
RBI IT Framework for NBFCs

Best for: All deposit-taking NBFCs and systemically important non-deposit taking NBFCs (NBFC-ND-SI) with asset size of 500 crore INR and above, as regulated by the Reserve Bank of India. If your organization holds an NBFC license from RBI and meets the asset threshold, this framework applies. Core investment companies, infrastructure finance companies, and microfinance institutions registered as NBFCs also fall within scope.

Mandatory? Mandatory for deposit-taking and systemically important NBFCs regulated by RBI
Who validates? RBI supervisory examination · No self-assessment
Renewal: Annual compliance reporting
Scope: Non-Banking Financial Companies; IT governance and security

Reserve Bank of India (RBI), Department of Non-Banking Regulation · RBI IT Framework for NBFCs (2017)

Get Started

module "..." {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Audit Trail and Log Retention: Verifies CloudTrail coverage across regions, integration with CloudWatch Logs, S3 data event capture, and a 365-day minimum retention policy on log groups. CodeBuild and API Gateway stage logging are also checked. Seven controls total.
    • Backup and Recovery: Six controls covering EBS and DynamoDB backup plan enrollment, 35-day minimum retention, point-in-time recovery enablement, and protection against manual recovery point deletion.
    • Network Exposure Prevention: Three controls: launch configurations must not assign public IPs, DMS replication instances must not be publicly accessible, and EBS snapshots must not be publicly restorable.
    • Encryption in Transit: Checks ACM certificate expiry (flags certs expiring within 30 days) and SSL certificate enforcement on API Gateway stages. Two controls.
    • Infrastructure Availability: Confirms health check configuration on Auto Scaling groups behind load balancers and DynamoDB auto-scaling status. Two controls.
  • What you handle

    • Audit Trail and Log Retention: Log review procedures and SIEM alerting rules are yours to define. So is the incident escalation workflow and the audit trail report presented to the Board or IT Strategy Committee.
    • Backup and Recovery: Periodic DR drills, Board-approved RTO and RPO documentation, restore procedure testing, and the written BCP/DR plan the framework requires.
    • Network Exposure Prevention: Network architecture documentation, VPC flow logs, firewall rules, and periodic penetration testing all sit outside the automated checks. The framework also requires documented segmentation between production and non-production environments.
    • Encryption in Transit: Certificate lifecycle management process, encryption at rest for databases and storage, and the overall encryption policy document required by the information security framework.
    • Infrastructure Availability: Service SLAs, capacity planning documentation, and availability metric reporting to the IT Strategy Committee.

Controls by Category

Audit Logging and Monitoring (5 controls)

Missing CloudTrail coverage in secondary regions and log groups with sub-365-day retention are the most common findings in this category. Assessors examine whether audit trails are tamper-resistant, span all environments, and are retained long enough to support forensic investigation. The framework's IT audit section treats log availability as a first-order control objective.

Business Continuity and Disaster Recovery (2 controls)

A Board-approved BCP and DR plan is the baseline requirement. Assessors then verify that backup policies cover all critical data stores, that recovery points are protected against manual deletion (an insider risk control), and that point-in-time recovery is enabled on transactional databases. Failing to include secondary data stores in backup plans is the most common gap.

Encryption and Certificate Management (1 control)

Expired certificates on API endpoints are a recurring finding and easy to miss without active monitoring. Verify ACM expiry alerting is in place and that all API Gateway stages enforce SSL before an assessor surfaces this gap. The framework expects encryption across all sensitive data in transit, with particular weight on customer-facing channels.
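The three checks called out above (log group retention of at least 365 days, multi-region CloudTrail shipping to CloudWatch Logs, and ACM certificates expiring within 30 days) can be evaluated offline against the dictionaries boto3's describe_* calls return. The following is an added illustration, not Compliance.tf's or RBI's own code; the sample responses, account id, domain names and the fixed "now" timestamp are constructed for the example.

```python
"""Offline evaluation of the audit-log and certificate checks described above, over constructed AWS API-shaped data."""
from datetime import datetime, timedelta, timezone

MIN_LOG_RETENTION_DAYS = 365   # audit trail retention floor used by the module
CERT_EXPIRY_WARN_DAYS = 30     # ACM certificates expiring sooner are flagged

def check_log_groups(log_groups):
    """Return names of CloudWatch log groups whose retention is below 365 days.
    A missing 'retentionInDays' key means 'never expire', which passes."""
    findings = []
    for lg in log_groups:
        days = lg.get("retentionInDays")
        if days is not None and days < MIN_LOG_RETENTION_DAYS:
            findings.append(lg["logGroupName"])
    return findings

def check_trails(trails):
    """Flag trails that are single-region or not delivering to CloudWatch Logs."""
    findings = []
    for t in trails:
        if not t.get("IsMultiRegionTrail"):
            findings.append((t["Name"], "single-region"))
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append((t["Name"], "no-cloudwatch-logs"))
    return findings

def check_certificates(certs, now):
    """Flag ACM certificates whose NotAfter falls within 30 days of 'now'."""
    cutoff = now + timedelta(days=CERT_EXPIRY_WARN_DAYS)
    return [c["DomainName"] for c in certs if c["NotAfter"] <= cutoff]

# Constructed sample responses in the shape of describe_log_groups,
# describe_trails and describe_certificate output (hypothetical values).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/payments", "retentionInDays": 30},
    {"logGroupName": "/aws/cloudtrail/audit", "retentionInDays": 400},
    {"logGroupName": "/app/core-banking"},  # no retention set: never expires
]
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:ap-south-1:111122223333:log-group:/aws/cloudtrail/audit:*"},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False},
]
SAMPLE_CERTS = [
    {"DomainName": "api.example-nbfc.in", "NotAfter": NOW + timedelta(days=12)},
    {"DomainName": "portal.example-nbfc.in", "NotAfter": NOW + timedelta(days=200)},
]
```

Wiring the same functions to live `logs`, `cloudtrail` and `acm` clients gives a pre-assessment sweep; note that a log group with no retention set passes the retention floor but still needs a documented retention decision.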

Network Security and Access Restriction (1 control)

The review is straightforward: are any resources publicly accessible that should not be? DMS replication instances and public EBS snapshots are specific data leakage vectors the framework's information security section addresses through network segmentation and access restriction requirements.

Additional Controls (51)

  • AWS IAM (1)
  • AWS KMS (1)
  • AWS Lambda (3)
  • Amazon EC2 (5)
  • Amazon ECR (1)
  • Amazon EFS (2)
  • Amazon EMR (1)
  • Amazon ElastiCache (1)
  • Amazon OpenSearch Service (3)
  • Amazon RDS (7)
  • Amazon Redshift (6)
  • Amazon S3 (9)
  • Amazon SageMaker (1)
  • Amazon VPC (1)
  • Elastic Load Balancing (7)
  • Other (2)

Frequently Asked Questions

Does this framework apply to my NBFC if we are below the 500 crore asset threshold?

RBI has stated that the framework applies to all deposit-taking NBFCs and all NBFC-ND-SI with asset size of 500 crore and above. Smaller NBFCs below this threshold are encouraged to adopt it voluntarily, and RBI may extend mandatory applicability based on evolving risk assessments. If you are close to the threshold, start compliance work now. Crossing it triggers immediate applicability.

What governance structure does the framework require?

The framework mandates an IT Strategy Committee at the Board level (or a Board-approved committee of senior management) responsible for approving IT strategy, budgets, and security policies. The NBFC must also designate a Chief Information Security Officer (CISO) or equivalent role, and the Board must review IT-related risks at least annually. For smaller NBFCs, RBI permits combining these responsibilities with existing governance bodies, but the functions must be explicitly documented.

How does this framework handle cloud and outsourcing arrangements?

The framework dedicates a section to IT outsourcing. NBFCs must conduct due diligence on service providers, include specific security and audit clauses in contracts, ensure data residency compliance, and retain the ability to audit outsourced operations. Cloud deployments are treated as a form of outsourcing, and the NBFC remains fully responsible for compliance regardless of who manages the infrastructure. Board approval is required for material outsourcing arrangements.

Is there a formal certification or attestation process?

No formal certification exists comparable to ISO 27001 or PCI DSS. Compliance is demonstrated through internal and external IT audits, Board-level reports, and RBI on-site inspections. Keep documented evidence ready: IT audit reports, committee minutes, policy documents, and incident reports are what supervisors ask for.

What are the penalties for non-compliance?

RBI can impose penalties under the RBI Act, 1934 and the NBFC regulatory framework, ranging from monetary fines to restrictions on business operations and, in severe cases, cancellation of the Certificate of Registration. RBI has increasingly applied supervisory action frameworks that escalate based on severity and duration of non-compliance. Repeated or material gaps in IT controls also tend to trigger heightened supervisory scrutiny going forward.