An RBI inspection of an NBFC is not a surprise — it is a structured examination across defined domains. The RBI's inspection teams follow a framework: governance and board oversight, credit risk management, asset quality and provisioning, liquidity and ALM, regulatory compliance and filing, customer protection, and IT and cyber security. The Inspection Readiness Agent AI runs a mock examination across all seven domains every quarter — before the RBI arrives — and produces a findings report that is indistinguishable in structure from what an inspection would produce, identifying every gap while there is still time to close it.
How an RBI NBFC inspection actually works — and what it examines
The RBI's NBFC inspection is conducted by teams from the Department of Non-Banking Supervision (DNBS). Inspectors typically spend 5 to 20 working days at the institution, examining a structured set of domains through document review, data analysis, and interviews with key management personnel. The examination is not a random audit — it follows a programme whose domains are publicly known and whose document requirements are reasonably predictable from the RBI's guidelines and prior inspection precedents.
An institution that prepares for an inspection only after it receives the advance notice — typically 2 to 4 weeks — is an institution that has 2 to 4 weeks to assemble years of compliance history. An institution that runs a mock examination quarterly has a current, accurate picture of its inspection readiness at all times, and uses the time between inspections to close gaps — not to discover them.
"The institution that passes an RBI inspection without incident does not do so because it was lucky. It does so because it was ready — and being ready is a practice, not an event."
The 7 inspection domains and what the Inspection Readiness AI checks in each
Domain 1 — Governance and Board Oversight
G1
Board has independent directors meeting RBI's minimum proportion requirementCurrent Board composition checked: number of independent directors vs total directors, whether the proportion meets the ≥1/3 independent requirement, and whether any independent director's independence has been compromised by recent transactions with the institution.→ Source: MCA director register + Board minutes · Auto-checked
Pass
G2
Risk Management Committee and Audit Committee meetings held at required frequencyBoard committee meeting minutes are checked for the last 4 quarters: did the RMC meet at least quarterly? Did the Audit Committee meet at least 4 times per year? Were minutes recorded within 30 days? Were unresolved action items tracked and followed up?→ Source: Board secretariat system · Flag: any quarter without required meeting
Pass
G3
Credit policy, risk appetite statement, and outsourcing policy reviewed and approved by Board in last 12 monthsKey policies must be reviewed and formally approved by the Board annually. The Inspection Readiness AI checks the date of the most recent Board approval for each policy — and flags any policy whose last Board approval is older than 12 months.→ Flag: risk appetite statement last approved Feb 2024 — 21 months old · Requires renewal
Flag — 21 months
Domain 2 — Credit Risk Management
C1
Credit concentration limits in place and not breached — by sector, geography, and borrower groupThe institution's credit policy specifies maximum concentration limits for any single sector, geography, or connected group of borrowers. The Inspection Readiness AI checks current portfolio concentration against each limit and flags any approach to the limit (80% of the limit = watch) or breach.→ SE personal loan sector: 18% of AUM · Policy limit: 20% · Watch threshold reached
Flag — 90% of limit
C2
Credit exceptions tracked, approved at appropriate authority level, and reported to BoardEvery loan approved outside the standard credit policy parameters is a credit exception — and exceptions must be tracked, approved by the credit authority level specified in the policy, and reported to the Board quarterly. The Inspection Readiness AI cross-references the LOS exceptions log against the Board's exception report to confirm completeness.→ Source: LOS exceptions log + Board exception report · This quarter: 14 exceptions · All Board-reported
Pass
C3
Large exposure reporting — any single borrower exceeding 15% of owned funds reported to BoardRBI norms require that exposures to a single borrower or connected group exceeding 15% of owned funds are specifically reported to and approved by the Board. The Inspection Readiness AI checks current large exposures against the threshold and confirms each is in the Board's exposure report.→ Source: CBS exposure data · No current breach · Largest single exposure: 8.4% of owned funds
