NBFC Outsourcing Directions 2025

Outsourcing is how modern NBFCs stay lean. Customer acquisition through fintech partners, credit assessment through analytics platforms, loan servicing through technology vendors, collections through recovery agents, security monitoring through external SOC teams. The operational model depends on third parties at almost every step. And for most of that time, the regulatory framework governing those relationships was written for a simpler era.

On 28 November 2025, the RBI changed that entirely. The Non-Banking Financial Companies Managing Risks in Outsourcing Directions, 2025 came into force immediately, replacing all earlier outsourcing guidelines with a framework that treats every vendor relationship as a direct extension of the NBFC's own regulated operations. The core principle is stated without ambiguity: outsourcing does not dilute regulatory responsibility. Whatever a vendor does on behalf of your NBFC, your NBFC is accountable for it.

There is one hard deadline that every NBFC must be focused on right now. Existing IT outsourcing contracts that predate 28 November 2025 must comply with the new directions by 10 April 2026, or at the time of renewal, whichever comes first. With that deadline arriving in weeks, any NBFC that has not reviewed its legacy IT vendor contracts is running out of time.

Hard Deadline: April 10, 2026 for Existing IT Outsourcing Contracts

The Outsourcing Directions 2025 came into force immediately on 28 November 2025 for all new outsourcing arrangements. For existing IT outsourcing agreements signed before that date, the RBI has given a transition window. These contracts must be brought into compliance with the new directions by April 10, 2026 or at the time of renewal, whichever is earlier. There is no further extension. Contracts that have not been updated by this date or at renewal will be in violation of an active RBI direction. Financial outsourcing contracts covering non-IT functions must comply from the date of issuance, meaning they are already required to be compliant as of 28 November 2025.

What Counts as Outsourcing Under the 2025 Directions

The Outsourcing Directions 2025 define outsourcing broadly and deliberately. Outsourcing means the use of a third party, whether a group company or an external entity, by an NBFC to perform activities on a continuing basis that would normally be undertaken by the NBFC itself, now or in the future. The definition includes agreements for a limited period. A one-year contract with a data analytics vendor is outsourcing. A six-month arrangement with a recovery agent is outsourcing. A group company providing back-office processing is outsourcing.

What this broad definition means practically is that every vendor relationship your NBFC relies on for any operational function must be reviewed against the Outsourcing Directions. The scope covers financial services outsourcing across all NBFC layers, and IT services outsourcing for Middle Layer and above. Base Layer NBFCs are subject to the general provisions of the directions but are not required to comply with Chapter IV, which contains the detailed IT-specific obligations. Middle Layer and Upper Layer NBFCs must comply with everything.

Functions That Cannot Be Outsourced Under Any Circumstances

The Directions 2025 draw a hard line around core management and decision-making functions. These cannot be delegated to any third party regardless of how the arrangement is structured or what the contractual terms say.

  • Internal audit is a non-delegable board-level function. An NBFC can co-source its internal audit with an external firm under the supervision of a qualified internal Chief Internal Auditor, but the function itself cannot be transferred to a third party without the NBFC retaining accountability.
  • Compliance function management is reserved for the NBFC's own Chief Compliance Officer. External consultants can support the compliance function, but the decision-making authority and board reporting line must remain internal.
  • Strategic decision-making functions including setting business direction, determining risk appetite, and making board-level governance decisions cannot be outsourced.
  • KYC approval and loan sanctioning decisions cannot be delegated to a service provider. The Directions are explicit that credit decision-making authority rests with the NBFC. A technology platform can present data, score a borrower, and generate a recommendation, but the sanctioning decision must be made by an authorised individual within the NBFC.
  • Management of risk, compliance, and other control functions cannot be outsourced in a manner that removes the NBFC's own accountability for those functions.

Board Accountability: The Governance Framework the RBI Will Examine

The Outsourcing Directions 2025 place the Board at the top of the entire outsourcing governance structure. The Board or a Board-delegated committee is responsible for putting in place a framework to evaluate risks and materiality of all existing and prospective outsourcing arrangements, and for monitoring management's actions on those arrangements.

Every NBFC must have a Board-approved outsourcing policy covering the criteria for selecting activities that may be outsourced, the risk assessment methodology for evaluating service providers, the approval authority for different categories of outsourcing, performance monitoring standards, business continuity requirements, and exit strategies. For IT outsourcing, a separate Board-approved IT outsourcing policy is mandatory for Middle Layer and above NBFCs.

