The Reserve Bank of India (RBI) has invited public comments on draft amendment directions aimed at harmonising and consolidating governance instructions relating to risk management, compliance, and internal audit functions across various regulated entities, including commercial banks, small finance banks, payments banks, local area banks, regional rural banks, NBFCs, co-operative banks, and other financial institutions. The proposed framework seeks to strengthen governance standards by clearly defining control and assurance functions, reinforcing the independence and accountability of Chief Risk Officers (CROs), Chief Compliance Officers (CCOs), and Heads of Internal Audit (HIAs), and prescribing fixed tenures, board oversight, and fit-and-proper criteria for key appointments. The draft directions prohibit outsourcing of these core functions, mandate regular internal and external reviews, require enhanced board involvement, and emphasise risk-based internal audits and stronger compliance culture. The amendments, proposed to take effect from January 1, 2027, are intended to ensure greater clarity, consistency, and effectiveness in governance practices across the financial sector.

Reserve Bank of India

RBI invites comments on Harmonisation and Consolidation of Instructions on Control / Assurance Functions

Reserve Bank of India has today issued the following draft Amendment Directions for public comments:

i. Reserve Bank of India (Commercial Banks – Governance) Second Amendment Directions, 2026

ii. Reserve Bank of India (Small Finance Banks – Governance) Second Amendment Directions, 2026

iii. Reserve Bank of India (Payments Banks – Governance) Second Amendment Directions, 2026

iv. Reserve Bank of India (Local Area Banks – Governance) Second Amendment Directions, 2026

v. Reserve Bank of India (Regional Rural Banks – Governance) Amendment Directions, 2026

vi. Reserve Bank of India (All India Financial Institutions – Miscellaneous) Amendment Directions, 2026

vii. Reserve Bank of India (Urban Co-operative Banks – Governance) Second Amendment Directions, 2026

viii. Reserve Bank of India (Rural Co-operative Banks – Governance) Second Amendment Directions, 2026

ix. Reserve Bank of India (Non-Banking Financial Companies – Governance) Amendment Directions, 2026

x. Reserve Bank of India (Credit Information Companies) Amendment Directions, 2026

xi. Reserve Bank of India (Asset Reconstruction Companies) Second Amendment Directions, 2026

2. The comments / feedback on the draft Amendment Directions may be submitted by the regulated entities and members of public / other stakeholders on or before July 9, 2026 through the following channels:

i) the ‘Connect 2 Regulate’ section on the website by following the corresponding hyperlink provided against each document in the page where they are hosted; or

ii) by email (with the subject line ‘Feedback on [full name of the draft Amendment Directions (including the type of Regulated Entity)]’), as under:

Regulated Entity Email
Commercial Banks, Small Finance Banks, Payments Banks, Local Area Banks, Regional Rural Banks and All India Financial Institutions email
Urban Co-operative Banks, Rural Co-operative Banks, Non-Banking Financial Companies, Credit Information Companies and Asset Reconstruction Companies email

(Brij Raj)
Chief General Manager

Press Release: 2026-2027/431

****

Reserve Bank of India

Reserve Bank of India (Commercial Banks – Governance) Second Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.HGG.GOV.No.__/xx.xx.xxxx/2026-27

June xx, 2026

Reserve Bank of India (Commercial Banks – Governance) Second Amendment Directions, 2026

The Reserve Bank has issued Reserve Bank of India (Commercial Banks – Governance) Directions, 2025 on November 28, 2025.

2. At present, the regulatory instructions with respect to control / assurance functions viz. risk management, compliance and internal audit are contained in various directions / circulars. With a view to strengthening the governance framework for these functions and to ensure greater clarity, consistency and harmonisation in the instructions pertaining to these functions, it has been decided to review and consolidate them under these Directions.

3. Accordingly, in exercise of the powers conferred by Section 35A of the Banking Regulation Act, 1949, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Commercial Banks – Governance) Second Amendment Directions, 2026.

(2) These Directions shall come into effect from January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Commercial Banks – Governance) Directions, 2025 in the manner as specified hereinafter.

(1) In Paragraph 6 of ‘Chapter I – Preliminary’ of the Directions, the following definition shall be deleted:

(1) ‘Chairperson’ means the Chairman / Part-time Chairman of the Board of Directors of a bank.

(2) In Paragraph 6 of ‘Chapter I – Preliminary’ of the Directions, the following definitions shall be inserted:

(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment, as well as the applicable laws, rules and regulations.

(1c) ‘Chairperson’ means the Chairman / Part-time Chairman of the Board of Directors of a bank.

(2a) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to a bank’s activities and with the internal control systems laid down to comply with the foregoing.

(2b) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(2c) ‘Compliance Function’ means policies, processes, procedures, systems and personnel dedicated for Compliance.

(2d) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(2e) ‘Control Functions’ mean those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management function, Compliance Function and Internal Audit Function.

(6a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of bank’s internal control, risk management and governance systems and processes.

(6b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of the internal audit.

(6c) ‘Internal Controls’ means a set of rules and controls governing a bank’s organisational/ operational structure, including reporting processes and functions.

(13a) ‘Risk Appetite’ means the aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(13b) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations and other measures.

(13c) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(13d) ‘Risk Management Function’ means policies, processes, procedures, systems and personnel dedicated for Risk Management.

(3) The proviso to Paragraph 4 in respect of ‘Appointment of Chief Risk Officer’ in non-scheduled commercial banks shall be deleted.

(4) The sentence “The bank shall also refer to ‘Guidance Note on Management of Credit Risk’.” in Paragraph 21(3) stands deleted.

(5) Title of Chapter-II (E) and Chapter-III (F) of the Directions, ‘Appointment of Chief Risk Officer’ stands modified to ‘Control Functions: Risk Management, Compliance and Internal Audit’.

(6) Paragraph 29-33 of the Directions stand deleted and instead, the following shall be inserted before Paragraph 34:

2. Control Functions: Risk Management, Compliance and Internal Audit

E1. General

33A. A bank shall establish Risk Management, Compliance and Internal Audit functions, commensurate with its size, complexity and risk / business profile, headed by a Chief Risk Officer (CRO), Chief Compliance Officer (CCO) and Head of Internal Audit (HIA), respectively. In banks which are a part of a group consisting of more than one financial entity, there may be a Group Chief Risk Officer (GCRO) and a Group Chief Compliance Officer (GCCO), responsible for group level risk oversight / compliance and coordination.

33B. The bank shall have policies for each of the three control functions, viz., Risk Management, Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. The said policies shall be approved by the Board and reviewed periodically.

33C. The above functions shall:

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CRO/CCO/HIA for specialised tasks without diluting the accountability of the functions.

33D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or RMCB/ACB, as applicable, shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

33E. The Risk Management and the Compliance Functions shall be subject to regular internal audit. Further, banks shall develop and maintain a Quality Assurance and Improvement Program (QAIP) covering all aspects of the Compliance and Internal Audit Functions. Banks shall subject the Risk Management Function as also the QAIP of the Compliance and Internal Audit Functions to periodic external review, to benchmark the practices and strengthen the effectiveness of the functions.

E2. Terms of appointment of the CRO / CCO / HIA

33F. The terms of appointment of the CRO / CCO / HIA would be as follows:

(1) Appointing Authority and Rank: A bank shall appoint / designate suitably senior employees, not more than two levels below the MD&CEO, as CRO, CCO and HIA with the approval of the Board.

(2) Knowledge / Experience: CRO, CCO, and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity, and risk profile of the bank.

(3) Age: The age limits for CRO, CCO and HIA to hold office may be prescribed by a bank as part of its internal policy.

(4) Tenure: CRO, CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CRO, CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CRO, CCO or HIA. However, consultants, advisors, part time auditors or individuals who are neither on the rolls of the bank/group entity nor have any contractual employer-employee relationship with the bank/group entity shall not be appointed/designated as CRO, CCO or HIA or Group CRO/CCO.

E3. Independence of the CRO, CCO and HIA

33G. CRO, CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CRO, CCO and HIA shall:

(1) functionally report to the Board or the respective Board Committee and administratively report to MD & CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the respective Board Committee at least once in a quarter, without the presence of the Senior Management (including the MD & CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the respective Board Committee to enable them to communicate concerns without any management interference.

(4) have their final performance review carried out by the Board or the respective Board Committee.

E4. Risk Management Function

33H. The Board shall ensure an effective oversight over the bank’s risk management function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the bank’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the bank’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g. sanctioning credit, making investments, etc. The advice of the CRO shall be supported with proper rationale.

(3) The CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights in the proceedings thereof.

(4) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

33I. The Risk Management Function shall:

(1) be responsible for overseeing that the bank operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement a bank-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the bank to enable strategic planning and compliance with risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with risk appetite.

(5) enhance the capability of business line managers to identify and assess the risks critically rather than relying on the surveillance conducted by it.

E5. Compliance Function

33J. The Board shall ensure an effective oversight over the bank’s compliance risk.

33K. The Senior Management shall be responsible for effective management of the bank’s compliance risk, including communication of the compliance policy throughout the bank and ensuring that it is observed in letter and spirit. Further, Senior Management shall be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the bank.

33L. A bank shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by inter-alia performing sufficient and representative compliance testing.

33M. The Compliance Function shall:

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the bank and RBI.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or ACB on the effectiveness of compliance policies, controls, and remediation of breaches, to be in a state of compliance and for the improvement in compliance culture.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control/assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

E6. Internal Audit Function

33N. The Board shall ensure an effective internal audit framework, proportionate to the bank’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

33O. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

33P. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

33Q. The Internal Audit Function shall:

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

33R. Banks shall adopt a Risk-based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in the Annex VII.

E7. Approval of / Intimation to the Reserve Bank

33S. A bank shall ensure compliance with the following requirements:

(1) CRO: Any appointment (including interim appointment and re-appointment), premature transfer, removal or exit of the CRO, along with the reasons thereof, shall be reported to the Department of Supervision, Reserve Bank of India, within five working days. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied with the CRO’s profile.

(2) CCO and HIA:

(i) In case of any appointment, re-appointment, interim appointment, premature exit, or change in tenure of the CCO or HIA, prior intimation of at least five working days shall be provided to the Department of Supervision.

(ii) In the case of banks classified as Domestic Systemically Important Banks (DSIBs), prior approval from the Department of Supervision, Reserve Bank shall be obtained for the appointment of the CCO, by submitting the request, duly recommended by the Board / ACB, at least five working days prior to such appointment.

(iii) Such intimation / request for approval shall be accompanied by the candidate’s profile and a confirmation from the competent authority stating that the candidate is fit-and-proper.

(iv) The appointment may be communicated to the candidate by the bank only after the lapse of five working days from the date of receipt, by the Department of Supervision, of the intimation / request for approval, provided no communication to the contrary is received from the Department of Supervision.

(7) Paragraph 59 would stand deleted and instead, the following shall be inserted:

59A. The provisions relating to Risk Management Function, Compliance Function and Internal Audit Function of a PSB, as set out in paragraphs 33A to 33S of these Directions, shall, mutatis mutandis, apply to a PVB.

(8) The following explanation stands inserted under Para 72(i) in Chapter-IV (Foreign Banks):

Explanation: For the purposes of Para 33A to 33S, reference to the Board / Board Committees should be read as reference to the controlling office / head office / local management team / executive team / any other similar body, which has oversight over the branch operations in India. Further, such foreign banks shall be subjected to a ‘comply or explain’ approach which shall allow deviations from the said requirements, subject to submission of a reasonable explanation for prior approval of the Department of Supervision, Reserve Bank of India.

(Scenta Joy)
Chief General Manager

*****

Reserve Bank of India

Reserve Bank of India (Small Finance Banks – Governance) Second Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.HGG.GOV.No.__/xx.xx.xxxx/2026-27

June xx, 2026

Reserve Bank of India (Small Finance Banks – Governance) Second Amendment Directions, 2026

The Reserve Bank has issued Reserve Bank of India (Small Finance Banks – Governance) Directions, 2025 on November 28, 2025.

