Every customer your NBFC onboards is a compliance decision. Getting that decision wrong, whether by accepting a fake identity, skipping a beneficial ownership check, or missing a sanctions screening, does not just create a bad loan. It creates a regulatory violation that can attract penalties of up to Rs. 10 lakh per day and, in serious cases, suspension of your operating licence.
NBFC KYC and AML Compliance 2026
In 2026, KYC and AML compliance for NBFCs is more precisely regulated than at any point before. The RBI updated the KYC Amendment Directions in 2025, introduced revised periodic updation instructions, extended a critical deadline for low-risk customers to June 30, 2026, and tightened sanctions screening requirements. Alongside this, the Digital Personal Data Protection Act, with rules notified in 2025, has begun reshaping how NBFCs handle and store customer identity data.
If your NBFC has not reviewed its KYC and AML framework against the 2025 and 2026 directions, there are almost certainly gaps. This guide walks you through every one of them.
Deadline Alert: June 30, 2026 is the Last Date for Low-Risk Customer KYC Updation
The RBI has extended the KYC updation deadline for low-risk customers. These customers now have until one year from their KYC due date or June 30, 2026, whichever is later, to complete their periodic KYC update. During this window, transactions on their accounts continue under regular monitoring. NBFCs must send at least three advance reminder notifications before restricting accounts, including at least one notification by physical letter. Missing this structured communication requirement is itself a compliance violation, separate from the KYC updation failure.
The RBI's KYC Framework for NBFCs: What Governs It in 2026
The primary regulatory document is the Master Direction on Know Your Customer, originally issued in 2016 and updated multiple times since, most recently in August 2025. This master direction governs all aspects of customer identification, due diligence, risk categorisation, beneficial ownership determination, and record maintenance for every NBFC that falls within its scope.
Alongside the master direction, NBFCs are subject to the Prevention of Money Laundering Act, 2002 and the Prevention of Money Laundering Maintenance of Records Rules, 2005, both of which have been amended in recent years. The RBI's KYC directions are explicitly aligned with these PMLA rules, meaning a gap in one framework is almost always a gap in the other. NBFCs must also register with the Financial Intelligence Unit India and report suspicious transactions, cash transactions above prescribed thresholds, and counterfeit currency incidents through the FIU-IND reporting portal.
Customer Due Diligence: Three Levels, Three Different Obligations
Customer Due Diligence is the process by which an NBFC verifies who its customer is, what they intend to do with the financial relationship, and how much risk they represent. The RBI's KYC framework operates on a risk-based approach, dividing customers into low-risk, medium-risk, and high-risk categories. The level of due diligence applied must match the risk level assigned.
Low-Risk Customers
Low-risk customers are individuals whose identity and source of funds can be easily established and whose transactions broadly match the known profile. Salaried employees with salary accounts, pensioners, and small borrowers with limited transaction activity typically fall here. For these customers, simplified due diligence is permitted, though the June 30, 2026 deadline for periodic KYC updation applies and cannot be extended further.
Medium and High-Risk Customers
Medium and high-risk customers require standard and enhanced due diligence respectively. Enhanced due diligence is mandatory for Politically Exposed Persons, their family members, and close associates. The RBI requires NBFCs to determine the source of wealth for all PEPs, not just the source of funds for a specific transaction. High Net Worth Individuals, customers with complex ownership structures, and borrowers from high-risk geographies also attract enhanced due diligence requirements.
For high-risk accounts, the period of enhanced monitoring is tighter and ongoing re-verification is required more frequently than for low-risk customers.
Beneficial Ownership: The 10 Percent Rule That Most NBFCs Are Still Missing
One of the most important changes in the recent KYC amendment is the revision of the beneficial ownership threshold for partnership firms. The threshold has been reduced from 15 percent to 10 percent. Any natural person who owns 10 percent or more of the capital or is entitled to 10 percent or more of the profits of a partnership firm, or who exercises control over its management or policy decisions, must now be identified, verified, and subjected to KYC procedures before the NBFC extends any credit or financial service to that firm.
