The Heads of Assurance functions in Banks should adopt a ‘regulation-plus’ approach, whereby compliance must go beyond mere adherence to regulatory requirements, said Swaminathan J, Deputy Governor, RBI.

Further, Compliance Officers should also give due attention to the Risk Assessment Report (RAR) observations and Risk Mitigation Plans (RMP). 

The assurance functions at banks are manned by Chief Compliance Officers, Chief Risk Officers, and Heads of Internal Audit. They are responsible for safeguarding financial integrity and promoting regulatory compliance.

The compliance function in a bank is an integral part of corporate governance, as it can affect the bank’s reputation with its shareholders, customers, employees and the markets, according to BIS.

“The Compliance function is at the forefront of ensuring the integrity of banking operations. I would urge you to adopt a ‘regulation-plus’ approach, where the institution not only meets but exceeds regulatory expectations.

“…Compliance officers must endeavour to ensure that products, processes, and outcomes fully comply not only with the letter of the law or regulation, but also the spirit and intent,” Swaminathan said.

This approach ensures not only regulatory compliance but also the cultivation of a culture that prioritizes ethical conduct and sound business practices.

The Deputy Governor emphasised that as custodians of financial stability, the heads of assurance functions must be acutely alert to the risks emanating from both familiar and unforeseen sources.

“Risks may be inherent in the business model such as over-concentration to a particular sector or sources of funding. They could also arise due to inadequate oversight over operations, more so in vulnerable areas like outsourcing.

“The growing use of technology and the pervasive digitalisation of finance bring forth new challenges, notably in the form of cyber-security risks. Then there is also the ever-growing threat of climate risks,” said Swaminathan.

In this milieu, assurance functions, acting as the extended arms of (RBI’s) supervision, are crucial in identifying, escalating, and facilitating the proactive management of risks and preventing them from ballooning into a crisis, he added.

Supervisory action

To ensure sustained compliance with RAR, Swaminathan said it is important to address the root cause of the observations.

Further, there should be no compromise on the agreed timelines for RMP, and the bank should ensure that all RMP and RAR observations are comprehensively addressed well before the start of the next inspection cycle.

“Pending compliance paragraphs is not a desirable situation and may be a reflection of the lack of due attention by the management as well as the Board. Such instances can also invite stern supervisory action,” he warned.

The Deputy Governor said risk management should ensure that the strategic business and capital plans are properly aligned with the risk appetite of the bank. 

Highlighting the importance of meticulous monitoring of risk limits, the Deputy Governor said frequent breaches in risk limits, coupled with their non-ratification or their routine ratification, pose substantial dangers to the stability and integrity of financial institutions that extend beyond the immediate financial implications.

“If breaches become normalized or overlooked, employees may perceive risk limits as mere guidelines rather than non-negotiable boundaries, thereby compromising the institution’s overall risk awareness.

“Therefore, it is imperative to address breaches systematically, conduct thorough investigations, and implement corrective measures to fortify the risk management practices,” he said.

As regards internal audit, the central bank has very often come across deficiencies in the scoping, coverage, and periodicity as well as issues in independence of the internal audit function.

“Proper scoping, periodicity, and independence in risk-based internal audit are essential components of a robust governance and risk management framework,” Swaminathan said.