RBI/2022-23/24
Ref.No.DoS.CO.PPG./SEC.01/11.01.005/2022-23

April 11, 2022

The Chairman / Managing Director / Chief Executive Officer
All Non-Banking Financial Companies

Madam / Dear Sir,

Compliance Function and Role of Chief Compliance Officer (CCO) - NBFCs

Please refer to the Reserve Bank’s guidelines on ‘Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs’ issued vide Circular Ref.DOR.CRE. REC.No.60/03.10.001/2021-22 dated October 22, 2021¹. As indicated therein, Non-Banking Financial Companies in the Upper Layer (NBFC-UL) and Middle Layer (NBFC-ML) would be required, inter alia, to have an independent Compliance Function and a Chief Compliance Officer (CCO). Accordingly, this Circular shall be applicable to all NBFC-UL and NBFC-ML. NBFCs in the Base Layer (NBFC-BL) shall continue to be governed under the existing guidelines².

2. As part of the overall structure for Corporate Governance, Compliance Function serves a critical role. Accordingly, it has been decided to introduce certain principles, standards and procedures for Compliance Function in NBFC-UL and NBFC-ML, keeping in view the principles of proportionality.

3. NBFC-UL and NBFC-ML shall put in place a Board approved policy and a Compliance Function, including the appointment of a Chief Compliance Officer (CCO), based on the Framework given in the Annex, latest by April 1, 2023 and October 1, 2023, respectively.

4. This Circular shall be placed in the immediate next meeting of the Board of Directors for information and devising an implementation strategy, under the Board’s supervision, in a time-bound manner.

Yours faithfully,

(Arnab Kumar Chowdhury)
Chief General Manager-In-Charge

Encl.: Annex

Annex

Framework for Compliance Function and Role of Chief Compliance Officer in Non-Banking Financial Companies in Upper Layer and Middle Layer (NBFC-UL & NBFC-ML)

1. Introduction

The Compliance Function is an integral part of effective governance, along with the internal control and risk management processes. The NBFCs in Upper Layer and Middle Layer shall treat the prescriptions in the Circular as a set of minimum guidelines only and accordingly frame their guidelines taking into account their corporate governance framework, the scale of operations, risk profile and organizational structure, etc.

2. Compliance Risk

Compliance risk is 'the risk of legal or regulatory sanctions, material financial loss or loss of reputation an NBFC may suffer, as a result of its failure to comply with laws, regulations, rules and codes of conduct, etc., applicable to its activities.

3. Scope and Coverage of Compliance Function

Compliance Function shall ensure strict observance of all statutory and regulatory requirements for the NBFC, including standards of market conduct, managing conflict of interest, treating customers fairly and ensuring the suitability of customer service.

4. Responsibility of the Board and Senior Management

4.1 The Board / Board Committee³ shall ensure that an appropriate Compliance Policy is put in place and implemented. Further, the Board / Board Committee shall prescribe the periodicity for review of Compliance risk.

4.2 The Senior Management shall:

1. carry out an exercise, at least once a year, to identify and assess the major Compliance risk facing the NBFC and formulate plans to manage it;

2. submit to the Board / Board Committee a review at the prescribed periodicity and a detailed annual review of Compliance; and

3. report promptly to the Board / Board Committee on any material Compliance failure while ensuring that appropriate remedial or disciplinary action is taken.

5. Responsibilities of Compliance Function

5.1 Compliance Function shall be responsible for undertaking the following activities at the minimum:

1. Assist the Board and the Senior Management in overseeing the implementation of Compliance Policy, including policies and procedures, prescriptions in Compliance Manuals, internal codes of conduct, etc.

2. Play the central role in identifying the level of Compliance risk in the organisation. The Compliance risks in existing / new products and processes shall be analysed and appropriate risk mitigants put in place. The Chief Compliance Officer (CCO) shall be a member of the 'new product' committee/s. All new products shall be subjected to intensive monitoring for at least the first six months of introduction to ensure that the indicative parameters of Compliance risk are adequately monitored.

