CERSAI Compliance: Practical Guide for Banks, NBFCs & HFCs — Steps, Risks & Automation

TL;DR — What you need to know

CERSAI is India’s central registry for security interests (movable, immovable and intangible). Registration is mandatory to enable out-of-court enforcement under SARFAESI and to prevent multiple lending on the same asset. Recent portal changes now require lenders to disclose source of funds for on-lending/refinance, making systems integration essential. 

What is CERSAI & why it matters

CERSAI (Central Registry of Securitisation, Asset Reconstruction and Security Interest of India) is the legally mandated central registry for registration of security interests created over assets. It was established under the SARFAESI framework to stop frauds arising from multiple mortgages/charges and to improve enforceability of secured loans. Registration is a pre-requisite if a creditor wants to use SARFAESI enforcement. 

Legal foundation & regulator timeline

• The types of security interests to be filed (immovable other than equitable mortgages; hypothecation of plant & machinery, stocks, receivables; and intangible assets; and certain under-construction agreements) were notified by the Central Government and brought onto the CERSAI portal.

• RBI directed banks/FIs to complete filing of subsisting charges by March 31, 2019, and to file current charges on an ongoing basis. That circular also sets out which regulated entities must comply.

• Historically the Central Registry Rules required filing within 30 days of creation; later legislative amendments (Enforcement of Security Interest & Recovery of Debts Laws (Amendment) Act, 2016) changed the enforcement dynamics — registration became essential before SARFAESI enforcement, and the time-limited penalty regime was modified. Read the Rules + amendments when designing SOPs. 

Recent change you cannot ignore (June 2025 update)

CERSAI has introduced a mandatory source-of-funds disclosure for security interest filings (type of lending: own funds / on-lending / refinance; plus IDs for source entity and source security interest where applicable). Lenders must update LOA/loan origination workflows and CERSAI submission formats to populate these fields when they go live. This is a material operational change for refinance/on-lending chains.

What must be registered

• Creation / modification / satisfaction of a security interest in immovable property (except equitable mortgage). 

• Hypothecation of plant & machinery, stocks, book debts/receivables (present & future).

• Security over intangible assets (IP, know-how, licences). 

• Security interests created by assignment of receivables or factoring arrangements (CERSAI’s scope has been extended to non-tangible assets and various mortgage forms).

Consequences of non-registration

• You lose the SARFAESI out-of-court enforcement route for that security interest until/unless it’s registered; this materially weakens secured creditor remedies.

• Registration creates public priority and strengthens claim ranking in recovery/insolvency contexts.

Operational checklist — how lenders should comply

1. Entity & technical readiness

   • Ensure your institution is registered as an entity on the CERSAI portal and has Class-3 DSC(s) for signing. (CERSAI portal + DSC registration steps are supported on the site.) 

2. Data mapping & LO system changes

   • Map loan records to CERSAI fields (borrower PAN, property identifiers, security type, instrument date). Add fields for source-of-funds, source entity ID and source security interest ID for refinance/on-lending. 

3. Workflow & timing

   • Even though earlier statutory time limits were amended, RBI expects current filings to be maintained and subsisting records to be completed — embed filing at ‘post-disbursement legal sign off’ and create an exception path for legacy records. (RBI set March 31, 2019 as a prior deadline for subsisting records.) 

4. Filing method

   • Use the CERSAI portal (online forms or JSON/offline upload). Build API/JSON export from core banking/LOS to avoid manual errors; CERSAI supports JSON offline form upload. Maintain audit logs of submission + transaction IDs.

5. DSC & user control

   • Maintain a DSC lifecycle (issue, recover, revoke) — register DSC tokens and user roles on CERSAI. Rotate tokens on staff change.

6. Reconciliation & controls

   • Daily/weekly reconciliation between loan ledger and CERSAI records (check for successful registration IDs, mismatches, pending/failed uploads). Alert control owners automatically.

