1. Background

1. Growing size and complexity of India’s financial system underscores the significance of strengthening governance standards in banks. Recent events in a dynamic and rapidly evolving financial landscape have led to increasing scrutiny of the role of promoter(s), major shareholder(s) and senior management vis-a-vis the role of a board. In the context where management plays the role of an agent of a board and the board in turn plays the role of an agent of shareholders, governance failures have brought to fore the impact of quality of governance on efficiency in allocation of resources, protection of depositors’ interest as well as maintaining financial stability.

2. Shareholders of any entity have an objective to maximise return on their capital. However, in financial intermediation this objective is predominantly realised through raising of financial resources from depositors and other debt providers. It is the trust reposed in these entities by providers of financial resources, largely depositors – a key stakeholder, which casts a very high and unique ‘fiduciary’ responsibility on entities such as banks.

3. Therefore, an approval to undertake financial intermediation involves a grant of public policy and public utility privilege. Against this privilege is an expectation of a higher order of responsibility on individuals while in search of returns. Naturally, with this privilege comes a higher order of accountability.

4. Against this backdrop, this document in the form of a ‘Discussion Paper’ has been drafted for being placed in public domain for seeking feedback and suggestions. The objective is to align current regulatory framework with global best practices while being mindful of the context of domestic financial system.

5. The contents in the paper have been compiled after reviewing extant instructions/guidelines/directions of the Reserve Bank and relevant guidance available in public domain including those issued by Basel Committee of Banking Supervision (BCBS), Financial Stability Board (FSB) as well as the Banks Board Bureau.

6. The unique characteristic of financial intermediation and spill over impact of governance failures on real sector has not been missed while drafting the paper. Therefore, the approach has been to set higher aspirational standards in governance for entities engaged in financial intermediation. Such higher standards in turn can create positive impact on providers of capital to these entities.

7. The contents in the paper straddle between principle-based regulation and rule-based regulation, with emphasis on the latter wherever warranted.

8. Relevant provisions of extant statutes/regulations have been reproduced in the interest of compiling different sources in one document.

9. This paper is drafted to encourage discussion and intended for seeking stakeholder feedback. The Reserve Bank will issue the guidelines/directions after considering the feedback.

2. Applicability

1. Applicability of the contents herein will be to entities mentioned below:

1. Private sector banks including Small Finance Banks (SFBs), Payments Banks (PBs), wholly-owned subsidiaries of foreign banks and foreign banks operating in India under branch model.

2. State Bank of India, Nationalised Banks and Regional Rural Banks, except in so far as what is prescribed is not inconsistent with provisions of specific statutes applicable to them or in case where the major shareholder/promoter viz., Government of India retains its instructions.

3. The contents of the discussion paper must be read along with other governing statutes, regulations and licensing conditions applicable to banks and the most stringent shall be followed.

3. Definitions¹

1. In this paper, unless the context otherwise requires: -

1. “board of directors” or “board” means the collective body of directors which supervises management;

2. “chairperson or chair” means the Chairman of board of directors or a committee of board of directors;

3. “control functions” means those functions that do not have a responsibility of revenue generation and have a responsibility independent from revenue generating functions i.e., to provide objective assessment, reporting and/or assurance on revenue generating/risk taking activities. Not all non-revenue generating functions are control functions; assurance functions and internal control functions are together called control functions. Assurance function are control functions performed by second and third line of defence.

4. “Corporate governance” means a set of relationships between a company’s management, its board, its shareholders as well as other stakeholders which provides the structure through which objectives of a company are set, along with the means of attaining those objectives and monitoring performance². It helps define the way authority as well as responsibility are allocated and how decisions are made.

5. “director” means a director appointed to the board;

6. “duty of care” is the duty of each director to decide as well as act on an informed and prudent basis;

7. “duty of loyalty” is the duty of each director to act in good faith in the interest of the bank;

8. “independent director” shall be a director who meet the requirements in Companies Act, 2013³;

9. “internal control system” means a set of rules and controls governing a bank’s organisational/ operational structure, including reporting processes and functions. These are put in place by first line of defence. It does not include assurance functions;

10. ';managing director (MD)” means a Chief Executive Officer (CEO) of a bank who is also appointed by the board as a director and who, by virtue of an agreement with the bank or of a resolution passed by the bank in general meeting or by its board or, by virtue of its memorandum or articles of association, is entrusted with the management of the whole, or substantially the whole of the affairs of the bank. A CEO shall exercise powers subject to the superintendence, control and direction of the board;

