Principle

Indian Position

Remarks

A. Strategies and techniques basic to sound corporate governance

1. Corporate values, codes of conduct and other standards of appropriate behaviour and the system used to ensure compliance with them.

Banks articulate corporate values, codes of conduct and standards of appropriate behaviour, etc., though these may not have been codified in any single document. Banks have also systems to ensure compliance with them.

Within an overall generalised level, the depth and extent of compliance of the standards of corporate governance vary from bank to bank. It is, therefore, desirable that all banks are above a certain benchmark signifying acceptable level of corporate governance. From here, there will have to be a sustained progress towards the best international standards which would need to be achieved within a reasonable timeframe.

2. A well-articulated corporate strategy against which the success of the overall enterprise and the contribution of individuals can be measured.

Banks have well articulated corporate strategy decided by the Board of Directors. In pursuance thereof, performance budgeting system is followed, which measures, monitors and evaluates corporate success and the contribution of business units. Except for performance measurement, monitoring and evaluation for business units, there is no system of accountability for results for individuals with the exception of the CEO, the Zonal / Regional / Branch Heads or Treasury Heads, etc.

It is desirable that performance measurement, currently confined mostly to unit level, is extended downwards up to individuals and a linkage between contribution and remuneration/reward is established. It should be possible to do so easily if a consensus can be achieved between the unions and the management on converting the present flat and performance-unrelated remuneration structure prevalent in most banks into performance-related remuneration structure. A few banks in the private sector have taken a lead in this regard, but they are small and as of now represent a nominal percentage of banking business in the country.

3. Clear assignment of responsibilities and decision-making authorities, incorporating a hierarchy of required approvals from individuals to the board of directors.

Banks have clear delegation of powers to different levels of hierarchy for financial and non-financial sanctions.

4. Establishment of a mechanism for the interaction and cooperation among the board of directors, senior management and the auditors.

The mechanism for interaction and cooperation among the board of directors, senior management and the auditors of the bank is fairly established.

5. Strong internal control systems, including internal and external audit functions, risk management functions independent of business lines, and other checks and balances.

Banks definitely have a strong internal control system; internal and external audit functions and other checks and balances. However, the regulatory framework for risk management function in banks independent of business lines has recently been put in place. Banks are in different stages of implementation of risk management systems.

It is practicable for big banks to undertake risk management as an independent function. However, small banks lack the expertise in this area. They will, therefore, have to be provided encouragement as well as technical support and given special attention so that they can imbibe risk management practices in as short a time as possible. A time-frame of two to three years is considered adequate for the purpose.

6. Special monitoring of risk exposures where conflicts of interest are likely to be particularly great, including business relationships with borrowers affiliated with the bank, large shareholders, senior management, or key decision-makers within the firm (e.g., traders).

There is a statutory provision (Section 20 of the BR Act, 1949) prohibiting loans and advances to directors or to any firm or company in which directors are interested or individuals in respect of whom any of its directors is a partner or guarantor.

However, where transactions are not barred by law, special monitoring of transactions with related parties, including large shareholders is not always subjected to special monitoring.

A similar provision on the lines of Section 20 of the BR Act, 1949, will have to be made in respect of large shareholders too. A definition of large shareholding would, of course, need to be provided.

7. The financial and managerial incentives to act in an appropriate manner offered to senior management, business line management and employees in the form of compensation, promotion and other recognition.

There is no performance-related compensation in public sector banks and, therefore, there is very little incentive or disincentive for good or bad performance. Some private sector banks have made efforts towards performance related compensation. Managerial incentive in the form of promotion and other recognition prevalent in banks both in private and public sectors, has generally proved inadequate.

Please also see comments against A(2) above. Unless performance-related remuneration is introduced in public sector banks, which account for more than 80 per cent of Indian banking system, performance of the system is not expected to improve. All banks must be encouraged to take steps to adopt this approach without any further loss of time.

8. Appropriate information flows internally and to the public.

Internal information flow is quite well established in banks. The standards of banks’ disclosures are improving but still fall short of international standards.

Please see remarks given in Annex 8.

B. Organisational Structure to ensure the following "Forms of Oversight"

1. Oversight by Board of Directors.

The organisational structure enables adequate oversight by Board of Directors.

2. Oversight by individuals not involved in the day-to-day running of the various business areas.

The present system of control and audit in banks enables such oversight.

3. Direct line supervision of different business areas.

Systems are in place which enables direct line supervision of different business areas.

4. Independent risk management and audit functions.

A regulatory framework for risk management function in banks has recently been introduced. Banks are in different stages of implementation of risk management systems.

However, audit functions are well developed. The independence of audit function is described in C(3)(xi)(b) below.

C. Sound Corporate Governance Practices

1. Board to establish strategic objectives and a set of corporate values (‘tone at the top") that are communicated throughout the banking organisation, timely and frank discussion of problems and prohibit/limit conflict of interest, self-dealing and related party transactions.

Most banks follow a budgetary system. Strategic objectives and set of values are often not defined very clearly and their communication throughout the organisation is quite uneven. Long-term problems and hindrances in the way of achieving organisational goals tend to receive attention only at higher levels of management.

Please also see comments at A(6) above.

The banks need to develop mechanisms which can help them ensure percolation of corporate strategic objectives and set values throughout the organisation.

Please also see remarks at A(6) above.

2. Board to set and enforce clear lines of responsibility and accountability for themselves as well as the senior management and throughout the organisation so that there is no unspecified or confusing and multiple accountability and lines of responsibility.

Boards of very few banks are known to enforce clear lines of responsibility and accountability for themselves. In quite a few cases there is not enough clarity about their roles. Much of it is because of the manner in which the boards are constituted. The lines for the responsibility and accountability for senior management and further down in the banks are, however, quite clearly defined leaving little room for unspecified or confusing and multiple accountability and lines of responsibility.

There is an urgent need to follow the best practices in banks in respect of constitution and functioning of the boards.

3. Ensuring that board members are qualified for their positions, have a clear understanding of their role in corporate governance and are not subject to undue influence from management or outside concerns:

Selection for nomination of individuals on banks’ boards is on the basis of his/her qualification considered suitable for the position. There is, however, no practice of pre-induction meeting/briefing or any post-induction orientation. As such, often a proper appreciation of their role in the banks’ corporate governance takes time to develop. Instances of undue influence from management or outside concerns are rare.

This practice can be put in place forthwith.

i. understand their oversight role and duty of loyalty to bank and shareholders.

Boards of Directors sometimes take longer time than expected to understand their role and obligation to the bank and the shareholders. New board members seldom go through any orientation programme.

There is a need to streamline the process of induction of directors into bank boards and their initial orientation. Suitable arrangement can be put in place forthwith.

ii. serve as a "check and balance" to the management.

The boards generally serve as a "check and balance" to the management. All members of the boards individually may not be said to be feeling and conducting themselves as ideally as envisaged.

The process can be self-sustaining once the responsibility and accountability are enforced.

iii. feel empowered to question the management and insist on explanation from the management.

Do

iv. recommend sound practices gleaned from other situations.

Do

v. provide dispassionate advice.

Do

vi. are not over extended.

The system has till recently permitted board membership to an individual in up to 20 companies. This number is now sought to be reduced. Being on a number of boards does result in over-extension in some cases.

Members of Board of Directors are required to give their valuable time to the governance of banks. In this context, there is a need to have some ceiling on the number of boards and the number of committees a director can work at a time. Relative SEBI guidelines limit membership of board/ Committees. Whereas in the case of listed companies this will hold good, the same principle may be adopted in the case of all banking companies.

vii. avoid conflict of interest in their activities with and commitments to other organisations.

The statutory provisions (Section 20 of the BR Act, 1949) prohibit loans and advances to directors or to any firm or company in which directors are interested or individuals in respect of whom any of its directors is a partner or guarantor.

Disclosure of interest by directors is mandatory and in case there is any likelihood of conflict of interest arising, the concerned director is required to abstain from participating in the decision making process relating to that case.

viii. meet regularly with senior management and internal audit to establish and approve policies, and monitor progress towards corporate objectives.

The board meets the senior management and internal audit regularly and establishes and approves policies and monitors progress towards corporate objectives.

ix. abstain from decision making when incapable of providing objective advice.

Yes.

x. do not participate in day-to-day management of the bank.

Yes.

xi. Form committees for:

a. Risk Management Committee

The regulatory guidelines for formation of Risk Management Committee are for a Committee of the Top Executives. Most banks are in a nascent stage of evolving risk management policies and practices.

Comprehensive risk management systems should be put in place in all banks at an early date. A timeframe of two to three years is considered adequate for the purpose.

b. Independent Audit Committee – comprising of external members, oversight of internal and external auditors, their appointment and dismissal, ensuring that management is taking appropriate action, etc.

The present system of constituting an audit committee of the board chaired by one of the non-executive directors is able to ensure performance in these tasks satisfactorily.

Appointment and removal of auditors by the boards of banks has to be with the prior approval of RBI.

c. Compensation Committee – oversight of remuneration of senior management, and other key personnel and ensuring compensation is consistent with bank’s culture, objectives, strategy and control environment.

Public Sector Banks do not have Compensation Committees. The remuneration is fixed at the industry level uniformly for all banks at all levels of management with the approval of the Government of India. However, RBI approves the remuneration of CEOs of private sector banks.

There is a need to review the current practice and link remuneration with performance.

d. Nomination Committee – assessment of board effectiveness and directing the process of renewing and replacing board members

As of now, there is no Nomination Committee of the Board of Directors for nominating directors into the boards of banks, except in the case of some private sector banks. There is also no established system to assess the effectiveness of the functioning of the board members.

The desired change is possible after the ownership of the banks goes out of the government’s fold. The present system of nomination of directors on the boards of banks is expendable.

4. Ensuring that there is appropriate oversight by senior management ("four eyes principle") – senior managers not overly involved in business line decision making, are knowledgeable for their assigned area and willing to exercise control over successful and key employees without the fear of losing them.

The oversight is by Senior Managers who are not overly in the business and are knowledgeable. The oversight and checks and controls carried out by senior management may have no risk of losing an employee since the employment market is very tight. However, this may result in demotivation at the lower level.

5. Effectively utilising the work conducted by internal and external auditors, in recognition of the important control function they provide – recognising their importance and communicating this throughout the bank, enhance the independence and stature of auditors, utilising in a timely and effective manner their findings, ensuring their independence through the head auditor reporting to the board or board’s audit committee, etc.

The importance and independence of internal as well as external audit is well recognised and communicated throughout the bank. Audit in banks is seen as a function independent of operating departments and in most cases the head of audit reports directly to the Chairman/board. External statutory auditors also present their report on the functioning of the bank to its board directly.

The position may be deemed satisfactory.

6. Ensuring that compensation approaches are consistent with the bank’s ethical values, objectives, strategy and control environment – do not overly depend on short-term performance.

There is no performance-related compensation in public sector banks and therefore, there is very little incentive or disincentive for good or bad performance. Some private sector banks have made efforts towards performance-related compensation. Such cases, which are not many, are recent. However, it is difficult to say at this stage with any degree of certainty that these are always consistent with the control environment and is not overly dependent on short-term performance.

See remarks against item A(7) above

7. Conducting corporate governance in a transparent manner – Public disclosure is desirable in the following areas:

i. Board structure (size, membership, qualifications and committees).

While the structure of the board is revealed in the Balance Sheet, details of Committees and qualifications of the directors are not always available publicly.

This practice may be introduced.

ii. Senior management structure (responsibilities, reporting lines, qualifications and experience).

This disclosure is not there.

Indian banks may be encouraged to make this disclosure.

iii. Basic organisational structure.

This disclosure is not there.

Indian banks may be encouraged to make this disclosure.

iv. Information about incentive structure (remuneration policies, executive compensation, bonuses, stock options).

This disclosure is not there.

Indian banks may be encouraged to make this disclosure.

v. Nature and extent of transactions with affiliated and related parties:

1. Government – through laws.

Guidelines and norms for good corporate governance in banks and overall responsible corporate governance are still in formative stages and healthy conventions are still to be built up. There are no laws as such which can be seen as supporting or facilitating corporate governance. It will be some time before tenets of good governance can be enacted in a piece of legislation. The RBI as supervisor and SEBI as capital market regulator are gradually introducing measures which lead to good corporate governance in banks and protection of depositors’ and others’ interests.

