NBFC Compliance Due Diligence Before Investment or Takeover

India’s NBFC sector is growing fast. NBFCs (Non-Banking Financial Companies) lend money to small businesses, self-employed people, and borrowers who can’t get loans from regular banks. They fill a gap that banks often leave behind.

But the rules governing NBFCs have changed a lot in recent years. The Reserve Bank of India (RBI) has tightened its supervision. New frameworks, stricter reporting rules, and stronger governance requirements are now part of everyday compliance.

This matters for investors.

If you are planning to buy a stake in an NBFC, or take one over entirely, you need to look beyond the profit and loss statement. A company can look healthy on paper and still carry serious compliance risks underneath.

This guide explains exactly what to check before you invest.

Why Compliance Due Diligence Matters More Than Ever

Most investors start by looking at numbers. Revenue. Loan book size. Return on equity. Growth in AUM (Assets Under Management).

These are important. But they don’t tell the full story.

The RBI does not just check profits when it inspects an NBFC. It looks at things like:

  • Whether customers were properly identified before lending (KYC)
  • Whether the NBFC has systems to detect suspicious transactions (AML)
  • Whether the board is doing its job (governance)
  • Whether loans are classified correctly (asset quality)
  • Whether all required reports were filed on time

An NBFC can be profitable and still fail all of these checks.

When that happens, the new owner inherits all the problems. Regulatory penalties. Clean-up costs. Delays in getting RBI approvals. Even the risk of the licence being cancelled.

Compliance due diligence is not optional. It is the difference between a smart acquisition and an expensive mistake.

Step 1: Understand the Regulatory Layer the NBFC Falls Under

The RBI has divided NBFCs into different categories based on size and risk. This is called the Scale-Based Regulation (SBR) framework.

There are three main layers:

  • Base Layer (NBFC-BL)
    These are smaller NBFCs. They have fewer compliance obligations compared to larger ones.
  • Middle Layer (NBFC-ML)
    These are larger NBFCs. They need stronger risk management systems and more detailed reporting.
  • Upper Layer (NBFC-UL)
    These are the biggest and most important NBFCs in the country. The RBI watches them most closely. They face the strictest rules.

Why does this matter during due diligence?

Because the rules are different for each layer. An NBFC in the Upper Layer has to meet compliance standards that a Base Layer NBFC does not. If you don’t know which layer the company belongs to, you can’t know whether it is fully compliant.

Start here. Confirm the classification. Then check everything else against the right set of rules.

Step 2: Check the Net Owned Fund (NOF)

Every NBFC must maintain a minimum level of capital called Net Owned Fund (NOF).

For newly registered NBFCs, the RBI requires a minimum NOF of ₹10 crore.

You need to verify this carefully. Ask for:

  • Auditor certificates confirming the NOF figure
  • Capital infusion records from past years
  • Net worth calculations showing how the figure was arrived at
  • Details of any historical losses that may have reduced the NOF

If the NOF has declined, the NBFC may need fresh capital soon. That money will come from you, as the new owner.

Factor this into your transaction pricing. A gap in NOF is a gap in your investment.

Step 3: Check Whether RBI Approval Is Needed for the Transaction

This is one of the most overlooked parts of NBFC due diligence.

Not every share purchase or management change can happen freely. In certain situations, the RBI must give its approval before the transaction is completed. This includes:

  • A change in who controls the company
  • A change in the board of directors
  • Transfer of a significant block of shares
  • Any change in the ultimate beneficial owner

The RBI applies what it calls a “fit and proper” standard. This means the incoming shareholders and directors must meet certain criteria before the RBI allows the change.

This process takes time. If you wait until after signing the deal documents to think about this, you may face serious delays.

Start the regulatory review early. Before term sheets. Before negotiations get serious.

Step 4: Review the Loan Book in Detail

The loan book is the most valuable part of any NBFC. It often makes up more than 80% of the company’s total value.

You need to understand exactly what is in it.

What types of loans does the company give?

Look at the breakdown. Is it mostly MSME loans? Gold loans? Vehicle loans? Personal loans? Microfinance? Supply chain finance?

Each of these segments has a different risk profile. Know what you are buying.

How healthy is the portfolio?

Use these key ratios to assess quality:

Indicator                            What to Look For
Gross NPA                            Should be below 3–5%
Net NPA                              Should be below 2–3%
Collection Efficiency                Should be above 95%
PAR 30 (loans overdue by 30 days)    Should show no rising trend
Provision Coverage Ratio             Must meet RBI norms

NPA stands for Non-Performing Asset, meaning a loan where the borrower has stopped paying.

