Annual Report 2024-2025

Risk Management

Safeguarding Growth, Mitigating Risks.

Ujjivan has a strong risk management framework in place to identify, measure, mitigate, and monitor material risks across all our functions. Directed by the Risk Management Committee of the Board (RMCB), we have an adequately staffed risk management team led by our Chief Risk Officer (CRO) to implement the directions of the RMCB and the Board.

Ujjivan has dedicated teams to assess and monitor enterprise and strategic risks, credit risk, operational risk, market and liquidity risk, information security risk, and emerging risks such as AI, climate risk and ESG. Our risk management team is primarily based at our corporate office, with a presence in each of our regional offices to cascade the operational risk framework to a granular level. A defining feature of our Risk Management function is its independence from the business sourcing units, with convergence only at the Board level, which is in line with prudential risk management practices.

The RMCB fulfils its roles and duties through various management-level risk committees such as the Credit Risk Management Committee (CRMC), Operational Risk Management Committee (ORMC), Asset Liability and Market Risk Committee (ALCO), Information Security Risk Management Committee, and Business Continuity Management Committee. We also have an Enterprise Risk Management Committee (ERMC) to oversee strategic and emerging risks while maintaining general oversight on audit and compliance matters. These committees are responsible for identifying, measuring, mitigating, and monitoring specific risks, and they direct enhancements and new policy advocacies wherever applicable.

Our Risk Management Framework is based on a clear understanding of our key material risks, disciplined and well-defined risk assessment and measurement procedures, and continuous monitoring. The policies and procedures we establish are continuously benchmarked against best practices. We have oversight on all our material risks through regular monitoring of risk indicators, policy advocacy, and testing of controls for design and effectiveness. Breaches and gaps identified are thoroughly analysed to determine the associated root causes for initiating corrective actions.

Key Developments and Action Taken During the Year

During FY 2024-25, persisting stress in the microfinance sector continued to impact loan origination trends and asset quality. The contraction in growth was primarily due to rising delinquencies, borrower over-leverage across lenders, collection inefficiencies, and weakening asset quality, all of which led to a more cautious approach to growth.

During the year, Self-Regulatory Organisations (SROs), particularly MFIN, took early corrective action by introducing guardrails for lending practices applicable to all entities. By January 1, 2025, a cap of ₹2 Lakhs on loan amount and minimum standards for delinquency status had come into effect, and a cap of three lenders per borrower was to follow from April 1, 2025. While these corrective measures are expected to affect the sector in the short term, we remain confident that they will strengthen the sector's resilience, and green shoots have been observed in performance during March-April 2025. To manage these risks, we updated our credit policies in line with the SROs' mandate and customised credit lending norms at the state level, taking into account inherent and anticipated risks. We also identified key risk metrics and categorised branches and operating areas by risk posture. Our collection strategies were revamped to allocate infrastructure on a data-driven basis, and business development strategies were recalibrated with a risk-based focus. The creation of floating provisions in Q1 FY 2020-21, in anticipation of future risks and business cyclicality, has now validated the foresight of the Board.

The Karnataka Micro Loan and Small Loan (Prevention of Coercive Action) Ordinance, 2025 was notified with the aim of curbing unethical practices such as usurious pricing and coercive recovery methods used by unregulated MFIs. Although the ordinance explicitly excludes regulated MFI lenders, its potential impact on asset quality and growth trends for regulated entities remains a concern, as local administrations could misinterpret it as extending to regulated entities.

The shift in the Monetary Policy Committee’s (MPC) stance from hawkish to accommodative marked a significant turning point in FY 2024-25. With inflation rates now under control, the rate-cut cycle commenced during the year, with further cuts anticipated in FY 2025-26. We have incorporated these macroeconomic shifts into our business strategy and profitability assessments, including redrawing deposit mobilisation plans and interest rates to optimise our cost of funds and Net Interest Margin.

Lastly, the regulator's reduction in risk weights for consumer credit lending in the MFI segment and for lending to NBFCs is expected to support macroeconomic and credit growth, contributing to the broader goal of financial inclusion. The RBI's rollback of the earlier increase in these risk weights will enable lenders to develop customised products for the consumer credit segment, specifically targeting under-served and un-served customers. We believe this relaxation will release the necessary capital, channel credit to the segments that need it, and align fully with our mission to serve the un-served and under-served, as well as the nation's vision of Viksit Bharat by CY 2047.

Risk Management Framework and Implementation

The establishment of best practices in Risk Management, aligned with our nature, size, and complexity, has been an ongoing process since our inception. Some of the field-level policies and processes, particularly the due diligence adopted as an erstwhile NBFC-MFI in identifying locations before starting business and branch-level credit policies, ensured that our geographic expansion strategy incorporated a critical principle to avoid disturbed areas of operations. We believe that risks can only be managed, not eliminated, and therefore prevent excessive risk build-up in connection with our businesses by adhering to the following principles that underpin the risk culture within our organisation:

1. Every risk taken must be approved and fall within our established risk management framework. The emphasis is on practical risk management, distinct from theoretical models, which makes the framework more effective.

2. Ownership of risk lies with the first line, with our Risk Department maintaining independent oversight. Employees at all levels of our organisation are responsible for managing and escalating risks.

3. Risk is taken within a defined risk appetite/limit framework.

4. Risk is continuously monitored and managed.

Since the receipt of our banking licence and the commencement of banking operations, our journey has been a challenging one. The strength and character of our Risk Management practices have been validated by a strong governance and oversight mechanism that helped us navigate the worst effects of two black-swan events, demonetisation and the pandemic, during our short history of eight years. Our Risk Management practices have evolved over time, with our Board playing a pivotal role in shaping the overall framework. As the operating environment has evolved, the scope, breadth, and depth of deliberation on risk-related matters have expanded.

Initially managing only credit, operational, and liquidity risks during our NBFC days, today, our coverage extends to encompass a broad spectrum of risks, including emerging risks in the industry.

For managing these risks, we follow the 'three lines of defence' model: business functions and support verticals form the first line, the Risk Management unit and Compliance unit form the second line, and Internal Audit forms the third line. These control functions have reached a significant level of maturity, driven by enhancements based on Board directions and feedback from the Regulator through thematic audits and Annual Financial Inspections. There has also been substantial progress in recent years in devolving risk ownership to our major front-line operations, with a robust Risk and Control Self-Assessment (RCSA) process contributing to this progress.

Credit Risk Management Framework

Our credit risk management framework encompasses the identification, measurement, monitoring, and control of credit risk exposures. Product programmes and supporting credit policies are the foundational documents that govern credit risk management. These policies enable us to clearly delineate and define target markets, risk acceptance criteria, documentation norms, pricing, expected profitability, and income assessment methods. Our credit policies outline the credit risk strategy, including the credit risk appetite, maximum permissible tenors, and loan limits.

Supporting credit policies define our willingness and eligibility norms for granting loans, considering factors such as target markets (e.g., New Credit Applications, New to Bank, Repeat loans), demographic, economic, and geographical considerations, and income assessment methods. Customised product programmes and product-specific credit policies allow us to capture the idiosyncratic risks inherent in each product or product group. For instance, a key eligibility norm for sanctioning a Microfinance/Group Loan ensures that our proposed credit exposure is within the cap on the number of lenders and the borrower’s indebtedness limit. Income assessment is undertaken at the household level, differing from the common practice of assessing income at the applicant and co-applicant levels, as is the norm for retail loans.

For housing loans, property proposed for mortgage is a key criterion in determining credit eligibility, though the cash flow assessment remains the determining factor for credit approval. We have similarly customised risk management principles for two-wheeler loans, gold loans, MSME business loans, and corporate lending.

Our Credit Risk unit is independent: it is not involved in credit decision-making and is not subject to profit targets. The unit reviews portfolio quality, credit appraisal standards, and standard operating procedures, and reports its findings to senior management. It employs a variety of techniques, including Early Warning Systems (EWS), Red Flagged Accounts (RFA), file reviews, credit rating systems, collection trackers, industry benchmarking, concentration risk analysis, and credit provisioning models, to assess and report on risk posture and severity trends. The unit also provides independent feedback and recommendations to enhance policies and processes that mitigate identified risks, and maintains oversight of NPA management.

In FY 2024-25, we concluded two sales of NPA assets through the Asset Reconstruction Company route, in compliance with RBI guidelines, amounting to ₹270 Crores and ₹364 Crores. These sales reduced our incremental provisioning requirement by approximately ₹65 Crores. In accordance with statutory auditor requirements and market practice, we have fully provided for the Security Receipts (SR) portion held by us.

Operational Risk Management Framework

Our Operational Risk Management framework is structured around four key themes: 1) Branch/unit level, 2) Corporate Operational Risk Management and Assessment of Risk Postures, 3) Outsourcing Risk Management, and 4) Technology Risk Management. At the branch/unit level, we use a scorecard-based risk matrix complemented by regular visits from regional teams. These visits provide key triggers for field-level risks arising from non-adherence to processes and policies. The resulting branch risk index also informs our Internal Audit team, helping it focus on critical areas during branch audits.

At the corporate level, the ORMU (Operational Risk Management Unit) manages risks proactively through tools such as the Risk and Control Matrix (RCM), Risk and Control Self-assessment (RCSA), Incident Management tracking, Business Continuity Risk Assessment, Root Cause Analysis (RCA), and exception handling mechanisms. These tools help identify deficiencies in Standard Operating Procedures (SOPs) and provide recommendations to the first line for improvements.

A key initiative this year was evaluating the risk postures of each operating unit, expanding beyond the conventional RCSA approach. This exercise included an end-to-end assessment of operating processes, credit discipline, and regulatory compliance.

We have a well-defined Outsourcing Policy and SOP to manage risks arising from third-party dependencies. All material vendors undergo a pre-onboarding risk assessment, conducted jointly with the Information Security Unit. Additionally, a review is mandatory for all material vendors on an annual basis.

For Technology Risk Management, ORMU independently reviews Business Requirement Documents (BRD) for technology/application changes and automation projects. A formal sign-off/acceptance from ORMU is required on any BRD, ensuring that we replicate learnings from other application change management areas. ORMU also participates in the testing phase, performing independent User Acceptance Testing (UAT) to identify gaps in the deliverables versus the proposed changes in the BRD.

Lastly, in terms of Business Continuity, our Business Continuity Management Policy (BCMP) ensures that contingency plans are in place to restore normal business functions if applications are disrupted by a disaster or crisis. Our Disaster Recovery (DR) drills for IT applications are rigorous, conducted for each application under various scenarios, ensuring the continuous delivery of key products and services to our customers.

We are guided by the provisions of our Fraud Risk Management Policy, which is designed to provide efficient internal oversight of frauds and establish a framework for Fraud Risk Management. The primary objective of this policy is to foster and sustain an anti-fraud culture across our organisation. The policy emphasises pre-empting fraud and proactively detecting irregular, suspicious, and fraudulent practices, achieved through the monitoring of transactions and activities at appropriate levels across our operations and branches. Some of the current fraud detection mechanisms available within our organisation are outlined below:

We have also put in place a Staff Accountability Policy, to be read in conjunction with our SOPs on disciplinary proceedings, code of conduct, whistleblower policy, Prevention of Sexual Harassment (POSH), and Occupational Health and Safety policy. The Staff Accountability Policy provides a legitimate mechanism to cultivate a strong risk culture within our organisation.

For liquidity risk management, we compute and monitor key ratios and limits such as the Liquidity Coverage Ratio, Net Stable Funding Ratio, Structural Liquidity Statement (SLS), stock liquidity ratios, CRR and SLR maintenance, call/notice borrowing limits, counterparty limits, and cash/funding gap analysis, among others. These thresholds are monitored daily or fortnightly, as applicable, and any breach is escalated for corrective action as per our internal policy norms. We are at an advanced stage in automating the preparation of SLS reports and will progressively automate the computation of key liquidity ratios such as the Liquidity Coverage Ratio and Net Stable Funding Ratio. The current manual computation process is periodically audited, and the necessary controls are in place to ensure full compliance in preparing these key regulatory ratios. We have also established specific frameworks for behavioural analysis of core and volatile deposits, premature closure and rollover trends, revolving credit facilities, and SMA collections. Stress testing, interest rate risk management, and treasury risk management are managed by the ALM team within the risk unit.

While Pillar I and other traditional risks, such as credit, market, operational, liquidity, concentration, outsourcing, and technology risk, are broadly managed at the silo level, the Enterprise Risk Management (ERM) unit provides oversight of Pillar II risks with active involvement from the first line. We maintain independent oversight of the strategic plan, drawing independent inferences on capital budgeting and planning to sustain the business plan. We also assess Risk-Adjusted Return on Capital (RAROC) to track strategic shifts, monitor our Performance Index and Risk Appetite Framework, and are developing a capital allocation framework that links pricing, profitability, and shareholder value creation. We continuously benchmark our balance sheet and provide integrated risk reporting. The management of emerging risks, such as model risk and climate-induced financial risks, has also been initiated under the ERM framework.

A key area where the ERM unit is actively involved is in propagating our risk culture. Detailed surveys and Focus Group Discussions (FGDs) are held with respondents to understand and evaluate the prevailing risk culture, identify areas requiring improvement in policy or processes, and pinpoint knowledge gaps and people-specific risks. Based on this feedback, we have identified areas where our Learning and Development (L&D) initiatives need to be strengthened. In FY 2024-25, we conducted our first formal risk culture survey with top management personnel. Going forward, we plan to conduct bank-wide surveys and subject-specific surveys on an ongoing basis.

A significant addition to our Risk Management Framework in FY 2024-25 was the creation of a dedicated Risk Analytics & Monitoring (RAM) unit, reporting directly to the Chief Risk Officer (CRO). The unit was created to address the growing need for data- and analytics-led decision-making in risk-related matters. Positioned and operated as part of the second line of defence, the RAM unit avoids conflicts of interest and strengthens independent oversight. Its Terms of Reference (ToR) are to standardise and report Risk Intelligence dashboards and to undertake predictive analytics in Credit Risk (statistical scorecards, credit KRI dashboards, etc.) and Market Risk (Value at Risk models). The outputs and findings of the RAM unit feed into the silo-level risk management units, such as Credit Risk, Asset Liability Management, Market Risk Management, and Operational Risk, and thus contribute to a robust risk management lifecycle within our organisation.

Information Security

Given the ever-increasing global threat landscape, we recognise the importance of a robust information security structure and have implemented advanced technologies to safeguard our customers' interests. Our tooling is orchestrated so that actions by malicious intruders are identified quickly rather than going undetected. Our security strategy centres on adherence to global governance standards, implementation of advanced cybersecurity frameworks, proactive threat detection, and a strong data protection mechanism maintained on an ongoing basis.

Our Information Security programme is aligned with RBI guidelines on cyber/information security and is ISO 27001 certified. With the Information Security Committee overseeing the programme, the following aspects are regularly reviewed:

Regulatory Compliance: We strictly adhere to the RBI's cybersecurity framework and to emerging data protection laws. Our information security policies and procedures mandate secure operation and are binding on every person working in the organisation.

Third-Party Risk Management: Vendors and third-party entities undergo rigorous security assessments prior to onboarding to minimise supply chain risk. We monitor their external attack surface scores using customised tools and periodically alert them to improve these scores.

Regular Audits & Assessments: Internal and external audits validate our security controls, ensuring compliance with regulatory and operational security requirements. We conduct regular risk assessments to identify and mitigate potential vulnerabilities and threats to Ujjivan.

A comprehensive risk management framework enables us to proactively address security threats across our IT infrastructure. Our risk and infrastructure security team focuses on:

  • Vulnerability assessments to identify and mitigate system weaknesses.
  • Cloud security measures to protect data hosted in hybrid cloud environments.
  • Secure configuration reviews of critical applications, databases, and network infrastructure.
  • Attack surface management to monitor external threats targeting our digital presence.

Our Security Operations Center (SOC), also known as the Blue Team, operates 24/7 to detect, analyse and respond to cybersecurity threats. The Blue Team relies on the following approaches:

  • The MITRE ATT&CK framework for mapping adversarial tactics and techniques to our detections and improving detection coverage.
  • Threat hunting to proactively identify hidden threats within the network.

To assess the effectiveness of our security controls, our Red Team conducts real-world attack simulations. These ethical hacking exercises help us uncover vulnerabilities and enhance our resilience against sophisticated cyber threats. Their key areas of oversight include adversary emulation and threat modeling to mimic the tactics of real-world attackers, as well as application and network penetration testing to identify security gaps in our banking platforms.
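The SOC's use of MITRE ATT&CK above is about tagging each detection with the technique and tactic it covers, so that gaps in coverage become visible. As an added illustration, not the bank's own tooling, the following Python runs two detection rules over constructed sshd-style log lines: a brute-force rule (ATT&CK T1110, Credential Access) that fires once a source IP exceeds an assumed threshold of failed logins, and a follow-on rule (T1078 Valid Accounts, Initial Access) that fires when the same source then logs in successfully. The log lines, hostnames, IP addresses and the threshold are all constructed for the example.

```python
"""Two ATT&CK-mapped detection rules over constructed sshd-style log lines (illustrative only)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real data); 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = """\
Jan 12 09:00:01 app01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Jan 12 09:00:02 app01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51423 ssh2
Jan 12 09:00:03 app01 sshd[2201]: Failed password for root from 203.0.113.7 port 51424 ssh2
Jan 12 09:00:04 app01 sshd[2201]: Failed password for root from 203.0.113.7 port 51425 ssh2
Jan 12 09:00:05 app01 sshd[2201]: Failed password for root from 203.0.113.7 port 51426 ssh2
Jan 12 09:00:09 app01 sshd[2201]: Accepted password for root from 203.0.113.7 port 51430 ssh2
Jan 12 09:05:00 app01 sshd[2310]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
"""

# Assumed threshold for this illustration; a real SOC would tune it per environment.
BRUTE_FORCE_THRESHOLD = 5

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")


@dataclass(frozen=True)
class Alert:
    technique: str  # ATT&CK technique ID, e.g. T1110
    tactic: str     # ATT&CK tactic the rule is mapped to
    source: str     # offending source IP
    detail: str


def detect(log_text: str) -> list:
    """Return alerts in the order the rules fire while scanning the log."""
    failures = defaultdict(int)  # source IP -> count of failed logins
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            # Fire exactly once per source, when the threshold is reached.
            if failures[src] == BRUTE_FORCE_THRESHOLD:
                alerts.append(Alert("T1110", "Credential Access", src,
                                    f"{failures[src]} failed logins"))
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m.group(3), 0) >= BRUTE_FORCE_THRESHOLD:
            # A success from a source that was already brute-forcing is the
            # more urgent signal: the attacker now holds a valid account.
            alerts.append(Alert("T1078", "Initial Access", m.group(3),
                                f"{m.group(1)} login as {m.group(2)} after brute force"))
    return alerts


def coverage(alerts: list) -> dict:
    """Summarise which techniques fired, grouped by tactic, for a coverage view."""
    by_tactic = defaultdict(set)
    for a in alerts:
        by_tactic[a.tactic].add(a.technique)
    return {tactic: sorted(techs) for tactic, techs in by_tactic.items()}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"{alert.technique} ({alert.tactic}) from {alert.source}: {alert.detail}")
    print(coverage(detect(SAMPLE_LOGS)))
```

Keeping the technique ID on the alert object, rather than only in the rule name, is what makes the mapping useful: the same coverage() view run across the whole rule set shows which tactics have no rule at all, which is where threat hunting effort is best directed.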

Data Protection and Privacy

With the implementation of the DPDP Act, 2023, we have appointed a Data Protection Officer (DPO) to maintain active oversight of:

  • Privacy impact assessments and gap assessments for all systems handling personal data
  • Data classification and its automated implementation

Security Awareness and Training

Security awareness is prioritised at all levels of our organisation. Our training programmes are designed to equip employees, partners, and vendors with the knowledge to identify and mitigate cybersecurity risks. Employees must complete information security courses and assessments through our internal learning tools. We regularly conduct phishing simulations to test employee vigilance against fraudulent emails. Security awareness material is also circulated consistently to third parties to ensure compliance with our banking security policies. In addition, we run cyber hygiene mailers, data privacy workshops, and social media campaigns to promote best practices in cybersecurity and the handling of sensitive data.

Recognition and Accolades

We have won several awards and accolades during the financial year, including:

  • Best Security Team of the Year 2024: CISO Conclave & Awards
  • Cybersecurity Excellence Award: BankTechX Factor
  • Champion for Ethical Data Fiduciary: DPO Club
  • Best Zero Trust Security Team: Alpha Sec
  • Quantic: 4th Edition Cybersecurity Excellence Awards 2025 - Best Team Project in Cloud Security Implementation
  • Best IT Risk Management: IBA