Compliance Machinery in Banks-II: The Working and the Challenges
From Basel Committee to RBI
The Basel Committee on Banking Supervision's document of April 2005 focused on, among other things, the compliance system in banks as a defence against certain risks. It defined compliance risk as "the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its banking activities." Globally, banks were advised to initiate measures to strengthen the internal compliance system.
As a sequel to this, the Reserve Bank of India (RBI) started laying stress on a standardised compliance system in Indian banks. It was to be part of corporate governance. Its April 2007 circular lays down the function of the compliance division and the role of the chief compliance officer (CCO) as under:
The Compliance Function has to ensure strict observance of all statutory provisions contained in various legislations such as the Banking Regulation Act, Reserve Bank of India Act, Foreign Exchange Management Act, Prevention of Money Laundering Act, etc. as well as to ensure observance of other regulatory guidelines issued from time to time; standards and codes prescribed by BCSBI, IBA, FEDAI, FIMMDA, etc; and also each bank's internal policies and fair practices code. Compliance laws, rules and standards generally cover matters such as observing proper standards of market conduct, managing conflicts of interest, treating customers fairly, and ensuring the suitability of customer advice. They typically include specific areas such as the prevention of money laundering and terrorist financing, and may extend to tax laws that are relevant to the structuring of banking products or customer advice.
The formal machinery for compliance in banks was introduced after the 2007 RBI circular. 
Working of the Compliance System
The guidelines given in the said circular are very instructive. These contain, among others, certain protocols to be observed by the banks to enhance the effectiveness of the system. The following deserve special attention:
Every bank was mandated to set up a full-fledged compliance division. The division would report to the CEO (chief executive officer) without fear or favour. To ensure this, the CCO will have direct access to the bank’s BoD (board of directors) and the audit committee of the BoD (ACB). According to RBI, the CCO is the key person in charge of the compliance division of the bank. 
The division will submit an annual report to the BoD/ACB, apart from a monthly report to the CEO. The bank is also required to conduct an annual compliance risk assessment for the bank as a whole. The guidelines require the compliance division to report to the BoD/ACB or a committee of the board instances of all material compliance failures which may attract significant risk of legal or regulatory sanctions, financial loss or loss of reputation (emphasis supplied).
According to RBI, the CCO is the nodal point of contact between the bank and the regulator. Regardless of how the compliance function is organised within a bank, it should be independent and sufficiently resourced, its responsibilities should be clearly specified and its activities should be subject to periodic and independent review (RBI circular of 20 April 2007).
The compliance division is also subject to audit by the internal audit department to evaluate if it has worked according to the RBI’s mandate.
With experience, the system was refined from time to time. By September 2020, the status of the CCO was upgraded to that of the general manager and, since then, outsiders could be recruited for the job subject to the RBI guidelines (RBI circular of September 2020).
The Experience of 15 Years: All Is Not Well
The compliance system has been in place now for over 15 years. Yet, several reports that are in the public domain confirm that there is much to be desired in making it really meaningful. If the mandate of RBI were followed in its letter and spirit, the instances of non-compliance with guidelines would not have taken place. Some banks could not have become habitual offenders. Although the amount of penalty is a fleabite for the banks, the failure to comply exposes the banks to greater risk.
A few incidents reported in RBI’s recent press releases imposing penalties are instructive.
A PSB (public sector bank) sanctioned a term loan to a company without undertaking due diligence on the viability and bankability of the projects; according to RBI findings, there was a risk of revenue streams being inadequate to meet the debt service obligations. If the risk materialised, the loan could become NPA (non-performing asset).
A bank opened many savings bank accounts in the name of ineligible entities. Maybe they were opened for purposes other than legitimate banking. 
A bank did not pay interest on its daily deposit scheme which was closed prematurely before its duration of 24 months; it charged for SMS alerts not on an actual usage basis but at a flat rate; it failed to preserve the records regarding the identity and address of the customers; it also failed to restrain its recovery agents from using strong-arm tactics against delinquent borrowers—acts like these affect the trust the banking public have in the banks. When trust is affected, the bank suffers a reputational risk.