2. At present, the regulatory instructions with respect to control / assurance functions viz. risk management, compliance and internal audit are contained in various directions / circulars. With a view to strengthening the governance framework for these functions and to ensure greater clarity, consistency and harmonisation in the instructions pertaining to these functions, it has been decided to review and consolidate them under these Directions.

3. Accordingly, in exercise of the powers conferred by Section 35A of the Banking Regulation Act, 1949, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Small Finance Banks – Governance) Second Amendment Directions, 2026.

(2) These Directions shall come into effect from January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Small Finance Banks – Governance) Directions, 2025 in the manner as specified hereinafter.

(1) In Paragraph 5 of ‘Chapter I – Preliminary’ of the Directions, the following definition shall be deleted:

(1) ‘Chairperson’ means the Part-time Chairman of the Board of Directors of a bank.

(2) In Paragraph 5 of ‘Chapter I – Preliminary’ of the Directions, the following definitions shall be inserted:

(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment, as well as the applicable laws, rules and regulations.

(1b) ‘Chairperson’ means the Part-time Chairman of the Board of Directors of a bank.

(2a) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to a bank’s activities and with the internal control systems laid down to comply with the foregoing.

(2b) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(2c) ‘Compliance Function’ means policies, processes, procedures, systems and personnel dedicated for Compliance.

(2d) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(2e) ‘Control Functions’ mean those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.

(4a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of bank’s internal control, risk management and governance systems and processes.

(4b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of the internal audit.

(4c) ‘Internal Controls’ means a set of rules and controls governing a bank’s organisational/ operational structure, including reporting processes and functions.

(8a) ‘Risk Appetite’ means the aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(8b) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations and other measures.

(8c) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(8d) ‘Risk Management Function’ means policies, processes, procedures, systems and personnel dedicated for Risk Management.

(3) The proviso to Paragraph 3 in respect of ‘Appointment of Chief Risk Officer’ in non-scheduled commercial banks shall be deleted.

(4) The sentence “The bank shall also refer to ‘Guidance Note on Management of Credit Risk’.” in Paragraph 40 stands deleted.

(5) Title of Chapter-VII of the Directions, ‘Appointment of Chief Risk Officer’ stands modified to ‘Control Functions: Risk Management, Compliance and Internal Audit’.

(6) Paragraph 47-51 of the Directions stand deleted and instead, the following shall be inserted before Paragraph 52:

A. Control Functions: Risk Management, Compliance and Internal Audit

A1. General

51A. A bank shall establish Risk Management, Compliance and Internal Audit functions, commensurate with its size, complexity and risk / business profile, headed by a Chief Risk Officer (CRO), Chief Compliance Officer (CCO) and Head of Internal Audit (HIA), respectively. Further, in banks which are a part of a group consisting of more than one financial entity, there may be a Group Chief Compliance Officer (GCCO), responsible for group level compliance and coordination.

51B. The bank shall have policies for each of the three control functions, viz., Risk Management, Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. The said policies shall be approved by the Board and reviewed periodically.

51C. The above functions shall:

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CRO/CCO/HIA for specialised tasks without diluting the accountability of the functions.

51D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or RMCB/ACB, as applicable, shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

51E. The Risk Management and the Compliance Functions shall be subject to regular internal audit. Further, banks shall develop and maintain a Quality Assurance and Improvement Program (QAIP) covering all aspects of the Compliance and Internal Audit Functions. Banks shall subject the Risk Management Function as also the QAIP of Compliance and Internal Audit Functions to periodic external review, to benchmark the practices and strengthen the effectiveness of the functions.

A2. Terms of appointment of the CRO / CCO / HIA

51F. The terms of appointment of the CRO / CCO / HIA would be as follows:

(1) Appointing Authority and Rank: A bank shall appoint / designate suitably senior employees, not more than two levels below the MD&CEO, as CRO, CCO and HIA with the approval of the Board.

(2) Knowledge / Experience: CRO, CCO, and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity, and risk profile of the bank.

(3) Age: The age limits for CRO, CCO and HIA to hold office may be prescribed by a bank as part of its internal policy.

(4) Tenure: CRO, CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CRO, CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CRO, CCO or HIA. However, consultants, advisors, part time auditors or individuals who are neither on the rolls of the bank/group entity nor have any contractual employer-employee relationship with the bank/group entity shall not be appointed/designated as CRO, CCO or HIA or Group CCO.

A3. Independence of the CRO, CCO and HIA

51G. CRO, CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CRO, CCO and HIA shall:

(1) functionally report to the Board or the respective Board Committee and administratively report to MD&CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the respective Board Committee at least once in a quarter, without the presence of the Senior Management (including the MD&CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the respective Board Committee to enable them to communicate concerns without any management interference.

(4) have their final performance review carried out by the Board or the respective Board Committee.

A4. Risk Management Function

51H. The Board shall ensure an effective oversight over the bank’s risk management function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the bank’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the bank’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g. sanctioning credit, making investments, etc. The advice of the CRO shall be supported with proper rationale.

(3) The CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights in the proceedings thereof.

(4) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

51I. The Risk Management Function shall:

(1) be responsible for overseeing that the bank operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement a bank-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the bank to enable strategic planning and compliance with risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with risk appetite.

(5) enhance the capability of business line managers to identify and assess the risks critically rather than relying on the surveillance conducted by it.

A5. Compliance Function

51J. The Board shall ensure an effective oversight over the bank’s compliance risk.

51K. The Senior Management shall be responsible for effective management of the bank’s compliance risk, including communication of the compliance policy throughout the bank and ensuring that it is observed in letter and spirit. Further, Senior Management shall be responsible for embedding compliance in the business strategy while ensuring risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the bank.

51L. A bank shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by inter-alia performing sufficient and representative compliance testing.

51M. The Compliance Function shall:

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the bank and RBI.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or ACB on the effectiveness of compliance policies, controls, and remediation of breaches, to be in a state of compliance and for the improvement in compliance culture.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control/assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

A6. Internal Audit Function

51N. The Board shall ensure an effective internal audit framework, proportionate to the bank’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

51O. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

51P. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

51Q. The Internal Audit Function shall:

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

51R. Banks shall adopt a Risk-based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in the Annex VII.

A7. Intimation to the Reserve Bank

51S. A bank shall ensure compliance with the following requirements:

(1) CRO: Any appointment (including interim appointment and re-appointment), premature transfer, removal or exit of the CRO, along with the reasons thereof, shall be reported to the Department of Supervision, Reserve Bank of India, within five working days. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied with the CRO’s profile.

(2) CCO and HIA:

(i) In case of any appointment, re-appointment, interim appointment, premature exit, or change in tenure of the CCO or HIA, prior intimation of at least five working days shall be provided to the Department of Supervision.

(ii) Such intimation shall be accompanied by the candidate’s profile and a confirmation from the competent authority stating that the candidate is fit-and-proper.

(iii) The appointment may be communicated to the candidate by the bank only after the lapse of five working days from the date of receipt of intimation by the Department of Supervision, provided no communication to the contrary is received from the Department of Supervision.

(Scenta Joy)
Chief General Manager

*******

Reserve Bank of India

Reserve Bank of India (Payments Banks – Governance) Second Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.HGG.GOV.No.__/xx.xx.xxxx/2026-27

June xx, 2026

Reserve Bank of India (Payments Banks – Governance) Second Amendment Directions, 2026

The Reserve Bank has issued Reserve Bank of India (Payments Banks – Governance) Directions, 2025 on November 28, 2025.

2. At present, the regulatory instructions with respect to control / assurance functions viz. risk management, compliance and internal audit are contained in various directions / circulars. With a view to strengthening the governance framework for these functions and to ensure greater clarity, consistency and harmonisation in the instructions pertaining to these functions, it has been decided to review and consolidate them under these Directions.

3. Accordingly, in exercise of the powers conferred by Section 35A of the Banking Regulation Act, 1949, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Payments Banks – Governance) Second Amendment Directions, 2026.

(2) These Directions shall come into effect from January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Payments Banks – Governance) Directions, 2025 in the manner as specified hereinafter.

(1) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definition shall be deleted:

(1) ‘Chairperson’ means the Part-time Chairman of the Board of Directors of a bank.

(2) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definitions shall be inserted:

(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment, as well as the applicable laws, rules and regulations.

(1b) ‘Chairperson’ means the Part-time Chairman of the Board of Directors of a bank.

(3a) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to a bank’s activities and with the internal control systems laid down to comply with the foregoing.

(3b) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(3c) ‘Compliance Function’ means policies, processes, procedures, systems and personnel dedicated for Compliance.

(3d) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(3e) ‘Control Functions’ mean those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.

(6a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of bank’s internal control, risk management and governance systems and processes.

(6b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of the internal audit.

(6c) ‘Internal Controls’ means a set of rules and controls governing a bank’s organisational/ operational structure, including reporting processes and functions.

(8a) ‘Risk Appetite’ means the aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(8b) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations and other measures.

(8c) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(8d) ‘Risk Management Function’ means policies, processes, procedures, systems and personnel dedicated for Risk Management.

(3) The proviso to Paragraph 3 in respect of ‘Appointment of Chief Risk Officer’ in non-scheduled Payments Banks shall be deleted.

(4) Paragraphs 29A-29D shall be inserted after the existing Paragraph 29:

C. Risk Management Committee

29A. The Board of the bank shall constitute a Risk Management Committee of the Board (RMCB) with a majority of NEDs.

29B. The Chair of the Board may be a member of the RMCB only if they have the requisite risk management expertise.

29C. The RMCB shall meet at least once in each quarter with a quorum of three members. At least half of the members attending the meeting of the RMCB shall be independent directors of which at least one member shall have professional expertise / qualification in risk management.

29D. Meetings of RMCB shall be chaired by an independent director who shall not be a Chair of the Board or any other committee of the Board.

(5) Title of Chapter-VII of the Directions, ‘Appointment of Chief Risk Officer’, stands modified to ‘Control Functions: Risk Management, Compliance and Internal Audit’.

(6) Paragraphs 30-33 of the Directions stand deleted and instead, the following shall be inserted before Paragraph 34:

Chapter VII – Control Functions: Risk Management, Compliance and Internal Audit

A. General

33A. A bank shall establish Risk Management, Compliance and Internal Audit functions, commensurate with its size, complexity and risk / business profile, headed by a Chief Risk Officer (CRO), Chief Compliance Officer (CCO) and Head of Internal Audit (HIA), respectively. Further, in banks which are a part of a group consisting of more than one financial entity, there may be a Group Chief Compliance Officer (GCCO), responsible for group level compliance and coordination.

33B. The bank shall have policies for each of the three control functions, viz., Risk Management, Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. The said policies shall be approved by the Board and reviewed periodically.

33C. The above functions shall:

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CRO/CCO/HIA for specialised tasks without diluting the accountability of the functions.

33D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or RMCB/ACB, as applicable, shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

33E. The Risk Management and the Compliance Functions shall be subject to regular internal audit. Further, banks shall develop and maintain a Quality Assurance and Improvement Program (QAIP) covering all aspects of the Compliance and Internal Audit Functions. Banks shall subject the Risk Management Function as also the QAIP of Compliance and Internal Audit Functions to periodic external review, to benchmark the practices and strengthen the effectiveness of the functions.

B. Terms of appointment of the CRO / CCO / HIA

33F. The terms of appointment of the CRO / CCO / HIA would be as follows:

(1) Appointing Authority and Rank: A bank shall appoint / designate a suitably senior employee, not more than two levels below the MD&CEO, as CRO, CCO and HIA with the approval of the Board.

(2) Knowledge / Experience: CRO, CCO, and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity, and risk profile of the bank.

(3) Age: The age limits for CRO, CCO and HIA to hold office may be prescribed by a bank as part of its internal policy.

(4) Tenure: CRO, CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CRO, CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CRO, CCO or HIA. However, consultants, advisors, part time auditors or individuals who are neither on the rolls of the bank/group entity nor have any contractual employer-employee relationship with the bank/group entity shall not be appointed/designated as CRO, CCO or HIA or Group CCO.

