Embracing meaningful assurance for sustainable growth of the NBFC Sector (Speech by Shri Swaminathan J, Deputy Governor, Reserve Bank of India - May 15, 2024 - at the Conference of Heads of Assurance of Non-Banking Financial Companies (NBFCs) held in Mumbai)

Deputy Governor Shri Rao, Heads of Assurance functions from Non-Banking Financial Companies, and my colleagues from the Reserve Bank of India. A very good morning to all of you.

1. The Reserve Bank of India has been engaging with its supervised entities regularly over matters of governance and assurance functions, conveying the importance of strong organisational governance and remaining vigilant to ensure the continued stability of the financial sector. Assurance functions namely, the risk management, compliance and internal audit, play a very crucial role, as guardians ensuring the regulated entity operates soundly, safely, ethically and within regulatory and legal boundaries. Today’s conference for the heads of assurance functions is an extension of our efforts, recognising the critical role these functions play in ensuring the robustness and resilience of the financial entity itself as well as the overall financial system.

2. The role played by NBFCs in Indian financial sector has been rapidly growing and their share in the credit portfolio has significantly gone up, more so in the last three years. Just a decade ago, in 2013, the total credit extended by NBFCs represented approximately one-sixth of the magnitude of bank credit. However, this proportion has increased to one-fourth¹, indicating a notable acceleration in credit delivery by NBFCs compared to banks. Indeed, NBFCs have emerged as a preferred option for numerous underserved sectors, particularly small businesses and households, due to their ability to provide more feet on street and customer friendly credit solutions. Moreover, NBFCs have embraced technology in a big way to further expedite and streamline their reach and credit delivery process. But this has also brought certain systemic risk, complexity and interconnectedness, which is the reason as to why the Reserve Bank has of late been engaging with this sector more often than before.

3. Hence the theme of my speech today is going to be focussing on the need to ensure effectiveness of assurance functions for sustainable growth. As NBFCs expand in both size and complexity, they must bolster governance and assurance functions to maintain a constant vigil over potential risks and vulnerabilities. It is crucial to ensure that the rapid growth and adoption of technology do not happen by side stepping the importance of robust risk management practices.

4. I also would like to highlight here that the NBFCs operate in a dynamic and challenging environment, facing a multitude of risks that can impact their stability and operational resilience. Let me highlight just three of these which I believe deserve heightened attention.

Cybersecurity and Operational Risks

5. In today’s digital age, cybersecurity threats represent a significant operational risk. The stark reality is that a cybercriminal needs to succeed only once, while organisations must always remain vigilant and resilient. One of the primary cybersecurity risks faced by NBFCs is the threat of data breaches and unauthorized access to sensitive information. There are also other forms of cyberattacks, including malware infections, phishing scams, and ransomware attacks. These attacks can disrupt operations, compromise systems and data integrity, and lead to financial extortion or loss of critical information. To mitigate cybersecurity risks, NBFCs must adopt a proactive and comprehensive approach to cybersecurity. This includes implementing robust cybersecurity policies and procedures, conducting regular risk assessments and vulnerability scans. Deploying advanced security technology tools such as firewalls, encryption, and intrusion detection systems are non-negotiable. Further, providing cybersecurity training and awareness programs for employees, on an ongoing basis, should become a way of life. Risk management and Internal Audit functions have to urgently build on their skill sets so that they are able to assess periodically, the IT and Cyber security stance and preparedness of their entities.

Credit risks from rule-based credit models

6. Many NBFCs are increasingly turning to rule-based credit engines to accelerate the growth of their lending portfolios. While automation can enhance efficiency and scalability, NBFCs should not allow themselves to be blinded by these models. It is crucial to recognize that rule-based credit engines are only as effective as the data and criteria upon which they are built. Overreliance on historical data or algorithms may lead to oversights or inaccuracies in credit assessment, particularly in dynamic or evolving market conditions. Therefore, NBFCs must maintain a clear-eyed perspective on their capabilities and limitations, supplemented by continuous monitoring and validation of credit scoring models. It is incumbent upon the supervised entities to keep the rule engines and models calibrated from time to time taking into account real time learnings and emerging scenarios. It is also imperative to have these models validated periodically, either internally or externally, as the case may be, to ensure that the models stay relevant at all times. I would like to call upon the heads of Risk and Internal Audit here to pay special attention to this requirement.

7. I also would like the heads of risk function to pay attention to their business model that are being adopted for their continued viability and also periodically scan the portfolio mix to prevent any possible build up of risks such as concentration risk. There appears to be a fancy among most NBFCs to do more of the same thing, such as retail unsecured lending, top up loans or capital market funding. Over reliance on such products may bring grief at some point in time later. It is also observed that the risk limits that are fixed for certain category of products or segments, say like unsecured lending, in some entities, is way too high to be sustainable in the long run. I hope risk managers make a professional assessment of such risks that may be building up in their books.

8. Continuing on the effectiveness of risk functions, I would like to reiterate that it is imperative for your internal presentations to the Board to capture forward looking thoughts in risk management. The entities also need to invest in Early Warning Systems, Stress Testing capabilities, Vulnerability Assessments, Monitoring of Cyber Key Risk Indicators, targeted evaluations of compliance with KYC/AML norms and Transaction monitoring capabilities.

Liquidity Risks

9. One of the key risks is liquidity risks arising from concentration of funding sources and maturity mismatches. Reliance on a limited number of funding sources can amplify liquidity vulnerabilities, especially during periods of market stress or disruptions in funding channels. Moreover, maturity mismatches between assets and liabilities can exacerbate liquidity risk, making NBFCs susceptible to funding squeezes or rollover difficulties. Prudent liquidity management practices, including diversification of funding sources, maintaining adequate liquidity buffers, monitoring maturity profiles and putting contingency lines in place are essential to mitigate liquidity risks and ensure uninterrupted operations. Additionally, stress testing and scenario analysis can help NBFCs assess their resilience to adverse liquidity shocks and proactively manage liquidity risks.

