Notifies new provisions relating to Compliance Functions in Banks and lays down Role of CCO.
By:
Shaivi Bhamaria | Associate
Aanchal Kaur Nagpal | Executive
Introduction
The recent debacles in the banking/shadow banking sector have led to regulatory concerns, which are reflected in recent moves of the RBI. While development of a robust “compliance culture” has always been a point of emphasis, RBI in its Discussion Paper on “Governance in Commercial Banks in India”[1] [‘Governance Paper’] dated 11th June 2020 has dealt extensively with the essentials of the compliance function in banks. The Governance Paper, while referring to the extant norms pertaining to the compliance function in banks, viz. the RBI circulars on compliance function issued in 2007[2] [‘2007 circular’] and 2015[3] [‘2015 circular’], identified certain points for improvement.
In furtherance of the above, RBI has come up with a circular on ‘Compliance functions in banks and Role of Chief Compliance Officer’ [‘2020 Circular’] dated 11th September, 2020[4]. These new guidelines are supplementary to the 2007 and 2015 circulars and have to be read in conformity with them. However, wherever the guidance overlaps, the new circular must be followed. Along with defining the role of the Chief Compliance Officer [‘CCO’], it also introduces additional provisions to be included in the compliance policy of the bank, in an effort to broaden and streamline the processes used in the compliance function.
Generally, the compliance function is seen as being limited to laying down statutory norms; however, the importance of an effective compliance function is not unknown. It becomes all the more paramount in the case of banks, considering the critical role they play in public interest and in the economy at large. For a robust compliance system in banks, an independent and efficient compliance function becomes almost indispensable. The effectiveness of such a compliance function is directly attributable to the CCO of the bank.
Need for the circular
The compliance function in banks is governed by the guidelines specified in the 2007 and 2015 circulars. These guidelines are consistent with the report issued by the Basel Committee on Banking Supervision (BCBS Report)[5] in April, 2005.
While these guidelines specify a number of functions to be performed by the CCO, no specific instructions for his appointment were laid down. This led to banks following varied practices according to their own tailor-made standards, thus defeating the entire purpose of a CCO. Owing to this, RBI has, vide the 2020 circular, issued guidelines on the role of a CCO, in order to bring uniformity and to give due weight to the appointment of a CCO in a bank.
Background of CCOs
The designation of a CCO was first introduced by RBI in August, 1992 in accordance with the recommendations of the Ghosh Committee on Frauds and Malpractices in Banks. After almost 15 years, RBI introduced elaborate guidelines on compliance function and compliance officer in the form of the 2007 circular which was in line with the BCBS report.
According to the BCBS report:
‘Each bank should have an executive or senior staff member with overall responsibility for co-ordinating the identification and management of the bank’s compliance risk and for supervising the activities of other compliance function staff. This paper uses the title “head of compliance” to describe this position’.
Who is a CCO and how is he different from other compliance officials?
The requirement of an individual overseeing regulatory compliance is not unique to the banking sector. There are various other laws that provide for the appointment of a compliance officer. However, there is a significant difference in the role which a CCO is expected to play. The domain of a CCO is not limited to any particular law or its ancillaries; rather, it is all-pervasive. He is not only responsible for heading the compliance function, but also for overseeing the entire compliance risk[6] in the bank.
Role of a CCO in a Bank:
The predominant role of a CCO is to head the compliance function in a Bank. The 2007 circular lays down the following mandate of a CCO:
- overall responsibility for coordinating the identification and management of the bank’s compliance risk and supervising the activities of other compliance function staff.
- assisting the top management in managing effectively the compliance risks faced by the bank.
- nodal point of contact between the bank and the RBI
- approving compliance manuals for various functions in a bank
- reporting the findings of investigations of various departments of the bank at frequent intervals,
- participate in the quarterly informal discussions held with RBI.
- putting up a monthly report on the position of compliance risk to the senior management/CEO.
- the audit function should keep the Head of compliance informed of audit findings related to compliance.
