Ladies and gentlemen, a very good morning,

I am happy to be here this morning and engage with you at this forum. Keeping in view the theme of the event, I thought it would be appropriate to discuss a few issues around the risk, compliance and internal audit, collectively known as assurance functions, as they help identify and manage risks for sustainable growth of financial entities. From a regulatory and supervisory perspective too, Reserve Bank attaches utmost important to the assurance function and therefore, to ensure that there is alignment between our perspectives and to communicate our expectations, we feel a continuing dialogue on this issue is extremely important.

Before we delve into the intricacies of assurance function, let me reflect briefly on the transformative progress and growth witnessed in the Indian financial landscape. In the recent years, we have witnessed remarkable advancements, propelled by digitalization and technological innovations. We are seeing evolving consumer demands and changing needs of a fast-growing economy that challenge the status quo. These dynamics are reshaping the way financial services are delivered, disrupt traditional paradigms and necessitate agile responses from financial industry. The scenario for financial entities thus far looks exciting in terms of opportunities but is likely to be challenging in terms of emerging risks.

In order to sustain this transformation, an enduring commitment to safeguarding financial stability, fostering economic growth, and ensuring consumer protection should remain the prime motive for us all. The Reserve Bank, in its multifaceted role, plays a pivotal role in nurturing an ecosystem where innovation thrives, risks are contained, and consumers are empowered. From formulating monetary policy to regulating and supervising financial institutions, our mandate encompasses a wide array of responsibilities aimed at promoting the integrity and resilience of the financial sector.

One of the hallmarks of an effective regulatory approach is being ahead of the curve by building an ability to foresee potential risks emerging in the system; and pragmatically addressing them. The idea is that the regulations that are framed are proportional; forward looking; and responsive. In doing so, Reserve Bank as a regulator has always been conscious of the fact that the degree of regulation of a financial entity should be commensurate with the perception of risks posed by the entity to the financial system and the scale of its operations. The scale-based regulatory framework for NBFCs and the revised tiered regulatory framework for Urban Co-operative Banks had this premise at its core. Additionally, the regulatory approach has been guided by a combination of activity-based and entity-based regulations to ensure their effectiveness while minimizing unintended consequences. We have tried to leverage the strengths of both these approaches to achieve a more comprehensive and flexible regulatory framework.

We find this hybrid approach particularly valuable in an ever-evolving financial Sector, where innovation and new business models constantly emerge. The flexibility inherent in the hybrid approach has enabled us to adapt swiftly to the changes in the sector without sacrificing the overarching systemic risk management inherent in the entity-based regulations.

The financial ecosystem has to be seen as a reflection of the past changes and the policy choices. These choices are tested continuously for their ability to respond to the emerging challenges. How the system evolves going forward will critically depend on how the various constituents, including the regulatory frameworks, adapt to the changing business environment. In the current milieu, our role as regulator demands that we support the entities in their quest for growth while being mindful of the risks.

Keeping this as a context, let me first share a few thoughts on two key emerging challenges and role of assurance functions in handling these issues. Later, I wish to leave a few thoughts with you on devising a combined assurance framework to bolster the conventional three lines of defence model.

Third party dependencies and operational risks

The first issue that I would like to discuss is the issue of third-party dependence and outsourcing arrangements in regulated entities. Third-party dependencies and digital outsourcing have become integral to the operations and with rapidly evolving technology. Regulated entities are increasingly relying on third-party agencies and outsourcing of their operations to enhance efficiency, reduce costs, and improve customer experience.

However, while third-party dependencies offer several benefits, they also pose certain risks and challenges. One of the primary concerns is selection of the outsourcing partner or in case of digital lending operations, the lending service providers (LSPs). Regulated entities need to assess the reliability, security, and regulatory compliance of their third parties to ensure that they meet the required standards. For example, while digital lending guidelines mandate that REs should ensure that LSPs engaged by them have suitable grievance redressal mechanism on their website or apps, a recent study undertaken by us have found that not all LSPs or apps have that. Poorly managed third-party relationships can expose regulated entities to not only customer dissatisfaction and reputational damage, but may also invite regulatory and supervisory actions.

Cybersecurity is another critical area where regulated entities needs to assess the preparedness of third-party service providers to protect their digital assets and customer information. With the increasing frequency and sophistication of cyber-attacks, it is essential for entities to ensure that robust cybersecurity measures are deployed by the service providers to safeguard against threats. Moreover, dependency on third parties can also create vendor lock-in situations, where regulated entities become reliant on a single vendor for critical services. This lack of vendor diversification can increase dependency risks and limit the flexibility of entities to adapt to changing market conditions or technological advancements.

A related aspect here is the operational risk inherent in the entity concerned. Given that operational risk is  a factor in all financial products, activities, processes, and systems, the frameworks adopted by the entities has to address the concerns upfront. For this purpose, it needs to be built on three pillars viz. ‘Prepare and Protect’, ‘Build Resilience’ and ‘Learn and Adapt’. I would urge all of you to evaluate the processes and systems in your organisations vis-à-vis a ‘Guidance Note on Operational Risk Management and Operational Resilience’ issued by RBI which has this three pillar framework at its core.

Customer Conduct & Transparency in Operations

The second issue which I would like to flag is of the customer conduct and transparency in operations of regulated entities. Despite continuous supervisory and regulatory focus, this is one area where the actions on ground by the entities have fallen short of expectations. Certainly, we all understand that poor customer service can have significant repercussions on customers' trust and satisfaction. However, we continue to observe instances of slow response times to customer queries and complaints, lengthy wait times on customer service hotlines and delayed email responses, contributing to customer dissatisfaction.

Some entities continue to face criticism for their lack of transparency regarding fees, charges, and penal provisions associated with their products and services. Customers are often surprised by hidden fees or unclear terms, leading to disputes and complaints. Obviously when such practices have come to our notice, we have acted proactively. The recent instructions on fixation of EMIs or providing a Key Fact Statement (KFS) along with Annual Percentage Rate (APR) are examples where probably transparency at the level of industry would have taken care of the issue itself without the regulator having to step in.

We also continue to receive increased volume of complaints regarding misleading sales practices to attract customers including misrepresentation of product features, false promises of benefits, or aggressive sales tactics that pressure customers into purchasing products they do not need or understand. One unique set of  complaints  relates to  customers encountering difficulties when attempting to close accounts or terminate services. Lengthy and cumbersome account closure procedures, coupled with unclear requirements and documentation, frustrate customers, and prolong their association with the entity against their wishes.

These examples highlight the importance of prioritising and implementing robust mechanisms to address customer concerns promptly, transparently, and effectively. While automation can help in faster response to the complaints, there is an underlying need for an experienced man in the middle to ensure the human touch and understanding in dealing with customer grievances. The Reserve Bank attaches highest importance to these issues and this is an area of regulatory focus. I would urge to all regulated entities also to treat customer complaints with a due gravitas and use it as a feedback mechanism to improve their processes and products.

From three Lines of Defense to a Combined Assurance Model

If one must choose a single expression that epitomises banking business, it has to be ‘risk management’. This is in view of multiple factors including bank’s fiduciary role in respect of depositors, their critical interaction with real economy and financial stability. This critical role is why banking ends up as one of the most regulated sectors. Similarly, the NBFCs and other RBI regulated entities who operate in the financial services segment too are subjected to a calibrated regulatory approach with respect to risk management and assurance functions. A strong risk management system along with an effective oversight by the Board and the senior management provides a substantial degree of regulatory comfort.

Conventionally, the risk management program falls under a broad umbrella of GRC (Governance, Risk, Compliance) providers which include internal audit, compliance, risk, and legal functions. While assurance function is often used synonymously with the internal / external audit, the concept of independent internal controls and the evolving changes in the risk landscape have significantly expanded its meaning.

