Compliance Book_IOB PDF
MODULE III REGULATION AND COMPLIANCE

CHAPTERS
15. Regulation in Banks
16. Compliance Function in Banks
17. Compliance Governance Structure
18. Framework for Identification of Compliance Issues & Compliance Risks

CHAPTER 15 REGULATION IN BANKS

STRUCTURE
15.1 Importance of Banks in the Economy
15.2 Role of Banks
15.3 General Principles of Bank Regulation
15.4 Role of Regulator
15.5 Universal Functions for Financial Regulators
15.6 Regulatory Authorities
15.7 Other Bodies Issuing Guidelines
15.8 Important Acts Applicable in India
15.9 Let us Sum up
15.10 Key Words
15.11 Check Your Progress
15.12 Answers to 'Check your Progress'

OBJECTIVES
In this Chapter the learner will:
Know the importance of banks
Understand the role of banks
Understand the principles of regulation and the role of the regulator
Know about other sources of guidelines

15.1 IMPORTANCE OF BANKS IN THE ECONOMY

A bank is a financial institution and a financial intermediary that accepts deposits and channels those deposits into lending activities, either directly by loaning or indirectly through capital markets. A bank is the connection between customers that have capital needs and customers with capital surpluses. Due to their influence within a financial system and an economy, banks are highly regulated.

Banks operate under fractional reserve banking, where they hold a small reserve of the funds deposited and lend out the rest. They are subject to minimum capital requirements based on an international set of capital standards, known as the Basel Accords.

Under English common law, a banker is defined as a person who carries on the business of banking, which is specified as:
o Conducting current accounts for his/her customers,
o Paying cheques drawn on him/her, and
o Collecting cheques for his/her customers.

15.1.1 Banking Set-up in India

The banking structure in India comprises commercial and cooperative banks.
Banks which are included in the Second Schedule to the Reserve Bank of India Act, 1934 are known as Scheduled Commercial Banks and Scheduled Cooperative Banks. Most of the banks are Scheduled banks.

15.1.2 Commercial Banks

Public Sector Banks: where the majority stake is held by the Government of India. Examples: SBI, Bank of India, Canara Bank, etc.
Private Sector Banks: where the majority of the share capital of the bank is held by private individuals or by the institutions which promote them. These banks are registered as companies with limited liability. Examples: ICICI Bank, Axis Bank, HDFC, etc.
Foreign Banks: are registered and have their headquarters abroad but operate some branches in India. Examples: HSBC, Citibank, Standard Chartered Bank, etc.
Regional Rural Banks: were set up with a view to developing the rural economy by providing banking facilities.
Local Area Banks: were conceived as low-cost structures which would provide efficient and competitive financial intermediation services in a limited area of operation.
Small Finance Banks: were set up with the objective of furthering financial inclusion through high technology and low cost of operations.
Payments Banks: were set up with the objective of furthering financial inclusion by providing (i) small savings accounts and (ii) payments/remittance services to the unorganised sector.

15.1.3 Cooperative Banks

These are financial entities which belong to their members, who are at the same time the owners and the customers of their bank. Co-operative banks are often created by persons belonging to the same local or professional community or sharing a common interest.

15.2 ROLE OF BANKS

15.2.1 Standard activities

Banks act as payment agents by maintaining deposit accounts, paying cheques, collecting cheques, and handling remittances through other modes. Banks borrow money by accepting funds as deposits and by issuing debt securities. Banks lend money by making advances and instalment loans, and by investing in debt securities.
Banks create new money when they make a loan, thereby increasing the money supply. This is called the multiplier effect.

15.2.2 Risks and Capital

Banks face a number of risks in conducting their business, for instance:
Credit risk: risk of loss arising due to non-recovery of loans.
Liquidity risk: risk that a given security or asset cannot be realised to meet the cash requirement.
Market risk: risk that the value of an asset portfolio will decrease due to a fall in market prices.
Operational risk: risk arising from business operations.
Reputational risk: risk related to the trustworthiness of the organisation.
Macroeconomic risk: risks related to the economy the bank is operating in.

The capital requirement is a primary bank regulation prescription, to enable banks to withstand these risks and sustain themselves. The categorization of assets and capital is standardized through regulatory prescriptions so that they can be adequately risk weighted.

15.2.3 Economic functions

i. Issue of money, in the form of cheques, demand drafts, etc. These claims on banks act as money.
ii. Netting and settlement of payments: banks act as collecting and paying agents for customers through interbank clearing and settlement systems, and reduce the cost of settlement for customers.
iii. Credit intermediation: banks borrow and lend back-to-back on their own account.
The role of banks primarily comprises: (1) Intermediation (2) Payment systems (3) Financial services (4) Lifeline of the economy

15.3 GENERAL PRINCIPLES OF BANK REGULATION

The common objectives of regulating banks are:
a) Prudential: to reduce the level of risk to which bank creditors, mainly depositors, are exposed
b) Systemic risk reduction: to reduce the risk of disruption from adverse trading conditions
c) Avoiding misuse of banks: to reduce the risk of banks being used for criminal purposes
d) Protecting the confidentiality of customer information
e) Credit allocation: to direct credit to favoured sectors
f) Maintenance of customer service and Corporate Social Responsibility (CSR) by banks

The general principles of banking regulation are described below.
i. Minimum requirements: Certain requirements for financial management are imposed to promote the objectives of the regulator, such as maintaining prescribed capital ratios, the statutory liquidity ratio, etc.
ii. Supervisory review: Banks need to obtain a licence to carry on business as a bank, and the regulator supervises the banks for compliance with regulatory directions and guidelines.
iii. Market discipline: Banks are required to publicly disclose financial and other information, so that depositors and other creditors are able to assess the level of risk.

15.4 ROLE OF REGULATOR

The role of the regulator is to:
i. Set standards for the constituents of the system and review them continually.
ii. Enforce the standards through legislation, policies, rules, and regulations.
iii. Supervise the system which it controls.
iv. Develop markets by encouraging organic growth and facilitating inorganic growth.

15.5 UNIVERSAL FUNCTIONS FOR FINANCIAL REGULATORS

The regulators of the financial sector have the following specific functions:
i. Prudential regulation for the safety and soundness of financial institutions;
ii. Maintaining the stability and integrity of the payments system;
iii. Prudential supervision of financial institutions;
iv. Setting norms for business regulation (i.e. rules about how firms conduct business with their customers);
v. Conduct of business supervision;
vi. Making safety net arrangements such as deposit insurance and the lender-of-last-resort role;
vii. Providing liquidity assistance for systemic stability;
viii. Handling of insolvent institutions;
ix. Crisis resolution; and
x. Handling issues related to market integrity.

15.6 REGULATORY AUTHORITIES

The main regulatory authorities that govern the Indian financial system are given below.

15.6.1 Reserve Bank of India (RBI)

i. Financial Supervision: The RBI performs this function under the guidance of the Board for Financial Supervision (BFS), a committee of the Central Board of Directors of the RBI. The primary objective of the BFS is to undertake consolidated supervision of the financial sector comprising commercial banks, financial institutions and non-banking finance companies. Some of the initiatives taken by the BFS include:
a. restructuring of the system of bank inspections,
b. introduction of off-site surveillance,
c. strengthening of the role of statutory auditors, and
d. strengthening of the internal defences of supervised institutions.
The Audit Sub-committee of the BFS reviews the system and issues observations pertaining to concurrent audit, norms of empanelment and appointment of statutory auditors, the quality and coverage of statutory audit reports, and the important issue of greater transparency and disclosure in the published accounts of supervised institutions.

ii. Objectives of Regulation: These are mainly:
a) Prudential, i.e. to reduce the level of risk to protect depositors,
b) Systemic, i.e. to reduce the risk of disruption,
c) Control of misuse of banks for criminal purposes, i.e. money laundering and proceeds of crime,
d) Protection of confidentiality towards its customers,
e) Needful credit allocation to favoured sectors (priority sector),
f) Fair treatment of customers.

iii. Risk Based Supervision: The process/programme is conducted through SPARC (Supervisory Program for Assessment of Risk & Capital). There are TWO major areas of assessment under SPARC: Risk and Capital. It is carried out through off-site analysis of the data and information furnished by the bank as well as the findings of the On-site Inspection for Supervisory Evaluation (ISE). The risk assessment covers:
- inherent risks,
- risk due to gaps in controls for the inherent risks, and
- risks due to gaps in Governance & Oversight and the degree of compliance with regulatory requirements.

The observations in the RAR report broadly cover:
A. Supervisory Evaluation of Risks & Control Gaps
i) GOVERNANCE & OVERSIGHT, which includes (1) Board (2) Senior Management (3) Risk Governance (4) Internal Audit (5) Risk Culture
ii) Business Risk: 1) Credit 2) Market 3) Liquidity 4) Operational 5) Other Pillar II
Further observations include Inherent Risk, Policy Environment, Risk Identification, Control Gaps, Monitoring & Review, ICAAP & Stress Testing.

B. Banks are required to submit data/information (data points) towards ISE (RBS) quarterly/annually by way of Tranche submissions:

Data / information       No of data points   Frequency   Details of data points
Tranche 1 & 1A to 1F     784                 Quarterly   Data pertaining to Risk and Financial parameters
Tranche 2                386                 Annually    Consists of 12 Risk related Parameters and Governance assessment
Tranche III              385                 Annually    Subjective / Control Gap Parameters
TOTAL                    1555

iv. Monetary Authority: It formulates, implements and monitors the monetary policy. The objective is maintaining price stability and ensuring an adequate flow of credit to productive sectors.

v. Regulator and supervisor of the financial system: It prescribes the broad parameters of banking operations within which the country's banking and financial system functions. The objective is to maintain public confidence in the system, protect depositors' interests and provide cost-effective banking services to the public.
For effective monitoring of the functioning of banks, the RBI obtains various periodical returns/statements from banks and seeks distinct data-point information by way of Tranches under Risk Based Supervision. Banks are directed to maintain quality and integrity while submitting this data-point information.

vi. Manager of Foreign Exchange: It oversees the implementation of the Foreign Exchange Management Act, 1999. The objective is to facilitate external trade and payment and to promote the orderly development and maintenance of the foreign exchange market in India.

vii. Issuer of currency: It issues and exchanges currency and coins, and destroys those not fit for circulation. The objective is to give the public an adequate quantity of quality currency notes and coins.

viii. Developmental role: It performs a wide range of promotional functions to support national objectives like financial inclusion, development of MSMEs, etc.

ix. Related Functions: It functions as the banker to the Government and performs the merchant banking function for the Central and the State Governments. It also acts as the banker to banks and maintains the banking accounts of all scheduled banks.