The 2020 circular adds the following responsibilities of the CCO:
- Design and maintenance of compliance framework,
- Training on regulatory and conduct risks,
- Effective communication of compliance expectations
Selection and Appointment of CCO:
The 2007 circular is ambiguous on the qualifications, roles and responsibilities of the CCO. In certain places the CCO is referred to as the Chief Compliance Officer, while in other places the words “compliance officer” are used. This led to difficulty in the interpretation of aspects revolving around a CCO. However, the new circular gives a clear picture of the expectations of RBI from banks in respect of a CCO. These have been listed below:
| Basis | 2020 circular | 2007 circular |
|---|---|---|
| Tenure | Minimum fixed tenure of not less than 3 years | The compliance officer should be appointed for a fixed tenure |
| Eligibility criteria for appointment as CCO | The CCO should be a senior executive of the bank, preferably in the rank of a General Manager or an equivalent position (not below two levels from the CEO). | The compliance department should have an executive or senior staff member of a cadre not less than the rank of DGM or equivalent, designated as Group Compliance Officer or Head of Compliance. |
| Age | 55 years | No provision |
| Experience | Overall experience of at least 15 years in banking or financial services, out of which a minimum of 5 years shall be in the Audit / Finance / Compliance / Legal / Risk Management functions. | No provision |
| Skills | Good understanding of the industry and risk management, knowledge of regulations and the legal framework, and sensitivity to supervisors’ expectations | No provision |
| Stature | The CCO shall have the ability to independently exercise judgement. He should have the freedom and sufficient authority to interact with regulators/supervisors directly and ensure compliance. | No provision |
| Additional condition | No vigilance case or adverse observation from RBI shall be pending against the candidate identified for appointment as the CCO. | No provision |
| Selection* | (1) A well-defined selection process is to be established. (2) The Board must constitute a selection committee consisting of senior executives. (3) The CCO shall be appointed based on the recommendations of the selection committee. (4) The selection committee must recommend the names of candidates suitable for the post, ranked in order of merit. (5) The Board takes the final decision on the appointment of the CCO. | No provision |
| Review of performance appraisal | The performance appraisal of the CCO should be reviewed by the Board/ACB | No provision |
| Reporting lines | The CCO will have direct reporting lines to the following: (1) MD & CEO and/or (2) Board or Audit Committee | No provision |
| Additional reporting | In case the CCO reports to the MD & CEO, the Audit Committee of the Board is required to meet the CCO quarterly on a one-to-one basis, without the presence of senior management including the MD & CEO. | No provision |
| Reporting to RBI | (1) Prior intimation is to be given to RBI in case of appointment or premature transfer/removal of the CCO. (2) A detailed profile of the candidate, along with a fit and proper certification by the MD & CEO of the bank confirming that the person meets the supervisory requirements, and a detailed rationale for any changes, is to be submitted along with the intimation. | No provision |
| Prohibitions on the CCO | (1) Prohibition on having a reporting relationship with business verticals. (2) Prohibition on giving business targets to the CCO. (3) Prohibition on becoming a member of any committee which brings the role of the CCO into conflict with his responsibility as a member of that committee. Further, the CCO cannot be a member of any committee dealing with purchases / sanctions; if the CCO is a member of such a committee, he may play only an advisory role. | No provision |
*The Governance Paper had proposed that the Risk Management Committee of the Board would be responsible for the selection, oversight of performance (including performance appraisals) and dismissal of a CCO. Further, any premature removal of the CCO would require prior Board approval. [Para 9(6)] The 2020 circular goes one step further by requiring a selection committee for the selection of a CCO.
Dual Hatting
Prohibition of dual hatting is already applicable to the Chief Risk Officer (‘CRO’) of a bank. The same has now also been implemented in the case of a CCO.
