India's banking regulator requires its charges to have effective compliance cultures, independent corporate compliance functions and good compliance risk management both at bank and group level. In the face of "diverse practices in this regard," it has issued further guidelines.
The aim of "uniformity" among banks is explicit. The RBI's new policy says: "A bank shall lay down a board-approved compliance policy clearly spelling out its compliance philosophy, expectations on compliance culture covering 'tone from the top,' accountability, incentive structure and effective communication and challenges thereof, structure and role of the compliance function, [the] role of [the] CCO, processes for identifying, assessing, monitoring, managing and reporting on compliance risk throughout the bank... The bank shall also develop and maintain a quality assurance and improvement programme covering all aspects of the compliance function."
This so-called programme is to be subject to independent external review periodically (at least once in three years). The policy should pay special attention to the building-up of a compliance culture and the vetting of the quality of supervisory/regulatory compliance reports to the regulator by directors of the bank. The policy is to be reviewed at least once a year.
Tenure for the appointment of a CCO
The CCO is to be appointed for a minimum fixed tenure of three years. The audit committee of the board or the managing director and CEO should take stock of this requirement while appointing him or her.
Transfer/removal of a CCO
The CCO may be transferred or removed before the end of his tenure only in exceptional circumstances, with the explicit prior approval of the board after following a well-defined and "transparent" [an undefined term] internal administrative procedure.
Who is eligible to be a CCO?
This is to be determined by several factors.
- Rank. The CCO must be a senior executive of the bank, preferably with the rank of a general manager or an equivalent position (not below two levels from the CEO).
- Age. No older than 55 years.
- Experience. At least 15 years' experience in banking or financial services, of which a minimum of five years has been in audit, finance, compliance, legal or risk management.
- Skills. Needs a good understanding of 'industry' and risk management, a good knowledge of regulations and law and a "sensitivity to supervisors’ expectations."
- Stature. Must be able to exercise judgment independently of others. Ought to have the freedom and authority to interact with regulators/supervisors directly and ensure compliance.
- Other things. No adverse observation from the RBI.