15.6.2 The Securities and Exchange Board of India (SEBI)

The SEBI was established on April 12, 1992 to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market. It undertakes mainly the following functions:
i. Registration, supervision, compliance monitoring and inspection of all market intermediaries in respect of all segments of the markets, viz. equity, equity derivatives, debt and debt-related derivatives.
ii. Supervising the functioning and operations (except relating to derivatives) of securities exchanges, their subsidiaries, and market institutions such as clearing and settlement organizations and depositories.
iii. Regulating (a) issuance and listing of securities, (b) corporate governance and accounting/auditing standards, (c) corporate restructuring through takeovers/buy-backs, (d) delisting, etc.
iv. Registering and regulating mutual funds, venture capital funds, foreign venture capital investors, and collective investment schemes, including plantation schemes, Foreign Institutional Investors, Portfolio Managers and Custodians.
v. Monitoring market activity through market systems, data from other departments and analytical software.

15.6.3 Insurance Regulatory and Development Authority of India (IRDAI)

The IRDA was constituted to regulate and develop the insurance business in India. It is responsible for protecting the rights of policyholders. Its role includes the following aspects:
i. Registration of a life insurance company.
ii. Framing regulations on protection of policyholders' interests.
iii. Specifying the requisite qualifications, code of conduct and practical training for intermediaries or insurance intermediaries and agents.
iv. Regulating the investment of funds by insurance companies.
v. Regulating the maintenance of margins of solvency.
vi. Specifying the percentage of premium income of the insurer to finance schemes for the promotion and regulation of certain specified professional organisations.
vii. Specifying the percentage of life insurance business to be undertaken by an insurer in the rural or social sector.

15.6.4 Pension Fund Regulatory and Development Authority (PFRDA)

The PFRDA was established in 2014 for regulating the National Pension Scheme (NPS), open to employees of the Govt. of India, State Governments, private institutions/organizations and unorganized sectors. Its basic functions are:
i. Regulating the NPS and other pension schemes under its purview.
ii. Approving the schemes, and the investment guidelines under these.
iii. Registering and regulating intermediaries.
iv. Protecting the interests of subscribers by appropriate regulations.

15.6.5 National Bank for Agriculture and Rural Development (NABARD)

NABARD was set up by the Government of India as a development bank for the promotion and development of agriculture and integrated rural development. It is an apex institution handling matters concerning policy, planning and operations in the field of credit for agriculture and for other economic and developmental activities in rural areas. It is a refinancing agency for financial institutions offering production credit and investment credit for promoting agriculture and developmental activities in rural areas. It has been vested with the powers of inspection of the RRBs, the District Central Cooperative Banks (Dt.CCB) and the State Co-operative Banks (St.CB) on behalf of the RBI.

15.7 OTHER BODIES ISSUING GUIDELINES

15.7.1 Indian Banks Association (IBA)

The IBA is a body of banks comprising banks of all types as its members. Its main objectives are:
i. To promote and develop in India sound and progressive banking principles, practices and conventions, and to contribute to the development of creative banking.
ii. To develop and implement new ideas and innovations in banking services, operations and procedures.
iii. To organize co-ordination and co-operation on procedural, legal, technical, administrative or professional problems and practices of banks and the banking industry.
iv. To initiate advance planning for the introduction of new systems or services in the banking industry.
v. To collect, classify and circulate statistical and other information on the structure and working of the banking system.

15.7.2 Fixed Income Money Market and Derivatives Association of India (FIMMDA)

FIMMDA is an association of market players and aids the development of the bond, money and derivatives markets. Its main objectives are:
i. Being the principal interface with the regulators on various issues that impact the functioning of these markets.
ii. Undertaking developmental activities, such as the introduction of benchmark rates and new derivative instruments, etc.
iii. Providing training and development support to dealers and support personnel at member institutions.
iv. Adopting/developing international standard practices and a code of conduct.
v. Devising standardized best market practices.
vi. Developing standardized sets of documentation.

15.7.3 Foreign Exchange Dealers' Association of India (FEDAI)

The FEDAI is an association of Authorised Dealer banks. It has framed the rules governing the conduct of inter-bank foreign exchange business among banks vis-à-vis the public, and liaises with the RBI for reforms and development of the forex market. Its other main functions are:
i. Training of bank personnel in the areas of foreign exchange business.
ii. Accreditation of forex brokers.
iii. Announcement of daily and periodical rates to member banks.

15.7.4 The Association of Mutual Funds in India (AMFI)

AMFI is dedicated to developing the Indian mutual fund industry. Its main activities are:
i. To recommend and promote best business practices and a code of conduct to be followed by members and others engaged in the activities of mutual funds and asset management, including agencies connected or involved in the field of capital markets and financial services.
ii. To interact with the SEBI on matters concerning the mutual fund industry.
iii. To represent to the Government, RBI and other bodies on matters relating to the mutual fund industry.
iv. To develop a cadre of well-trained agent distributors and to implement a programme of training and certification for them and other intermediaries.
v. To undertake investor awareness programmes on the concept and working of mutual funds.

15.8 IMPORTANT ACTS APPLICABLE IN INDIA

Banking activity requires handling various finance-related matters pertaining to customers of different constitutions. Banking itself is a regulated business.
It is important to be aware of certain important acts.

1) The RBI Act, 1934: It is the Act that constituted the Reserve Bank of India. It lays down the functions of the RBI, provisions for its capital and management, provisions relating to acceptance of deposits from the public, prohibition on acceptance of deposits by unincorporated bodies, regulation of transactions in derivatives, money market instruments, securities, etc., and provisions related to monetary policy.

2) The Banking Regulation Act, 1949: It was enacted to consolidate the law relating to banking. It includes various provisions pertaining to the functioning of banks. It defines the business of banking companies. It contains the provisions related to prohibition on trading, disposal of non-banking assets, management of banks, certain operations of banking companies, acquisition of banking undertakings, suspension of business, and winding up of banking companies.

3) The Negotiable Instruments Act, 1881: It is the Act that defines the law relating to promissory notes, bills of exchange and cheques. It covers various provisions related to dealing with such instruments, the liabilities of various parties, dishonour of instruments, crossing of cheques, negotiation of instruments, payment of cheques, and dishonour of cheques.

4) Foreign Exchange Management Act, 1999: It is the law relating to foreign exchange, with the objective of facilitating external trade and payments and promoting the orderly development and maintenance of the foreign exchange market in India. It covers the aspects connected with regulation and management of foreign exchange, authorised persons to deal in foreign exchange, penalties for contravention of the provisions, and the Directorate of Enforcement vested with authority for investigation of contraventions.

5) Information Technology Act, 2000: An Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication (i.e. electronic commerce). The law also amended the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 in the context of recognizing the use of alternatives to paper-based methods. It contains provisions related to Digital Signature and Electronic Signature; Electronic Governance; Attribution, Acknowledgement and Despatch of Electronic Records; Secure Electronic Records and Secure Electronic Signature; Regulation of Certifying Authorities; and Electronic Signature Certificates.

6) The Income Tax Act, 1961: This is the law related to income-tax. It covers various provisions based on which the income-tax liability is arrived at; treatment of different types of income, various permitted deductions for different types of assessees, treatment of loss, avoidance of income-tax, transactions for avoidance of income-tax, filing of return of income-tax, permanent account number, quoting of Aadhaar number, undisclosed income, advance tax payment, tax deduction at source, tax collection at source, wilful attempt to evade tax, and assessment and appeals.

7) The Companies Act, 2013: This Act replaced the erstwhile Companies Act, 1956, and covers various provisions related to incorporated companies, viz. different types of companies, registration, raising capital, borrowings, acceptance of deposits, registration of charges, dividends, accounts, audit, directors, Board responsibilities, Board meetings, revival and rehabilitation, winding up, producer companies, government companies, companies registered outside India, the National Company Law Tribunal and the Appellate Tribunal.

8) The Indian Partnership Act, 1932: It is the law related to partnership firms. It contains provisions pertaining to the nature of partnership, relations of partners to each other and to third parties, incoming and outgoing partners, and registration of firms.
9) The Limited Liability Partnership Act, 2008: This law pertains to the formation and regulation of limited liability partnerships. It contains provisions related to Nature of Limited Liability Partnership; Incorporation; Relations of Partners; Extent and Limitation of Liability of Limited Liability Partnership and Partners; Assignment and Transfer of Partnership Rights; Conversion into Limited Liability Partnership; Foreign Limited Liability Partnerships; Compromise, Arrangement or Reconstruction of Limited Liability Partnerships; and Winding Up and Dissolution.

10) Prevention of Money Laundering Act, 2002: It is an Act to prevent money-laundering and to provide for confiscation of property derived from, or involved in, money-laundering. It contains provisions related to the definition of the money laundering offence, punishment for the money laundering offence, procedures for investigation and prosecution, the authority for it, obligations of the finance sector and certain other businesses for preventing their abuse for money laundering, and the establishment of the Financial Intelligence Unit and its role.

