Control functions in banks: RBI proposes Consolidation exercise

  • Payal Agarwal, Partner | corplaw@vinodkothari.com
Draft proposals provide definitional and role clarity, highlighting a comprehensive overhaul of control and assurance functions for banks with unified appointment standards, enhanced Board oversight, and proportional relaxations for specific categories.

Highlights:

  • Standardised definitions;
  • Unified framework for CRO/CCO/HIA;
  • Optional group CRO/CCO;
  • Periodic external review mandated for NBFC-UL;
  • Flexibility on eligibility criteria for CRO/CCO/HIA;
  • Reporting lines clarified;
  • Foreign banks: “Comply or explain” relaxation;
  • Quarterly Board meetings without Senior Management;
  • CRO credit committee role;
  • Dual-hatting ambiguity;
  • Enhancement of compliance function.

In line with the consolidation exercise undertaken by the RBI last year for the circulars pertaining to the Department of Regulation (DoR), the RBI announced in its 8th April Statement on Developmental and Regulatory Policies the consolidation of its supervisory instructions. Following this, draft Directions were issued. Further, to consolidate the instructions issued by the RBI on control functions, viz., compliance, risk management and internal audit, the RBI issued draft Governance Directions on 10th June, 2026.

Note that, while the press release refers to ‘Harmonisation and Consolidation of Instructions on Control / Assurance Functions’, the draft Directions go beyond a simple consolidation exercise and include some changes as compared to the existing circulars of DoS and DBS. The key changes for commercial banks are discussed below. For NBFCs, refer to our article here.

Key Proposals under Draft Directions

  • Important concepts defined: The draft Directions contain definitions of various relevant concepts in relation to control and assurance functions.
  • Instructions for CRO, CCO and HIA aligned: The draft Directions provide a common set of instructions, eligibility criteria, appointment conditions, reporting lines etc. for each of the three heads of the relevant control and assurance functions, viz., Chief Risk Officer (CRO), Chief Compliance Officer (CCO) and Head of Internal Audit (HIA).
  • Group level oversight of CRO and CCO: For banks that are part of a group consisting of more than one financial entity, a Group CRO (GCRO) and Group CCO (GCCO) may be appointed for group-level risk oversight/compliance and co-ordination. This is not a mandatory requirement but may be adopted as a part of group-level control and assurance functions.
  • Periodic external review of control functions: For benchmarking of practices and strengthening the effectiveness of the functions, the draft Directions require the risk management function and the Quality Assurance and Improvement Program (QAIP) of the compliance and internal audit functions to undergo periodic external review. In the case of NBFCs, external review is proposed to be mandated for the risk management function only, and limited to NBFC-UL entities.
  • Eligibility conditions to be determined by internal policy: The draft Directions omit conditions on the minimum number of years of experience and age limitations for appointment of the CRO, CCO and HIA. The September, 2020 circular of the RBI on Compliance functions in banks and Role of Chief Compliance Officer (CCO) currently requires the CCO to have an overall experience of at least 15 years (including 5 years in audit function) and an age limit of 55 years. The draft Directions require adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity and risk profile of the bank, and age as prescribed in the internal policy of the bank.
  • Employer-employee relationship mandatory: The draft Directions clarify that consultants, advisors, part-time auditors or individuals who are neither on the rolls of the bank/group entity nor have any contractual employer-employee relationship with the bank/group entity shall not be appointed/designated as CRO, CCO or HIA or Group CRO/CCO.
  • Clarification on reporting lines: The draft Directions make a distinction between administrative and functional reporting lines, viz., administrative reporting to the MD & CEO and functional reporting to the board/board committee.
  • Comply or explain approach for foreign banks: In the case of foreign banks, a relaxation is proposed by making the instructions on control and assurance functions applicable on a “comply or explain” basis, thus allowing deviations from the requirements, subject to submission of a reasonable explanation for prior approval of DoS, RBI.

Omission of “dual hatting” restriction: can the same person be appointed as CCO or CRO and HIA? 

The draft Directions seem to have omitted the “dual hatting” restrictions, although they require each of the three designates to be “independent of business lines, free from conflicts of interests…”. The internal audit function, headed by the HIA, is required to carry out an independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., providing assurance across the entire organisation. Hence, it would be counter-intuitive to suggest that the HIA can head the compliance or risk management functions while being responsible for providing independent assurance on the same.

Some of our resources on Compliance, Risk Management and Internal Audit functions: 