11. “non-executive director (NED)” is a member of the board who does not have responsibilities within the bank. All directors other than whole -time directors (WTDs) are part-time NEDs;

12. “risk appetite” is the aggregate level and types of risk a bank is willing to assume to achieve its strategic objectives and business plan. It is decided in advance and within its risk capacity;

13. “Risk Appetite Framework (RAF)” is the overall approach, including policies, processes, controls and systems, through which risk appetite is established, communicated as well as monitored. It includes a risk appetite statement, risk limits, an outline of roles/responsibilities of those overseeing implementations and monitoring of the RAF. The RAF shall consider risks to the bank, as well as to its reputation vis-à-vis depositors, investors and customers. The RAF must be in alignment with the bank’s strategy;

14. “Risk Appetite Statement (RAS)” is a written articulation of the aggregate level and types of risk that a bank will accept, or avoid, to achieve its business objectives. It includes quantitative risk measures expressed relative to earnings, capital, liquidity and other relevant measures as appropriate. It shall also include qualitative statements to address reputation and conduct risks, risks from unethical practices as well as money laundering;

15. “risk capacity” is the maximum amount of risk a bank can assume given its capital base, risk management and control capabilities as well as its regulatory constraints;

16. “risk culture” means bank’s norms, attitudes, behaviors towards risk awareness, risk-taking, risk management and controls that shape decisions on risks. Risk culture influences the decisions of management/employees during the day-to-day activities and has an impact on the risks they assume;

17. “risk governance framework” is a significant part of overall governance framework, the framework through which the board establishes the bank’s strategy as well as risk approach and management takes decisions in adherence to the same; articulate and monitor adherence to overall risk appetite as well as specific risk limits vis-à-vis bank’s strategy; and identify, measure, manage or control risks;

18. “risk limits” are specific quantitative measures or limits based on, for example, forward-looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities as relevant, specific risk categories, concentrations and, as appropriate, other measures;

19. “risk management” are processes established to ensure that all risks, associated risk concentrations are identified, measured, limited/controlled/mitigated and reported on a timely as well as comprehensive basis;

20. “risk profile” is a point-in-time assessment of a bank’s gross risk exposures (i.e. before the application of any mitigants) or, as appropriate, net risk exposures (i.e. after considering mitigants) aggregated within and across each relevant risk category based on current or forward-looking assumptions;

21. “senior management” are those with managerial responsibilities; includes WTDs, CEO, those primarily reporting into a WTD/ CEO; those primarily reporting to the board or committees of the board, including those who are part of the second and third line of defence;

2. All other expressions unless defined herein shall have same meaning as have been assigned to them under various statutes or notifications / instructions / rules / regulations / guidelines/directions issued under various statues or used in commercial parlance.

4. Overall responsibilities of the board of directors

1. The board of a bank has overall responsibility for the bank, including culture, governance framework and approving as well as overseeing management’s implementation of the bank’s strategic objectives. Directors have responsibilities to the bank’s overall interests, regardless of who appoints them⁴.

2. These responsibilities⁵ articulated in following paragraphs in substantive terms are to be met by the board/committees of the board by setting agenda for its meetings and actions emanating therefrom as recorded in minutes of the meetings. The board/ committees of the board shall maintain appropriate records of their proceedings at each meeting, including minutes of meetings, summaries of matters reviewed, main discussions, individual director’s views, dissenting opinions, decisions taken, recommendations made and board resolutions. Minutes of the meetings of the board/committees of the board are to be signed by the chair of the meeting. In all matters related to meetings of the board and its committees’ compliance shall be ensured inter alia with guidance issued from time to time by the Institute of Company Secretaries of India (ICSI).

4.1 Responsibilities of the board - culture and values⁶

1. A fundamental component of good governance is a culture of reinforcing appropriate norms for responsible and ethical behaviour. These norms are especially critical in terms of a bank’s risk awareness, risk-taking behaviour and risk management. To promote a sound culture, the board shall reinforce the “tone at the top” by⁷:

1. playing a lead role in establishing the bank’s culture and values; adhering to values that create expectations that all business shall be conducted in a legal and ethical manner;

2. sustained oversight on adherence to such values by senior management and other employees; ensuring primary responsibility resting with CEO and senior management;

3. confirming that appropriate steps have been or are being taken to communicate throughout the bank the values, professional standards or code of conduct it sets, together with supporting policies;

4. an online process by which every employee in the bank spends at least 60 minutes every year reviewing a conduct training manual before signing the code of conduct statement⁸.

