India Moves to Bolster Bank CCOs
Regulators in India have adopted exhausting new criteria for the appointment of chief compliance officers in the banking sector there, and banks in that country have six months to confirm that their CCOs fit the profile or find a new one.
The Reserve Bank of India (RBI), the country’s central bank and primary banking regulator, published the guidelines on Sept. 11. CCOs should have a term of at least three years; be no older than 55; have at least five years’ experience in audit, compliance, or risk management; and be a senior executive — ideally at the level of general manager, and not to be more than two levels below the CEO.
Indian banks are already supposed to have an independent compliance function, according to previous guidance the RBI published in 2015. “However,” the agency politely noted in this latest guidance, “it is observed that the banks follow diverse practices in this regard. The following guidelines are meant to bring uniformity in approach followed by banks, as also to align the supervisory expectations on CCOs with best practices.”
Translation: not enough banks are taking their compliance function seriously. So the RBI is publishing this new list of duties and expectations so Indian banks fall into line.
Some other interesting items among the RBI’s criteria:
- Hiring. The board will establish an in-house selection committee of senior bank executives to recruit and consider CCO candidates. That selection committee can then recommend specific individuals for the board to consider, but the board itself makes the final decision on the CCO.
- Firing or transfer. The CCO can be transferred or removed before he completes his tenure only in exceptional circumstances, with explicit prior approval of the board, after a “well-defined and transparent internal administrative procedure.”
- Regulatory approval. Banks will need to submit a notice to the RBI of their intent to hire (or transfer or fire) the chief compliance officer before the personnel move is actually made. That submission will need to include a detailed profile of the candidate CCO, along with a “fit and proper” certification from the CEO of the bank confirming that the CCO meets all the RBI’s requirements.
- Reporting lines. The CCO either reports directly to the board, or to the CEO. If the CCO does report to the CEO, then he or she also gets a private meeting with the board’s audit committee at least once a quarter.
- Dual roles. The CCO cannot have any other title that might conflict with his or her duties as a compliance officer. So for example, the CCO could also be the bank’s chief anti-money laundering officer, but not be CFO or internal auditor. The RBI guidance doesn’t explicitly say the CCO can’t also be the general counsel (although that would be my interpretation).
You get the drift here. The RBI has outlined a strong, independent compliance function akin to what we would see in Europe or North America, at least among large firms that take corporate ethics and compliance seriously.
What This CCO Actually Does
Aside from the CCO job criteria, the RBI also devoted a few paragraphs to what a strong compliance function should be able to do.
First, all banks should have a compliance policy, approved by the board and “clearly spelling out [the bank’s] compliance philosophy and expectations on compliance culture.” That policy will cover everything from tone at the top, to accountability, to incentive structures, to the role of the CCO, to processes for identifying, assessing, monitoring, managing and reporting on compliance risk throughout the bank.
Moreover, the RBI said —
This [policy] shall adequately reflect the size, complexity and compliance risk profile of the bank, expectations on ensuring compliance to all applicable statutory provisions, rules and regulations, various codes of conducts (including the voluntary ones) and the bank’s own internal rules, policies and procedures, and creating a disincentive structure for compliance breaches.
So no mailing it in with a compliance policy you lifted from Wikipedia or something; banks will have to put thought into this document. The board will also need to review this compliance policy at least once a year.
The RBI also listed eight duties of the CCO and the compliance function generally:
- To apprise the board and senior management on regulations, rules and standards and new regulatory developments.
- To provide clarity on compliance-related issues.
- To conduct a compliance risk assessment at least once a year, and to develop a risk-based plan for compliance assessment. That plan should go to the audit committee for review, and be made available to internal audit.
- To report promptly to the board and senior management about any major changes in compliance risk.
- To brief the board on compliance failures and to circulate such reports to relevant functional heads.
- To monitor and periodically test compliance. The results of compliance testing should be circulated to the board and senior management.
- To examine the “sustenance of compliance” as an integral part of compliance testing and the annual compliance assessment.
- To ensure compliance with any supervisory observations made by the RBI, in a timely and sustainable manner.
So there we have it: a forceful declaration from the Reserve Bank of India in favor of a strong compliance function. What happens if a bank doesn’t take these guidelines seriously? The guidance doesn’t say. Nor am I sure how seriously banks in India will take statements like this generally. (If anyone out there is familiar with Indian banking compliance, drop me a line at [email protected].)
And as we said at the top: these rules go into effect immediately. For banks that already have a CCO, they have six months to affirm that their current compliance officer meets all these criteria or to start looking for a new CCO who does.