TL;DR

  • RBI’s SBR framework divides NBFCs into four layers with different obligations
  • 15 NBFCs classified as Upper Layer for 2024-25, including Bajaj Finance, LIC Housing
  • Upper and Middle Layer NBFCs must appoint an independent Chief Compliance Officer
  • Only NBFCs with assets above Rs. 100 crore can invoke SARFAESI for secured recovery
  • Upper Layer NBFCs face near-bank governance requirements for collections AI models

Ask the CRO of an Upper Layer NBFC what keeps them up at night in 2026, and collections governance comes up quickly.

The RBI’s Scale Based Regulation (SBR) framework has changed what “good collections governance” is legally required to look like for their tier. And the operational gap between where most NBFCs currently stand and where the SBR framework requires them to be is wider than most compliance teams have publicly acknowledged. At the Upper Layer, the SBR framework makes model risk management a board-level obligation, not an internal data science practice. Every AI or statistical model influencing collections prioritization, contact strategy, or account resolution now sits within a governance structure that the RBI examiner will review, document, and hold the institution accountable for.

The SBR framework was introduced in October 2021 and has been progressively implemented through 2024 and into 2026. Its core logic is proportionality. Smaller NBFCs face lighter governance obligations. Larger, systemically important ones face requirements that increasingly mirror what scheduled commercial banks have had to comply with for years. For collections operations specifically, which touch credit risk, model risk, customer conduct, and regulatory compliance simultaneously, the SBR framework creates obligations that run across all four of those dimensions.

This post maps exactly what the four-tier framework requires at each layer, where collections governance has to change, and what Upper Layer and Top Layer NBFCs need to operationalize right now.

The Four Tiers: What Each Means for Collections

The SBR framework classifies every registered NBFC into one of four layers, based on asset size, activity type, and systemic importance. Each layer carries its own set of governance, compliance, and operational requirements. Understanding where your NBFC sits is the starting point for understanding what collections compliance actually demands of you.

RBI NBFC classification tiers: base layer, middle layer, upper layer, and top layer explained for collections compliance

Base Layer (NBFC-BL)

The Base Layer covers non-deposit taking NBFCs with assets below Rs. 1,000 crore that do not fall into any specialist category. The regulatory burden here is the lightest under the SBR framework. Collections operations at this layer must comply with the RBI’s Fair Practices Code and Recovery Agent Guidelines, but formal model risk management frameworks and board-level model oversight are not mandated.

The practical limitation for collections at this layer is SARFAESI access. Under the amended SARFAESI Act, only NBFCs with a total asset size of Rs. 100 crore or more can invoke SARFAESI enforcement, and only for individual loans of Rs. 50 lakh or above. Base Layer NBFCs below the Rs. 100 crore threshold have no access to SARFAESI and must rely entirely on the DRT route or negotiated settlement for secured NPA recovery.

Middle Layer (NBFC-ML)

The Middle Layer includes all deposit-taking NBFCs regardless of asset size, and all non-deposit taking NBFCs with assets of Rs. 1,000 crore or more. It also includes standalone primary dealers and infrastructure debt fund NBFCs.

At this layer, the compliance requirements step up materially. Middle Layer NBFCs are required to establish an independent compliance function and appoint a Chief Compliance Officer (CCO), with a board-approved policy governing the CCO’s role and authority. The CCO must have direct access to the board and must report compliance risk to senior management independently. The credit risk decisioning layer that determines NPA formation rates becomes directly consequential here: the RBI’s Prompt Corrective Action (PCA) framework applies from the Middle Layer upward, meaning that if an NBFC’s NPA ratios rise beyond defined thresholds, the RBI can impose operational restrictions. Collections efficiency is no longer just a P&L concern at this layer. It is a regulatory trigger point that PCA activates.

Upper Layer (NBFC-UL)

This is where the governance requirements most significantly intensify. The Upper Layer is determined by a structured scoring model using a 70:30 weighting between quantitative factors (size, leverage, interconnectedness) and qualitative factors (funding profile, governance quality). The top ten NBFCs by asset size are automatically placed in the Upper Layer, and the RBI identifies additional NBFCs based on scoring outcomes.

For 2024-25, the RBI classified 15 NBFCs in the Upper Layer, including Bajaj Finance, LIC Housing Finance, Shriram Finance, Tata Capital, Cholamandalam Investment and Finance, L&T Finance, Mahindra and Mahindra Financial Services, Aditya Birla Finance, PNB Housing Finance, HDB Financial Services, and Muthoot Finance. Once classified as Upper Layer, an NBFC remains in that classification for a minimum of five years regardless of subsequent changes to its scoring.

Upper Layer NBFCs face near-bank governance requirements. For collections specifically, this means formal model risk management, independent model validation, board-level collections oversight, and enhanced regulatory reporting, all of which are covered in detail in the sections below.