2. Securities regulators, stock exchanges – through disclosures and listing requirements.

SEBI as the securities market regulator ensures healthy growth of capital markets and stands for the protection of the interest of shareholders.

SEBI has stipulated disclosure and listing requirements and also reviews these on an on-going basis.

3. Auditors – through audit standards on communications to boards of directors, senior management and supervisors.

The ICAI sets the accounting standards for banks in consultation with RBI.

Standards on communication to Board of Directors, senior management and the Supervisors are, however, yet to be set and stabilise.

4. Banking industry associations – through initiatives relating to voluntary industry principles and agreements on and publication of sound practices.

Banks’ industry level associations like the IBA, FEDAI, FIMMDA, etc., are active in taking initiatives relating to voluntary industry principles and agreements.

E. Role of Supervisors

1. Board of directors and senior management are ultimately responsible for the performance of the bank. Supervisors typically check that a bank is being properly governed and bring to management’s attention any problem that they detect through their supervisory efforts.

The RBI as supervisor checks the governance practices at banks and brings to the management’s attention the problems identified by them.

Because of RBI/government ownership of banks in the public sector, there is some overlap in the role of the RBI as owner/owner’s representative and as the regulator/supervisor. This overlap needs to be corrected so that RBI can perform its regulatory/ supervisory role without any hindrance.

2. Attentive to any warning signs of deterioration in the management of the bank’s activities.

The RBI as supervisor, through on- and off-site supervision mechanisms, is attentive to warning signs of deterioration in management of a bank’s activities.

Government ownership of banks, however, stands in the way of any serious and urgent corrective action on the part of RBI as regulator. Laws of the land and the implied delay in the judicial system have also come in the way even where corrective action like removal of a management not found to be 'fit and proper' was contemplated.

3. Issue guidance to banks on sound corporate governance and pro-active practices.

The RBI as supervisor issues proactive and timely guidance to banks on sound corporate governance practices.

4. Sound corporate governance considers interest of all stakeholders, including depositors, whose interests the supervisors should protect.

The basic spirit of banking supervision in India is to ensure that banks follow principles of sound banking and that the interests of all stakeholders, including depositors, are protected.

5. Should expect banks to implement organisational structure to ensure checks and balances.

The RBI as supervisor ensures that banks have organisational structure to ensure proper checks and balances.

6. Emphasise accountability and transparency.

The RBI as supervisor emphasises accountability and transparency in banks.

The standards of transparency would need to be raised. A fair beginning has been made in this regard but the approach of the banks and the applicable accounting standards will have to be changed for achieving greater transparency in banking operations and accounting.

The stress on accountability largely ends up with efforts to fix accountability for loans/advances that go bad. Accountability for non-performance, at any level including that of the Board of Directors, is nearly absent. This issue needs urgent attention.

7. Determine that board and senior management have in place processes that ensure they are fulfilling all of their duties and responsibilities.

Either on their own or under the guidance of the RBI as supervisor, most banks have put in place processes designed to monitor performance and fulfilment of duties and responsibilities at different levels.

The boards of banks, however, do not seem to subject themselves to any measure of accountability or performance either set by them voluntarily or made applicable to them externally. This leaves them as largely without any accountability either to the institution itself or to the supervisor. The situation calls for correction.

Principle

Indian Position

Remarks

A. Management oversight and the control culture

1.0 The board of directors should have responsibility for approving and periodically reviewing the overall business strategies and significant policies of the bank; understanding the major risks run by the bank, setting acceptable levels for these risks and ensuring that senior management takes the steps necessary to identify, measure, monitor and control these risks; approving the organisational structure; and ensuring that senior management is monitoring the effectiveness of the internal control system. The board of directors is ultimately responsible for ensuring that an adequate and effective system of internal controls is established and maintained.

The boards of banks in India do have the responsibility for approving strategies and policies and setting acceptable levels for risk exposures. It is also their responsibility to ensure that senior management monitors the effectiveness of the internal control system.

1.01 The board of directors provides governance, guidance and oversight to senior management. It is responsible for approving and reviewing the overall business strategies and significant policies of the organisation as well as the organisational structure. The board of directors has the ultimate responsibility for ensuring that an adequate and effective system of internal controls is established and maintained. Board members should be objective, capable, and inquisitive, with a knowledge or expertise of the activities of and risks run by the bank. In those countries where it is an option, the board should consist of some members who are independent from the daily management of the bank. A strong, active board, particularly when coupled with effective upward communication channels and capable financial, legal, and internal audit functions, provides an important mechanism to ensure the correction of problems that may diminish the effectiveness of the internal control system.

Although the principle is unexceptionable, in practice, however, boards generally provide governance and general direction in regard to the setting of broad business strategies. The task of monitoring internal control and operational risk management systems is delegated to the audit committee of the board consisting of non-official directors who are independent from the daily management of the bank. A more focused attention to risks and their systematic identification and management, however, is rather a recent concept. Managements and boards of banks are gearing themselves suitably to understand, measure and control risks.

1.02 The board of directors should include in its activities (i) periodic discussions with management concerning the effectiveness of the internal control systems, (ii) a timely review of evaluations of internal controls made by management, internal auditors, and external auditors (iii) periodic efforts to ensure that management has promptly followed up on recommendations and concerns expressed by auditors and supervisory authorities on internal control weakness, and (iv) a periodic review of the appropriateness of the bank’s strategy and risk limits.

The RBI has prescribed a set of mandatory reviews that need to be undertaken by the board of directors or specialised committees of the board. These include reviews of evaluations of internal and external audits as well as general and special recommendations and concerns expressed in the RBI inspection report, apart from those relating to risk management, credit management, investments, resources and profitability. The system of periodic discussions by the board with the management or follow-up of evaluation and review reports is not very well established.

The attention at the board level paid to evaluation and review reports on internal control systems in the banks is mostly routine and receives limited attention except when a bank has got into some trouble because of failure/ breakdown of the system. Such reviews and evaluation are generally not being used as important tools of management information and control. Boards of most banks, particularly public sector banks would need to undergo an attitudinal change towards such evaluations/ reviews so that they have a better and firmer say in the maintenance and improvement of internal control systems in the banks. In depth discussions on periodic reports on internal control systems of the banks between the management and their boards should be institutionalised. RBI may consider advising all banks to take steps in this regard.

1.03. One option used by banks in many countries is the establishment of an independent audit committee to assist the board in carrying out its responsibilities. The establishment of an audit committee allows for detailed examination of information and reports without the need to take up the time of all directors. The audit committee is typically responsible for overseeing the financial reporting process and the internal control system. As part of this responsibility, the audit committee typically oversees the activities of, and serves as a direct contact for, the bank’s internal audit department and engages and serves as the primary contact for the external auditors. In those countries where it is an option, the committee should be composed entirely of outside directors (i.e., members of the board that are not employed by the bank or any of its affiliates) who have knowledge of financial reporting and internal controls. It should be noted that in no case should the creation of an audit committee amount to a transfer of duties away from the full board, which alone is legally empowered to take decisions.

Banks in India establish an independent audit committee to oversee the internal control system. The audit committee is composed of non-executive members who normally have good knowledge of systems, audits and accounts.

2.0 Senior management should have responsibility for implementing strategies approved by the board; developing processes that identify, measure, monitor and control risks incurred by the bank; maintaining an organisational structure that clearly assigns responsibility, authority and reporting relationships; ensuring that delegated responsibilities are effectively carried out; setting appropriate internal controls policies; and monitoring the adequacy and effectiveness of the internal control system.

Senior management have the responsibility for developing and implementing strategies, structures and processes for managing and controlling risks. They also have the responsibility for setting appropriate internal control policies and monitoring its effectiveness.

2.1. Senior management is responsible for carrying out directives of the board of directors, including the implementation of strategies and policies and the establishment of an effective system of internal control. Members of senior management typically delegate the responsibility for establishing more specific internal control policies and procedures to those responsible for a particular business unit. Delegation is an essential part of management; however, it is important for senior management to oversee the managers to whom they have delegated these responsibilities to ensure that they develop and enforce appropriate policies and procedures.

Internal control strategies, policies and procedures are typically approved by the board and communicated to all levels of the hierarchy for implementation. This ensures consistency of internal control standards across the organisation. Senior management has the responsibility of ensuring implementation by the lower rungs of directives and policies of the board.

2.2 Compliance with an established internal control system is heavily dependent on a well documented and communicated organisational structure that clearly shows lines of reporting responsibility and authority and provides for effective communication throughout the organisation. The allocation of duties and responsibilities should ensure that there are no gaps in reporting lines and that an effective level of management control is extended to all levels of the bank and its various activities.

This condition generally obtains.

2.3 It is important that senior management takes steps to ensure that activities are conducted by qualified staff with the necessary experience and technical capabilities. Staff in control functions must be properly remunerated. Staff training and skills should be regularly. Senior management should institute compensation and promotion policies that reward appropriate behaviours and minimise incentives for staff to ignore or over-ride internal control mechanisms.

Banks generally have well articulated personnel policies providing for planned staff deployment, career path and training. A flat and performance-unrelated remuneration structure is prevalent in most banks, particularly in the public sector. Some private sector banks have made efforts towards performance related compensation. Such cases, which are not many, are recent. However, it is difficult to say at this stage with a reasonable degree of certainty that these are always consistent with the control environment.

3.0 The board of directors and senior management are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organisation that emphasises and demonstrates to all levels of personnel the importance of internal controls. All personnel at a banking organisation need to understand their role in the internal controls process and be fully engaged in the process.

Banks articulate corporate values, codes of conduct, standards of appropriate behaviour, etc., emphasising on importance of internal controls. Bank managements do endeavour to ensure that all levels of personnel understand their roles in the internal controls and are fully engaged in the process.

3.1 An essential element of an effective system of internal control is a strong control culture. It is the responsibility of the board of directors and senior management to emphasise the importance of internal control through their actions and words. This includes the ethical values management displays in their business dealings, both inside and outside the organisation. The words, attitudes and actions of the board of directors and senior management affect the integrity, ethics and other aspects of the bank’s control culture.

Importance of internal controls and a strong control culture is understood and stressed by the banks managements as well as their boards.

3.2 In varying degrees, internal control is the responsibility of everyone in a bank. Almost all employees produce information used in the internal control system or take other actions needed to effect controls. An essential element of a strong internal control system is the recognition by all employees of the need to carry out their responsibilities effectively and to communicate to the appropriate level of management any problems in operations, instances of non-compliance with the code of conduct, or other policy violations or illegal actions that are noticed. This can best be achieved when operational procedures are contained in clearly written documentation that is made available to all relevant personnel. It is essential that all personnel within the bank understand the importance of internal control and are actively engaged in the process.

All banks have comprehensive documentation in the form of operating manuals, checklists or guidelines in regard to operating procedures. These are also generally available with the controllers and to a lesser extent with the first line personnel.

Establishing a strong control culture requires the bank to regularly reorient and train their personnel so that they fully understand the importance of internal controls in their respective stations. The boards of banks should specifically pay attention to creating and sustaining a culture of control in the banks.

3.3 In reinforcing ethical values, banking organisations should avoid policies and practices that may inadvertently provide incentives or temptations for inappropriate activities. Examples of such policies and practices include undue emphasis on performance targets or other operational results, particularly short term ones that ignore longer term risks; compensation schemes that overly depend on short-term performance; ineffective segregation of duties or other controls that could allow the misuse of resources or conceal poor performance; and insignificant or overly onerous penalties for improper behaviours.

There is no performance-related compensation in public sector banks and, therefore, there is very little incentive or disincentive for good or bad performance. The remuneration is fixed at the industry level uniformly for all banks at all levels of management with the approval of the Government of India. However, RBI approves the remuneration of CEOs of private sector banks. The internal control guidelines issued by the RBI emphasises the need for segregation of duties, independent verification of transactions, joint custody of valuables and other operational risk management measures to be adopted and practised by banks. The RBI verifies satisfactory compliance during the on-site process.

3.4 While having a strong internal control culture does not guarantee that an organisation will reach its goal, the lack of such a culture provides greater opportunities for errors to go undetected or for improprieties to occur.

This principle is accepted. RBI currently verifies the internal control system in banks during its on-site inspections. RBI’s move towards a risk based supervision system is expected to help banks focus more attention on internal controls and permeation of control culture.

