As a step towards bringing uniformity in the compliance culture of banks, the Reserve Bank of India (RBI) has prescribed norms for appointment of chief compliance officers (CCOs), whose term has to be at least three years.
The person holding the position should be a senior-level executive, preferably general manager and above.
According to the norms, the CCO will report to the chief executive officer (CEO) and/or the board committee. This is at variance with what was suggested in the discussion paper on governance in commercial banks released by the RBI in June 2020. It had suggested that CCOs would report to the risk management panel of the board, which would be responsible for selection, oversight of performance, including performance appraisals, and, if necessary, dismissal of the CCO.
The RBI, in a notification, said the CCO will have direct reporting lines with the managing director (MD) and CEO and/or board/board committee of the bank. The Audit Committee of the Board (ACB) will meet the CCO quarterly on a one-to-one basis, in the absence of the senior management, including the MD and CEO. The CCO will not have any reporting relationship with business verticals nor have any business targets.
Moreover, the performance appraisal of the CCO will be reviewed by the board/ACB, the RBI said. As part of a robust compliance system, banks should have an effective compliance culture, independent corporate compliance function and a strong compliance risk management programme at the bank and group levels.
The person heading such a function should be selected through a process with appropriate ‘fit and proper’ evaluation criteria.
The banking regulator said a bank should have a board-approved compliance policy, clearly spelling out its compliance philosophy, expectations on compliance culture, accountability, incentive structure and effective communication and challenges.
It should also cover the structure and role of the compliance function as well as the role of the CCO. Also, there should be processes for identifying, assessing, monitoring, managing and reporting on compliance risk throughout the bank, the RBI said.
The policy should lay special thrust on building the compliance culture. The policy will be reviewed at least once a year.
Referring to the authority of the compliance function, the RBI said the CCO has the authority to communicate with any staff member. It can access all records or files that are necessary to enable it to carry out its responsibilities in respect of compliance issues. The compliance function will be subject to internal audit also.