5. recognising that changing behaviour cannot always be achieved through “standard” training and requires involvement of senior leaders who champion the effort; develop programs for staff across all areas of the bank, tailored to the bank’s circumstances that regularly reinforce what the desired values and conduct mean in practice⁹;

6. making certain that the CEO and other WTDs are highly visible in championing the desired values and conduct; that they face material consequences if there are persistent or high-profile conduct and value breaches¹⁰;

7. confirming that employees, including senior management, are aware that appropriate disciplinary or other actions, including those related to compensation¹¹/career progression, will follow unacceptable behaviours including weak management oversight and transgressions including wilful blindness¹²;

8. implementing a feedback system where the board can systematically assess whether the espoused values are communicated, proactively promoted by management and staff at all levels so that the ‘tone at the middle’ as well as throughout the bank is consistent with the ‘tone at the top’¹³;

9. putting in place a comprehensive set of indicators based on objective criterion to monitor and assess adherence of individuals, teams at all levels to bank’s values, desired conduct¹⁴; and

10. ensuring that assessment of adherence to bank’s values and desired conduct is factored in extant performance appraisal system of each employee throughout the bank¹⁵;

2. To put all the above into practice the board shall have oversight of:

i. a code of conduct or comparable policy, which shall:¹⁶

1. define acceptable and unacceptable behaviour;

2. explicitly disallow illegal activity, such as financial misreporting, misconduct, economic crime including fraud, breach of sanctions, money laundering, anti-competitive practices, bribery and corruption, or violation of consumer rights; and

3. it shall make clear that employees are expected to conduct themselves ethically, perform their job with skill, due care and diligence in addition to complying with laws, regulations as well as internal policies of the bank.

ii. bank’s values which shall recognise critical importance of¹⁷:

1. timely and frank discussion; as well as

2. escalation of problems to higher levels within the organisation.

iii. A whistle-blower policy which shall be well operationalised and widely communicated:

1. so that all stakeholders, including employees, shall be encouraged and are able to communicate bona fide concerns about illegal, unethical or questionable practices;

2. with adequate procedures and processes that allows bona fide concerns to be registered in a confidential manner;

3. with the board taking responsibility for ensuring that those who raise concerns are protected from detrimental treatment or reprisals;

4. with board oversight including approval of how, by whom legitimate material concerns shall be investigated and addressed by an objective independent internal or external body or the board itself¹⁸.

3. Material concerns¹⁹ shall also be communicated to the Department of Supervision, Reserve Bank of India.

4. The ultimate responsibility for ensuring accountability for misconduct lies with the board. Therefore, boards shall also oversee compensation system that promote prudent risk-taking behaviour, business practices and identify tools which mitigate / address misconduct²⁰ (e.g. in year adjustment, malus, claw back arrangement, etc.).

4.2 Responsibilities of the board – recognising and managing conflict of interest

1. Conflicts of interest may arise because of various activities/ roles of a bank, or between the interests of a bank or its customers and those of a bank’s directors or senior managers. Conflicts of interest may also arise when a bank is part of a broader group. For example, where the bank is part of a group, reporting lines and information flows between bank, its parent and/or other group entities can lead to emergence of conflicts of interest²¹.

2. Where these conflicts cannot be prevented, they shall be properly managed based on permissibility of relationships or transactions under sound policies consistent with existing statutes and provisions prescribed here²².

3. Accordingly, the board shall ensure that adequate policies, procedures and measures are implemented to identify actual/potential/perceived conflicts of interest. Thereafter, assess their materiality, decide on mitigating measures and communicate any material actual/potential/perceived conflicts of interest to the board. The scope of policies, procedures and measures shall include various categories of staff, directors, shareholders, service providers, business partners and other stakeholders as well as legal or natural persons closely linked to the various categories mentioned²³.

4. The board shall have a formal written ‘conflicts of interest’ policy and an objective compliance process to ensure implementation of the policy. The policy shall inter alia include²⁴: -

1. a director’s duty to avoid, to the extent possible, activities that create/could create/have potential to create appearance of conflicts of interest;

2. examples where conflicts can arise including when serving as a director;

3. a rigorous review and approval process for directors to follow before they engage in certain activities (such as serving on another board) to ensure that such activity will not create a conflict of interest;

4. a director’s duty to promptly disclose any matter that may result, or has already resulted, in a conflict of interest;

5. a director’s responsibility to abstain from voting or influencing in any manner on any matter where the director may have a conflict of interest or where the director’s objectivity or ability to properly fulfil duties to the bank may be compromised;

6. adequate procedures for transactions with related parties so that if at all it must be undertaken it shall be possible to demonstrate without any reasonable doubt²⁵ that it is made on an arm’s length basis; and

7. the way in which the board will deal with any non-compliance with the policy including non-disclosure or inaccurate disclosure be it deliberate or otherwise²⁶.

