RBI: Role of Chief Compliance Officer (CCO) – Discussion on compliance function in banks

Reserve Bank of India, vide its communication dated September 11, 2020, informed that in order to have an effective compliance culture, an independent corporate compliance function, and a strong compliance risk management program at the bank and group level, an independent compliance function is required to be headed by a designated Chief Compliance Officer (CCO), selected through a suitable process with appropriate ‘fit and proper’ evaluation/selection criteria, to manage compliance risk effectively.

The details of eligibility, age, qualification and the functioning of the compliance officer are given at the following web page:

The basic intention of this article is to convey the information given by RBI about the chief compliance officer: a new senior-level appointment of a complicated nature with enormous responsibility, set against the quicksands of banking frauds, increasing NPAs, and, as the experts call it, a lack of talent at various levels of Indian banks undergoing transformation.

Let me give the basic details of the chief compliance officer and then have a complete discussion on the compliance function in banks, which is absent in Indian banks today.

  • The CCO shall be appointed for a minimum fixed tenure of not less than 3 years. The Audit Committee of the Board (ACB) / Managing Director (MD) & CEO should factor this requirement while appointing CCO.

Eligibility criteria:

  • Rank – The CCO shall be a senior executive of the bank, preferably in the rank of a General Manager or an equivalent position (not below two levels from the CEO). The CCO could also be recruited from the market;
  • Age – Not more than 55 years;
  • Experience – She/He shall have an overall experience of at least 15 years in the banking or financial services, out of which a minimum of 5 years shall be in the Audit / Finance / Compliance / Legal / Risk Management functions;
  • Skills – The CCO shall have a good understanding of industry and risk management, knowledge of regulations, legal framework, and sensitivity to supervisors’ expectations;
  • Stature – The CCO shall have the ability to independently exercise judgment. He should have the freedom and sufficient authority to interact with regulators/supervisors directly and ensure compliance;
  • Others – No vigilance case or adverse observation from RBI shall be pending against the candidate identified for appointment as the CCO;
  • Selection Process – Selection of the candidate for the post of the CCO shall be done on the basis of a well-defined selection process and recommendations made by the senior executive level selection committee constituted by the Board for the purpose.

What about reporting requirements? Will he/she be allowed to function independently, the purpose for which the recruitment is being done?

I am not surprised that prior intimation will be sent to RBI about this recruitment. However, how is the reporting line set up for this senior-level officer?

Reporting Line – The CCO shall have direct reporting lines to the MD & CEO and/or Board/Board Committee (ACB) of the bank. In case the CCO reports to the MD & CEO, the Audit Committee of the Board shall meet the CCO quarterly on a one-to-one basis, without the presence of the senior management, including the MD & CEO.

The CCO shall not have any reporting relationship with the business verticals of the bank and shall not be given any business targets. Further, the performance appraisal of the CCO shall be reviewed by the Board/ACB.

As per normal management policies, the compliance function shall have the authority to communicate with any staff member and have access to all records or files that are necessary to enable him/her to carry out the entrusted responsibilities in respect of compliance issues. This authority should flow from the compliance policy of the bank. This policy ensures that the officer will have free rein in discharging his function.

I do not meddle with the duties and responsibilities of the above officer beyond reproducing them from the said communication.

The duties and responsibilities of the compliance function – These shall include at least the following activities:

i. To appraise the Board and senior management on regulations, rules, and standards, and any further developments.

ii. To provide clarification on any compliance-related issues.

iii. To conduct an assessment of the compliance risk (at least once a year) and to develop a risk-oriented activity plan for compliance assessment. The activity plan should be submitted to the ACB for approval and be made available to the internal audit.

iv. To report promptly to the Board / ACB / MD & CEO about any major changes/observations relating to the compliance risk.

v. To periodically report on compliance failures/breaches to the Board/ACB and circulate them to the concerned functional heads.

vi. To monitor and periodically test compliance by performing sufficient and representative compliance testing. The results of the compliance testing should be placed to Board/ACB/MD & CEO.

vii. To examine the sustenance of compliance as an integral part of compliance testing and annual compliance assessment exercise.

viii. To ensure compliance with supervisory observations made by RBI and/or any other directions, in both letter and spirit, in a time-bound and sustainable manner.

Let me add some more information before we indulge in serious discussions about the appointment of this senior officer and what has been the experience of the banking industry in the compliance function.