C. Independence of the CRO, CCO and HIA

33G. CRO, CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CRO, CCO and HIA shall:

(1) functionally report to the Board or the respective Board Committee and administratively report to MD & CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the respective Board Committee at least once in a quarter, without the presence of the Senior Management (including the MD & CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the respective Board Committee to enable them to communicate concerns without any management interference.

(4) have their final performance review carried out by the Board or the respective Board Committee.

D. Risk Management Function

33H. The Board shall ensure an effective oversight over the bank’s risk management function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the bank’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the bank’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g. making investments. The advice of the CRO shall be supported with proper rationale.

(3) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

33I. The Risk Management Function shall:

(1) be responsible for overseeing that the bank operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement a bank-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the bank to enable strategic planning and compliance with risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with risk appetite.

(5) enhance the capability of business line managers to identify and assess the risks critically rather than relying on the surveillance conducted by it.

E. Compliance Function

33J. The Board shall ensure an effective oversight over the bank’s compliance risk.

33K. The Senior Management shall be responsible for effective management of the bank’s compliance risk, including communication of the compliance policy throughout the bank and ensuring that it is observed in letter and spirit. Further, Senior Management shall be responsible for embedding compliance in the business strategy while ensuring risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the bank.

33L. A bank shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by inter-alia performing sufficient and representative compliance testing.

33M. The Compliance Function shall:

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the bank and RBI.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or ACB on the effectiveness of compliance policies, controls, and remediation of breaches, to be in a state of compliance and for the improvement in compliance culture.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control/assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

F. Internal Audit Function

33N. The Board shall ensure an effective internal audit framework, proportionate to the bank’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

33O. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

33P. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

33Q. The Internal Audit Function shall:

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

33R. Banks shall adopt a Risk-based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in the Annex VII.

G. Intimation to the Reserve Bank

33S. A bank shall ensure compliance with the following requirements:

(1) CRO: Any appointment (including interim appointment and re-appointment), premature transfer, removal or exit of the CRO, along with the reasons thereof, shall be reported to the Department of Supervision, Reserve Bank of India, within five working days. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied with the CRO’s profile.

(2) CCO and HIA:

(i) In case of any appointment, re-appointment, interim appointment, premature exit, or change in tenure of the CCO or HIA, prior intimation of at least five working days shall be provided to the Department of Supervision.

(ii) Such intimation shall be accompanied by the candidate’s profile and a confirmation from the competent authority stating that the candidate is fit-and-proper.

(iii) The appointment may be communicated to the candidate only after the lapse of five working days from the date of receipt of intimation by the Department of Supervision, provided no communication to the contrary is received from the Department of Supervision.

(Scenta Joy)
Chief General Manager

******

Reserve Bank of India

Reserve Bank of India (Local Area Banks – Governance) Second Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.HGG.GOV.No.__/xx.xx.xxxx/2026-27

June xx, 2026

The Reserve Bank has issued Reserve Bank of India (Local Area Banks – Governance) Directions, 2025 on November 28, 2025.

2. At present, the regulatory instructions with respect to control / assurance functions like compliance and internal audit are contained in various directions / circulars. With a view to strengthening the governance framework for these functions and to ensure greater clarity, consistency and harmonisation in the instructions pertaining to these functions, it has been decided to review them, and consolidate them under these Directions.

3. Accordingly, in exercise of the powers conferred by Section 35A of the Banking Regulation Act, 1949, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Local Area Banks – Governance) Second Amendment Directions, 2026.

(2) These Directions shall come into effect from January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Local Area Banks – Governance) Directions, 2025 in the manner as specified hereinafter.

(1) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definition shall be deleted:

(1) ‘Chairperson’ means the Part-time Chairman of the Board of Directors of a bank.

(2) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definitions shall be inserted:

(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment, as well as the applicable laws, rules and regulations.

(1b) ‘Chairperson’ means the Part-time Chairman of the Board of Directors of a bank.

(3a) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to a bank’s activities and with the internal control systems laid down to comply with the foregoing.

(3b) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(3c) ‘Compliance Function’ means policies, processes, procedures, systems and personnel dedicated for Compliance.

(3d) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(3e) ‘Control Functions’ mean those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes the Risk Management Function, the Compliance Function and the Internal Audit Function.

(5a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of bank’s internal control, risk management and governance systems and processes.

(5b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of the internal audit.

(5c) ‘Internal Controls’ means a set of rules and controls governing a bank’s organisational/ operational structure, including reporting processes and functions.

(3) A new chapter viz. Chapter-VI(A) on ‘Control Functions: Compliance and Internal Audit’ stands inserted after Chapter (VI), with the following contents:

Chapter-VI(A) Control Functions: Compliance and Internal Audit

A. General

23A. A bank shall establish Compliance and Internal Audit functions, commensurate with its size, complexity and risk / business profile, headed by a Chief Compliance Officer (CCO) and Head of Internal Audit (HIA), respectively.

23B. The bank shall have policies for Compliance and Internal Audit Functions, clearly articulating the objectives, roles and responsibilities of each function. The said policies shall be approved by the Board and reviewed periodically.

23C. The above functions shall:

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest or business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CCO/HIA for specialised tasks without diluting the accountability of the functions.

23D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or ACB, shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

23E. The Compliance Function shall be subject to regular internal audit.

B. Terms of appointment of the CCO / HIA

23F. The terms of appointment of the CCO / HIA would be as follows:

(1) Appointing Authority and Rank: A bank shall appoint / designate suitably senior employees, not more than three levels below the MD&CEO, as CCO and HIA with the approval of the Board.

(2) Knowledge / Experience: CCO and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity, and risk profile of the bank.

(3) Age: The age limits for CCO and HIA to hold office may be prescribed by a bank as part of its internal policy.

(4) Tenure: CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CCO or HIA. However, consultants, advisors, part time auditors or individuals who are neither on the rolls of the bank nor have any contractual employer-employee relationship with the bank shall not be appointed/designated as CCO or HIA.

C. Independence of the CCO and HIA

23G. CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CCO and HIA shall:

(1) functionally report to the Board or ACB and administratively report to MD&CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or ACB at least once in a quarter, without the presence of the Senior Management (including the MD&CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or ACB to enable them to communicate concerns without any management interference.

(4) have their final performance review carried out by the Board or ACB.

D. Compliance Function

23H. The Board shall ensure an effective oversight over the bank’s compliance risk.

23I. The Senior Management shall be responsible for effective management of the bank’s compliance risk, including communication of the compliance policy throughout the bank and ensuring that it is observed in letter and spirit. Further, Senior Management shall be responsible for embedding compliance in the business strategy while ensuring risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the bank.

23J. A bank shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or ACB. The Compliance Function shall monitor and test compliance by inter-alia performing sufficient and representative compliance testing.

23K. The Compliance Function shall:

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the bank and RBI.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or ACB on the effectiveness of compliance policies, controls, and remediation of breaches, to be in a state of compliance and for the improvement in compliance culture.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control / assurance functions such as Internal Audit, while maintaining its independence.

E. Internal Audit Function

23L. The Board shall ensure an effective internal audit framework, proportionate to the bank’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

23M. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

23N. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

23O. The Internal Audit Function shall:

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

(Scenta Joy)
Chief General Manager

*******

Reserve Bank of India

Reserve Bank of India (Regional Rural Banks – Governance) Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.HGG.GOV.No.__/xx.xx.xxxx/2026-27

June xx, 2026

Reserve Bank of India (Regional Rural Banks – Governance) Amendment Directions, 2026

The Reserve Bank has issued Reserve Bank of India (Regional Rural Banks – Governance) Directions, 2025 on November 28, 2025.

2. At present, the regulatory instructions with respect to control / assurance functions viz. risk management, compliance and internal audit are contained in various directions / circulars. With a view to strengthening the governance framework for these functions and to ensure greater clarity, consistency and harmonisation in the instructions pertaining to these functions, it has been decided to review and consolidate them under these Directions.

3. Accordingly, in exercise of the powers conferred by Section 35A of the Banking Regulation Act, 1949, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Regional Rural Banks – Governance) Amendment Directions, 2026.

(2) These Directions shall come into effect from January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Regional Rural Banks – Governance) Directions, 2025 in the manner as specified hereinafter.

(1) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definition shall be deleted:

(1) ‘Chairman’, in relation to an RRB, means the individual appointed or re-appointed under sub-section (1) of section 11 of The Regional Rural Banks Act, 1976, as the Chairman of that bank.

(2) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definitions shall be inserted:

(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment, as well as the applicable laws, rules and regulations.

(1b) ‘Chairman’, in relation to an RRB, means the individual appointed or re-appointed under sub-section (1) of section 11 of The Regional Rural Banks Act, 1976, as the Chairman of that bank.

(2a) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to a bank’s activities and with the internal control systems laid down to comply with the foregoing.

(2b) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(2c) ‘Compliance Function’ means policies, processes, procedures, systems and personnel dedicated for Compliance.

(2d) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(2e) ‘Control Functions’ mean those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.

(3a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of bank’s internal control, risk management and governance systems and processes.

(3b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of the internal audit.

(3c) ‘Internal Controls’ means a set of rules and controls governing a bank’s organisational/ operational structure, including reporting processes and functions.

(3d) ‘Risk Appetite’ means the aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(3e) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations and other measures.

(3f) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(3g) ‘Risk Management Function’ means policies, processes, procedures, systems and personnel dedicated for Risk Management.

(3) ‘Risk Management Committee’ in Chapter IV-B would stand replaced by ‘Risk Management Committee of the Board’.

(4) Paragraph 20 of the Directions stands deleted and instead, the following shall be inserted:

20A. The Board of a bank shall constitute a Risk Management Committee of the Board (RMCB) with a majority of NEDs.

20B. The Chair of the Board may be a member of the RMCB.

20C. The RMCB shall meet at least once in each quarter with a quorum of three members. At least half of the members attending the meeting of the RMCB shall be non-executive directors of which at least one member shall have professional expertise / qualification in risk management.

20D. Meetings of the RMCB shall be chaired by a director who is not an officer of the Central Government / RBI / NABARD and who shall not be a Chair of the Board or any other committee of the Board.

(5) In paragraph 21 to 25, ‘RMC’ would stand replaced by ‘RMCB’.

(6) A new chapter, viz. Chapter V – ‘Control Functions: Risk Management, Compliance and Internal Audit’ shall be inserted after the existing Chapter IV.

(7) The following shall be inserted before Paragraph 27:

Chapter V – Control Functions: Risk Management, Compliance and Internal Audit

A. General

26A. A bank shall establish Risk Management, Compliance and Internal Audit functions, commensurate with its size, complexity and risk / business profile, headed by a Chief Risk Officer (CRO), Chief Compliance Officer (CCO) and Head of Internal Audit (HIA), respectively.

26B. The bank shall have policies for each of the three control functions, viz., Risk Management, Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. The said policies shall be approved by the Board and reviewed periodically.

26C. The above functions shall:

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest or business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CRO/CCO/HIA for specialised tasks without diluting the accountability of the functions.

26D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or RMCB/ACB, as applicable, shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

26E. The Risk Management and the Compliance Functions shall be subject to regular internal audit.

B. Terms of appointment of the CRO / CCO / HIA

26F. The terms of appointment of the CRO / CCO / HIA would be as follows:

(1) Appointing Authority and Rank: A bank shall appoint / designate suitably senior employees, not more than two levels below the Chairman, as CRO, CCO and HIA with the approval of the Board.

(2) Knowledge / Experience: CRO, CCO, and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity, and risk profile of the bank.

(3) Age: The age limits for CRO, CCO and HIA to hold office may be prescribed by a bank as part of its internal policy.

(4) Tenure: CRO, CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CRO, CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CRO, CCO or HIA. However, consultants, advisors, part-time auditors or individuals who are neither on the rolls of the bank nor have any contractual employer-employee relationship with the bank shall not be appointed/designated as CRO, CCO or HIA.