If collection efficiency is falling or the NPA ratio is rising, something is wrong. It could be a weak underwriting process. It could be poor collection systems. Either way, it will cost you money to fix it.

Step 5: Check KYC and AML Compliance

KYC stands for Know Your Customer. AML stands for Anti-Money Laundering.

Both are heavily regulated. And both are areas where many NBFCs fall short.

KYC — What to check:

Does the NBFC verify every customer properly before giving a loan?

Look for:

  • PAN verification
  • Aadhaar authentication
  • Address verification
  • Identification of the ultimate beneficial owner in case of business loans

Some customers require extra scrutiny. These include Politically Exposed Persons (PEPs) and customers with high-risk profiles. The NBFC should have separate procedures for these.

AML — What to check:

The NBFC must have a system to detect and report suspicious activity.

Check whether the company:

  • Has a functioning transaction monitoring system
  • Generates alerts when something unusual happens
  • Has a process to escalate concerns internally
  • Files reports with the relevant regulators when required

Weak AML controls are a serious red flag. Regulators worldwide are focused on this area. If the NBFC has gaps here, penalties can follow quickly.

Step 6: Verify FIU-IND Compliance

Every NBFC is required to register with the Financial Intelligence Unit of India (FIU-IND).

FIU-IND is the central agency that collects and analyses financial information related to money laundering and related crimes.

NBFCs must submit regular reports to FIU-IND. These include:

  • Suspicious Transaction Reports (STRs) — when a transaction looks unusual
  • Cash Transaction Reports (CTRs) — for large cash transactions above ₹10 lakh

During due diligence, you should verify:

  • That the NBFC is registered with FIU-IND
  • That a Principal Officer has been appointed (the person responsible for compliance)
  • That a Designated Director is named as required
  • That STRs and CTRs have been filed regularly and on time
  • That employees have been trained on AML procedures

Many NBFCs have written policies in place. But written policies are not the same as real implementation. Check for actual records. Look at training logs. Ask for filing histories. See if the process is real or just on paper.

Step 7: Check Digital Lending and Fintech Compliance

Many NBFCs today work with fintech companies. These companies are called Lending Service Providers or LSPs.

An LSP might help the NBFC find new customers, assess credit risk, service existing loans, or collect repayments.

The RBI has issued detailed rules for this kind of arrangement. These rules are designed to protect borrowers and ensure transparency.

If the NBFC you are looking at has LSP arrangements, you need to check:

  • Is there a proper written agreement with each LSP?
  • What data does the LSP collect from customers? Is it stored safely?
  • Do customers give informed consent before their data is shared?
  • Is the Key Fact Statement (KFS) given to borrowers before any loan is approved?
  • Are recovery practices fair and within RBI guidelines?

This area has attracted a lot of regulatory attention. If the NBFC has taken shortcuts here, enforcement action may follow.


Step 8: Review the Technology and Cybersecurity Setup

Today, an NBFC is a technology company as much as a financial company.

The loan origination process, customer onboarding, credit assessment, repayment tracking — all of it runs on software.

You need to assess the quality and security of these systems.

Check:

  • What core lending platform does the company use?
  • Is the loan management system reliable and scalable?
  • How is customer data stored? Is it encrypted?
  • Is the system hosted on a secure cloud or in-house server?

Also ask for:

  • Vulnerability Assessment and Penetration Testing (VAPT) reports
  • Information security audit results
  • Disaster recovery test results

A cybersecurity breach is not just a technical problem. It can trigger regulatory action, customer complaints, and serious reputational damage.

If the NBFC has never done a security audit, that is a red flag.

Red Flags That Should Concern Any Investor

Certain findings during due diligence should make you stop and think carefully. Some of these will reduce the value of the company. Others may be deal-breakers entirely.

Watch out for:

  • RBI inspection observations that are still open — This means the RBI found problems and they have not been fixed. You will inherit them.
  • Late or missing regulatory filings — A pattern of delays shows a weak compliance culture.
  • Missing KYC records — If customer files are incomplete, the NBFC is already non-compliant.
  • High Gross NPA — Poor loan quality reduces the book’s real value.
  • Inadequate provisioning — If the NBFC has not set aside enough money to cover bad loans, the financials are overstated.
  • Low collection efficiency — A persistent drop in collections signals operational weakness.
  • Large related-party transactions — Loans to promoters, directors, or connected companies deserve close scrutiny.
  • Failure to file reports with FIU-IND — A direct regulatory violation that can attract serious penalties.
  • Adverse audit observations — If the auditor has flagged problems in writing, take them seriously.
  • Weak cybersecurity — Especially critical for NBFCs with digital operations.
  • Undisclosed legal cases — Check court records independently. Don’t rely only on what the seller tells you.