B. Risk Assessment

4.0 An effective internal control system requires that the material risks that could affect the achievement of the bank’s goals are being recognised and continually assessed. This assessment should cover all risks facing the bank and the consolidated banking organisation (that is, credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk and reputational risk). Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks.

The RBI has issued comprehensive risk management guidelines to banks in terms of which they are required to identify and assess all business and operational risks and formulate and put in place appropriate risk management systems. Scientific risk management is, however, still in the initial stage in most of the banks, particularly the old private sector and public sector banks. The current situation calls for greater orientation of the banks’ managements and their boards towards better understanding of risks and their management.

4.1 Banks are in the business of risk-taking. Consequently, it is imperative that, as part of an internal control system, these risks are being recognised and continually assessed. From an internal control perspective, a risk assessment should identify and evaluate the internal and external factors that could adversely affect the achievement of the banking organisation’s performance, information and compliance objectives. This process should cover all risks faced by the bank and operate at all levels within the bank.

-do-

4.2 Effective risk assessment identifies and considers internal factors (such as the complexity of the organisation’s structure, the nature of the bank’s activities, the quality of personnel, organisational changes and employee turnover) as well as external factors (such as fluctuating economic conditions, changes in the industry and technological advances) that could adversely affect the achievement of the bank’s goals. This risk assessment should be conducted at the level of individual businesses and across the wide spectrum of activities and subsidiaries of the consolidated banking organisation. This can be accomplished through various methods. Effective risk assessment addresses both measurable and non-measurable aspects of risks and weighs costs of controls against the benefits they provide.

-do-

With few exceptions risk management in most public sector and even private sector banks cannot be said to be effective. There is also not much conscious effort in these banks to measure different kinds of risk and decide the level of acceptability of such risks at the board level. While RBI has issued detailed guidelines to banks on risk management, it may consider outlining clearly the role of the boards of banks in risk management. Risk-based supervision of banks by RBI has to be mirrored in their board’s supervision and guidance.

4.3 The risk assessment process also includes evaluating the risks to determine which are controllable by the banks and which are not. For those risks that are controllable, the bank must assess whether to accept those risks or the extent to which it wishes to mitigate the risks through control procedures. For those risks that cannot be controlled, the bank must decide whether to accept these risks or to withdraw from or reduce the level of business activity concerned.

-do-

4.4 In order for risk assessment, and therefore the system of internal controls, to remain effective, senior management needs to continually evaluate the risks affecting the achievement of its goals and react to changing circumstances and conditions. Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks. For example, as financial innovation occurs, a bank needs to evaluate new financial instruments and market transactions and consider the risks associated with these activities. Often these risks can be best understood when considering how various scenarios (economic and otherwise) affect the cash flows and earnings of financial instruments and transactions. Thoughtful consideration of the full range of possible problems, from customer misunderstanding to operational failure, will point to important control considerations.

-do-

Evaluation of risks affecting banks’ strategies and objectives may need to be placed on a formal basis.

C. Control Activities

5.0 Control activities should be an integral part of the daily activities of a bank. An effective internal control structure requires that an appropriate control structure is set up, with control activities defined at every business level. These should include: top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on non-compliance; a system of approvals and authorisations; and a system of verification and reconciliation.

Such checks and controls are in place. However, there is no uniformity in regard to the standards of compliance.

5.1 Control activities are designed and implemented to address the risks that the bank identified through the risk assessment process described above. Control activities involve two steps: (i) establishment of policies and procedures; and (ii) verification that the control policies and procedures are being complied with. Control activities involve all levels of personnel in the bank, including senior management as well as front line personnel. Examples of control activities include: (i) Top level reviews (ii) activity controls (iii) physical controls (iv) compliance with exposure limits (v) approvals and authorisations (vi) verification and reconciliation

Control activities in banks are more procedure driven than risk-management driven. Although the procedures established do manage some risk or the other, compliance with these procedures at the front line levels is not with the understanding and awareness that the objective behind the given procedures is risk management. The quality of compliance, therefore, very often suffers.

5.2 Control activities are most effective when they are viewed by management and all other personnel as an integral part of, rather than an addition to, the daily activities of the bank. When controls are viewed as an addition to the day-to-day operations, they are often seen as less important and may not be performed in situations where individuals feel pressured to complete activities in a limited amount of time. In addition, controls that are an integral part of daily activities enable quick responses to changing conditions and avoid unnecessary costs. As part of fostering the appropriate control culture within the bank, senior management should ensure that adequate control activities are an integral part of the daily functions of all relevant personnel.

-do-

An assessment of the control environment and the involvement of the top management in fostering a strong control culture should be a mandatory part of RBI’s on-site supervisory process for each bank.

5.3 It is not sufficient for senior management to simply establish appropriate policies and procedures for the various activities and divisions of the bank. They must regularly ensure that all areas of the bank are in compliance with such policies and procedures and also determine that existing policies and procedures remain adequate. This is usually a major role of the internal audit function.

-do-

The adequacy and effectiveness of internal control systems, particularly the functioning of the internal audit departments forms a part of RBI’s on-site inspections.

6.0 An effective internal control system requires that there is appropriate segregation of duties and that personnel are not assigned conflicting responsibilities. Areas of potential conflicts of interest should be identified, minimised, and subject to careful, independent monitoring.

This is normally done.

6.1 Segregation of duties is not limited to situations involving simultaneous back and front office control by one individual. It can also result in serious problems when there are not appropriate controls in those instances where an individual has the responsibility for:

• Approval of the disbursement of funds and the actual disbursement;
• Customer and proprietary accounts;
• Transactions in both the ‘banking’ and ‘trading’ books;
• Informally providing information to customers about their positions while marketing to the same customers;
• Assessing the adequacy of loan documentation and monitoring the borrower after loan origination; and,
• Any other areas where significant conflicts of interest emerge and are not mitigated by other factors.

Banks are generally aware of the importance of segregation of duties and such systems are normally in place.

6.2 Areas of potential conflict should be identified, minimised, and subject to careful monitoring by an independent third party. There should also be periodic reviews of the responsibilities and functions of key individuals to ensure that they are not in a position to conceal inappropriate actions.

Most banks have a system of management audit during which responsibilities, functions and performance of key individuals are reviewed. Such exercise also helps to identify and minimise areas of potential conflict as well as chances of concealment of inappropriate actions.

D. Information and Communication

7.0 An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format.

The quality and timeliness of MIS in most of the banks in the public sector and some in the private sector leave much scope for improvement. Low level of computerisation and networking is largely responsible for data quality issues in MIS. The quality of MIS would need to be identified as an area of potential risk both from the point of view of internal control and regulatory oversight.

7.1 Adequate information and effective communication are essential to the proper functioning of a system of internal control. From the bank’s perspective, in order for the information to be useful, it must be relevant, reliable, timely, accessible and provided in a consistent format. Information includes internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Internal information is a part of a record-keeping process that should include established procedures for record retention.

-do-

The RBI has issued detailed guidelines to banks regarding the development and implementation of appropriate record management policies and processes. Banks have generally established policies and procedures in this regard. However, as most of the records continue to be in manuscript form, retrieval, presentation and analysis of data are invariably lagged.

8.0 An effective internal control system requires that there are reliable information systems in place that cover all significant activities of the bank. These systems, including those that hold and use data in an electronic form must be secure, monitored independently and supported by adequate contingency arrangements.

The responsibility of ensuring appropriate information systems covering all activities and the integrity of such systems is enjoined on the senior management of the bank. However, more awareness needs to be promoted among senior management of banks in regard to security, risk and controls in computerised environment.

8.1 A critical component of a bank’s activities is the establishment and maintenance of management information systems that cover the full range of its activities. This information is usually provided through both electronic and non-electronic means. Banks must be particularly aware of the organisational and internal control requirements relating to processing information in an electronic form and the necessity to have an audit trail. Management decision-making could be adversely affected by unreliable or misleading information provided by systems that are poorly designed and controlled.

-do-

The RBI has issued detailed guidance to banks on risks and controls in a computerised environment. The adequacy of controls is verified during the course of on-site inspections.

8.2 Electronic information systems and the use of information technology have risks that must be effectively controlled by banks in order to avoid disruptions to business and potential losses. Since transaction processing and business applications have expanded beyond the use of mainframe computer environments to distributed systems for mission critical business functions, the magnitude of risks has also expanded. Controls over information systems and technology should include both general and application controls. General controls are the controls over the computer system (for example, mainframe, client/ server, and end-user workstations) and ensure their continued, proper operation. General controls include in-house back-up and recovery procedures, software development and acquisition policies, maintenance (change control) procedures, and physical/ logical access security controls. Application controls are computerised steps within software applications and other manual procedures that control the processing of transactions and business activities. Application controls include, for example, edit checks and specific logical access controls unique to a business system. Without adequate controls over information systems and technology, including systems that are under development, banks could experience the loss of data and programmes due to inadequate physical and electronic security arrangements, equipment or systems failures, and inadequate back-up and recovery procedures.

-do-

8.3 In addition to the risks and controls above, inherent risks exist that are associated with the loss or extended disruption of services caused by factors beyond the bank’s control. In extreme cases, since the delivery of corporate and customer services represent key transactional, strategic and reputational issues, such problems could cause serious difficulties for banks and even jeopardise their ability to conduct key business activities. This potential requires the bank to establish business resumption and contingency plans using an alternate off-site facility, including the recovery of critical systems supported by an external service provider. The potential for loss or extended disruption of critical business operations requires an institution-wide effort on contingency planning, involving business management, and not focused on centralised computer operations. Business resumption plans must be periodically tested to ensure the plan’s functionality in the event of unexpected disaster.

-do-

9.0 An effective internal control system requires effective channels of communication to ensure that all staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.

Policies and procedures affecting duties and responsibilities of staff are communicated to all concerned personnel.

9.1 Without effective communication, information is useless. Senior management of banks need to establish effective paths of communication in order to ensure that the necessary information is reaching the appropriate people. This information relates both to the operational policies and procedures of the bank as well as information regarding the actual operational performance of the organisation.

-do-

9.2 The organisational structure of the bank should facilitate an adequate flow of information-upward, downward and across the organisation. A structure that facilitates this flow ensures that information flows upward so that the board of directors and senior management are aware of the business risks and operating performance of the bank. Information flowing down through an organisation ensures that the bank’s objectives, strategies, and expectations, as well as its established policies and procedures, are communicated to lower level management and operations personnel. This communication is essential to achieve a unified effort by all bank employees to meet the bank’s objectives. Finally, communication across the organisation is necessary to ensure that information that one division or department knows can be shared with other affected divisions or departments.

The organisational structure of banks ensures appropriate multi-directional information flows across the organisation.

E. Monitoring Activities and Correcting Deficiencies

10.0 The overall effectiveness of the bank’s internal controls should be monitored on an ongoing basis. Monitoring of key risks should be part of the daily activities of the bank as well as periodic evaluations by the business lines and internal audit.

Senior management continually monitors overall effectiveness of the bank’s internal controls. However, monitoring of key risks is seldom done on a daily basis. Such monitoring is yet to be accepted in Indian banks as a part of the normal daily operations excepting in the case of market risks for treasury related transactions.

10.1 Since banking is a dynamic, rapidly evolving industry, banks must continually monitor and evaluate their internal control systems in the light of changing internal and external conditions, and must enhance these systems as necessary to maintain their effectiveness. In complex multinational organisations, senior managements must ensure that the monitoring function is properly defined and structured within the organisation.

Periodical reviews of internal control systems in the light of changing internal and external conditions are undertaken by most banks.

10.2 Monitoring the effectiveness of internal controls can be done by personnel from several different areas, including the business function itself, financial control and internal audit. For that reason, it is important that senior management makes clear which personnel are responsible for which monitoring functions. Monitoring should be part of the daily activities of the bank but also include separate periodic evaluations of the overall internal control process. The frequency of monitoring different activities of a bank should be determined by considering the risks involved and the frequency and nature of changes occurring in the operating environment.

Such review, monitoring and approval system prevails at the operating levels. Most banks have introduced the system of internal concurrent auditors who monitor the effectiveness of internal controls on a continuous basis. Internal control has thus been integrated into the operating environment.

10.3 Ongoing monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the system of internal control. Such monitoring is most effective when the system of internal control is integrated into the operating environment and produces regular reports for reviews. Examples of ongoing monitoring include the review and approval of journal entries, and management review and approval of exception reports.