11) The Unlawful Activities (Prevention) Act, 1967: It is an Act to provide for more effective prevention of certain unlawful activities of individuals and associations, and for dealing with terrorist activities. It contains provisions related to Unlawful Associations; Punishment for Terrorist Activities; Forfeiture of Proceeds of Terrorism or any Property Intended to be Used for Terrorism; and Terrorist Organisations.

12) Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016: This Act provides for targeted delivery of subsidies, benefits and services rendered through the Consolidated Fund of India, or the Consolidated Fund of the State, through the assigning of unique identity numbers to the beneficiaries.
It contains provisions for establishing the Unique Identification Authority of India, enrolment of individuals, and authentication of the enrolled individuals.

13) The Recovery of Debts and Bankruptcy Act, 1993: It is an Act for the establishment of Tribunals for expeditious adjudication and recovery of debts due to banks and financial institutions, and insolvency resolution and bankruptcy of individuals and partnership firms. It contains provisions for Procedure of Tribunals; Recovery of Debt Determined by Tribunal; and Jurisdiction, Powers and Authority of Tribunals.

14) The Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002: It is an Act to regulate securitisation and reconstruction of financial assets and enforcement of security interest, and to provide for a central database of security interests created on property rights. It contains provisions for Regulation of Securitisation and Reconstruction of Financial Assets of Banks and Financial Institutions; Enforcement of Security Interest; Central Registry; and Registration by Secured Creditors and Other Creditors.

15) The Insolvency and Bankruptcy Code, 2016: It is an Act pertaining to the laws relating to reorganisation and insolvency resolution of corporate persons, partnership firms and individuals in a time-bound manner, for maximisation of the value of assets of such persons, to promote entrepreneurship and availability of credit, and to balance the interests of all the stakeholders, including alteration in the order of priority of payment of Government dues, and to establish the Insolvency and Bankruptcy Board of India (IBBI). It contains provisions for Insolvency Resolution and Liquidation for Corporate Persons; Insolvency Resolution and Bankruptcy for Individuals and Partnership Firms; and Regulation of Insolvency Professionals, Agencies and Information Utilities.

16) The Transfer of Property Act, 1882: It covers various aspects related to the transfer of property by act of parties. It covers provisions related to the transfer of both movable and immovable property, and sale of immovable property. It also covers provisions for mortgages of immovable property and charges, and leases of immovable property. Other aspects covered in the Act are exchanges and gifts of property, and transfers of actionable claims, i.e. a claim to any debt, other than a debt secured by mortgage of immovable property or by hypothecation or pledge of movable property, or to any beneficial interest in movable property.

17) The Legal Services Authorities Act, 1987: This Act was enacted to constitute legal services authorities to provide free and competent legal services to the weaker sections of society, to ensure that opportunities for securing justice are not denied to any citizen by reason of economic or other disabilities, and to organize Lok Adalats to secure that the operation of the legal system promotes justice on a basis of equal opportunity. It provides a forum for settlement of civil disputes involving a monetary value of up to ₹20 lakh.

18) The Limitation Act, 1963: It has consolidated the provisions related to the limitation of suits and other proceedings in relation to a document which entitles the beneficiary to take action in a court of law.

19) The Consumer Protection Act, 2019: The Act replaced the Consumer Protection Act, 1986, retaining the objective of better protection of the interests of consumers. It provides for a framework aligned to the requirements of the radically changed ecosystem, contains new provisions and also expands the concept of 'consumer protection'.

20) The Right to Information Act, 2005: The Act provides for a practical regime for citizens to get access to information under the control of public authorities, in order to promote transparency and accountability in the working of every public authority.
The Act aims at containing corruption and holding the Governments and their instrumentalities accountable to the governed by providing access to information.

15.9 LET US SUM UP

A bank is the connection between customers that have capital needs and customers with capital surpluses. Banks which are included in the Second Schedule to the Reserve Bank of India Act, 1934 are known as Scheduled Commercial Banks and Scheduled Cooperative Banks. Banks face a number of risks in conducting their business. The capital requirement is a primary regulatory prescription, to enable banks to withstand the risks and sustain themselves. The role of the regulator is to set standards, enforce them, supervise the system, and develop markets. The regulators of the financial sector have specific functions. The main financial sector regulators are the RBI, SEBI, IRDA and PFRDA. NABARD also has a regulatory role. Other bodies that issue guidelines related to banking activities are the IBA, FIMMDA, FEDAI and AMFI. It is important that a banker is familiar with the provisions of certain laws, for instance the RBI Act, 1934; the Banking Regulation Act, 1949; the Negotiable Instruments Act, 1881; the Foreign Exchange Management Act, 1999; the Information Technology Act, 2000; the Income Tax Act, 1961; etc.

15.10 KEY WORDS

financial intermediary; Public Sector Banks; Private Sector Banks; Regional Rural Banks; Local Area Banks; Small Finance Banks; Payments Banks; Cooperative Banks; Credit risk; Liquidity risk; Market risk; Operational risk; Reputational risk; Macroeconomic risk; settlement of payments; Intermediation; Prudential; Systemic risk; Credit allocation; Corporate Social Responsibility; safety net arrangements; Board for Financial Supervision; Monetary Authority; supervisor

15.11 CHECK YOUR PROGRESS

1) Which of the following is not one of the major functions of the National Bank for Agricultural and Rural Development (NABARD)?
a) Conducting inspections of co-operative banks and RRBs
b) Extending assistance to the government and others in matters related to rural development
c) Providing refinance to lending institutions in rural areas
d) Review of monetary and credit policy

2) Which of the following is not a function of a commercial bank?
a) Registration of charges and mortgages
b) Transactions services
c) Asset transaction
d) Real-time Gross Settlement

15.12 KEY TO 'CHECK YOUR PROGRESS'

1 (d); 2 (a).

CHAPTER 16 Compliance Function in Banks

STRUCTURE
16.1 Compliance Risk and Significance of Compliance Function
16.2 Compliance Policy
16.3 Compliance Principles, Process and Procedures
16.4 Compliance Programme and Scope of Compliance Function
16.5 Role and Responsibilities of Chief Compliance Officer including disclosure requirements
16.6 Let us Sum up
16.7 Key Words
16.8 Check Your Progress
16.9 Key to 'Check Your Progress'

OBJECTIVES
In this Chapter the learner will:
Learn about Compliance Risk and the Significance of the Compliance Function
Know about Compliance Policy
Understand the scope of the Compliance Function
Know about the Role of the Chief Compliance Officer

16.1 COMPLIANCE RISK AND SIGNIFICANCE OF COMPLIANCE FUNCTION

The BCBS paper on Compliance and the Compliance Function in Banks (April 2005) defines compliance risk as the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities (together, "compliance laws, rules and standards"). The BCBS paper devised basic principles for the compliance function, and all regulators globally have adopted the same while formulating the compliance function in banks and issuing directions for effective implementation.
These principles are:

Principle 1: The bank's Board of Directors (BOD) is responsible for overseeing the management of the bank's compliance risk. The Board should approve the bank's compliance policy, including a formal document establishing a permanent and effective compliance function. At least once a year, the Board or a committee of the Board should assess the extent to which the bank is managing its compliance risk effectively.
Principle 2: The bank's senior management is responsible for the effective management of the bank's compliance risk.
Principle 3: The bank's senior management is responsible for establishing and communicating a compliance policy and for reporting to the BOD on the management of the bank's compliance risk.
Principle 4: The bank's senior management is responsible for establishing a permanent and effective compliance function within the bank as part of the bank's compliance policy.
Principle 5: The bank's compliance function should be independent.
Principle 6: The bank's compliance function should have the resources to carry out its responsibilities effectively.
Principle 7: Where the responsibilities of the compliance function are carried out by staff in different departments, the allocation of responsibilities to each department should be clear.
Principle 8: The scope and breadth of the activities of the compliance function should be subject to periodic review by the internal audit function.
Principle 9: Banks should comply with applicable laws and regulations in all jurisdictions in which they conduct business.
Principle 10: Specific tasks of the compliance function may be outsourced, but they must remain subject to appropriate oversight by the head of compliance.

Compliance risk is closely interrelated with other risks faced by a bank, such as:
a) Regulatory Risk: Regulatory risk refers to the potential consequences to the general public and the bank on account of non-compliance with regulation.
b) Operational Risk: Risk arising from operational activities. It may manifest through non-compliance with regulations.
c) Legal Risk: The possibility of loss from lawsuits, adverse judgments or contracts that turn out to be unenforceable. Compliance failures can lead to litigation and associated damages.
d) Reputational Risk: The risk of negative publicity about the bank's business practices, health, soundness of operations, etc. Compliance failures can damage reputation.
e) Annihilation Risk: Arises from the possibility of regulatory action closing down the business. This could also occur due to major non-compliances.

Given the significance of these risks, a strong group/enterprise-wide compliance programme is a necessity for banks. A group/enterprise-wide compliance programme helps the bank to look at and across the business lines and activities of the organisation as a whole, and to consider how activities in one area of the firm may affect the legal and reputational risks of other business lines and of the entire group/enterprise. It also helps in understanding where the legal and reputational risks in the organisation are concentrated, provides comparisons of the level and changing nature of risks, and identifies those control processes that most need enhancement. The compliance function must ensure that controls and procedures capture the appropriate information to allow senior management and the Board to better perform their risk management functions on a group-wide basis.

16.2 COMPLIANCE POLICY

The compliance function is one of the key elements in a bank's corporate governance structure. The compliance function in the bank has to be adequately enabled and made sufficiently independent, in line with the views of the Basel Committee on Banking Supervision (BCBS), April 2005. The compliance policy must set out the principles, standards and procedures relating to the compliance function, consistent with RBI directions.
The policy must also articulate that the compliance function is an integral part of governance, along with the internal control and risk management processes. A policy document on compliance guidelines should be formulated by adopting the ingredients contained in the various RBI circulars/directions on compliance, to keep pace with the increasing complexity and sophistication of the bank's business. The compliance function needs to be fully cognizant of compliance risk and of the reputational risk arising out of compliance failures, which can cause large economic costs.

