Non-Banking Financial Company (NBFC)

The Reserve Bank of India (RBI) has introduced comprehensive guidelines for cybersecurity in the Non-Banking Financial Company (NBFC) sector. These guidelines aim to enhance the cybersecurity framework and strengthen data protection measures in NBFCs, safeguarding the financial system from cyber threats. With the growing digital landscape and increasing reliance on technology, these guidelines play a crucial role in ensuring the resilience of NBFCs against cyberattacks and promoting a secure financial ecosystem.

By adhering to the RBI's NBFC cyber security guidelines, businesses in the NBFC sector can proactively address emerging cyber threats, implement effective risk management practices, and ensure the confidentiality, integrity, and availability of critical financial data. These guidelines provide a comprehensive roadmap for NBFCs to enhance their cybersecurity posture, stay resilient in the face of evolving threats, and contribute to the overall stability of the financial sector.

The Non-Banking Finance Company (NBFC) sector has witnessed substantial growth and complexity over time. As the NBFC industry evolves and expands, it is crucial to align its Information Technology/Information Security (IT/IS) framework, Business Continuity Planning (BCP), Disaster Recovery (DR) Management, IT audit, and other aspects with industry best practices.

To foster safety, security, and operational efficiency in processes, guidelines on the IT framework for the NBFC sector have been developed. While some NBFCs may have already implemented certain requirements mentioned in the circular, a formal gap analysis is necessary to assess the existing status and comply with the stipulations outlined in the circular. NBFCs are expected to establish a time-bound action plan to bridge any gaps identified and ensure adherence to the guidelines.

The proposed IT framework focuses on areas such as IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning, and IT Services Outsourcing. The directions provided in the circular are divided into two sections: Section-A applies to all NBFCs with asset size above ₹500 crore (considered systemically important), while Section-B pertains to NBFCs with asset size below ₹500 crore.

NBFCs are advised to present these directions, along with a comprehensive gap analysis and proposed action plan, to their Board by September 30, 2017.

Systemically important NBFCs are required to comply with the Master Directions by June 30, 2018, while other NBFCs (with asset size below ₹500 crore) must comply by September 30, 2018.

Different Types/Categories of NBFCs Registered with RBI

  • Asset Finance Companies 
  • Investment Company 
  • Loan Company
  • Infrastructure Finance Companies
  • Systemically Important Core Investment Company 
  • Infrastructure Debt Fund - Non-Banking Financial Company
  • Non-Banking Financial Companies - Micro Finance Institutions
  • Non-Banking Financial Company – Factors
  • Mortgage Guarantee Companies
  • NBFC - Non-Operative Financial Holding Company


Ampcus Cyber's Approach to Delivering NBFC Compliance for Businesses

Ampcus Cyber's approach to delivering NBFC compliance for businesses begins with a structured project kickoff meeting. This phase sets the foundation for a successful compliance engagement and involves the following key steps:

Connect With Ampcus Cyber for RBI-NBFC compliance

Ready to ensure RBI-NBFC compliance for your business? Connect with Ampcus Cyber today and let our experienced team of cybersecurity professionals guide you through the process. With our in-depth knowledge of the regulatory landscape and expertise in NBFC compliance, we are equipped to address your specific needs and help you achieve a robust security posture. Contact Ampcus Cyber now and embark on a journey towards RBI-NBFC compliance excellence.

FAQs

1. What is a Non-Banking Financial Company (NBFC)?

A Non-Banking Financial Company (NBFC) is a type of financial institution that provides financial services and products similar to traditional banks, but without holding a banking license. NBFCs play a crucial role in the financial system by catering to the diverse financial needs of individuals and businesses. Here are some key characteristics of NBFCs:

Financial Services: NBFCs offer a wide range of financial services such as loans, advances, investments, asset financing, acquisition of shares and stocks, leasing, hire-purchase, insurance business, chit fund activities, and more. They engage in financial activities similar to banks, except for accepting demand deposits.

Regulation: NBFCs are regulated by the regulatory authority of the country, such as the Reserve Bank of India (RBI) in India. The regulatory framework ensures that NBFCs adhere to specific guidelines, capital adequacy requirements, risk management practices, and customer protection norms.

Non-Deposit Taking or Deposit Taking: NBFCs can be categorized into non-deposit taking and deposit taking entities. Non-deposit taking NBFCs do not accept deposits from the public, while deposit taking NBFCs can accept deposits from individuals and businesses, subject to certain regulatory conditions and limitations.

Diverse Operations: NBFCs can specialize in various financial activities and cater to specific sectors or markets. Some examples of specialized NBFCs include microfinance institutions, housing finance companies, infrastructure finance companies, equipment leasing companies, and factoring companies.

Complementary Role: NBFCs often complement the services provided by banks and other financial institutions. They bridge the gaps in the financial ecosystem by extending credit to underserved sectors, providing flexible financing options, supporting small and medium-sized enterprises (SMEs), and facilitating financial inclusion.

Risk Management: NBFCs are required to have robust risk management frameworks to assess and mitigate various risks associated with their financial activities. This includes credit risk, liquidity risk, market risk, operational risk, and compliance risk.

Customer Base: NBFCs serve a diverse customer base, including individuals, businesses, self-employed professionals, and organizations across different sectors. They offer customized financial solutions tailored to the specific needs of their customers.

