CAIIB ABM Module D Unit 1 : Compliance Function in Banks

CAIIB Paper 1 ABM Module D Unit 1 : Compliance Function in Banks (New Syllabus) 

IIBF has released the new syllabus and exam pattern for the CAIIB Exam 2023. Following the format of the current exam, CAIIB 2023 will now have four papers. CAIIB Paper 1 (Advanced Bank Management) includes an important topic called “Compliance Function in Banks”. Every candidate appearing for the CAIIB Certification Examination 2023 must understand each unit included in the syllabus.

In this article, we cover all the necessary details of CAIIB Paper 1 (ABM) Module D (Compliance in Banks and Corporate Governance) Unit 1: Compliance Function in Banks. Aspirants should go through this article to better understand the topic and practise with our Online Mock Test Series to strengthen their knowledge of the Compliance Function in Banks.

Introduction

  • Compliance is an independent function that identifies, assesses, monitors and reports on compliance risk to the Bank’s board.

Compliance Risk involves

  • The risk of legal or regulatory sanctions,
  • Material financial loss, or
  • Loss of reputation,

  • that a Bank may suffer as a result of its failure to comply with the laws, rules and regulations, related self-regulatory organisation standards and codes of conduct applicable to its banking activities.
  • The Compliance Function has to ensure strict observance of all statutory provisions contained in various legislations such as the Banking Regulation Act, Reserve Bank of India Act, Foreign Exchange Management Act, Prevention of Money Laundering Act, etc., as well as to ensure observance of other regulatory guidelines issued from time to time;
  • Standards and codes prescribed by BCSBI, IBA, FEDAI, FIMMDA, etc., and each bank’s internal policies and fair practices code.
  • Compliance laws, rules and standards generally cover matters pertaining to observance of laid-down rules and standards of market conduct, managing conflicts of interest, treating customers fairly and ensuring the suitability of customer advice.

They typically include specific areas such as

  • The Prevention of Money Laundering Act,
  • KYC norms,
  • Terrorist financing, and
  • Extend to tax laws relevant to the structuring of banking products and
  • Advisories to customers.
  • Compliance laws, rules and standards originate from various sources, like primary legislation, rules, standards issued by legislators and regulators/supervisors, market conventions, and code of conduct applicable to staff members of the bank, etc.
  • Each bank formulates a Policy of Compliance Function for their stakeholders.
  • It shall be the responsibility of the Compliance Officer of the bank to assist the top management in managing effectively the compliance risk faced by the bank.
  • The banking landscape of India is changing rapidly.
  • With the evolution of technology, the entire industry has undergone a massive transformation that has changed the way financial procedures are carried out, and the way financial institutions now operate.

Compliance Risk, Significance Of Compliance Function

Compliance risk in banks arises due to non-adherence to a set of laws, rules, regulations, practices, self-regulatory organisation standards, codes of conduct, etc. These can be grouped into internal compliance (applicable to all employees) and regulatory and legal compliance (applicable to the bank as a whole).

Significance of compliance function

  • Promotes orderly behaviour and uniformity in conduct of the stakeholders especially the employees
  • Reduces systemic vulnerability and resultant chaos in the system
  • Minimises deviations and aberrations
  • Identification of violations for prompt corrective action through systemic process
  • Improves the corporate governance in banks

The BCBS paper on Compliance and the Compliance Function in Banks (April 2005) defines compliance risk as “the risk of legal or regulatory sanction, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its banking services”.

Compliance risk arises due to

  • Legal or regulatory sanctions
  • Material financial loss
  • Loss of reputation as a result of an organisation’s failure to comply

Banks need to identify, evaluate and address legal and reputational risks and enhance control processes, keeping in view:

  • Penalties imposed by Regulators/Supervisors for non-compliance and the “name & shame” these penalties bring. The risk of RBI penalties arises due to non-compliance with prudential and regulatory requirements
  • Integrity and Market Conduct
  • Legal compliance
  • Internal compliance

As per Sections 46(4)(i) and 51(1) of the Banking Regulation Act, 1949, RBI can impose penalties based on deficiencies in regulatory compliance; such action is not intended to pronounce upon the validity of any transaction or agreement entered into by the banks with their customers.

