Reserve Bank of India
Compliance function in banks
Ref. DBS. CO.PP.BC 6/11.01.005/2006-07
April 20, 2007
The Chairman / CEO
All Scheduled Commercial Banks (excluding RRBs)
Madam / Dear Sir,
Compliance function in banks
As you are aware, draft guidelines on compliance function in banks were placed on the website vide Ref No. DBS.CO.PP.BC 1/11.01.005/2006-07 dated November 16, 2006. Based on the responses / comments on the draft guidelines received from banks, Self Regulatory Organizations and others, the draft guidelines have been suitably modified.
The guidelines may be implemented in full within a time frame of six months from the date of this circular. The implementation would be subjected to comprehensive review by the Reserve Bank of India during the ensuing Annual Financial Inspection.
Yours faithfully,
(G.Gopalakrishna)
Chief General Manager-in-Charge
Preamble
The banks in India already have certain compliance processes in place in accordance with the recommendations of the Ghosh Committee report of 1992. These processes and the organizational structures through which they operate have been primarily shaped by the existing RBI guidelines to banks as also by the banks’ own standards of internal governance. However, as the present arrangements in the banks show, their evolution as an institutional arrangement has not kept pace with the increasing complexities and sophistication in the banking business. In a number of banks, the compliance function is yet to be fully cognizant of the "compliance risk" and the reputational risk arising out of compliance failures, which cause huge economic costs. Consequently, there is a critical need for the management of that risk as one of the key facets of the integrated risk management or enterprise-wide risk management framework.
The compliance function in banks is one of the key elements in the banks’ corporate governance structure. The compliance function in banks has to be adequately enabled and made sufficiently independent. The Basel Committee on Banking Supervision (BCBS) document (April 2005) essentially articulates this perception. This circular seeks to introduce certain principles, standards and procedures relating to the compliance function consistent with the BCBS document and keeping in view the operating environment in India. This circular also intends to articulate that the compliance function is an integral part of governance along with the internal control and risk management process. For the compliance function to be effective, it must be supported by a healthy compliance culture within the organization. The guidelines are also intended to guide the bank-led Financial Conglomerates in managing their "Group-wide compliance risk".
In this circular, a set of minimum guidelines has been laid down. There are significant differences among the banks with regard to their scale of operations, their risk profiles and organizational structures. Therefore, the banks should organize their compliance functions and set priorities for the management of the compliance risks in their organization to suit their requirements.
Compliance and Compliance function in Banks
Introduction
The Compliance Function has to ensure strict observance of all statutory provisions contained in various legislations such as Banking Regulation Act, Reserve Bank of India Act, Foreign Exchange Management Act, Prevention of Money Laundering Act etc. as well as to ensure observance of other regulatory guidelines issued from time to time; standards and codes prescribed by BCSBI, IBA, FEDAI, FIMMDA etc; and also each bank's internal policies and fair practices code. Compliance laws, rules and standards generally cover matters such as observing proper standards of market conduct, managing conflicts of interest, treating customers fairly, and ensuring the suitability of customer advice. They typically include specific areas such as the prevention of money laundering and terrorist financing, and may extend to tax laws that are relevant to the structuring of banking products or customer advice.
Compliance laws, rules and standards have various sources, including primary legislation, rules and standards issued by legislators and supervisors, market conventions, codes of practice promoted by industry associations, and internal codes of conduct applicable to the staff members of the bank. For the reasons mentioned above, these are likely to go beyond what is legally binding and embrace broader standards of integrity and ethical conduct.
Each bank will formulate a Compliance Function for the bank. It shall be the responsibility of the bank's Compliance Officer to assist the top management in managing effectively the compliance risks faced by the bank.
2. Compliance Risk and significance of Compliance Function
2.1 The BCBS paper on Compliance and the Compliance Function in Banks (April 2005) defines Compliance risk as "the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities" (together, "compliance laws, rules and standards").
