RBI NBFC

The Non-Banking Finance Companies (NBFCs) in India are key players in the country's economy, growing in size and complexity over the years. As the industry has matured, so has its need for an Information Technology / Information Security (IT/IS) framework, Business Continuity Planning (BCP), Disaster Recovery (DR) management and IT audit, benchmarked to best practices.


In view of this, RBI issued Master Directions and Guidelines for Non-Banking Financial Companies to address weaknesses in their cybersecurity governance frameworks, driven mainly by the need to mitigate the cyber threats arising from the evolving technology these companies adopt.


As per the new directive, NBFCs are expected to enhance their security measures to ensure the safety and security of both the customers and the NBFC. An NBFC may already have implemented some of the requirements stated in the directive; however, a periodic formal gap analysis is necessary to ensure continued compliance with it. The analysis is to be conducted by a CERT-In empaneled organization.

The focus of the IT framework is mainly on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The guidelines are categorized into two parts depending on the NBFC's asset size:


Section-A: NBFCs with asset size above 500 crore

  • IT Governance

  • IT Policy

  • Information and Cyber Security

  • IT Operations

  • IS Audit

  • Business Continuity Planning

  • IT Services Outsourcing

Section-B: NBFCs with asset size below 500 crore

Similar but simpler requirements compared to Section A!

As a CERT-In Empaneled Security Auditor, QRC is authorized to help you understand, manage and comply with the RBI Guidelines & Circulars that are released on a periodic basis.

Audit Approach


Business Understanding

Evaluating the business processes and environment to understand the in-scope elements.


Audit Scope Finalization

A detailed questionnaire is shared with your teams along with other documentation, and evidence is collected on the architecture, implementation and controls.


Initial/Readiness Assessment

As per the Master Direction - Information Technology Framework for the NBFC Sector, we conduct an initial audit of all the storage locations that hold any payment-related data.


Risk Assessment

Identifying and analysing the risks in the information security posture.


Data Flow Assessment

Conducting a thorough systems analysis to evaluate data flows and possible leakages.


Remediation Support

Based on the assessment and the identification of sensitive data, QRC provides remediation support for complying with the RBI mandate.


Scans And Testing

Identifying critical vulnerabilities in your systems with a robust testing approach.


Evidence Review

Review of the evidence collected to assess its maturity against the compliance requirements.


Final Audit

Post remediation, we conduct a final audit and review the evidence identified during the audit. On successful closure, we share a confirmation letter stating that all assets defined in the scope meet the prescribed guidelines.


Concise Reporting

Our team documents a comprehensive report detailing all findings covered during the assessment cycle.