--Do--

10.4 In contrast, separate evaluations typically detect problems only after the fact; however, separate evaluations allow an organisation to take a fresh, comprehensive look at the effectiveness of the internal control system and specifically at the effectiveness of the monitoring activities. These evaluations can be done by personnel from several different areas, including the business function itself, financial control and internal audit. Separate evaluations of the internal control system often take the form of self-assessments when persons responsible for a particular function determine the effectiveness of controls for their activities. The documentation and the results of the evaluations are then reviewed by senior management. All levels of review should be adequately documented and reported on a timely basis to the appropriate level of management.

Banks have systems of periodic internal audit and inspection by persons specially designated for the purpose. Such periodic evaluation of internal control systems are properly documented and reviewed by senior managements at different levels. These audits/ inspections are efficient means of determining effectiveness of controls for both the operating level staff as well as the senior management responsible for the effectiveness of the internal control systems.

11.0 There should be an effective and comprehensive internal audit of the internal control system carried out by operationally independent, appropriately trained and competent staff. The internal control function, as part of the monitoring of the system of internal controls, should report directly to the board of directors or its audit committee, and to senior management.

-Do-

11.1 The internal audit function is an important part of the ongoing monitoring of the system of internal controls because it provides an independent assessment of the adequacy of, and compliance with, the established policies and procedures. It is critical that the internal audit function is independent from the day to day functioning of the bank and it has access to all activities conducted by the banking organisation, including at its branches and its subsidiaries.

Such a condition normally obtains in most banks. The frequency of internal audits is normally once a year or in many banks linked to the internal rating accorded to the bank’s branch during the previous inspection. Frequency is also increased whenever there is a change in the management’s perception of risks emanating from the activities at particular branches. Internal audit function is independent from day to day functioning of the bank and has access to all activities conducted by the banking organisation.

11.2 By reporting directly to the board of directors or its audit committee, and to the senior management, the internal auditors provide unbiased information about line activities. Due to the important nature of this function, internal audit must be staffed with competent, well-trained individuals who have a clear understanding of their role and responsibilities. The frequency and extent of internal audit review and testing of the internal controls within a bank should be consistent with the nature, complexity, and risk of the organisation’s activities.

--Do--

11.3 It is important that the internal audit function reports directly to the highest levels of the banking organisation, typically the board of directors or its audit committee, and to senior management. This allows for the proper functioning of corporate governance by giving the board information that is not biased in any way by the levels of management that the reports cover. The board should also reinforce the independence of the internal auditors by having such matters as their compensation or budgeted resources determined by the board or the highest levels of management rather than by managers who are affected by the work of the internal auditors.

The audit/ inspection reports are put up before the audit committee of the board/ the board unaltered in any way by the levels of management that the reports cover. The compensation of the officers conducting the audit inspection or the budgeted resources are not determined by the managers who are affected by the work of the internal auditors.

12.0 Internal control deficiencies, whether identified by business line, internal audit or other control personnel, should be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies should be reported to the senior management and the board of directors.

This position obtains.

12.1 Internal control deficiencies, or ineffectively controlled risks, should be reported to the appropriate person(s) as soon as they are identified, with serious matters reported to senior management and board of directors. Once reported, it is important that management corrects the deficiencies on a timely basis. The internal auditors should conduct follow-up reviews or other appropriate forms of monitoring, and immediately inform senior management or the board of any uncorrected deficiencies. In order to ensure that all deficiencies are addressed in a timely manner, senior management should be responsible for establishing a system to track internal control weaknesses and actions taken to rectify them.

The internal audit department in banks monitors the corrective/ compliance action and submits status reviews to the board/ audit committee.

12.2 The Board of Directors and senior management should periodically receive reports summarising all control issues that have been identified. Issues that appear to be immaterial when individual control processes are looked at in isolation, may well point to trends that could, when linked, become a significant control deficiency if not addressed in a timely manner.

This position obtains.

F. Evaluation of internal control systems by supervisory authorities

13.0 Supervisors should require that all banks, regardless of size, have an effective system of internal controls that is consistent with the nature, complexity, and risk inherent in their on- and off- balance sheet activities and that responds to changes in the bank’s environment and conditions. In those instances where supervisors determine that a bank’s internal control system is not adequate or effective for the bank’s specific risk profile (for example, does not cover all of the principles contained in this document), they should take appropriate action.

RBI requires all banks to have effective internal control systems consistent with the level of their activities and risks. RBI also evaluates the adequacy and effectiveness of the internal control systems in banks and takes necessary follow-up action to ensure that the banks concerned take appropriate corrective action.

13.1 Although the board of directors and senior management bear ultimate responsibility for an effective system of internal controls, supervisors should assess the internal control system in place at individual banks as part of their ongoing supervisory activities. The supervisors should also determine whether individual bank management gives prompt attention to any problems that are detected through the internal control process.

The findings of the supervisory examinations are discussed by RBI with Chairmen and senior management team of banks. Banks are also required to place a copy of the inspection findings along with their strategy for corrective action before their boards/audit committees. RBI also monitors the compliance action taken by the bank.

13.2 Supervisors should require the banks they supervise to have strong control cultures and should take a risk-focused approach in their supervisory activities. This includes a review of the adequacy of internal controls. It is important that supervisors not only assess the effectiveness of the overall system of internal controls, but also evaluate the controls over high-risk areas (e.g., areas with characteristics such as unusual profitability, rapid growth, new business activity, or geographic remoteness from the head office). In those instances, where supervisors determine that a bank’s internal control system is not adequate or effective for that bank’s specific risk profile, they should take appropriate action. This would involve communicating their concerns to senior management and monitoring what actions the bank takes to improve its internal control system.

RBI currently adopts a standardised approach for all banks irrespective of their risk profiles. The RBI has now decided to move over to a risk based approach to supervision, which would have an increased risk focus. A mandatory assessment of the control environment, apart from other areas of risk has been proposed as part of the new system. The supervisor requires the banks to have written policies and procedures as a key communication mechanism.

13.3 Supervisors, in evaluating the internal control systems of banks, may choose to direct special attention to activities or situations that historically have been associated with internal control breakdowns leading to substantial losses. Certain changes in a bank’s environment should be the subject of special consideration to see whether accompanying revisions are needed in the internal control systems. These changes include: (i) a changed operating environment;
(ii) new personnel; (iii) new or revamped information systems; (iv) areas/activities experiencing rapid growth; (v) new technology; (vi) new lines, products, activities (particularly complex ones); (vii) corporate restructuring, mergers and acquisitions; and (viii) expansion or acquisition of foreign operations (including the impact of changes in the related economic and regulatory environments).

Supervisor directs special attention to activities or situations that historically have been associated with internal control breakdowns leading to substantial losses. Changes in bank’s environment are subject to special considerations from the supervisor.

The supervisor’s on-site inspection of banks is at present not fully tailored to specific bank’s environment and is thus not quite individualised. The RBI may consider taking steps so that such inspections are individualised and a more bank-specific approach is adopted in on-site inspections. As this happens, specific changes in particular bank’s operating environment will automatically receive special consideration of the supervisor leading to better evaluation of the bank’s risk management and internal control systems.

13.4 To evaluate the quality of internal controls, supervisors can take a number of approaches. Supervisors can evaluate the work of the internal audit department of the bank through review of its work papers, including the methodology used to identify, measure, monitor and control risk. If satisfied with the quality of the internal audit department’s work, supervisors can use the reports of internal auditors as a primary mechanism for identifying control problems in the bank, or for identifying areas of potential risk that the auditors have not recently reviewed. Some supervisors may use a self-assessment process, in which management reviews the internal controls on a business-by-business basis and certifies to the supervisor that its controls are adequate for its business. Other supervisors may require periodic external audits of key areas, where the supervisor defines the scope. And finally, supervisors may combine one or more of the above techniques with their own on-site reviews or examination of internal controls.

This approach is generally followed in the on-site inspection of banks by the supervisor’s (RBI) inspection teams.

13.5 Supervisors in many countries conduct on-site examinations and a review of internal controls is an integral part of such examinations. An on-site review could include both a review of the business process and a reasonable level of transaction testing in order to obtain an independent verification of the bank’s own internal control processes.

This position obtains.

13.6 An appropriate level of transaction testing should be performed to verify:

• the adequacy of, and adherence to, internal policies, procedures and limits;
• the accuracy and completeness of management reports and financial records; and
• the reliability (i.e., whether it functions as management intends) of specific controls identified as key to the internal control element being assessed.

The on-site assessments are based on the CAMELS model. The focus is on systems, controls and asset evaluation with a high level of transaction testing. However, with a move towards risk-based supervision, the level of transaction testing would be calibrated on the basis of the risk profile of individual banks focusing on areas of higher risks.

13.7 In order to evaluate the effectiveness of the five internal control elements of a banking organisation (or a unit/activity thereof), supervisors should:

• identify the internal control objectives that are relevant to the organisation, unit or activity under review (e.g., lending, investing, accounting);
• evaluate the effectiveness of the internal control elements, not just by reviewing policies and procedures, but also by reviewing documentation, discussing operations with various levels of bank personnel, observing the operating environment, and testing transactions;
• share supervisory concerns about internal controls and recommendations for their improvement with the Board of Directors and management on a timely basis, and;
• determine that, where deficiencies are noted, corrective action is taken in a timely manner.

RBI evaluates the adequacy and effectiveness of internal control elements of banks during the on-site process. Apart from reviewing policies and procedures, the supervisory assessments are made by reviewing documentation, observing operating environment and also testing individual high value transactions on sample basis. The evaluation is factored in the risk assessment of the bank under the CAMELS framework where the component ‘S’ stands for systems and controls.

13.8 Banking supervisory authorities that have the legal basis or other arrangements to direct the scope of and make use of the work of external auditors, often or always do so in lieu of on-site examinations. In those instances, the external auditors should be performing the review of the business process and the transaction testing described above under specific engagement arrangements. In turn, the supervisor should assess the quality of the auditor’s work.

During the annual financial inspections conducted by the RBI of commercial banks, the findings of the external auditors are also reviewed in arriving at its evaluation. However, the findings of the auditors are invariably verified during the inspections.

It would be more efficient if RBI would leverage the findings of the external auditors of the bank. The RBI may also consider the practice of engaging external auditors for specific area audit/ inspection of banks and utilise their reports for supervisory oversight as is done by some other regulators.

13.9 In all instances, bank supervisor should take note of the external auditors’ observations and recommendations regarding the effectiveness of internal controls and determine that bank management and the board of directors have satisfactorily addressed the concerns and recommendations expressed by the external auditors. The level and nature of control problems found by the auditors should be factored into the supervisors’ evaluation of the effectiveness of a bank’s internal controls.

This is done by the supervisor.

13.10 Supervisors should also encourage bank external auditors to plan and conduct their audits in ways that appropriately consider the possibility of material misstatement of banks’ financial statement due to fraud. Any fraud found by the external auditors, regardless of materiality, must be communicated to the appropriate level of management. Fraud involving senior management and fraud that is material to the entity should be reported by the external auditors to the board of directors and/or the audit committee. External auditors may be expected to disclose fraud to certain supervisory authorities or others outside the bank in certain circumstances (subject to national requirements).

External auditors report their audit findings directly to the board of directors of the bank. External auditors are not required to directly report their findings regarding frauds detected to the supervisors (RBI) or any other authority.

13.11 In reviewing the adequacy of the internal control process at individual banking organisations, home country supervisors should also determine that the process is effective across business lines, subsidiaries and national boundaries. It is important that supervisors evaluate the internal control process not only at the level of individual businesses or legal entities, but also across the wide spectrum of activities and subsidiaries within the consolidated banking organisation. For this reason, supervisors should encourage banking groups to use common auditors and common accounting dates throughout the group, to the extent possible.

RBI currently reviews the adequacy of internal control process in banking institutions on a stand-alone basis. In view of distinct supervisory jurisdictions for securities market, housing finance and insurance activities, RBI does not explicitly evaluate internal controls at subsidiaries engaged in these activities. At present, RBI also does not insist on the use of common auditors and common accounting dates throughout groups.

G. Roles and responsibilities of External auditors

14.0 While the primary purpose of the external audit function is to give an opinion on the annual accounts of a bank, the external auditor must choose whether to rely on the effectiveness of the bank’s internal control system. For this reason, the external auditors have to obtain an understanding of the internal control system in order to assess the extent to which they can rely on the system in determining the nature, timing and scope of their own audit procedures.