2.2 The compliance area is critically important in identifying, evaluating, and addressing legal and reputational risks. Given the significance of these risks, a strong Group/enterprise-wide compliance programme is a necessity for banks. A group/enterprise-wide compliance programme helps the bank to look at and across business lines and activities of the organization as a whole and to consider how activities in one area of the firm may affect the legal and reputational risks of other business lines and the entire group/enterprise.
2.3 A group/enterprise-wide compliance programme could help management and the Board in understanding where the legal and reputational risks in the organization are concentrated, provide comparisons of the level and changing nature of risks, and identify those control processes that most need enhancement. The compliance function must therefore ensure that controls and procedures capture the appropriate information to allow senior management and the board to better perform their risk management functions on a group-wide basis.
3. Responsibility of the Board and Senior Management
Compliance starts at the top. It will be most effective in a corporate culture that emphasizes standards of honesty and integrity and one in which the board of directors and senior management lead by example.
3.1 Responsibility of the Board of Directors
- The Board would be responsible for ensuring that an appropriate compliance policy is in place in the bank to manage compliance risk and also overseeing its implementation. It has to ensure that compliance issues are resolved effectively and expeditiously by senior management with the assistance of compliance staff. If necessary, the Board may delegate these tasks to the Audit Committee of the Board (ACB) or a specific Board level Committee constituted for the purpose. The Board or ACB or the Board Committee, as the case may be, should review compliance function on a quarterly basis. A detailed annual review should also be placed before the Board/ ACB or the Board level Committee. In order to ensure there is no potential for any conflict of interest and that the activities of the compliance function are subject to independent review, the compliance function and the audit function of the bank should necessarily be kept separate.
3.2 Responsibility of Senior Management
3.2.1 The bank's senior management would be responsible for establishing a written compliance policy that would contain the basic principles to be followed by the management and staff, and would explain the main process by which compliance risk would be identified and managed through all levels of the organization.
3.2.2 The senior management would ensure that appropriate remedial or disciplinary action is taken if breaches are identified.
3.2.3 Senior management should, with the assistance of the compliance function:
- at least once a year, identify and assess the main compliance risks facing the bank and formulate the plans to manage them;
- submit to the Board/ ACB/ Board Committee, as the case may be, quarterly and annual reviews as prescribed in para 3.1 above, in such a manner as to assist board members to make an informed judgment on whether the bank is managing its compliance risk effectively; and
- report promptly to the board of directors or the ACB on any material compliance failure (e.g. failure that may attract a significant risk of legal or regulatory sanctions, material financial loss, or loss to reputation).
4. The Compliance Policy
4.1 A robust compliance system in a bank should include a well documented Compliance Policy, outlining the compliance philosophy of the bank, role and set up of the Compliance Department, composition of its staff and their specific responsibilities. The policy should be reviewed annually by the Board.
4.2 Broadly, the policy should provide for the following aspects:
- Setting up of an independent Compliance Department at the Head Office with a senior executive heading it with adequate support staff and its role and responsibilities specified.
- Compliance structure in controlling offices and branches specifying the role and responsibility of each functionary in the compliance units.
- Measures to ensure independence of the compliance function. It would be necessary that the remuneration of the compliance functionaries is not related to the business line for which they exercise compliance responsibilities though it could generally be related to the financial performance of the bank as a whole.
- Focus of the compliance function on regulatory compliance, statutory compliance, compliance with fair practice codes and other codes prescribed / suggested by self-regulatory organizations, government policies, bank's internal policies and prevention of money laundering and funding of illegal activities.
- Monitoring mechanism for the compliance testing procedure and the monitoring of its results.
- Reporting requirements including reporting of monitoring results, compliance risk assessment, change in the compliance risk profile etc by compliance function to the senior management and the Board of Directors or ACB or the committee of the Board as the case may be.
- Right of the compliance function to have access to information necessary to carry out its responsibilities and for pointing out / looking into possible breaches of compliance policy.
- Relationship between Chief Compliance Officer and heads of other functional departments.
