compliance.tf
Compliance FrameworksSpecialized Frameworks

RBI IT Framework for NBFCs

Best for: All deposit-taking NBFCs and systemically important non-deposit taking NBFCs (NBFC-ND-SI) with asset size of 500 crore INR and above, as regulated by the Reserve Bank of India. If your organization holds an NBFC license from RBI and meets the asset threshold, this framework applies. Core investment companies, infrastructure finance companies, and microfinance institutions registered as NBFCs also fall within scope.

Mandatory?Mandatory for deposit-taking and systemically important NBFCs regulated by RBI
Who validates?RBI supervisory examination ยท No self-assessment
RenewalAnnual compliance reporting
ScopeNon-Banking Financial Companies; IT governance and security

๐Ÿ› Reserve Bank of India (RBI), Department of Non-Banking Regulation ยท RBI IT Framework for NBFCs (2017) Official source โ†’

Get Started

module "..." {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Audit Trail and Log Retention: Verifies CloudTrail coverage across regions, integration with CloudWatch Logs, S3 data event capture, and a 365-day minimum retention policy on log groups. CodeBuild and API Gateway stage logging are also checked. Seven controls total.
  • Backup and Recovery: Six controls covering EBS and DynamoDB backup plan enrollment, 35-day minimum retention, point-in-time recovery enablement, and protection against manual recovery point deletion.
  • Network Exposure Prevention: Three controls: launch configurations must not assign public IPs, DMS replication instances must not be publicly accessible, and EBS snapshots must not be publicly restorable.
  • Encryption in Transit: Checks ACM certificate expiry (flags certs expiring within 30 days) and SSL certificate enforcement on API Gateway stages. Two controls.
  • Infrastructure Availability: Confirms health check configuration on Auto Scaling groups behind load balancers and DynamoDB auto-scaling status. Two controls.

What you handle

  • Audit Trail and Log Retention: Log review procedures and SIEM alerting rules are yours to define. So is the incident escalation workflow and the audit trail report presented to the Board or IT Strategy Committee.
  • Backup and Recovery: Periodic DR drills, Board-approved RTO and RPO documentation, restore procedure testing, and the written BCP/DR plan the framework requires.
  • Network Exposure Prevention: Network architecture documentation, VPC flow logs, firewall rules, and periodic penetration testing all sit outside the automated checks. The framework also requires documented segmentation between production and non-production environments.
  • Encryption in Transit: Certificate lifecycle management process, encryption at rest for databases and storage, and the overall encryption policy document required by the information security framework.
  • Infrastructure Availability: Service SLAs, capacity planning documentation, and availability metric reporting to the IT Strategy Committee.

Controls by Category

Audit Logging and Monitoring (5 controls)

Missing CloudTrail coverage in secondary regions and log groups with sub-365-day retention are the most common findings in this category. Assessors examine whether audit trails are tamper-resistant, span all environments, and are retained long enough to support forensic investigation. The framework's IT audit section treats log availability as a first-order control objective.

API Gateway stages should have logging enabledCloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudWatch log groups should have retention period of at least 365 dayscompliance.tf moduleCodeBuild projects should have logging enabled

Business Continuity and Disaster Recovery (2 controls)

A Board-approved BCP and DR plan is the baseline requirement. Assessors then verify that backup policies cover all critical data stores, that recovery points are protected against manual deletion (an insider risk control), and that point-in-time recovery is enabled on transactional databases. Failing to include secondary data stores in backup plans is the most common gap.

Backup plans should have minimum frequency and minimum retention configuredDynamoDB tables should have point-in-time recovery enabledcompliance.tf module

Encryption and Certificate Management (1 control)

Expired certificates on API endpoints are a recurring finding and easy to miss without active monitoring. Verify ACM expiry alerting is in place and that all API Gateway stages enforce SSL before an assessor surfaces this gap. The framework expects encryption across all sensitive data in transit, with particular weight on customer-facing channels.

API Gateway stages should not use client SSL certificates

Network Security and Access Restriction (1 control)

The review is straightforward: are any resources publicly accessible that should not be? DMS replication instances and public EBS snapshots are specific data leakage vectors the framework's information security section addresses through network segmentation and access restriction requirements.

DMS replication instances should not be publicly accessiblecompliance.tf module
Additional Controls (51)

AWS IAM (1)

IAM password policies should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (3)

Lambda functions should have concurrent execution limit configuredcompliance.tf moduleLambda functions should be configured with a dead-letter queuecompliance.tf moduleLambda functions should be in a VPCcompliance.tf module

Amazon EC2 (5)

EC2 instances should have detailed monitoring enabledcompliance.tf moduleEC2 instances should have EBS optimization enabledcompliance.tf moduleEC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should be in a VPCcompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf module

Amazon ECR (1)

ECR private repositories should have tag immutability configuredcompliance.tf module

Amazon EFS (2)

EFS access points should enforce a root directoryEFS access points should enforce a user identity

Amazon EMR (1)

EMR cluster Kerberos should be enabledcompliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf module

Amazon OpenSearch Service (3)

OpenSearch domains should use HTTPScompliance.tf moduleOpenSearch domains should be in a VPCcompliance.tf moduleOpenSearch domains should have logging to CloudWatch Logs enabledcompliance.tf module

Amazon RDS (7)

RDS DB instances and clusters should have enhanced monitoring enabledcompliance.tf moduleRDS DB instance automatic minor version upgrade should be enabledcompliance.tf moduleRDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances should have deletion protection enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS DB instances should have multiple AZ enabledcompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf module

Amazon Redshift (6)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift clusters should have automatic snapshots enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (9)

S3 buckets should not use ACLs for user access controlcompliance.tf moduleS3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should have object lock enabledcompliance.tf moduleS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at bucket levelcompliance.tf module

Amazon SageMaker (1)

SageMaker notebook instances should not have direct internet access

Amazon VPC (1)

VPC subnet auto assign public IP should be disabledcompliance.tf module

Elastic Load Balancing (7)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB application load balancer deletion protection should be enabledcompliance.tf moduleELB application load balancers should be configured to drop HTTP headerscompliance.tf moduleELB application load balancers should drop invalid HTTP headerscompliance.tf moduleELB application and network load balancers should only use SSL or HTTPS listenerscompliance.tf moduleELB classic load balancers should have cross-zone load balancing enabledcompliance.tf moduleELB classic load balancers should span multiple availability zonescompliance.tf module

Other (2)

ES domains should be in a VPCElasticsearch domain should send logs to CloudWatch

Related Frameworks

RBI Cyber Security Framework โ€” ๐ŸŸก Medium overlap (55%)

The RBI Cyber Security Framework (2016) targets scheduled commercial banks rather than NBFCs but partially overlaps with this framework in areas like incident response, SOC operations, and security monitoring. NBFCs that also hold banking licenses may need to comply with both. The NBFC IT Framework draws heavily from that circular's security expectations.

NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (35%)

NIST 800-53 provides a more granular control catalog. The RBI NBFC framework's IT governance, access control, and audit logging requirements map loosely to NIST control families AU (Audit and Accountability), SC (System and Communications Protection), and CP (Contingency Planning). NIST is far more prescriptive on individual control specifications.

ISO/IEC 27001:2022 โ€” ๐ŸŸก Medium overlap (40%)

The RBI framework explicitly references ISO 27001 as a benchmark for information security management. NBFCs with ISO 27001 certification will find roughly 40% overlap in areas like risk assessment, access control, and incident management, though the RBI framework adds India-specific governance and reporting requirements that ISO 27001 does not address.

Frequently Asked Questions

Does this framework apply to my NBFC if we are below the 500 crore asset threshold?
RBI has stated that the framework applies to all deposit-taking NBFCs and all NBFC-ND-SI with asset size of 500 crore and above. Smaller NBFCs below this threshold are encouraged to adopt it voluntarily, and RBI may extend mandatory applicability based on evolving risk assessments. If you are close to the threshold, start compliance work now. Crossing it triggers immediate applicability.
What governance structure does the framework require?
The framework mandates an IT Strategy Committee at the Board level (or a Board-approved committee of senior management) responsible for approving IT strategy, budgets, and security policies. The NBFC must also designate a Chief Information Security Officer (CISO) or equivalent role, and the Board must review IT-related risks at least annually. For smaller NBFCs, RBI permits combining these responsibilities with existing governance bodies, but the functions must be explicitly documented.
How does this framework handle cloud and outsourcing arrangements?
The framework dedicates a section to IT outsourcing. NBFCs must conduct due diligence on service providers, include specific security and audit clauses in contracts, ensure data residency compliance, and retain the ability to audit outsourced operations. Cloud deployments are treated as a form of outsourcing, and the NBFC remains fully responsible for compliance regardless of who manages the infrastructure. Board approval is required for material outsourcing arrangements.
Is there a formal certification or attestation process?
No formal certification exists comparable to ISO 27001 or PCI DSS. Compliance is demonstrated through internal and external IT audits, Board-level reports, and RBI on-site inspections. Keep documented evidence ready: IT audit reports, committee minutes, policy documents, and incident reports are what supervisors ask for.
What are the penalties for non-compliance?
RBI can impose penalties under the RBI Act, 1934 and the NBFC regulatory framework, ranging from monetary fines to restrictions on business operations and, in severe cases, cancellation of the Certificate of Registration. RBI has increasingly applied supervisory action frameworks that escalate based on severity and duration of non-compliance. Repeated or material gaps in IT controls also tend to trigger heightened supervisory scrutiny going forward.

RBI Cyber Security Framework for UCBs

Previous Page

AWS Generative AI Best Practices v2

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryAudit Logging and Monitoring (5)Business Continuity and Disaster Recovery (2)Encryption and Certificate Management (1)Network Security and Access Restriction (1)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page