India’s NBFC sector is growing fast. NBFCs (Non-Banking Financial Companies) lend money to small businesses, self-employed people, and borrowers who can’t get loans from regular banks. They fill a gap that banks often leave behind.
But the rules governing NBFCs have changed a lot in recent years. The Reserve Bank of India (RBI) has tightened its supervision. New frameworks, stricter reporting rules, and stronger governance requirements are now part of everyday compliance.
This matters for investors.
If you are planning to buy a stake in an NBFC, or take one over entirely, you need to look beyond the profit and loss statement. A company can look healthy on paper and still carry serious compliance risks underneath.
This guide explains exactly what to check before you invest.
Why Compliance Due Diligence Matters More Than Ever
Most investors start by looking at numbers. Revenue. Loan book size. Return on equity. Growth in AUM (Assets Under Management).
These are important. But they don’t tell the full story.
The RBI does not just check profits when it inspects an NBFC. It looks at things like:
- Whether customers were properly identified before lending (KYC)
- Whether the NBFC has systems to detect suspicious transactions (AML)
- Whether the board is doing its job (governance)
- Whether loans are classified correctly (asset quality)
- Whether all required reports were filed on time
An NBFC can be profitable and still fail all of these checks.
When that happens, the new owner inherits all the problems. Regulatory penalties. Clean-up costs. Delays in getting RBI approvals. Even the risk of the licence being cancelled.
Compliance due diligence is not optional. It is the difference between a smart acquisition and an expensive mistake.
Step 1: Understand the Regulatory Layer the NBFC Falls Under
The RBI has divided NBFCs into different categories based on size and risk. This is called the Scale-Based Regulation (SBR) framework.
There are three main layers:
- Base Layer (NBFC-BL): These are smaller NBFCs. They have fewer compliance obligations compared to larger ones.
- Middle Layer (NBFC-ML): These are larger NBFCs. They need stronger risk management systems and more detailed reporting.
- Upper Layer (NBFC-UL): These are the biggest and most important NBFCs in the country. The RBI watches them most closely. They face the strictest rules.
Why does this matter during due diligence?
Because the rules are different for each layer. An NBFC in the Upper Layer has to meet compliance standards that a Base Layer NBFC does not. If you don’t know which layer the company belongs to, you can’t know whether it is fully compliant.
Start here. Confirm the classification. Then check everything else against the right set of rules.
Step 2: Check the Net Owned Fund (NOF)
Every NBFC must maintain a minimum level of capital called Net Owned Fund (NOF).
For newly registered NBFCs, the RBI requires a minimum NOF of ₹10 crore.
You need to verify this carefully. Ask for:
- Auditor certificates confirming the NOF figure
- Capital infusion records from past years
- Net worth calculations showing how the figure was arrived at
- Details of any historical losses that may have reduced the NOF
If the NOF has declined, the NBFC may need fresh capital soon. That money will come from you, as the new owner.
Factor this into your transaction pricing. A gap in NOF is a gap in your investment.
Step 3: Check Whether RBI Approval Is Needed for the Transaction
This is one of the most overlooked parts of NBFC due diligence.
Not every share purchase or management change can happen freely. In certain situations, the RBI must give its approval before the transaction is completed. This includes:
- A change in who controls the company
- A change in the board of directors
- Transfer of a significant block of shares
- Any change in the ultimate beneficial owner
The RBI applies what it calls a “fit and proper” standard. This means the incoming shareholders and directors must meet certain criteria before the RBI allows the change.
This process takes time. If you wait until after signing the deal documents to think about this, you may face serious delays.
Start the regulatory review early. Before term sheets. Before negotiations get serious.
Step 4: Review the Loan Book in Detail
The loan book is the most valuable part of any NBFC. It often makes up more than 80% of the company’s total value.
You need to understand exactly what is in it.
What types of loans does the company give?
Look at the breakdown. Is it mostly MSME loans? Gold loans? Vehicle loans? Personal loans? Microfinance? Supply chain finance?
Each of these segments has different risk profiles. Know what you are buying.
How healthy is the portfolio?
Use these key ratios to assess quality:
| Indicator | What to Look For |
| --- | --- |
| Gross NPA | Should be below 3–5% |
| Net NPA | Should be below 2–3% |
| Collection Efficiency | Should be above 95% |
| PAR 30 (loans overdue by 30 days) | Should show no rising trend |
| Provision Coverage Ratio | Must meet RBI norms |
NPA stands for Non-Performing Asset — basically loans where the borrower has stopped paying.
If collection efficiency is falling or the NPA ratio is rising, something is wrong. It could be a weak underwriting process. It could be poor collection systems. Either way, it will cost you money to fix it.
Step 5: Check KYC and AML Compliance
KYC stands for Know Your Customer. AML stands for Anti-Money Laundering.
Both are heavily regulated. And both are areas where many NBFCs fall short.
KYC — What to check:
Does the NBFC verify every customer properly before giving a loan?