- Independence of the compliance function from audit function and clarity on their respective roles.
- Mechanism for dissemination of information on regulatory prescriptions and guidelines among operational staff and periodic updating of operational manuals to incorporate changes in regulatory, legal and other prescriptions.
- Approval process for all new processes and products by the Compliance Department prior to their introduction.
- Right of the compliance function to freely disclose its findings and views to senior management, Board / ACB or the Committee of the Board.
5. The Compliance structure
5.1. Depending on its branch network, size and complexity of the business operations, sophistication of products and services offered etc, every bank should decide on the organizational structure and composition of its compliance unit. The structure may, however, be laid down within the overall framework of these guidelines and should avoid all potential conflicts of interest.
5.2 A Compliance Department having formal status should be set up at the Head Office of the bank, (in the case of foreign bank branches it should be at the bank’s Principal Office in India). The compliance department should have an executive or senior staff member of the cadre not less than in the rank of DGM or equivalent designated as Group Compliance Officer or Head of Compliance with overall responsibility for coordinating the identification and management of the bank's compliance risk and supervising the activities of other compliance function staff. He should report to the senior management of the bank but have the right to report directly to the Board of Directors or ACB or the committee of the Board, as the case may be.
5.3 The Compliance Officer in a bank should be appointed for a fixed tenure, as laid down in the bank’s compliance policy, and during that tenure, he may be removed / transferred only with the approval of the Board and through an internal administrative procedure in which his negligence in discharging the compliance function or his serious acts of omission and commission in other financial or administrative matters is established and recorded in a transparent manner.
5.4 The Board, Audit Committee of the Board or any other Board Committee as the case may be, should be kept informed of any change in the Chief Compliance Officer as also the reason for the change in the incumbent. The Reserve Bank of India shall be kept informed of the name of the Chief Compliance Officer as also any change thereof, as and when it takes place.
5.5 In the case of larger banks, compliance staff may be located within operating business lines. Internationally active banks (including foreign banks having a presence in India) may also have group and local compliance officers reporting to their own Regional / Global Head while closely working with the local CEO on regulatory / compliance issues.
5.6 Some banks may wish to organize their compliance function within their operational risk function, as there is a close relationship between compliance risk and certain aspects of operational risk. Others may prefer to have separate compliance and operational risk functions, but establish mechanisms requiring close cooperation between the two functions on compliance matters.
5.7 The Compliance Department should be provided with adequate staff. Further, each Department in the Head Office and controlling offices and the branches (and / or Strategic Business Units (SBUs) in the case of certain banks as considered appropriate depending on their business delivery model) should have distinct compliance function and the functions should be undertaken by specifically identified / designated compliance official who would report to the Chief Compliance Officer.
5.8 The staff in the Compliance Department at the Head Office as also Compliance Officers at controlling offices and branches / SBUs should primarily focus on compliance functions. However, in small sized banks with a limited branch network, the compliance staff could be assigned some other duties while ensuring that there is no conflict of interest. Under no circumstances should the compliance staff be assigned audit/inspection duty, as it gives rise to a serious conflict of interest in view of the fact that all products and processes are expected to be cleared by the Compliance Department and their audit needs to be carried out independently by a separate set of staff.
5.9 In some banks, the entire compliance responsibilities may not be carried out by the compliance department and may be vested in different departments depending on the business model, size, structure etc. Compliance function staff who reside in operating business units or in local subsidiaries may have a reporting line to operating business unit management or local management, but it may be ensured that they also have a reporting line through to the head of compliance as regards their compliance responsibilities. In cases where compliance function staff reside in independent support units (e.g. legal, financial control, risk management), a separate reporting line from staff in these units to the head of compliance may not be necessary. However, these units should co-operate closely with the head of compliance.
5.10 In all such cases, there should invariably be an appropriate mechanism for co-ordination among these departments to enable the Chief Compliance Officer to perform the assigned responsibilities effectively.