In one bank, credit facilities were sanctioned to parties with whom the decision-making person was connected. The decision, on the face of it, entailed a conflict of interest which could make the bank vulnerable to loan losses.  
When a bank fails to report a fraud within the stipulated time, or fails to classify a transaction as fraudulent, there are wider ramifications. The person involved might tamper with the records; he may commit a similar fraud elsewhere; the law enforcement agencies might not be able to bring him to justice. There is both reputational and financial risk to the bank.
Current Shortcomings and the Risks
The purposes of a standardised compliance machinery are laudable. An effective compliance system could safeguard the bank against several risks in its operations. 
The reality, however, gives a different picture. The frequency of penalties imposed on banks of diverse stables and the similarities of the irregularities that attracted the regulator’s scrutiny are indications that the compliance system is yet to percolate down to the REs (regulated entities). 
It is plain that the banks flout important guidelines of the statutory regulators. Such violations could expose them to more serious fallout: criminal liability for being accomplices in money laundering; a loan becoming irrecoverable when the borrower’s projected income generation is bloated, resulting in little disposable income to repay the loan; and customers becoming alienated due to customer-unfriendly actions, which will affect the bank’s reputation.
In recent years, the share of NPAs has been coming down; but the additions to NPAs have not abated. On record, these additions are taken care of by adequate provisions from the earnings, thereby making inroads into their profits. This situation in the long run can erode the sustaining capacity of banks.
The Practical Problems
In principle, the CCO is an independent authority; in reality, can he rise above the compulsions of subordinate-boss dynamics? He reports to the CEO and the BoD. But, as the BoD does not have the knowledge of the day-to-day working of the bank, it will have to act as per the briefing by the CEO. Unless the CEO allows the CCO to operate independently without fear or disfavor, the CCO will think twice before he puts his findings in black and white.
The CCO can also be overwhelmed by the combined force of the top management and may be persuaded to dilute his findings to shield certain senior officials involved in malfeasance. 
Further, the CCO generally goes by the certification provided by the field-level executives heading specific operational areas. Once the executive concerned vouchsafes the compliance, the CCO has only to collate all the information. 
The team attached to the CCO generally does not have adequate domain expertise to evaluate doubtful transactions warranting deeper scrutiny. As it is, that team is lent by the management without any rigorous selection procedure to assess their expertise and suitability.
There is also an overlap between the internal audit and compliance functions. Audit is basically meant to evaluate whether the operations and the day-to-day functioning of the bank are in conformity with the extant guidelines, both internal and statutory. It is undertaken comprehensively by officials with hands-on experience in the operations. If there are serious failures, the audit department has to give its findings to the top management for corrective action and fixing accountability. The compliance division, too, looks at the extent to which the bank has complied with the guidelines and regulations. Such scrutiny is, however, based on information received. The differences are in the depth of scrutiny and in the reporting system.
Suggested Measures
Two possible measures that could be thought of are listed below:
a. Strengthening the bank’s compliance team with domain experts
b. Creating grassroots awareness of the need to comply with the institution’s system and guidelines.
One caveat will be in order: For over 30 years, the PSBs have had outsiders posted as CVOs. The selection and posting are done by the Central Vigilance Commission, generally from among eligible bank officials. They have a fixed tenure and report directly to the bank CEO and the BoD. Has this made a perceptible transformation and promoted a vigilance culture in the banks? It is a tricky question to answer.
The challenges relating to meaningful and effective compliance have to be fought on a long-term basis by imbibing a culture of compliance right from the grassroots. Until that is achieved, the compliance function will continue to be ineffectual in meeting its lofty goals.
(TR Bhat is former general secretary of All India Bank Officers' Confederation (AIBOC) and former officer of Corporation Bank)