The external auditors assess and comment on the adequacy and effectiveness of the internal control systems in banks.

14.1 The exact role of external auditors and the processes they use vary from country to country. Professional auditing standards in many countries require that audits be planned and performed to obtain reasonable assurance that financial statements are free of material misstatement. Auditors also examine, on a test basis, underlying transactions and records supporting financial statement balances and disclosures. An auditor assesses the accounting principles and policies used and significant estimates made by management and evaluates the overall financial statement presentation. In some countries, external auditors are required by the supervisory authorities to provide a specific assessment of the scope, adequacy and effectiveness of a bank’s internal control system, including the internal audit system.

Professional auditing standards in India require audits to be performed in a way that reasonable assurance is obtained that the financial statements provide a true and fair view of the banks condition and that the statement is free of material misstatements. The auditors specifically comment on the consistency of accounting policies adopted by the bank and their conformance with generally accepted accounting principle.

14.2 One consistency among countries, however, is the expectation that external auditors will gain an understanding of a bank’s internal control process to the extent that it relates to the accuracy of the bank’s financial statements. The extent of attention given to the internal control system varies by auditor and by bank; however, it is generally accepted that material weaknesses identified by the auditors should be reported to management in confidential management letters and, in many countries, to the supervisory authorities. Furthermore, in many countries, external auditors may be subject to special supervisory requirements that specify the way that they evaluate and report on internal controls.

The auditing profession in India is governed by standards of professional conduct and ethics prescribed by the ICAI. While weaknesses in internal control are communicated either orally or in writing to the management, there is no practice of external auditors directly communicating their observations and concerns to the supervisors.

Principle

Indian Position

Remarks

A. Establishing an appropriate credit risk environment

1. The board of directors should have responsibility for approving and periodically reviewing the credit risk strategy and significant credit risk policies of the bank. The strategy should reflect the bank’s tolerance for risk and the level of profitability the bank expects to achieve for incurring various credit risks.

The board of directors of banks in India review and approve the loan policies of banks, which cover credit risk policy and strategy. However, as scientific risk management is in a nascent stage of development, Indian banks have not focused the credit risk strategy in their loan policies.

Banks will have to put in place a sound risk management system within as short a timeframe as possible, but in any case not exceeding two to three years. With stabilisation of risk management systems, banks will be required to revisit their loan policies and articulate credit risk management strategies in it.

2. Senior management should have responsibility for implementing the credit risk strategy approved by the board of directors and for developing policies and procedures for identifying, measuring, monitoring and controlling credit risk. Such policies and procedures should address credit risk in all of the bank’s activities and at both the individual credit and portfolio levels.

As stated above, Indian banks have not yet focused the credit risk strategy in their loan policies.

With stabilisation of risk management systems being put in place by banks, senior management of banks will be required to implement the credit risk strategy approved by the board.

3. Banks should identify and manage credit risk inherent in all products and activities. Banks should ensure that the risks of products and activities new to them are subject to adequate risk management procedures and controls before being introduced or undertaken, and approved in advance by the board of directors or its appropriate committee.

Banks in India do identify the credit risk in most of the products and activities and take approval of the boards of directors. However, the management of credit risk is yet to be on scientific lines.

B. Operating under a sound credit granting process

4. Banks must operate under sound, well-defined credit granting criteria. These criteria should include a clear indication of bank’s target market and a thorough understanding of the borrower or counterparty, as well as the purpose and structure of credit, and its source of repayment.

Banks in India do have a sound and well-defined credit granting system.

5. Banks should establish overall credit limits at the level of individual borrowers and counterparties, and groups of connected counterparties that aggregate in a comparable and meaningful manner different types of exposures, both in the banking and trading book and on and off the balance sheet.

Banks have set up maximum exposure limits to individual and group borrowers within the ceilings prescribed by the regulator, which is in line with international best practices.

6. Banks should have a clearly established process in place for approving new credits as well as the amendment, renewal and re-financing of existing credits.

Banks in India have clearly established processes for approving new credits and renewal of existing credits.

7. All extension of credit must be made on an arm’s length basis. In particular, credits to related companies and individuals must be authorised on an exception basis, monitored with particular care and other appropriate steps taken to control or mitigate the risks of non-arm’s length lending.

Banks in India are statutorily prohibited to make connected lending to their directors or the parties in which the directors are interested. Lending to related companies, i.e., banks’ own subsidiaries are at arm’s length basis with no concessions.

C. Maintaining an appropriate credit administration, measurement and monitoring process

8. Banks should have in place a system for ongoing administration of their various credit risk-bearing portfolios.

Banks in India have in place a system for ongoing administration of their credit risk-bearing portfolios.

9. Banks must have in place a system for monitoring the condition of individual credits, including determining the adequacy of provisions and reserves.

Banks in India have system for monitoring individual credits. However, the determination of provisions for loan losses are formulae-based.

10. Banks are encouraged to develop and utilise an internal risk rating system in managing credit risk. The rating system should be consistent with nature, size and complexity of a bank’s activities.

Banks in India have developed internal risk rating systems in managing credit risk, which is consistent with their nature of activities.

11. Banks must have information systems and analytical techniques that enable management to measure the credit risk inherent in all on- and off-balance sheet activities. The management information system should provide adequate information on the composition of the credit portfolio, including identification of any concentrations of risk.

While banks in India have information systems to measure credit risk and concentration risk in all on-balance sheet exposures, the information system is not developed to capture off-balance sheet activities.

12. Banks must have in place a system for monitoring the overall composition and quality of the credit portfolio.

Banks in India have systems in place for monitoring the overall composition and quality of credit portfolio.

13. Banks should take into consideration potential future changes in economic conditions when assessing individual credits and their credit portfolios, and should assess their credit risk exposures under stressful conditions.

Though banks in India do generally take into consideration potential future changes in economic scenario while assessing individual credits, its impact on the credit portfolio under stressful conditions is not analysed in a sophisticated manner.

D. Ensuring adequate controls over credit risk

14. Banks must establish a system of independent, ongoing assessment of the bank’s credit risk management processes and the results of such reviews should be communicated directly to the board of directors and senior management.

As stated earlier, Indian banks are yet to develop a risk focus in their credit risk management processes.

15. Banks must ensure that the credit-granting function is being properly managed and that credit exposures are within levels consistent with prudential standards and internal limits. Banks should establish and enforce internal controls and other practices to ensure that exceptions to policies, procedures and limits are reported in a timely manner to the appropriate level of management for action.

This practice is there in Indian banks.

16. Banks must have a system in place for early remedial action on deteriorating credits, managing problem credits and similar workout situations.

This practice is there in Indian banks.

E. The role of supervisors

17. Supervisors should require that banks have an effective system in place to identify, measure, monitor and control credit risk as part of an overall approach to risk management. Supervisors should conduct an independent evaluation of a bank’s strategies, policies, procedures and practices related to the granting of credit and the ongoing management of the portfolio. Supervisors should consider setting prudential limits to restrict bank exposures to single borrowers or groups of connected counterparties.

RBI, the supervisor has issued comprehensive risk management guidelines in banks in October 1999. As stated earlier, scientific credit risk management systems are yet to stabilise in Indian banks. Through on- and off-site supervisory systems, RBI conducts independent evaluation of a bank’s strategies, policies, procedures and practices related to the granting of credit and the ongoing management of the portfolio. RBI has also set up prudential limits to restrict bank exposures to single borrowers or groups of connected counterparties.

Principle

Indian Position

Remarks

A. Definition and uses of rating system

1. Internal Rating approach should normally take into account the following :

1. Borrowers probability of default (PD),i.e. the probability that the borrower may not be able to fully/ partially meet his commitment towards principal and interest;
2. The facility’s loss given default (LGD), i.e., the percentage of exposure that is lost when the default occurs;
3. The level of exposure at the time of default (EAD);
4. The credit’s expected loss (EL), which is the function of these variables. EL equals default probability times the loss given default. This is the loss that is expected to devolve on the bank in respect of an asset, on the basis of historical data;
5. The unexpected loss (UL) associated with these and possibly due to other characteristics of the borrowers and exposures. Unexpected loss represents the volatility in the rate of recovery and deviations from the estimated probability of default at certain confidence levels. While reserves and provisions are expected to take care of the expected loss component, the unexpected loss is to be covered by Economic Capital.

1. The Internal Rating approach, as practised by most of the banks in India, measures the risk by quantitative mode.
2. Such a system presently takes into account only the probability of default.
3. A system for measuring expected and unexpected losses is yet to be put in place in most banks.
4. The important inputs in risk rating systems of banks in India are financial analysis, projections and sensitivity and incidence of industrial and management risks.
5. RBI guidelines on risk management systems in banks state that risk management process should encompass quantifying the risk through estimating expected loan losses i.e., the amount of loan losses that bank would experience over a chosen time horizon and unexpected loan losses.

The objective of risk quantification systems like credit ratings should be to establish a scientific basis to assess and price credit risk taking into account the "expected loss" and to critically estimate the requirements of Economic Capital (Risk Capital) based on estimations of "unexpected loss".

Banks in India need to adopt at an early date systems of internal rating requiring measurement of PD, LGD and EAD. The present MIS of banks will therefore have to be suitably redesigned and their systems enabled to capture the required data in convenient and reliable manner.

2. Banks have different approaches to rating system because of factors such as

1. Differing emphasis on quantitative and qualitative risk factors;
2. Importance of each institution’s credit culture and historical experience;
3. Differing judgements regarding complexity and opaqueness of risks associated with each transaction;
4. Differing responses to inherent difficulties in quantifying loss characteristics;
5. Different risk management and other uses to which rating information and risk measures are put.

1. Banks in India normally follow internal rating systems in which both qualitative and quantitative risks factors are measured and taken into account. These systems are, however, simple and not in a position to assess more opaque risks attached with complex transactions.
2. Risk measurement techniques are yet to be used for quantifying loss characteristics as such.

With growing size and complexity of operations and increasing orientation of banks towards management of risks, there is a need for banks in India to restructure their rating systems enabling these to capture market dynamics.

B. Basic architecture of Internal Rating Based approach to capital

Internal Rating Based approach to regulatory capital should have three basic elements :

1. To become eligible for IRB approach, a bank has to demonstrate that its Internal Rating system and processes are in accordance with minimum standards and sound practice guidelines which will be set up by Basel Committee. These guidelines would ensure the quality, usefulness and integrity of the key statistics that would form the basis of the bank’s capital requirements.
2. If the bank’s internal system/ procedures meet these requirements, bank need to provide to supervisors exposure amounts and estimates of key loss statistics association with these exposures (such as PD) by internal rating grade. These exposures would include both outstanding balances as well as some percentage of committed but undrawn amounts. Banks would provide information based on their own rating systems, in accordance with minimum standards and sound practice guidelines that would be set forward by the Basel Committee.
3. Based on the banks’ estimate of Probability of Default (PD) and estimates of Loss Given Default (LGD) and other potential asset characteristics, banks’ exposure would be assigned to capital "buckets". Each bucket would have a risk weight that incorporates unexpected loss associated with estimates of PD, LGD and other losses. These risk weights would be developed by bank supervisors taking into account intrinsic risk of the asset and minimising incentives for banks to bias the assignment of Internal Rating, or to engage in capital arbitrage.

1. RBI, in their guidelines for Risk Management Systems in Banks, have stipulated that credit risk management process should be articulated in bank’s loan policy, duly approved by the board.
2. This process for banks in India can start only after Basel Committee sets forward the minimum standards and sound practice guidelines for Internal Rating approach.

1. Any successful approach in this context would require familiarity of the functionaries with the rating process.
2. A comprehensive risk rating system should serve as a single joint indicator of diverse risk factors.
3. In the Indian context it would be necessary to strengthen the MIS and data collection machinery in banks to ensure integrity and reliability of the data is beyond doubt.
4. The ratings should facilitate the functionaries by informing them of the quality of loan at any moment of time.

C. Range of Practice in the Rating System Structure

1. Range in Rating Systems

1. Average number of grades reported by banks covering non-impaired corporate loan is 10. The range normally falls between 2 and 20.
2. Average number of problem grades reported by banks is 3.
3. The measure of ability of well-functioning rating system is the largest percentage of total rated exposures falling in a single grade. On an average, banks normally have 30 per cent of rated exposure within a single grade.