5. The board shall ensure that transactions with related parties are reviewed to assess risk. These shall be subject to appropriate restrictions to ensure that resources of the bank are not misappropriated or misapplied²⁷.

6. The board shall also oversee and be satisfied with the process by which appropriate public disclosure is made, and/or information is provided to supervisors, relating to the bank’s policies on actual/potential/perceived conflicts of interest. This shall include information on the bank’s approach to disclosing as well as managing actual/potential/perceived conflicts of interest that are not consistent with such policies, and conflicts that could arise because of the bank’s affiliation or transactions with other entities within the group²⁸.

4.3 Responsibilities of the board - risk appetite, management and assurance

1. As part of overall governance framework, the board is responsible for overseeing a strong risk governance framework. A risk governance framework shall include well defined organisational responsibilities for risk management, typically referred to as ‘three lines of defence’²⁹ viz.,

1. first line of defence - the business line;

2. second line of defence - a risk management function and a compliance function independent from the first line of defence; and

3. third line of defence - an internal audit and vigilance function independent from the first and second lines of defence.

2. Depending on the bank’s nature, size, complexity and risk profile of its activities, specifics of how these three lines of defence are structured can vary. However, regardless of the structure, responsibilities for each line of defence shall be well defined and communicated. This shall include those functionaries who do not have any revenue generating role and are part of the first line of defence³⁰.

3. Business units are the first line of defence. They take risks, are responsible and accountable for ongoing management of such risks. This includes identifying, assessing, reporting such exposures considering the bank’s risk appetite, its policies, procedures and controls. The way business line executes its responsibilities shall reflect the bank’s existing risk culture. The board shall promote a strong culture of adhering to limits and managing risk exposures³¹.

4. In this context, the board shall require that the bank maintains a robust finance function which is responsible for accounting and financial data. The finance function, inter alia, plays a critical role in ensuring that business performance is accurately recognised and reported to the board, management as well as business lines that will use such information as a key input to risk as well as business decisions. Therefore, even though being part of the first line of defence, the finance function shall have sufficient authority, stature, independence, resources and access to the board³².

5. The second line of defence includes an independent and effective risk management function. The risk management function complements the first line of defence through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank’s risk-taking activities, assessing risks and issues independently from the first line of defence. The function shall promote importance of business line managers i.e. those having revenue generating responsibilities, in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function³³. The function shall also have sufficient authority, stature, independence, resources and access to the board³⁴.

6. The second line of defence also includes an independent and effective compliance function. The compliance function shall, inter alia, routinely monitor compliance with all applicable statutes, governance rules, regulations, codes and policies. The board shall approve compliance policies that are communicated to all staff. The compliance function shall assess extent to which policies are observed and inform to the first line of defence as well as the board on how the bank is managing its ‘compliance risk’. The function shall also have sufficient authority, stature, independence, resources and access to the board ³⁵.

7. The third line of defence consists of an independent internal audit function, as well as an independent vigilance function. An internal audit function, among other things provides independent review together with objective assurance on effectiveness of the bank’s first and second lines of defence. Internal auditors must be competent, appropriately trained and not involved in developing, implementing or operating the first or second line of defence functions. As for the vigilance function, its main objective is to assist the board to achieve its goal by ensuring that all transactions are carried out as per systems, procedures while minimising the scope of malpractices/misconduct and misuse of funds³⁶.

8. Within the above scheme of things, an effective risk governance framework must be operated through³⁷:

1. a strong risk culture;

2. a well-developed risk appetite articulated through a RAS; and

3. well-defined responsibilities for internal control functions and assurance functions including risk management.

9. The bank’s risk appetite shall be developed and conveyed to reinforce a strong risk culture. The risk governance framework shall outline actions to be taken when stated risk limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and board of director notification³⁸.

10. The board shall take an active role in defining the risk appetite, ensuring its alignment with the bank’s strategic, capital, financial plans and compensation practices. The bank’s risk appetite shall be defined by considering the competitive along with regulatory landscape as well as the bank’s long-term interests, risk exposure and ability to manage risk effectively ³⁹.

