NBFC KYC and AML Compliance 2026: New RBI Rules, Deadlines, Requirements and Compliance

NBFC KYC and AML Compliance in 2026 has become a critical regulatory priority, requiring NBFCs to strengthen customer verification, transaction monitoring, sanctions screening, and data governance to meet RBI, PMLA, and...

A Written by Admin Jun 19, 2026 8 min read
NBFC KYC and AML Compliance 2026: New RBI Rules, Deadlines, Requirements and Compliance

NBFC KYC and AML Compliance 2026 has become one of the most important regulatory responsibilities for Non-Banking Financial Companies operating in India. With the Reserve Bank of India continuously strengthening its regulatory framework and introducing amendments to customer identification, beneficial ownership verification, sanctions screening, and periodic KYC update requirements, NBFCs are now expected to maintain a far more robust compliance structure than ever before.

The compliance landscape in 2026 is significantly different from what it was a few years ago. Regulatory authorities are no longer satisfied with basic customer onboarding procedures. Instead, they expect NBFCs to implement comprehensive risk-based compliance systems capable of identifying suspicious activities, detecting money laundering risks, monitoring sanctions exposure, and maintaining accurate customer records throughout the lifecycle of the relationship. Failure to comply with these obligations can expose an NBFC to substantial financial penalties, regulatory restrictions, reputational damage, and, in severe cases, cancellation of its Certificate of Registration.

The latest amendments introduced by the RBI, along with the evolving requirements under the Prevention of Money Laundering Act (PMLA) and the Digital Personal Data Protection Act (DPDP Act), have fundamentally changed how NBFCs manage customer verification, data storage, transaction monitoring, and reporting obligations. As a result, every NBFC must reassess its existing compliance framework and identify areas requiring immediate improvement before regulatory inspections reveal deficiencies.

This article explains the complete framework of NBFC KYC and AML Compliance 2026, covering RBI regulations, beneficial ownership rules, periodic KYC update requirements, sanctions screening obligations, Video KYC compliance, AML reporting duties, and key compliance actions that every NBFC must implement.

Regulatory Framework Governing NBFC KYC and AML Compliance 2026

The foundation of NBFC KYC and AML Compliance 2026 rests primarily on the Reserve Bank of India's Master Direction on Know Your Customer. Originally introduced in 2016 and subsequently updated through various amendments, the Master Direction continues to serve as the principal regulatory framework governing customer identification, due diligence procedures, risk categorization, beneficial ownership verification, record maintenance, and monitoring requirements for regulated entities.

The RBI has introduced multiple amendments over the years to align the KYC framework with evolving financial crime risks, technological advancements, and international standards relating to anti-money laundering and counter-terrorism financing. The amendments introduced during 2025 further expanded compliance expectations, requiring NBFCs to adopt more sophisticated monitoring and verification mechanisms.

Apart from RBI regulations, NBFCs are simultaneously governed by the Prevention of Money Laundering Act, 2002 (PMLA), and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005. These laws impose independent obligations relating to customer identification, suspicious transaction reporting, maintenance of records, and reporting of prescribed transactions to regulatory authorities. Since RBI directions are closely aligned with PMLA requirements, non-compliance in one area often results in violations under multiple regulatory frameworks.

Additionally, the implementation of the Digital Personal Data Protection Act has introduced a new layer of compliance obligations concerning the collection, processing, storage, retention, and protection of customer information. This development is particularly significant for NBFCs using digital onboarding processes and Video Customer Identification Procedures.

Why NBFC KYC and AML Compliance 2026 is more important than ever?

Financial institutions have become one of the primary targets for identity fraud, money laundering schemes, shell company structures, terrorist financing networks, and cyber-enabled financial crimes. Criminals increasingly exploit weaknesses in customer onboarding processes to gain access to financial systems and move illicit funds through seemingly legitimate transactions.

The RBI has repeatedly emphasized that KYC compliance should not be viewed as a simple document collection exercise. Instead, it is a critical risk management function that protects the financial system from abuse. Every customer relationship established by an NBFC creates a potential compliance exposure. If customer verification procedures are inadequate, the institution may unknowingly facilitate fraudulent activities or become involved in regulatory investigations.

The consequences of non-compliance have become increasingly severe. Regulatory authorities now possess enhanced powers to impose substantial penalties, issue corrective action directives, restrict business operations, and initiate enforcement proceedings against institutions that fail to maintain adequate compliance controls. Therefore, implementing a strong KYC and AML framework is not merely a regulatory requirement but also an essential business necessity.

June 30, 2026: Critical Deadline for Periodic KYC Updation

One of the most important developments affecting NBFC KYC and AML Compliance 2026 is the RBI's extension of the periodic KYC updation timeline for low-risk customers. The regulator has provided additional time to complete the KYC renewal process while ensuring that customer accounts continue operating under appropriate monitoring arrangements.

Under the revised framework, low-risk customers are required to complete their periodic KYC update by one year from their scheduled due date or by June 30, 2026, whichever occurs later. This extension provides operational flexibility to NBFCs while ensuring that customer records remain accurate and up to date.