1. Banks in India have normally between 6-8 rating grades for non-impaired corporate loans.
2. Banks in India have normally 3 rating grades for problem loans.
3. This could be the position for banks in India also. However we need to get more data on this aspect of the present rating system of banks in India.

D. A key element of rating system structure is the focus on characteristic of the
borrower (obligor) as opposed to specific details of transaction/ facility

1. Majority of banks have adopted an explicit obligor dimension, that is, they assign a rating which reflect the risk that borrower will default on any of its obligations.
2. One third of the banks utilise a two dimensional rating, i.e., the ratings system includes both an obligor grade and a facility grade. Facility grades for different loans could differ based on collateral taken, seniority or other structural attributes of the loan.
3. Among those banks with two-dimensional rating systems, a small number appears to assign an obligor rating and a second "LGD" rating that explicitly evaluates likely recovery rates for each transaction in the event that a default were to occur.
4. In practice, even banks which have only an obligor rating system in place, may implicitly take into consideration the riskiness of facilities for pricing, profitability analysis and in allocation of economic capital; in such cases, facility type LGD is mechanically derived based on the type of loan, the presence and type of collateral, and possibly other factors, in effect, outside of the rating system.
5. In light of the above practices, it would appear that only a small minority of banks take no consideration of facility characteristics in their grading process.

Internal Rating Systems in the Indian banking system is mostly with obligor dimension. This rating reflects the risk that the borrower will default in any of its obligations. Rating of individual facilities is yet uncommon although some banks, in recent years, have introduced differential pricing for term loans through an unique benchmark rate. However, despite the prevalence of ‘only obligor’ rating system, most banks in India do take into consideration, through analysis of quantitative and qualitative data, the riskiness of different facilities, profitability analysis of the various lines of business of the obligor, quality of the management, developments at the industry/ business levels, etc., in arriving at the rating.

E. Categories of Rating Process

a) Statistical-based processes:

b) Constrained expert judgement processes:

c) Expert judgement process:

Banks in India use a combination of both statistical based processes and constrained expert judgement processes. The expert judgement process is not in vogue especially for large corporates.

F. Risk factors considered in assigning grades

1. Main considerations in assessing borrowers :

1. Financial statements such as balance sheets, income statements, cash flow statements, etc. Those banks relying heavily on the statistical default models use specific type of financial data (e.g., specific ratios that described leverage, debt service coverage, and the like), while those banks relying on more judgemental analysis may allow discretion to the rater on analysis of these data.
2. Historical and trend data of the above financial statements. Some banks use three or more years of data.
3. Industry and peer group analysis. In this case supporting industry analysis is provided by internal economic analysis units or outside vendors, so that the different raters within the same institution would tend to incorporate a common view of the industry’s outlook across all borrowers.
4. Management experience and competence (especially in areas where constrained expert judgement is used)
5. Ownership structure, reputation, quality of financial information provided, the purpose for which the loan is provided, environmental liabilities, etc.
6. Country risk in case of cross border lending. Country risk is universally considered using a "sovereign ceiling" rule (the rating of the counterparty cannot exceed the rating of the sovereign in which it is incorporated or has its principal place of business.

2. Main considerations in assessing facilities :

i. Facility characteristics such as third party guarantee, collateral and seniority/ subordination of the obligations are taken into account taken into account while assigning a grade to an exposure and/or analysing internal profitability or capital allocations.

ii. Most banks allow bank guarantees to affect the rating by effectively transferring the risk to the guarantor, or, alternatively, using the more favourable of the borrower or guarantor rating.

iii. Banks providing facility grades generally did not consider the liquidity of the instrument being rated in assigning that grade.

iv. The decision to take a provision for loan losses is also considered explicitly as a factor in assigning facility ratings.

v. Maturity of the facility is considered in allocating economic capital for credit risk.

3. Use of statistical default models :

Normally internally developed models are used. These models also appear to rely on similar inputs such as balance sheet ratios, trend analysis etc. In some banks vendors provided models such as KMV’s Credit Monitor are used. These are being used primarily for large corporate and international borrowers.

4. Use of external rating :

Wherever available, external rating is used is assigning internal grades, mainly in cases where expert judgement based process of internal rating is used. Normally these external ratings are available only for large corporates and mainly in North America and UK.

All these factors are taken into account by banks in India while assigning grades to the borrowers in most cases.

1. These factors are taken into account by banks in India while assessing facilities for the borrowers.

 

2. Some of the banks in India go by the principle that availability of collateral should not influence the risk rating as collaterals help in taking a business decision while credit rating facilitates a credit decision.

Use of default models is still not common in Indian banking.

In India, external ratings are used more in investment decisions rather than in credit rating process. In India also, the ratings are available only for big corporates.

G. Time Horizon

a) Majority of the banks described the time horizon for internal rating as one year or in many cases the maturity of transaction is question. Many banks described the horizon as ambiguous, or alternatively allow raters to determine the horizon on a case-by-case basis.

b) Banks follow "either point in time" or "through the cycle" orientation. In the former process, the rating reflects an assessment of borrower’s current conditions or most likely future conditions over the chosen time horizon. The latter process requires the assessment of borrower’s riskiness based on worst case scenario (i.e., its conditions under stress). In this case, a borrower’s rating would tend to stay the same over the course of the credit/ business cycle.

c) Banks claiming to use a "through the cycle" process, are likely to take into account longer term negative prospects and unlikely to rely very heavily on long term projections of improvement in borrower’s ability to repay as a basis for assigning a favourable internal rating. Of course, such perspective is wholly consistent with sound credit risk management.

Indian banks normally assign an internal rating for one year after which it will be revised/ renewed.

Indian banks follow "point in time" orientation for rating process.

H. Measuring Loss Characteristics by Grade

1) Banks attempt to estimate the loss characteristics of internal rating grades for various reasons including :

1. Allowing for more accurate pricing, profitability and performance analysis.
2. Monitoring the structure and migration of the loan portfolio.
3. Assisting in the loan loss reserving process.
4. Providing an input to portfolio credit risk models and economic capital allocation process.
5. Evaluating the accuracy and consistency of rating criteria (i.e., to determine whether different assets in the same grade have the same loss characteristics).

While only a very few banks in India have developed internal rating systems, even those that have such a system are yet not attempting to estimate the loss characteristics of different grades. One big hurdle in this area has been lack of availability of reliable data which is due to manual operations. Unless the risk management systems of banks in India are raised to a sufficiently high level of detail and sophistication, the objectives behind measuring loss characteristics by grade as stated here will not receive the desired focus.

The banks have just begun adopting risk management systems with any degree of sophistication. It will be some time, say another 3/5 years before the whole banking system can expect to come to the level of risk management envisaged in the note. This presupposes total computerisation and the right kind of MIS. The bigger banks must however be encouraged to expedite the process of transition from the elementary levels of risk management to levels of greater sophistication more expeditiously. In this they may not be having in-house expertise and may therefore be encouraged to obtain external assistance, e.g., from consultants, etc.

I. Methods for estimating loss characteristics

Rating systems rely on criteria that are expected to provide information about a borrower’s/facility’s perceived riskiness or loss characteristics. The process of inferring loss characteristics requires information about borrower and asset characteristics as well as information about historical loss experience that can be used to associate loss characteristics to grades. These requirements can be met in the following two ways.

1. Banks can analyse its internal data on loss experience of various asset classes over a sufficiently long period.
2. If a bank has reconciled its grading with those of external credit assessment institution, then it can use the institution’s published data on loss experience. A key consideration in relying on such external data is the comparability of such data to a bank’s own portfolio. Comparability could become difficult due to reasons such as differences in the composition of the bank’s own portfolio, the potential differences between the performance of publicly traded bonds and that of loans .

As above

J. Survey Results on Probability of Default (PD)

1) Many banks did not have sufficient data for specifying loss characteristic based on their own default history but a number relied on internal data for analysing the performance of borrower segments such as retail or middle market customers. Though many banks have initiated data gathering over the past five years, majority of banks rely on data provided by major rating agencies, public data banks or consulting company’s data.

2) To use the data provided by external agencies, banks must assume correspondence between their rating grades and those of external agencies by ‘mapping’ to the grades of the latter.

3) This is more easily done in case of borrowers who have issued publicly rated bonds, as the ratings of various financial data by external agencies can be easily compared with grades given internally for the same borrower.

4) There are difference in banks’ approach towards the conceptual definitions of defaults and loss in assigning ratings. The Models Task Force will continue to analyse the degree to which the use of such different definitions of default and loss at banks, and in the data sources used to quantify the loss characteristics of each internal grade, affect the comparability of PD estimates within the banks, as well as across banks and countries.

5) Many banks have started to track the migration of loans between rating grades. Some banks are relying on this data in checking the calibration of PD and LGD, and validating the internal consistency of the rating process.

6) Some banks are using statistical default models for calculating average PDs for each internal grades. Such models are in assigning and/or reviewing the assignment of internal grades.

1. Banks in India are yet to use their internal default data to arrive at PD, though some banks are attempting this process.
2. In view of the wide network of branches and the fact that many of the branches in rural and semi-urban areas have not been computerised, many operational constraints are faced by banks in building up a reliable database.

Banks in India have yet to begin using statistical default models for calculating average PDs for each internal rating grade.

K. Survey results on Loss Given Default (LGD)

1) One third of banks apply facility-specific LGD estimates to their exposures for use in internal capital allocation and/or profitability analysis system. Among the remaining majority of banks, many indicated that they did not at present estimate LGD, possibly because they do not at present operate capital allocation or profitability analysis system that make use of LGD estimates.

2) General factors considered important for estimating LGD are as under :

i) Borrower’s attributes (such as borrower’s grade, country of incorporation, size, industrial sector and other factors which may affect the unsecured value remaining in the defaulted borrower, whether it continues to operate after default or is in liquidation)

ii) Facility characteristics(including the existence of credit mitigation techniques such as seniority of the structure, realisable value of the collateral taken, and the value of any other forms of credit risk mitigation such as third party guarantee)

iii) Bank specific characteristics (such as the internal policy towards recovery), and

iv) Exogenous factors (such as the economic cycle)

3) With respect to secured facilities, banks use a variety of techniques and data sources to arrive at estimates of the value of both financial and physical forms of collateral. Some banks distinguish between "normal" and "forced sale" valuations. Some banks also request, based on the terms of the contract, additional collateral and /or other risk mitigants to maintain the expected recovery ratio.

4) As regards data used for measuring LGD, nearly all banks rely on data from their own historical records.

5) Like in the case of quantifying PDs, those banks seeking to quantify LGD also retain different definitions of what constitutes "default" as well as "loss", and relied on different assumptions about direct and indirect costs, and the time taken to ultimate workout.

N.B.: Models Task Force found survey responses insufficient to glean a consensus on a common framework or "right" LGD estimate for loans of various types. Hence it has urged banks to collect data on LGD as part of an overall approach to assessing and measuring more systematically the amount of credit risks to which they are exposed.

Banks in India are yet to go in for LGD estimates though some banks are making efforts in this direction.

It is desirable that banks build historical data base on the portfolio quantity and provisioning/ charge off to equip themselves to price the risk.

L. Survey Results on Exposure at Default (EAD)

1. It would appear that those banks that typically estimate EAD for facilities with uncertain drawdown, such as a standby line of commitment were those banks that were using some form of capital allocation model. In these cases, EAD is equated to the sum of (1) balances actually drawn and (2) committed but undrawn exposures multiplied by a factor of "x". Key variables having a bearing on the EAD estimate included current outstandings, committed funds, facility structure, and borrower ratings. In the calculation of conversion factor few banks made distinctions in terms of maturity.
2. To an even greater degree than with LGD, banks rely heavily on internal data and studies based on their own historical experience while estimating EAD values. The banks that estimate a facility’s EAD for use in capital allocation and profitability systems do so based only loosely on historical or statistical analysis, and incorporate substantial elements of business judgement and conservatism into these figures.

Banks in India are yet to go for estimation of EAD, though some banks are attempting on these lines.

M. Applications of Rating systems

The rating system is normally used in the following areas:

1) Management Reporting: Normally a summary reporting is made to senior management for the purposes of monitoring the risk composition of the rated portfolios. In some cases the report can contain borrower specific information, such as shifts in rating classes for a single customer.