3. Compliance Function shall monitor and test Compliance by performing sufficient and representative Compliance testing, and the results of such Compliance testing shall be reported to the Senior Management. It shall periodically circulate the instances of compliance failures among staff, along with the required preventive instructions. Staff accountability shall be examined for major Compliance failures.

4. Ensure compliance of regulatory/ supervisory directions given by RBI in both letter and spirit in a time-bound and sustainable manner. RBI will continue to expect an effective Compliance Program where all Risk Mitigation Plan (RMP) / Monitorable Action Plan (MAP) points are complied with within the timelines prescribed. Unsatisfactory compliance with RMP/MAP may invite penal action from RBI.

5. Attend to compliance with directions from other regulators in cases where the activities of the entity are not limited to the regulation/supervision of RBI. Further, discomfort conveyed to the NBFC on any issue by other regulators, and action taken by any other authorities / law enforcement agencies, shall be brought to the notice of RBI.

6. The Compliance Department may also serve as a reference point for the staff from operational departments for seeking clarifications / interpretation of various regulatory and statutory guidelines.

5.2 The CCO shall be the nodal point of contact between the NBFC and the regulators / supervisors and shall necessarily be a participant in the structured or other regular discussions held with RBI. Further, compliance to RBI inspection reports shall be communicated to RBI necessarily through the office of the Compliance Function.

5.3 In some NBFCs, there may be separate departments / divisions looking after compliance with different statutory and other requirements. In such cases, the departments concerned shall hold the prime responsibility for their respective areas, which shall be clearly outlined. Adherence to applicable statutory provisions and regulations is the responsibility of each staff member. However, the Compliance Function would need to ensure overall oversight.

6. Broad Contours of Compliance Framework in NBFCs

A. Compliance Policy

a. The NBFC shall lay down a Board-approved Compliance Policy clearly spelling out its Compliance philosophy, expectations on Compliance culture, structure and role of the Compliance function, the role of CCO, processes for identifying, assessing, monitoring, managing, and reporting on Compliance risk. The Policy shall be reviewed at least once a year.

b. Broadly, the Policy shall ensure coverage of the following aspects:

1. Measures to ensure the independence of the Compliance function and its right to freely disclose findings and views to senior management, Board / Board Committee;

2. Focus on various regulatory and statutory Compliance requirements;

3. Monitoring mechanism for the Compliance testing procedure;

4. Reporting requirements, including Compliance risk assessment and change in risk profile, etc. to the Senior Management and to the Board / Board Committee;

5. The authority of the Compliance Function to have access to information as specified in Part D below;

6. A mechanism for dissemination of information on regulatory prescriptions and guidelines among staff and periodic updating of operational manuals; and

7. The approval process for all new processes and products by the Compliance Department, prior to their introduction.

B. Compliance Structure

The Compliance Department shall be headed by the Chief Compliance Officer, meeting the requirements prescribed in this Circular. NBFCs are free to adopt their own organizational structure for the Compliance Function. However, the function shall be independent and sufficiently resourced, its responsibilities shall be clearly specified, and its activities shall be subject to periodic and independent review.

C. Compliance Programme

The NBFC shall carry out an annual Compliance risk assessment in order to identify and assess major Compliance risks faced by them and prepare a plan to manage the risks. The annual review, to be carried out by the Senior Management, shall ensure coverage of at least the following aspects:

1. Compliance failures, if any, during the preceding year and consequential losses and regulatory action, as also steps taken to avoid recurrence of the same;

2. Listing of all major regulatory guidelines issued during the preceding year and steps taken to ensure compliance;

3. Compliance with fair practices codes and adherence to standards set by self-regulatory bodies and accounting standards; and

4. Progress in the rectification of significant deficiencies and implementation of recommendations pointed out in various audits and RBI inspection reports.

D. Authority

The CCO and Compliance Function shall have the authority to communicate with any staff member and have access to all records or files that are necessary to enable her / him to carry out entrusted responsibilities in respect of Compliance issues. This authority shall flow from the Compliance Policy of the NBFC.

