The Reserve Bank of India issued its comprehensive NBFC–Know Your Customer Directions, 2025 on November 28, 2025, subsequently updated on December 29, 2025. This Master Direction consolidates and supersedes all prior KYC instructions applicable to Non-Banking Financial Companies — representing the most significant overhaul of NBFC KYC compliance in recent years.
This analysis translates every provision into the language auditors speak: what to test, what data to pull, what red flags signal a problem, and what real-world failures demonstrate the consequences of non-compliance.
📌 Key Takeaways
1. Sanctions screening is daily — not monthly, not at onboarding. Each missed day = separate violation.
2. Blocking low-risk accounts before June 30, 2026 is itself a violation — even if KYC is overdue.
3. V-CIP vendor must retain zero data. Most fintech V-CIP vendors currently retain video data — a direct RBI violation.
4. Designated Director ≠ Principal Officer. Same person holding both roles = automatic regulatory violation.
5. CKYCR upload within 10 days — not in weekly batches. Check your CKYCR upload compliance rate.
🔴 Critical Provisions (Risk Tier 1)
These 7 provisions carry the highest enforcement risk — criminal liability under PMLA, daily penalty exposure, and direct inspection scrutiny.
Audit Procedure
Pull complete new account list for last 12 months
Cross-reference introducer names against existing customer database
Flag duplicate address + different PAN combinations
Test for accounts with no transactions within 90 days of opening
Check video/audio recordings for V-CIP — match face to OVD
Red Flags
Multiple accounts sharing same mobile number or email
Introducer linked to unusually high number of new accounts
OVD address differs from GPS location captured during V-CIP
Account opened same day as large credit — no relationship history
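The audit procedure and red flags above are data tests an auditor can run over a new-account extract. The following script is an added example, not part of the original analysis or of any RBI material; it assumes a flat extract with the fields named in the record dicts (account_id, pan, address, mobile, email, introducer, opened, first_txn), and the introducer threshold is an audit-team assumption, not a number from the Direction. All sample records are constructed.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

AS_OF = date(2025, 10, 1)  # review date (constructed)

# Constructed sample extract: the fields an auditor would pull for each
# account opened in the review period. PANs, addresses and contacts are fictitious.
NEW_ACCOUNTS = [
    {"account_id": "A1", "pan": "AAAPA1111A", "address": "12 Hill Rd, Bandra",
     "mobile": "9000000001", "email": "one@example.in", "introducer": "I-7",
     "opened": date(2025, 6, 1), "first_txn": date(2025, 6, 3)},
    {"account_id": "A2", "pan": "AAAPB2222B", "address": "12 hill rd,  bandra",
     "mobile": "9000000001", "email": "two@example.in", "introducer": "I-7",
     "opened": date(2025, 6, 2), "first_txn": None},
    {"account_id": "A3", "pan": "AAAPC3333C", "address": "45 Lake View, Pune",
     "mobile": "9000000003", "email": "three@example.in", "introducer": "I-7",
     "opened": date(2025, 6, 10), "first_txn": date(2025, 9, 20)},
    {"account_id": "A4", "pan": "AAAPC3333C", "address": "45 Lake View, Pune",
     "mobile": "9000000004", "email": "three@example.in", "introducer": None,
     "opened": date(2025, 9, 1), "first_txn": None},
    {"account_id": "A5", "pan": "AAAPE5555E", "address": "9 MG Road, Delhi",
     "mobile": "9000000005", "email": "five@example.in", "introducer": "I-2",
     "opened": date(2025, 5, 1), "first_txn": date(2025, 5, 1)},
]


def normalise_address(addr):
    """Lower-case and collapse whitespace so cosmetic differences do not hide a shared address."""
    return " ".join(addr.lower().split())


def shared_address_different_pan(accounts):
    """Addresses used by more than one PAN. The same PAN at one address
    (a customer's second account) is not a finding."""
    pans_by_addr = defaultdict(set)
    for a in accounts:
        pans_by_addr[normalise_address(a["address"])].add(a["pan"])
    return {addr: sorted(pans) for addr, pans in pans_by_addr.items() if len(pans) > 1}


def shared_contact(accounts, field):
    """Account ids grouped by a contact field (mobile or email) whose value
    appears on more than one account."""
    ids_by_value = defaultdict(list)
    for a in accounts:
        ids_by_value[a[field]].append(a["account_id"])
    return {v: ids for v, ids in ids_by_value.items() if len(ids) > 1}


def introducer_concentration(accounts, max_per_introducer):
    """Introducers linked to more new accounts than the threshold the audit
    team sets (assumed threshold, not a figure from the Direction)."""
    counts = Counter(a["introducer"] for a in accounts if a["introducer"])
    return {i: n for i, n in counts.items() if n > max_per_introducer}


def dormant_after_opening(accounts, as_of, window_days=90):
    """Accounts with no transaction within window_days of opening. Accounts
    whose window has not yet elapsed at as_of are not judged."""
    flagged = []
    for a in accounts:
        deadline = a["opened"] + timedelta(days=window_days)
        if deadline > as_of:
            continue
        if a["first_txn"] is None or a["first_txn"] > deadline:
            flagged.append(a["account_id"])
    return flagged


def run_checks(accounts, as_of, max_per_introducer=2):
    """All four tests in one report keyed by check name."""
    return {
        "shared_address_different_pan": shared_address_different_pan(accounts),
        "shared_mobile": shared_contact(accounts, "mobile"),
        "shared_email": shared_contact(accounts, "email"),
        "introducer_concentration": introducer_concentration(accounts, max_per_introducer),
        "dormant_after_opening": dormant_after_opening(accounts, as_of),
    }


if __name__ == "__main__":
    for check, result in run_checks(NEW_ACCOUNTS, AS_OF).items():
        print(check, result)
```

Each hit is a lead for file review, not a conclusion: the V-CIP face-to-OVD comparison still has to be done on the recordings, and a shared address with two PANs may be a legitimate joint household.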
Enforcement Case
DHFL — ₹34,000 Crore Benami Account Fraud
DHFL created approximately 2.6 lakh fictitious borrower accounts using real names and addresses of existing customers without their knowledge. Loans were disbursed to these ghost borrowers and funds diverted to promoter entities. The "bungalow project" — a cluster of fake accounts in Bandra, Mumbai — was the primary vehicle. Key detection failure: no address verification field visits, no introducer verification, batch CKYCR uploads masking individual account anomalies.
Audit Procedure
Request sanctions screening system logs for last 90 days
Verify screening is run against UNSC, UAPA, and internal PEP lists daily
Check that new list updates are integrated within 24 hours of UNSC publication
Confirm existing portfolio is re-screened — not just new customers
Verify escalation matrix and freeze protocol exists and has been tested
Red Flags
Screening logs show gaps — even one missed day = separate violation
Only new customers screened, existing portfolio excluded
No documented process for handling UNSC list updates
Screening vendor confirms weekly batch runs, not daily
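The screening-log tests above (one full-portfolio run per day against every required list, plus list updates loaded within 24 hours) can be automated over the system's run log. The script below is an added example, not from the article or any vendor; it assumes a one-line-per-run log in the format shown, with run=full meaning the whole portfolio was re-screened and run=new meaning only newly onboarded customers. The log lines and list-update timestamps are constructed.

```python
import re
from datetime import date, datetime, timedelta

# Constructed run log in the format this example assumes the screening
# system writes: timestamp, run type, lists screened, records screened.
SCREENING_LOG = """\
2025-09-01T02:00:11 run=full lists=UNSC,UAPA,PEP records=184233
2025-09-02T02:00:09 run=full lists=UNSC,UAPA,PEP records=184301
2025-09-03T02:00:14 run=new lists=UNSC,UAPA,PEP records=412
2025-09-05T02:00:12 run=full lists=UNSC,UAPA,PEP records=184520
2025-09-06T02:00:10 run=full lists=UNSC,UAPA records=184590
2025-09-07T02:00:08 run=full lists=UNSC,UAPA,PEP records=184611
"""
REQUIRED_LISTS = {"UNSC", "UAPA", "PEP"}
LINE = re.compile(r"^(\S+) run=(\w+) lists=(\S+) records=(\d+)$")
REVIEW_START, REVIEW_END = date(2025, 9, 1), date(2025, 9, 7)

# Constructed: (list name, time the update was published, time it was
# loaded into the screening system)
LIST_UPDATES = [
    ("UNSC", datetime(2025, 9, 2, 14, 0), datetime(2025, 9, 2, 20, 30)),
    ("UNSC", datetime(2025, 9, 5, 9, 0), datetime(2025, 9, 7, 2, 0)),
]


def parse_runs(log):
    """Parse the log into run records; unrecognised lines are skipped and
    should be raised with the vendor rather than counted as runs."""
    runs = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, kind, lists, records = m.groups()
        runs.append({"date": datetime.fromisoformat(ts).date(), "kind": kind,
                     "lists": set(lists.split(",")), "records": int(records)})
    return runs


def coverage_gaps(runs, start, end, required=REQUIRED_LISTS):
    """Each calendar day from start to end needs at least one full-portfolio
    run against every required list. Returns {day: reason} for days that
    fail; each such day is a separate violation."""
    by_day = {}
    day = start
    while day <= end:
        by_day[day] = []
        day += timedelta(days=1)
    for r in runs:
        if r["date"] in by_day:
            by_day[r["date"]].append(r)

    gaps = {}
    for day, day_runs in by_day.items():
        if any(r["kind"] == "full" and required <= r["lists"] for r in day_runs):
            continue
        if not day_runs:
            gaps[day] = "no screening run"
        elif all(r["kind"] != "full" for r in day_runs):
            gaps[day] = "new customers only; existing portfolio not re-screened"
        else:
            screened = set.union(*(r["lists"] for r in day_runs if r["kind"] == "full"))
            gaps[day] = "full run missing lists: " + ",".join(sorted(required - screened))
    return gaps


def late_list_updates(updates, max_hours=24):
    """List updates integrated more than max_hours after publication."""
    late = []
    for name, published, integrated in updates:
        hours = (integrated - published).total_seconds() / 3600
        if hours > max_hours:
            late.append((name, published.date(), round(hours, 1)))
    return late


if __name__ == "__main__":
    for day, reason in sorted(coverage_gaps(parse_runs(SCREENING_LOG), REVIEW_START, REVIEW_END).items()):
        print(day, reason)
    print("late list updates:", late_list_updates(LIST_UPDATES))
```

On the constructed log this reports three separate gap days in one week (a new-customers-only run, a missing day, and a full run that skipped the PEP list) and one UNSC update loaded 41 hours after publication. Run it over the full 90-day window the audit procedure asks for, and treat any unparsed lines as a question for the vendor.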
Audit Procedure
Pull system timestamps: KYC completion vs. account activation
Test sample of 50 new accounts — confirm OVD verification preceded first transaction
Check for any "pending KYC" accounts that received credit
Verify Beneficial Owner identification was completed at onboarding
Red Flags
Account activation timestamp precedes KYC verification timestamp
Loans disbursed to accounts with incomplete CDD
BO identification missing for accounts with corporate customers
System allows bypassing KYC step with "supervisor override"
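The timestamp comparison above (KYC completion versus activation, credit before CDD, missing BO identification, supervisor overrides) is a mechanical test once the core-system extract is in hand. This script is an added example, not the article's or any core-banking vendor's code; it assumes the extract carries the fields shown (kyc_completed is None while KYC is pending, first_credit is None if nothing has been credited, activated_by records who activated the account). The records are constructed.

```python
from datetime import datetime

# Constructed core-system extract for a sample of new accounts.
ONBOARDING = [
    {"account_id": "R1", "customer_type": "individual",
     "kyc_completed": datetime(2025, 7, 1, 10, 0), "activated": datetime(2025, 7, 1, 10, 5),
     "first_credit": datetime(2025, 7, 2, 9, 0), "bo_identified": None, "activated_by": "system"},
    {"account_id": "R2", "customer_type": "individual",
     "kyc_completed": datetime(2025, 7, 3, 12, 0), "activated": datetime(2025, 7, 3, 9, 0),
     "first_credit": datetime(2025, 7, 3, 9, 30), "bo_identified": None, "activated_by": "system"},
    {"account_id": "R3", "customer_type": "entity",
     "kyc_completed": None, "activated": datetime(2025, 7, 4, 11, 0),
     "first_credit": None, "bo_identified": False, "activated_by": "supervisor_override"},
    {"account_id": "R4", "customer_type": "entity",
     "kyc_completed": datetime(2025, 7, 5, 8, 0), "activated": datetime(2025, 7, 5, 8, 10),
     "first_credit": None, "bo_identified": True, "activated_by": "system"},
]


def activated_before_kyc(records):
    """Accounts activated while KYC was pending or before it was completed."""
    return [r["account_id"] for r in records
            if r["kyc_completed"] is None or r["activated"] < r["kyc_completed"]]


def credit_before_kyc(records):
    """Accounts that received a credit or disbursement before KYC completion."""
    return [r["account_id"] for r in records
            if r["first_credit"] is not None
            and (r["kyc_completed"] is None or r["first_credit"] < r["kyc_completed"])]


def entities_without_bo(records):
    """Non-individual customers with no Beneficial Owner identified at onboarding."""
    return [r["account_id"] for r in records
            if r["customer_type"] == "entity" and not r["bo_identified"]]


def override_activations(records):
    """Accounts activated by any path other than the normal system flow."""
    return [r["account_id"] for r in records if r["activated_by"] != "system"]


def sequence_findings(records):
    """All four tests keyed by finding type, for the audit workpaper."""
    return {
        "activated_before_kyc": activated_before_kyc(records),
        "credit_before_kyc": credit_before_kyc(records),
        "entities_without_bo": entities_without_bo(records),
        "override_activations": override_activations(records),
    }


if __name__ == "__main__":
    for finding, ids in sequence_findings(ONBOARDING).items():
        print(finding, ids)
```

The same functions work on the 50-account sample the procedure calls for or on the full population; an override activation that also shows up under activated_before_kyc is the combination to escalate first.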
Audit Procedure
Review STR filing register — date of suspicion vs. date of filing
Confirm no tipping-off occurred — check customer communication logs around STR dates
Verify Principal Officer is separately designated from Designated Director
Test threshold monitoring alerts for CTR — transactions above ₹10 lakhs
Red Flags
STR filed more than 7 days after suspicion arose
Account closure or transaction reversal immediately before STR filing
Same person is both Designated Director and Principal Officer
No STRs filed in last 12 months despite high-risk customer base
🟠 High Risk Provisions (Risk Tier 2)
Audit Procedure
Request CERT-In VAPT certificate — check date (must be current)
Confirm video/audio data is stored only on India-based servers
Verify vendor contract explicitly prohibits data retention by vendor
Test liveness detection — check if system can be bypassed by photo
Confirm GPS coordinates are captured and stored per session
Red Flags
VAPT certificate expired or from non-CERT-In empanelled firm
Vendor contract silent on data retention — vendor retains video
Servers located outside India (check hosting contract)
No GPS data captured — V-CIP completed from foreign location possible
Audit Procedure
Pull CKYCR upload log — calculate days between account opening and upload
Identify any accounts where upload exceeded 10 days
Check if uploads are batched weekly (violation) vs. daily
Verify CKYCR number is stored in core system post-upload
Red Flags
Upload logs show weekly batch runs — every late account = violation
Accounts with no CKYCR number despite being open for 30+ days
CKYCR portal access credentials shared across teams
No reconciliation between core system and CKYCR portal
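The CKYCR tests above (upload lag against the 10-day limit, weekly batching, and accounts still without a CKYCR number) are a short script once the upload log is exported. This is an added example, not from the article or the CKYCR portal; it assumes a log with one row per account (opening date, upload date or None, and the CKYCR number stored back in the core system or None). The 30-day age for the missing-number test is the article's own threshold; the records are constructed.

```python
from datetime import date

AS_OF = date(2025, 10, 1)  # review date (constructed)

# Constructed CKYCR upload log.
UPLOADS = [
    {"account_id": "K1", "opened": date(2025, 7, 30), "uploaded": date(2025, 8, 4), "ckycr_number": "CK-1"},
    {"account_id": "K2", "opened": date(2025, 7, 25), "uploaded": date(2025, 8, 4), "ckycr_number": "CK-2"},
    {"account_id": "K3", "opened": date(2025, 7, 24), "uploaded": date(2025, 8, 4), "ckycr_number": "CK-3"},
    {"account_id": "K4", "opened": date(2025, 8, 2), "uploaded": date(2025, 8, 11), "ckycr_number": "CK-4"},
    {"account_id": "K5", "opened": date(2025, 7, 31), "uploaded": date(2025, 8, 18), "ckycr_number": None},
    {"account_id": "K6", "opened": date(2025, 9, 1), "uploaded": None, "ckycr_number": None},
    {"account_id": "K7", "opened": date(2025, 9, 25), "uploaded": None, "ckycr_number": None},
]


def upload_lag_violations(records, as_of, max_days=10):
    """Accounts uploaded more than max_days after opening, or still not
    uploaded once max_days have passed at as_of. Returns (account_id, days)."""
    out = []
    for r in records:
        end = r["uploaded"] if r["uploaded"] is not None else as_of
        lag = (end - r["opened"]).days
        if lag > max_days:
            out.append((r["account_id"], lag))
    return out


def weekly_batch_pattern(records, min_dates=3):
    """True when every upload date falls on the same weekday across at
    least min_dates distinct dates, which points to a weekly batch job
    rather than daily submission."""
    dates = {r["uploaded"] for r in records if r["uploaded"] is not None}
    return len(dates) >= min_dates and len({d.weekday() for d in dates}) == 1


def missing_ckycr_number(records, as_of, min_age_days=30):
    """Accounts open at least min_age_days with no CKYCR number in the core
    system; covers both never-uploaded accounts and uploads whose number
    was never reconciled back."""
    return [r["account_id"] for r in records
            if r["ckycr_number"] is None and (as_of - r["opened"]).days >= min_age_days]


if __name__ == "__main__":
    print("lag violations:", upload_lag_violations(UPLOADS, AS_OF))
    print("weekly batch pattern:", weekly_batch_pattern(UPLOADS))
    print("missing CKYCR number:", missing_ckycr_number(UPLOADS, AS_OF))
```

The compliance rate mentioned in the key takeaways is simply the share of records that do not appear in upload_lag_violations; a Monday-only upload pattern combined with a handful of 11-day lags is the signature of weekly batching.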
🟡 Moderate Risk Provisions (Risk Tier 3)
Audit Procedure
Obtain Board-approved KYC policy — check approval date
Verify policy covers all 16 provisions of this Direction
Confirm policy was updated after the November 2025 Direction
Check Board minutes reflect KYC policy review
Red Flags
Policy last updated before November 28, 2025 — doesn't cover new Direction
Policy exists but staff unaware of contents
No annual review mechanism documented
⚖️ Regulatory Disclaimer
Always refer to the original RBI circular (DOR.AML.REC.No.280/14.01.003/2025-26) as the definitive regulatory guidance. This analysis is for professional compliance and audit use only and does not constitute legal or regulatory advice. Consult qualified legal counsel for specific regulatory decisions.