7. Subsidiary / on-lending coordination

   • For refinance/on-lending, obtain source entity IDs and source security IDs in advance (new portal fields require this). Coordinate with upstream lenders and include contractual obligations to share CERSAI IDs. 

8. Audit trail & retention

   • Keep a signed copy of the security instrument, the CERSAI submission receipt, and the DSC audit trail for at least the length of the exposure plus statutory limitation for enforcement actions.

Template SOP

• Trigger: Legal completes security creation → Compliance creates CERSAI record within 3 business days.

• Owner: Legal drafts; Ops/Back-office executes upload; Compliance verifies receipt & registers Transaction ID in LOS.

• Exceptions: If portal rejects, support ticket raised and remediation within 48 hours.

• Legacy remediation: Prioritize high risk/large exposures; monthly legacy sweep until <1% backlog.
  (Adapt timelines to your risk appetite — regulator deadlines are prescriptive for subsisting records historically.)

Automation & tech playbook

Practical, high-impact automations that reduce risk and cost:

1. Pre-file validation layer

   • Auto-validate borrower PAN, property identifiers, instrument dates, and KYC matches before calling CERSAI. Reject / queue records with missing fields.

2. JSON export & scheduled uploads

   • Auto-generate portal-ready JSON from LOS/loan origination, sign with stored DSC programmatically (tokenized vault); push via portal offline upload. CERSAI supports JSON/offline form upload.

3. Source-of-fund mapping for on-lending

   • Add a normalized master for source entities and maintain mapping to their CERSAI Entity IDs/IDs for source security — required by the 2025 change.

4. Event alerts & SLAs

   • Trigger alerts for failed submissions, missing DSC token, or missing source IDs. Enforce SLA to close exceptions (e.g., 48 hours).

5. Periodic reconciliation & reporting

   • Automated daily reconciliation and a monthly compliance report for audit and RBI reporting needs.

6. Audit & eDiscovery exports

   • One-click export bundle: signed instrument, submission receipt, JSON, reconciliation report — useful for recovery teams and legal processes.

Why this matters commercially: reduced enforcement friction, fewer recovery surprises, and lower legal costs — plus stronger competitive positioning on structured/refinanced credit products.

Common mistakes & how to avoid them

• Treating CERSAI as a ‘one-off’ filing. Fix: integrate into loan workflow so registration is default, not manual.

• Missing source-of-fund fields in refinance chains. Fix: create a source-entity master and contractual obligations to provide CERSAI IDs.

• DSC mismanagement (lost tokens, staff change). Fix: DSC lifecycle and vaulting.

Quick FAQ

Q — Is CERSAI registration mandatory for all secured loans?
A — For loans where SARFAESI enforcement may be used (and for the types of security notified by the government), yes — registration is required for using SARFAESI enforcement; RBI also expects banks/FIs to register current and subsisting charges.

Q — How soon should we file?
A — Historically rules required filing within 30 days; amendments changed the enforcement and penalty regime. Practically, treat registration as immediate post-creation (many banks enforce within days) and reconcile legacy records as per RBI guidance.

Q — What documents & technical requirements are needed?
A — Signed loan/security documents, borrower KYC, property identifiers, DSC (Class-3). CERSAI portal accepts online forms and JSON/offline uploads.

Sources & further reading

• RBI circular: Filing of Security Interest relating to Immovable (other than equitable mortgage), Movable and Intangible Assets in CERSAI (Dec 27, 2018) — includes types of security interests and RBI deadline for subsisting records.

• CERSAI official portal (About / Entity Registration / FAQs) — portal guidance, JSON/offline upload and entity registration steps. 

• SARFAESI (Central Registry) Rules, 2011 — statutory rules that set out filing forms and historic timelines. 

• Vinod Kothari (deep legal/technical commentary on CERSAI & amendments). Useful for complex legal interpretation. 

• IndiaLaw LLP (June 11, 2025) — notice on mandatory source-of-fund fields added to CERSAI filings (operational impact).