Compliance Risk Assessment

Guidance for implementation by NBFCs

Subhojit Shome, Assistant Manager | subhojit@vinodkothari.com

Introduction

The RBI published the Compliance Function and Role of Chief Compliance Officer (CCO) – NBFCs[1] on April 11, 2022 (‘Compliance Circular’), which is applicable to Middle Layer (NBFC-ML) and Upper Layer (NBFC-UL) NBFCs. The deadline to put the framework for this function in place falls due on October 1, 2023 for NBFC-ML and April 1, 2023 for NBFC-UL entities.

The circular brings up the significant aspect of Compliance Risk, a concept that has long been relevant for Banks[2] and now becomes applicable to the specified NBFCs as well. The Compliance Circular defines Compliance Risk as follows:

‘the risk of legal or regulatory sanctions, material financial loss or loss of reputation an NBFC may suffer, as a result of its failure to comply with laws, regulations, rules and codes of conduct, etc., applicable to its activities.’

Hence, Compliance Risk goes beyond the fines and penalties that may arise from compliance irregularities, and the Compliance Function needs to consider the entire gamut of adverse events to which a company may be exposed as a result of compliance failures. These may include events with extreme impact, such as suspension of business operations or loss of reputation as a result of enforcement action against senior management.

As a crucial step towards anticipating such risks and putting the necessary mitigation measures in place, the Circular mandates an effective compliance risk assessment framework and requires senior management to review such assessment annually.

Compliance Risk Assessment Process

As part of the overall Compliance Function, the company should put in place a compliance risk assessment methodology. Such a methodology should ensure that an assessment is carried out for each of the company’s lines of business/ products (digital lending, SME loans, etc.) and support functions (e.g. information technology department, human resources, etc.). In this regard, the compliance team should compile the universe of compliances applicable to the NBFC, including fair practice codes and industry and accounting standards, and identify the compliance failures that may take place (e.g. inadequate KYC, mis-selling, etc.), i.e. the risk events, and the source of such risks (e.g. operational, management, organisational, regulatory environment, etc.).

We have provided a summarised depiction of the broad methodology in Figure 1.

Figure 1. Compliance Risk Assessment Methodology

Compliance Risk Assessment Report

The goal of the assessment is that adequate risk mitigation measures are put in place by senior management. It is, hence, important that a concise report be presented to them, highlighting the areas that need attention and the recommended mitigation plans.

Such a report should reflect the compliance risk profile of the NBFC and the change in that risk profile over time. The report may make use of data representations (along with relevant commentary); we have provided some illustrative infographics in Figures 2, 3 and 4.

Figure 2: How is the Compliance Risk Spread across the Organisation (illustrative)

Figure 3: Compliance risk score over time – in a narrow range (illustrative)

Figure 4: Compliance risk score over time – spike during FY (illustrative)

Conclusion

As per the RBI Compliance Circular, ‘Compliance Function shall ensure strict observance of all statutory and regulatory requirements for the NBFC, including standards of market conduct, managing conflict of interest, treating customers fairly and ensuring the suitability of customer service.’

It is essential that an NBFC has an adequate structure in place (refer to our write-up – here) to ensure this, and the CCO and the Compliance Department play a vital role in this structure by ensuring that significant risks get highlighted and adequate internal control measures get put in place.


[1] https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT244C25EB0BBB1E4F91AEB101D425EA639A.PDF

[2] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=3433&Mode=0
