Two recent regulatory initiatives have advocated/mandated an important and internationally
established governance practice of subjecting the critical Compliance Function in banks to an
external/independent review:
– In a discussion paper brought out in June 2020 on Governance in Commercial Banks in India,
the Reserve Bank of India (RBI) suggested that an external assessment of the
effectiveness of the Compliance Function shall be undertaken at least once in 3 years, in
addition to or supplementing the periodic independent review by the Risk Management
Committee of the Board and an independent assessment by Internal Audit.
– This was later mandated by RBI in its fresh guidelines to banks issued on September 11,
2020 regarding Compliance Function in Banks and Role of Chief Compliance Officer, which
required banks to develop and maintain a quality assurance and improvement program for
the Compliance Function and further to subject that program to an independent external
review at least once in three years.
Approaching the Review:
Any review or assessment of the Compliance Function has to have a benchmarking anchor in
what is widely and authoritatively considered sound compliance practice. As such, it
requires going back to the 2005 Basel paper on Compliance and the Compliance Framework in
banks. The principles this group of global regulators set out for Compliance functions, and the
broad practices it recommended, guided the global evolution of the compliance function in
banks, including the regulations governing it.[1]
After the financial crisis in and around 2008, when regulators realized that large financial
institutions had been derelict in self-regulation, the hands-on preventive and risk management role
for Compliance (which regulators had always envisaged but never really enforced) took
precedence. There was thus an insistence on appropriate empowerment of the function.
Compliance thus came to be looked upon as an integral part of the enterprise-wide risk
management and governance framework under what has now evolved into the 3 Lines of Defense
(3LoD) approach.
Sound Compliance practice today therefore not only bases itself on the principles laid down by
Basel and the regulations that followed from them, but also reflects an increasing recognition that
Compliance at its core has to be a strong Compliance Risk[2] Management function.
We would then suggest that we look at Compliance practices from the following lenses:
Key to this review is not only a rigorous process of understanding the compliance operating
model and the expectations around it but, more importantly, being able to evaluate the Compliance
function against increasingly intense regulatory expectations and evolving, widely accepted
global compliance practices, especially those of banks that have had relatively better success
in managing compliance risks.
For the review to be useful and beneficial, it should result in insightful and rationalized
recommendations for relevant and commensurate enhancements in processes and practices.
[1] Later, in 2006, this became the basis for RBI to come out with its own guidelines to steer and support the growth of the still-nascent compliance framework in banks in India.
[2] Defined as the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities.