Compliance Function in Banks: Back to the basics (Inaugural address by Dr. K. C. Chakrabarty, Deputy Governor, Reserve Bank of India at the launch of certificate programmes on Compliance Function and Training on July 12, 2013 in Mumbai)

Mr. S.N. Ananthasubramanian, President, Institute of Company Secretaries of India (ICSI);Mr. Allen Pereira, Director, National Institute of Bank Management (NIBM); Dr. R. Bhaskaran, Chief Executive Officer, Indian Institute of Banking & Finance (IIBF); Mr. S.S. Mundra, CMD, Bank of Baroda; Mr. M.V. Tanksale, CMD, Central Bank of India; other dignitaries, ladies and gentlemen. I am pleased to be amidst you today on the occasion of launch of two new certificate courses by the IIBF viz., Certified Banking Compliance Professional course jointly with the ICSI and Certified Bank Trainer course jointly with NIBM. Human resource management and compliance are two of the major support functions in banks and hence, the courses being launched today are of vital importance for augmenting the skill sets of the bank employees in the respective areas. I am particularly happy to be present here today as the launch of the course on compliance is a sort of a dream come true, a dream which I had shared with the Dr. Bhaskaran when I was the CMD at Punjab National Bank.

2. As you know, all the three institutions involved in evolving the two courses being launched today can boast of an outstanding pedigree. While ICSI is the professional body responsible for developing and regulating the profession of Company Secretaries in India, IIBF has been continuously supporting the cause of development of professionally qualified and competent bankers and finance professionals since its establishment in 1928. NIBM is an autonomous institution established by Reserve Bank of India with a mandate to play a proactive role as a “think-tank” in the banking system. It is, indeed, commendable that these institutions of excellence have decided to collaborate and leverage their respective strengths to jointly offer programmes/ courses to meet the needs of the banking industry and I congratulate all the three institutions on this initiative.

3. I observe that these courses have two distinct components - An examination followed by short class room learning. I also understand that IIBF has developed reading material for these certificate programmes, which should provide useful inputs for the candidates. The Certified Bank Trainer course comprises of two papers – Human Resource Management and Training. As we all know, the Indian banking system today stands at the cusp of an explosive growth. This growth has to be essentially supported by a matching supply of suitably trained manpower. It is in this context that training of the banking personnel assumes great significance. With the evolution of new age banking, even the trainers have to be adequately equipped to deal with new technology and evolving policies. This course attempts to hone the skills of the faculty to enable them to be more effective as trainers. I observe that the Certified Banking Compliance Professional course also comprises of two papers- Risk, Regulation & Governance and Compliance in Banks. After going through the structure of both the courses, I am happy to note that they are very well conceptualized and will assist in strengthening the two crucial functions in banks i.e. training and compliance.

4. Though we all agree that both issues hold equal importance for banks, my observation is that Human Resources Management is a more glamorous subject and people are more interested in discussing it. It is precisely for this reason that, today, I have chosen to speak on the other topic – Compliance, which is considered a rather drab and uninteresting topic and is restricted to cursory Board Room discussions. I intend to share my perspectives on the significance of the compliance function in banks and its evolution in the Indian context. During my talk today, I would also delve on the need for banks to follow the basic compliance principles in order to overcome the challenges posed by the ever-growing complexities of modern day banking.

What does Compliance mean?

5. Before I head into the subject proper, it would be appropriate to understand the import, impact and intent of the term “compliance”. The Merriam-Webster Dictionary defines “compliance” as “(a) the act or process of complying with a desire, demand, proposal, regimen or coercion, (b) conformity in fulfilling official requirements.” In banking parlance, compliance alludes to adherence to a set of laws, regulations, rules, practices, related Self-Regulatory Organization (SRO) standards, and codes of conduct applicable to the various banking activities. To my mind, banking compliance can be broadly segregated in three parts-

a) Internal compliance, including SRO standards

b) Regulatory Compliance

c) Legal Compliance.

The internal compliance means adherence to the internal policies formulated by the Board based on which an internal governance framework would have been laid down. Thus, internal compliance would be applicable to all employees of the bank. The regulatory and legal compliance, on the other hand, is applicable to the bank as a whole- the institution itself would be responsible for ensuring adherence to the extant regulatory instructions and above all, for abiding by the laws of the land, both in letter and spirit.

Why compliance function in banks is important?