C. Independence of the CRO, CCO and HIA

26G. CRO, CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CRO, CCO and HIA shall:

(1) functionally report to the Board or the respective Board Committee and administratively report to Chairman.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the respective Board Committee at least once in a quarter, without the presence of the Senior Management (including the Chairman). Even otherwise, they shall have direct and unrestricted access to the Board or the respective Board Committee to enable them to communicate concerns without any management interference.

(4) have their final performance review carried out by the Board or the respective Board Committee.

D. Risk Management Function

26H. The Board shall ensure an effective oversight over the bank’s risk management function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the bank’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the bank’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g. sanctioning credit, making investments, etc. The advice of the CRO shall be supported with proper rationale.

(3) The CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights in the proceedings thereof.

(4) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

26I. The Risk Management Function shall:

(1) be responsible for overseeing that the bank operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement a bank-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the bank to enable strategic planning and compliance with risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with risk appetite.

(5) enhance the capability of business line managers to identify and assess the risks critically rather than relying on the surveillance conducted by it.

E. Compliance Function

26J. The Board shall ensure an effective oversight over the bank’s compliance risk.

26K. The Senior Management shall be responsible for effective management of the bank’s compliance risk, including communication of the compliance policy throughout the bank and ensuring that it is observed in letter and spirit. Further, Senior Management shall be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the bank.

26L. A bank shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by, inter alia, performing sufficient and representative compliance testing.

26M. The Compliance Function shall:

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the bank and RBI/NABARD.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or ACB on the effectiveness of compliance policies, controls, and remediation of breaches, to be in a state of compliance and for the improvement in compliance culture.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control/assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

E. Internal Audit Function

26N. The Board must ensure an effective internal audit framework, proportionate to the bank’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

26O. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

26P. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

26Q. The Internal Audit Function shall:

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

26R. Banks shall adopt a Risk-based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in the Annex I.

F. Intimation to NABARD

26S. A bank shall ensure compliance with the following requirements:

(1) CRO: Any appointment (including interim appointment and re-appointment), premature transfer, removal or exit of the CRO, along with the reasons thereof, shall be reported to NABARD, within five working days. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied with the profile of the CRO.

(2) CCO and HIA:

(i) In case of any appointment, re-appointment, interim appointment, premature exit, or change in tenure of the CCO or HIA, prior intimation of at least five working days shall be provided to NABARD.

(ii) Such intimation shall be accompanied by the candidate’s profile and a confirmation from the competent authority stating that the candidate is fit-and-proper.

(iii) The appointment may be communicated to the candidate by the bank only after the lapse of five working days from the date of receipt of intimation by NABARD, provided no communication to the contrary is received from NABARD.

(Scenta Joy)
Chief General Manager

******

Reserve Bank of India

Reserve Bank of India (All India Financial Institutions – Miscellaneous) Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.SOG(SPE).REC.No.__/xx.xx.xxxx/2026-27

June xx, 2026

Reserve Bank of India (All India Financial Institutions – Miscellaneous) Amendment Directions, 2026

The Reserve Bank has issued Reserve Bank of India (All India Financial Institutions – Miscellaneous) Directions, 2025 on November 28, 2025.

2. At present, certain governance requirements applicable to All India Financial Institutions (AIFIs) are part of the respective statutes. Given their unique mandates, AIFIs are exposed to a diverse range of risks emanating from their operations and the sectors they serve. With a view to strengthen the governance framework across AIFIs and to ensure greater clarity and consistency, it has been decided to prescribe certain provisions relating to the three control functions, viz., risk management, compliance and internal audit, including the roles and responsibilities of the heads of these functions.

3. Accordingly, in exercise of the powers conferred by Section 45 L of the Reserve Bank of India Act, 1934, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (All India Financial Institutions – Miscellaneous) Amendment Directions, 2026.

(2) These Directions shall come into effect from January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (All India Financial Institutions – Miscellaneous) Directions, 2025 in the manner as specified hereinafter.

(1) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definition shall be deleted:

(1) ‘Director’ means a director appointed on the Board of an AIFI.

(2) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definitions shall be inserted:

(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment, as well as the applicable laws, rules and regulations.

(1b) ‘Chairperson’ means the Chairman / Chairman and Managing Director/ Part-time Chairman of the Board of Directors of an AIFI.

(1c) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions given by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to an AIFI’s activities and with the internal control systems laid down to comply with the foregoing.

(1d) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(1e) ‘Compliance Function’ means policies, processes, procedures, systems and personnel dedicated for Compliance.

(1f) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an AIFI may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(1g) ‘Control Functions’ mean those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.

(1h) ‘Director’ means a director appointed on the Board of an AIFI.

(1i) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of AIFI’s internal control, risk management and governance systems and processes.

(1j) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of the internal audit.

(1k) ‘Internal Controls’ means a set of rules and controls governing an AIFI’s organisational/ operational structure, including reporting processes and functions.

(1l) ‘Risk Appetite’ means the aggregate level and types of risk an AIFI is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(1m) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations and other measures.

(1n) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(1o) ‘Risk Management Function’ means policies, processes, procedures, systems and personnel dedicated for Risk Management.

(3) After paragraph 10, the following Chapter and paragraphs shall be inserted:

Chapter IIIA – Control Functions: Risk Management, Compliance and Internal Audit

A. General

10A. An AIFI shall establish Risk Management, Compliance and Internal Audit functions, commensurate with its size, complexity and risk / business profile, headed by a Chief Risk Officer (CRO), Chief Compliance Officer (CCO) and Head of Internal Audit (HIA), respectively. In AIFIs which are a part of a group consisting of more than one financial entity, there may be a Group Chief Risk Officer (GCRO) and a Group Chief Compliance Officer (GCCO), responsible for group level risk oversight / compliance and coordination.

10B. The AIFI shall have policies for each of the three control functions, viz., Risk Management, Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. The said policies shall be approved by the Board and reviewed periodically.

10C. The above functions shall:

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CRO/CCO/HIA for specialised tasks without diluting the accountability of the functions.

10D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or RMCB/ACB, as applicable, shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

10E. The Risk Management and the Compliance Functions shall be subject to regular internal audit.

B. Terms of appointment of the CRO / CCO / HIA

10F. The terms of appointment of the CRO / CCO / HIA would be as follows:

(1) Appointing Authority and Rank: An AIFI shall appoint / designate suitably senior employees, not more than two levels below the MD&CEO, as CRO, CCO and HIA with the approval of the Board.

(2) Knowledge / Experience: CRO, CCO, and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity, and risk profile of the AIFI.

(3) Age: The age limits for CRO, CCO and HIA to hold office may be prescribed by an AIFI as part of its internal policy.

(4) Tenure: CRO, CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CRO, CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CRO, CCO or HIA. However, consultants, advisors, part-time auditors or individuals who are neither on the rolls of the AIFI/group entity nor have any contractual employer-employee relationship with the AIFI/group entity shall not be appointed/designated as CRO, CCO or HIA or Group CRO/CCO.

C. Independence of the CRO, CCO and HIA

10G. CRO, CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CRO, CCO and HIA shall:

(1) functionally report to the Board or the respective Board Committee and administratively report to MD & CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the respective Board Committee at least once in a quarter, without the presence of the Senior Management (including the MD & CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the respective Board Committee to enable them to communicate concerns without any management interference.

(4) have their final performance review carried out by the Board or the respective Board Committee.

D. Risk Management Function

10H. The Board shall ensure an effective oversight over the AIFI’s risk management function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the AIFI’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the AIFI’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g. sanctioning credit, making investments, etc. The advice of the CRO shall be supported with proper rationale.

(3) The CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights in the proceedings thereof.

(4) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

10I. The Risk Management Function shall:

(1) be responsible for overseeing that the AIFI operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement an AIFI-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the AIFI to enable strategic planning and compliance with risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with risk appetite.

(5) enhance the capability of business line managers to identify and assess the risks critically rather than relying on the surveillance conducted by it.

E. Compliance Function

10J. The Board shall ensure an effective oversight over the AIFI’s compliance risk.

10K. The Senior Management shall be responsible for effective management of the AIFI’s compliance risk, including communication of the compliance policy throughout the AIFI and ensuring that it is observed in letter and spirit. Further, Senior Management shall be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the AIFI.

10L. An AIFI shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by, inter alia, performing sufficient and representative compliance testing.

10M. The Compliance Function shall:

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the AIFI and RBI.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or ACB on the effectiveness of compliance policies, controls, and remediation of breaches, so that the AIFI remains in a state of compliance and its compliance culture improves.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control/assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

F. Internal Audit Function

10N. The Board shall ensure an effective internal audit framework, proportionate to the AIFI’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

10O. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

10P. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

10Q. The Internal Audit Function shall:

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

10R. AIFIs shall adopt a Risk-based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns, as given in Annex I.

G. Intimation to the Reserve Bank

10S. An AIFI shall ensure compliance with the following requirements:

(1) CRO: Any appointment (including interim appointment and re-appointment), premature transfer, removal or exit of the CRO, along with the reasons thereof, shall be reported to the Department of Supervision, Reserve Bank of India, within five working days. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied by the CRO’s profile.

(2) CCO and HIA:

(i) In case of any appointment, re-appointment, interim appointment, premature exit, or change in tenure of the CCO or HIA, prior intimation of at least five working days shall be provided to the Department of Supervision.

(ii) Such intimation shall be accompanied by the candidate’s profile and a confirmation from the competent authority stating that the candidate is fit-and-proper.

(iii) The appointment may be communicated to the candidate by the AIFI only after the lapse of five working days from the date of receipt of the intimation by the Department of Supervision, provided no communication to the contrary is received from the Department of Supervision.

(Scenta Joy)
Chief General Manager

*******

Reserve Bank of India

Reserve Bank of India (All India Financial Institutions – Miscellaneous) Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.SOG(SPE).REC.No.__/xx.xx.xxxx/2026-27

June xx, 2026

Reserve Bank of India (All India Financial Institutions – Miscellaneous) Amendment Directions, 2026

The Reserve Bank has issued Reserve Bank of India (All India Financial Institutions – Miscellaneous) Directions, 2025 on November 28, 2025.

2. At present, certain governance requirements applicable to All India Financial Institutions (AIFIs) are part of the respective statutes. Given their unique mandates, AIFIs are exposed to a diverse range of risks emanating from their operations and the sectors they serve. With a view to strengthening the governance framework across AIFIs and to ensure greater clarity and consistency, it has been decided to prescribe certain provisions relating to the three control functions, viz., risk management, compliance and internal audit, including the roles and responsibilities of the heads of these functions.

3. Accordingly, in exercise of the powers conferred by Section 45 L of the Reserve Bank of India Act, 1934, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (All India Financial Institutions – Miscellaneous) Amendment Directions, 2026.

(2) These Directions shall come into effect from January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (All India Financial Institutions – Miscellaneous) Directions, 2025 in the manner as specified hereinafter.

(1) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definition shall be deleted:

(1) ‘Director’ means a director appointed on the Board of an AIFI.

(2) In Paragraph 4 of ‘Chapter I – Preliminary’ of the Directions, the following definitions shall be inserted:

(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment, as well as the applicable laws, rules and regulations.

(1b) ‘Chairperson’ means the Chairman / Chairman and Managing Director/ Part-time Chairman of the Board of Directors of an AIFI.

(1c) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions given by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to an AIFI’s activities and with the internal control systems laid down to comply with the foregoing.

(1d) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(1e) ‘Compliance Function’ means policies, processes, procedures, systems and personnel dedicated for Compliance.

(1f) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an AIFI may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(1g) ‘Control Functions’ mean those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.

(1h) ‘Director’ means a director appointed on the Board of an AIFI.

(1i) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of AIFI’s internal control, risk management and governance systems and processes.

(1j) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of the internal audit.

(1k) ‘Internal Controls’ means a set of rules and controls governing an AIFI’s organisational/ operational structure, including reporting processes and functions.

(1l) ‘Risk Appetite’ means the aggregate level and types of risk an AIFI is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(1m) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations and other measures.

(1n) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(1o) ‘Risk Management Function’ means policies, processes, procedures, systems and personnel dedicated for Risk Management.

(3) After paragraph 10, the following Chapter and paragraphs shall be inserted:

Chapter IIIA – Control Functions: Risk Management, Compliance and Internal Audit

A. General

10A. An AIFI shall establish Risk Management, Compliance and Internal Audit functions, commensurate with its size, complexity and risk / business profile, headed by a Chief Risk Officer (CRO), Chief Compliance Officer (CCO) and Head of Internal Audit (HIA), respectively. In AIFIs which are a part of a group consisting of more than one financial entity, there may be a Group Chief Risk Officer (GCRO) and a Group Chief Compliance Officer (GCCO), responsible for group-level risk oversight / compliance and coordination.

10B. The AIFI shall have policies for each of the three control functions, viz., Risk Management, Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. The said policies shall be approved by the Board and reviewed periodically.

10C. The above functions shall:

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CRO/CCO/HIA for specialised tasks without diluting the accountability of the functions.

10D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or RMCB / ACB, as applicable, shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

10E. The Risk Management and the Compliance Functions shall be subject to regular internal audit.

B. Terms of appointment of the CRO / CCO / HIA

10F. The terms of appointment of the CRO / CCO / HIA would be as follows:

(1) Appointing Authority and Rank: An AIFI shall appoint / designate suitably senior employees, not more than two levels below the MD&CEO, as CRO, CCO and HIA with the approval of the Board.

(2) Knowledge / Experience: CRO, CCO, and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity, and risk profile of the AIFI.

(3) Age: The age limits for CRO, CCO and HIA to hold office may be prescribed by an AIFI as part of its internal policy.

(4) Tenure: CRO, CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CRO, CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CRO, CCO or HIA. However, consultants, advisors, part-time auditors or individuals who are neither on the rolls of the AIFI / group entity nor have any contractual employer-employee relationship with the AIFI / group entity shall not be appointed / designated as CRO, CCO or HIA or Group CRO / CCO.

C. Independence of the CRO, CCO and HIA

10G. CRO, CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CRO, CCO and HIA shall:

(1) functionally report to the Board or the respective Board Committee and administratively report to MD & CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the respective Board Committee at least once in a quarter, without the presence of the Senior Management (including the MD & CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the respective Board Committee to enable them to communicate concerns without any management interference.

(4) have their final performance review carried out by the Board or the respective Board Committee.

D. Risk Management Function

10H. The Board shall ensure an effective oversight over the AIFI’s risk management function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the AIFI’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the AIFI’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g. sanctioning credit, making investments, etc. The advice of the CRO shall be supported with proper rationale.

(3) The CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights in the proceedings thereof.

(4) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

10I. The Risk Management Function shall:

(1) be responsible for overseeing that the AIFI operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement an AIFI-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the AIFI to enable strategic planning and compliance with risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with risk appetite.

(5) enhance the capability of business line managers to identify and assess risks critically, rather than relying on the surveillance conducted by the Risk Management Function.

E. Compliance Function

10J. The Board shall ensure an effective oversight over the AIFI’s compliance risk.

10K. The Senior Management shall be responsible for effective management of the AIFI’s compliance risk, including communication of the compliance policy throughout the AIFI and ensuring that it is observed in letter and spirit. Further, Senior Management shall be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the AIFI.

10L. An AIFI shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by, inter alia, performing sufficient and representative compliance testing.

10M. The Compliance Function shall:

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the AIFI and RBI.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or ACB on the effectiveness of compliance policies, controls, and remediation of breaches, so that the AIFI remains in a state of compliance and its compliance culture improves.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control/assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

F. Internal Audit Function

10N. The Board shall ensure an effective internal audit framework, proportionate to the AIFI’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

10O. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

10P. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

10Q. The Internal Audit Function shall:

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

10R. AIFIs shall adopt a Risk-based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns, as given in Annex I.

G. Intimation to the Reserve Bank

10S. An AIFI shall ensure compliance with the following requirements:

(1) CRO: Any appointment (including interim appointment and re-appointment), premature transfer, removal or exit of the CRO, along with the reasons thereof, shall be reported to the Department of Supervision, Reserve Bank of India, within five working days. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied by the CRO’s profile.

(2) CCO and HIA:

(i) In case of any appointment, re-appointment, interim appointment, premature exit, or change in tenure of the CCO or HIA, prior intimation of at least five working days shall be provided to the Department of Supervision.

(ii) Such intimation shall be accompanied by the candidate’s profile and a confirmation from the competent authority stating that the candidate is fit-and-proper.

(iii) The appointment may be communicated to the candidate by the AIFI only after the lapse of five working days from the date of receipt of the intimation by the Department of Supervision, provided no communication to the contrary is received from the Department of Supervision.

(Scenta Joy)
Chief General Manager

*******

Reserve Bank of India

Reserve Bank of India (Urban Co-operative Banks – Governance) Second Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.GOV.REC.No.__/18.10.014/2026-27

June xx, 2026

Reserve Bank of India (Urban Co-operative Banks – Governance) Second Amendment Directions, 2026

The Reserve Bank had issued Reserve Bank of India (Urban Co-operative Banks – Governance) Directions, 2025 on November 28, 2025.

2. At present, the regulatory instructions with respect to control / assurance functions viz. risk management, compliance and internal audit are contained in various directions / circulars. With a view to strengthening the governance framework for these functions and to ensure greater clarity, consistency and harmonisation in the instructions pertaining to these functions, it has been decided to review and consolidate them under these directions.

3. Accordingly, in exercise of the powers conferred by Section 35A read with Section 56 of the Banking Regulation Act, 1949, and all other provisions / laws enabling Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Urban Co-operative Banks – Governance) Second Amendment Directions, 2026.

(2) These Directions shall come into effect on January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Urban Co-operative Banks – Governance) Directions, 2025 (hereinafter called as ‘the said Directions’) in the manner as specified hereinafter.

(i) Sub-paragraph (1) of paragraph 4 of the said Directions shall be deleted.

(ii) Before sub-paragraph (2) of paragraph 4 of the said Directions, the following shall be inserted, namely:

“(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment as well as the applicable laws, rules and regulations.

(1b) ‘Board’ means the Board of Directors or the governing body of a UCB, by whatever name called, to which the direction and control of the management of affairs of the UCB is entrusted.

(1c) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to a UCB’s activities and with the internal control systems laid down to comply with the foregoing.

(1d) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation, ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(1e) ‘Compliance Function’ means policies, processes, procedures, systems, and personnel dedicated for compliance.

(1f) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a UCB may suffer as a result of its failure to comply with laws, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(1g) ‘Control Functions’ means those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.”

(iii) After sub-paragraph (2) of paragraph 4 of the said Directions, the following shall be inserted, namely:

“(2a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of the UCB’s internal control, risk management and governance systems and processes.

(2b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of internal audit.

(2c) ‘Internal Controls’ means a set of rules and controls governing a UCB’s organisational / operational structure, including reporting processes and functions.

(2d) ‘Risk Appetite’ means the aggregate level and types of risk a UCB is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(2e) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations and other measures.

(2f) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(2g) ‘Risk Management Function’ means policies, processes, procedures, systems and personnel dedicated for Risk Management.”

(iv) The title of Chapter-II, viz., “Constitution of Board and Appointment of Directors” shall be modified to “Constitution of Board and Appointment of Directors / Managing Director / Chief Executive Officer”.

(v) After paragraph 8, the following shall be inserted, namely:

“8A. The appointment, reappointment, and termination of appointment of a Managing Director / Chief Executive Officer (MD / CEO) shall, in terms of Section 35B(1)(b) read with Section 56 of the Banking Regulation Act, 1949, require the previous approval of the RBI.

8B. Applications in this regard, along with the requisite documents as indicated on the PRAVAAH portal (https://pravaah.rbi.org.in), shall be submitted to the RBI through the portal, at least four months before the expiry of tenure of the incumbent MD / CEO.”

(vi) In paragraph 16 of the said Directions, for the words, symbols and brackets “Since the primary responsibility of risk management lies with the Board, a UCB with an asset size of ₹5000 crore or above (as on March 31 of the previous year)”, the words, symbols and brackets “A UCB having total assets of ₹5000 crore or above (as per the audited balance sheet as on March 31 of the previous financial year)” shall be substituted.

(vii) After Chapter V of the said Directions, the following new Chapter shall be added, namely:

“Chapter V-A Control Functions: Risk Management, Compliance, and Internal Audit

A. General

17A. A UCB having total assets of ₹5000 crore or above (as per the audited balance sheet as on March 31 of the previous financial year) shall establish Risk Management Function, commensurate with its size, complexity, and risk profile, headed by a Chief Risk Officer (CRO).

17B. Every UCB shall establish Compliance and Internal Audit functions, commensurate with its size, complexity and business profile, headed by a Chief Compliance Officer (CCO) and a Head of Internal Audit (HIA), respectively.

17C. A UCB shall have policies for each of the three control functions, viz. Risk Management, Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. These policies shall be approved by the Board and reviewed periodically.

17D. The above functions shall –

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CRO/CCO/HIA for specialised tasks without diluting the accountability of the functions.

17E. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or RMCB / ACB, as applicable, shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

17F. The Risk Management and the Compliance functions shall be subject to regular internal audit. A Tier 4 UCB shall also subject its Risk Management Function to periodic external review, to benchmark the practices and strengthen the effectiveness of the function.

B. Appointment of CRO, CCO and HIA

17G. A UCB shall adhere to the following terms for appointment of CRO, CCO and HIA:

(1) Appointing authority and rank: A UCB shall appoint / designate suitably senior employees, not more than two levels below the MD / CEO, as CRO, CCO and HIA, with the approval of the Board.

Provided that Tier 1 and Tier 2 UCBs may appoint / designate suitably senior employees as CCO / HIA in accordance with their internal policies.

(2) Knowledge / Experience: CRO, CCO and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity and risk profile of the UCB.

(3) Age: The age limits for CRO, CCO and HIA to hold office shall be prescribed by the UCB as a part of its internal policy.

(4) Tenure: CRO, CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CRO, CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CRO, CCO or HIA. However, consultants, advisors, part-time auditors or individuals who are neither on the rolls of the UCB nor have a contractual employer-employee relationship with the UCB shall not be appointed / designated as CRO, CCO or HIA.

C. Independence of CRO, CCO, and HIA

17H. CRO, CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CRO, CCO and HIA shall –

(1) functionally report to the Board or the respective Board Committee and administratively report to MD / CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the respective Board Committee at least once in a quarter, without the presence of the Senior Management (including the MD / CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the respective Board Committee to enable them to communicate concerns without management interference.

(4) have their final performance review carried out by the Board or the respective Board Committee.

D. Risk Management Function

17I. The Board shall ensure an effective oversight over the UCB’s Risk Management Function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the UCB’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the bank’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g., sanctioning credit, making investments, etc. The advice of the CRO shall be supported with proper rationale.

(3) The CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights in the proceedings thereof.

(4) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

17J. The Risk Management Function shall –

(1) be responsible for overseeing that the UCB operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement a bank-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the UCB to enable strategic planning and compliance with risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with risk appetite.

(5) enhance the capability of business line managers to identify and assess the risks critically rather than relying on the surveillance conducted by it.

E. Compliance Function

17K. The Board shall ensure an effective oversight over the bank’s compliance risk.

17L. The Senior Management shall be responsible for effective management of a UCB’s compliance risk, including communication of the compliance policy throughout the bank and ensuring that it is observed in letter and spirit. Further, Senior Management shall also be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the UCB.

17M. A UCB shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by inter-alia performing sufficient and representative compliance testing.

17N. The Compliance Function shall –

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the bank and the RBI.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or the ACB on the effectiveness of compliance policies, controls, and remediation of breaches, so that the bank remains in a state of compliance and its compliance culture improves.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control / assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

F. Internal Audit Function

17O. The Board shall have an effective internal audit framework, proportionate to the UCB’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

17P. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

17Q. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

17R. The Internal Audit Function shall –

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

17S. A UCB shall adopt Risk-Based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in Annex I-a.

Provided that for a UCB having total assets of less than ₹500 crore (as per the audited balance sheet as on March 31 of the previous financial year), the adoption of the RBIA approach shall be voluntary.

G. Intimation to the Reserve Bank

17T. A UCB shall ensure compliance with the following intimation requirements:

(1) CRO: Any appointment (including interim appointment and re-appointment), premature transfer, removal, exit or change in tenure of the CRO shall be reported to Department of Supervision, RBI, within five working days. Reporting of appointment including interim appointment and re-appointment shall be accompanied with a profile of the CRO.

(2) CCO and HIA: Any appointment (including interim appointment and re-appointment), premature transfer, removal, exit, or change in tenure of CCO or HIA in a Tier 3 or Tier 4 UCB shall be reported to Department of Supervision, RBI at least five working days in advance. Intimation of appointment / interim appointment / re-appointment shall be accompanied with the candidate’s profile and a confirmation from the competent authority that the candidate is fit and proper for the position. The appointment may be communicated to the candidate only after the lapse of five working days from the date of receipt of intimation by the Reserve Bank, provided no communication to the contrary is received from the Reserve Bank.

(viii) Chapter VII (Appointment of Key Officers) of the said Directions shall be deleted.

(Scenta Joy)
Chief General Manager

*******

Reserve Bank of India

Reserve Bank of India (Rural Co-operative Banks – Governance) Second Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.GOV.REC.No.__/18.10.015/2026-27

June xx, 2026

Reserve Bank of India (Rural Co-operative Banks – Governance) Second Amendment Directions, 2026

The Reserve Bank had issued Reserve Bank of India (Rural Co-operative Banks – Governance) Directions, 2025 on November 28, 2025.

2. At present, the regulatory instructions with respect to control / assurance functions viz. risk management, compliance and internal audit are contained in various directions / circulars. With a view to strengthening the governance framework for these functions and to ensure greater clarity, consistency and harmonisation in the instructions pertaining to these functions, it has been decided to review and consolidate them under these directions.

3. Accordingly, in exercise of the powers conferred by Section 35A read with Section 56 of the Banking Regulation Act, 1949, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Rural Co-operative Banks – Governance) Second Amendment Directions, 2026.

(2) These Directions shall come into effect on April 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Rural Co-operative Banks – Governance) Directions, 2025 (hereinafter called as ‘the said Directions’) in the manner as specified hereinafter.

(i) Sub-paragraph (1) of paragraph 4 of the said Directions shall be deleted.

(ii) Before sub-paragraph (2) of paragraph 4 of the said Directions, the following shall be inserted, namely:

“(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment as well as the applicable laws, rules and regulations.

(1b) ‘Board’ means the Board of Directors or the governing body of an RCB, by whatever name called, to which the direction and control of the management of affairs of the RCB is entrusted.

(1c) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank / NABARD, self-regulatory organisation standards, codes of conduct applicable to an RCB’s activities and with the internal control systems laid down to comply with the foregoing.

(1d) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation, ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(1e) ‘Compliance Function’ means policies, processes, procedures, systems, and personnel dedicated for compliance.

(1f) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an RCB may suffer as a result of its failure to comply with laws, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(1g) ‘Control Functions’ means those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.”

(iii) After sub-paragraph (2) of paragraph 4 of the said Directions, the following shall be inserted, namely:

“(2a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of the RCB’s internal control, risk management and governance systems and processes.

(2b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of internal audit.

(2c) ‘Internal Controls’ means a set of rules and controls governing an RCB’s organisational / operational structure, including reporting processes and functions.

(2d) ‘Risk Appetite’ means the aggregate level and types of risk an RCB is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(2e) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations and other measures.

(2f) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(2g) ‘Risk Management Function’ means policies, processes, procedures, systems, and personnel dedicated for Risk Management.”

(iv) In paragraph 9 of the said Directions, for the words, symbols and brackets “Applications in this regard shall be submitted to RBI through the PRAVAAH portal (https://pravaah.rbi.org.in)”, the words, symbols and brackets “Applications in this regard, along with the requisite documents as indicated on the PRAVAAH portal (https://pravaah.rbi.org.in), shall be submitted to the RBI through the portal, at least four months before the expiry of tenure of the incumbent MD / CEO” shall be substituted.

(v) In paragraph 18 of the said Directions, in place of the word “Annex”, the word “Annex I” shall be substituted.

(vi) In paragraph 28 of the said Directions, after the words “an RCB”, the words and brackets “having total assets of ₹5000 crore or above (as per the audited balance sheet as on March 31 of the previous financial year)” shall be inserted.

(vii) After Chapter V of the said Directions, the following new Chapter shall be added, namely:

“Chapter V-A: Control Functions: Risk Management, Compliance and Internal Audit

A. General

31A. An RCB having total assets of ₹5000 crore or above (as per the audited balance sheet as on March 31 of the previous financial year) shall establish Risk Management Function, commensurate with its size, complexity, and risk profile, headed by a Chief Risk Officer (CRO).

31B. Every RCB shall establish Compliance and Internal Audit functions, commensurate with its size, complexity and business profile, headed by a Chief Compliance Officer (CCO) and a Head of Internal Audit (HIA), respectively.

31C. An RCB shall have policies for each of the three control functions, viz. Risk Management, Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. These policies shall be approved by the Board and reviewed periodically.

31D. The above functions shall –

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CRO/CCO/HIA for specialised tasks without diluting the accountability of the functions.

31E. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or RMCB / ACB, as applicable, shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

31F. The Risk Management and the Compliance functions shall be subject to regular internal audit. An RCB having total assets of ₹10,000 crores or above shall also subject its Risk Management Function to periodic external review, to benchmark the practices and strengthen the effectiveness of the function.

B. Appointment of CRO, CCO and HIA

31G. An RCB shall adhere to the following terms for appointment of CRO, CCO and HIA:

(1) Appointing authority and rank: An RCB shall appoint / designate suitably senior employees, not more than two levels below the MD / CEO, as CRO, CCO and HIA, with the approval of the Board.

Provided that in case of an RCB having total deposits less than ₹1000 crores (as per the audited balance sheet as on March 31 of the previous financial year), the position of CCO / HIA may be up to three levels below the MD / CEO.

(2) Knowledge / Experience: CRO, CCO and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity and risk profile of the RCB.

(3) Age: The age limits for CRO, CCO and HIA to hold office shall be prescribed by the RCB as a part of its internal policy.

(4) Tenure: CRO, CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CRO, CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CRO, CCO or HIA. However, consultants, advisors, part time auditors or individuals who are neither on the rolls of the RCB nor have a contractual employer-employee relationship with the RCB shall not be appointed / designated as CRO, CCO or HIA.

C. Independence of CRO, CCO, and HIA

31H. CRO, CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CRO, CCO and HIA shall –

(1) functionally report to the Board or the respective Board Committee and administratively report to MD / CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the respective Board Committee at least once in a quarter, without the presence of the Senior Management (including the MD / CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the respective Board Committee to enable them to communicate concerns without management interference.

(4) have their final performance review carried out by the Board or the respective Board Committee.

D. Risk Management Function

31I. The Board shall ensure an effective oversight over the RCB’s Risk Management Function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the RCB’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the bank’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g., sanctioning credit, making investments, etc. The advice of the CRO shall be supported with proper rationale.

(3) The CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights in the proceedings thereof.

(4) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

31J. The Risk Management Function shall –

(1) be responsible for overseeing that the RCB operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement a bank-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the RCB to enable strategic planning and compliance with the risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with the risk appetite.

(5) enhance the capability of business line managers to identify and assess the risks critically rather than relying on the surveillance conducted by it.

E. Compliance Function

31K. The Board shall ensure an effective oversight over the bank’s compliance risk.

31L. The Senior Management shall be responsible for effective management of an RCB’s compliance risk, including communication of the compliance policy throughout the bank and ensuring that it is observed in letter and spirit. Further, Senior Management shall also be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the RCB.

31M. An RCB shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by inter-alia performing sufficient and representative compliance testing.

31N. The Compliance Function shall –

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the RCB and the RBI / NABARD.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or the ACB on the effectiveness of compliance policies, controls, and remediation of breaches, so that the RCB remains in a state of compliance and its compliance culture improves.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control / assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

F. Internal Audit Function

31O. The Board shall have an effective internal audit framework, proportionate to the RCB’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

31P. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

31Q. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

31R. The Internal Audit Function shall –

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

31S. An RCB shall adopt Risk-Based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in Annex I-A.

Provided that for an RCB having total assets of less than ₹1000 crore (as per the audited balance sheet as on March 31 of the previous financial year), the adoption of the RBIA approach shall be voluntary.

G. Intimation to National Bank for Agriculture and Rural Development (NABARD)

31T. An RCB shall ensure compliance with the following reporting requirements:

(1) CRO: Any appointment (including interim appointment and re-appointment), premature transfer, removal, exit or change in tenure of the CRO shall be reported to NABARD within five working days. Reporting of appointment including interim appointment and re-appointment shall be accompanied with a profile of the CRO.

(2) CCO and HIA: Any appointment (including interim appointment and re-appointment), premature transfer, removal, exit, or change in tenure of CCO or HIA in an RCB having total assets of ₹1000 crore or above shall be reported to NABARD at least five working days in advance. Intimation of appointment / interim appointment / re-appointment shall be accompanied with the candidate’s profile and a confirmation from the competent authority that the candidate is fit and proper for the position. The appointment may be communicated to the candidate only after the lapse of five working days from the date of receipt of intimation by NABARD, provided no communication to the contrary is received from NABARD.”

(viii) The Annex in the said Directions shall be renamed as “Annex I”.

(Scenta Joy)
Chief General Manager

*******

Reserve Bank of India

Reserve Bank of India (Non-Banking Financial Companies – Governance) Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.GOV.REC.No.__/18.10.013/2026-27

June xx, 2026

Reserve Bank of India (Non-Banking Financial Companies – Governance) Amendment Directions, 2026

The Reserve Bank had issued Reserve Bank of India (Non-Banking Financial Companies – Governance) Directions, 2025 on November 28, 2025.

2. At present, the regulatory instructions with respect to control / assurance functions viz. risk management, compliance and internal audit are contained in various directions / circulars. With a view to strengthening the governance framework for these functions and to ensure greater clarity, consistency and harmonisation in the instructions pertaining to these functions, it has been decided to review and consolidate them under these directions.

3. Accordingly, in exercise of the powers conferred by Sections 45JA and 45L of the Reserve Bank of India Act, 1934, Section 30A of the National Housing Bank Act, 1987, Section 6 of the Factoring Regulation Act, 2011, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Non-Banking Financial Companies – Governance) Amendment Directions, 2026.

(2) These Directions shall come into effect on January 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Non-Banking Financial Companies – Governance) Directions, 2025 (hereinafter called as ‘the said Directions’) in the manner as specified hereinafter.

(i) In sub-paragraph (3) of paragraph 3 of the said Directions, for the words and figures “7 to 15”, the words and figures “7 to 11, 12 to 15” shall be substituted.

(ii) In sub-paragraph (4) of paragraph 3 of the said Directions, for the words and figures “7(2), 7(3), 8, 9, 16 to 18, 25 to 39, and 41 to 43”, the words and figures “7(3), 8, 11A to 11Q, 16 to 18A, 26 to 39, 41, 42, and 43” shall be substituted.

(iii) In sub-paragraph (5) of paragraph 3 of the said Directions, for the words and figures “7 to 9, 12 to 18, 25 to 40”, the words and figures “7, 8, 11A to 11Q, 18A and 26 to 40” shall be substituted.

(iv) In sub-paragraph (7) of paragraph 3 of the said Directions, after the words and figures “8 to 13”, the words and figures “, and 18A” shall be inserted.

(v) In the Note to sub-paragraph (7) of paragraph 3 of the said Directions, for the words and figures “12 and 13”, the words and figures “12, 13 and 18A” shall be substituted.