The Reserve Bank of India, vide Circular No. RBI/2006-2007/335 (DBS.CO.PP.BC 6/11.01.005/2006-07) dated 20.04.2007, advised all banks to formulate and implement a Compliance Function Policy within 6 months from the date of the circular, on the basis of the framework set out therein. Banks were also advised that the implementation of the compliance function would be subjected to a comprehensive review during the Annual Financial Inspection. The compliance policy was required to include the following key elements:
I. Compliance objective
II. Scope of the compliance function
III. Compliance function at Corporate Office / Zonal Offices / Branches / Subsidiaries / Foreign Centres
IV. Role and responsibilities of the Chief Compliance Officer

RBI reviewed banks' responses and preparedness annually and observed that a uniform approach to the compliance function was needed to align supervisory expectations on CCOs with best practices. Accordingly, RBI issued a communication dated 11 September 2020 on Compliance Functions in Banks and the Role of the CCO, which inter alia advised the following guidelines for formulation of the compliance policy:
1) A bank must have a Board-approved Compliance Policy.
The policy should clearly spell out its compliance philosophy; expectations on compliance culture (covering tone from the top, accountability, incentive structure, and effective communication and the challenges thereof); the structure and role of the compliance function; the role of the CCO; and the processes for identifying, assessing, monitoring, managing and reporting on compliance risk throughout the bank.
2) The policy shall adequately reflect the size, complexity and compliance risk profile of the bank; the expectations on ensuring compliance with all applicable statutory provisions, rules and regulations, the various codes of conduct (including voluntary ones) and the bank's own internal rules, policies and procedures; and the creation of a disincentive structure for compliance breaches.
3) The bank shall also develop and maintain a quality assurance and improvement programme covering all aspects of the compliance function. The quality assurance and improvement programme shall be subject to independent external review periodically (at least once in three years).
4) The policy should lay special thrust on building a compliance culture, and on vetting of the quality of supervisory/regulatory compliance reports to RBI by the top executives, the non-executive Chairman/Chairman and the ACB of the bank.
5) The policy should be reviewed at least once a year.

16.3 COMPLIANCE PRINCIPLES, PROCESS AND PROCEDURES

i. The Compliance Department at the Head Office has the central role in identifying the level of compliance risk in each business line, product and process and in formulating proposals for mitigation of such risk. It should circulate instances of compliance failures among staff along with preventive instructions.
ii. Inspection/audit findings serve as a feedback mechanism for assessing areas of compliance breaches/failures.
iii.
The compliance function should ensure that regulatory guidelines/instructions are promptly issued/disseminated within the organisation, and should monitor compliance with them. The compliance function should vet guidelines/circulars before they are disseminated to the operational units.
iv. The Compliance Department should serve as a reference point for clarifications/interpretations of the various regulatory and statutory guidelines.
v. The compliance function should identify, document and assess the compliance risks associated with the bank's business activities and products, including all new products and processes. Appropriate risk mitigants should be put in place before launch. All new products should be subjected to intensive monitoring for the first six months against indicative compliance parameters.
vi. The bank should develop function-wise compliance manuals if the operating manuals do not contain specific sections or chapters on compliance.
vii. Compliance officers should have access to all information they require and the right to conduct investigations and report their findings to the Chief Compliance Officer (CCO).
viii. There should be close co-ordination and partnership between the Compliance and Business Operations functions. This interaction may be formalised by making the CCO a member of the various interdepartmental committees in the bank.
ix. The compliance function should monitor and test compliance through representative compliance testing, and the results should be reported to senior management.
x. It should consider ways to measure compliance risk (e.g. by using performance indicators) and to enhance compliance risk assessment.
xi. Compliance staff may conduct compliance reviews/investigations whenever required.
xii. The code of conduct for employees should envisage dealing with customers fairly and conducting business operations consistent with rules and regulations.
Due weightage may be given to the record of compliance during performance appraisal of staff at various levels. Staff accountability should be examined for all compliance failures.

16.4 COMPLIANCE PROGRAMME AND SCOPE OF COMPLIANCE FUNCTION

16.4.1 Compliance Programme
i. The compliance programme should be risk-based and ensure appropriate coverage across businesses and co-ordination among risk management functions. A comprehensive compliance plan, complete with compliance testing and review structures, needs to be implemented.
ii. Banks should carry out an annual compliance risk assessment to identify and assess the major compliance risks they face and prepare a plan to manage those risks. The annual review should broadly cover the following aspects:
a. Compliance failures, consequential losses, regulatory action, and steps taken to avoid recurrence.
b. Major regulatory guidelines issued during the year and steps taken for compliance.
c. The system of internal control to minimise compliance risk.
d. Compliance with fair practices codes, standards of self-regulatory bodies and accounting standards.
e. Progress in rectification of significant deficiencies pointed out in internal audit, statutory audit and RBI inspection reports.
f. Strategy for the next year.
iii. An annual report on compliance failures/breaches should be compiled, placed before the Board/ACB/Board Committee and circulated to all functional heads.
iv. A monthly report on the position of compliance risk may be put up to senior management/the CEO by the CCO. A brief report on the compliance position may also be placed before the Board/ACB/Board Committee on a quarterly basis.
v. Instances of all material compliance failures which may attract significant risk of legal or regulatory sanctions, financial loss or loss of reputation should be reported to the Board/ACB/Board Committee promptly.
vi.
Adherence to and compliance with the MAP/RMP prescribed pursuant to the Risk Assessment Report under the Risk Based Supervision process is very important.
vii. The activities of the compliance function should be subject to annual review by internal audit.

16.4.2 Scope of Compliance Function
The scope of the compliance function covers the following:
i. Statutory Compliance: A bank is required to comply with the statutory provisions contained in various legislations, especially the Banking Regulation Act, the Reserve Bank of India Act, the Foreign Exchange Management Act, the Prevention of Money Laundering Act, etc.
ii. Regulatory Compliance: A bank is required to comply with the regulatory guidelines issued from time to time by regulators such as RBI, SEBI, IRDA, etc.
iii. Code of Conduct: A bank has to frame a Code of Conduct based on guidelines issued by organisations such as IBA, FEDAI, FIMMDA, etc. and abide by it.
iv. Accounting Standards: A bank has to abide by those Accounting Standards of ICAI that are applicable to banks.
v. Listing Agreement: A bank with its shares listed on NSE/BSE has to comply with the requirements of the Listing Agreement with the stock exchanges.
vi. Internal Compliances (Process/Policy Compliances): A bank is required to comply with its own internal guidelines, policies and processes.

16.5 ROLE AND RESPONSIBILITIES OF CHIEF COMPLIANCE OFFICER (CCO)

The CCO is primarily responsible for overseeing and managing compliance issues within the bank. Recent RBI guidelines contain specific directions on the appointment and role of CCOs. Accordingly, the CCO should be selected through a suitable process with an appropriate fit-and-proper evaluation/selection criterion to manage compliance risk. Those directions are given below:
a. Tenure of appointment of CCO: The CCO shall be appointed for a minimum fixed tenure of not less than 3 years.
The Audit Committee of the Board (ACB) / Managing Director (MD) & CEO should factor in this requirement while appointing the CCO.
b. Transfer/Removal of CCO: The CCO may be transferred/removed before completion of the tenure only in exceptional circumstances, with the explicit prior approval of the Board, after following a well-defined and transparent internal administrative procedure.
c. Eligibility Criteria for appointment as CCO - Rank: The CCO shall be a senior executive of the bank, preferably in the rank of General Manager or an equivalent position (not below two levels from the CEO). The CCO could also be recruited from the market.
d. Age: Not more than 55 years.
e. Experience: The CCO shall have overall experience of at least 15 years in banking or financial services, of which a minimum of 5 years shall be in the Audit/Finance/Compliance/Legal/Risk Management functions.
f. Skills: The CCO shall have a good understanding of the industry and of risk management, knowledge of regulations and the legal framework, and sensitivity to supervisors' expectations.
g. Stature: The CCO shall have the ability to exercise judgement independently, and should have the freedom and sufficient authority to interact with regulators/supervisors directly and ensure compliance.
h. Others: No vigilance case or adverse observation from RBI shall be pending against the candidate identified for appointment as CCO.
i. Selection Process: Selection of the candidate for the post of CCO shall be done on the basis of a well-defined selection process and the recommendations of a senior-executive-level selection committee constituted by the Board for the purpose. The selection committee shall recommend the names of suitable candidates ranked in order of merit, and the Board shall take the final decision on the appointment of the CCO.
j.
Reporting Requirements: Prior intimation shall be provided to the Department of Supervision, Reserve Bank of India, Central Office, Mumbai, before the appointment or premature transfer/removal of the CCO. Such intimation should be supported by a detailed profile of the candidate along with a fit-and-proper certification by the MD & CEO of the bank confirming that the person meets the above supervisory requirements, and a detailed rationale for the change, if any.
k. Reporting Line: The CCO shall have direct reporting lines to the MD & CEO and/or the Board/Board Committee (ACB) of the bank. Where the CCO reports to the MD & CEO, the Audit Committee of the Board shall meet the CCO quarterly on a one-to-one basis, without the presence of senior management including the MD & CEO. The CCO shall not have any reporting relationship with the business verticals of the bank and shall not be given any business targets. Further, the performance appraisal of the CCO shall be reviewed by the Board/ACB.
l. Authority: The CCO and the compliance function shall have the authority to communicate with any staff member and to access all records or files necessary to carry out their responsibilities in respect of compliance issues. This authority should flow from the compliance policy of the bank.