11. The bank’s risk appetite shall be clearly conveyed through a RAS that can be easily understood by all relevant parties viz., the board itself, senior management, employees and the Reserve Bank⁴⁰. The bank’s RAS shall:

1. include both quantitative and qualitative considerations;

2. establish types of risk both at an individual and aggregate level that the bank is willing to assume in advance to achieve its business activities within its risk capacity;

3. define the boundaries and business considerations in accordance with which the bank is expected to operate when pursuing its business strategy; and

4. communicate the board’s risk appetite effectively throughout the bank, linking it to daily operational decision-making, establishing means to raise risk issues and strategic concerns across the bank.

12. The development of an effective RAS shall be driven by both top-down board leadership and bottom-up management involvement. While leadership for setting up the risk governance framework will rest with the risk management function, successful implementation depends upon effective interactions between the board, senior management, operating businesses, finance function and risk management. The board must oversee the bank’s adherence to the RAS, risk policy and risk limits⁴¹.

13. The board shall approve an approach, oversee the implementation of key policies pertaining to the bank’s capital adequacy assessment process including capital raising plans, liquidity plans, compliance policies/obligations, and the internal control system⁴²;

14. The RAF and risk culture must include a framework for identifying misconduct followed by remedial measures. The process for managing misconduct risk through compensation system must include at minimum, ex ante process that embed non-financial assessment criteria such as the quality of risk management, degree of compliance with laws and regulations⁴³.

15. The board shall ensure that the second and third lines of defence are properly positioned, staffed, resourced to carry out their responsibilities independently, objectively as also effectively. In the board’s oversight of the risk governance framework, the board shall regularly review key policies and controls with senior management. The reviews shall include the heads of second and third lines of defence. These reviews shall identify significant risks, determine areas that need improvement and undertake remedial measures where needed ⁴⁴.

16. To achieve desired objective at least one meeting of the board must be exclusively focussed towards fulfilling this responsibility of the board towards ‘risk appetite, management and assurance’, details of which have been articulated above.

4.4 Responsibilities of the board - oversight of senior management⁴⁵

1. When it comes to oversight of management, responsibilities of the board are as follows:

(i) Determine role/responsibilities of the CEO, WTDs and other senior management functionaries⁴⁶;

(ii) Select as well as oversee performance of WTDs, CEO and other senior management functionaries of all the three lines of defence⁴⁷;

(iii) Provide oversight of senior management, hold members of senior management accountable for their actions. Enumerate possible consequences (including dismissal) if those actions are not aligned with the board’s performance expectations. This includes adhering to the bank’s values, risk appetite and risk culture, under all circumstances. In doing so, the board shall⁴⁸ -

1. monitor that senior management’s actions are consistent with the strategy and policies approved by the board, including the risk appetite;

2. meet regularly with senior management;

3. through its independent directors, at least once every year, undertake a formal interaction with the senior management functionaries who are not directors on the board⁴⁹.

4. question and critically review explanations including information provided by senior management;

5. set appropriate performance and remuneration standards for senior management consistent with long-term strategic objectives along with financial soundness of the bank;

6. assess whether senior management’s collective knowledge together with expertise remain appropriate given the nature of business and bank’s risk profile; and

7. ensure that appropriate succession plans are in place for senior management positions, also be actively engaged in succession plans for CEO and other key positions, as appropriate.

4.5 Other responsibilities of the board

1. A board also has ultimate responsibility for the bank’s business strategy, financial soundness, key personnel decisions and internal organisation⁵⁰.

2. The board shall establish and be satisfied with the bank’s organisational structure. This will enable the board to carry out its responsibilities, facilitate effective decision-making and good governance. This includes clearly laying out key responsibilities along with authorities of the board itself, followed by that of senior management including those in the second and third line of defence ⁵¹. In other words, ensure that there is a clear demarcation of duties/responsibilities between the board and management⁵², as also between each of the three lines of defence⁵³;

3. The members of the board shall exercise their ‘duty of care’ and ‘duty of loyalty’ to the bank under applicable regulatory/supervisory standards⁵⁴.

4. Accordingly, the board shall⁵⁵: -

1. actively engage in affairs of the bank including keep up with material changes in the bank’s business and external environment as well as act in a timely manner to protect long-term interests of the bank;

2. oversee development of as well as approve the bank’s business objectives, strategy and monitor their implementation;

3. oversee implementation of the bank’s governance framework as well as periodically review to ensure that the framework remains appropriate considering material changes to the bank’s size, complexity, geographical footprint, business strategy, markets and regulatory requirements;

4. Oversee the process of statutory/regulatory/other requisite disclosures as well as internal and external communications⁵⁶;

5. approve the quarterly, half yearly and annual financial statements;

6. require at least an independent review of the finance function by the internal audit function annually and an external review once in three years⁵⁷;

7. ensure a formal and transparent board nomination/appointment/election process⁵⁸;

8. oversee the bank’s approach to compensation, including monitoring as well as reviewing executive compensation besides assessing whether it is aligned with bank’s risk culture and risk appetite⁵⁹;

9. oversee integrity, independence and effectiveness of the bank’s whistle-blower policies/procedures⁶⁰;

10. periodically review customer service aspects such as mis-selling including third-party products, laying down appropriateness of products to different customer segments, understanding broad trends, concentration in growth of customer grievances and their resolution etc⁶¹; and

11. ensure that an appropriate compliance policy is in place in the bank to manage compliance risk and overseeing its implementation.