5.11 The compliance function should also attend to the compliance of directions from other regulators (IRDA, SEBI etc) in those cases where the activities of the bank are not limited to the banking sector. For example, a bank which is acting as a corporate agent for distribution of other companies’ insurance products may receive direction from IRDA, which should be a part of the compliance function. Further, discomfort conveyed to the bank on any issue by other regulators, should be brought to the notice of the Reserve Bank of India.
5.12 The Chief Compliance Officer should be the nodal point of contact between the bank and the regulator. Regardless of how the compliance function is organized within a bank, it should be independent and sufficiently resourced, its responsibilities should be clearly specified and its activities should be subject to periodic and independent review.
5.13 Apart from the basic qualifications, the Compliance staff should preferably have fair knowledge of law, accountancy and information technology and also adequate practical experience in various business lines and audit/inspection functions to enable them to carry out their duties effectively. In order to keep the compliance staff up-to-date with developments in the areas of banking laws, rules and standards, regular and systematic education and training in new products and services introduced in the banking industry as well as in the areas of corporate governance, risk management, supervisory practices etc. may be considered.
6. Compliance principles, process and procedures
6.1 The Compliance Department at the Head Office should play the central role in the area of identifying the level of compliance risk in each business line, products and processes and issue instructions to operational functionaries / formulate proposals for mitigation of such risk. It should periodically circulate the instances of compliance failures among staff along with preventive instructions.
6.2 Inspection/audit findings should serve as a feedback mechanism for the Compliance Department for assessing the areas of compliance breaches/failures. The Chief Compliance Officer should be an invitee to the meetings of the ACB. A check-list on the compliance aspect may be made part of the inspection report for the inspectors / concurrent auditors to verify the level of compliance. The audit function should keep the Head of compliance informed of audit findings related to compliance.
6.3 Compliance function should vet the guidelines / circulars issued, for compliance with regulatory guidelines before these are disseminated amongst the operational units. The compliance function should incorporate a robust mechanism to:
i) ensure that regulatory guidelines / instructions are promptly issued / disseminated within the organization;
ii) monitor compliance with the regulatory guidelines / instructions.
6.4 The Compliance Department should serve as a reference point for the bank's staff from operational departments for seeking clarifications / interpretations of various regulatory and statutory guidelines.
6.5 The Compliance function should, on a proactive basis, identify, document and assess the compliance risks associated with the bank's business activities and products. The compliance risks in all new products and processes should be thoroughly analyzed and appropriate risk mitigants by way of necessary checks and balances should be put in place before launching. The Chief Compliance Officer should be a member of the 'new product' committee/s to ensure that the new products / processes have clearance from all perspectives including compliance. All new products should be subjected to intensive monitoring for the first six months of introduction to ensure that the indicative parameters of compliance risk are adequately monitored.
6.6 Banks should develop function-wise Compliance Manuals duly approved by the Chief Compliance Officer if their operating manuals do not already contain specific sections or chapters on compliance and provide these to the staff associated with the respective functions.
6.7 The Compliance Department should, at frequent intervals, interact with Legal Department, Operational Risk Management Department, Taxation Department and Audit/Inspection Department of the bank to take stock of the latest developments. Compliance officers should have access to all information they require and have the right to conduct investigation and report the findings to the Chief Compliance Officer. The Chief Compliance Officer shall necessarily be a participant in the quarterly informal discussions held with RBI. In case no quarterly meeting is held, he should meet the Chief General Manager, DBS in charge of the concerned bank at Central Office of RBI, once in every quarter of the year, to discuss compliance issues.
6.8 The compliance functionary should be looked at as a friend, philosopher and guide by the business units. There should be close co-ordination and partnership between Compliance and Business Operations functions. The interaction may be formalized by making the Chief Compliance Officer a member of the various inter-departmental committees in the bank.
6.9 The compliance function should monitor and test compliance by performing sufficient and representative compliance testing and the results of such compliance testing should be reported to the senior management.
