levels below the MD & CEO, as CCO and HIA, with the approval of the Board.

Provided that in case of an SPD, the position of CCO / HIA may be up to three levels below the MD & CEO.

Provided further that an NBFC-BL may appoint / designate suitably senior employees as CCO / HIA in accordance with its internal policies.

(2) Knowledge / Experience: CCO and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity and risk profile of the NBFC.

(3) Age: The age limits for CCO and HIA to hold office shall be prescribed by the NBFC as a part of its internal policy.

(4) Tenure: CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CCO or HIA. However, consultants, advisors, part time auditors or individuals who are neither on the rolls of the NBFC nor have a contractual employer-employee relationship with the NBFC shall not be appointed / designated as CCO or HIA.

D.3 Independence of CCO and HIA

11G. CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CCO and HIA shall –

(1) functionally report to the Board or the ACB and administratively report to MD & CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the ACB at least once in a quarter, without the presence of the Senior Management (including the MD / CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the ACB to enable them to communicate concerns without management interference.

(4) have their final performance review carried out by the Board or the ACB.

D.4 Compliance Function

11H. The Board shall ensure an effective oversight over NBFC’s compliance risk.

11I. The Senior Management shall be responsible for effective management of an NBFC’s compliance risk, including communication of the compliance policy throughout the NBFC and ensuring that it is observed in letter and spirit. Further, Senior Management shall also be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the NBFC.

11J. An NBFC shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by inter-alia performing sufficient and representative compliance testing.

11K. The Compliance Function shall –

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the NBFC and the RBI / NHB, as applicable.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or the ACB on the effectiveness of compliance policies, controls, and remediation of breaches, to be in a state of compliance and for the improvement in compliance culture.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control / assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

D.5 Internal Audit Function

11L. The Board shall have an effective internal audit framework, proportionate to the NBFC’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

11M. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

11N. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

11O. The Internal Audit Function shall –

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

11P. An NBFC shall adopt Risk-Based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in Annex I-A.

Provided that for an NBFC-BL, the adoption of the RBIA approach shall be voluntary.

D.6 Intimation to the RBI / NHB

11Q. Any appointment (including interim appointment and re-appointment), premature transfer, removal, exit, or change in tenure of CCO or HIA in an NBFC-ML and above shall be reported to Department of Supervision, RBI (NHB in case of HFCs), at least five working days in advance. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied with the candidate’s profile and a confirmation from the competent authority stating that the candidate is fit and proper for the position. The appointment may be communicated to the candidate only after the lapse of five working days from the date of receipt of intimation by the Reserve Bank / NHB, provided no communication to the contrary is received from the Reserve Bank / NHB.”

(xiii) After paragraph 18 of the said Directions, the following shall be inserted, namely:

“18A. Risk Management Committee

(1) An NBFC having total assets of ₹5000 crore or above (as on March 31 of the previous financial year) shall constitute a Risk Management Committee of the Board (RMCB). The RMCB shall be responsible for evaluating the overall risks faced by the NBFC including liquidity risk and shall report to the Board.

D. Control Function: Risk Management

D.1 General

18B. An NBFC having total assets of ₹5000 crore or above (as on March 31 of the previous financial year) shall establish a Risk Management Function, commensurate with its size, complexity, and risk profile, headed by a Chief Risk Officer (CRO).

18C. The NBFC shall have a Risk Management Policy, clearly articulating the objectives, roles and responsibilities of the Risk Management Function. The policy shall be approved by the Board and reviewed periodically.

18D. The provisions of paragraphs 11C and 11D shall apply mutatis mutandis to Risk Management Function.

18E. The Risk Management Function shall be subject to regular internal audit.

D.2 Appointment of CRO

18F. Subject to the provisions of paragraph 18A, the provisions of paragraph 11F shall apply mutatis mutandis to the appointment of CRO.

D.3 Independence of CRO

18G. The provisions of paragraph 11G shall apply mutatis mutandis to independence of CRO.

D.4 Risk Management Function

18H. The Board shall ensure an effective oversight over the NBFC’s Risk Management Function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the NBFC’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the NBFC’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g., sanctioning credit, making investments, etc. The advice of the CRO shall be supported with proper rationale.

(3) The CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights in the proceedings thereof.

(4) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

18I. The Risk Management Function shall -

(1) be responsible for overseeing that the NBFC operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement an NBFC-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the NBFC to enable strategic planning and compliance with risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with risk appetite.

(5) enhance the capability of business line managers to identify and assess the risks critically rather than relying on the surveillance conducted by it.

D.5 Intimation to the RBI / NHB

18J. Any appointment (including interim appointment and re-appointment), premature transfer, removal, exit or change in tenure of the CRO shall be reported to Department of Supervision, RBI (NHB in case of HFCs), within five working days. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied with the candidate’s profile.”

(xiv) Paragraphs 19 to 25 of the said Directions (along with the headings ‘D. Appointment of Chief Risk Officer’ and ‘E. Appointment of Chief Compliance Officer’) shall be deleted.

(xv) After paragraph 41 of the said Directions, the following shall be added, namely:

“41A. An NBFC-UL shall subject its Risk Management Function to periodic external review, to benchmark the practices and strengthen the effectiveness of the function.”

(Scenta Joy)
Chief General Manager