Compliance does not end with licensing or initial setup. Both NBFCs and LSPs are subject to continuous regulatory and statutory obligations. These obligations ensure transparency, protect customers, and allow regulators to monitor systemic stability. For startups, maintaining robust reporting systems and governance mechanisms is critical to avoid penalties, reputational risks, and interruptions in operations.

<aside>

🔄 Uniform Standards: NBFCs answer directly to RBI, but LSPs must demonstrate equivalent standards through their contracts. The compliance burden is therefore “indirect but binding.”

</aside>

1️⃣ Entity Obligations

1. NBFC Direct Obligations

NBFCs face the heaviest reporting and oversight requirements:

• Supervisory Returns (DNBS / COSMOS): Mandatory periodic filings under the Master Direction – Reserve Bank of India (Filing of Supervisory Returns) Directions, 2024. These include financial statements, prudential compliance metrics, exposure norms, fraud monitoring, and sectoral reports.

• Statutory Audits: Annual statutory audits under the Companies Act, 2013, and concurrent audits as prescribed by RBI. Independent auditors must confirm compliance with prudential norms, asset classification, provisioning, and governance frameworks.

• RBI Inspections: NBFCs are subject to on-site inspections by RBI examiners, who evaluate books of account, compliance with scale-based regulation, adherence to KYC/AML, IT security, and customer protection frameworks.

• Ongoing Prudential Compliance: Continuous adherence to capital adequacy norms, leverage ratios, provisioning standards, corporate governance guidelines, and fraud reporting frameworks (including Master Directions on Fraud Risk Management).

• Reporting of Digital Lending Apps (DLAs) to RBI

  • The RE must submit details of all Digital Lending Apps (DLAs) owned by it or operated via its LSPs through the RBI’s Centralised Information Management System (CIMS) portal.
  • The initial deadline for this reporting is by 15 June 2025.
  • The RE must ensure the data submitted is accurate and remains up to date, and the Chief Compliance Officer or a designated official must certify that the DLA-data is correct.
  • The RBI will publish the list of DLAs on its website, based on the submitted data (without separate verification).

• Reporting of Credit Information to Credit Information Companies (CICs)

  • The RE must report all loans disbursed via its digital lending activity (whether direct or through LSPs/DLAs) to Credit Information Companies.
  • This includes short-term, unsecured, secured, merchant-platform, deferred payment credit and similar digital credit products.

• Ongoing Update/Monitoring of DLA & Outsourcing Arrangements

  • The RE must maintain a register of all DLAs it uses (own or third-party) and update the list in CIMS whenever there is addition or discontinuation of DLAs.
  • As part of its certification, the RE must verify the compliance of the DLAs and LSPs with the Directions.

• NBFCs fall within the meaning of "Credit Institutions" (CIs) under the Master Direction – Reserve Bank of India (Credit Information Reporting) Directions, 2025, and are required to comply with the applicable provisions therein. For a cursory overview of the regulation, click here:

  Overview of the Credit Information Reporting Directions, 2025

2. LSP Contractual Extensions

LSPs are not directly supervised by RBI, but they are contractually bound to support the RE’s reporting obligations under the Directions. Typical ongoing obligations include:

• Portfolio Reporting: Regular submission of loan portfolio data (originations, repayments, delinquencies) to the NBFC.

• Technology & App Usage Metrics: Reporting of DLA performance, user data (in compliance with privacy norms), and integration effectiveness. LSPs must furnish accurate details of their Digital Lending Apps (DLAs) and related borrower-facing platforms to the partnering NBFC/RE for submission on the RBI’s CIMS portal.

• Customer Protection Metrics: Grievance redressal statistics, complaint resolution timelines, and red-flag escalation to the NBFC’s nodal officer. Where LSPs have a direct borrower interface, they must maintain and report grievance metrics (complaints received, resolved, pending) to the RE.

• Contractual Audits: NBFCs often require periodic compliance certifications from LSPs, including IT security audits and customer data handling reviews. LSPs must maintain complete audit trails of data collected, processed, and transmitted to the RE.

• LSPs must enable accurate transmission of loan data to CICs through their RE partner.

• LSPs must certify compliance with data localization, deletion, and retention obligations to their RE.

  <aside>

  📖 RBI’s Crackdown on Unauthorized Lending Apps

  In 2023, Indian authorities banned 94 digital lending apps, which were flagged for predatory practices, data misuse, and links to foreign entities. This enforcement demonstrates the risks of operating without NBFC affiliation and underscores RBI's insistence on strict regulatory alignment.

  </aside>

2️⃣ General Statutory & Tax Obligations (Both NBFCs & LSPs)

Beyond sector-specific compliance, fintech entities must maintain ongoing corporate and fiscal obligations:

• MCA Annual Filings: Filing of annual returns, financial statements, and other company law compliances.

• Tax Filings:

  • GST returns (monthly/quarterly, as applicable)
  • TDS/TCS remittances and quarterly statements
  • Income tax returns and advance tax payments
  • Transfer pricing disclosures, if applicable

• Other Regulatory Interfaces:

  Filings with ROC, Registrar of Shops & Establishments, and labour authorities, depending on the entity’s size and footprint.

3️⃣ Other Relevant Compliances for Startups

The Indian startup ecosystem falls under the purview of multiple laws and regulations across various sectors. To navigate this landscape effectively, this section of the toolkit will guide early-stage founders towards relevant compliances spanning across environmental protection, labour standards, consumer rights, data privacy, goods and services tax (GST), intellectual property (IP) rights, foreign exchange management (FEMA), information technology (IT) protocols, and stamp duty obligations, that the start-ups must adhere to. Understanding and fulfilling these diverse compliance mandates is crucial for the sustainable growth and legal standing of start-ups in India.

A comprehensive list of such compliances can be accessed here.

<aside>

📕 Applicable Frameworks

<aside>

Entities should comply with the following statutory and regulatory instruments for ongoing reporting and compliance:

1. Master Direction – Reserve Bank of India (Filing of Supervisory Returns) Directions, 2024
2. RBI Scale-Based Regulation (SBR) Framework
3. Master Directions on Fraud Risk Management & Monitoring of Frauds in NBFCs
4. Companies Act, 2013 – Annual Return and Financial Statement Filings
5. Income Tax Act, 1961 – Corporate Income Tax, TDS, GST compliances
6. RBI Master Directions on IT Framework & Outsourcing (periodic IT/security audits) </aside>

</aside>

<aside>

🏛️Enforcement Reality

Regulators closely scrutinize non-compliance with ongoing obligations. RBI has penalized NBFCs for misreporting supervisory returns and failing to maintain statutory auditors’ independence. MCA has disqualified directors for repeated defaults in annual filings. Tax authorities impose interest and penalties for delays in GST or TDS compliance.

</aside>

<aside>

⚠️ Note the disclaimers regarding the document's limitations and the need for professional legal advice.

</aside>

With the compliance cycle complete, founders should also reflect on broader strategic considerations that drive sustainability:

***Beyond Compliance Considerations.***

Or return to Step 6: Data Protection & Technology Compliance.

Or revisit the Toolkit Flow Overview to see the entire roadmap at a glance, or return to the Toolkit Homepage.