The NBFC must maintain a central register of all material outsourcing arrangements. This register must be available for RBI inspection at any time. If a vendor relationship is material enough to appear in this register, it must also be covered by a contract that meets the standards prescribed in the directions. Material outsourcing is assessed based on whether the failure of the vendor would have a significant impact on the NBFC's ability to deliver its services to customers or meet its regulatory obligations.

| Outsourcing Obligation | Applicability | Key Requirement | Deadline |
|---|---|---|---|
| Board-Approved Financial Outsourcing Policy | All NBFC layers | Must cover selection, risk assessment, monitoring, exit strategy | 28 Nov 2025 (immediate) |
| Board-Approved IT Outsourcing Policy | Middle Layer and above | Separate policy for IT; Board oversight of IT vendor risk | 28 Nov 2025 for new; April 10, 2026 for existing |
| Central Register of Material Outsourcing | All NBFC layers | All material arrangements listed; available for RBI inspection | 28 Nov 2025 (immediate) |
| Annual Service Provider Review | All NBFC layers | Financial and operational condition of vendor; ability to continue | Ongoing, at least annually |
| Subcontractor Approval | All NBFC layers | Vendor cannot subcontract without NBFC's prior written approval | 28 Nov 2025 (immediate) |
| Cyber Incident Reporting | Middle Layer and above | RBI notified within six hours of detection by service provider | 28 Nov 2025 (immediate) |

What Every Outsourcing Contract Must Now Contain

The contract between the NBFC and its service provider is the primary instrument of regulatory control. A contract that does not meet the standards in the Outsourcing Directions 2025 is not just a legal gap. It is a regulatory violation. The RBI will not be satisfied by boilerplate clauses. It will examine whether the contract actually delivers the protections the directions require.

  • Clearly defined service levels with measurable performance standards and consequences for breach. Vague commitments to use best efforts are not adequate.
  • The NBFC must retain unconditional rights of access to all data, books, records, logs, and alerts relevant to the outsourced service. Any clause that conditions RBI access on vendor consent, confidentiality restrictions, or commercial feasibility is non-compliant. If the RBI cannot inspect the vendor through the NBFC's right of access, that vendor cannot be used.
  • The contract must specify exactly how customer data and NBFC data are captured, processed, and stored, with explicit compliance obligations under the Information Technology Act and the Digital Personal Data Protection Act rules.
  • The vendor may not subcontract any outsourced activity without the NBFC's prior written approval. All regulatory obligations must be flowed down to subcontractors. The primary vendor remains fully liable for the acts and omissions of its own subcontractors.
  • For IT outsourcing, cyber incidents must be reported by the service provider to the NBFC within a timeframe that allows the NBFC to report to the RBI within six hours of detection. This means the vendor notification obligation must be contractually much shorter than six hours.
  • Business continuity and disaster recovery obligations must be embedded in the contract, not just referenced in the vendor's own policies. The NBFC must have the right to test the vendor's business continuity and disaster recovery capabilities periodically.
  • Exit and transition assistance provisions must be contractually enforceable. The vendor must assist in an orderly transfer to a new service provider at the end of the contract or on termination, and this obligation must survive contract termination.

Data Governance: A Zero-Tolerance Area in the 2025 Directions

Customer data handling is treated as a zero-tolerance area throughout the Outsourcing Directions 2025. The NBFC remains fully responsible for the confidentiality, integrity, and availability of all customer data even when that data is processed or stored by a service provider. There is no transfer of data responsibility through outsourcing.

Data belonging to the NBFC and its customers must not be combined or commingled with data belonging to other clients of the same vendor. In a multi-tenant cloud or technology environment, this obligation is satisfied if there is clear separation and isolation of the NBFC's data so that only personnel authorised by the NBFC can access it. A vendor that processes data for multiple regulated entities must be able to demonstrate through technical and contractual means that each client's data is isolated at all times.

Offshore outsourcing carries additional obligations. Where a service provider is located outside India or processes data on servers outside India, the NBFC must ensure that foreign regulatory authorities cannot access Indian customer data merely because of the processing location. Governing law and dispute resolution clauses in these contracts must not be structured in ways that impede the RBI's supervisory access. The RBI's position is unambiguous: Indian customer data processed offshore remains subject to Indian regulatory sovereignty, and the contract must reflect that.

Specific Rules for Group Entity Outsourcing and Cloud Services

Many NBFCs outsource functions to affiliated companies within the same financial group, treating these arrangements as lower risk than outsourcing to external vendors. The Outsourcing Directions 2025 make clear that this assumption is wrong. Group entity outsourcing is subject to exactly the same due diligence, contractual, and governance requirements as external vendor outsourcing. The fact that the vendor is a related party does not reduce the risk assessment requirement. In some cases, group entity outsourcing creates concentration and conflict-of-interest risks that must be assessed separately.

For cloud-based services, which include Infrastructure as a Service, Platform as a Service, and Software as a Service, the directions require specific controls. Container security must be maintained with standardised tools for managing containers, images, and releases. Encryption keys and Hardware Security Modules must remain under the NBFC's control, not the cloud provider's. The NBFC must have complete visibility into the security architecture of any cloud environment where its data is processed. Security Operations Centres, whether in-house or outsourced, must have their reporting and escalation processes integrated with the RBI's six-hour breach reporting timeline.

Conclusion

The NBFC Outsourcing Directions 2025 have permanently changed the regulatory status of every vendor relationship your NBFC depends on. The April 10, 2026 deadline for IT outsourcing contract compliance is not a distant target. It is a matter of weeks away as of March 2026. Financial outsourcing arrangements have been required to comply since November 28, 2025 and any gaps in those contracts already represent a live regulatory violation.