NBFCs contribute significantly to the overall financial stability and economic growth of a country. They provide an alternative source of funding, promote entrepreneurship, facilitate capital formation, and enhance access to financial services for a wide range of stakeholders.

2. What is the NBFC guideline for the Policy for Information System Audit (IS Audit)?

The Reserve Bank of India (RBI) has provided guidelines for the Policy for Information System Audit (IS Audit) to ensure the effective management of IT infrastructure in Non-Banking Financial Companies (NBFCs). These guidelines aim to enhance the security, confidentiality, integrity, and availability of information systems within NBFCs. Key aspects of RBI's NBFC guideline for IS Audit policy include:

Objective: The objective of the IS Audit is to assess the effectiveness of controls in place to safeguard the organization's IT infrastructure and ensure the confidentiality, integrity, and availability of information.

Internal Audit Integration: IS Audit should be an integral part of the internal audit system of NBFCs. The framework should align with the guidance issued by professional bodies such as ISACA, IIA, and ICAI. ICAI has published the "Standard on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment" that provides relevant standards and practices.

Coverage: The IS Audit should cover various areas, including the policy and oversight of IT systems, adequacy of processes and internal controls, business continuity planning, disaster recovery, and compliance with legal and statutory requirements.

Personnel: NBFCs can conduct the IS Audit using their internal team. In cases where internal expertise is insufficient, external agencies with IT/IS audit expertise may be appointed. The auditors should possess the required skills and understanding of legal and regulatory requirements. Independence and accountability should be ensured, especially when engaging external professional service providers.

Periodicity: The frequency of IS Audit should ideally be based on the size and operations of the NBFC. However, it should be conducted at least once a year, preferably before the statutory audit, ensuring timely availability of IS audit reports.

Reporting: The framework should clearly define the reporting structure, specifying whether it is to be reported to the Board or a Committee of the Board, such as the Audit Committee of the Board (ACB).

Compliance: NBFC management is responsible for taking appropriate actions in response to reported observations and recommendations from the IS Audit. The framework should outline responsibilities for compliance, reporting lines, timelines for submission of compliance, and authority for accepting compliance. It may also provide audit-mode access for auditors, inspectors, or regulatory authorities.

Computer-Assisted Audit Techniques (CAATs): NBFCs should adopt a suitable combination of manual techniques and CAATs for conducting the IS Audit. CAATs can be particularly useful in critical areas, such as detecting control weaknesses and revenue leakage, monitoring customer transactions, and assessing areas with significant financial, regulatory, or legal implications.

RBI's NBFC guideline for IS Audit policy emphasizes the importance of robust IT infrastructure controls, risk mitigation, compliance, and maintaining the confidentiality, integrity, and availability of information systems within NBFCs.

3. What is the difference between banks and NBFCs?

Although Non-Banking Financial Companies (NBFCs) and banks perform similar financial functions, there are several key differences between the two. Here are some of the main distinctions:

Legal Structure and Regulation: Banks are authorized and regulated under banking laws, such as the Banking Regulation Act, while NBFCs are governed by specific regulations applicable to non-banking financial institutions. Banks are typically incorporated as banking corporations, whereas NBFCs can be registered as companies under the Companies Act.

Deposit Acceptance: Banks have the ability to accept demand deposits from the public, which are withdrawable on demand by the depositor. NBFCs, on the other hand, are categorized as deposit-taking or non-deposit taking. Non-deposit taking NBFCs do not accept public deposits, while deposit-taking NBFCs can accept deposits subject to regulatory conditions and limitations.

Lending and Credit Activities: Both banks and NBFCs engage in lending and credit activities. However, banks have the advantage of access to low-cost funds through deposit mobilization, allowing them to lend from a stable source of funds. NBFCs, on the other hand, rely on sources such as borrowings, debentures, and market borrowings for their lending activities.

Payment and Settlement Systems: Banks have the capability to issue checks, drafts, and other negotiable instruments that facilitate payment and settlement transactions. NBFCs, as non-banking entities, do not have the same authority to issue such instruments.

Regulation and Prudential Norms: Banks are subject to comprehensive prudential norms, capital adequacy requirements, and liquidity regulations prescribed by the regulatory authorities. These norms ensure the stability and solvency of banks and protect the interests of depositors. NBFCs also have regulatory guidelines and requirements, but they may not be as stringent as those applicable to banks.

Access to Central Bank Facilities: Banks have access to central bank facilities, such as liquidity support and refinancing options, which provide additional stability during financial stress. NBFCs do not have direct access to these facilities and rely on their own sources of funding and liquidity management.

Public Perception and Trust: Banks generally enjoy a higher level of public trust and confidence due to their extensive regulation, deposit guarantee schemes, and longstanding presence in the financial system. NBFCs may face challenges in gaining the same level of public perception and trust, particularly for non-deposit taking entities.

It is important to note that while NBFCs and banks have these differences, they both contribute to the overall financial system by fulfilling diverse financial needs, providing credit, and supporting economic growth. The specific roles and functions of banks and NBFCs may vary across jurisdictions based on local regulations and market conditions.

4. What are systemically influential NBFCs?

Systemically important NBFCs refer to Non-Banking Finance Companies whose asset size, as indicated in their last audited balance sheet, amounts to ₹500 crore or more. The classification of these NBFCs as systemically important stems from the recognition that their operations and activities can significantly impact the financial stability of the broader economy.