Chair of the event, Shri M Damodaran; Chairman, IRDAI, Shri Ajay Seth; Chairman, PFRDA, Shri S Ramann; WTM, SEBI, Shri Kamlesh Varshney and other distinguished guests, colleagues, ladies, and gentlemen. A very good morning to all of you.

2. I am pleased to be here today for the 10th edition of the Gatekeepers of Governance Summit, as conferences like these provide an invaluable platform for the stakeholders to articulate and understand each other’s perspectives. I thank the organisers for this opportunity.

3. Our theme today is simple to ask but hard to answer: “Regulatory gaps and overlaps: do they exist?” I am inclined to agree that they do exist and I propose to address this in two parts, viz. from the standpoint of organisations and thereafter as Regulators.

4. Most organisations often respond to governance questions by redrawing organisation charts, tweaking reporting lines, and updating committee charters. These fixes do help, but only to a point.

5. Business models, technology, and vendor chains change faster than boxes on a slide. As firms expand, digitise, outsource, and integrate, two patterns keep showing up: overlaps - two teams or two regulators asking for the same thing; and gaps - a new product, partner, or dataset sitting outside or at the perimeter of any policy.

6. If we keep editing diagrams without analysing the root cause, we treat symptoms and miss the cause. In my view, the reason, therefore, is “intent”. When intent is strong and governance is lived in spirit, overlaps simplify and gaps close. When intent is weak, the reflex is to add more rules and procedures – multiplying work but losing sight of the real risk. The real question is how deeply good governance is internalised in everyday decisions and board oversight.

7. With that lens, let me focus on five practices that I feel matter most:

1. Boards must own outcomes, not paperwork.
2. Independence should be in substance.
3. Look through the group, not just the entity.
4. Protect and empower the control functions.
5. Governance gap analysis with real remediation.

Let me briefly elaborate on each of these five aspects

8. Firstly, boards must own outcomes, not paperwork. A diverse and independent board keeps an organisation on track by overseeing compliance, risk, culture, and ethics. Directors must exercise their duty of care and duty of loyalty, and they must own outcomes¹. Boards must set risk appetite and outcome goals, and require independent assurance - risk, compliance, and internal audit - to test what matters and report findings, root causes, and their closure.

9. Secondly, independence is not a label; it is the ability to challenge. It is a posture backed by time, information, and courage. Independent directors should be able to challenge strategy, controls, financials, and risk, and to question the assumptions behind forecasts. Our anonymous 2024 survey amongst boards of banks revealed that many boards prefer consensus, and a meaningful minority of directors hesitate to voice dissent. The Chair’s role, therefore, is to draw out quieter views and keep challenge safe.

10. Thirdly, in large conglomerates, risk does not stop at the boundaries of individual entities. Boards should see the whole, not just the parts. Two steps help. First, ring-fence critical entities so a local problem does not become a group crisis. Second, enforce strict related-party policies. Such transactions can be legitimate, but they need transparency, fairness, and arm’s-length terms. Sound rationale and good documentation are evidence of thought and a tool for future learning, not a bureaucratic burden.

11. Fourthly, the three lines of defence must be real. Business lines own risk. Risk management and compliance provide challenge and guardrails. Internal audit tests the system independently. The Heads of assurance functions (the Chief Risk Officer, Chief Compliance Officer, and Head of Internal Audit) must have access to the board and to any business line that can create material risk. They should have adequate budgets and full access to information. Decisions on their appointment and removal should rest with the board. Weak lines of defence are to be seen as a board failure, not a staffing glitch.

12. In an anonymous supervisory survey of assurance heads, most reported strong board backing, but almost half said resources do not match their bank’s size and complexity. It is essential to give assurance heads independence, stature, and adequate resources. Otherwise, assurance stays ornamental.

13. Finally, markets move faster than rules and regulations. A periodical governance gap analysis helps organisations see where their policies and frameworks stand against industry best practices - spotting weaknesses, strengthening compliance, and improving risk management².

A system-wide perspective

14. Modern business is not tidy. A listed company can be part of a conglomerate with banks, NBFCs, insurers, brokers, payment firms, tech subsidiaries, overseas arms, and associates. The regulatory map is equally rich: Company law and MCA, Securities regulation and listing rules, Sectoral regulators for banking, insurance, pension, competition law, insolvency, accounting and audit oversight, market conduct rules, data and cyber requirements, and multiple enforcement agencies. Add international obligations, exchanges, depositories, SROs, and state-level authorities.

15. In such a world, some overlap is inevitable. That is not a bug. Overlaps can also act as layers of safety net, ensuring that if one control misses an issue, another may catch it. The real problem, may arise from conflicting rules, duplicated compliance, and uncoordinated enforcement which is avoidable. At the same time, new activities, new technologies, and new business models can fall between the cracks.

16. So yes, both gaps and overlaps exist. The task for regulators is to work together, minimising harmful overlaps and closing material gaps, without impeding innovation. In that spirit, let me offer three principles, may be aspirational in parts, for optimising overlaps and gaps.

17. Firstly, regulators must balance entity and activity-based regulation. Regulate the activity wherever it happens, and keep stronger rules for entities that hold public trust. If an app offers investment advice, the advisory guardrails should apply, even if the provider is not a traditional intermediary. If two activities create the same risk, they should face the same rules - regardless of the label or the provider.

18. The second principle is proportionality. Regulators should scale requirements to risk and complexity. A small, simple firm should not bear the same burden as a large, interconnected group; systemically important players should meet higher capital, liquidity, control, and disclosure standards. Proportionality keeps oversight credible and optimal.

19. The third is to strive towards outcome-based regulation, calibrated to market maturity. Where feasible, make and apply rules to protect outcomes - fair customer treatment, resilience, true and fair financials - rather than locking in processes or technologies. For instance, whether onboarding is on paper or biometric, the test is the same: was the customer identified correctly, and was consent captured? However, calibration matters. Outcomes-based rules work best where supervision and enforcement are strong and markets are mature.

Conclusion

20. In conclusion, addressing regulatory gaps and overlaps is a journey of continuous improvement that demands constant reflection, adaptation, and courage to challenge the status quo. When intent is strong, the gaps bridge, overlaps simplify, and governance transcends mere compliance to become our shared conscience.

Thank you. Jai Hind.

¹ Corporate Governance Principles for Banks, BCBS, BIS (https://www.bis.org/bcbs/publ/d328.pdf)

² William, L. (2006). Governance Gap Analysis. DM Review, 16 (8): 30.