12. ensure that compliance issues are resolved effectively and expeditiously by senior management with assistance of compliance staff⁶².

5. The board as well as the senior management shall facilitate the independent directors to perform their role effectively as a member of the board and as a member of a committee of the board⁶³.

6. In discharging its responsibilities, the board shall consider legitimate interests of depositors, shareholders and all other stakeholders. Further, it shall also ensure that it maintains an effective relationship with the regulators and supervisors⁶⁴.

4.6 Duties of a director ⁶⁵

1. To discharge various responsibilities, duties of a director shall inter alia include: -

1. disclose to the board other directorships, memberships of bodies, interest in other entities, activities and keep the board apprised of all changes therein⁶⁶;

2. disclose to the board the nature of interest, direct or indirect, in a contract or arrangement or any proposed contract or arrangement to be entered between the bank and any other person.

3. intimate any interest in advance to the chair of the board/committee of the board;

4. provide the list of relatives as defined in the Companies Act, 2013 and rule 4 of the Companies (specification of definition) rules, 2014⁶⁷;

5. ensure confidentiality of the agenda papers/notes⁶⁸;

6. use such degree of skill as may be reasonable to expect from a person with the same knowledge or experience as well as a board level position;

7. keep informed about the business, activities and financial status of the bank;

8. seek appropriate orientation/induction and regularly update/refresh skills, knowledge as well familiarity with the bank⁶⁹;

9. strive to attend general meetings⁷⁰;

10. pay sufficient attention, ensure that adequate deliberations are held before arriving at a decision including those related to approving related party transactions and assure that the same are in the interest of the bank⁷¹;

11. help in bringing independent judgment to bear on the board’s deliberations, especially on issues of strategy, performance, risk management, resources, key appointments and standards of conduct;

12. ascertain to ensure that the bank has an adequate and functional vigil mechanism⁷²;

13. report concerns about unethical behaviour, actual or suspected fraud, or violation of the bank’s policy⁷³;

14. safeguard the interests of all stakeholders particularly depositors and minority shareholders⁷⁴;

15. attend meetings of the board/committees of the board with fair regularity and conscientiously fulfil obligations as director;

16. not seek to influence any decision of the board for any consideration other than in the interests of the bank;

17. assist the bank in implementing best governance practices⁷⁵;

18. refrain from any action that would lead to loss of independence⁷⁶;

19. be free from any business or other relationship which could materially interfere with the exercise of independent judgment in matters brought before the board or entrusted by the board;

20. express views/opinions at board meetings without any fear or favour and without any influence on exercise of independent judgment;

21. to act in good faith as well as in the interests of the bank and not for any collateral purpose;

22. not to evade responsibility about matters entrusted by the board;

23. not achieve or seek to achieve any undue gain or advantage either to oneself/ one’s relatives, partners or associates⁷⁷;

24. not interfere in the WTDs and other management functionaries performance of duties;

25. not interfere in the day-to-day functioning of the bank⁷⁸;

26. not approach or influence any decision including sanction of any kind of facility from the bank⁷⁹;

27. not participate in board/ committee of the board discussions in which interest could be attributed directly or indirectly⁸⁰;

28. not disclose confidential information, including commercial secrets, technologies, advertising and sales promotion plans, unpublished price sensitive information, unless such disclosure is expressly approved by the board or required by law⁸¹;

29. not assign, transfer, sublet or encumber rights and obligations as director of the bank to any third party;

30. not involve in any matter relating to personnel administration whether it is appointment, transfer, posting or a promotion or redressal of individual grievances of any employee⁸²; and

31. not sponsor any loan proposal, buildings and sites for bank's premises, enlistment or empanelment of contractors, architects, lawyers, or any other third parties⁸³.

5. Board’s structure and practices⁸⁴.

1. To fulfil its responsibilities, the board shall define appropriate governance structures and practices for its own work. It shall put in place the means for such practices to be followed as well as periodically review the same for ongoing effectiveness.