Compliance Risk vis-a-vis Other Risks 

It can be seen that compliance risk is closely interrelated with the following risks in banks:

  • Regulatory Risk: Regulatory risk refers to the potential consequences to the general public and the bank on account of non-compliance with the regulations. Factors under this risk include financial harm to the consumers; legal, reputational and financial harm to a bank, etc., and the burden of corrective action including potential civil and financial liability/ies. Compliance failure can lead to regulatory enforcement and other actions.

  • Operational Risk: The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Compliance Risk is “Operational Risk come Alive”
  • Legal Risk: Legal Risk is “the possibility that lawsuits, adverse judgements or contracts that turn out to be unenforceable can disrupt or adversely affect the operations or conditions of a bank”. In other words, legal risk is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution’s activities. Compliance failures can lead to regulatory enforcement and other actions.
  • Reputational Risk: Reputational Risk is a risk that gives negative publicity regarding the Bank’s business practices, health, and soundness of operations, which may lead to a lack of confidence in the Bank, resulting in loss of business or revenue, or may involve the Bank in litigation. Compliance failure can severely damage reputation, brand and market value, leading to liquidity risk and associated effects on the running of the organisation. Reputational Risk is the current or prospective risk to earnings and capital arising from adverse perception of the image of the financial institution on the part of customers, counterparties, shareholders, investors or regulators.
  • Annihilation Risk: Arising from possibility of regulatory action of closing down business.

Non-Financial Risks

  • Business Risk: A business risk is a factor that may have a negative impact on the operation or profitability of a given organisation. Business risk may arise due to the internal conditions as well as some external factors. Change in demand for goods and services produced by a company is an external factor.
  • Strategic Risk: It is the current and prospective impact on earnings or capital arising from adverse business decision, improper implementation of decision, or lack of responsiveness to industry changes.

Compliance Risk relating to Cybersecurity

On a specific note, in technology driven banking, compliance with cybersecurity guidelines is gaining importance. Generally, cyber resilience frameworks aim to address three broad issues –

  • Confidentiality breach (confidential data being stolen),
  • Availability breach (systems are intact, but services are made unavailable),
  • Integrity breach (corruption of data or systems affecting the integrity of information and processing methods).

Compliance risk relating to these breaches is gaining significance and needs to be addressed on a priority basis.

Compliance Policy

Compliance function is one of the key elements in Banks’ corporate governance structure. The compliance function in the bank has to be adequately enabled and made sufficiently independent in accordance with the perception of the Basel Committee on Banking Supervision (BCBS), April 2005.

  • The compliance policy must speak of certain principles, standards and procedures relating to compliance function consistent with the RBI directions. The policy also must intend to articulate that the compliance function is an integral part of governance along with the internal control and risk management process.
  • Reserve Bank of India had vide their Circular No RBI/2006-2007/335 REF. DBS.CO.PP.BC 6/11.01.005/2006-07 dated 20.04.2007 advised all banks to formulate and implement a Compliance Function Policy for the Bank within 6 months from the date of the circular on the basis of the framework evolved by them. It was also advised that they would subject the implementation of the compliance function in the bank to a comprehensive review during the Annual Financial Inspection.
  • The Compliance policy was required to include the following key elements:
      ◦ Compliance Objective,
      ◦ Scope of Compliance Function,
      ◦ Compliance Function at Office/Zonal Office/Branches/Subsidiaries/Foreign Centres,
      ◦ Role & Responsibilities of Chief Compliance Officer
  • A bank must have a board approved Compliance Policy. The Policy should clearly spell out – its Compliance Philosophy, Expectations on Compliance Culture (covering Tone from the Top, Accountability, Incentive Structure and Effective Communication and Challenges thereof), Structure and Role of the Compliance Function, Role of CCO, and Processes for identifying, assessing, monitoring, managing and reporting on Compliance Risk throughout the bank.
  • The Policy shall adequately reflect the size, complexity and compliance risk profile of the bank, expectations on ensuring compliance to all applicable statutory provisions, rules and regulations, various codes of conduct (including the voluntary ones) and the bank’s own internal rules, policies and procedures, and creating a disincentive structure for compliance breaches.
  • The bank shall also develop and maintain a quality assurance and improvement program covering all aspects of the compliance function. The quality assurance and improvement program shall be subject to independent external review periodically (at least once in three years).
  • The policy should lay special thrust on building up compliance culture; vetting of the quality of supervisory/regulatory compliance reports to RBI by the top executives, non-executive Chairman/ Chairman and ACB of the bank.
  • The policy should be reviewed at least once a year.