(vi) Sub-paragraph (1) of paragraph 5 of the said Directions shall be deleted.

(vii) Before sub-paragraph (2) of paragraph 5 of the said Directions, the following shall be inserted, namely:

“(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment as well as the applicable laws, rules and regulations.

(1b) ‘Clawback’ means a contractual agreement between the employee and the regulated entity in which the employee agrees to return previously paid or vested remuneration to the entity under certain circumstances.”

(viii) After sub-paragraph (2) of paragraph 5 of the said Directions, the following shall be inserted, namely:

“(2a) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank / National Housing Bank (NHB), self-regulatory organisation standards, codes of conduct applicable to an NBFC’s activities and with the internal control systems laid down to comply with the foregoing.

(2b) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation, ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(2c) ‘Compliance Function’ means policies, processes, procedures, systems, and personnel dedicated for compliance.

(2d) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an NBFC may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(2e) “Control Functions” means those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.”

(ix) After sub-paragraph (4) of paragraph 5 of the said Directions, the following shall be inserted, namely:

“(4a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of an NBFC’s internal control, risk management and governance systems and processes.

(4b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of internal audit.

(4c) ‘Internal Controls’ means a set of rules and controls governing an NBFC’s organisational / operational structure, including reporting processes and functions.”

(x) After sub-paragraph (8) of paragraph 5 of the said Directions, the following shall be inserted, namely:

“(8a) ‘Risk Appetite’ means the aggregate level and types of risk an NBFC is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.

(8b) ‘Risk Limits’ means specific quantitative measures or limits that allocate the aggregate risk appetite across business functions, legal entities, specific risk categories, concentrations, and other measures.

(8c) ‘Risk Management’ means the processes established to ensure that all risks and associated risk concentrations are identified, measured, analysed, managed, mitigated, monitored and reported on a timely as well as comprehensive basis.

(8d) ‘Risk Management Function’ means policies, processes, procedures, systems, and personnel dedicated for Risk Management.”

(xi) Sub-paragraph (2) of paragraph 7, and paragraph 9 (along with the heading ‘B. Risk Management Committee’) of the said Directions shall be deleted.

(xii) After paragraph 11 of the said Directions, the following shall be inserted, namely:

“D. Control Functions: Compliance and Internal Audit

D.1 General

11A. An NBFC shall establish Compliance and Internal Audit functions, commensurate with its size, complexity and business profile, headed by a Chief Compliance Officer (CCO) and a Head of Internal Audit (HIA), respectively.

11B. An NBFC shall have policies for each of the control functions, including Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. These policies shall be approved by the Board and reviewed periodically.

11C. The above functions shall –

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CCO/HIA for specialised tasks without diluting the accountability of the functions.

11D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board / ACB shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

11E. The Compliance Function shall be subject to regular internal audit.

D.2 Appointment of CCO and HIA

11F. An NBFC shall adhere to the following terms for appointment of CCO and HIA:

(1) Appointing authority and rank: An NBFC shall appoint / designate suitably senior employees, not more than two levels below the MD & CEO, as CCO and HIA, with the approval of the Board.

Provided that in case of an SPD, the position of CCO / HIA may be up to three levels below the MD & CEO.

Provided further that an NBFC-BL may appoint / designate suitably senior employees as CCO / HIA in accordance with its internal policies.

(2) Knowledge / Experience: CCO and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity and risk profile of the NBFC.

(3) Age: The age limits for CCO and HIA to hold office shall be prescribed by the NBFC as a part of its internal policy.

(4) Tenure: CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CCO or HIA. However, consultants, advisors, part time auditors or individuals who are neither on the rolls of the NBFC nor have a contractual employer-employee relationship with the NBFC shall not be appointed / designated as CCO or HIA.

D.3 Independence of CCO and HIA

11G. CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CCO and HIA shall –

(1) functionally report to the Board or the ACB and administratively report to MD & CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the ACB at least once in a quarter, without the presence of the Senior Management (including the MD / CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the ACB to enable them to communicate concerns without management interference.

(4) have their final performance review carried out by the Board or the ACB.

D.4 Compliance Function

11H. The Board shall ensure effective oversight of the NBFC’s compliance risk.

11I. The Senior Management shall be responsible for effective management of an NBFC’s compliance risk, including communication of the compliance policy throughout the NBFC and ensuring that it is observed in letter and spirit. Further, Senior Management shall also be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the NBFC.

11J. An NBFC shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by, inter alia, performing sufficient and representative compliance testing.

11K. The Compliance Function shall –

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the NBFC and the RBI / NHB, as applicable.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or the ACB on the effectiveness of compliance policies, controls, and remediation of breaches, so as to be in a state of compliance and for the improvement in compliance culture.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control / assurance functions such as Risk Management and Internal Audit, while maintaining its independence.

D.5 Internal Audit Function

11L. The Board shall have an effective internal audit framework, proportionate to the NBFC’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

11M. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

11N. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

11O. The Internal Audit Function shall –

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

11P. An NBFC shall adopt Risk-Based Internal Audit (RBIA) approach, focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in Annex I-A.

Provided that for an NBFC – BL, the adoption of the RBIA approach shall be voluntary.

D.6 Intimation to the RBI / NHB

11Q. Any appointment (including interim appointment and re-appointment), premature transfer, removal, exit, or change in tenure of CCO or HIA in an NBFC-ML and above shall be reported to Department of Supervision, RBI (NHB in case of HFCs), at least five working days in advance. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied with the candidate’s profile and a confirmation from the competent authority stating that the candidate is fit and proper for the position. The appointment may be communicated to the candidate only after the lapse of five working days from the date of receipt of intimation by the Reserve Bank / NHB, provided no communication to the contrary is received from the Reserve Bank / NHB.”

(xiii) After paragraph 18 of the said Directions, the following shall be inserted, namely:

“18A. Risk Management Committee

(1) An NBFC having total assets of ₹5000 crore or above (as on March 31 of the previous financial year) shall constitute a Risk Management Committee of the Board (RMCB). The RMCB shall be responsible for evaluating the overall risks faced by the NBFC including liquidity risk and shall report to the Board.

E. Control Function: Risk Management

E.1 General

18B. An NBFC having total assets of ₹5000 crore or above (as on March 31 of the previous financial year) shall establish a Risk Management Function, commensurate with its size, complexity, and risk profile, headed by a Chief Risk Officer (CRO).

18C. The NBFC shall have a Risk Management Policy, clearly articulating the objectives, roles and responsibilities of the Risk Management Function. The policy shall be approved by the Board and reviewed periodically.

18D. The provisions of paragraphs 11C and 11D shall apply mutatis mutandis to Risk Management Function.

18E. The Risk Management Function shall be subject to regular internal audit.

E.2 Appointment of CRO

18F. Subject to the provisions of paragraph 18A, the provisions of paragraph 11F shall apply mutatis mutandis to the appointment of CRO.

E.3 Independence of CRO

18G. The provisions of paragraph 11G shall apply mutatis mutandis to independence of CRO.

E.4 Risk Management Function

18H. The Board shall ensure effective oversight of the NBFC’s Risk Management Function. The Board / RMCB shall clearly define the role and responsibilities of the CRO, subject to the following:

(1) The CRO shall be primarily responsible for overseeing the development and implementation of the NBFC’s Risk Management Function. This shall include enhancements to risk management systems, policies, processes, quantitative models, reports, etc. to ensure that the NBFC’s risk management capabilities are effective, to fully support its strategic objectives and risk-taking activities.

(2) The CRO shall be an adviser to the authority to whom powers have been delegated to assume risk, e.g., sanctioning credit, making investments, etc. The advice of the CRO shall be supported with proper rationale.

(3) The CRO shall be an invitee to the meetings of the credit sanction / approval committee, without any voting rights in the proceedings thereof.

(4) Assumption of any risk / exposure, contrary to the advice of the CRO, without incorporating adequate risk mitigation measures, shall rest with the next higher authority in the delegation matrix, except where the risk assuming authority is the Board. All such cases shall be reported to the Board / RMCB.

18I. The Risk Management Function shall –

(1) be responsible for overseeing that the NBFC operates within its risk appetite and for assessing risks and related issues, independent of the business lines.

(2) implement an NBFC-wide risk strategy aligned with the Board-approved risk appetite, including clear risk limits and structured allocation of risk parameters to business units and risk takers.

(3) ensure robust information infrastructure to support accurate capital and liquidity assessments, granular risk monitoring at business-unit levels, and consolidated reporting across the NBFC to enable strategic planning and compliance with risk tolerance thresholds.

(4) continuously evaluate risk exposures against defined limits, challenge decisions proposed / taken by the business functions and promptly escalate critical issues to senior management and the Board / RMCB, ensuring timely adjustments to maintain alignment with risk appetite.

(5) enhance the capability of business line managers to identify and assess the risks critically rather than relying on the surveillance conducted by it.

E.5 Intimation to the RBI / NHB

18J. Any appointment (including interim appointment and re-appointment), premature transfer, removal, exit or change in tenure of the CRO shall be reported to Department of Supervision, RBI (NHB in case of HFCs), within five working days. Intimation of appointment (including interim appointment and re-appointment) shall be accompanied with the candidate’s profile.”

(xiv) Paragraphs 19 to 25 of the said Directions (along with the headings ‘D. Appointment of Chief Risk Officer’ and ‘E. Appointment of Chief Compliance Officer’) shall be deleted.

(xv) After paragraph 41 of the said Directions, the following shall be added, namely:

“41A. An NBFC-UL shall subject its Risk Management Function to periodic external review, to benchmark the practices and strengthen the effectiveness of the function.”

(Scenta Joy)
Chief General Manager

*******

Reserve Bank of India

Reserve Bank of India (Credit Information Companies) Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.GOV.REC.No.__/18.10.016/2026-27

June xx, 2026

Reserve Bank of India (Credit Information Companies) Amendment Directions, 2026

The Reserve Bank had issued Reserve Bank of India (Credit Information Companies) Directions, 2025 on November 28, 2025.

2. In line with the Reserve Bank’s ongoing efforts to strengthen governance framework of regulated entities and align it with the evolving best practices, it has been decided to issue directions related to Compliance Function and Internal Audit Function for Credit Information Companies (CICs).

3. Accordingly, in exercise of the powers conferred by Section 11 of the Credit Information Companies (Regulation) Act, 2005, and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Credit Information Companies) Amendment Directions, 2026.

(2) These Directions shall come into effect on April 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Credit Information Companies) Directions, 2025 (hereinafter called as ‘the said directions’) in the manner as specified hereinafter.

(i) Sub-paragraph (1) of paragraph 4 of the said directions shall be deleted.

(ii) Before sub-paragraph (2) of paragraph 4 of the said directions, the following shall be inserted, namely:

“(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board or its committees on the compliance of business functions with the internal control environment as well as the applicable laws, rules and regulations.

(1b) ‘Company’ means a company defined under section 3 of the Companies Act, 1956 or corresponding section under the Companies Act, 2013.

(1c) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to a CIC’s activities and with the internal control systems laid down to comply with the foregoing.

(1d) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(1e) ‘Compliance Function’ means policies, processes, procedures, systems, and personnel dedicated for compliance.

(1f) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a CIC may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(1g) ‘Control Functions’ means those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function (if any), Compliance Function and Internal Audit Function.”

(iii) After sub-paragraph (3) of paragraph 4 of the said directions, the following shall be inserted, namely:

“(3a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of the CIC’s internal control, risk management and governance systems and processes.

(3b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of the internal audit.

(3c) ‘Internal Controls’ means a set of rules and controls governing a CIC’s organisational / operational structure, including reporting processes and functions.”

(iv) After chapter VI, the following new chapter VI-A shall be added, namely:

“Chapter VI-A Compliance and Internal Audit Functions

A. General

36A. A CIC shall establish Compliance and Internal Audit Functions, commensurate with its size, complexity and business profile, headed by a Chief Compliance Officer (CCO) and a Head of Internal Audit (HIA), respectively.

36B. A CIC shall have policies for each of the control functions, viz. Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. These policies shall be approved by the Board and reviewed periodically.