Each of these findings should be quantified. How much will it cost to fix? How long will it take? Factor the answers into your offer price or your decision to walk away.

Conclusion

Buying an NBFC is not like buying a regular business.

You are acquiring a regulated financial institution. The RBI will continue to supervise it after the transaction. And you, as the new owner, will be responsible for everything that follows.

The most successful NBFC investors do not just read the financials. They dig into compliance. They ask uncomfortable questions. They verify records. They assess systems.

The real value of an NBFC does not sit only in its loan book or its profit margins. It sits in the quality of its governance, the soundness of its compliance framework, and its history with the regulator.

Doing proper due diligence takes time. But it is far less expensive than fixing problems you didn’t know you were buying.

Planning to acquire or invest in an NBFC? NBFC Advisory offers end-to-end regulatory due diligence, RBI compliance reviews, and M&A advisory support for investors and acquirers. Connect with NBFC Advisory today to start the conversation before you sign anything.


Frequently Asked Questions

What is compliance due diligence in an NBFC transaction?

Compliance due diligence means checking whether an NBFC is following all the rules set by the RBI and other regulators. It goes beyond looking at financial statements. You check KYC records, loan classifications, regulatory filings, governance practices, and more. The goal is to find hidden problems before you complete the transaction.

Is RBI approval required before buying a stake in an NBFC?

It depends on the size of the stake and the nature of the transaction. If the acquisition results in a change of control, a change in management, or a transfer of significant shareholding, prior RBI approval is usually required. The incoming shareholders and directors must also meet the RBI’s fit and proper criteria. Always check this before signing any agreement.

What is the minimum Net Owned Fund (NOF) required for an NBFC?

For newly registered NBFCs, the RBI has set a minimum NOF of ₹10 crore. During due diligence, verify the current NOF through auditor certificates and capital records. If the NOF has fallen below the required level, the company will need fresh capital — and that responsibility will fall on you as the new owner.

What is the Scale-Based Regulation (SBR) framework?

The SBR framework is how the RBI classifies NBFCs based on their size and systemic importance. There are three layers — Base, Middle, and Upper. Each layer has different compliance requirements. Knowing which layer the target NBFC falls under is essential because the rules you need to check against will differ significantly.

What does NPA mean and why does it matter in due diligence?

NPA stands for Non-Performing Asset. These are loans where the borrower has not paid for a certain period. A high NPA ratio means a larger portion of the loan book is at risk. It reduces the real value of the portfolio and may require additional provisioning. During due diligence, check both Gross NPA and Net NPA, along with the provision coverage ratio.

What is FIU-IND and why should investors check FIU-IND compliance?

FIU-IND is the Financial Intelligence Unit of India. Every NBFC is required to register with FIU-IND and submit reports such as Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs). Failure to comply with FIU-IND obligations is a direct violation of the Prevention of Money Laundering Act (PMLA). Investors should check registration status, officer appointments, and filing records as part of due diligence.

What are Lending Service Providers (LSPs) and what risks do they create?

LSPs are fintech companies that work with NBFCs to help with customer acquisition, credit assessment, loan servicing, or collections. The RBI has issued rules requiring transparency and accountability in these arrangements. If an NBFC has LSP partnerships, investors must review the agreements, data sharing practices, customer consent mechanisms, and recovery methods. Weak LSP compliance can attract regulatory scrutiny.

What are the biggest red flags to watch for during NBFC due diligence?

The most serious red flags include open RBI inspection observations, a pattern of late regulatory filings, missing KYC records, high NPA ratios, weak provisioning, large related-party transactions, FIU-IND reporting failures, adverse audit qualifications, and undisclosed litigation. Any one of these should be quantified and either priced into the deal or treated as a reason to reconsider.

How long does NBFC due diligence typically take?

A thorough compliance due diligence exercise for an NBFC generally takes four to eight weeks, depending on the size and complexity of the institution, the quality of its records, and how quickly management provides information. Regulatory due diligence — including RBI filings review, KYC audit, and loan book analysis — should ideally run in parallel with financial and legal due diligence to save time.

Can NBFC Advisory help with the entire due diligence process?

Yes. NBFC Advisory provides end-to-end support for investors and acquirers — from initial regulatory risk assessment and RBI compliance review to loan book analysis, FIU-IND compliance checks, and post-acquisition regulatory strategy. If you are evaluating an NBFC for investment or takeover, connect with NBFC Advisory for a structured, expert-led due diligence process.