16.5.1 Duties and Responsibilities of CCO
The duties and responsibilities of the compliance function and the role of the CCO include the following:
i. To apprise the Board and senior management of regulations, rules and standards and any further developments.
ii. The CCO should be an invitee to the meetings of the ACB.
iii. To provide clarification on any compliance-related issues.
iv. To conduct an assessment of compliance risk (at least once a year) and to develop a risk-oriented activity plan for compliance assessment. The activity plan should be submitted to the ACB for approval and made available to internal audit.
v.
To report promptly to the Board/ACB/MD & CEO any major changes/observations relating to compliance risk.
vi. To periodically report compliance failures/breaches to the Board/ACB and circulate them to the concerned functional heads. The CCO may use external experts for the purpose of investigation.
vii. To monitor and periodically test compliance by performing sufficient and representative compliance testing. The results of compliance testing should be placed before the Board/ACB/MD & CEO.
viii. The CCO should have the right of direct access to the Board, the ACB or a committee of the Board, bypassing normal reporting lines. The Board, the ACB or a committee of the Board should meet with the CCO at least annually.
ix. To examine sustenance of compliance as an integral part of compliance testing and the annual compliance assessment exercise.
x. The CCO should be a member of the 'new product' committee(s) to ensure that new products/processes have clearance from all perspectives, including compliance. All new products should be subjected to intensive monitoring for the first six months after introduction to ensure that the indicative parameters of compliance risk are adequately monitored.
xi. To interact at frequent intervals with the Legal, Risk Management, Finance & Taxation and Inspection & Audit Departments to take stock of the latest changes in compliance requirements and new areas of compliance.
xii. To ensure compliance with supervisory observations made by RBI and/or any other directions, in both letter and spirit, in a time-bound and sustainable manner.
xiii. To be the nodal point of contact between the bank and RBI and other regulators.
xiv. Non-compliance with any regulatory guidelines, administrative actions initiated against the bank and/or corrective steps taken to avoid recurrence of lapses should be disclosed in the annual report of the bank.

16.5.2 Other aspects of the Role of CCO
i.
Dual Hatting: There shall not be any 'dual hatting', i.e. the CCO shall not be given any responsibility which brings in elements of conflict of interest, especially roles relating to business. Roles which do not attract a direct conflict of interest, such as that of anti-money laundering officer, may be performed by the CCO in those banks where the principle of proportionality, in terms of the bank's size, complexity, risk management strategy and structures, justifies it.
ii. The CCO shall not be a member of any committee which brings his/her role into conflict with the responsibility as a member of that committee, including any committee dealing with purchases/sanctions. Where the CCO is a member of a committee, he/she may have only an advisory role.
iii. The core elements of the CCO's mandate must include the design and maintenance of the compliance framework, training on regulatory and conduct risks, and effective communication of compliance expectations.
iv. The CCO should coordinate comprehensively with the Senior Supervisory Manager (SSM, the RBI team head for conducting RBS) in providing the bank's information/data to the SSM and team members for the smooth and meaningful conduct of RBS.
v. All disclosure requirements in terms of regulatory guidelines (RBI, SEBI or other) shall be ensured by the CCO within the timelines prescribed by the regulation.

16.5.3 Disclosure requirement in respect of divergence in asset classification and provisioning beyond the specified threshold under the Risk Assessment Report (RAR)
The compliance function should ensure that the concerned department makes the necessary disclosures, in the prescribed format, of any divergence in asset classification and provisioning beyond the specified threshold under the Risk Assessment Report (RAR) of the bank:
(i) not later than 24 hours upon receipt of the final RAR, in compliance with SEBI Circular No. CIR/CFD/CMD1/120/2019 dated October 31, 2019; and
(ii) in the Notes to Accounts in the ensuing annual financial statements published immediately following communication of such divergence, in compliance with RBI Notification No. RBI/2016-17/283 (DBR.BP.BC.No.63/21.04.018/2016-17) dated April 18, 2017.

16.5.4 Compliance in respect of reporting of Strictures / Show Cause Notices (SCNs) / Cautionary Advice issued / Imposition of penalty on Bank / Subsidiary
Any adverse action against the bank exposes it to reputational risk. The compliance function should therefore ensure that such strictures / show cause notices (SCNs) / cautionary advice / imposition of penalty are attended to by the concerned functional department in a time-bound manner. The concerned functional department should undertake a root cause analysis of the reasons that resulted in the stricture / SCN / cautionary advice / penalty against the bank and apprise the Board of the reasons and the corrective actions. The Compliance Department at the Corporate/Central Office must be the single point of contact for RBI and other regulators, with the CCO at its helm.

16.6 LET US SUM UP

Compliance risk is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, etc. A strong group/enterprise-wide compliance programme is a necessity for banks. A bank must have a Board-approved compliance policy that is reviewed at least once a year. The policy should lay special thrust on building a compliance culture. The Compliance Department at the Head Office has the central role in identifying the level of compliance risk in each business line, product and process and in formulating proposals for mitigation of such risk. There should be close co-ordination and partnership between the Compliance and Business Operations functions.
The compliance programme should be risk-based and ensure appropriate coverage across businesses and co-ordination among risk management functions. The scope of the compliance function covers both external and internal compliances. The CCO is primarily responsible for overseeing and managing compliance issues within the bank.

16.7 KEY WORDS

Compliance Function; Compliance Risk; Regulatory Risk; Operational Risk; Legal Risk; Reputational Risk; Annihilation Risk; Compliance Policy; compliance culture; Compliance Programme; Accounting Standards; Code of Conduct; Listing Agreement; Chief Compliance Officer.

16.8 CHECK YOUR PROGRESS

1) The possibility of regulatory action closing down the business is _____ risk.
a) Annihilation
b) Legal
c) Operational
d) Regulatory

2) Which of the following is a statutory regulation?
a) Guidelines from SEBI
b) Guidelines from RBI
c) Legislation under the RBI Act
d) Guidelines from IRDA

16.9 KEY TO 'CHECK YOUR PROGRESS'

1 (a); 2 (c)

References:
1) RBI Circular DBS.CO.PP.BC 6/11.01.005/2006-07 dated April 20, 2007 - Compliance function in banks (https://rbi.org.in/scripts/NotificationUser.aspx?Mode=0&Id=3433)
2) RBI Circular DBS.CO.PPD.10946/11.01.005/2014-15 dated March 04, 2015 - Compliance function in banks (https://rbi.org.in/scripts/NotificationUser.aspx?Mode=0&Id=9598)
3) RBI Circular DoS.CO.PPG./SEC.02/11.01.005/2020-21 dated September 11, 2020 - Compliance functions in banks and Role of Chief Compliance Officer (CCO) (https://rbi.org.in/scripts/NotificationUser.aspx?Mode=0&Id=11962)
4) BCBS Guidelines, 29 April 2005, 'Compliance and the compliance function in banks' (https://www.bis.org/publ/bcbs113.htm)

CHAPTER 17
COMPLIANCE GOVERNANCE STRUCTURE

STRUCTURE
17.1 Organizational Structure – GRC Framework
17.2 Responsibility of the Board and Senior Management
17.3 Compliance Structure at the Corporate Office and Functional Departments
17.4 Compliance Structure at Field Levels
17.5 Internal Controls/ Measures and its Importance
17.6
Whistle Blower Mechanism
17.7 Let us Sum up
17.8 Key Words
17.9 Check Your Progress
17.10 Key to 'Check Your Progress'

OBJECTIVES
In this Chapter the learner will:
Understand the GRC framework in an organisation
Know about the responsibility of the Board and Senior Management
Learn about the compliance structure in an organisation
Understand the importance of internal controls/measures

17.1 ORGANIZATIONAL STRUCTURE – GRC FRAMEWORK

17.1.1 GRC Framework
A growing regulatory environment, higher business complexity and an increased focus on accountability have led enterprises to pursue a broad range of governance, risk and compliance initiatives across the organization. These initiatives tend to be planned and managed in silos, which potentially increases the overall business risk for the organization, apart from duplicating effort and spiralling costs. The governance, risk and compliance process, through control definition, enforcement and monitoring, aims to coordinate and integrate these initiatives.

The Governance, Risk and Compliance (GRC) framework includes three elements.
i. Governance: This is the oversight role and the process by which companies manage and mitigate business risks. The governance process within an organization includes elements such as the definition and communication of corporate controls, key policies, enterprise risk management, and regulatory and compliance management and oversight (e.g., compliance with ethics and options compliance, as well as overall oversight of regulatory issues). It requires evaluating business performance through balanced scorecards, risk scorecards and operational dashboards.
ii. Risk Management: This enables an organization to evaluate all relevant business and regulatory risks and controls, and to monitor mitigation actions in a structured manner.
With the recent jump in regulatory mandates and increasingly activist shareholders, many organizations have become sensitised to identifying and managing areas of risk in their business, whether financial, operational, IT, brand or reputation related. Companies are looking to systematically identify, measure, prioritise and respond to all types of risk in the business, and then manage any exposure accordingly.
iii. Compliance: This ensures that an organization has the processes and internal controls to meet the requirements imposed by governmental bodies, regulators, industry mandates or internal policies. An initiative to comply with a regulation typically begins as a project, as companies race to meet deadlines for compliance with that regulation. However, compliance is not a one-time event; organizations realise that they need to make it a repeatable process. When an organization is dealing with multiple regulations at the same time, a streamlined process for managing compliance with each of these initiatives is critical, or else costs can spiral out of control and the risk of non-compliance increases.

17.1.2 Integrated GRC Approach
Even though each initiative of an entity individually follows the governance, risk and compliance process, the software solutions deployed to enable these processes have often been selected in a very tactical manner. As a result, organizations end up with numerous systems to manage individual governance, risk and compliance initiatives, each operating in its own silo. By taking an integrated GRC process approach and deploying a single system to manage the multiple governance, risk and compliance initiatives across the organization, the following benefits can result:
i. A positive impact on organizational effectiveness, providing a clear process and a single point of reference.
ii. Elimination of redundant work.
iii. A single version of the truth for employees, management, auditors and regulatory bodies.
iv.
A significant reduction in the cost of compliance.