Pass
Domain 3 — Asset Quality and Provisioning
A1
NPA classification computed from correct first-overdue date — not statement dateThe Provisioning AI's classification log is checked: are DPD counts computed from the actual first-overdue date? A sample of 50 accounts is cross-checked manually — the CBS first missed payment date against the DPD count in the classification database. Any systematic offset indicates a DPD computation error.→ Source: Provisioning AI classification log · Sample: 50 accounts · All match first-overdue date
Pass
A2
Provision coverage ratio above 70% for Doubtful and Loss accountsWhile IRACP rates specify the minimum provision for each category, RBI inspectors also look at the aggregate provision coverage ratio for the NPA book. A coverage ratio below 70% signals potential under-provisioning relative to the risk being carried, even if individual account provisions are at the IRACP minimum.→ Current provision coverage: 84.2% · Below 85% monitoring threshold · ₹24Cr additional provision flagged
Flag — 84.2%
A3
Write-off policy exists, is Board-approved, and write-offs in last 12 months follow the policyEvery write-off must follow the institution's Board-approved write-off policy — typically requiring the account to have been in Doubtful D3 or Loss for a specified period, exhaustion of recovery efforts, and senior management or Board approval. The Inspection Readiness AI checks that every write-off in the last 12 months has a corresponding Board or committee approval on file.→ 8 write-offs in 12 months · All with approval documentation · Policy compliant
Pass
Domain 4 — Regulatory Compliance and Filing
R1
All regulatory returns filed on time — no late filings in the examination periodThe Risk Reporting AI's filing calendar is checked: every return due in the last 12 months, its filing date, and whether the filing was on time. Late filings are an immediate adverse finding. The inspection also checks whether the data in each return is consistent with the financial statements filed for the same period.→ 0 late filings in 12 months · All returns consistent with financial statements
Pass
R2
Fair Practices Code quarterly report accurately reflects complaint volumes and conduct incidentsThe FPC quarterly report is cross-referenced against the Grievance AI's complaint database for the same period. Any discrepancy between the complaint count in the report and the complaint count in the database — including complaints that were not classified and therefore not included — is flagged.→ Q2 FPC report: 842 complaints · Grievance AI database: 846 complaints · 4-complaint gap · Investigate
Flag — 4-complaint gap
R3
CIBIL credit information returns filed monthly — all borrower accounts reportedEvery active borrower must be reported to CIBIL monthly with their current payment status. The Inspection Readiness AI checks the CIBIL submission report against the CBS account list — any accounts in the CBS that do not appear in the CIBIL submission are a reporting gap. A large gap may result in an adverse bureau reporting finding.→ This month: CBS 48,412 accounts · CIBIL submission: 48,412 · No gap
Pass
Domain 5 — Customer Protection
P1
100% of complaints acknowledged within 24 hours — no FPC acknowledgement breachThe Grievance AI's acknowledgement timestamp log is checked: every complaint received in the last 12 months, the time of receipt, and the time of acknowledgement. Any complaint acknowledged more than 24 hours after receipt is a confirmed FPC breach. The log is cross-checked against the FPC report.→ Last 12 months: 1,840 complaints · 1,840 acknowledged within 24 hours · 0 breaches
Pass
P2
No active collection conduct complaints pending beyond 30 days without Ombudsman notificationAny complaint open beyond 30 days without the borrower having been notified of the Ombudsman escalation right is an FPC violation. The Inspection Readiness AI checks every open complaint against its 30-day clock and confirms the Ombudsman notification was sent before day 31.→ 0 complaints past 30 days without Ombudsman notification · Proactive Day 28 notifications confirmed
Pass
P3
KYC complete for all active borrowers — no accounts with expired or incomplete KYCKYC documents for all active accounts are checked for completeness and currency. KYC for individual borrowers must be renewed every 10 years (periodic KYC update). The Inspection Readiness AI flags any account where KYC is incomplete or where the periodic update is overdue.→ 284 accounts flagged for periodic KYC update due in next 90 days · Action triggered