Top Layer (NBFC-TL)

The Top Layer is a reserve classification, currently empty, intended for NBFCs in the Upper Layer that exhibit substantially elevated systemic risk. Placement into the Top Layer is at the RBI’s sole discretion and would invoke custom regulatory prescriptions on a case-by-case basis. No NBFC currently sits in this layer, and its inclusion in the framework serves as a structural warning: the SBR framework has room to escalate further if the RBI deems it necessary.

Collections Model Governance Under SBR

This is the area where the gap between current NBFC practice and SBR requirements is widest and most consequential.

Upper Layer NBFCs now need a formal model risk management framework for every AI or statistical model used in collections. Any ai for banks deployment at Upper Layer, whether built internally or sourced from a third-party platform, must satisfy this framework as a precondition for production use. This includes propensity-to-pay models, default prediction models, contact strategy optimization models, and any scoring system that influences how accounts are prioritized, contacted, or resolved. The framework mirrors what the US Federal Reserve’s SR 11-7 guidance requires of US bank model governance, an acknowledgment that collections AI at scale carries systemic risk regardless of geography.

AI model risk management lifecycle in banking including model inventory, validation, monitoring, and governance

The operational requirements are specific:

Model inventory. Every model in production must be catalogued: model name, purpose, owner, development date, last validation date, training data description, and performance metrics. This inventory must be current and accessible for examination. An undocumented model in production is, from an SBR perspective, an unvalidated model, and unvalidated models are a finding.

Model validation. Validation must be conducted by a team or function independent from the model development team. For Upper Layer NBFCs that build collections models internally, this means a separate validation function, not the same data science team reviewing their own work. Model validation must assess conceptual soundness, data quality, predictive performance, and stability across different data periods.

Model monitoring. After deployment, models must be monitored continuously for performance degradation, concept drift, and population shift. A collections propensity model trained on pre-2024 data and not subject to ongoing model monitoring will be silently losing predictive accuracy as borrower behavior patterns evolve. The model risk management framework must define monitoring thresholds and trigger retraining when performance falls below defined floors.

Retraining governance. Each retraining cycle is treated as a new model deployment. It requires documentation, model validation sign-off, and change control approval before the retrained model goes into production.

Model validation requirements under RBI SBR highlighting compliance risks of unvalidated AI models in production

Board-Level Collections Oversight Requirements

The SBR framework elevates collections governance from an operational function to a board-visible risk discipline. For Upper Layer NBFCs, collections performance must be reported to the board risk committee, not just reviewed in management meetings.

Upper Layer NBFCs face enhanced reporting obligations that include detailed risk governance disclosures, stress testing results, and capital planning context on a quarterly basis. For collections specifically, the board reporting pack must include:

  • Collections efficiency by DPD bucket (30, 60, 90, 120, 180+ days past due)
  • NPA formation trends by product and geography
  • Model monitoring metrics for every active collections model (Gini coefficient, precision-recall, population stability index)
  • Compliance violation rates and borrower complaint volumes with resolution timelines
  • Agent conduct monitoring outcomes

This is a governance mechanism, not a reporting exercise. When the board risk committee receives quarterly collections performance data, it is being asked to exercise oversight: to ask questions, demand explanations, and approve corrective action when metrics deteriorate. That requires the data to be accurate, structured, and presented in a format that enables genuine oversight rather than passive acknowledgment.

The CCO framework issued in April 2022 reinforces this. The Chief Compliance Officer must have direct access to the board and must report independently on compliance risk, including collections compliance. For the first time, a collections compliance failure can reach the board’s attention through a channel that does not pass through the collections team’s own reporting structure.

SARFAESI Eligibility Differences by Tier

The SARFAESI Act gives secured lenders the power to recover NPAs without court intervention. But access to this power is not uniform across the NBFC sector.

Under the current framework, SARFAESI eligibility for NBFCs requires a total asset size of at least Rs. 100 crore and an individual loan of at least Rs. 50 lakh. Prior to the 2020 notification, the threshold was Rs. 500 crore in assets and Rs. 1 crore in individual loan size, a bar that excluded the majority of the NBFC sector. The reduction to Rs. 100 crore brought a significant additional portion of the sector into SARFAESI eligibility.

In practical terms, this creates a meaningful distinction across the SBR layers:

  • Base Layer NBFCs below Rs. 100 crore in assets have no SARFAESI access. Secured NPA recovery must go through the DRT route, which is slower and more expensive.
  • Base Layer NBFCs between Rs. 100 crore and Rs. 1,000 crore in assets can use SARFAESI for individual loans above Rs. 50 lakh, giving them access to the faster enforcement mechanism for their larger secured accounts.
  • Middle Layer and Upper Layer NBFCs have full SARFAESI access across their eligible portfolio, a significant operational and recovery advantage for secured lending books.