17.1.3 Organisational Structure
A bank should have a structure that ensures proper corporate governance, risk management and compliance in its functioning. For this purpose, the broad structure followed is based on the concept of the 'Three Lines of Defence'. The broad organisational structure of a bank built on this basis is shown below.

Fig. 17.1 Organisational Structure

The responsibility for compliance rests with every individual in the bank, from the Directors to the frontline executives.
i. The Board of Directors has the ultimate responsibility to ensure that the bank's business and activities are conducted in compliance with all applicable laws/regulations/codes and internal policies.
ii. Senior Management is responsible for ensuring compliance in day-to-day activities.
iii. The first line of defence (the various business/operations/support functions) implements the compliance requirements in carrying out business activities.
iv. The second line of defence (the Compliance and Risk functions) monitors on an ongoing basis the compliance by the first line and provides the required guidance.
v. The third line of defence (the Audit function) provides assurance to the Board and Senior Management on the status of compliance, based on periodic audit exercises.

The structure of the compliance function depends on the branch network, the size and complexity of business operations, the sophistication of products and services offered, etc. The organizational structure of the compliance function could be as under:
Independent Compliance Department headed by the Chief Compliance Officer
Compliance function at verticals at the Corporate Office
Compliance function at field offices: Zonal Offices, Regional Offices, Branches

17.2 RESPONSIBILITY OF THE BOARD AND SENIOR MANAGEMENT

Compliance starts at the top.
It will be most effective in a corporate culture that emphasises standards of honesty and integrity, and in which the Board of Directors and senior management lead by example.

17.2.1 Responsibility of the Board of Directors
i. Ensure that an appropriate compliance policy is in place, and oversee its implementation.
ii. Ensure that compliance issues are resolved effectively and expeditiously by senior management.
iii. Ensure that there is no potential for conflict of interest, that the compliance function is subject to independent review, and that the compliance and audit functions are kept separate.
iv. Review the compliance function on a quarterly basis and ensure that an annual review of compliance status is carried out.
v. Compliance failures may be reviewed by the Board/Management Committees and appropriate remedial measures taken.
vi. The Board may delegate these tasks to the Audit Committee of the Board (ACB).

The Companies Act, 2013 casts the responsibility on the Directors to devise proper systems to ensure compliance with the provisions of all applicable laws. This is to be confirmed in the Directors' Responsibility Statement included in the Directors' report to the shareholders.

17.2.2 Responsibility of Senior Management
i. Establish a written compliance policy containing the basic principles for compliance and the main process for identifying and managing compliance risk.
ii. Ensure that all regulatory directions, instructions and guidelines are duly incorporated, as appropriate to the size, volume and spread of the business.
iii. Ensure that the policy addresses the proper reporting mechanism at the various levels of control.
iv. Ensure that appropriate remedial or disciplinary action is taken if breaches are identified.
v. At least once a year, identify and assess the main compliance risks and formulate plans to manage them.
vi.
Submit to the Board/ACB, quarterly and annual reviews, to enable them to make an informed judgment on management of compliance risk, and report promptly to the Board or the ACB any material compliance failure. 17.3 COMPLIANCE STRUCTURE AT THE CORPORATE OFFICE AND FUNCTIONAL DEPARTMENTS 17.3.1 Compliance Department at Corporate Office At the Corporate Office, an independent Compliance Department is set up, headed by a senior executive as Chief Compliance Officer/ Head Compliance. It has the overall responsibility for coordinating identification of Compliance issues and management of the bank‘s compliance risk. It shall frame an appropriate mechanism for coordination among various functional departments/ field offices/ branches of the bank to enable the CCO to perform effectively. The Compliance Department shall be staffed adequately with well-qualified persons. Compliance staff shall preferably have fair knowledge of Law, Accountancy and Information Technology and adequate practical experience in various business lines and audit/inspection functions. Compliance Department should have close co-ordination with the operations risk function on compliance matters. Within the scope set for the compliance function, the Compliance Department at Corporate Office should coordinate with all functions at group level including subsidiaries and overseas establishments and undertake the duties and responsibilities for achieving the objective of the compliance function, specifically: i. To identify the business functions of the bank that fall under each statutory and regulatory guideline. 315 ii. To assess the level of compliance risk in each business line, product and process into High, Medium and Low Risk and accordingly formulate proposals for mitigation of the risk. iii. 
To ensure prompt dissemination of statutory and regulatory guidelines and instructions for compliance to Functional Departments/Verticals for onward circulation to all controlling offices down the line, and also to ascertain that system-level modifications are effected, if needed, so that compliance with each RBI direction can be submitted to the ACB at the prescribed frequency.
iv. To evolve strategies and develop systems for communication and transfer of information on compliance matters from branches to Zonal Compliance Departments, and from Zonal Compliance Departments/Overseas Compliance Departments/Corporate Office functional departments to itself, and vice versa.
v. To ensure that the functional departments have their policies with function-wise compliance parameters for the information of the staff associated with the functions, and also list out the various returns to be submitted by the bank to the statutory and regulatory authorities.
vi. To circulate periodically the instances of compliance failures to H.O. departments and Branches/Offices, along with preventive instructions.
vii. To monitor all new products and processes intensively for 6 months from their introduction, to ensure that the indicative parameters of compliance risk are adequately met. The convenor of the Product Group Committee should monitor and advise on gaps on the operational and compliance front, if any, in coordination with the I&A Department.
viii. To provide a checklist on the compliance aspects to the inspectors/concurrent auditors to verify the level of compliance in domestic branches. The Inspection/Audit findings related to compliance should be scrutinised and appropriate corrective measures taken in case of any compliance breaches/failures.
ix. To coordinate with the SSM Team of RBI in conducting Risk Based Supervision (RBS). The department should coordinate with all the departments for periodic submission of the data under Tranche pertaining to the RBS. The department should review/interact with the concerned functional department on the correctness of the Tranche data, and shall ensure vetting by a committee of senior officials before its submission to RBI.
x. To provide guidance in respect of cross-border business undertaken by the bank to the operational departments (in consultation with the Head of the International Division), so that they ensure compliance of such business activity with the legal and regulatory guidelines prevalent in the respective jurisdiction.
xi. To scrutinise the RBS report and ensure time-bound submission of compliance/replies to the observations of the Risk Assessment Report (RAR)/Major Area of Financial Divergence/Major Area of Non-Compliance/Risk Mitigation Plan (RMP) to RBI, and also devise a time-bound strategy to ensure that compliance on all action points of the RMP is achieved within the given timeline.
xii. To ensure sustainability of compliance with RBI observations, the Compliance Department should ensure that the I&A Department conducts audits in respect of the execution of the different action points/compliances by Branches/functional departments at Corporate Office in respect of Risk Mitigation Plans (RMPs) and the observations made in the Risk Assessment Report (RAR) of RBI.
xiii. To ensure formulation/updating of Compliance Rules (CRs), in coordination with the principal functional departments, for all banking functions and their operational implementation in terms of statutory guidelines, especially those pertaining to KYC-AML-CFT guidelines, Deposits and Services, Advances and FEMA Guidelines. The department shall also ensure submission of CRs by the Branches/Zones on a monthly/quarterly basis and onward reporting to the ACB.
xiv. Banks having overseas establishments should have an overseas compliance set-up and undertake the following compliance functions for overseas establishments:
a) To ensure that the overseas branches are using policies that have been updated and reviewed not more than a year ago, specifically the KYC-AML policy as well as the compliance policy.
b) To obtain periodic certifications/confirmations from overseas establishments and strengthen the monitoring process from Corporate Office with measures as under:
i. Obtaining a Compliance Sustainability Tracker covering the various compliance matters of overseas branches, and reporting the status to Top Management periodically as prescribed in the policy;
ii. Obtaining monthly certificates/confirmations on the position of regulatory violations/enforcement actions/imposition of penalties, if any, for non-compliance issues at overseas centres.
c) To ensure that the compliance officers at overseas branches are conducting independent compliance testing and submitting the report periodically, currently at quarterly intervals.
d) To ensure that overseas branches are submitting to their regulators, on time, their reports of compliance with the regulators' observations/issues raised in regulatory examinations.
e) To report compliance status/emerging compliance issues at overseas centres to Top Management and the ACB/Board, and coordinate with the overseas branches/International Division for timely compliance with the directions thereof.
xv. To prepare an Annual Report on compliance failures/breaches, place it before the Board/ACB, and also circulate it amongst the concerned departments.

17.3.2 Compliance Structure at Functional Departments

The Functional Departments at Corporate Office shall have a senior functionary to act as Compliance Officer for managing compliance risk pertaining to their functional area. They shall report to the Compliance Department and coordinate with it. The key functions of this functionary are:
i.
To identify compliance requirements/issues pertaining to their Functional Department based on regulatory/statutory guidelines.
ii. To act on compliance issues identified by the Compliance Department.
iii. To monitor compliance with all regulatory and statutory guidelines as well as internal policy guidelines, and report to the CCO any breaches/non-compliances observed.
iv. To ensure timely submission of regulatory returns as per the calendar of returns.
v. To interact with the Compliance Department for any clarification.
vi. To extend necessary cooperation in the process of compliance testing.
vii. To share their views/suggestions arising out of their experience and knowledge of compliance in their functional area.
viii. To associate with the training programmes/workshops arranged by the Compliance Department.
ix. To ensure implementation of all regulatory/statutory guidelines by the Functional Department.

17.4 COMPLIANCE STRUCTURE AT FIELD LEVELS

17.4.1 At Branches

The Branch Manager and the branch staff play a crucial role in compliance, as branches are the delivery and service points. Conflict of interest between managing compliance risk and business development cannot be avoided at this level. It must be ensured that this potential conflict is not allowed to come in the way either of compliance or of delivery of services and business; an appropriate mechanism with a written SOP must be put in place. The Branch Manager, Service Managers and other officers are primarily responsible for compliance with rules and regulations. The Branch Manager will be the Compliance Officer for his branch.