2. The board shall structure itself in terms of leadership, size and the use of committees to effectively carry out its oversight role/other responsibilities. To ensure that the board has the time and means to cover all necessary subjects in sufficient depth with robust discussion of issues, the board shall appoint members to committees with the goal of achieving an appropriate mix of skills and experience. The combination of skills along with experience shall allow the committees to fully understand, objectively evaluate and bring fresh thinking to the relevant issues.

3. Towards setting out its organisation, rights, responsibilities and key activities, the board shall maintain/periodically update bank's memorandum or articles of association, or any resolution passed by the bank in general meeting.

4. To support its own performance, the board shall carry out regular assessments – alone or with the assistance of external experts – of the board, its committees and individual board members. The board shall:

1. periodically review its structure, size, composition as well as committees’ structures and coordination;

2. assess the ongoing suitability of each board member periodically (at least annually), also considering his or her performance on the board to ensure they are ‘fit and proper’.

3. either separately or as part of these assessments, periodically review the effectiveness of its own governance practices/procedures, determine where improvements may be needed, and make any necessary changes; and

4. use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor.

5.1 Committees of the board

1. One such important structure and practice is through the formation of committees of the board. The decision taken by a committee of the board will be considered as a decision of the board unless and until the board or the committee specifically requires the final decision on a matter to be taken by the board⁸⁵. While it is for the board to decide on the number, type, composition and responsibility of the committees, the composition as well as mandate at the minimum of committees which have a supervisory role such Audit Committee, Risk Management Committee as well as the Nomination and Remuneration Committee of the board are detailed as follows⁸⁶.

5.1.1 Audit Committee of the Board (ACB)

1. The board shall constitute the ACB made up of only NEDs. The ACB shall meet with a quorum of three members of which two-thirds will be independent directors. Accordingly, the ACB will be made up of at least three NEDs and two-thirds independent directors⁸⁷.

2. All members shall be financially literate (i.e. will have the ability to understand a balance sheet, an income statement, a cash flow statement as well as the notes attached thereto), have at least one member with accounting or related financial management expertise (i.e., experience of applying accounting standards to arrive at various financial statements and the understanding of internal controls/ procedures of financial reporting or requisite professional certification in accounting, or any other comparable experience or background which results in the individual’s financial sophistication, including having been a CEO, CFO or head of internal audit (HIA)⁸⁸.

3. The meetings of the ACB will be chaired by an independent director⁸⁹ who shall not chair any other committee of the Board⁹⁰. The chair of the bank shall not be a member of the committee⁹¹. The chair of the committee shall be present at Annual General Meeting to answer shareholder queries⁹². The committee shall meet at least six times a year and not more than sixty days shall elapse between two meetings⁹³. The head of the internal audit function shall act as the secretary to the committee and will report to the committee⁹⁴.

4. The committee shall normally meet without the presence of the executives or senior management functionaries except for the secretary. However, at its discretion and as/when needed shall invite any of the WTDs, head of finance function, vigilance function, risk function, compliance or any senior management functionary or any executive or a representative of an auditor/ audit firm including statutory auditor to be present at its meetings in whole or in part⁹⁵.

5. The role of the ACB is to assist the board, inter alia, in the following:

i. oversight of bank’s financial reporting process, timely disclosure of its financial information to ensure that the financial statements are correct, sufficient, credible and seek the highest levels of transparency⁹⁶;

ii. satisfy the adequacy of internal financial controls⁹⁷ as well as provide oversight in financial risks. To do so put in place a framework of internal financial controls/attendant compliance systems to ensure timely and accurate recording of all transactions⁹⁸;

iii. reviewing accounting policies/systems in the bank with a view to ensuring greater transparency in the bank's accounts and adequacy of accounting controls⁹⁹;

iv. reviewing with the management, the annual/half yearly/quarterly financial statements and auditor's report, wherever applicable, thereon before submission to the board for approval, with reference to¹⁰⁰: -

1. changes, if any, in accounting policy and practices which may have significant bearing on financial statements;

2. major accounting entries involving estimates based on the exercise of judgment by management;

3. significant adjustments made in the financial statements arising out of audit findings;

4. matters required to be included in the director’s responsibility statement to be included in the board’s report in terms of Section 134(3)(c) of the Companies Act, 2013;

5. compliance with listing/disclosure and other legal requirements relating to financial statements;

6. disclosure of related party transactions; and

7. modified opinion(s) in the draft audit report.