2) Pricing: The types of applications range from calculation of cost of funds to assigning grade specific risk premiums. At some more sophisticated institutions, the cost of capital is explicitly considered in pricing decisions.

3) Decisions on reserve levels: One third of the banks relate the level of reserves to the rating classes. Remaining banks also implicitly consider the rating information when determining reserves.

4) Economic capital allocation: About half the banks surveyed use rating information for attributing economic capital to product or business lines.

5) Compensation for relationship managers: One third of the banks base compensation for relationship managers on ratings. A number of banks which calculate risk adjusted return on economic capital on rating information also noted that they base incentive-based compensation on this measure.

6) Setting of credit limits: More than half the banks indicated that limits are set based on rating categories. A few banks explicitly noted that loan approval authority is tied to rating categories.

1. The rating system is being put to similar use by some banks in India also.





2. Internal rating grades are used for pricing by some banks.




3. In the Indian system, reserves are created/provisions made on the rating of individual accounts and not in aggregate for a whole grade. Even though a uniform reserve is created for all standard assets, this reserve is the same across different grades as long as the relative advances are standard, i.e., performing.
4. This is being attempted here




5. Neither the compensation package nor performance accountability is in any manner related to the rating categories.

 

6. Internal rating grades are not being used for this purpose. The exposure limits to borrowers and sanctioning powers are mostly independent of the rating category in which a particular loan proposal may be falling.

The banks which are not following this practice as of now may be advised by RBI to do so.

N. Oversight and Control of Internal Rating System

1. Though primary responsibility for initially proposing rating for borrowers varied widely, ratings for large corporates must be approved by credit staff, although the rating may be initially proposed by relationship managers.
2. Most of the banks indicated that credit culture was very important in ensuring accuracy and consistency of rating assignments.
3. All the credit decisions are documented adequately.
4. There was little information provided on loan review units, although some banks indicated that loan review staff reviewed loans on a sampling basis, usually, from riskier loans or in growing areas of lending concentration.
5. All banks conduct a formal review of each risk rating at least once a year. The frequency of review depends on the riskiness of the loan and collateral.
6. In addition to formal review, many use credit scoring model as a monitoring tool to identify exposures whose riskiness may be increasing and thus potentially prompt further review.
7. Normally all the rating systems are developed internally, sometimes in cooperation with outside consultants.

 

8. Many banks emphasised that their systems continue to undergo additional enhancements in a periodical manner.
9. All rating systems are extensively documented and the documentation is made available to relevant staff.

 

10. A third of the banks do backtesting of their internal rating process and use these results to modify either the rating process or the PDs associated with each grade.

1. Some banks follow this practice here as well whereby rating is initially recommended by the relationship manager and reviewed by the credit department.
2. Strong credit culture is in place in many of the banks in India.
3. All credit decisions are documented adequately.
4. Many banks in India conduct credit audits of large loans within three to six months of sanction and disbursal.
5. All banks conduct formal renewal of risk rating once a year. Periodical reviews are done on risky exposures.
6. Periodical review of ratings system is also undertaken.

 

7. The rating systems are mostly being developed internally. Some banks use scoring models to identify riskiness of exposures.
8. This is true of India as well.

 

9. The rating systems are well documented and the documentation is made available to the concerned staff.
10. The rating processes are reviewed periodically but backtesting is not yet in vogue.

O. Future steps for supervisors

1) Supervisors need to consider the following :

1. More closely aligning regulatory capital charges to underlying risk.
2. Ensuring that the new supervisory standards provide incentives for banks to continue to refine risk measurement processes.
3. Ensuring that banks do not move away from established sound credit management policies, and
4. Addressing the degree of comparability of rating systems and their output.

2) In order to arrive at uniform method for Internal Rating, the following have to be considered by the supervisors:

1. Key measurement uncertainties, together with different techniques and data sources which represent source of measurement inconsistency should be considered explicitly in an IRB framework.
2. There appears to be relatively limited set of data sources and techniques available to banks for estimating loss characteristics such as PD, LGD and EAD.
3. Banks seem to have greater difficulty in attributing LGD estimates to their exposures that they have for PD.
4. Different approaches used by banks in assigning internal rating will require different approaches to supervisory review and validation.
5. While many banks have developed advanced risk measure capabilities, it is not clear whether the information so derived is genuinely integrated to the risk management of the bank.

Systematic risk management has only recently been introduced in Indian banks. Most banks are in the process of setting up a system which is simple. Sophistication will be introduced only with passage of time as the banks increase that affinity with the existing system and have improved their MIS substantially. Most of the concepts discussed here are yet to be introduced to the banks.

1. Allocation of economic capital on the basis of risk or variability of returns has gained international acceptance and supervisors are planning to evaluate the internal capital adequacy assessment of banks.
2. Banks in India would have to formulate a medium term strategy to implement Risk Aggregation and Capital Allocation mechanism.
3. RBI may consider guiding the banks to more sophisticated risk management concepts in a time bound manner. It may consider directing some more capable and better equipped banks to adopt higher practices without waiting for the whole banking system. Such banks acting as leaders could provide models for other banks to convert to.

No.

Principle

Indian Position

Remarks

1.

Before conducing business with HLIs, a bank should establish clear policies that govern its involvement with these institutions consistent with its overall credit risk strategy. Banks should ensure that an adequate level of risk management, consistent with their involvement with HLIs, is in place.

Indian banks do not generally have dealings with Highly Leveraged Institutions as defined in the BIS Paper. With increasing globalisation, the possibility of such interactions taking place, and on an increasing scale, cannot be ruled out. It is, therefore, felt necessary to have necessary guidelines in this regard in place.

2.

A bank that deals with HLIs should employ sound and well-defined credit standards which address the specific risks associated with HLIs.

-- do --

3.

A bank taking on OTC derivatives positions vis-à-vis HLIs should develop meaningful measures of credit exposure and incorporate these measures into its management decision-making process.

-- do --

4.

Effective limit setting depends on the availability of meaningful exposure measurement methodologies. In particular, banks should establish overall credit limits at the level of individual counterparties that aggregate different types of exposures in a comparable and meaningful manner.

-- do --

5.

A bank interacting with HLIs should align collateral, early termination and other contractual provisions with the credit quality of HLIs, taking into account the particular characteristics of these institutions such as their ability to rapidly change trading strategies, risk profiles and leverage. In doing so, banks may be able to control credit risk more pre-emptively than is the case when such provisions are driven solely by net asset values.

-- do --

Principle

Indian Position

Remarks

I. FOUNDATIONS FOR SOUND ACCOUNTING

1. A bank should adopt a sound system for managing credit risk.

Effective risk management and control policies are essentially related to sound and timely accounting and valuation of loans. To be able to prudently value loans and to determine appropriate allowances, it is particularly important that banks have a system in place to reliably classify all loans on the basis of risk. A credit risk classification system may include degrees of credit deterioration, borrowers’ current financial position and paying capacity, the current value and realisability of collateral, and other factors that affect the prospect for collection of principal and interest.

Accounting and valuation process must be complemented by effective internal control in bank’s lending operations.

The regulatory requirement for banks in India is to classify loans on the basis of risk in a four-tiered asset classification system, viz., Standard, Sub-standard, Doubtful and Loss.

The classification is primarily based on an objective criterion of record of recovery of interest and principal and an assessment of probability/chances of recovery in future.

A Standard asset is one which does not indicate any problems and which does not carry more than normal risk attached to the business. An asset becomes non-performing (NPA) when it ceases to repay interest and/or instalment (principal) for a period of two quarters, i.e., 180 days (to be reduced to 90 days with effect from 31 March 2004) in a financial year.

A Sub-standard asset is one which has been classified as NPA for a period not exceeding 18 months.

A Doubtful asset is one which has remained NPA for a period exceeding 18 months.

A Loss asset is one where loss has been identified by the bank or its auditors, internal or external or by the RBI in its inspection report. In other words, such an asset is considered uncollectible and of such little value that its continuance as a bankable asset is not warranted although there may be some salvage or recovery value.

Advances need not go through the progression of Substandard to Doubtful to Loss; but, could be straightaway classified as Doubtful or Loss where there are potential threats to recovery.

Loan loss allowances (provisions) are generally based on standardised formula as given below:

Sub-standard assets – 10 per cent

Doubtful assets – 100 per cent for the unsecured portion and 20 per cent, 30 per cent and 50 per cent on the secured portion if the loan remains in doubtful category up to 1 year, 1 to 3 years and more than 3 years respectively.

Loss assets – 100 per cent

Keeping in line with international best practices, a general allowance of 0.25 per cent is also created for Standard assets.

The exercise of accounting/classification of loans into the four categories is carried out on an on-going basis and for the purpose of valuation, allowances (provisions) are created at the time of annual closing of balance sheet.

Banks also have proper internal control systems approved by the Board of Directors for recording, documentation, loan review procedures, etc.

The position of loan classification in India is objective, based on record of recovery of interest and principal coupled with an assessment about their realisability. Although internationally in most banking systems, an asset is classified into Sub-standard category after 90 days’ of payment delinquency, Indian banks are expected to adopt this practice only from 31 March 2004. This is largely due to the current trade/business practices followed in the country, which permits a long payment cycle. Further, the Indian loan classification is conservative in as much as the value of collaterals is not taken into account for risk classification of loans. However, while creating allowances for Doubtful assets, the value of collaterals is reckoned at a progressive discount up to 3 years only beyond which there is no further discounting of the value of collaterals. If the loan does not migrate to Loss category (for which 100 per cent provision is required to be made), the accounts remains under-provided as after 3 years on a debt in Doubtful category a maximum of 50 per cent provision is created on the portion of the debt which is considered as secured. This loophole needs to be plugged in the context of limitations in the legal situation prevailing in the country in the realisation of collaterals.

This should be gradually increased to international standards.

2. Judgements by management relating to the recognition and measurement of impairment should be made in accordance with documented policies and procedures that reflect such principles as consistency and prudence.

Recognition and measurement of loan impairment cannot be totally based on specific rules and involve a mix of formal rules and judgement by management. Judgements are necessary but should be prudently limited and documented and applied consistently over time.

Basic guidelines for risk classification of loans have been provided by the central bank, i.e., RBI. In addition, banks have their own documented policies of loan classifications which are formulated with the RBI guidelines as base. The policies are, therefore, well documented and objectively followed. While the value of judgements in risk classification of loans is not denied, their role in the process is limited and not pronounced.

3. The selection and application of accounting policies and procedures should conform to fundamental accounting concepts, like true and fair view, reliability, prudence, materiality, consistency, accrual basis of accounting, etc.

The selection and application of accounting policies and procedures by Indian banks conform to fundamental accounting concepts.

II. ACCOUNTING FOR LOANS

Recognition, derecognition and measurement

4. A bank should recognise a loan, whether originated or purchased, in its balance sheet when, and only when, the bank becomes a party to the contractual provisions of the loan.

The Indian banking system follows this practice.

5. A bank should remove a loan (or a portion of a loan) from its balance sheet when, and only when, the bank loses control of the contractual rights that comprise the loan (or a portion of the loan). A bank loses such control if it realises the rights to benefits specified in the contract, the rights expire or the bank surrenders those rights.

The Indian banking system follows this practice.

6. A bank should measure a loan, initially, at cost.

The Indian banking system follows this practice.

Impairment – recognition and measurement

7. A bank should identify and recognise impairment in a loan or a collectively assessed group of loans when it is probable that the bank will not be able to collect, or there is no longer reasonable assurance that the bank will collect, all amounts due according to the contractual terms of the loan agreement. The impairment should be recognised by reducing the carrying amount of the loan(s) through an allowance or charge-off and charging the income statement in the period in which the impairment occurs.

• Loan should be reviewed for impairment on a regular basis.
• Based on all relevant factors – debtor’s payment record, overall financial condition and resources, debt service capacity, financial performance, net worth and future prospects, prospect of support from guarantors, current and stabilised cash flows, value of underlying collateral, country risk, etc.
• Collateral should be valued on a prudent basis.
• Weaknesses in legal system and other obstacles that make it difficult to ensure rights should be taken into account.
• Recognition of impairment should be considered whenever circumstances cause uncertainty about a borrower’s ability to repay all amounts due according to the contractual terms of the loan agreement.
• As an exception, loans need not be identified as impaired when the loan is fully secured, and there is reasonable assurance that collection efforts will result in repayment in a timely manner of principal and interest.
• Loans which are not delinquent at all also need to be reviewed for deterioration in credit quality.
• If the borrower is about to default and the bank advances additional funds to meet its current payment obligations, and there is a reasonable assurance that the borrower will be able to repay all principal and interest in full, or that the loan is fully secured and collection efforts will achieve the same result, the loan need not be classified as impaired.
• A loan is a restructured loan when there is a modification in the terms of loan, e.g., reduction in interest from that originally agreed or a reduction in principal amount. A loan extended or renewed at a stated interest rate equal to the current interest rate for new debt of similar risk is not a restructured troubled loan.