17.4.2 At Zonal/Regional Offices

Zonal/Regional Heads will perform the role of Compliance Officers in their respective jurisdictions. The departmental heads in a ZO/RO are equally responsible for managing the compliance pertaining to their functional area. They are required to apprise the Zonal/Regional Head of the level of compliance and the breaches observed, if any, so that prompt corrective action is taken. These incidents should be reported to the Compliance Department. They shall be responsible for compliance with the laid-down systems, procedures, rules and guidelines for the Regional Office as well as for all the branches reporting to the Regional Office. They shall also be responsible for submission of compliance reports to the Compliance Department for the ZO/RO, and for monitoring submission of these reports by the branches. They also have a role of handholding, troubleshooting and monitoring for compliance matters at branches.

17.5 INTERNAL CONTROLS/MEASURES AND THEIR IMPORTANCE

An area that plays a crucial role in the control of compliance risk is the bank's system of internal controls. Effective internal controls enhance the safeguards against system malfunctions, errors in judgement and fraud. Without proper controls in place, management will not be able to identify and track its exposure to risk. Six aspects of internal controls need attention:
i. Information Systems: Effective controls are essential to ensure the integrity, security and privacy of information contained on the bank's computer systems. There should also be a tested contingency plan for any failure of the computer systems.
ii. Segregation of Duties: There should be adequate segregation of duties in every area of operation, for dual or multiple controls.
iii. Audit Programme: An effective audit function and process should be independent, reporting to the board without conflict or interference from management. An annual audit plan is necessary to ensure that all risk areas are examined, and that those areas of greatest risk receive priority. Follow-up of any unresolved issues is essential; e.g., examination of exceptions should be covered in subsequent reports.
iv.
Record Keeping: A bank must maintain records of required information/documents not only for compliance with legal requirements but also for control purposes. The records and accounts should reflect its actual financial condition and the accurate results of operations.
v. Protection of Physical Assets: A principal method of safeguarding assets is to limit access to authorised personnel. Protection of assets can be accomplished by developing operating policies and procedures for cash control, joint custody (dual control), teller operation, and physical security of the computer.
vi. Education of Staff: Bank staff should be thoroughly trained in specific daily operations. A training programme tailored to meet management's needs should be in place, and cross-training programmes for office staff should be present.

Risk is controlled when the bank is able to maintain continuity of operations and service to members. Actionables towards the objective of the compliance framework and monitoring may be enumerated as under:

Theme: Effective governance
Key components for assessment:
o Board-approved Compliance policy formulating the compliance-related responsibilities of governance committees and framing the THREE lines of defence (namely, business, operations & finance; compliance & risk; and internal audit)
o Reporting procedure with defined SOPs to the Board (or committee thereof), including results of the compliance programme, regulatory reporting such as RBS, etc.

Theme: Strengthening the first line of defence
Key components for assessment:
o Role of business and operations in compliance management: role, enablement infrastructure, including documentation of processes, risks and controls
o Scope and coverage of concurrent audit

Theme: Compliance processes and systems (second line of defence)
Key components for assessment:
o Compliance function in line with the RBI directions
o Risk-based compliance monitoring and testing programme, and its convergence with the Bank's other control and assurance programmes such as concurrent audits, internal audits, operational/enterprise risk and control assessments, etc.
o IT systems for compliance management, automation of key compliance controls and indicators/alerts

Theme: Role of internal audit (third line of defence)
Key components for assessment:
o Scope and coverage of the internal audit function, as the third line of defence and source of objective feedback on the compliance health of the organisation

Theme: Thematic compliances
Key components for assessment:
o Implementation of the KYC-AML-CFT policy, updated in terms of the Master Direction of RBI, along with an AML/CFT programme addressing other leading industry standards across the three lines of defence, with appropriate structural MIS in place
o Implementation of other compliance changes, i.e. proactive fraud risk management, early warning signals for credit risk, information and cyber security measures, etc., as considered relevant by the bank

17.6 WHISTLE BLOWER MECHANISM

Regulation 4(2)(d)(iv) of SEBI (LODR), 2015 provides for the listed entity to devise an effective Whistle Blower mechanism, viz. a Whistle Blower Policy, enabling stakeholders, including individual employees and their representative bodies, to freely communicate their concerns about illegal or unethical practices. The vigil mechanism shall provide for adequate safeguards against victimisation of director(s), employee(s) or any other person who avails of the mechanism, and shall also provide for direct access to the chairperson of the audit committee in appropriate or exceptional cases.
These Regulations also require that the details be displayed on the website. The ACB is required to review the functioning of this mechanism, and the Annual Report should contain its details with an affirmation that no personnel have been denied access to the audit committee.

RBI, in its guidelines on Fraud Classification and Reporting, has stipulated that employees should be encouraged to report fraudulent activity in an account, along with the reasons in support of their views, to the appropriately constituted authority under the Whistle Blower Policy of the bank. Protection should be available to such employees under the Whistle Blower Policy of the bank, so that the fear of victimisation does not act as a deterrent (RBI Circular No. DBS.CO.CFMC.BC.No.1/23.04.001/2015-16 dated July 01, 2015).

Apart from the legal and regulatory requirement, a whistle blower mechanism, if appropriately administered, is a useful tool in bringing about a healthy compliance culture. The thought that one's conduct is under watch encourages persons to act in the manner expected by the norms and regulations.

17.6.1 Components of Whistle-Blower Policy

There are four broad components of a whistle-blower policy:
i. A Whistle Blower: A Whistle Blower is a person who raises a concern about wrongdoing occurring in an organisation or body of people. This person may be an employee, a customer or even a member of the general public. The revealed misconduct may be classified in many ways: for example, a violation of a law, rule or regulation, and/or a direct threat to public interest, such as fraud, health/safety violations and corruption. Sometimes a Whistle Blower may raise the issue with the regulatory or legal authority.
ii. A wrongful or unethical practice: The wrongful practice or unethical conduct that is sought to be covered under the Whistle-Blower policy is expected to be grave and serious in nature, and may involve several parties. It is not intended to be an alternative to the consumer grievance redressal mechanism. These practices may concern serious disregard of the law of the land (e.g., dealing in narcotics), a crime against human rights (e.g., child trafficking, dealing in human organs), corruption of a high order (e.g., supply/use of substandard or expired medicines in a hospital), compromise of organisational values (e.g., bribery, unfair trade practices) and similar serious acts.
iii. An authority: The policy defines a specific process to be followed for escalation of information regarding the wrongful or unethical practice. The person/authority to which the communication may be sent, the manner of sending the communication and the manner in which the information received will be dealt with are clearly defined in the policy. The authority which deals with the information provided by a Whistle-Blower must be independent, senior and responsible, and the policy must provide for confidentiality of the information as well as of the identity of the informer.
iv. A policy: A Whistle-Blower policy is thus an internal policy on access to the appropriate designated authority by persons who wish to report unethical or improper practices. The policy is intended to create a platform for alerting the management of the company, or those charged with the governance of the company, about potential issues of serious concern, by ensuring confidentiality, protection and expedient action. The Whistle-Blower must have direct access to the Chairman of the Audit Committee for reporting wrongdoings by the senior management.

The success of the Whistle-Blower Policy largely depends upon various factors, viz. the tone at the top and the signals it sends down the line, the organisational philosophy and code of conduct, and whistle-blower policy campaigning, orientation and awareness in the organisation.

The Whistle-Blower Policy should clearly state that:
i. Anonymity of the informant will be maintained.
ii. The authenticity of the information will be confirmed and there will be no reprisal for reporting the information.
iii. Appropriate disciplinary action will be taken after investigation and on confirmation of the information.

17.7 LET US SUM UP

o Enterprises pursue a broad range of governance, risk and compliance initiatives across the organisation. Taking an integrated GRC process approach and deploying a single system to manage the multiple governance, risk and compliance initiatives across the organisation yields several benefits.
o The broad structure followed for GRC is based on the concept of 'Three Lines of Defence'.
o The compliance function may be structured in different ways depending on the organisation's size, volume of business, etc.
o Compliance starts at the top. The Board of Directors and the Senior Management have the ultimate responsibility for compliance.
o The Compliance Department at the Corporate Office has the overall responsibility for coordinating the identification of compliance issues and the management of the bank's compliance risk.
o The Functional Departments at Corporate Office shall have a senior functionary to act as Compliance Officer for managing compliance risk. His role is to ensure implementation of all regulatory/statutory guidelines by the Functional Department.
o Compliance responsibility is to be assigned to functionaries at each branch and each zonal/regional office.
o Effective internal controls enhance the safeguards against system malfunctions, errors in judgement and fraud.
o A whistle blower mechanism is required in each company. It can be an important measure for early detection of deviant behaviour.

17.8 KEY WORDS

Governance; Risk management; Integrated GRC; Three Lines of Defence; First Line of Defence; Second Line of Defence; Third Line of Defence; Compliance failures; Internal controls; Information Systems; Whistle Blower Policy; Unethical.
17.9 CHECK YOUR PROGRESS

(1) In the compliance hierarchy the audit committee is placed
(a) Before the CMD
(b) After the CMD and before the board
(c) After the board
(d) Not important to be rigid

(2) At the branch level the most important hurdle in being compliant is
(a) Conflict of interest.
(b) Lack of awareness of regulations.
(c) Laid back attitude.
(d) Lack of coordination amongst staff.