E. Dual Hatting

i. There shall not be any 'dual hatting,' i.e., the CCO shall not be given any responsibility which brings elements of conflict of interest, especially any role relating to business. The CCO shall generally not be a member of any committee which conflicts her / his role as CCO with responsibility as a member of the committee, including any committee dealing with purchases / sanctions. In case the CCO is a member of any such committee, that would only be an advisory role.

ii. The staff in the Compliance Department shall primarily focus on Compliance Functions. However, the Compliance staff could be assigned some other duties while ensuring that there is no conflict of interest.

F. Qualifications and Staffing of Compliance Function

Apart from having staff with basic qualifications and practical experience in business lines / audit & inspection functions, Compliance Function shall have adequate staff members with knowledge of statutory / regulatory prescriptions, law, accountancy, risk management, information technology, etc. Appropriate succession planning shall be ensured to avoid any future skill gap.

G. Internal Audit & Independent Review of Compliance Function

Compliance risk shall be included in the risk assessment framework of the Internal Audit Function, and Compliance Function shall be subject to regular internal audit. The CCO shall be kept informed of audit findings related to Compliance, which shall serve as a feedback mechanism for assessing the areas of Compliance failures.

H. Supervisory Focus

Examination of Compliance rigor prevalent in the NBFC shall be a part of Reserve Bank's supervisory risk assessment process.

7. Appointment and Tenure of CCO

1. Tenure: The CCO shall be appointed for a minimum fixed tenure of not less than 3 years. However, in exceptional cases, the Board / Board Committee may relax the minimum tenure by one year, provided appropriate succession planning is put in place;

2. Removal: The CCO shall be transferred / removed before completion of the tenure only in exceptional circumstances, with the explicit prior approval of the Board / Board Committee, after following a well-defined and transparent internal administrative procedure;

3. Rank: The CCO shall be a senior executive of the NBFC with a position not below two levels from the CEO. However, in the case of NBFCs-ML, this requirement can be relaxed by one level further. If the NBFC considers necessary, the CCO can also be recruited from the market;

4. Skills: The CCO shall have a good understanding of the industry and risk management practices, knowledge of regulations, legal requirements, and have sensitivity to Supervisory expectations;

5. Stature: The CCO shall have the ability to exercise judgment independently. She / He shall have the freedom and authority to interact with regulators / supervisors directly and ensure compliance;

6. Conduct: CCO shall have a clean track record and unquestionable integrity;

7. Selection Process: Selection of the candidate for the post of the CCO shall be made based on a well-defined selection process and recommendations made by a committee constituted by the Board / Board Committee for the purpose. The Board / Board Committee shall take final decision in the appointment of CCO.

8. Reporting Requirements: A prior intimation to the Senior Supervisory Manager, Department of Supervision, Reserve Bank of India, shall be provided before appointment, premature transfer, resignation, early retirement or removal of the CCO. Such information shall be supported by a detailed profile of the candidate along with the 'Fit and Proper' certification by the MD & CEO of the NBFC, confirming that the person meets the prescribed supervisory requirements and rationale for changes, if any. 'Fit and Proper’ criteria may be examined based on the requirements spelt out in this Circular;

9. Reporting Line: The CCO shall have direct reporting lines to the MD & CEO and / or Board / Board Committee. In case the CCO reports to the MD & CEO, the Board / Board Committee shall meet the CCO at quarterly intervals on a one-to-one basis, without the presence of the senior management, including MD & CEO. The CCO shall not have any reporting relationship with the business verticals. Further, the performance appraisal of the CCO shall be reviewed by the Board / Board Committee.

¹ Section II, para 3.2.3 (g) of the Annex to the Circular delineating the ‘Framework for Scale Based Regulation for Non-Banking Financial Companies’ requires appointment of a Chief Compliance Officer.

² Ref: Master Direction - Non-Banking Financial Company - Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016; and Master Direction - Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016, as applicable.

³ ‘Board Committee’ means ‘Audit Committee of the Board’, wherever applicable under extant Regulations.