Enhanced Corporate Governance and Compliance Function for larger NBFCs

– Anita Baid, Vice President | finserv@vinodkothari.com

RBI has been concerned with regulatory arbitrage posing systemic risk in the NBFC sector. In order to align the regulatory provisions with the objective of preserving financial stability and reducing systemic risk, a Scale Based Regulation (SBR) framework has been introduced, effective from October 1, 2022. The SBR is a calibrated and graded regulatory framework, proportional to the systemic significance of NBFCs.

In line with the above, the corporate governance structure of an NBFC also needs to be adequately enabled and made sufficiently independent so that it can ensure strict observance of all statutory and regulatory provisions. To ensure an effective compliance culture, the RBI has therefore proposed an independent corporate compliance function and a strong compliance risk management programme, along with the appointment of a functionally independent Chief Compliance Officer (CCO), who should be sufficiently senior in the organisational hierarchy.

The requirement of an individual overseeing regulatory compliance is not unique and there are various other laws that provide for the appointment of a compliance officer. However, the proposed domain of CCO is not limited to any particular law or its ancillaries, rather, it is all pervasive. The CCO shall not only be responsible for heading the Compliance Function, but also overseeing the entire compliance risk in the NBFC.

Applicability- to whom and from when

The timeline for implementation has been prescribed as April 1, 2023 and October 1, 2023 for NBFC-Upper Layer and NBFC-Middle Layer, respectively.

The RBI has issued detailed regulation in this regard, which states that the Framework has to be placed before the immediate next meeting of the Board of Directors for information, and for devising an implementation strategy, under the Board’s supervision, in a time-bound manner.

Immediate Actionables

In accordance with the Framework for Compliance Function and Role of Chief Compliance Officer in NBFCs in Upper Layer and Middle Layer (‘Framework’), NBFC-UL and NBFC-ML are required to put in place (a) a Board approved policy; and (b) a Compliance Function, including the appointment of a Chief Compliance Officer (CCO), based on the Framework, latest by April 1, 2023 in the case of UL and October 1, 2023 in the case of ML (Implementation Date). In order to achieve the same by the Implementation Date, NBFCs in the ML and UL are required to place an implementation strategy before their forthcoming board meeting.

The immediately upcoming board meeting for most listed NBFCs shall be held by the middle of May, 2022. Therefore, NBFCs will need to start preparing an implementation plan for implementing the Framework by the Implementation Date. It is obviously neither expected nor feasible that there will be any tangible achievement within or at the next board meeting; however, the pathway to implementation should preferably be laid out in the immediately forthcoming board meeting.

This Board Meeting should consider the following agenda:

Compliance Policy

The Board has to identify the team responsible for review and making amendments to the existing Corporate Governance Policy or drafting a new Compliance Policy taking into account the NBFC’s corporate governance framework, the scale of operations, risk profile and organizational structure, etc.

The Compliance Policy shall clearly spell out the NBFC’s compliance philosophy, expectations on compliance culture, the structure and role of the compliance function, the role of the CCO, and the processes for identifying, assessing, monitoring, managing, and reporting on compliance risk. The Policy shall be reviewed at least once a year.

The draft of the said Policy shall be approved by the Board before April 1, 2023 or October 1, 2023, as the case may be. Based on the delegation of responsibility, the Board shall prescribe the timelines for approval and adoption of the Policy.

Review of Compliance Risk

The Board shall decide and prescribe the periodicity for review of compliance risk by the Board or Audit Committee (not less than once in a year).

The review of compliance risk shall be carried out by the Senior Management, to identify and assess the major compliance risks facing the NBFC and formulate plans to manage them. Thereafter, it shall be submitted to the Board / Audit Committee along with a detailed annual review of compliance.

The coverage of the review shall be as per the Framework.

Further, it shall be ensured that compliance risk is included in the risk assessment framework of the Internal Audit Function, and Compliance Function is also subjected to regular internal audit. Accordingly, the scope of Internal Audit Function shall include compliance risk assessment.