The Reserve Bank has also issued guidelines on supervisory expectations which asks of the regulated entities to  provide sufficient authority, resources and independence to these functions. The Boards are expected to take an active role in identifying/ approving the head of control and assurance functions. Clear lines of communication between the board and heads of control and assurance functions are also mandated to ensure that information exchange happens regularly, and areas of concern and probable remediation can be identified well within time.

For operationalizing risk management programs, the guidance of Institute of Internal Auditors (IIA) in 2013 known as “Three Lines of Defense” model has been widely used as a foundation. It defined the roles and responsibilities in different assurance branches and their inter-relationships. However, somehow, we often come across these functions operating in silos and eventually this has an impact on the business lines, affecting their productivity.

In a classic three lines of defence mode, the governance framework set out by the Board should ensure that the three lines of defence do the job as expected – much like in the game of football, where the forwards, the midfielder and the defenders should collectively keep the ball in play and ensure that the goalkeeper is not engaged. However, often in large entities, different units start assessing the risks independently, sometimes coming out with separate and often contradictory assessments. Such disparities only increases compliance cost, confusion and paperwork and the story of the risk is lost amidst this. Such a situation fails to provide decision useful inputs to the Board and ends up compromising on the quality of compliance and regulatory outcomes.

Therefore, in today’s dynamic and integrated world, where the business of banking is becoming complex and banks are engaging with several external parties to carry out different functions, a Combined Assurance Model (CAM) which transcends functional and geographical silos may better serve the financial institutions. Such a combined assurance model should integrate assurance processes, strengthen governance oversight and optimize control efficiencies while presenting a coherent story and assessment of risks embedded in the products or processes.

Successful implementation this framework would not only give a more holistic, organised, and accurate view of risk, but could also prove to be more cost-effective and efficient by eliminating duplicative controls and blind spots, through a common risk universe, risk taxonomy and risk ranking. However, it is not easy to implement a combined approach to assurance. One of the key challenges when implementing it is aligning the different activities, scoring and rating methodologies, definitions and co-ordination among multiple stakeholders. Moreover, mapping of multiple requirements across different assurance activities as well as framing of common risk criteria would pose its own complexities. However, in my view the long-term benefits emanating from such an exercise would far outweigh the costs.

Going forward, the design principles for future assurance functions should include addressing the business risk proactively rather than focusing only on regulatory compliance; ensuring a strong and demonstrative commitment towards risk culture objectives by the senior management; and involving assurance functions in decision process without compromising their independence. The combined objective of assurance function should be business enabling, insights-driven and above all, time-efficient. This also requires an upskilling of resources, to stay in step with these changes and to become ex-ante rather than ex-post focused.

Conclusion

In conclusion, I would like to say that it has taken a lot of regulatory initiatives, supervisory rigour, and industry efforts to nurture the confidence and trust of the stakeholders which is reflected in the robust growth of the financial sector in India. Therefore, it has to be our collective responsibility that we continue to nurture this confidence. Further, to continue supporting the India growth story and the credit needs of a developed nation, regulated entities would need huge financial resources. For that, we need to prepare and plan in advance so that we are not caught off-guard when this need arises. To enable a robust and sustainable growth, the silos within the assurance function of the organization should give way to a holistic and single pane risk view.

While RBI will continue to focus on customer-centric regulations to promoting a safe, fair, and transparent financial ecosystem, it bears repetition that enhancing consumer protection, strengthening grievance redressal mechanisms, and promoting transparency should be a collective endeavour of both the regulator and regulated entities.

Thank you. Namskaar!!

[1] Remarks by Shri M Rajeshwar Rao, Deputy Governor, delivered at BFSI Summit organized by CareEdge on July 22, 2024 in Mumbai. Inputs were provided by Pradeep Kumar for preparation of these remarks.