Indian NBFCs and fintech lenders face some of the strictest IT governance requirements in the country: RBI's Master Direction on the IT Framework for the NBFC Sector (2017, since superseded for most NBFCs by the 2023 Master Direction on IT Governance, Risk, Controls and Assurance Practices), the CERT-In directions of April 2022, and the Digital Lending guidelines each impose specific technology, security, and audit obligations. Non-compliance can cost an NBFC its Certificate of Registration. Here's what a compliant IT stack has to cover.
RBI's IT Framework for NBFCs requires a documented and board-approved IT security policy, endpoint protection, network security (firewall, IDS/IPS), vulnerability assessment and penetration testing (VAPT) at least annually, an incident management procedure, a business continuity plan, and data backups with periodically tested recovery. Smaller non-deposit-taking NBFCs (asset size below ₹500 crore) follow a simplified baseline; deposit-taking and systemically important NBFCs face the full framework. The CERT-In directions add their own operational baseline: cyber incidents must be reported to CERT-In within six hours of detection, ICT system logs must be retained for 180 days within India, and system clocks must be synchronised to an approved NTP source.
The DPDP Act 2023 requires notice and explicit consent before personal data, including financial data, is collected and processed. For NBFCs this means clear consent at the loan application stage (not buried in the T&C), purpose limitation (KYC data collected for lending cannot be reused for marketing without separate consent), and a documented breach notification process covering both the Data Protection Board and the affected individuals. The Digital Lending guidelines additionally require a Key Fact Statement disclosing the annual percentage rate and all charges before the loan is executed, and prohibit lending apps from accessing phone resources such as files, media, contacts, call logs, and telephony functions; one-time access to the camera, microphone, and location is permitted only with the borrower's explicit consent and only where needed for onboarding or KYC.
We help Indian NBFCs build RBI-compliant IT and security stacks. Free NBFC IT compliance assessment — our team understands NBFC regulatory requirements.