The CCO shall be kept informed of audit findings related to compliance, which shall serve as a feedback mechanism for assessing the areas of compliance failures.

Annual Compliance Assessment

As discussed above, the review of compliance risk is to be carried out by the Senior Management; the periodicity of this exercise is to be decided by the Board, but it must be done at least once a year. Thereafter, the report of the aforesaid review shall be submitted to the Board / Audit Committee at the prescribed periodicity, and a detailed annual review of compliance shall mandatorily be carried out.

This annual review, to be carried out by the Senior Management, shall ensure coverage of at least the following aspects. The process flow of the Compliance Risk Assessment shall be as follows:

  1. Identification and listing of the compliance failures that occurred during the review period; this would include lapses in the areas of regulatory/statutory, legal, accountancy, risk management, information technology, etc.;
  2. Specifying the consequential losses and regulatory action taken for the respective compliance failures;
  3. Listing the steps that have been taken to avoid recurrence of the aforesaid compliance failures;
  4. Listing all major regulatory guidelines issued during the review period;
  5. Listing the steps taken, and identifying the department, committee or personnel responsible, to ensure compliance with the major regulatory amendments;
  6. Review of the practices followed by the NBFC as per the adopted fair practices code;
  7. Review of the practices followed by the NBFC as per the standards set by self-regulatory bodies and accounting standards, to the extent applicable to the NBFC;
  8. Listing of significant deficiencies pointed out in various audits and RBI inspection reports;
  9. Review of the progress in the rectification of the aforesaid deficiencies and the implementation of recommendations.

Role of Senior Management

The Board has to prescribe the role and responsibilities of the Senior Management, as per the Framework. This would include carrying out an exercise, at least once a year, to identify and assess the major compliance risks facing the NBFC and formulate plans to manage them.

The report of the aforesaid review shall be submitted to the Board / Audit Committee at the prescribed periodicity, along with a detailed annual review of compliance. Further, the Senior Management shall report promptly to the Board / Audit Committee on any material compliance failure, while ensuring that appropriate remedial or disciplinary action is taken.

Compliance Function

The Compliance Function is the sum total of the systems, procedures and organisational infrastructure which ensures the following:
(a) Observance of all statutory and regulatory requirements
(b) Standards of market conduct
(c) Systems for managing conflicts of interest
(d) Dealing with customers fairly
(e) Ensuring suitability of customer service

The Board shall adopt an organizational structure for the Compliance Function or prescribe a timeline to finalise the same. In this regard, the existing compliance team shall be evaluated against the requirements under the Framework. In case there are separate departments / divisions looking after compliance with different statutory and other requirements, the departments concerned shall hold the prime responsibility for their respective areas, which shall be clearly outlined. Adherence to applicable statutory provisions and regulations would be the responsibility of each staff member. However, the Compliance Function would need to ensure overall oversight.

The Compliance Function shall include staff with basic qualifications and practical experience in business lines / audit & inspection functions. It shall have adequate staff members with knowledge of statutory / regulatory prescriptions, law, accountancy, risk management, information technology, etc. Appropriate succession planning shall be ensured to avoid any future skill gap. The Compliance Function shall be independent and sufficiently resourced, its responsibilities shall be clearly specified, and its activities shall be subject to periodic and independent review.

One of the prime responsibilities of the Compliance Function is to ensure compliance of regulatory/ supervisory directions given by RBI in both letter and spirit in a time-bound and sustainable manner. RBI will continue to expect an effective Compliance Program where all Risk Mitigation Plan (RMP)/Monitorable Action Plan (MAP) points are complied with within the timelines prescribed.