However, the extension does not reduce compliance responsibilities. NBFCs remain obligated to maintain continuous monitoring of customer relationships during the extension period. Customer transactions must continue to be reviewed to ensure consistency with the customer's known profile and risk classification. Any unusual activity identified during this period must be investigated according to established AML procedures.

Another important aspect of the revised framework relates to customer communication obligations. Before imposing restrictions on accounts due to pending KYC updation, NBFCs must follow a structured notification process designed to provide customers with sufficient opportunity to complete compliance requirements.

Customer Communication Requirements for KYC Updation

The RBI has introduced detailed communication requirements that every NBFC must follow before taking action against customers who have not completed periodic KYC updation. These requirements emphasize customer awareness and procedural fairness.

NBFCs must issue at least three separate reminder communications before applying any restrictions to customer accounts. The objective is to ensure that customers receive adequate notice and have sufficient time to update their information. Importantly, at least one of these reminders must be sent through a physical communication channel such as a letter delivered to the customer's registered address.

Failure to follow the prescribed communication process can itself constitute a compliance violation, even if the customer ultimately fails to complete KYC updating. Therefore, institutions must maintain proper documentation demonstrating that all required notifications were issued within prescribed timelines.

Risk-Based Customer Due Diligence Framework

A core component of NBFC KYC and AML Compliance 2026 is the risk-based Customer Due Diligence (CDD) framework. The RBI requires NBFCs to classify customers according to their risk profile and apply due diligence measures that are proportionate to the identified level of risk.

The risk-based approach recognizes that not all customers present the same level of money laundering or terrorist financing risk. Consequently, compliance resources should be allocated according to the nature of the customer relationship, transaction patterns, ownership structures, geographic exposure, and other relevant risk indicators.

Customers are generally categorized into low-risk, medium-risk, and high-risk groups, with each category requiring different levels of scrutiny and ongoing monitoring.

Low-Risk Customer Due Diligence

Low-risk customers generally include individuals whose identity, occupation, source of income, and financial activities can be readily verified through reliable documentation. Such customers typically maintain straightforward financial relationships and demonstrate transaction behavior that aligns with their known profile.

Examples often include salaried employees, pensioners, small borrowers, and individuals with limited transaction activity. Since the risk associated with these customers is comparatively lower, the RBI permits simplified due diligence measures in certain situations.

Nevertheless, low-risk classification does not eliminate compliance obligations. Customer information must remain current, periodic KYC update requirements must be satisfied, and transaction monitoring must continue throughout the customer relationship. Any significant changes in customer behavior may require reassessment of the risk classification and implementation of enhanced due diligence measures where appropriate.

Medium-Risk and High-Risk Customer Due Diligence

Customers presenting elevated risk characteristics require more extensive verification procedures and enhanced monitoring arrangements. Medium-risk and high-risk customers often include individuals or entities with complex ownership structures, significant transaction volumes, cross-border financial activities, or exposure to higher-risk jurisdictions.

Enhanced Due Diligence (EDD) becomes particularly important when dealing with Politically Exposed Persons (PEPs), their family members, and close associates. These relationships require deeper scrutiny because individuals holding prominent public positions may be exposed to heightened corruption, bribery, or misuse-of-office risks.

The RBI expects NBFCs to obtain a complete understanding of both the source of funds and the broader source of wealth associated with high-risk customers. This distinction is important because a specific transaction may appear legitimate even when the customer's overall wealth accumulation pattern raises concerns.

High-risk customers must also be subjected to more frequent reviews, enhanced transaction monitoring, periodic re-verification procedures, and closer scrutiny of unusual activities. The monitoring process should remain continuous rather than being limited to the onboarding stage.

Beneficial Ownership Requirements: The Revised 10 Percent Threshold

One of the most significant regulatory developments impacting NBFC KYC and AML Compliance 2026 is the revision of the beneficial ownership threshold applicable to partnership firms.

Historically, certain compliance processes were designed around a higher ownership threshold. However, regulatory amendments have reduced the threshold to 10 percent, significantly expanding the number of individuals who qualify as beneficial owners and must therefore be identified and verified.

Under the revised framework, any natural person who directly or indirectly owns at least 10 percent of the capital of a partnership firm, is entitled to 10 percent or more of its profits, or exercises effective control over management or policy decisions must be treated as a beneficial owner. Such individuals must undergo complete identification and verification procedures before the NBFC establishes a business relationship or extends financial services.

The reduction in the threshold has substantial implications for MSME lending, partnership financing, and business customer onboarding. Many legacy systems were originally configured around earlier ownership thresholds and may no longer identify all relevant beneficial owners. Consequently, NBFCs must review and update their onboarding workflows, due diligence procedures, risk assessment frameworks, and compliance documentation to ensure alignment with current regulatory requirements.

Share
A
Written by Admin
View all posts
Free callback
Get Free Consultation

Talk to a senior CA about your situation.

Confidential. No spam.

WhatsApp