For NBFC compliance teams, the practical priority is a structured inventory of every material outsourcing arrangement, a gap analysis of each contract against the requirements of the Directions, and a plan to either amend legacy contracts or replace non-compliant ones. The RBI's supervisory teams will examine outsourcing governance as a standalone category during inspections. Governance records, audit trails, vendor risk dashboards, and contract documentation will all be reviewed. Policies on paper without operational substance behind them will not satisfy the regulator.

Immediate Action Required Before April 10, 2026

Prepare a complete inventory of all outsourcing arrangements categorised by financial services and IT services. Identify all IT outsourcing contracts signed before 28 November 2025 and confirm their renewal dates. Contracts renewing before April 10, 2026 must be updated immediately. Contracts not renewing before that date must be updated by April 10, 2026 regardless. Review each contract against the mandatory provisions in the Outsourcing Directions 2025, including RBI inspection rights, subcontractor controls, data isolation, cyber incident notification timelines, and exit provisions. A contract compliance review by a qualified NBFC specialist is strongly recommended to identify gaps that internal teams may miss in the available time.

Blog Summary

The RBI issued the Non-Banking Financial Companies Managing Risks in Outsourcing Directions, 2025 on 28 November 2025 through notification RBI/DOR/2025-26/363. The directions apply to all NBFC categories with graded obligations: Base Layer NBFCs must follow general outsourcing provisions while Middle Layer and above must additionally comply with Chapter IV covering detailed IT outsourcing requirements. Existing IT outsourcing contracts must comply by April 10, 2026 or at renewal, whichever is earlier. Financial outsourcing contracts must have been compliant from 28 November 2025. Key obligations include a Board-approved outsourcing policy, a central register of material outsourcing arrangements, annual reviews of service providers, mandatory contract clauses covering RBI inspection rights, data isolation, subcontractor controls, business continuity, and enforceable exit provisions. Core functions including internal audit management, compliance, KYC approval, and loan sanctioning cannot be outsourced. Customer data responsibility cannot be transferred through outsourcing. Cyber incidents in IT outsourcing must be reported to the RBI within six hours of detection. Group entity outsourcing carries the same due diligence requirements as external vendor arrangements.

Frequently Asked Questions

Q1. Does a Base Layer NBFC need to comply with the IT outsourcing provisions of the Outsourcing Directions 2025?

A Base Layer NBFC is required to comply with the general outsourcing provisions of the Outsourcing Directions 2025, which cover financial services outsourcing obligations including the Board-approved policy, due diligence of service providers, contract requirements, monitoring, and customer protection. However, Chapter IV of the Directions, which contains the detailed IT-specific outsourcing obligations, does not apply to Base Layer NBFCs. The IT-specific provisions in Chapter IV, along with the IT-related obligations in Chapter II of the directions, apply only to NBFCs in the Middle Layer and above. This includes the specific cyber incident reporting requirements for IT outsourcing, the detailed cloud computing controls, and the IT-specific contract provisions. A Base Layer NBFC that is growing rapidly and approaching the Middle Layer threshold should implement the full framework proactively, since the Middle Layer obligations apply from the moment the classification changes and there is no grace period for new entrants to the layer.

Q2. Can an NBFC outsource its KYC verification process to a third-party technology vendor?

An NBFC can use a third-party technology platform or vendor to assist with the KYC process, including identity verification, document capture, video customer identification, and data validation. However, the decision to accept or reject a customer's KYC documents and the final approval of a customer's identity for onboarding purposes cannot be delegated to the vendor. The Outsourcing Directions 2025 state explicitly that KYC approval is a function that cannot be outsourced, because it is a regulated decision-making activity that must be performed by or under the authority of the NBFC itself. The technology platform can present verified data, flag discrepancies, and generate recommendations, but a human decision-maker authorised by the NBFC must make the final approval call. The same principle applies to loan sanctioning decisions. An analytics platform can generate a credit score, a risk rating, and a suggested loan amount, but the sanctioning authority cannot reside with the vendor.

Q3. What are the rules for outsourcing to an offshore service provider and what data protections apply?

The Outsourcing Directions 2025 permit outsourcing to offshore service providers but impose specific additional obligations to protect Indian customer data and preserve RBI's supervisory access. The NBFC must ensure that the offshore service provider's location or the fact that data is processed on overseas servers does not allow foreign regulatory authorities to access Indian customer data. The governing law and dispute resolution provisions in the outsourcing contract must not be structured in a way that prevents the RBI from exercising its inspection rights over the outsourced function. In practice, this means the contract must contain an explicit provision that the RBI's right to inspect the service provider's books, data, and systems related to the NBFC's business is unconditional and cannot be refused on grounds of local law, confidentiality, or commercial considerations. If a foreign jurisdiction's laws would prevent the service provider from complying with RBI inspections, that service provider cannot be used for the relevant function. The NBFC must also ensure that customer data stored or processed offshore is isolated from other clients' data and that data sovereignty is maintained through contractual and technical controls aligned with the DPDP Act requirements.