Compliance Principles, Process And Procedures

  • The Compliance department at the Head office should play the central role in the area of identifying the level of compliance risk in each business line, products and processes and issue instructions to operational functionaries/formulate proposals for mitigation of such risk. It should periodically circulate the instances of compliance failures among staff along with instructions for prevention in future.
  • Inspection/audit findings should serve as a feedback mechanism for the Compliance department for assessing the areas of compliance breaches/failures.
  • The compliance function should incorporate a robust mechanism to: (i) ensure that regulatory guidelines/instructions are promptly issued/disseminated within the organisation. (ii) monitor compliance with the regulatory guidelines/instructions.
  • The Compliance department should serve as a reference point for the bank’s staff from operational departments for seeking clarifications/interpretations of various regulatory and statutory guidelines.
  • The Compliance function should on a proactive basis identify, document, assess the compliance risks associated with banks’ business activities and products. The compliance risks in all new products and processes should be thoroughly analyzed and appropriate risk mitigants by way of necessary checks and balances should be put in place before launching. The Chief Compliance officer should be a member of the ‘new product’ committee/s to ensure that the new products/processes have clearance from all perspectives including compliance. All new products should be subjected to intensive monitoring for the first six months of introduction to ensure that the indicative parameters of compliance risk are adequately monitored.
  • Banks should develop function-wise Compliance manuals in co-ordination with compliance department, if their operating manuals do not already contain specific sections or chapters on compliance and make available these to the staff associated with the respective functions.
  • The Compliance department should, at frequent intervals, interact with legal department, operational Risk management department, Taxation department and audit/Inspection department of the bank to take stock of the latest developments.
  • Compliance officers should have access to all information they require and have the right to conduct investigation and report the findings to the Chief Compliance Officer. The CCO shall necessarily be a participant in the informal discussions held with RBI. The compliance functionary should be looked at as a friend, philosopher and guide by the business units. There should be close co-ordination and partnership between Compliance and Business operations functions. The interaction may be formalised by making the Chief Compliance Officer a member of the various interdepartmental committees in the bank, in the capacity as invitee.
  • The compliance function should monitor and test compliance by performing sufficient and representative compliance testing and the results of such compliance testing should be reported to the senior management.
  • It should also consider ways to measure compliance risk (e.g., by using performance indicators) and use such measurements to enhance compliance risk assessment.
  • Compliance staff should be empowered to conduct compliance reviews/investigations whenever required. The authority to use external experts for the purpose of investigation, if required, should be left to the discretion of the Chief Compliance Officer.
  • The compliance function should be free to report to senior management on any irregularities without fear of disfavour from management or other staff members. Although its normal reporting line should be to senior management, the compliance function should also have the right of direct access to the board of directors or to the audit committee of the board, by-passing normal reporting lines. RBI has advised that the CCO should meet the Audit Committee of the Board at least annually, to apprise them of, and enable them to assess, the extent to which the bank is managing its compliance risk effectively.
  • An annual Report on compliance function including failures/breaches should be compiled and placed before the Board/ACB/Board Committee. Non-compliance with any regulatory guidelines and administrative actions initiated against the bank and or corrective steps taken to avoid recurrence of the lapses should be disclosed in the annual report of the banks.
  • The code of conduct for employees should envisage working towards earning the trust of the society by dealing with customers in a fair manner and conducting business operations consistent with rules and regulations. Due weightage could be given to record of compliance during performance appraisal of staff at various levels. Staff accountability should be examined for all compliance failures.