Flag — 284 due soon
Domain 6 — Outsourcing and LSP Governance
O1
LSP vendor register current and inspection-ready — all LSPs with current annual DDThe LSP Governance AI's vendor register is checked: is every active LSP on the register? Does every active LSP have a completed annual due diligence within the last 12 months? Is there any LSP operating without a current contract or with a contract missing required clauses?→ Aarya Recovery: contract overdue Nov 4 · Score 52 below 55 threshold · Board escalated · Critical finding
Fail — Aarya contract
O2
No LSP operating on institution's behalf without a Board-approved outsourcing policy sanctionEvery LSP relationship must fall within the scope of the institution's Board-approved outsourcing policy. Functions that the outsourcing policy prohibits from being outsourced may not be delegated to an LSP. The Inspection Readiness AI checks each LSP's functions against the outsourcing policy's permitted functions list.→ All 5 active LSPs within outsourcing policy scope · No prohibited function outsourced
Pass
Domain 7 — IT and Cyber Security
T1
IT security policy Board-approved and current — penetration testing completed in last 12 monthsThe institution's IT security policy must be Board-approved and current. A penetration test of the core systems must be conducted annually. The Inspection Readiness AI checks the policy approval date and the most recent penetration test report date and confirms both are within the required window.→ IT security policy: Board-approved Aug 2025 · Penetration test: Jun 2025 (passed) · Both current
Pass
T2
BCP tested and recovery time objectives met — DR test within last 12 monthsThe institution's Business Continuity Plan and Disaster Recovery plan must be tested annually, with documented test results. The Inspection Readiness AI checks the most recent BCP and DR test dates and whether the test results showed recovery within the institution's defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective).→ BCP test: Sep 2025 (within 12 months) · DR test: Jul 2025 · Both within RTO/RPO · Pass
Pass
T3
All cyber incidents reported to RBI within 6 hours of detection as required by RBI cyber frameworkRBI's cybersecurity framework requires NBFCs to report cyber security incidents to the RBI within 6 hours of detection. The Inspection Readiness AI checks the incident log for the last 12 months and confirms every reportable incident was notified within the required window.→ 2 reportable incidents in 12 months · Both reported within 6 hours · Compliant
Pass
The quarterly mock exam scorecard
Mock RBI Examination Scorecard — Q3 FY2025–26 · Karnataka NBFC
Examination date: Nov 14, 2025 · 24 checks across 7 domains · Run time: 18 minutes
Domain 1 · Governance
67%
Domain 2 · Credit Risk
67%
Domain 3 · Asset Quality
67%
Domain 4 · Regulatory Filing
67%
Domain 5 · Customer Protection
67%
Domain 6 · LSP Governance
50%
Domain 7 · IT and Cyber
100%
16Checks passed
7Flags raised
1Fails (critical)
73%Overall readiness
● 73% readiness — 1 critical finding (Aarya Recovery) · 7 flags requiring action before next examination · 16 checks clean · All findings with remediation assignments generated
7Inspection domains — governance, credit risk, asset quality, filing, customer protection, LSP, IT
16Checks passed cleanly — with evidence available for each that would satisfy an RBI inspector's request
7Flags raised — each assigned to the responsible team with a remediation deadline before the next quarter
1Critical finding — Aarya Recovery contract overdue · Would be an adverse finding in a live inspection
The finding the inspector discovers is the finding that becomes an adverse observation. The finding the institution discovers first becomes a remediated gap.
A mock examination that surfaces a critical finding — an LSP contract overdue since November 4 — is not a failure. It is precisely what the quarterly mock examination is designed to do. The institution has until December 31 to resolve it before any RBI inspection would encounter it. An RBI inspector discovering the same overdue contract during a live examination produces an adverse observation in the inspection report, potentially triggering a corrective action directive. The difference between an adverse observation and a remediated gap is whether the institution found it first. The Inspection Readiness Agent AI ensures the institution always finds it first.