The aim of supervisory follow-up would be to ensure that NBFCs take corrective action in time to remedy or mitigate any significant risks that have been identified during the supervisory process. The major device in this respect would be the MAP. MAPs will include actions to be taken by the NBFC, remedial actions that would be outlined would be tied explicitly to the areas of high risks identified in the risk profiling as well as the supervisory process and should lead to improvements in the systems and controls environment. Key individuals/departments would have to be made accountable for each of the action points. If actions and timetable set out in the MAP are not met, or there is unsatisfactory compliance with RMP/MAP, the same may invite penal action from RBI.

Another question that comes up is: how large should the Compliance Function be? The answer will lie in the organisational needs of the NBFC. Compliance cannot be imposed disproportionately to the needs of the entity. It is important to bear in mind the principle of proportionality, which is stated in para 2 of the RBI Circular.

Can the compliance function be outsourced?

The simple answer should be in the negative. Compliance is a part of the core risk management function of the entity; the question of outsourcing it does not arise. However, specific tasks – for example, preparation of a compliance framework, policy, checklist, or periodical review, etc. – may be outsourced. The following extract from the Basel document is relevant: “Compliance should be regarded as a core risk management activity within the bank. Specific tasks of the compliance function may be outsourced, but they must remain subject to appropriate oversight by the head of compliance.”

Compliance Function Vs Compliance Department

Is it the intent of the regulator that there be a separate department within the entity called the compliance department, or is it the function that is more relevant? The spirit of the compliance framework lies in compliance being a focused function. Hence, the exact designation or nomenclature does not matter. Para 6 of the Basel standard says: “The expression “compliance function” is used in this paper to describe staff carrying out compliance responsibilities; it is not intended to prescribe a particular organisational structure.” The RBI also states: “NBFCs are free to adopt their own organizational structure for the Compliance Function. However, the function shall be independent and sufficiently resourced, its responsibilities shall be clearly specified, and its activities shall be subject to periodic and independent review.” Further, para 34 of the Basel document clarifies: “Not all compliance responsibilities are necessarily carried out by a “compliance department” or “compliance unit”. Compliance responsibilities may be exercised by staff in different departments.” In short, what the regulator requires is a “compliance function” and not necessarily a “compliance department” housed as such within the organisational structure.

Appointment and Functions of CCO

The Board shall lay down a well-defined selection process and constitute, or prescribe a timeline for the constitution of, a committee for the selection of the candidate for the post of Chief Compliance Officer, as head of the Compliance Function.

The Board / Audit Committee shall take the final decision on the selection and appointment of the CCO, based on the well-defined selection process and the recommendations made by the committee. The appointment must be ensured before the Implementation Date. The qualifications and requirements to be satisfied by the CCO shall be as per the Framework. The CCO shall be a senior executive of the NBFC with a position not below two levels from the CEO, appointed for a minimum fixed tenure of not less than 3 years. If the NBFC considers it necessary, the CCO can also be recruited from the market.

A prior intimation (along with detailed profile of the candidate and the ‘Fit and Proper’ certification by the MD & CEO) to the Senior Supervisory Manager, Department of Supervision, Reserve Bank of India, shall be provided before appointment.

Role of CCO

As per the Framework, an indicative list of the roles / functions of the CCO is as follows:

  1. Head the Compliance Function
    1. Supervise the activities of other Compliance Function staff
    2. Approve compliance manuals for various functions
  2. Overall responsibility for coordinating the identification and management of compliance risk
    1. Obtain information on audit findings related to compliance
    2. Communicate with staff members and have access to all records or files in respect of compliance issues
    3. Periodically report on the position of compliance risk to the Senior Management
    4. Assist the Senior Management in effectively managing the compliance risks faced by the NBFC
  3. Act as the nodal point of contact between the NBFC and the RBI
    1. Interact with regulators / supervisors directly and ensure compliance
    2. Participate in structured or regular discussions held with the RBI

The CCO shall generally not be a member of any committee whose membership would conflict with her / his role as CCO, including any committee dealing with purchases / sanctions. In case the CCO is a member of any such committee, it should only be in an advisory role.