6. Let me now turn to the significance of the compliance function in banks. We all agree that laws, customs and codes are meant to bring in a semblance of order and uniformity in conduct of the various stakeholders. Compliance to these ensures orderliness and reduces overall systemic vulnerability. For this, it is imperative that the regulated entities are willing to commit themselves to the laws of the land and comply with the regulations, including self regulations. In securing compliance, regulators have adopted different strategies ranging from codification of laws, rules and regulations (prescriptive), to periodical meetings with the subjects (review mechanism). If, however, one or more of the regulated entities are observed to be non-compliant with the regulations, the supervisory authorities might need to resort to coercive techniques to ensure conformity with the regulations. Thus, fundamentally, whether forced or voluntary, compliance is an essential pre-condition for ensuring order and preventing chaos in systems.

7. Compliance is a theme that pervades all spheres of banking functions. Bankers deal with complicated legal, regulatory and supervisory issues all the time, transcending various spheres of banking operations. It is in this context that a dedicated framework for overseeing the implementation of directions/guidelines issued by the regulator/supervisor is required in the banks. The objective of the compliance function is to minimize the deviations; or when they actually do occur, to ensure that there is a process to promptly respond to and redress the anomalies.

A Few Posers …

8. The overall responsibility for ensuring compliance is with the Banks’ Top Managements although the compliance responsibilities are spread across various functional lines and business locations. I would like to ask a few basic questions here – how does the Top Management satisfy itself that all rules and regulations are being complied with? Is it declaration based? What I mean is whether under your internal procedure, the branch manager merely confirms to the Regional Manager/Zonal Manager that all functions are being performed as per the prescribed rigor; the Regional Manager/ Zonal Manager accepts the same and, in turn, makes a similar declaration to the Head Office, which, ultimately, certifies the same to the Compliance department? Are such declarations taken on face value or is there an internal system of checking the actual veracity of that declaration. In other words, is the compliance process action-based and not merely declaration-based?

9. Reserve Bank of India has issued comprehensive guidelines requiring banks, among others, to develop function-wise compliance manuals. I would like to know how many banks have developed comprehensive compliance manuals and whether an internal process has been instituted to ensure that the manuals are duly adhered to by the business lines.

10. Another issue that I would like to highlight is that of the rank of the compliance officer. I wonder how a less than sufficiently enabled lower level official of the rank of DGM/AGM can effectively interact with GMs, EDs or CMDs to implement or enforce compliance. RBI guidelines on “fit and proper” criteria, which are borne out of the need to establish high standards of corporate governance, categorically mandate that only a senior executive should be appointed as the compliance officer by banks.

11. Let me pose another question here: do banks consider compliance as a cost centre or a revenue generating channel? Answer to that is very obvious. Compliance is treated as a cost and the business verticals consider it more of an impediment than a necessity. I would like to emphasize here that compliance with the prescribed standards, codes, rules and regulations improves the Corporate Governance in banks. The role of the compliance function is to ensure that the rules/ regulations are appropriately incorporated in bank’s internal processes and that each functionary, right from the top to the bottom, appreciates the value of compliance. It is important for the senior executives as well as the line functionaries to realize that compliance failures may lead to serious implications for them, for the business as well as for the system as a whole. In a sense, the need for compliance can, effectively, be equated to the frictional force which, though impedes the progress a bit, is still necessary for movement. Compliance works more as a lubricant which oils the business machinery and keeps it going.

Is compliance a recent phenomenon?

12. Compliance activity has been in existence ever since the first regulation or law was enacted. After all, you cannot have a law/ regulation without an attendant requirement to comply with it. The compliance activity, in earlier times, was integrated with other systems and processes within the banks; however, with banking becoming more complex, the compliance has evolved as an independent function in banks. Let me briefly recount how the compliance function in banks has evolved in the recent history. Reserve Bank of India introduced a system of “Compliance Officer” in banks way back in August 1992, based on the recommendations of the Committee on Frauds and Malpractices in Banks (Ghosh Committee). The role of compliance officers came into sharper focus since 1995 when the General Manager in charge of Audit and Inspection was made responsible for the compliance functions with a requirement for periodic reporting or certification on compliance functions directly to the CMD. However, it was gradually recognized that the circumference of compliance functions in banks needed to be not only enlarged, but very clearly defined, especially in a scenario where successive Annual Financial Inspection Reports prepared by the banking supervisor highlighted a bevy of compliance deficiencies. RBI’s recognition of the need and importance of compliance functions received a further impetus after Basel Committee on Banking Supervision (BCBS) issued the High Level Paper on Compliance Risk and the Compliance Function in Banks in April 2005. These principles formed the basic groundwork for our own work on issuing rigors for compliance functions in banks, in the year 2007.

What is the scope of the compliance process?