This is not a minor adjustment. Many NBFC credit appraisal processes built around the old 15 percent threshold are now under-identifying the beneficial owners of their MSME and partnership borrowers. The RBI expects NBFCs to have updated their internal CDD processes to reflect the 10 percent threshold immediately following the amendment. An inspection that finds ongoing use of the 15 percent benchmark will result in an adverse finding.
| KYC Obligation | Requirement in 2026 | Consequence of Non-Compliance |
|---|---|---|
| Periodic KYC Update (Low Risk) | By June 30, 2026 or one year from due date | Penalty up to Rs. 10 lakh per day |
| Beneficial Ownership Threshold | 10% ownership or profit share (reduced from 15%) | CDD failure, adverse inspection finding |
| Sanctions Screening | Daily verification against UNSC, UAPA, PEP lists | AML violation, FIU reporting obligation triggered |
| Principal Officer Appointment | Must be management-level; details filed with RBI | Regulatory direction, penalty |
| Video KYC (V-CIP) Data Storage | All data stored in India, no third-party server retention | Data localisation violation, DPDP Act breach |
| Suspicious Transaction Reporting | Filed with FIU-IND within prescribed timelines | PMLA violation, criminal liability risk |
AML Obligations: Sanctions Screening Is Now a Daily Requirement
Anti-money laundering compliance for NBFCs goes significantly beyond having a policy document. The RBI's updated KYC directions require regulated entities, including NBFCs, to conduct daily verification of their entire customer database against the United Nations Security Council Sanctions Lists, the UAPA Sanctions Lists maintained under the Unlawful Activities Prevention Act, and the Politically Exposed Persons database including family members and close associates of those persons.
Daily screening means the screening system must update its watchlists at least daily and must run all active customers against those lists every day. A customer who was not a sanctions match at onboarding can become one the next morning if a designation is added overnight. The RBI's introduction of Section 54A in the master direction specifically directs NBFCs to use technology tools for name screening, meaning a manual, periodic screening process is no longer considered adequate compliance.
Every NBFC must appoint a Principal Officer at management level whose sole designated responsibility includes ensuring AML compliance and furnishing information and reports to the Director, Financial Intelligence Unit India. The Principal Officer's details must be formally communicated to the RBI, and any change in this officer must be notified without delay.
Video KYC in 2026: New Rules Under the DPDP Act
Video Customer Identification Process, or V-CIP, has become a mainstream onboarding method for NBFCs operating digital lending platforms. In 2026, the compliance obligations around video KYC have become more demanding, not less, because the Digital Personal Data Protection Act rules notified in 2025 have layered new data governance obligations on top of the existing RBI requirements.
Under the RBI master direction, V-CIP sessions must simulate a real-time face-to-face interaction, the customer must be physically present in India during the session, and the system must employ active liveness detection to prevent deepfake or pre-recorded video fraud. All video recordings, audit logs, and customer metadata collected during a V-CIP session must be stored in India. No data can reside on third-party servers. If your NBFC uses a cloud-based video KYC vendor, you must have both a contractual obligation and a technical mechanism in place to pull all data onto your own servers immediately after the session is completed.
The DPDP Act introduces an additional dimension: explicit, informed consent for data processing. Every customer whose biometric or personal data is collected through video KYC must be given clear notice of what data is collected, why it is collected, how long it will be retained, and what rights they have. The consent record itself must be maintained and must be producible during a regulatory examination.
Conclusion
KYC and AML compliance in 2026 is a daily operational function for every NBFC, not an onboarding formality. The June 30, 2026 deadline for low-risk customer KYC updation is a hard deadline with real penalties attached. The beneficial ownership threshold change to 10 percent requires immediate updates to your credit appraisal and CDD processes. Daily sanctions screening is no longer a best practice. It is a regulatory requirement. And video KYC must now meet both RBI data localisation rules and the DPDP Act consent framework simultaneously.
An NBFC that treats KYC as a form-filling exercise and AML as a once-a-year policy review is building a compliance liability that grows quietly until it becomes visible to the RBI during an inspection or through a suspicious transaction report. The cost of getting this wrong now is far higher than the cost of getting it right.
Action Required Before June 30, 2026
Review your periodic KYC status across all customer categories and confirm that low-risk customer updation communications have been sent with the mandatory three-notification structure. Update your beneficial ownership identification process to reflect the 10 percent threshold. Confirm that your sanctions screening system runs daily against current UNSC, UAPA, and PEP lists. Review your video KYC vendor contract for DPDP Act data localisation compliance. Verify that your Principal Officer's details are current and filed with the RBI. A compliance gap assessment by a qualified NBFC specialist before June 2026 is strongly recommended.
Blog Summary
NBFC KYC and AML compliance in 2026 is governed by the RBI's Master Direction on KYC, most recently updated in August 2025, and aligned with the Prevention of Money Laundering Act and its Maintenance of Records Rules. Key 2026 obligations include completing periodic KYC updation for low-risk customers by June 30, 2026, applying the revised beneficial ownership threshold of 10 percent for partnership firms, conducting daily sanctions screening against UNSC, UAPA, and PEP lists, appointing a management-level Principal Officer whose details are filed with the RBI, and meeting the data localisation and consent requirements for video KYC under both RBI directions and the Digital Personal Data Protection Act rules notified in 2025. Non-compliance with KYC and AML obligations can attract penalties of up to Rs. 10 lakh per day, suspension of business activities, and in serious cases, cancellation of the NBFC's Certificate of Registration. Suspicious transaction reporting to FIU-IND remains a mandatory ongoing obligation for all registered NBFCs.
Frequently Asked Questions
1. What is the June 30, 2026 KYC deadline and which customers does it apply to?
The RBI has extended the periodic KYC updation deadline specifically for low-risk customers. Under the revised instructions, a low-risk customer now has until one year from the date their KYC update was originally due, or June 30, 2026, whichever date falls later. Low-risk customers are typically individuals whose identity and income sources can be easily verified and whose transaction patterns are straightforward and predictable. During the extended period, their accounts remain operational but must be kept under regular monitoring. The NBFC must send structured reminder communications before restricting any account, with at least three advance notifications issued at appropriate intervals, including a minimum of one notification by physical letter. Simply waiting for the June 2026 deadline without issuing the required notifications is itself a compliance failure, even if the account is eventually updated before the deadline passes.
2. How does the beneficial ownership threshold change from 15 percent to 10 percent affect NBFC lending to partnership firms?
The revision of the beneficial ownership identification threshold from 15 percent to 10 percent means that any natural person who owns 10 percent or more of a partnership firm, or is entitled to 10 percent or more of its profits, or exercises control over its management or policy decisions, must now be identified and subjected to full KYC and Customer Due Diligence procedures before the NBFC provides any financial service to that firm. In practical terms, a partnership firm with five equal partners previously had no individual crossing the 15 percent threshold, which allowed some NBFCs to skip beneficial owner verification entirely. Under the 10 percent rule, each of those five equal partners is now a beneficial owner who must be individually verified. NBFCs that have not updated their credit appraisal forms, credit policy, and CDD procedures to reflect this lower threshold are non-compliant with the current KYC directions, and this gap will be visible during an RBI inspection of their MSME or SME loan files.
3. What are the data storage rules for video KYC under the 2026 framework and how does the DPDP Act change them?
Under the RBI's existing KYC master direction, all data collected during a Video Customer Identification Process session, including video recordings, audio, documents, and customer metadata, must be stored on servers located within India. No data can remain on the servers of a third-party technology provider after the session is completed. The NBFC must contractually ensure that its video KYC vendor transfers all data to the NBFC's own systems immediately upon session completion. The Digital Personal Data Protection Act rules notified in 2025 add an entirely new obligation on top of this. Under the DPDP framework, every customer whose personal and biometric data is processed through video KYC must receive a clear privacy notice explaining what data is collected, the purpose of collection, the retention period, and the customer's rights including the right to withdraw consent and the right to erasure. The consent given by the customer must be documented and the record must be maintained. For NBFCs using external video KYC vendors, the data processing agreement with the vendor must be reviewed to ensure it reflects both the RBI localisation requirement and the DPDP Act consent and notice obligations simultaneously.
