How to Prepare for an RBI Inspection: A Practical Checklist for Banks and NBFCs
An RBI inspection — whether on-site or off-site — tests your governance, KYC/AML compliance, capital adequacy, asset quality, IT controls, and regulatory reporting. Most inspection findings are predictable. Companies that prepare year-round rather than scrambling in the week before do significantly better. This checklist covers every major inspection area, with specific documents to have ready and the compliance gaps RBI inspectors most commonly find in 2025.
What happens during an RBI inspection?
Most banks and NBFCs treat an RBI inspection like a surprise exam. The ones that do well treat it like a scheduled audit they've been running themselves all year.
The RBI conducts two main types of supervisory review. Off-site surveillance is continuous — it uses your quarterly and annual returns (NBS-1, NBS-2, NBS-7 for NBFCs; statutory returns for banks) to monitor financial health, asset quality, and exposure concentrations from its end. When the data flags something — a sudden NPA spike, a sharp jump in unsecured lending, missed return filings — it escalates to an on-site inspection.
On-site inspections are conducted by RBI's Department of Supervision (DoS) for commercial banks and its regional offices for NBFCs and cooperative banks. Inspectors arrive with a mandate covering specific risk areas. They will request documentation, interview key personnel, and test whether your stated policies match your actual practices. That last part — the gap between policy on paper and reality on the ground — is where most findings come from.
Since 2023, RBI has intensified inspection frequency for NBFCs in the Middle Layer and Upper Layer under its Scale-Based Regulatory (SBR) framework. Non-compliance with inspection findings now carries escalating penalties, including the possibility of business restrictions and, in serious cases, cancellation of the Certificate of Registration.
Citation capsule: RBI inspections assess six primary areas: governance and board oversight, KYC/AML compliance, capital adequacy and asset quality, regulatory return accuracy, IT systems and cybersecurity, and fair practices in lending. Under the Scale-Based Regulatory framework introduced in 2023, Middle Layer and Upper Layer NBFCs face heightened supervisory scrutiny, with non-compliance penalties that can reach ₹10 lakh per day and include operational restrictions.
What documents should you have ready before the inspection team arrives?
Document readiness is the single fastest way to improve how an inspection goes. Inspectors work on fixed timelines. When they ask for something and you can't produce it within a few hours, that delay itself becomes an observation.
Here is the core document pack that every bank or NBFC should be able to produce on demand:
Governance documents:
1. Board-approved KYC/AML Policy (updated to reflect 2025 RBI KYC Master Directions)
2. Board-approved IT Security Policy and Cyber Resilience Framework
3. Board-approved Fair Practices Code (FPC) and Grievance Redressal Policy
4. Last three years of Board minutes, including Audit Committee minutes
5. Risk Management Committee charter and meeting minutes
6. Appointment letters for Principal Officer (AML), Chief Risk Officer, Chief Compliance Officer (mandatory for Middle/Upper Layer NBFCs)
Financial and reporting documents:
7. Last eight quarters of NBS-1, NBS-2, and NBS-9 returns with submission acknowledgements
8. Audited financial statements for the last three years
9. Statutory Auditor Certificate (SAC) filed with RBI — confirm the June 30 filing was on time
10. Asset classification workings and NPA provisioning schedules
11. Capital Adequacy Ratio (CAR) calculations, with Tier-I and Tier-II capital breakdowns
12. ALM (Asset Liability Management) reports for the last four quarters
KYC/AML documents:
13. Customer risk categorisation policy and the actual risk distribution across your portfolio
14. Suspicious Transaction Reports (STRs) filed with FIU-IND in the last 12 months
15. Sample KYC files for 20-30 customers across risk categories (RBI inspectors typically pull these)
16. Record of periodic KYC updates, including how many accounts are overdue for refresh
IT and cybersecurity:
17. Latest IS Audit report (mandatory for NBFCs with assets above ₹500 crore)
18. Business Continuity Plan (BCP) and last test date
19. IT incident log for the last 12 months
20. Third-party vendor contracts covering data access and security obligations
Citation capsule: Companies preparing for RBI inspection should maintain a ready pack of 20 core documents spanning governance policies, board minutes, eight quarters of regulatory returns, NPA provisioning workings, KYC files, STR filings to FIU-IND, and the latest IS Audit report. RBI inspectors typically request these within the first two days of fieldwork. Inability to produce them promptly is itself recorded as an observation.
What are the most common RBI inspection findings in 2025?
Knowing what inspectors typically find is more useful than any generic checklist. These are the gaps that appear most frequently across NBFC and bank inspections right now.
KYC files that haven't been updated within the required period. The RBI KYC Master Directions require periodic re-verification of customer data — high-risk customers every two years, medium-risk every eight years. In practice, most institutions have a backlog. Inspectors pull a random sample and check update dates. Even a 15-20% non-compliance rate in the sample gets flagged as a systemic finding.
STR filing delays or gaps. Suspicious Transaction Reports to FIU-IND must be filed within seven working days of the suspicion arising. Inspectors cross-reference your transaction monitoring alerts against your STR log. If alerts were generated but STRs weren't filed — or were filed late — that's a serious AML finding.
Returns filed late or with data inconsistencies. NBS-1 and NBS-2 filings often show rounding errors or classification differences when compared to audited financials. RBI inspectors reconcile these. Discrepancies suggest weak financial controls and invite deeper scrutiny.
Board and committee meetings not held at required frequency. The Audit Committee and Risk Management Committee must meet at minimum once a quarter. Board meetings must happen as required under the Companies Act and SBR norms. Missing one meeting doesn't automatically result in a major finding, but a pattern of last-minute meetings with rubber-stamp minutes does.
IT controls that look good on paper but haven't been tested. A BCP that was last tested three years ago, or a penetration test report that's 18 months old, signals that IT governance is theoretical rather than operational.
Digital lending violations. Since the RBI's Digital Lending Guidelines (2022) came into force, inspectors specifically check whether first loss default guarantees (FLDGs) are within permitted limits, whether loan servicing accounts are handled correctly, and whether fintech LSP (Loan Service Provider) partnerships are documented and supervised.
Citation capsule: The six most common RBI inspection findings in 2024-25 are: outdated KYC files beyond the periodic renewal deadline, delayed or missing STR filings to FIU-IND, data inconsistencies between regulatory returns and audited financials, board/committee meetings not held at required frequency, untested IT controls and outdated BCP documents, and violations of the 2022 Digital Lending Guidelines in NBFC-fintech partnerships.

How do you close compliance gaps before the inspection team arrives?
There is honest work and there is inspection theatre. Honest work is fixing the actual gap. Inspection theatre is generating paperwork that makes it look like the gap doesn't exist — which inspectors, who see this constantly, can spot within the first day.
The right approach is a pre-inspection internal audit — ideally 60-90 days before any anticipated inspection — that goes through each of the six risk areas above and produces a genuine findings report with corrective action plans (CAPs) that have been signed off by the Audit Committee.
Why does this matter? Because when an RBI inspector finds something you've already found and are already fixing, the conversation is entirely different from when they find something you didn't know about. The first scenario shows a functioning governance system. The second suggests a control environment that only works when someone external is watching.
RBI inspection checklist
Here is a practical 90-day pre-inspection preparation sequence:
Day 1-15: Reconcile all regulatory return filings. Check NBS-1/NBS-2 against audited accounts. Flag any discrepancies and prepare a reconciliation note.
Day 15-30: Run a KYC gap analysis. Pull a stratified sample across risk categories. Identify accounts overdue for periodic KYC update and prioritise high-risk accounts for immediate remediation.
Day 30-45: Review the AML transaction monitoring system. Check alert disposition — are all alerts being reviewed and dispositioned? Is the STR filing log complete?
Day 45-60: Test IT controls. Confirm BCP was tested in the last 12 months. Pull the latest IS Audit report. If the audit was done more than 12 months ago, commission a fresh one.
Day 60-75: Board and committee review. Confirm meeting frequency. Ensure minutes adequately document key decisions, risk discussions, and audit committee challenge of management.
Day 75-90: Compile the document pack (see checklist above). Appoint a single inspection coordinator. Brief key personnel — the Principal Officer, CRO, CFO, and IT head — on what they'll be asked.
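As an added example (not part of the article or any RBI tooling), the following Python script runs two of the checks from the Day 15-45 workstreams: flagging accounts overdue for periodic KYC refresh under the two-year (high-risk) and eight-year (medium-risk) intervals given above, and reconciling transaction-monitoring alerts against the STR log using the seven-working-day filing deadline. The account and alert records are constructed; the ten-year low-risk interval and the weekend-only working-day calendar (no public holidays) are assumptions.

```python
from datetime import date, timedelta

# Intervals from the article: high-risk 2 years, medium-risk 8 years; low-risk 10 years is an assumption.
KYC_REFRESH_YEARS = {"high": 2, "medium": 8, "low": 10}
STR_DEADLINE_WORKING_DAYS = 7  # STR must reach FIU-IND within seven working days of suspicion
AS_OF = date(2025, 12, 31)  # review cut-off date (constructed)

def add_years(d, years):
    """Add calendar years to a date, rolling 29 Feb back to 28 Feb when the target year is not leap."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def working_days_between(start, end):
    """Count Mon-Fri days after `start` up to and including `end` (public holidays ignored: assumption)."""
    count, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            count += 1
    return count

def overdue_kyc(accounts, as_of):
    """Return ids of accounts whose last KYC refresh is older than their risk category permits."""
    return [a["id"] for a in accounts
            if add_years(a["last_kyc"], KYC_REFRESH_YEARS[a["risk"]]) < as_of]

def reconcile_strs(alerts, str_log):
    """Cross-check monitoring alerts against the STR filing log the way an inspector would."""
    findings = {"undispositioned": [], "missing": [], "late": []}
    for alert in alerts:
        if alert["disposition"] is None:            # alert never reviewed
            findings["undispositioned"].append(alert["id"])
        elif alert["disposition"] == "str_filed":   # disposition claims an STR exists
            filed = str_log.get(alert["id"])
            if filed is None:                       # no STR in the log
                findings["missing"].append(alert["id"])
            elif working_days_between(alert["date"], filed) > STR_DEADLINE_WORKING_DAYS:
                findings["late"].append(alert["id"])
    return findings

# Constructed sample data with hypothetical account and alert ids.
ACCOUNTS = [
    {"id": "A1", "risk": "high", "last_kyc": date(2023, 6, 30)},    # 2-year window expired
    {"id": "A2", "risk": "medium", "last_kyc": date(2017, 1, 10)},  # 8-year window expired
    {"id": "A3", "risk": "low", "last_kyc": date(2016, 2, 29)},     # leap day; due 2026-02-28
]
ALERTS = [
    {"id": "AL-1", "date": date(2025, 11, 3), "disposition": "str_filed"},   # filed in 5 working days
    {"id": "AL-2", "date": date(2025, 11, 5), "disposition": "str_filed"},   # filed in 10 working days
    {"id": "AL-3", "date": date(2025, 11, 12), "disposition": "str_filed"},  # no STR on record
    {"id": "AL-4", "date": date(2025, 11, 20), "disposition": None},         # never dispositioned
]
STR_LOG = {"AL-1": date(2025, 11, 10), "AL-2": date(2025, 11, 19)}
```

Running `overdue_kyc(ACCOUNTS, AS_OF)` and `reconcile_strs(ALERTS, STR_LOG)` over the full customer base and alert history, rather than this sample, gives the backlog figure item 16 of the document pack asks for and the STR gap list from the Day 30-45 review.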
Citation capsule: A 90-day pre-inspection preparation programme covers six sequential workstreams: regulatory return reconciliation, KYC gap analysis with prioritised remediation of high-risk accounts, AML alert and STR log review, IT control testing including BCP and IS Audit currency, board meeting frequency verification, and document pack compilation. Companies completing this programme before an RBI inspection consistently produce fewer first-time findings and face smaller corrective action requirements.
What is the difference between an RBI inspection and an internal audit?
This question comes up often — and the answer matters for how you resource each.
An internal audit is conducted by your own team (or an outsourced firm like Spectra) and reports to your Audit Committee. Its job is to find gaps, test controls, and recommend fixes — on your terms, at your frequency, before regulators arrive. The findings stay internal unless you choose to share them.
An RBI inspection is conducted by the regulator. Findings go into an inspection report that your board must acknowledge and respond to. If findings are serious enough, they are escalated to supervisory action. There is no option to decide what to fix and what to defer — the regulator's corrective action timeline applies.
The two functions should operate hand-in-hand. Your internal audit is the rehearsal. The RBI inspection is the performance. If your internal audit is finding the same things the RBI finds, your internal audit isn't independent or rigorous enough.
The table below summarises the key differences:
| Feature | Internal Audit | RBI Inspection |
|---|---|---|
| Conducted by | In-house team or external firm | RBI Department of Supervision |
| Frequency | Annual (or risk-based continuous) | Periodic — typically annual for large entities |
| Reports to | Audit Committee and Board | RBI; board must formally respond |
| Findings are | Confidential; board-managed | Regulatory record; escalation possible |
| Purpose | Find and fix before it becomes a problem | Verify compliance; enforce corrections |
| Can you defer action? | Yes, with board approval | No — RBI timelines are binding |
Citation capsule: Internal audit and RBI inspection are complementary but distinct functions. Internal audit is self-initiated, confidential, and reports to the audit committee. RBI inspection is regulatory, places findings in an official record, and carries binding corrective action timelines. Companies where internal audit findings closely mirror RBI inspection findings typically have ineffective internal audit programs — a well-run function should pre-empt most regulatory findings.
What changed in the RBI regulatory framework in 2024-2025?
The regulatory landscape has shifted considerably, and if your compliance program is still calibrated to pre-2023 requirements, you have gaps you don't know about.
Scale-Based Regulation (SBR) for NBFCs (2023 onwards): NBFCs are now classified into four layers — Base, Middle, Upper, and Top — based on asset size and systemic risk. Middle Layer and above must appoint a Chief Compliance Officer, a Chief Risk Officer, and maintain enhanced governance. Upper Layer NBFCs face near-bank-level regulatory requirements.
New KYC Master Directions (November 2025): In November 2025, RBI replaced the 2016 KYC Master Directions with 10 new sector-specific directions — separate frameworks for commercial banks, NBFCs, payment banks, cooperative banks, and others. The new directions align with current FATF standards, clarify that Aadhaar is not mandatory for general KYC, and introduce specific provisions for digital onboarding and cross-border operations. If your KYC policy still references the 2016 Master Direction, update it immediately.
Cyber Resilience Framework (2024): RBI's updated cybersecurity guidelines require banks and NBFCs above ₹500 crore in assets to have a Board-approved Cyber Risk Management Policy, a documented incident response plan, and annual penetration testing. Incidents above a defined threshold must be reported to RBI within six hours.
Digital Lending Guidelines compliance checks: Inspections in 2024-25 have specifically targeted whether NBFCs' fintech partnerships comply with the Digital Lending Guidelines — particularly around first loss default guarantees, the use of regulated entities as co-lending partners, and borrower consent frameworks.
NOF threshold increase: Net Owned Funds for NBFCs must reach ₹10 crore by March 2027. If you're currently below this threshold, your capital plan needs to show a credible path to compliance.
Citation capsule: Five regulatory changes materially affecting RBI inspection readiness in 2024-25 are: Scale-Based Regulation requiring CCO/CRO appointments for Middle and Upper Layer NBFCs; new sector-specific KYC Master Directions issued November 2025 replacing the 2016 framework; updated Cyber Resilience Framework mandating annual penetration testing and six-hour incident reporting; Digital Lending Guideline compliance checks in fintech partnerships; and the NOF increase to ₹10 crore by March 2027.
Frequently Asked Questions
How much notice does RBI give before an on-site inspection?
Typically very little. RBI on-site inspections can arrive with as few as three to five working days' notice, or in some cases with almost no advance warning for special examinations triggered by specific concerns. This is why inspection readiness should be a continuous state, not a reactive scramble.
What happens if RBI finds serious compliance violations during an inspection?
Findings are communicated to the board in the inspection report. The board must formally acknowledge and respond with a corrective action plan. Serious violations — especially in AML/KYC, capital adequacy, or governance — can result in business restrictions, penalties under the RBI Act, or in the worst cases, cancellation of the Certificate of Registration for NBFCs.
Can the same firm be your internal auditor and help you prepare for an RBI inspection?
Yes — this is actually a common arrangement. An external firm that serves as your internal auditor or compliance reviewer is in the best position to simulate an inspection, identify gaps, and help you close them. This is different from the statutory auditor restriction — an external advisory or audit firm can serve as both internal auditor and inspection support advisor.
What is the difference between off-site surveillance and an on-site inspection?
Off-site surveillance is continuous monitoring through the returns and data you submit to RBI periodically. On-site inspection involves the RBI team physically arriving at your premises (or conducting a virtual inspection) to examine records, test controls, and interview staff. Off-site concerns often trigger on-site inspections.
What is the Chief Compliance Officer required to do for RBI inspections?
The CCO (mandatory for Middle Layer and Upper Layer NBFCs) must ensure that all regulatory filings are accurate and timely, that compliance gaps are identified and escalated to the board, and that the NBFC maintains a compliance management framework. During an inspection, the CCO typically serves as the primary point of contact for the RBI inspection team.
How often does RBI inspect NBFCs in the Middle Layer?
Frequency varies based on risk profile, but Middle Layer NBFCs can generally expect annual off-site review and periodic on-site inspections — the frequency of which increases if prior inspections found significant gaps. There is no fixed published schedule; RBI risk-rates entities and prioritises inspection resources accordingly.
What are the most commonly imposed penalties following an RBI inspection?
Penalties for NBFCs are levied under the RBI Act and can range from advisory letters requiring compliance within a specified period, to monetary penalties, to operational restrictions. In 2024, RBI imposed penalties on multiple NBFCs for violations including late NBS-1 filings, AML/KYC non-compliance, and P2P lending regulation violations — with fines ranging from a few lakh to several crore rupees depending on severity.