10. This is an area, we observe, that the Internal Audit functions in most entities, have not measured upto the requirement of periodically auditing the assumptions and inputs that go into calculating various statutory ratios relating to liquidity risk management. We also observe that even in some large NBFCs, there is lack of capacity building in their mid office and back-office functions, which can seriously compromise the assessment and monitoring of the ALM and liquidity risk.

Inadequate attention and independence of assurance functions

11. Amidst the escalating complexity of risks, it is disconcerting to note that NBFCs have the lowest average number of compliance staff relative to their size compared to other sectors like commercial and cooperative banks. Despite regulatory measures aimed at ensuring the autonomy of these functions, it is disheartening to encounter instances where heads of assurance functions are given junior positions within the hierarchy or there is lack of direct access to the Board. Further, instances of dual-hatting with other roles is also observed. Such practices undermine the effectiveness and independence of assurance functions, potentially exposing NBFCs to heightened risks, thereby attracting enhanced regulatory scrutiny.

12. Independence of assurance functions is therefore sacrosanct, and there must be no compromise on this front. Clear delineation of responsibilities and a robust framework for independence are vital to preserving the credibility of your roles. It is imperative that NBFCs prioritize the strengthening of their governance structures, ensuring that heads of assurance functions are positioned appropriately within the organizational hierarchy and granted direct access to the Board. This will not only enhance the credibility and effectiveness of assurance functions but also bolster the overall risk management framework of NBFCs.

13. While we have had interactions with the Board Directors of Banks and NBFCs and shared these expectations, it is also necessary that as heads of assurance functions, each one of you conduct yourselves in a manner in which you don’t diminish or compromise such independence.

Fair and transparent conduct towards customers

14. Customer protection is one of the core elements of policy making at RBI. Given the service-oriented nature of the financial services industry, safeguarding the interests of customers should rank foremost among the priorities of our regulated entities as well.

15. Transparency in pricing is essential to build trust and confidence amongst customers. Towards our ongoing commitment for principle-based regulations, RBI has given the liberty of benchmarking and pricing of loans to the Boards of NBFCs, but the Master Directions in this regard clearly state that rates beyond a certain level maybe seen to be excessive which can neither be sustained nor be considered as conforming to normal financial practice. Therefore, excessive rates will invite supervisory scrutiny.

16. During our onsite examinations last year, we identified instances of unfair practices in charging of interest by many entities. These include charging interest from the date of loan sanction or agreement execution rather than from actual disbursement of the loan, charging interest from the date of the cheque for loans disbursed through cheques, despite handing over the cheque to customers much later, and levying interest for the entire month instead of the period for which the loan was actually outstanding. Additionally, some NBFCs collected advance instalments but calculated interest based on the full loan amount.

17. Wherever such practices came to light, RBI has initiated action including directing these supervised entities to refund such excess charges. However, as heads of assurance functions, it is incumbent upon each of you to serve as custodians of conscience within your respective organizations and ensure that there are no such unfair practices prevalent in your entities which may be detrimental to your customers.

Importance of meaningful assurance

18. Assurance endeavours, especially internal audit and compliance should transcend mere box-ticking exercises and delve into addressing root causes of the issue. By going beyond surface-level checks, assurance functions can uncover the fundamental factors contributing to problems, allowing for more effective and sustainable solutions to be implemented. This proactive approach not only helps mitigate risks but also enhances organizational resilience and fosters a culture of continuous improvement.

19. We have also observed that there are some misguided or intelligent interpretation in the market to circumvent regulations, which poses a significant threat to the integrity of the financial system. When individuals or regulated entities start interpreting regulations to their advantage or for their gain, it undermines the effectiveness of regulatory frameworks and compromises the stability and fairness of the market. Such practices erode trust and confidence in the financial sector, potentially exposing consumers, investors and the broader economy to risks and vulnerabilities. RBI's supervision will review the substance of such transactions over their legal form. Should we encounter instances of such circumvention of regulations, we will not hesitate to initiate appropriate supervisory action, as has been demonstrated in some of our recent actions.

Conclusion

20. Before I conclude, I would like to highlight the importance of assurance functionaries keeping themselves abreast of all the latest developments. In the rapidly evolving landscape of finance and regulation, new challenges, risks, and opportunities emerge with incredible frequency, hence there is a need for continual upgradation of skill sets as well as constant vigil.

21. In conclusion, risk management, internal audit and compliance are necessary for ensuring sustainability of a financial institution’s growth and to protect stakeholders’ interest. If we scan the global history of financial collapses, it is evident that trust is more important in the world of finance than anywhere else. In the absence of diligent assurance functions that are implemented in “letter and spirit”, the threat to breach of stakeholders’ trust is very real and can eventually lead to the collapse of the financial institution itself.

22. In today’s address, I have tried to cover the multifaceted nature of risks facing NBFCs, from cybersecurity threats to liquidity challenges and regulatory compliance issues. In the face of these complexities, it is imperative for NBFCs to adopt a holistic approach to assurance – an approach that transcends mere box-ticking exercises and delves into tackling the root causes. By embracing meaningful assurance practices, NBFCs can identify vulnerabilities, strengthen internal controls, and mitigate risks effectively, thus enhancing their operational resilience and safeguarding the interests of all stakeholders.

23. Thank you.

----

¹ As at March 31, 2023