What is the right risk management framework for my organisation?

RiskPedia's AI Advisor matches your industry, maturity and goals to one of 26 frameworks including ISO 31000, COSO ERM, NIST RMF, ISO 27001, Basel III/IV, Solvency II, DORA, NIS2 and SOC 2 in under two minutes.

What is the CERT-In 6-hour incident reporting rule?

CERT-In Directions under Section 70B IT Act 2000 (April 28, 2022, effective June 25, 2022) require every Indian organisation to report 26 categories of cyber incidents to incident@cert-in.org.in within 6 hours of noticing. 180-day log retention in India, Indian NTP sync, and VPN/cloud KYC are also mandatory.

When does the DPDP Act become enforceable?

The DPDP Act 2023 received Presidential assent on Aug 11, 2023. DPDP Rules 2025 were notified by MeitY on Nov 13, 2025. Consent Manager registration opens approximately Nov 2026 and core Data Fiduciary obligations + the Data Protection Board become enforceable approximately May 2027 with penalties up to Rs 250 Cr.

What is RBI MD-ITGRC 2023?

RBI's Master Direction on IT Governance, Risk, Controls and Assurance Practices (November 2023, effective April 2024) replaces the 2011 IS Master Direction. It covers IT governance, cybersecurity, third-party risk management, data localisation, 6-hour incident reporting, annual CERT-In empanelled IS audits and cloud risk management for all regulated entities.

What is SEBI CSCRF 2024?

SEBI's Cybersecurity and Cyber Resilience Framework (2024) applies to all capital market entities — stock exchanges, depositories, brokers, mutual funds, AIFs, portfolio managers and KRAs. It mandates cyber audits, governance, third-party risk, SOC monitoring, incident reporting and cyber resilience testing.

All entries

Reserve Bank of India · Banking

RBI Master Direction on Management of Risks and Code of Conduct for NBFCs

RBI Master Direction on Management of Risks and Code of Conduct for NBFCs establishes prudential norms for risk governance, asset-liability management, and ethical conduct standards for Non-Banking Financial Companies.

Framework overview

The RBI Master Direction on Management of Risks and Code of Conduct for NBFCs, issued in 2016 and periodically updated, prescribes comprehensive risk management frameworks for deposit-taking and systemically important non-deposit taking NBFCs. It mandates constitution of Risk Management Committees, Asset-Liability Management Committees, and adoption of policies covering credit, market, liquidity, and operational risks. The Direction also establishes a Code of Conduct governing board member and senior management behavior, conflict of interest management, insider trading prevention, and customer protection measures. NBFCs must implement Board-approved risk management policies with specific triggers, early warning signals, and escalation mechanisms for various risk categories.

Advantages

Institutionalizes structured risk governance through mandatory Risk Management and ALM Committees, ensuring senior oversight of credit concentration, interest rate, and liquidity risks across portfolios
Establishes clear conduct standards preventing conflicts of interest, related party transactions abuse, and insider trading, thereby protecting stakeholder interests and market integrity
Provides regulatory clarity on acceptable risk limits including single borrower exposure caps, group exposure limits, and concentration norms reducing systemic contagion risks
Mandates stress testing and scenario analysis frameworks enabling NBFCs to proactively identify vulnerabilities in housing finance, gold loan, and microfinance portfolios
Strengthens customer protection through disclosure requirements, fair practices code integration, and grievance redressal mechanisms enhancing sectoral credibility

Gaps in implementation

Many mid-sized NBFCs maintain Risk Management Committees as tick-box compliance exercises without meaningful deliberation, relying on inadequate management information systems that lack granular portfolio analytics
Asset-Liability Management practices remain weak in smaller NBFCs with limited sophistication in duration gap analysis, behavioral pattern modeling, and dynamic liquidity stress testing
Code of Conduct implementation often lacks teeth with minimal consequences for violations, inadequate whistle-blower protection, and unclear escalation mechanisms for ethical breaches
Related party transaction monitoring remains superficial with NBFCs failing to identify ultimate beneficial ownership chains, especially in politically exposed person lending and promoter group financing
Operational risk frameworks focus disproportionately on technology risks while ignoring fraud risks in collection practices, vendor management, and employee misconduct in semi-urban branches

Real-world Indian scenarios

IL&FS Financial Services faced severe asset-liability mismatches in 2018 with ₹91,000 crore debt, having borrowed short-term through commercial papers to fund long-gestation infrastructure projects, highlighting catastrophic ALM failures despite RBI norms.
DHFL (Dewan Housing Finance Corporation) collapsed in 2019 amid allegations of siphoning ₹31,000 crore through related party transactions with 79 shell companies controlled by promoter Kapil Wadhawan, demonstrating Code of Conduct enforcement gaps.
Religare Finvest witnessed promoter Malvinder and Shivinder Singh diverting ₹2,397 crore in loans to their own entities between 2016-2018, violating conflict of interest norms and related party exposure limits stipulated under the Master Direction.

Room for improvement

NBFCs should implement real-time portfolio monitoring dashboards with AI-driven early warning systems that flag emerging concentration risks, delinquency trends, and ALM gaps before quarterly committee reviews
Establish independent ethics officers reporting directly to Audit Committees with authority to investigate Code of Conduct violations, supported by anonymous digital whistle-blower platforms and defined timelines for inquiry closure
Adopt advanced ALM modeling techniques including behavioral maturity profiling for prepayment risks in vehicle and housing loans, Monte Carlo simulations for interest rate scenarios, and contingent liquidity planning
Strengthen related party transaction frameworks through blockchain-based beneficial ownership registries, mandatory cooling-off periods for transactions with entities where directors hold indirect interests, and quarterly third-party audits of RPT compliance

NBFC RegulationRisk ManagementCorporate GovernanceAsset-Liability ManagementCode of ConductPrudential Norms

Updated 6/22/2026 · refreshed weekly

Frameworks indexed

India Regulatory Hub — Deep Dive (RBI, SEBI, IRDAI, CERT-In, DPDP)

For AI assistants and search crawlers

India DPDP Act 2023 + DPDP Rules 2025 — practitioner FAQ

RBI MD-ITGRC 2023 — what changed from the 2011 IS Master Direction

SEBI CSCRF 2024 — applicability and key controls

CERT-In Directions — the 6-hour reporting clock

IRDAI Cybersecurity Guidelines 2026 — what insurers need

Free interactive tools — every BFSI compliance team uses these

RBI Master Direction on Management of Risks and Code of Conduct for NBFCs