Internal Audit – The compliance function shall be subject to internal audit;

Dual Hatting – There shall not be any ‘dual hatting’ i.e. the CCO shall not be given any responsibility which brings elements of conflict of interest, especially the role relating to business. Roles which do not attract direct conflict of interest like the role of anti-money laundering officer etc. can be performed by the CCO in those banks where the principle of proportionality in terms of bank’s size, complexity, risk management strategy, and structures justify that;

The CCO shall not be a member of any committee which brings his/her role into conflict with responsibility as a member of the committee, including any committee dealing with purchases/sanctions. In case the CCO is a member of a committee, he/she may have only an advisory role;

Typical core elements of the mandate of CCO must include the design and maintenance of compliance framework, training on the regulatory and conduct risks, and effective communication of compliance expectations, etc.;

The bank’s Board of Directors shall be overall responsible for overseeing the effective management of the bank’s compliance function and compliance risk. The MD & CEO shall ensure the presence of an independent compliance function and adherence to the compliance policy of the bank.

Discussion on compliance in banks

RBI vide its communication dated April 20, 2007, introduced the concept of compliance function as part of the internal governance of a bank.

The Compliance Function has to ensure strict observance of all statutory provisions contained in various legislations such as the Banking Regulation Act, Reserve Bank of India Act, Foreign Exchange Management Act, Prevention of Money Laundering Act, etc. as well as to ensure observance of other regulatory guidelines issued from time to time; standards and codes prescribed by BCSBI, IBA, FEDAI, FIMMDA, etc.; and also each bank’s internal policies and fair practices code.

Compliance laws, rules, and standards generally cover matters such as observing proper standards of market conduct, managing conflicts of interest, treating customers fairly, and ensuring the suitability of customer advice.

They also include specific areas like the prevention of money laundering and terrorist financing and may extend to tax laws that are applicable to banking products or customer advice.

Is there a compliance risk also?

This has been defined by RBI in its communication issued in April 2005.

RBI defines Compliance risk as “the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities” (together, “compliance laws, rules, and standards”).

With the creation of bigger banks as a panacea for all banking issues in India, the compliance function for the whole organization may require a relook. It is obvious that many banks, before amalgamation, failed to observe the general compliance function and failed to generate the required profits for the banks concerned.

Let us look at its practical utility and submission of reports to all its stakeholders.

Let me raise certain questions which will explain anyone’s apprehension.

  • Almost all applicable laws have been mentioned as guidance for the CCO to ensure follow-up at banks. Does it mean that the law department, the foreign exchange department, or other vital departments will not bother to adhere to them? I presume the CCO will work as a coordination officer with enormous powers to enforce his directions.
  • RBI has a phobia of insisting on the rank of an officer, like General Manager, rather than a professional degree like Chartered Accountant, Company Secretary, or Certified Management Accountant, or even an advocate. Technically, many high school graduates became GMs during my tenure in banks. General Manager does not mean an expert, particularly one able to enforce a plethora of laws, almost all applicable rules and regulations, etc. RBI may have to show an accommodating stature in this regard. Its insistence on an expert must be the standard rather than the exception.
  • Though RBI always talks of the huge tasks on any senior management, will the management of many private sector/public sector banks explain how huge frauds, risk management failures extending even to the closure of banks, or highly inefficient functioning requiring huge sums of capital/funds to be injected into banks for their survival, came about?
  • The top management of all banks should be appointed with merit as the only criterion rather than a survivor attitude.
  • Will the auditors clearly specify in their audit reports when the banks failed in their compliance functions, how the new concept of CCO helped to discover the discrepancy in the system, and whether the issues were solved?
  • If the CMDs of the banks are themselves involved in many scandals, will the new CCO or the audit committee have the liberty to write to the government, as part of the whistleblower policies of the banks, to support their survival?

The following guidelines issued by RBI in 2007 never had any effect on big banks, and huge frauds continue to pour in. However, let the individual banks evolve their own compliance risk assessments and develop plans to mitigate them through their CCO or his/her department, to be managed by professionals.

“The Chief Compliance Officer should be the nodal point of contact between the bank and the regulator. Regardless of how the compliance function is organized within a bank, it should be independent and sufficiently resourced, its responsibilities should be clearly specified and its activities should be subject to periodic and independent review.

Apart from the basic qualifications, the compliance staff should preferably have a fair knowledge of the law, accountancy, and information technology and also adequate practical experience in various business lines and audit/inspection functions to enable them to carry out their duties effectively. In order to keep the compliance staff up-to-date with developments in the areas of banking laws, rules and standards, regular and systematic education and training in new products and services introduced in the banking industry as well as in the areas of corporate governance, risk management, supervisory practices, etc. may be considered.”

Let RBI, being the harbinger of good corporate governance policies, supervise the introduction of these policies and emphatically inform us when these banks fail to follow these principles, along with details of action initiated against the top management or the Board.

Disclaimer: The views in this article are my own vision of banks and do not represent those of any bank or of RBI. Anyone can refer to the RBI website for clear instructions on banking.

Author Bio

Qualification: Post Graduate
Company: subramanian natarajan cpa firm
Location: NEW DELHI, Delhi, India
Member Since: 09 May 2017 | Total Posts: 170
A banker with 27 years of experience, a CPA from the USA with specialization in US taxation (individual, partnership, S corporation or LLC taxation, etc.).