13. Banks in India primarily operate under the provisions of the Banking Regulation Act. However, there are several other enactments such as Reserve Bank of India Act, Foreign Exchange Management Act (FEMA), Income Tax Act and Prevention of Money Laundering Act (PMLA) which impact the business of banking. The banks in India have to comply with periodic regulations and directions issued by the Reserve Bank of India, the primary regulator. Further, as Indian Banks are expanding geographically across the borders, they also need to adhere to local laws and regulations applicable in the overseas jurisdictions. There are also industry standards and codes set by BCSBI, FIMMDA, FEDAI and IBA which need to be followed by the banks. With most of the banks having turned public and having been listed on the stock exchanges, they also need to adhere to the listing and disclosure requirements. Also, as banks are undertaking other business/functions such as bancassurance, cross selling of mutual funds, wealth management, etc. they need to adhere to the guidelines issued by other regulators like IRDA, SEBI, PFRDA, etc. I understand that there are about 54 legislations that impact banking business and all of them need some sort of compliance. The compliance function, very often, extends beyond what is legally binding and embraces broader standards of integrity and ethical conduct.

14. Compliance function not just encompasses the banks’ standalone operations but also includes various Para-banking functions, which are conducted within the wider banking group. Consequently, there is a critical need for the management of compliance risk as a Group level risk under an enterprise wide risk management framework.

What is the fall-out of non-compliance?

15. The non-fulfillment of compliance responsibilities is likely to bring to the fore various risks that may have potentially debilitating effects on the bank. The BCBS paper defines Compliance risk as "the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities". The compliance area is, thus, critically important in identifying, evaluating, and addressing legal and reputational risks. The penalties imposed by regulators/supervisors, including RBI, on regulated entities for non-compliance of directions, rules and statutory requirements and the associated “name and shame” that these penalties bring in their wake, are a manifestation of the compliance risk facing banks. These also have ramifications on the perception of the masses about the institutions so penalized. In fact, one of the key functions of the compliance department has to be information dissemination, whereby instances of compliance failures are quickly circulated among the staff along with preventive instructions, especially with an eye on preventing future frauds/ mishaps and other manifestations of compliance risk.

What are the essential ingredients of an effective compliance framework?

16. Let me now turn to what I believe constitutes the basic building blocks of an effective compliance framework. These are: (i) Compliance Policy; (ii) Compliance Structure; (iii) Compliance Manual/ checklist; (iv) Compliance Personnel; and (v) Compliance Audit. The compliance process involves identifying the level of compliance risk in each business line, products & processes, suitably advising the operational functionaries and formulating instructions for mitigation of such risk. The integrity of the compliance process would depend upon how well the compliance architecture has been built up within the organization and whether there is clear identification of responsibility and accountability for the compliance function. If we can get the above basics right, probably the foundation of an effective compliance framework would have been well laid.

17. The role of compliance officers is extremely important to ensure evolution of an appropriate risk mitigation plan by bank Boards. During pre-screening of prospective products and services, compliance function provides vital inputs on possible breaches of regulatory guidelines. Documentation deficiencies, very often, plague the operational efficiency of banks and this could well be the case for compliance function too. In this regard, it is important that regular updates are carried out to the Compliance manuals and detailed check lists are prepared, which will ensure availability of an itemized inventory of “dos and don’ts” which can be followed by every new incumbent in the compliance hierarchy and also help in building institutional memory. Further, in order that the compliance process attains its desired objectives, it is imperative that the Compliance and Audit functions act in a coordinated manner.

18. However, let me state that all banks need not have a uniform internal compliance structure. RBI’s compliance guidelines clearly recognize the differences among the banks with regard to their scale of operations, their risk profiles and organizational structures and, therefore, allow freedom to the management to organize their compliance function best suited to their individual requirements. However, I would like to add a word of caution here. In an ever changing competitive scenario, what we may not do as bankers today may not be such a remote possibility tomorrow and, therefore, the compliance officers have to not only be aware of present set of regulations but also be able to foresee possible impediments to operations going forward. Same is the case with compliance structures, which need to retain flexibility and adaptability to stay in sync with the evolving business environment.

Is there a conflict of interest between the broad operational mandate of banks and the compliance function?

19. Compliance teams are invariably caught in a bind over whether to overlook certain rigors of regulation to facilitate the business or to enforce them zealously. A significant underpinning that can help solve this dilemma is the extent of independence that the compliance officers enjoy. It is imperative that the compliance officers enjoy complete independence so that they can fearlessly put forth their apprehensions on probable compliance deficiencies and pitfalls in various business lines. Towards this end, RBI has prescribed that the remuneration of compliance officers should be independent of the business lines they are responsible for and should be more in alignment with the bank’s overall financial performance. A proactive system of testing for compliance on various points to obviate influences from business lines, enabling direct reporting of compliance aspects by Compliance Heads to Boards of banks, etc. are some of the means to ensure the independence of the compliance function.