Compliance Programme

  • The responsibilities of the compliance function should be carried out under a compliance programme that sets out its planned activities. The compliance programme should be risk-based and subject to oversight by the head of compliance to ensure appropriate coverage across businesses and co-ordination with risk management. In view of the increased focus on compliance review in the supervisory process of RBI, a comprehensive compliance plan, replete with compliance testing and review structures, needs to be implemented.
  • The compliance function may have specific statutory responsibilities (e.g., fulfilling the role of anti-money laundering officer). Banks should carry out an annual compliance risk assessment in order to identify and assess major compliance risks faced by them and prepare a plan to manage the risks. The annual review should broadly cover the following aspects.
  • Compliance failures, if any during the preceding year and consequential losses and regulatory action as also steps taken to avoid recurrence of the same.
  • list of all major regulatory guidelines issued during the preceding year and steps taken by the bank to ensure compliance.
  • Independence of compliance function.
  • Scope of compliance procedures and processes.
  • System of internal control to minimise compliance risk.
  • Compliance with fair practices codes and adherence to standards set by self-regulatory bodies and accounting standards.
  • Progress in rectification of significant deficiencies pointed out in the internal audit, statutory audit and RBI inspection reports and position of implementation of recommendations made therein.
  • Strategy for the next year including restructuring of compliance department, if necessary, by posting/transfer/training of staff.
  • Adherence and compliance with Monitorable Action Plan/Risk Mitigation Plan (MAP/RMP) prescribed pursuant to the annual Financial Inspection/Risk Based Supervision processes is very important. Compliance units may specifically devise a time bound strategy to ensure that compliance on all specified points is achieved within the time frame.
  • Apart from the exhaustive annual review, a monthly report on the position of compliance risk may be put up to the senior management/CEO by the Chief Compliance officer. A brief report on the Compliance position may also be placed before the Board/ACB/Board Committee, as the case may be on a quarterly basis.
  • Instances of all material compliance failures which may attract significant risk of legal or regulatory sanctions, financial loss or loss of reputation should be reported to the Board/ACB/Board Committee promptly.
  • The activities of the compliance function should be subject to annual review by the internal audit mechanism. Compliance risk shall be included in the risk assessment methodology of the internal audit function and the audit programme shall cover the adequacy and effectiveness of the bank’s compliance function including testing of controls commensurate with the perceived level of risk.
  • Guidance and Education: The compliance function should advise and assist the senior management on compliance laws, rules and standards, including keeping them informed on developments by establishing written guidance to staff on the appropriate implementation of compliance laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines.
  • Cross-Border Issues: Banks may choose to carry on business in various jurisdictions for a variety of legitimate reasons. In such cases, banks carrying on business in different jurisdictions should ensure that they comply with applicable laws and regulations and that the organisation and structure of the compliance function and its responsibilities are consistent with local legal and regulatory requirements.

Scope Of Compliance Function

The Laws, rules and standards applicable to banking generally cover matters such as observing proper standards of market conduct, managing conflicts of interest, settling Government taxes, treating customers fairly and ensuring the suitability of customer advice. Scope of Compliance function includes the following:

  • Statutory Compliance to Banking Regulation Act, Reserve bank of India Act, Foreign Exchange Management act, Prevention of Money Laundering Act, etc.
  • Regulatory Compliance to guidelines issued by the Regulators such as RBI, SEBI, IRDA, etc.
  • Code of Conduct to be abided by, based on the guidelines issued by organisations like IBA, BCSBI, FEDAI/FIMMDA, etc.
  • Accounting standards to be abided by, as framed by ICAI and as applicable to the bank.
  • Listing Agreement: In case a bank wishes to list its securities on a stock exchange, it has to sign an agreement prescribed by the Securities and Exchange Board of India (SEBI) called the listing agreement. A Bank going public with its share capital has to list its shares at NSE/BSE, and as such the bank shall comply with the requirements of the Listing Agreement with the Stock Exchange.
  • Internal Compliances/Process Compliances/Policy Compliances as codified in bank’s instruction manual/Circular/Policies.

