NBFC Borrower Tier Classification under RBI Scale-Based Regulation (SBR)

Terra Insight Reconciliation Infrastructure

Content authored by practitioners with experience at Amazon India, Intuit QuickBooks, and the Tata Group. Meet the team →

Published 12 June 2026

Domain expertise

TDS Reconciliation GST Input Credit Platform Settlements NACH Batch Matching Bank Reconciliation Form 26AS Matching ERP Integrations Enterprise Finance Ops

Reviewed by

Navin Krishnan

Managing Director & Founder — Terra Insight

Ex Amazon India · Intuit QuickBooks · Tata nexarc

ISO 27001:2022 Patent Pending Incorporated 2024

Knowledge Card

Problem

RBI Scale-Based Regulation places every NBFC in one of four layers — Base, Middle, Upper, Top — based on size, activity, and systemic interconnectedness. Each layer applies a different capital, governance, and disclosure regime. Asset classification turns NPA at 90 DPD across all layers. Borrower-level tagging discipline is the single source of truth that drives capital, exposure, classification, and disclosure simultaneously.

How It's Resolved

Tag every loan account at the borrower level with category, product, sanction, tenor, outstanding, DPD, classification stage, provisioning, and connected-party flag. Refresh tagging on every disbursement, prepayment, restructuring, and at day-end. Compute NPA at 90 DPD overdue. Aggregate borrower exposures across products to enforce single-counterparty and group caps. Produce layer-specific reports — capital adequacy, large exposures, concentration, related-party — from this tagged dataset.

Configuration

SBR layer parameter for the entity (Base, Middle, Upper, Top) driving threshold rules. Borrower master with category, sanction limit, and group code. DPD classification matrix mapped to provisioning percentage. Connected-party register feeding the related-party report.

Output

Daily DPD classification flow into asset-classification register, layer-specific quarterly returns (concentration, large exposure, capital adequacy), audit-ready borrower-level tag history, and synchronised provisioning movements.

The RBI Scale-Based Regulation (SBR) framework, issued in October 2021 and effective from October 2022, restructured the prudential regime for non-banking financial companies. Before SBR, NBFCs operated under a category-driven regime — Asset Finance Company, Loan Company, Investment Company, Infrastructure Finance Company, and so on — each with broadly similar rules. SBR replaced the activity-cut with a size-and-systemic-importance cut. The layer an NBFC sits in now defines almost every prudential parameter that matters: capital, governance, exposure caps, classification, and disclosure. Asset tagging at the borrower level is the operational discipline that keeps all of these in sync.

Quick reference: the four SBR layers

Layer	Covers	Capital	NPA trigger
Base (NBFC-BL)	Non-deposit-taking, asset size below threshold, lower-complexity	Standard NBFC CRAR	90 DPD
Middle (NBFC-ML)	Deposit-taking, non-deposit above threshold, HFC, IFC, primary dealers	Standard NBFC CRAR with enhanced norms	90 DPD
Upper (NBFC-UL)	RBI-identified on systemic-importance scoring	CET1 minimum 9% of RWA, bank-like LEF	90 DPD
Top (NBFC-TL)	Activated only on extreme risk identification	Bespoke supervisory rules	90 DPD

How RBI assigns the layer

For Base and Middle Layer the classification is rule-based — driven by deposit-taking status, asset size threshold, and activity. For Upper Layer it is scoring-based: RBI runs an annual scoring exercise across size, interconnectedness, substitutability, complexity, and supervisory inputs, and publishes the list of identified NBFCs. Once identified, an NBFC remains in the Upper Layer for at least five years; it can move down only if its scoring stays below the threshold for a sustained period and the supervisory view supports a step-down.

The Top Layer is not populated by default. RBI activates it only if an NBFC’s risk profile warrants extreme prudential treatment.

NPA at 90 DPD across all layers

SBR aligned NBFC asset classification with the banking norm. A loan account is NPA when interest or principal remains overdue for more than 90 days from the contractual due date. The earlier 180 DPD treatment that some categories operated under has been withdrawn. The 90 DPD trigger applies uniformly to Base, Middle, and Upper layers from the prescribed cutover dates.

Sub-classification follows the standard ageing matrix:

Sub-standard: NPA up to 12 months
Doubtful 1: NPA more than 12 months and up to 24 months
Doubtful 2: NPA more than 24 months and up to 36 months
Doubtful 3: NPA more than 36 months
Loss: identified by management or auditor as uncollectible

Provisioning runs in parallel — secured and unsecured portions of each bucket attract different percentages per the standard NBFC matrix.

Borrower-level asset tagging: the operational anchor

Layer-specific reports — Large Exposure, concentration of advances, related-party transactions, sector exposure, group structure — all roll up from borrower-level data. The tagging discipline that supports these reports must hold every active loan to a borrower-master record with at least:

Borrower category (individual, MSME, corporate, NBFC, bank, sovereign, others)
Product type (term loan, working capital, vehicle loan, gold loan, home loan, BNPL, others)
Original sanction limit, current outstanding, original tenor, residual tenor
Current DPD bucket and classification stage
Provisioning held against the account
Connected-party flag and group code
Sector code (NIC classification) for sector-exposure reporting

Refresh of the tag must run at every system event — disbursement, prepayment, restructuring, settlement — and at day-end for active accounts. Without daily refresh, the DPD bucket reported by the loan-management system drifts from reality within a week.

Middle and Upper Layer NBFCs face significant disclosure on related-party transactions. The group code on the borrower master must reflect the full group structure — parent, holding company, sister concerns, key managerial personnel, and their relatives. Loan exposures, deposits accepted, leases, services, and any other dealings with a related party roll up under that group code for the quarterly disclosure to the board and the annual disclosure in financial statements.

A common operational gap: a borrower is added to the loan-management system but the group code is left blank, the related-party report misses the exposure, and the quarterly disclosure is incomplete. Audit will catch this; supervisory inspection will catch it; the remediation involves restating prior disclosures, which is a reportable event.

Try aggregating borrower exposures across products to identify single-counterparty concentration using the framework in the three-way match exception cost calculator — the same aggregation discipline applies.

Layer-specific governance

Middle Layer requires Audit, Risk, Nomination and Remuneration, and Asset-Liability Management committees of the board. A Chief Compliance Officer is mandatory; a Chief Risk Officer is mandatory above the ₹5,000 crore asset threshold. Internal audit must be functional. Fair Practices Code, customer grievance redressal, and information security framework apply with stricter monitoring.

Upper Layer adds: listing on a recognised stock exchange within three years of identification, CET1 minimum at 9% of risk-weighted assets, Differential Standard Asset Provisioning where applicable, Large Exposure Framework caps, ICAAP, and the bank-like supervisory engagement under the Senior Supervisory Manager regime.

Audit evidence required across layers

At each quarter-end the NBFC must produce:

Borrower-level asset register with classification stage and provisioning
NPA register with bucket movements during the quarter
Concentration of advances by borrower, group, and sector
Related-party transaction register with rolled-up exposures by group code
Large-exposure report (Middle Layer enhanced, Upper Layer LEF-style)
Capital adequacy computation aligned to the layer’s CRAR or CET1 norm

This pack is the single most-requested artefact in statutory audit, internal audit, and RBI inspection — and it can only be produced from disciplined borrower-level tagging that has held up across the quarter.

How TransactIG handles SBR reporting

TransactIG configures the SBR layer as an entity-level parameter that drives downstream report shapes — Base, Middle, or Upper. The engine ingests loan-master data, refreshes DPD at day-end, applies the classification matrix, computes provisioning, aggregates exposures by borrower and group code, and produces the quarterly layer-specific reports from the same data lineage. Connected-party flags drive the related-party report; sector codes drive concentration; sanction-limit ageing drives the LEF report. Layer transitions — Middle to Upper, for example — are a configuration change, not a code change.

Primary reference: Reserve Bank of India — where the Scale-Based Regulation framework and Master Direction are published.

Frequently Asked Questions

What are the four layers under SBR?

The RBI Scale-Based Regulation framework, effective from October 2022, classifies NBFCs into four layers. NBFC-Base Layer (NBFC-BL) covers non-deposit-taking NBFCs with asset size below the threshold and lower-complexity activities. NBFC-Middle Layer (NBFC-ML) covers deposit-taking NBFCs, non-deposit-taking NBFCs with asset size above the threshold, and standalone primary dealers, housing finance, and infrastructure finance companies. NBFC-Upper Layer (NBFC-UL) covers NBFCs identified by RBI based on scoring on parameters of size, interconnectedness, complexity, and supervisory inputs. NBFC-Top Layer (NBFC-TL) is reserved for NBFCs that pose extreme risk and is populated only if RBI activates it. The layer determines the prudential, governance, and disclosure regime applicable.

When does an asset turn NPA under SBR?

SBR aligned NBFC asset-classification norms with the bank framework. A loan account is classified as Non-Performing Asset (NPA) when interest or principal remains overdue for more than 90 days from the due date. This is uniform across the Base, Middle, and Upper layers — the 90 DPD trigger applies to all SBR-covered NBFCs from the prescribed cutover date. The earlier 180 DPD relaxation that some NBFCs operated under has been withdrawn. Sub-classification into Substandard, Doubtful 1/2/3, and Loss follows the standard ageing matrix, and provisioning runs in parallel.

What is the asset-tagging discipline that supports SBR compliance?

Every loan account must be tagged at the borrower level with at least: borrower category (individual, MSME, corporate, NBFC, bank, sovereign), product type, original sanction limit, original tenor, current outstanding, current DPD, asset classification stage, provisioning held, and connected-party flag. The tag must be refreshed daily where the account is active and at each system event — disbursement, prepayment, restructuring, settlement. Without disciplined tagging the layer-specific reports (large exposures, concentration risk, related-party exposure) cannot be produced from the loan-management system without manual recomputation.

What governance obligations apply at the Middle Layer?

Middle Layer NBFCs must constitute Audit, Risk, Nomination and Remuneration, and Asset-Liability Management committees of the board. They must have a Chief Compliance Officer, a Chief Risk Officer where assets exceed ₹5,000 crore, and a functional internal audit. Disclosure obligations expand: related-party transactions, large exposures, concentration of advances by sector and borrower, and group structure must be reported. NPA classification at 90 DPD applies. Provisioning runs at the standard NBFC matrix. Investor information and customer protection norms (including the Fair Practices Code) apply with stricter monitoring.

What additional rules apply at the Upper Layer?

Upper Layer NBFCs are subject to bank-like prudential norms. Common Equity Tier 1 (CET1) capital must be at least 9% of risk-weighted assets. Differential Standard Asset Provisioning may apply to specified exposures. Large Exposure Framework — modelled on the banking LEF — caps single-counterparty and group exposures. Listing on a recognised stock exchange is required within three years of identification. Internal Capital Adequacy Assessment Process (ICAAP) becomes mandatory. The qualitative supervisory engagement intensifies — the Senior Supervisory Manager regime applies, with quarterly reviews and an annual Risk-Based Supervision cycle.