What is the role of the Top Managements of banks in compliance?

20. Above arguments possibly point to a predominant role for dedicated compliance units in banks. This, however, does not undermine the role of the Top Management in the compliance function. Top Management in banks have a very critical role in ensuring compliance. This was one of the main planks on which the BCBS document articulated its stance on the inter-relationship between compliance functions and corporate governance. Attainment of high standards of compliance underscores the ability of the management to remain accountable and responsible all the time, which is an essential tenet of corporate governance, especially since the process has to be rolled out at the top for employees down below to emulate. The most effective corporate culture emphasizing standards of honesty and integrity is one in which the Board of directors and senior management lead by example. Besides, there has to be an active channel of two-way communication that can transmit the Top Management’s compliance ethos down the hierarchical levels and carry back feedback from the lower level in order to progressively improve bank’s compliance processes.

Would theoretical education help in improving compliance process?

21. While compliance officers often have the prior experience of working in live, operational environments, a sound theoretical grounding in terms of knowledge of laws and statutes and familiarity with the roles and responsibilities can definitely be an added advantage. It is in this context that courses such as the one being launched today could go a long way in educating compliance functionaries on essential aspects of legal compliance, creating documentation related awareness and, in the process, ironing out the chinks in the compliance armor. More than anything else, compliance officers need to know the realms in which they operate, the scope of their functions and how limited or expansive their interaction and reach should be. In sum, they should be aware of when to report and what to report to their respective Boards/Management Committees on compliance failures and then take it forward to the banking regulator and supervisor. Their role is also of moral suasion in convincing Boards to be guided by prudent compliance policies which can, at times, be dragged in different directions by forces of competition, market demands, general business needs and ambitions. It is perfectly desirable to prevent a compliance failure upfront, rather than report the same after the occurrence of a potentially damaging event. Compliance staff should have fair knowledge of law, accountancy and information technology along with adequate practical experience in various business lines and audit / inspection functions to enable them to carry out their duties effectively. In order to keep the compliance staff up-to-date with developments in the areas of banking laws, rules and standards, regular and systematic education/ training in areas such as new products and services introduced in the banking industry, corporate governance, risk management and supervisory practices, etc. are necessary.

Conclusion

22. To conclude, I would emphasize that each bank must develop a robust compliance system with a well documented compliance policy clearly outlining the compliance philosophy of the bank, role and set up of the compliance department, composition of its staff and their specific responsibilities. For the compliance policy to be effective, it is important that the policy is driven by the risk profile of businesses and their stated risk appetite. For the long term stability and survival of the bank, it is important that a healthy compliance culture is developed and percolated down to the lowest level functionaries in the bank. If we follow the basic tenets of compliance, the risk of manifestation of compliance failure would be minimized. We agree that compliance is costly and will involve expenditure, but let me remind you that, in the final analysis, it is non compliance which would prove costly and may endanger the very survival of the institution.

23. The compliance function is acquiring increasing importance in banks on account of growing regulatory complexity and also creating a demand for competent banking compliance professionals. In view of the constantly evolving legal/ regulatory framework, those already working in this area also need to continuously update their knowledge base and skill sets to remain relevant. I believe that the certificate course being launched today would help create a cadre of suitably trained banking compliance professionals. It is also heartening to note that the course would not only be open to bankers who have completed CAIIB but also to the members of ICSI. Given the fact that legal knowledge is essential in ensuring proper compliance, having company secretaries, who are well versed with various laws, as compliance officers would imply having in place the right persons for the right job.

24. Policies and products alone cannot ensure success in banking performance. The performance of banks depends on the quality of staff, their professional competence and also the compliance culture in the bank. This has to be nurtured and kept updated through training and other knowledge management efforts. Banks need a battery of in-house professional trainers to spearhead these efforts and it is here that the Certified Bank Trainer course would come in handy. Since we need a multitude of professional trainers to take forward the task of competence building and to provide mentorship to the bank staff, I feel the scope for this course is also phenomenal.

25. I hope, both the bankers and the ICSI members, realize the potential benefits that these two courses offer and make their optimum use. I believe that these courses have tremendous value in today’s business environment, where the quality of manpower and the compliance culture of banks are two areas that can give competitive advantage to banks, besides contributing to the strength and resilience of individual banks and the entire financial system. I once again congratulate all the three Institutes for their efforts towards launching these two courses at an appropriate time, and wish them all success in their future academic endeavors.

Thank you!