17.10 KEY TO 'CHECK YOUR PROGRESS'

1 (b); 2 (a)

References:
1. RBI Circular DBS.CO.PP.BC 6/11.01.005/2006-07 dated April 20, 2007, Compliance function in banks (https://rbi.org.in/scripts/NotificationUser.aspx?Mode=0&Id=3433)
2. RBI Circular DBS.CO.PPD.10946/11.01.005/2014-15 dated March 04, 2015, Compliance function in banks (https://rbi.org.in/scripts/NotificationUser.aspx?Mode=0&Id=9598)
3. RBI Circular DoS.CO.PPG./SEC.02/11.01.005/2020-21 dated September 11, 2020, Compliance functions in banks and Role of Chief Compliance Officer (CCO) (https://rbi.org.in/scripts/NotificationUser.aspx?Mode=0&Id=11962)
4. BCBS Guidelines, 29th April 2005, 'Compliance and the compliance function in banks' (https://www.bis.org/publ/bcbs113.htm)

CHAPTER 18
FRAMEWORK FOR IDENTIFICATION OF COMPLIANCE ISSUES AND COMPLIANCE RISKS

STRUCTURE
18.1 Compliance Culture
18.2 Compliance Issues
18.3 Compliance Risk
18.4 Inherent Risk, Control Risk and Residual Risk
18.5 Compliance Testing
18.6 Reasons for Compliance Failures
18.7 Let us Sum up
18.8 Key Words
18.9 Check Your Progress
18.10 Key to 'Check Your Progress'
Appendix 10. Indicative list of Compliance Rules (CRs) for Advances

OBJECTIVES

In this Chapter the learner will:
o Understand compliance culture
o Learn about compliance issues
o Understand the compliance risk
o Know the reasons for compliance failures

18.1 COMPLIANCE CULTURE

Global Financial Crisis 2008, Observation: Serious deficiencies in prudential oversight and financial regulation in the period before the crisis were accompanied by major governance failures within banks.

Corporate culture evolves and settles within the working environment. The compliance function, paramount for any financial institution, needs to be engrafted effectively onto the corporate culture. Such macro- and micro-level implementation in banks must pave the way for the evolution of a compliance culture that delivers regulatory objectives suitably and sustainably.

Culture can be understood explicitly as the culmination of:
o Ethics and Values, which define character, the scale of ownership, and a system of principles governing morality and conduct;
o Attitudes, Habits and Mind-sets, etc., of the staff at all levels, which are imbibed over a period and involve beliefs and feelings towards disposition;
o Assumptions and heritage in respect of the various business products and models;
o Expectations and Aspirations in terms of regulatory standards.

All the above parameters shape the day-to-day functioning of banks while dealing with different kinds of clients.

18.1.1 General Drivers of the Culture

1) From the top: Creating a culture where each one realises ownership and performs with due responsibility; such values should be set in normal working. These standards should be demonstrated by the top management through their actions, and should provide direction to the employees down the line.
2) Adopting Best Practices and mending behaviour: These translate into business practices, i.e. how delegations are used at different levels, how schemes are implemented and how customers' needs are responded to. Therefore, translating culture into practices is essential.
3) Skill Development, Training and Motivation through Reward: The compliance department must be duty bound to develop the needed skills among employees through training and reward, and these should be ongoing tools and methods to ensure the needful performance and influence at the appropriate level.

Leadership with adequate oversight, strategy at the various levels of the institution as per hierarchy, delegations duly defined with approved policies, embedding of control measures, and skill development through training and rewards are the key ingredients.

The evolution of a compliance culture in PSBs is essential, with increasing concerns about Governance, Risk and Compliance (GRC) pertaining to the various regulations from the banking and market regulators as well as investigating agencies. The pace along the path of needful compliance should be effective and in tune with regulatory aspirations. RBI has, in the recent past, given concrete prescriptions in the matter, clearly and substantially stating the:
- Need for an Effective Compliance Culture
- Independent Corporate Compliance Function
- Strong Compliance Risk Management Programme

Over and above this, RBI has issued detailed directions with a serious tone from the outset, i.e. a Robust Compliance System along with prescription-based ingredients. The PSBs' endeavours need more attention, skill and regular oversight by their senior management. The dissemination of information pertaining to regulatory directions/concerns at the various levels, from Top Management to functionaries in the field, is extremely helpful in evolving a compliance culture.

A culture of compliance in an organisation, especially a bank, is crucial. Compliance must be visibly embraced by senior management and built into the hiring and training process. The right metrics can make the culture of compliance concrete. It is important to address such questions as: Who delivers the compliance message, line or staff? How senior are the messengers? How often do they address compliance issues? Culture, like other aspects of compliance processes, can be managed and measured over time.

This report shows how banks around the world are building more effective compliance programmes. It describes the current state of compliance and how banks are struggling to understand and improve the effectiveness of their programmes in order to meet the challenges that may come in their way now or in future. The Indian financial regulators always emphasise the importance of an organisation's culture of compliance. Having a robust culture of compliance can help firms avoid severe financial consequences.

18.1.2 What is a "robust culture of compliance?"

It is an overall environment that fosters ethical behaviour and decision-making. Even the most clearly written, comprehensive compliance programme is destined for failure without such an environment. Here are 10 typical attributes that regulators look for to gauge 'compliance culture'.
i. Tone at the top: This is the most important hallmark of a culture of compliance. Regulators are increasingly meeting with senior management during examinations to get a sense of their engagement in compliance. Tone at the top is often evidenced by the processes for making critical decisions.
ii. Integration across the enterprise is key: Risks in banking are both complex and often inter-related. To ensure that risk is managed thoughtfully across the enterprise, compliance must work closely and communicate well with all risk areas and businesses.
iii. Silos: The compliance department should not be walled off from the rest of the organisation. Is compliance staff present when business decisions are made? Does the firm seek their input? Firms with a strong culture of compliance would answer yes to both.
iv. Power: Regulators also look at who holds power in the firm. Is the chief compliance officer (CCO) part of senior management? Is the compliance department independent? Is it respected? Or does the CCO sit in a back office, neither seen nor heard? When discussing an issue, who wins, business or compliance?
v. Cowboys: Does the organisation reward risk-taking without limits? Are rewards based solely on financial performance? In a strong culture of compliance, risks are taken within the organisation's tolerance for risk.
vi. Resources: Compliance costs money. Is the compliance programme appropriately structured and sufficiently funded?
vii. Employee Buy-In: Once the compliance infrastructure is established, it is the employees who carry out the mandate. The firm's culture of compliance must be embedded in the culture of the employees. To facilitate employee buy-in, organisations should have a zero-tolerance policy for employee misconduct.
viii. Living Compliance Programme: The compliance programme must be tailored to the organisation's business and risks; it must be tested and modified; and it must be enforced.
ix. Technology: Does the organisation look for ways to automate compliance and limit human error, as it does with portfolio and risk management? How are workflows and documents managed?
x. Documentation: Regulators love documentation, and so should organisations, to establish their commitment to compliance. Good record keeping reflects a strong compliance culture.

18.2 COMPLIANCE ISSUES

The responsibilities are carried out under a Compliance Programme that sets out its planned activities, such as the review of compliance risk assessment in specific products/processes to which the Regulator attaches importance, compliance testing, and educating staff on compliance matters/activities. The Compliance Programme should cover the following:
a) Identify major compliance issues to be addressed on a priority basis.
b) Coordinate with the Internal Audit department for simultaneous identification of key compliance issues based on their findings.
c) Develop testing and monitoring procedures for assessing the extent of compliance in various activities.
d) Review policies by the functional departments based on the experience gained during implementation of the policy.
e) Create awareness and educate staff on the Compliance function.
f) The Bank shall carry out at least an annual compliance risk assessment in order to identify and assess the major compliance risks faced by the bank, and prepare a plan to manage the same. The compliance function should consider ways to measure compliance risk (e.g. by using performance indicators) and use such measurements to enhance compliance risk assessment.

The basis for identification of compliances in any product/process is:
(i) Regulatory guidelines
(ii) Laws and statutes
(iii) System and information security
(iv) Internal controls

Based on RBS cycles in all banks, RBI has analysed the position/status of compliance and identified the following areas which require greater oversight by the Board/Top/Senior Management in banks:
a) Risk Based Supervision (RBS), specific template: the CCO is responsible for ensuring total compliance with all guidelines specified;
b) Compliance Function and Audit should necessarily be kept separate;
c) Board/ACB/Board-level committees/Internal Audit should regularly review compliance functions;
d) Staffing of the Compliance Department and succession planning is a matter of concern, and recent guidelines should be adhered to;
e) Compliance with RAR observations, Monitorable Action Plans/RMPs;
f) Evaluate the compliance risk in each business line at periodic intervals;
g) Copies of compliance furnished to RBI Inspection Reports to be sent to the CCO;
h) Staff accountability and policies for non-compliance;
i) Compliance should not be seen as an activity of the compliance department alone, but as a culture that should pervade across the bank.

18.2.1 Unauthorised Operation of Internal/Office Accounts

The RBI observations in the matter are as under:
a) Banks in general do not have a policy for opening, operating, reviewing, monitoring, reconciliation and provisioning of internal/office accounts. An SOP document remains missing in this regard. Common mapping to link GL/PL heads remains missing.
b) Entries in Sundry/Suspense accounts are not made on a pointing basis.
c) Large cash deposits of customer accounts are routed through internal/office accounts to bypass CTR/STR rules.
d) System-level changes are effected for operation in the accounts without SOP/authority.

The compliance function must identify the risk factors and embed the necessary changes to control these gaps.

18.3 COMPLIANCE RISK

The Basel Committee, in its guidance on the compliance function, defines compliance risk as the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its banking activities (together, 'compliance laws, rules and standards').

Another aspect of compliance is the area of operational risk control. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The definition includes legal risk but excludes strategic and reputational risk. Operational risk can arise from a wide range of external events like power failures, floods, earthquakes or terrorist attacks. Operational risk can also arise from internal events, such as the potential for failures or inadequacies in any of the Bank's processes and systems or those of its outsourced service providers.

Historically, the compliance function did not understand and model processes for risk management. Compliance documented and met requirements, and found and resolved issues. Most often complian