Compliance functions in banks and Role of Chief Compliance Officer (CCO)
Ref. No. DoS.CO.PPG./SEC.02/11.01.005/2020-21
September 11, 2020
The Chairman / Managing Director & Chief Executive Officer
All Scheduled Commercial Banks (Excluding RRBs)
All Local Area Banks and
All Small Finance Banks and Payment Banks
Madam / Dear Sir,
Compliance functions in banks and Role of Chief Compliance Officer (CCO)
Please refer to the guidelines on compliance functions vide our circulars DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 and DBS.CO.PPD.10946/11.01.005/2014-15 dated March 04, 2015.
2. As part of a robust compliance system, banks are required, inter alia, to have an effective compliance culture, an independent corporate compliance function and a strong compliance risk management programme at bank and group level. Such an independent compliance function is required to be headed by a designated Chief Compliance Officer (CCO), selected through a suitable process with appropriate ‘fit and proper’ evaluation/selection criteria, to manage compliance risk effectively.
However, it is observed that banks follow diverse practices in this regard. The following guidelines are meant to bring uniformity in the approach followed by banks, and also to align the supervisory expectations on CCOs with best practices.
2.1 Policy – A bank shall lay down a Board-approved compliance policy clearly spelling out its compliance philosophy; expectations on compliance culture, covering Tone from the Top, Accountability, Incentive Structure and Effective Communication and the challenges thereof; the structure and role of the compliance function; the role of the CCO; and the processes for identifying, assessing, monitoring, managing and reporting on compliance risk throughout the bank. This shall, inter alia, adequately reflect the size, complexity and compliance risk profile of the bank, the expectations on ensuring compliance with all applicable statutory provisions, rules and regulations, various codes of conduct (including voluntary ones) and the bank’s own internal rules, policies and procedures, and the creation of a disincentive structure for compliance breaches. The bank shall also develop and maintain a quality assurance and improvement programme covering all aspects of the compliance function. The quality assurance and improvement programme shall be subject to independent external review periodically (at least once in three years). The policy should lay special thrust on building up compliance culture and on vetting of the quality of supervisory / regulatory compliance reports to RBI by the top executives, non-executive Chairman / Chairman and ACB of the bank, as the case may be. The policy shall be reviewed at least once a year;
2.2 Tenor for appointment of CCO – The CCO shall be appointed for a minimum fixed tenure of not less than 3 years. The Audit Committee of the Board (ACB) / Managing Director (MD) & CEO should factor in this requirement when appointing the CCO;
2.3 Transfer / Removal of CCO – The CCO may be transferred / removed before completion of the tenure only in exceptional circumstances with the explicit prior approval of the Board after following a well-defined and transparent internal administrative procedure;
2.4 Eligibility Criteria for appointment as CCO –
Rank – The CCO shall be a senior executive of the bank, preferably in the rank of a General Manager or an equivalent position (not below two levels from the CEO). The CCO could also be recruited from the market;
Age – Not more than 55 years;
Experience – The CCO shall have an overall experience of at least 15 years in the banking or financial services, out of which minimum 5 years shall be in the Audit / Finance / Compliance / Legal / Risk Management functions;
Skills – The CCO shall have a good understanding of the industry and risk management, knowledge of regulations and the legal framework, and sensitivity to supervisors’ expectations;
Stature – The CCO shall have the ability to independently exercise judgement. He should have the freedom and sufficient authority to interact with regulators/supervisors directly and ensure compliance;
Others – No vigilance case or adverse observation from RBI shall be pending against the candidate identified for appointment as the CCO.
2.5 Selection Process – Selection of the candidate for the post of the CCO shall be done on the basis of a well-defined selection process and recommendations made by a senior executive level selection committee constituted by the Board for the purpose. The selection committee shall recommend the names of candidates suitable for the post of the CCO, ranked in order of merit, and the Board shall take the final decision on the appointment of the CCO;
2.6 Reporting Requirements – Prior intimation to the Department of Supervision, Reserve Bank of India, Central Office, Mumbai, shall be provided before the appointment or premature transfer/removal of the CCO. Such information should be supported by a detailed profile of the candidate along with a fit and proper certification by the MD & CEO of the bank, confirming that the person meets the above supervisory requirements, and a detailed rationale for changes, if any;
2.7 Reporting Line – The CCO shall have direct reporting lines to the MD & CEO and/or the Board/Board Committee (ACB) of the bank. In case the CCO reports to the MD & CEO, the Audit Committee of the Board shall meet the CCO quarterly on a one-to-one basis, without the presence of senior management, including the MD & CEO. The CCO shall not have any reporting relationship with the business verticals of the bank and shall not be given any business targets. Further, the performance appraisal of the CCO shall be reviewed by the Board/ACB;
2.8 Authority – The CCO and compliance function shall have the authority to communicate with any staff member and have access to all records or files that are necessary to enable him/her to carry out entrusted responsibilities in respect of compliance issues. This authority should flow from the compliance policy of the bank;
2.9 The duties and responsibilities of the compliance function – These shall include at least the following activities:
To apprise the Board and senior management on regulations, rules and standards and any further developments.
To provide clarification on any compliance related issues.
To conduct an assessment of the compliance risk (at least once a year) and to develop a risk-oriented activity plan for compliance assessment. The activity plan should be submitted to the ACB for approval and be made available to internal audit.
To report promptly to the Board / ACB / MD & CEO about any major changes / observations relating to the compliance risk.
To periodically report on compliance failures/breaches to the Board/ACB and circulate them to the concerned functional heads.
To monitor and periodically test compliance by performing sufficient and representative compliance testing. The results of the compliance testing should be placed before the Board/ACB/MD & CEO.
To examine the sustenance of compliance as an integral part of compliance testing and the annual compliance assessment exercise.
To ensure compliance with supervisory observations made by RBI and/or any other directions, in both letter and spirit, in a time-bound and sustainable manner.
2.10 Internal Audit – The compliance function shall be subject to internal audit;
2.11 Dual Hatting – There shall not be any ‘dual hatting’, i.e. the CCO shall not be given any responsibility which brings in elements of conflict of interest, especially roles relating to business. Roles which do not attract a direct conflict of interest, like the role of anti-money laundering officer, etc., can be performed by the CCO in those banks where the principle of proportionality, in terms of the bank’s size, complexity, risk management strategy and structures, justifies that;
2.12 The CCO shall not be a member of any committee which brings his/her role into conflict with responsibility as a member of the committee, including any committee dealing with purchases / sanctions. In case the CCO is a member of a committee, he/she may have only an advisory role;
2.13 Typical core elements of the mandate of the CCO must include the design and maintenance of the compliance framework, training on regulatory and conduct risks, and effective communication of compliance expectations, etc.;
2.14 The bank’s Board of Directors shall be overall responsible for overseeing the effective management of the bank’s compliance function and compliance risk. The MD & CEO shall ensure the presence of an independent compliance function and adherence to the compliance policy of the bank.
3. The instructions contained in this circular come into effect immediately from the date of this circular, and any new appointment shall be governed by the instructions contained herein. Banks already having a CCO may follow the indicated processes for selection of the CCO within a period of six months and are free to reappoint the current incumbent as the CCO if she/he meets all the requirements.
4. This circular supplements the guidelines issued by the Reserve Bank of India on April 20, 2007 and March 04, 2015; for any common areas of guidance, the prescription of this circular shall be followed.
(Ajay Kumar Choudhary)
Chief General Manager