Role & Responsibilities Of Chief Compliance Officer (CCO)

RBI, in the recent past, has modified/issued guidelines about the role and responsibilities of the Chief Compliance Officer in Banks. These include appointment, tenor, eligibility, skills, selection process, reporting lines, responsibilities, etc. These guidelines have been issued for the sake of uniformity of the overall compliance function in all Banks. They are reproduced hereunder from the notification RBI/2020-21/35 (ref DoS.CO.PPG./SEC.02/11.01.005/2020-21 dated 11.09.2020):

  • Tenor for appointment of CCO: The CCO shall be appointed for a minimum fixed tenure of not less than 3 years. The Audit Committee of the Board (ACB)/Managing Director (MD) & CEO should factor this requirement while appointing CCO;
  • Transfer/Removal of CCO: The CCO may be transferred/removed before completion of the tenure only in exceptional circumstances with the explicit prior approval of the Board after following a well-defined and transparent internal administrative procedure;
  • Eligibility Criteria for appointment as CCO –
      ◦ Rank: The CCO shall be a senior executive of the bank, preferably in the rank of a General Manager or an equivalent position (not below two levels from the CEO). The CCO could also be recruited from the market;
      ◦ Age: Not more than 55 years;
      ◦ Experience: The CCO shall have an overall experience of at least 15 years in the banking or financial services, out of which a minimum of 5 years shall be in the Audit/Finance/Compliance/Legal/Risk Management functions;
      ◦ Skills: The CCO shall have a good understanding of the industry and risk management, knowledge of regulations and the legal framework, and sensitivity to supervisors’ expectations;
      ◦ Stature: The CCO shall have the ability to independently exercise judgement. He should have the freedom and sufficient authority to interact with regulators/supervisors directly and ensure compliance;
      ◦ Others: No vigilance case or adverse observation from RBI shall be pending against the candidate identified for appointment as the CCO.
  • Selection Process: Selection of the candidate for the post of the CCO shall be done on the basis of a well-defined selection process and recommendations made by the senior executive level selection committee constituted by the Board for the purpose. The selection committee shall recommend the names of candidates suitable for the post of the CCO as per the rank in order of merit and Board shall take final decision in the appointment of CCO;
  • Reporting Requirements: A prior intimation to the Department of Supervision, Reserve Bank of India, Central Office, Mumbai, shall be provided before appointment, premature transfer/removal of the CCO. Such information should be supported by a detailed profile of the candidate along with the fit and proper certification by the MD & CEO of the bank, confirming that the person meets the above supervisory requirements, and detailed rationale for changes, if any;
  • Reporting Line: The CCO shall have direct reporting lines to the MD & CEO and/or Board/Board Committee (ACB) of the bank. In case the CCO reports to the MD & CEO, the Audit Committee of the Board shall meet the CCO quarterly on one-to-one basis, without the presence of the senior management including MD & CEO. The CCO shall not have any reporting relationship with the business verticals of the bank and shall not be given any business targets. Further, the performance appraisal of the CCO shall be reviewed by the Board/ACB;
  • Authority: The CCO and compliance function shall have the authority to communicate with any staff member and have access to all records or files that are necessary to enable him/her to carry out entrusted responsibilities in respect of compliance issues. This authority should flow from the compliance policy of the bank;

The duties and responsibilities of the CCO as Head of Compliance Function – These shall include at least the following activities:

  • To apprise the Board and senior management on regulations, rules and standards and any further developments.
  • To provide clarification on any compliance related issues.
  • To conduct assessment of the compliance risk (at least once a year) and to develop a risk oriented activity plan for compliance assessment. The activity plan should be submitted to the ACB for approval and be made available to the internal audit.
  • To report promptly to the Board/ACB/MD & CEO about any major changes/observations relating to the compliance risk.
  • To periodically report on compliance failures/breaches to the Board/ACB and circulating to the concerned functional heads.
  • To monitor and periodically test compliance by performing sufficient and representative compliance testing. The results of the compliance testing should be placed to Board/ACB/MD & CEO.
  • To examine sustenance of compliance as an integral part of compliance testing and annual compliance assessment exercise.
  • To ensure compliance of Supervisory observations made by RBI and/or any other directions in both letter and spirit in a time bound and sustainable manner.

Other Important Responsibilities/Functions 

Ensure formulation/updation of compliance rules (CRs) in co-ordination with principal functional departments for all banking functions and their operational implementation in terms of statutory guidelines, especially those pertaining to:

  • KYC–AML–CFT guidelines,
  • Deposits and Services,
  • Advances and
  • FEMA Guidelines.

CAIIB Paper 1 Module D Unit 1 Compliance Function in Banks ( Ambitious_Baba )