At the same time, it is expected that the CCO should be a member of the “new products committee”, and all new products should be under the surveillance of the CCO for at least 6 months after introduction. What are the new products being talked about? A product is, appropriately in context, an asset side product (for example, a pay day loan, or a vendor credit facility) which is introduced by the entity. These new products may have regulatory challenges, as well as issues relating to fair practices, customer service, etc. Therefore, these products should have the sign-off of the CCO. The reference to a “new product committee” in para 5.1 (ii) does not signal that the regulator expects such a committee to exist; rather, the intent is that the introduction of new products must have adequate involvement of the CCO.

Manning the Compliance Function

The Framework is applicable to all ML and UL entities. It is not difficult to appreciate that many of the ML entities may have crossed the asset size of Rs 1000 crores, while the real buzz of activity may be scanty. Further, many NBFCs do not have a regular customer interface, particularly in the case of investment-focused entities. Therefore, it may not be possible for such an NBFC to put in place a dedicated CCO who attends to the compliance function only.

There are compliances required under various other laws. For example, every company has to have a company secretary, who, as per sec. 205 (1) (a) of the Companies Act, 2013, is also responsible for the compliance function. Listed entities are required by SEBI to have a compliance officer, who is mostly the company secretary. Hence, the question arises: can the CS or Compliance Officer under the listing regulations also be the CCO under the Framework? The key lies in the following words from the Framework: “CCO shall not be given any responsibility which brings elements of conflict of interest, especially any role relating to business.” These words clarify what dual hatting is: merely having two functions is not dual hatting. Dual hatting arises when one single person is responsible for business as well as for compliance. The intent becomes clear from the following para of the Basel document on Compliance and the Compliance Function in Banks: “The independence of the head of compliance and any other staff having compliance responsibilities may be undermined if they are placed in a position where there is a real or potential conflict between their compliance responsibilities and their other responsibilities. It is the preference of the Committee that compliance function staff perform only compliance responsibilities. The Committee recognises, however, that this may not be practicable in smaller banks, smaller business units or in local subsidiaries. In these cases, therefore, compliance function staff may perform non-compliance tasks, provided potential conflicts of interest are avoided” [para 28 of Basel Committee on Banking Supervision, Compliance and the compliance function in banks][1]. The principle from which this requirement emerges is the principle of independence. Since a company secretary also ensures compliance with corporate laws, we see no conflict in the company secretary handling the compliance function under the Framework as well.

Fit and Proper Criteria

The Fit and Proper criteria shall be examined based on the requirements spelt out in the Framework:

Tenure: Minimum fixed tenure of not less than 3 years.
Transfer / Removal: Only in exceptional circumstances, with the explicit prior approval of the Board / Audit Committee, after following a well-defined and transparent internal administrative procedure.
Ranking: A senior executive of the NBFC with a position not below two levels from the CEO (in the case of NBFCs-ML, this requirement can be relaxed by one level further).
Skills: Good understanding of the industry and risk management practices, knowledge of regulations and legal requirements, and sensitivity to supervisory expectations.
Stature: The CCO shall have the ability to exercise judgment independently, and shall have the freedom and authority to interact with regulators / supervisors directly and ensure compliance.
Conduct: The CCO shall have a clean track record and unquestionable integrity.
Reporting Line: The CCO shall have direct reporting lines to the MD & CEO and / or the Board / Audit Committee. The CCO shall not have any reporting relationship with the business verticals.

Who should the CCO report to?

In terms of organisational structure, it will be acceptable for the CCO to report to such person as the entity may determine. However, the CCO must be independent, and where the CCO comes across deviations / exceptions, the CCO should be able to report them either to the Board or to the Audit Committee. [VKC comment: In our view, the reporting by the CCO should more appropriately have been to the Risk Committee, if any, because compliance is a risk that falls under the Risk Committee.]


[1] https://www.bis.org/publ/bcbs113.pdf

Our resources on SBR: https://vinodkothari.com/sbr/
