By Pratik Shah, National Financial Services Leader, EY India
The RBI has proposed a fundamental redesign of the upper-layer classification under the non-banking financial company (NBFC) scale-based regulation framework, signalling a decisive shift in how the sector is identified and supervised. The draft norms move away from the earlier hybrid identification approach—under which upper-layer classification combined the top 10 NBFCs by asset size with a parametric scoring framework—and adopt a largely size-based methodology anchored to a `1 lakh-crore asset threshold.
The revised framework dispenses with the scoring construct, while retaining supervisory discretion to designate entities as upper layer where warranted. Besides, it provides for annual re-identification of upper-layer NBFCs, introduces periodic recalibration of the asset size threshold every five years, and moves to a more rules-based approach, allowing greater mobility over time.
The key shift lies in the elimination of the dual identification framework that combined asset size ranking with a relatively complex scoring methodology. It relied on a weighted mix of quantitative (70%) and qualitative (30%) criteria, spanning metrics such as size, leverage, interconnectedness, complexity, and supervisory judgement. While the approach aimed to capture multidimensional systemic risks, it often led to limited transparency around classification triggers—particularly for institutions operating close to the upper layer threshold. The proposed framework replaces this with a clearer, rules-based construct anchored mainly in asset size, improving predictability while retaining periodic supervisory review.
Retaining supervisory discretion ensures entities with elevated systemic risk, interconnected exposures, or structural complexity can still be brought under the upper layer lens, even if size alone does not fully capture their risk footprint. The ability to review the upper layer status periodically and the removal of the lock-in need fundamentally changes the regulatory approach. Classification is no longer static, but a continuously evolving state linked to balance sheet size and risk profile.
One of key implication of the revised framework is the removal of ownership-linked regulatory distinctions, which had historically created an implicit divergence in how different NBFC segments were treated. In essence, the RBI is moving from an ownership-based regime to a risk-based, activity-neutral regulatory approach, creating a more level playing field across the sector. It reinforces the principle that systemic importance is a function of scale and risk, not ownership structure. The revised framework is expected to narrow this gap by progressively embedding bank like supervisory expectations across four dimensions:
Investment in technology, data, and analytics capabilities, including investments in robust data architectures, risk aggregation engines, and supervisory ready systems to enable more granular, higher frequency, and risk based regulatory reporting beyond periodic filings.
Strengthened enterprise wide risk management, encompassing internal capital adequacy assessment process (ICAAP)-style internal capital assessment, forward looking stress testing and stress prediction, and concentration risk controls—areas where maturity continues to vary even among large NBFCs and where enabling technology becomes increasingly critical.
Enhanced board effectiveness and independence, with greater emphasis on risk expertise, tenure discipline, and accountability, aligned with the RBI focus on effective and proportionate board level oversight.
Reinforced compliance and assurance functions, with a sharper focus on the effectiveness of the second and third lines of defence, supported by digital monitoring tools and accompanied by heightened supervisory scrutiny of outsourcing arrangements, related party exposures, and group linkages.
Upper layer NBFCs will increasingly be expected to operate with bank-like standards of governance, risk management, and supervisory engagement, even as their funding models and regulatory constraints differ from banks. This convergence is likely to reduce regulatory arbitrage. For PSU NBFCs especially, this transition is less about introducing new structures and more about elevating the depth, investing in technology, and ensuring effectiveness of existing frameworks.
The introduction of periodic review and removal of lock-in further embeds balance sheet discipline. Growth beyond the `1 lakh-crore threshold is no longer a one-time regulatory milestone but a state that brings ongoing scrutiny and expectations.
NBFCs will need to move from silo-based risk management to a single, enterprise wide risk framework. This shall require a clear, board approved risk appetite that is structured around practical portfolio limits, concentration caps, and pricing guardrails. Regulators will increasingly look for risk framework that actively guides business decisions and not just compliance reporting. Further, growth decisions will have to be balanced with risk capacity. For PSU NBFCs, this implies faster escalation and tighter accountability within public ownership constraints.
Compliance frameworks will have to evolve from calendar checks to continuous surveillance. This means embedding regulatory thresholds and early warning into core business workflows. NBFCs shall be expected to identify risks early and take radiation action through clear remediation plans.
Strong data and tech foundations will be critical under the revised framework. NBFCs will need centralised data platforms, consistent and near real time MIS across risk, finance, and treasury. Advanced analytics for stress testing, risk aggregation, and early warning identification will increasingly be treated as supervisory essentials. In addition, selective use of newer technologies, including GenAI, can materially strengthen supervisory readiness. Use cases are likely to focus on automated regulatory reporting, intelligent exception detection, early identification of emerging risk patterns, and swift preparation of board and regulatory dashboards.
Static capital buffers will no longer be sufficient. NBFCs will need to adopt forward looking ICAAP frameworks, complemented by rigorous liquidity stress tests and asset liability management models that capture rollover risks and funding concentration. Capital allocation will be increasingly linked to risk adjusted returns. Regulators will assess not just capital adequacy, but whether capital and liquidity metrics meaningfully shape growth, portfolio mix, and funding strategy.
The RBI’s revised upper-layer framework marks a measured but meaningful shift in NBFC regulation. For NBFCs, the message is clear: scale alone will no longer differentiate institutions. Those that embed integrated risk management, stronger governance, and data driven decision making through a clear operating playbook will be better placed to adapt to tighter supervision. More broadly, the framework signals the next phase in the evolution of India’s NBFC sector—one focused on regulatory parity, transparency, and systemic resilience.