Look for:
- PAN verification
- Aadhaar authentication
- Address verification
- Identification of the ultimate beneficial owner in case of business loans
Some customers require extra scrutiny. These include Politically Exposed Persons (PEPs) and customers with high-risk profiles. The NBFC should have separate procedures for these.
AML — What to check:
The NBFC must have a system to detect and report suspicious activity.
Check whether the company:
- Has a functioning transaction monitoring system
- Generates alerts when something unusual happens
- Has a process to escalate concerns internally
- Files reports with the relevant regulators when required
Weak AML controls are a serious red flag. Regulators worldwide are focused on this area. If the NBFC has gaps here, penalties can follow quickly.
Step 6: Verify FIU-IND Compliance
Every NBFC is required to register with the Financial Intelligence Unit of India (FIU-IND).
FIU-IND is the central agency that collects and analyses financial information related to money laundering and related crimes.
NBFCs must submit regular reports to FIU-IND. These include:
- Suspicious Transaction Reports (STRs) — when a transaction looks unusual
- Cash Transaction Reports (CTRs) — for large cash transactions above ₹10 lakh
During due diligence, you should verify:
- That the NBFC is registered with FIU-IND
- That a Principal Officer has been appointed (the person responsible for compliance)
- That a Designated Director is named as required
- That STRs and CTRs have been filed regularly and on time
- That employees have been trained on AML procedures
Many NBFCs have written policies in place. But written policies are not the same as real implementation. Check for actual records. Look at training logs. Ask for filing histories. See if the process is real or just on paper.
Step 7: Check Digital Lending and Fintech Compliance
Many NBFCs today work with fintech companies. These companies are called Lending Service Providers or LSPs.
An LSP might help the NBFC find new customers, assess credit risk, service existing loans, or collect repayments.
The RBI has issued detailed rules for this kind of arrangement. These rules are designed to protect borrowers and ensure transparency.
If the NBFC you are looking at has LSP arrangements, you need to check:
- Is there a proper written agreement with each LSP?
- What data does the LSP collect from customers? Is it stored safely?
- Do customers give informed consent before their data is shared?
- Is the Key Fact Statement (KFS) given to borrowers before any loan is approved?
- Are recovery practices fair and within RBI guidelines?
This area has attracted a lot of regulatory attention. If the NBFC has taken shortcuts here, enforcement action may follow.
Step 8: Review the Technology and Cybersecurity Setup
Today, an NBFC is a technology company as much as a financial company.
The loan origination process, customer onboarding, credit assessment, repayment tracking — all of it runs on software.
You need to assess the quality and security of these systems.
Check:
- What core lending platform does the company use?
- Is the loan management system reliable and scalable?
- How is customer data stored? Is it encrypted?
- Is the system hosted on a secure cloud or on an in-house server?
Also ask for:
- Vulnerability Assessment and Penetration Testing (VAPT) reports
- Information security audit results
- Disaster recovery test results
A cybersecurity breach is not just a technical problem. It can trigger regulatory action, customer complaints, and serious reputational damage.
If the NBFC has never done a security audit, that is a red flag.
Red Flags That Should Concern Any Investor
Certain findings during due diligence should make you stop and think carefully. Some of these will reduce the value of the company. Others may be deal-breakers entirely.
Watch out for:
- RBI inspection observations that are still open — This means the RBI found problems and they have not been fixed. You will inherit them.
- Late or missing regulatory filings — A pattern of delays shows a weak compliance culture.
- Missing KYC records — If customer files are incomplete, the NBFC is already non-compliant.
- High Gross NPA — Poor loan quality reduces the book’s real value.
- Inadequate provisioning — If the NBFC has not set aside enough money to cover bad loans, the financials are overstated.
- Low collection efficiency — A persistent drop in collections signals operational weakness.
- Large related-party transactions — Loans to promoters, directors, or connected companies deserve close scrutiny.
- Failure to file reports with FIU-IND — A direct regulatory violation that can attract serious penalties.
- Adverse audit observations — If the auditor has flagged problems in writing, take them seriously.
- Weak cybersecurity — Especially critical for NBFCs with digital operations.
- Undisclosed legal cases — Check court records independently. Don’t rely only on what the seller tells you.
Each of these findings should be quantified. How much will it cost to fix? How long will it take? Factor the answers into your offer price or your decision to walk away.
Conclusion
Buying an NBFC is not like buying a regular business.
You are acquiring a regulated financial institution. The RBI will continue to supervise it after the transaction. And you, as the new owner, will be responsible for everything that follows.
The most successful NBFC investors do not just read the financials. They dig into compliance. They ask uncomfortable questions. They verify records. They assess systems.
The real value of an NBFC does not sit only in its loan book or its profit margins. It sits in the quality of its governance, the soundness of its compliance framework, and its history with the regulator.
Doing proper due diligence takes time. But it is far less expensive than fixing problems you didn’t know you were buying.
Planning to acquire or invest in an NBFC? NBFC Advisory offers end-to-end regulatory due diligence, RBI compliance reviews, and M&A advisory support for investors and acquirers. Connect with NBFC Advisory today to start the conversation before you sign anything.