36C. The above functions shall –

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CCO / HIA for specialised tasks without diluting the accountability of the functions.

36D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board or the ACB shall review the control functions on an ongoing basis to ensure their continued relevance and effectiveness.

36E. The Compliance Function shall be subject to regular internal audit.

B. Appointment of CCO and HIA

36F. A CIC shall adhere to the following terms for appointment of CCO and HIA:

(1) Appointing authority and rank: A CIC shall appoint / designate suitably senior employees, not more than three levels below the MD & CEO, as CCO and HIA, with the approval of the Board.

(2) Knowledge / Experience: CCO and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity and risk profile of the CIC.

(3) Age: The age limits for CCO and HIA to hold office shall be prescribed by the CIC as a part of its internal policy.

(4) Tenure: CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CCO or HIA. However, consultants, advisors, part time auditors or individuals who are neither on the rolls of the CIC nor have a contractual employer-employee relationship with it shall not be appointed / designated as CCO or HIA.

C. Independence of CCO and HIA

36G. CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CCO and HIA shall –

(1) functionally report to the Board or the ACB and administratively report to MD & CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or the ACB at least once in a quarter, without the presence of the Senior Management (including the MD & CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or the ACB to enable them to communicate concerns without management interference.

(4) have their final performance review carried out by the Board or the ACB.

D. Compliance Function

36H. The Board shall ensure effective oversight of the CIC’s compliance risk.

36I. The Senior Management shall be responsible for effective management of a CIC’s compliance risk, including communication of the compliance policy throughout the CIC and ensuring that it is observed in letter and spirit. Further, Senior Management shall also be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the CIC.

36J. A CIC shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or the ACB. The Compliance Function shall monitor and test compliance by, inter alia, performing sufficient and representative compliance testing.

36K. The Compliance Function shall –

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the CIC and the RBI.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or the ACB on the effectiveness of compliance policies, controls, and remediation of breaches, so as to be in a state of compliance and for the improvement in compliance culture.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control / assurance functions such as Risk Management (if any) and Internal Audit, while maintaining its independence.

E. Internal Audit Function

36L. The Board shall have an effective internal audit framework, proportionate to the CIC’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

36M. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

36N. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

36O. The Internal Audit Function shall –

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

36P. A CIC may voluntarily adopt Risk-Based Internal Audit (RBIA) approach focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in Annex VII-A.

F. Intimation to the Reserve Bank

36Q. Any appointment (including interim appointment and re-appointment), premature transfer, removal, exit, or change in tenure of CCO or HIA shall be reported to Department of Supervision, RBI within five working days. Reporting of appointment including interim appointment and re-appointment shall be accompanied with a profile of the CCO / HIA.”

(Scenta Joy)
Chief General Manager

*******

Reserve Bank of India

Reserve Bank of India (Asset Reconstruction Companies) Second Amendment Directions, 2026

RBI/DOR/2026-27/__
DOR.GOV.REC.No.__/18.10.006/2026-27

June xx, 2026

Reserve Bank of India (Asset Reconstruction Companies) Second Amendment Directions, 2026

The Reserve Bank had issued Reserve Bank of India (Asset Reconstruction Companies) Directions, 2025 on November 28, 2025.

2. In line with the Reserve Bank’s ongoing efforts to strengthen governance framework of regulated entities and align it with the evolving best practices, it has been decided to issue directions related to Compliance Function and Internal Audit Function for Asset Reconstruction Companies (ARCs).

3. Accordingly, in exercise of the powers conferred by Sections 3, 9, 10, 12 and 12A of the Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002 (54 of 2002), and all other provisions / laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.

(1) These Directions shall be called the Reserve Bank of India (Asset Reconstruction Companies) Second Amendment Directions, 2026.

(2) These Directions shall come into effect on April 1, 2027.

(3) These Directions shall modify the Reserve Bank of India (Asset Reconstruction Companies) Directions, 2025 (hereinafter called as ‘the said Directions’) in the manner as specified hereinafter.

(i) After sub-paragraph (1) of paragraph 4 of the said Directions, the following shall be inserted, namely:

“(1a) ‘Assurance’ means those activities which provide independent confirmation and confidence to the Board of Directors or its committees on the compliance of business functions with the internal control environment, as well as the applicable laws, rules and regulations.”

(ii) After sub-paragraph (3) of paragraph 4 of the said Directions, the following shall be inserted, namely:

“(3a) ‘Compliance’ means the state of being in accordance with the applicable laws, regulations, rules, directions issued by the Reserve Bank, self-regulatory organisation standards, codes of conduct applicable to an ARC’s activities and with the internal control systems laid down to comply with the foregoing.

(3b) ‘Compliance Culture’ means the set of values, attitudes, and behaviours that are promoted and demonstrated throughout the organisation, ensuring that adherence to laws, regulations, internal standards, and ethical norms is routinely prioritised and embedded throughout the organisation’s operations and decision-making.

(3c) ‘Compliance Function’ means policies, processes, procedures, systems, and personnel dedicated for compliance.

(3d) ‘Compliance Risk’ means the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an ARC may suffer as a result of its failure to comply with laws of the land, regulations, rules, directions given by Reserve Bank, related self-regulatory organization standards, and codes of conduct applicable to its activities.

(3e) ‘Control Functions’ means those functions that have a responsibility independent from business functions to provide objective assessment, reporting and/or assurance. This includes Risk Management Function, Compliance Function and Internal Audit Function.”

(iii) After sub-paragraph (7) of paragraph 4 of the said Directions, the following shall be inserted, namely:

“(7a) ‘Internal Audit Function’ means an activity that provides independent assurance to the Board or its committees on the quality and effectiveness of an ARC’s internal control, risk management and governance systems and processes.

(7b) ‘Internal Audit Plan’ means the document that defines the scope, coverage, areas, frequency, etc. of internal audit.

(7c) ‘Internal Controls’ means a set of rules and controls governing an ARC’s organisational / operational structure, including reporting processes and functions.”

(iv) After paragraph 131 of the said Directions, the following shall be inserted, namely:

“D. Control Functions: Compliance and Internal Audit

D.1 General

131A. An ARC shall establish Compliance and Internal Audit Functions, commensurate with its size, complexity and business profile, headed by a Chief Compliance Officer (CCO) and a Head of Internal Audit (HIA), respectively.

131B. An ARC shall have policies for each of the control functions, viz. Compliance and Internal Audit, clearly articulating the objectives, roles and responsibilities of each function. These policies shall be approved by the Board and reviewed periodically.

131C. The above functions shall –

(1) have the necessary authority and autonomy to discharge their responsibilities effectively.

(2) be independent of the business lines, free from conflicts of interest and business targets. Accordingly, they shall neither be involved in revenue generation nor have the remuneration of their staff linked to the business area being overseen.

(3) have unrestricted access to all business areas and records.

(4) not be outsourced, being core activities. However, external experts may be engaged under the oversight of CCO / HIA for specialised tasks without diluting the accountability of the functions.

131D. As part of the overall corporate governance framework, the Board is responsible for overseeing the control functions. The Board must set the ‘tone at the top’ and ensure that these functions are adequately resourced and maintain their independence. Further, the Board / ACB shall review control functions on an ongoing basis to ensure their continued relevance and effectiveness.

131E. The Compliance Function shall be subject to regular internal audit.

D.2 Appointment of CCO and HIA

131F. An ARC shall adhere to the following terms for appointment of CCO and HIA:

(1) Appointing authority and rank: An ARC shall appoint / designate suitably senior employees, not more than three levels below the MD & CEO, as CCO and HIA, with the approval of the Board.

(2) Knowledge / Experience: CCO and HIA shall possess adequate domain knowledge and relevant experience in the respective fields, commensurate with the size, complexity and risk profile of the ARC.

(3) Age: The age limits for CCO and HIA to hold office shall be prescribed by the ARC as a part of its internal policy.

(4) Tenure: CCO and HIA shall ordinarily be appointed for a fixed tenure of not less than three years.

(5) Premature transfer / removal: Any transfer or removal of CCO and HIA prior to the completion of the stipulated tenure shall be subject to the approval of the Board.

(6) External Hiring: If considered necessary, suitably experienced and competent external candidates may be hired as CCO or HIA. However, consultants, advisors, part time auditors or individuals who are neither on the rolls of the ARC nor have a contractual employer-employee relationship with the ARC shall not be appointed / designated as CCO or HIA.

D.3 Independence of CCO and HIA

131G. CCO and HIA shall function with independence, objectivity and free from conflict of interest. In particular, CCO and HIA shall –

(1) functionally report to the Board or ACB and administratively report to MD & CEO.

(2) not be assigned business targets or have their remuneration linked to the performance of any business line.

(3) meet the Board or ACB at least once in a quarter, without the presence of the Senior Management (including the MD / CEO / WTD). Even otherwise, they shall have direct and unrestricted access to the Board or ACB to enable them to communicate concerns without management interference.

(4) have their final performance review carried out by the Board or ACB.

D.4 Compliance Function

131H. The Board shall ensure effective oversight of the ARC’s compliance risk.

131I. The Senior Management shall be responsible for effective management of an ARC’s compliance risk, including communication of the compliance policy throughout the ARC and ensuring that it is observed in letter and spirit. Further, Senior Management shall also be responsible for embedding compliance in the business strategy while ensuring that risks of non-compliance are identified and mitigated, and for promoting compliance culture. Reviews and reporting should be regular and meaningful, with frequency based on the risk profile of the ARC.

131J. An ARC shall maintain a compliance programme supported by an annual compliance risk assessment placed before the Board or ACB, as applicable. The Compliance Function shall monitor and test compliance by, inter alia, performing sufficient and representative compliance testing.

131K. The Compliance Function shall –

(1) ensure adherence to statutory and regulatory requirements, fair customer treatment, and sound market conduct. The CCO shall be the nodal point of contact between the ARC and the RBI.

(2) proactively identify, assess, and manage compliance risks, and provide independent assurance to the Board or ACB on the effectiveness of compliance policies, controls, and remediation of breaches, so as to be in a state of compliance and for the improvement in compliance culture.

(3) vet internal policies and communications, act as a reference point for regulatory interpretation, and coordinate with other control / assurance functions such as Risk Management and Internal Audit, as applicable, while maintaining its independence.

D.5 Internal Audit Function

131L. The Board shall have an effective internal audit framework, proportionate to the ARC’s risk profile with adequate resources and independence. Staff posted to the Internal Audit Function should ordinarily have a tenure of at least three years.

131M. The Senior Management shall be responsible for ensuring effectiveness of the Internal Audit Function. It must facilitate the independence of audit, provide full access and act promptly on audit findings. The Senior Management shall ensure that internal auditors have sufficient knowledge and training appropriate to the entity’s risks.

131N. The Internal Audit Function shall provide independent evaluation of governance, risk management, compliance, internal controls, business lines, support functions, outsourced activities, etc., ensuring assurance across the entire organisation. All significant activities shall be audited over a defined cycle (ordinarily not exceeding three years), with high-risk areas reviewed more frequently.

131O. The Internal Audit Function shall –

(1) follow systematic methodologies aligned with professional standards, using tools such as data analytics, thematic reviews, and automated monitoring, with proper documentation.

(2) coordinate with risk management, compliance, and external auditors while retaining independent judgment, ensuring clear distinction of responsibilities.

131P. An ARC may voluntarily adopt Risk-Based Internal Audit (RBIA) approach focusing on areas of higher risk, materiality, systemic relevance, and supervisory concerns as given in Annex V-A.

D.6 Intimation to the Reserve Bank

131Q. Any appointment (including re-appointment and interim appointment), premature transfer, removal, exit, or change in tenure of CCO or HIA in an ARC shall be reported to Department of Supervision, RBI within five working days. Reporting of appointment including interim appointment and re-appointment shall be accompanied with a profile of the CCO / HIA.”

(v) Paragraph 155 of the said Directions (along with the heading “A. Internal Audit”) shall be deleted.

(Scenta Joy)
Chief General Manager