Hence, the CCO cannot be given any responsibility which gives rise to a conflict of interest, especially roles relating to business. However, roles where there is no direct conflict of interest, for instance that of anti-money laundering officer, can be performed by the CCO. In such cases, the principle of proportionality in terms of the bank’s size, complexity, risk management strategy and structures should justify such a dual role. [para 2.11 of the 2020 circular]
Role of the Board in the Compliance function
Role of the Board
The bank’s Board of Directors is responsible overall for overseeing the effective management of the bank’s compliance function and compliance risk.
Role of MD & CEO
The MD & CEO is required to ensure the presence of an independent compliance function and adherence to the compliance policy of the bank.
Authority:
The CCO and compliance function shall have the authority to communicate with any staff member and have access to all records or files that are necessary to enable him/her to carry out entrusted responsibilities in respect of compliance issues.
Compliance policy and its contents
The 2007 circular required banks to formulate a Compliance Policy, outlining the role and set up of the Compliance Department.
The 2020 circular has laid down additional points that must be covered by the Compliance Policy. In some aspects, the 2020 circular provides further measures to be taken by banks, whereas in others, fresh points have been introduced to be covered in the compliance policy. These have been highlighted below:
1. Compliance philosophy: The policy must highlight the compliance philosophy and expectations on compliance culture covering:
- tone from the top,
- accountability,
- incentive structure
- Effective communication and Challenges thereof
2. Structure of the compliance function: The structure and role of the compliance function and the role of CCO must be laid down in the policy
3. Management of compliance risk: The policy should lay down the processes for identifying, assessing, monitoring, managing and reporting on compliance risk throughout the bank.
These processes should adequately reflect the size, complexity and compliance risk profile of the bank and the expectations on ensuring compliance with all applicable statutory provisions, rules and regulations, various codes of conduct and the bank’s own internal rules, policies and procedures, and must create a disincentive structure for compliance breaches.
4. Focus Areas: The policy should lay special thrust on:
- building up compliance culture;
- vetting of the quality of supervisory / regulatory compliance reports to RBI by the top executives, non-executive Chairman / Chairman and ACB of the bank, as the case may be.
5. Review of the policy: The policy should be reviewed at least once a year
Quality assurance of compliance function
Vide the 2020 circular, RBI has introduced the concept of quality assurance of the compliance function. Banks are required to develop and maintain a quality assurance and improvement programme covering all aspects of the compliance function.
The quality assurance and improvement program should be subject to independent external review at least once in 3 years. Banks must include in their Compliance Policy provisions relating to quality assurance.
Thus, this would ensure that the compliance function of a bank is not just a bunch of mundane and outdated systems but is improved and updated according to the dynamic nature of the regulatory environment of a bank.
Responsibilities of the compliance function
In addition to the role of the compliance function under the compliance process and procedure as laid down in the 2007 circular, the 2020 circular has laid down the below-mentioned duties and responsibilities of the compliance function:
- To apprise the Board and senior management on regulations, rules and standards and any further developments.
- To provide clarification on any compliance related issues.
- To conduct assessment of the compliance risk (at least once a year) and to develop a risk-oriented activity plan for compliance assessment. The activity plan should be submitted to the ACB for approval and be made available to the internal audit.
- To report promptly to the Board/ Audit Committee/ MD & CEO about any major changes / observations relating to the compliance risk.
- To periodically report on compliance failures/breaches to the Board/ACB and to circulate them to the concerned functional heads.
- To monitor and periodically test compliance by performing sufficient and representative compliance testing. The results of the compliance testing should be placed before the Board/Audit Committee/MD & CEO.
- To examine sustenance of compliance as an integral part of compliance testing and annual compliance assessment exercise.
- To ensure compliance with supervisory observations made by RBI and/or any other directions, in both letter and spirit, in a time-bound and sustainable manner.
Actionables by Banks:
[1] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=49937
[2] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=3433&Mode=0
[3] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=9598&Mode=0
[4] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11962&Mode=0
[5] https://www.bis.org/publ/bcbs113.pdf
[6] According to the BCBS report, “compliance risk is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities”.