For NBFCs approaching the Rs. 1,000 crore asset threshold and moving from Base Layer to Middle Layer status, understanding this distinction is commercially important. The transition into Middle Layer brings enhanced governance obligations, but it also brings broader SARFAESI eligibility and the Prompt Corrective Action framework that, counterintuitively, signals to the market that the institution is being supervised closely enough to be caught early if it deteriorates.

What Upper Layer and Top Layer NBFCs Must Do Now

The SBR framework carries current examination expectations, not future roadmap items. For Upper Layer NBFCs, the implementation timelines have passed. NBFCs were given up to 24 months to implement enhanced norms after their initial classification. For NBFCs on the first Upper Layer list published in September 2022, that window closed in September 2024.

NBFC upper layer compliance requirements including model validation, board reporting, CCO oversight, and policy documentation

The specific actions for Upper Layer NBFCs operating collections AI:

Model inventory audit. Identify every model currently influencing collections operations, including credit risk decisioning models that drive NPA classification and enforcement eligibility assessments. Document each one against the model inventory requirements. Flag models that have no recorded validation history for immediate remediation.

Independent model validation for live models. Commission independent model validation for every production collections model that has not been validated by an independent function within the last 12 months. The validation output must meet the documentation standards the RBI examiner will expect.

Board reporting dashboards. Build the quarterly collections governance reporting pack that the board risk committee needs to exercise genuine oversight. This requires integrating data from collections operations, compliance monitoring, and model monitoring performance tracking into a format that is accurate, consistent, and repeatable every quarter.

CCO engagement on collections compliance. Ensure the Chief Compliance Officer’s mandate explicitly covers ai for banks collections workflows, not just traditional agent-based collections. The CCO must have visibility into model decisions, contact strategy outputs, and compliance violation patterns.

Policy documentation. Board-approved policies must reflect the current collections governance framework, including model risk management procedures, agent oversight standards, and escalation protocols. Policies written before the SBR framework was implemented will not pass examination without revision.

The Competitive Advantage of Early Compliance

There is a commercially underappreciated benefit to getting this right ahead of the examination cycle.

NBFCs that have invested in robust collections governance, model inventory, independent model validation, board reporting, and CCO engagement, consistently report cleaner RBI examination outcomes, lower regulatory findings, and stronger investor confidence. Rating agencies and institutional investors increasingly treat governance quality as a proxy for operational risk. An NBFC that can demonstrate a fully documented, independently validated, and board-reported collections AI framework presents a materially lower risk profile than one that cannot.

The cost of retrofitting governance after a regulatory finding is also significantly higher than building it right the first time. Management distraction, remediation work, and potential restrictions on business activity during examination findings all compound into a cost that dwarfs the upfront investment in a proper governance framework.

How iTuring Addresses This

iTuring’s collections governance module is designed specifically for the RBI Scale Based Regulation framework, delivering model risk management, model monitoring, model validation, and credit risk decisioning governance as integrated platform capabilities rather than separate implementation projects. The platform represents ai for banks in the Indian NBFC market that is built around the SBR framework’s governance structure from the architecture up.

The platform maintains a live model inventory for every active collections model, with model validation history, model monitoring performance metrics, and retraining records stored against each entry. Board reporting dashboards generate quarterly governance packs automatically, pulling collections efficiency by DPD bucket, model monitoring trends, and compliance violation summaries into a structured, examination-ready format. Tier-specific workflows ensure that the governance requirements appropriate to each SBR layer are enforced operationally, not just documented in policy.

For Upper Layer NBFCs that need to close the gap between current practice and SBR requirements, iTuring offers a governance readiness assessment that benchmarks your current collections framework against the RBI’s examination expectations.

Regulatory Disclaimer
The information in this blog is provided for general informational purposes only and does not constitute legal, compliance, or regulatory advice. The RBI Scale Based Regulation framework is governed by the Master Direction on Non-Banking Financial Company, Scale Based Regulation (Reserve Bank) Directions, 2023, and related circulars including the April 2022 circular on Compliance Function and Role of Chief Compliance Officer for NBFCs. SARFAESI eligibility criteria are subject to the Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002, and subsequent amendments and notifications. Regulatory requirements evolve. NBFCs should monitor RBI communications and consult qualified legal and compliance counsel to ensure current compliance. iTuring’s stated capabilities are based on platform design and client implementations; results may vary depending on NBFC-specific configuration and data environments.

Sources: EnterSlice: RBI NBFC Upper Layer List FY 2024-25 | Vinod Kothari: SARFAESI Act for NBFCs | Aparajitha: RBI Mandate CCO NBFCs | GK Today: NBFC Scale Based Framework PCA | RMA India: NBFC Regulatory Framework | Upstox: RBI Upper Layer NBFC List 2024-25 | Federal Reserve SR 11-7 | GenzCFO: Annual and Quarterly RBI Returns for NBFCs | HSA Legal: SARFAESI Relaxation for NBFCs | SRB Atliboi: Scale Based Regulation NBFCs