6.10 It should also consider ways to measure compliance risk (e.g. by using performance indicators) and use such measurements to enhance compliance risk assessment.
6.11 Compliance staff should be empowered to conduct compliance reviews/investigations, whenever required. The authority to use external experts for the purpose of investigation, if required, should be left to the discretion of the Chief Compliance Officer.
6.12 The compliance function should be free to report to senior management on any irregularities without fear of disfavour from management or other staff members. Although its normal reporting line should be to senior management, the compliance function should also have the right of direct access to the board of directors or to the Audit Committee of the board or a committee of the Board, as the case may be, bypassing normal reporting lines. It may be useful for the board or the Audit Committee or the special Committee of the Board to meet with the head of compliance at least annually, as this will help the board or board committee to assess the extent to which the bank is managing its compliance risk effectively.
6.13 An Annual Report on compliance failures/breaches should be compiled and placed before the Board/ACB/Board Committee and circulated to all the functional heads. Non-compliance with any regulatory guidelines and administrative actions initiated against the bank and or corrective steps taken to avoid recurrence of the lapses should be disclosed in the annual report of the banks.
6.14 The code of conduct for employees should envisage working towards earning the trust of the society by dealing with customers in a fair manner and conducting business operations consistent with rules and regulations. Due weightage could be given to record of compliance during performance appraisal of staff at various levels. Staff accountability should be examined for all compliance failures.
7. The Compliance Programme
7.1 The responsibilities of the compliance function should be carried out under a compliance programme that sets out its planned activities. The compliance programme should be risk-based and subject to oversight by the head of compliance to ensure appropriate coverage across businesses and co-ordination among risk management functions.
7.2 The compliance function may have specific statutory responsibilities (e.g. fulfilling the role of anti-money laundering officer). Banks should carry out an annual compliance risk assessment in order to identify and assess major compliance risks faced by them and prepare a plan to manage the risks. The Annual review should broadly cover the following aspects.
- Compliance failures, if any during the preceding year and consequential losses and regulatory action as also steps taken to avoid recurrence of the same.
- List of all major regulatory guidelines issued during the preceding year and steps taken by the bank to ensure compliance.
- Independence of compliance function.
- Scope of compliance procedures and processes.
- System of internal control to minimize compliance risk.
- Compliance with fair practices codes and adherence to standards set by self regulatory bodies and accounting standards.
- Progress in rectification of significant deficiencies pointed out in the internal audit, statutory audit and RBI inspection reports and position of implementation of recommendations made therein.
- Strategy for the next year including restructuring of compliance department, if necessary, posting/transfer/training of staff.
7.3 Apart from the exhaustive annual review, a monthly report on the position of compliance risk may be put up to the senior management/CEO by the Chief Compliance Officer. A brief report on the compliance position may also be placed before the Board/ACB/Board Committee, as the case may be, on a quarterly basis.
7.4 Instances of all material compliance failures which may attract significant risk of legal or regulatory sanctions, financial loss or loss of reputation should be reported to the Board/ACB/Board Committee promptly.
7.5 The activities of the compliance function should be subject to annual review by the internal audit. Compliance risk shall be included in the risk assessment methodology of the internal audit function and the audit programme shall cover the adequacy and effectiveness of the bank's compliance function including testing of controls commensurate with the perceived level of risk.
8. Guidance and education
The compliance function should advise and assist the senior management on compliance laws, rules and standards, including keeping them informed on developments in these areas, and should establish written guidance to staff on the appropriate implementation of compliance laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines.
9. Cross Border issues
Banks may choose to carry on business in various jurisdictions for a variety of legitimate reasons. In such cases, it should be ensured that they comply with applicable laws and regulations in all such jurisdictions and that the organization and structure of the compliance function and its responsibilities are consistent with local legal and regulatory requirements. It is for local businesses to ensure that compliance responsibilities specific to each jurisdiction are carried out by individuals with the appropriate local knowledge and expertise, with oversight from the head of compliance in co-operation with the bank’s other risk management functions.