Banks in India identify and recognise impairment in a loan on an ongoing basis primarily based on objective basis of record of recovery. Availability of collateral is not considered while recognising impairment of loans. However, banks have been given certain flexibilities in respect of loans which are restructured. In this context it may be added that the definition of a restructured loan and its treatment in the Indian banking system is more conservative than envisaged in the BIS paper, e.g., a loan in which even if only a reschedulement is permitted after the concerned unit has commenced production is considered as restructured. Also, a restructured loan is not treated as standard until 12 months after the restructuring and its satisfactory performance during the period.

The legal system in India is at present not conducive for effective enforceability of the lenders’ rights. It is uncertain and time-consuming. There is no certainty that the collaterals will be realisable within a definite and reasonable time frame. In this background, it is not considered prudent to rely on collaterals while recognising impairment in loans.

There is a case for granting more flexibility to bank management in recognition and measurement of impaired loans than the extant rule based method allows.

When legal system improves helping effective enforceability of the lenders rights, greater flexibility and reliance on availability security in considering impairment of loans should be allowed.

8. A bank should measure an impaired loan at its estimated recoverable amount.

Acceptable methods for calculating estimated recoverable amount are:

• The present value of expected future cash flows discounted at an appropriate interest rate.
• The fair value of the collateral to the extent the loan is collateral dependent.
• The observable market price.

A bank should measure the estimated recoverable amount of a restructured troubled loan taking into account the cost of all concessions at the date of restructuring.

For a group of small homogeneous loans, the extent of impairment should be determined on a portfolio basis by applying formulae.

When latent losses are known to exist, but they cannot be ascribed to individual loans, general allowances (provisions) should be established.

General allowances (provisions) should be replaced by specific allowances or charge-offs immediately when the impairment in loan becomes apparent.

Past experience and current economic and other relevant conditions, etc., should be taken into account in determining general allowances.

General allowances should be determined by using one or several of a number of methodologies including:

• Applying a formulae based on analysis of arrears, ageing of balances, past loss experience, etc.
• Migration analysis
• Various statistical methodologies.
• Estimating impairment in the group based on the bank’s judgement of the impact of recent events and changes in economic conditions, etc.

Bank should review the assumptions used against actual experience at regular intervals.

An impaired loan should only be restored to unimpaired status when the contractual amount of principal and interest is deemed to be fully collectible in accordance with the terms of loan agreement. This should take place when the loan has become regular and has remained so for a reasonable period, or the loan becomes well secured and is in the process of collection.

Banks in India measure impaired loans net of the provisions created for the impairments. The provisions created are formulae based.

Indian banks are presently not following this method.

Indian banks do not take into account the value of collateral in estimating recoverable amount

There are still no secondary markets for loans to determine observable market price.

Banks determine impairment for each account separately and not on portfolio basis.

This is being followed.

As of now, general provisions are created on a formulae basis.

RBI has issued Risk Management Guidelines to banks in October 1999 wherein banks have been advised to set up loan review mechanism for determining, inter alia, the adequacy of loan loss provisioning.

The extant rule based provisioning requirements need to be tightened and gradually brought at par with the internationally accepted standards in this regard. On the secured portion of doubtful debts provision beyond 50 per cent will have to be stipulated if the condition and realisabilty of collaterals so demand. Over a period of time, the formulae-based system of classification and provisioning will have to give way to a more closer to reality assessment of the realisabilty of assets, relying on a risk assessment based system.

Banks should be asked to adopt this approach and determine impairment on portfolio basis also. In such cases a higher provisioning on standard loans in particular portfolio should be considered.

While at present a formulae based system for provisioning on impaired loans is being followed, the extent of provisioning is not being determined scientifically based on any analysis of arrears, ageing of balances, migration analysis or the various statistical methodologies. While some small private sector banks have made a recent move in this direction, public sector banks constituting more than 80 per cent of the system continue to base their provisioning on the specific guidelines given by RBI. The banks should be asked and encouraged to place their system of provisioning on more scientific lines, closer to actual situation. Now that they have already put a credit risk management system in place, it should not be difficult for them to adopt analytical and statistical methods. RBI should also consider issuing suitable guidelines. Migration to a suitable provisioning system can be achieved in the next two financial years, i.e., by the end of March 2003 and RBI should attempt to lead the banks towards that.

Adequacy of the overall allowance

9. The aggregate amount of specific and general allowances should be adequate to absorb estimated credit losses associated with the loan portfolio.

A bank should maintain an overall allowance at a level that is adequate to absorb credit losses. The adequacy of specific and general allowances should be reviewed in preparation of annual or more frequent interim reports, if warranted, to ensure adequacy of allowances with current information about the collectibility of loan portfolio. A bank should not understate or overstate loan losses in order to achieve a desired level of earning in current or future reporting periods.

Assessment of appropriate level of allowances necessarily includes a degree of subjectivity. However, exercise of management discretion should be subject to established policies and procedures, in a consistent manner over time, in conformity with objective criteria and be supported by adequate documentation.

The method of determining overall allowance should ensure the timely recognition of loan losses, based not only on historical loss experience but also current factors that are likely to cause losses associated with the bank’s portfolio. There must be proper documentation.

Ratio analysis as to the relationship between overall allowances to past due and impaired loans, and to total loans, over time and across institutions, can be useful as a supplemental check or tool for evaluating the overall reasonableness of allowances.

The present provisions are rule-based and as of now, not so much based on analytical and statistical methods. These, therefore, tend to be ad hoc and do not always bear close relationship with the realisable value of assets.

RBI has issued Risk Management Guidelines to banks in October 1999 wherein banks have been advised to set up loan review mechanism for determining, inter alia, the adequacy of loan loss provisioning.

Please see remarks at paragraph 8 above.

In preparing its future guidelines on provisioning, RBI may undertake this ratio analysis for the system as a whole. It may also, while asking banks to report to it their respective relative figures, instruct them to undertake such an analysis on their own and make it a part of their mandatory disclosures.

Income recognition

10. A bank should recognise interest income on an unimpaired loan on an accrual basis using the effective interest rate method.

Banks in India recognise interest on unimpaired loans on accrual basis. Effective interest rate method is however not being used.

11. When a loan is identified as impaired, a bank should cease accruing interest in accordance with the terms of the contract.

• Interest on impaired loan should not contribute to net income if doubt exists concerning the collectibility of loan principal or interest.
• Uncollected interest that has been previously accrued should be reversed or included in the loan balance with an adequate specific allowance established against it.
• When an impaired loan is carried at the present value of expected future cash flows, interest may be accrued and reported in net income.
• If present value method is applied, but interest is not accrued to reflect updated present values, bank may adjust the allowances.
• If allowed by law or regulators, cash interest payments received on an impaired loan for which accrual of interest has ceased may be reported as interest income on cash basis as long as the recorded investment in loan less any specific allowance is deemed fully collectible in a timely manner.
• A loan on which a bank has ceased to accrue interest should only be restored to accrual status when the loan has returned to unimpaired status unless the loan has been restructured or the loan has been acquired at a discount that relates to its credit quality.

An impaired loan that has been restructured so as to be reasonably assured of repayment and performance according to its modified terms, may be returned to accrual status.

Banks do not charge and take into income statement interest income on loans which have been identified as non-performing (impaired).

Banks follow this practice.

Banks in India do not carry impaired loans on present value method and therefore do not accrue interest and report in net income.

Not applicable since banks do not use present value method.

The practice in India is to treat any cash interest payment received on an impaired loan for which accrual of interest has ceased, as interest income. This is done notwithstanding the fact that the recorded amount of the loan may not be deemed collectible in a timely manner.

This practice is being followed by banks in India.

The position in India is more conservative. A restructured loan remains in sub-standard category for one year (non-accrual) before being returned to accrual status.

This practice should be modified so that interest received is treated as such, only if the loan is deemed fully collectible on a timely basis.

III. PUBLIC DISCLOSURE

12. Disclosures in a bank’s annual financial reports should be adapted to the size and nature of the bank’s operations in accordance with the materiality concept.

As a minimum, banks should disclose their accounting policies and practices, credit risk management, credit exposures to different types of loans and credit quality (including past due and impaired loans, changes in credit quality and changes in allowances).

Banks in India are making standard disclosures as per the guidelines given by RBI. While the quality and extent of disclosures have been gradually improving, and the management note to the balance sheet is now expected to cover a number of areas about which disclosures have not been made in the past, generally qualitative changes in the portfolio including its credit quality do not yet form part of disclosures.

At present, all banks irrespective of their size, scope and complexity of operations, are required to make the same disclosures. RBI may take urgent steps to introduce the concept of materiality in the matter of disclosures.

Accounting policies and practices

13. A bank should disclose information about the accounting policies, practices and methods it uses to account for loans.

This practice is being followed.

14. A bank should disclose information on the accounting policies and methods it uses to determine specific and general allowances, and it should explain the key assumptions it uses.

Banks in India, as mentioned against principle 9 above, disclose information on the accounting polices and methods they use to determine specific and general allowances, which is totally rule-based as set out by RBI, the regulator/supervisor. In the circumstances, there is no explanation regarding the assumptions used in making the allowances.

Credit risk management

15. A bank should disclose qualitative information on its credit risk management and control policies and practices.

Although most banks are not making these disclosures, they are gradually moving in that direction.

Banks should be asked to make these disclosures in their management’s Note to the Balance Sheet.

Credit exposures

16. A bank should disclose information about loans by major categories of borrowers.

Business segment-wise disclosure of loans is available in the Balance Sheet. Exposures to sensitive sectors are also disclosed.

17. A bank should disclose information about loans by geographic areas.

Indian banks do not make such disclosure. Their exposures are mostly within the domestic boundaries.

18. A bank should disclose information about significant concentrations of credit risk.

Indian banks do not make this disclosure.

This should be introduced urgently.

19. A bank should disclose summary information about its contractual obligations with respect to recourse arrangements and the expected losses under those arrangements.

An estimate of losses under recourse arrangement does not at present form part of normal disclosures in banks’ balance sheets.

This practice needs to be introduced in the Indian banking system at the earliest. RBI may advise banks suitably and guide them to adopt this practice within next two years.

Credit quality

20. A bank should disclose impaired and past due loans by major categories of borrowers and the amounts of specific and general allowances established against each category.

Indian banks do not make this disclosure.

Business segment-wise general and specific provisions should be disclosed. RBI may advise banks suitably and guide them to adopt this practice within next two years.

21. A bank should disclose geographic information about impaired and past due loans including, if practical, the related amounts of specific and general allowances.

Indian banks do not make this disclosure. However, their exposures are mostly within the domestic boundaries.

22. A bank should disclose a reconciliation of changes in the allowances for loan impairment.

Movements in provisions do not yet form a part of disclosure by Indian banks.

These disclosures should be introduced urgently.

23. A bank should disclose balances of loans on which the accrual of interest – in accordance with the terms of the original loan agreement – has ceased because of deterioration in credit quality.

Banks are now required to disclose in their published annual accounts under notes on accounts, information in respect of total loan and also standard and sub-standard assets subjected to restructuring, etc., undertaken during the year.

24. A bank should disclose summary information about troubled loans that have been restructured during the year.

Do

IV. ROLE OF SUPERVISORS

25. Banking supervisors should evaluate the effectiveness of a bank’s policies and practices for assessment of loan quality.

Through on-site inspection and off-site returns, RBI evaluates banks’ policies and practices for assessment of loan quality based on the regulations set by it.

26. Banking supervisors should be satisfied that the methods employed by a bank to calculate allowances produce a reasonable and appropriately prudent measurement, on a timely basis, in accordance with appropriate policies and procedures.

Through on-site inspection and off-site returns, RBI satisfies that the methods employed by the bank to calculate allowances are as per its guidelines. The position in this regard is deemed satisfactory.