KYC for NBFCs: RBI Requirements and Compliance Guide (2026)

Compliance for non-banking financial companies (NBFCs) looks different in 2026. The Reserve Bank of India replaced the Master Direction on KYC, 2016, with ten sector-specific Master Directions on November 28, 2025, and issued a dedicated NBFC KYC Direction among them. Before that, the 2nd Amendment in August 2025 tightened customer communication standards, and a mid-2025 circular made digital periodic KYC permanent. Most NBFC KYC content on the internet still references the 2016 framework, which means compliance officers pulling up articles for reference are working from outdated rules. This guide lays out what KYC for NBFCs actually requires in 2026, starting with NBFC customer onboarding obligations that apply on day one.

Who Counts as an NBFC for KYC Purposes

The NBFC umbrella covers many different institution types, and the KYC burden does not fall on all of them equally.

RBI’s Four-Layer Scale-Based Framework

Since October 2022, RBI’s Scale-Based Regulation (SBR) framework has classified NBFCs into four layers: Base Layer (NBFC-BL), Middle Layer (NBFC-ML), Upper Layer (NBFC-UL), and Top Layer (NBFC-TL). The layer determines the intensity of prudential and governance regulation, and it indirectly shapes KYC compliance posture because Upper and Middle Layer NBFCs face tighter supervisory scrutiny.

NBFC Categories That Carry Their Own KYC Overlays

Within the layer framework, several categories have additional KYC nuances. NBFC-MFI (microfinance) has group-based verification and household-income assessment rules. Housing Finance Companies (HFCs) have property-linked documentation requirements. Investment and Credit Companies (NBFC-ICC) follow the standard NBFC KYC framework without sector-specific additions. NBFC-P2P (peer-to-peer lending platforms) operate under an additional digital-lending guidelines layer that affects KYC workflows.

Why Category Matters for KYC Design

An NBFC-P2P onboarding flow and an NBFC-HFC onboarding flow look superficially similar but diverge on documentation, consent artefacts, and the CKYC push sequence. Designing a single “one-size-fits-all” NBFC KYC flow without accounting for the sub-category is one of the more common ways KYC programmes fail at audit.

The 2025 NBFC KYC Directions: What Changed

Three regulatory events in 2025 reshape the NBFC KYC baseline, and each one needs a specific operational response.

Sector-Specific Directions Replace One-Size-Fits-All

The Vinod Kothari consolidated analysis of the 2025 Master Directions notes that the 2016 Master Direction has been repealed and replaced by dedicated directions per institution type, with an NBFC-specific KYC Direction now in force. The structural impact is that NBFC compliance teams no longer have to cross-reference bank-centric provisions to find what applies to them; everything NBFC-specific is in one place. Content-wise, the changes are incremental rather than radical, but the clarity gain is meaningful.

August 2025 Amendments: Accessibility and Communication

The 2nd Amendment to the KYC Master Direction, issued on August 14, 2025, introduces three obligations NBFCs must honour. First, rejection of any onboarding or periodic updation cannot be automated without reasoned recording; an officer must justify the decision in writing. Second, persons with disabilities cannot be denied banking or financial services through automated digital checks. Third, customers facing re-KYC must receive three advance intimations (at least one by letter) and, after the due date, at least three reminders including one letter.

Digital Periodic KYC, Now Permanent

A mid-2025 circular made digital completion of periodic re-KYC permanent, not a pandemic-era exception. This matters for NBFCs running periodic updation at scale: the entire re-KYC process, from intimation to document submission to approval, can be completed digitally. For low-risk customers whose update has fallen due, RBI has also extended the deadline to June 30, 2026, giving NBFCs extra runway to migrate customers to the digital flow.

Core KYC Obligations for NBFCs

The substance of NBFC KYC has four pillars. Each one has tightened at the edges under the 2025 framework.

Customer Identification Procedure (CIP)

Every customer must be identified at onboarding using an Officially Valid Document (OVD). The OVD list includes Aadhaar, passport, driving licence, voter ID, NREGA job card, and the National Population Register letter. The 2025 Directions clarify that Aadhaar is not mandatory for general KYC except where the customer is claiming a benefit under a scheme notified under Section 7 of the Aadhaar Act. This clarification was always the law after the Puttaswamy judgment but now sits explicitly in the Directions.

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

Every customer must be risk-rated at onboarding and periodically thereafter. Low-risk and medium-risk customers undergo standard CDD. High-risk customers, PEPs, and customers from high-risk jurisdictions undergo EDD, which includes deeper source-of-funds analysis and senior management approval for continued relationship. When CDD is performed by a third party, that third party must itself be regulated, supervised, or monitored by a regulator recognised by RBI.

Periodic KYC Updation Timelines

Periodic re-KYC cadence follows risk category: every two years for high-risk customers, every eight years for medium-risk, and every ten years for low-risk (with the low-risk deadline extension to June 30, 2026). Our re-KYC guide covers the operational detail. The shift from the earlier 2/5/10 framework to 2/8/10 is now embedded across the 2025 Directions.

Record-Keeping and Reporting

Customer records must be retained for at least five years after the end of the business relationship. Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) must be filed with FIU-IND under the prescribed thresholds. The August 2025 Amendment added explicit requirements for recording officer justifications on rejected applications, which extends the audit trail NBFCs must maintain.

Accepted KYC Methods for NBFCs

NBFCs can onboard customers through several verification methods, each with its own operational profile.

Aadhaar-Based eKYC

Aadhaar OTP-based eKYC returns demographic data from UIDAI after the customer authenticates with a one-time password. Biometric Aadhaar eKYC, where the customer authenticates with a fingerprint or iris scan at a point of service, is also permitted for NBFCs that qualify as authentication user agencies. Both methods produce an instantly verifiable KYC record.

Digital KYC (D-KYC) With Live Photo

D-KYC is the method where an NBFC officer captures a live photograph of the customer along with the original document, geo-tags the capture, and certifies the process digitally. It is the standard non-face-to-face path where V-CIP is not feasible. The live photo is a real-time capture, not a stored image, and the geo-tag and timestamp must match the certification record.

Video-Based Customer Identification Process (V-CIP)

V-CIP is the real-time video interaction where the customer’s identity is verified over a live video session. Our guide to RBI video KYC guidelines covers the detailed requirements. The 2025 Directions clarify that requiring specific facial gestures (blinking, smiling, frowning) is not mandatory for liveness checks, a small but meaningful accessibility change for differently-abled customers. NBFCs that run high volumes typically deploy a dedicated video KYC API rather than building the V-CIP capability in-house.

CKYC Registry Lookup and Upload

Every NBFC must query the Central KYC Records Registry before running fresh KYC on a customer, and upload the completed KYC record to CKYCR within ten working days. The CKYC record upload API is typically how this is operationalised in the tech stack. The logic is straightforward: if a CKYC record exists and is current, reuse it; if not, run fresh KYC and push the result to CKYCR.

KYC for NBFC Sub-Categories

Three sub-categories have KYC obligations that go beyond the standard NBFC framework.

NBFC-MFI: Microfinance KYC Specifics

Microfinance KYC sits on top of the March 2022 RBI microfinance framework. The framework requires household-income assessment and a 50% cap on loan repayment obligation to household income, which adds an income-verification step that other NBFC categories do not have. Joint Liability Groups (JLGs) and Self-Help Groups (SHGs) are common borrower structures, and each member requires individual KYC even within a group loan structure.

Housing Finance Companies (HFCs)

HFC KYC includes the standard NBFC identification procedure plus property-linked documentation: title deeds, encumbrance certificates, and property valuation reports. HFCs came under direct RBI oversight (from NHB) in 2019, and their KYC obligations are now fully aligned with broader NBFC expectations with the property-specific overlay retained.

NBFC-P2P and Digital Lending NBFCs

P2P platforms and digital lending NBFCs operate under RBI’s Digital Lending Guidelines in addition to the KYC Direction. Lending Service Providers (LSPs) and Digital Lending Apps (DLAs) that participate in the onboarding flow have their own responsibilities, and the KYC captured during onboarding must be linked to a Key Fact Statement (KFS) that the borrower acknowledges before disbursal.

Common Compliance Failures and How to Avoid Them

Two failure patterns account for the majority of KYC-related supervisory observations NBFCs receive.

Stale Periodic Updation

Customers whose KYC is due for periodic updation and has not been refreshed are the single most common audit finding. The root cause is usually operational rather than policy: NBFCs know the cadence but do not have a trigger engine that flags customers approaching the update window and drives outreach. The August 2025 Amendment’s three-intimation, three-reminder requirement is now the explicit audit checklist for outreach.
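
The trigger engine described above, as an added example (not HyperVerge's or RBI's code): it derives due dates from the 2/8/10 cadence and the June 30, 2026 low-risk extension, then checks each customer's outreach log against the three-intimation, three-reminder rule. The 90-day window, the record layout, the channel names and the sample customers are assumptions constructed for illustration.

```python
from datetime import date, timedelta

CADENCE_YEARS = {"high": 2, "medium": 8, "low": 10}  # 2/8/10 cadence from this page
LOW_RISK_EXTENSION = date(2026, 6, 30)               # low-risk extension from this page
WINDOW = timedelta(days=90)                          # assumption: outreach lead time

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def due_date(risk, last_kyc, today):
    due = add_years(last_kyc, CADENCE_YEARS[risk])
    # Assumption: the extension covers low-risk updates that have already fallen due.
    if risk == "low" and due <= today and due < LOW_RISK_EXTENSION:
        return LOW_RISK_EXTENSION
    return due

def review(customer, today):
    """Return (status, due, gaps) for one customer record."""
    due = due_date(customer["risk"], customer["last_kyc"], today)
    if today < due - WINDOW:
        return "current", due, []
    advance = [ch for d, ch in customer["outreach"] if d <= due]
    reminders = [ch for d, ch in customer["outreach"] if d > due]
    gaps = []
    if len(advance) < 3:
        gaps.append(f"{3 - len(advance)} advance intimation(s) missing")
    if "letter" not in advance:
        gaps.append("no advance intimation by letter")
    if today <= due:
        return "approaching", due, gaps
    if len(reminders) < 3:
        gaps.append(f"{3 - len(reminders)} reminder(s) missing")
    if "letter" not in reminders:
        gaps.append("no reminder by letter")
    return "overdue", due, gaps

# Constructed sample records (not real customers).
CUSTOMERS = [
    {"id": "C1", "risk": "high", "last_kyc": date(2024, 2, 29),
     "outreach": [(date(2026, 1, 5), "sms"), (date(2026, 1, 20), "email"),
                  (date(2026, 2, 10), "letter"), (date(2026, 3, 10), "sms")]},
    {"id": "C2", "risk": "low", "last_kyc": date(2015, 9, 1), "outreach": []},
    {"id": "C3", "risk": "medium", "last_kyc": date(2022, 4, 1), "outreach": []},
]

def run(today):
    return {c["id"]: review(c, today) for c in CUSTOMERS}
```

Calling `run(date(2026, 4, 15))` reports C1 as overdue with reminder gaps, C2 as approaching under the extended deadline with no outreach yet, and C3 as current.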

Weak CKYC Synchronisation

The second common observation is a gap between the NBFC’s internal customer record and the CKYCR record for the same customer. This happens when a customer update is recorded internally but not pushed to CKYCR, or when CKYCR is updated and the NBFC’s system does not refresh from it. A well-designed KYC programme runs CKYCR queries on a defined cadence for high-risk customers and treats divergence as a compliance incident, not a data-quality ticket.

Building a Scalable NBFC KYC Programme

For NBFCs scaling past the first few thousand customers a month, KYC becomes an engineering problem as much as a compliance problem.

Tech Stack Components

A production NBFC KYC programme has three layers. Capture (document, face, liveness) handles the customer-facing onboarding. Verification (OCR, ID authentication, AML and sanctions screening, DigiLocker fetch, and Aadhaar eKYC) runs behind the capture. Case management (manual review queues, audit trail, CKYCR push) closes the loop. Decoupling these three lets compliance teams change verification rules without touching the capture UI.

Governance and Audit Trail

Every NBFC must have a board-approved KYC policy, a Principal Officer and Designated Director with named accountability, and an audit log that captures every onboarding decision including the data points and the rationale for approvals, rejections, and manual reviews. Governance is where smaller NBFCs often lose ground at RBI inspection: the policy exists but implementation drift is not surfaced at board level.

Staying Compliant in 2026 and Beyond

The direction of travel is clear. KYC is moving from a batched, documentary exercise to a continuous, data-driven process. The 2025 Directions, digital periodic KYC, and the tightening around re-KYC communication all push in the same direction. NBFCs that build their KYC stack around event-driven updates and strong CKYCR integration will find themselves ahead of the next supervisory wave rather than reacting to it.

To see how HyperVerge helps NBFCs meet the 2025 Directions with Aadhaar eKYC, V-CIP, DigiLocker fetch, and CKYCR integration in a single flow, sign up for a product walkthrough.

Frequently Asked Questions

Bank KYC and NBFC KYC now sit under separate Master Directions as of November 28, 2025. The substantive rules are similar (CIP, CDD, EDD, periodic updation, CKYC push) but the applicability, operational nuances, and some edge-case provisions differ. For example, bank KYC covers business correspondents and small accounts in detail; NBFC KYC does not, since NBFCs do not use BCs in the same way. Both frameworks share the 2/8/10 periodic updation cadence and the underlying PMLA obligations.

Yes. Video-based Customer Identification Process (V-CIP) is permitted for NBFC onboarding, subject to the requirements specified in the RBI KYC Master Direction. V-CIP must be conducted in real-time, the officer must be a trained employee of the NBFC, the session must be recorded, and anti-deepfake controls are increasingly expected following the August 2025 amendments.

NBFCs must perform Customer Identification (verify an OVD), conduct Customer Due Diligence and Enhanced Due Diligence based on risk, screen against sanctions and PEP lists, upload KYC records to the CKYC Registry within ten working days, perform periodic updation at the 2/8/10-year cadence based on risk rating, and maintain records for at least five years after the end of the customer relationship.

Periodic KYC updation is required every two years for high-risk customers, every eight years for medium-risk customers, and every ten years for low-risk customers. For low-risk customers whose update has fallen due, the deadline has been extended to June 30, 2026. Event-triggered updates (address change, beneficial ownership change, adverse media) can happen outside the periodic cadence and are encouraged.

On November 28, 2025, RBI consolidated its regulatory instructions into 238 Master Directions, including ten sector-specific KYC Master Directions. The Reserve Bank of India (Non-Banking Financial Company, Know Your Customer) Directions, 2025 is the NBFC-specific KYC Master Direction. The 2016 Master Direction has been repealed, and NBFCs now refer to the dedicated NBFC KYC Direction for their compliance obligations.

Yes. The expectation under the RBI KYC framework is that regulated entities query the Central KYC Registry using the customer's PAN, Aadhaar, or CKYC Identifier Number before running fresh KYC. If a current CKYCR record exists, the NBFC can rely on it, subject to its own risk-based due diligence. This avoids duplicate KYC submissions for customers who already have a record in the registry.

Preeti Kulkarni

Content Marketer

Preeti is a tech enthusiast who enjoys demystifying complex tech concepts majorly in fintech solutions. Infusing her enthusiasm into marketing, she crafts compelling product narratives for HyperVerge's diverse audience.