v. reviewing, with the management, the statement of uses / application of funds raised through an issue (public issue, rights issue, preferential issue, etc.), the statement of funds utilised for purposes other than those stated in the offer document / prospectus / notice together with the report submitted by the monitoring agency monitoring the utilisation of proceeds of a public or rights issue, and making appropriate recommendations to the board to take up steps in this matter¹⁰¹;

vi. approving the appointment of CFO after assessing the qualifications¹⁰², experience and background, etc. of the candidate¹⁰³;

vii. appointment, reappointment, removal, remuneration and terms of appointment of auditors/firms/consultants engaged to provide independent assurance over the correctness as well as adequacy of the financial reporting¹⁰⁴;

viii. reviewing/monitoring auditor’s independence, performance and effectiveness of audit process¹⁰⁵;

ix. discussion with auditors, about the nature and scope of audit as well as post-audit discussion to ascertain any area of concern¹⁰⁶;

x. specifically focus on reconciliation of various accounts with transactions undertaken within the bank as well as interbank, arrears in balancing of books and all other major areas of house-keeping¹⁰⁷;

xi. reviewing/overseeing the operation of the internal inspection/audit function in the bank - the system, its quality and effectiveness in terms of follow-up¹⁰⁸;

xii. reviewing adequacy of the internal audit function, including the structure of the internal audit function, staffing, seniority of the official heading the function, reporting structure, coverage and frequency of internal audit¹⁰⁹;

xiii. conduct periodical reviews, of the internal audit undertaken by it vis-à-vis the approved audit plan. The performance review shall also include an evaluation of the effectiveness of internal audit in mitigating identified risks¹¹⁰;

xiv. to ensure that internal audit reports are made available to the ACB without management filtering¹¹¹;

xv. investigate any matter under its mandate as also any matter referred to it by the board¹¹²;

xvi. reviewing the findings of any internal investigations by the internal auditors or/and the vigilance functionaries into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board¹¹³;

xvii. reviewing information on violations by various functionaries in exercise of discretionary powers¹¹⁴;

xviii. put in place as well as implement a policy for fixing accountability for breach of internal controls, unsatisfactory compliance, delay in compliance, non-rectification of deficiencies, omissions, gross negligence on the part of even internal audit and external audit officials/firms/agencies to detect serious irregularities (which come to light later)¹¹⁵;

xix. if any serious acts of omission or commission are noticed in the working of the appointed external firms, their appointments may be cancelled after giving them reasonable opportunity to be heard and the fact shall be reported to Department of Supervision, RBI as well as The Institute of Chartered Accountants of India (ICAI)¹¹⁶.

xx. reviewing penalties imposed / penal action taken against bank under various statutes and action taken for corrective measures¹¹⁷;

xxi. reviewing report on revenue leakage detected by Internal / External Auditors, status of recovery thereof - reasons for undercharges and steps taken to mitigate revenue leakage¹¹⁸;

xxii. approving or any subsequent modification of transactions of the bank with related parties¹¹⁹;

xxiii. put in place an effective fraud risk assessment as well as management system which inter alia involves monitoring/reviewing all the frauds of Rs. One Crore and above to¹²⁰;

1. identify the systemic lacunae if any that facilitated perpetration of the fraud and put in place measures to plug the same;

2. identify the reasons for delay in detection, if any, reporting to top management of the bank and RBI;

3. monitor progress of recovery position and investigations,

4. ensure that staff accountability is examined at all levels in all the cases of frauds and staff side action, if required, is completed quickly without loss of time.

5. Review the efficacy of the remedial action taken to mitigate recurrence of frauds, such as strengthening of internal controls.

xxiv. every year review and approve the policy/plan/ scope of various forms of audit inter alia including Statutory Audit, Concurrent Audit, Information System Audit, EDP Audit, Migration Audit etc., as well as the performance of the auditors besides take necessary measures to suitably strengthen the system^{121 122}.

xxv. ensure that all transactions undertaken by the bank together with the information flow there to are covered by an external audit and that all transactions are indeed reflected in the books of accounts of the bank¹²³.

xxvi. important features brought out during audits both internal as well as external shall be placed before the ACB in all its meetings¹²⁴.

xxvii. approve policies, processes as well as supervise implementation to recognise and approve related party transactions to ensure that the transactions meet the ‘arm’s length’ test^{125 126}.

xxviii. approve policies in relation to the implementation of the Insider Trading Code and to supervise implementation of the same¹²⁷.

xxix. ensure implementation of a credible whistle blower mechanism that allows employees, directors or any other person to report concerns about unethical behavior, violation of code of conduct, actual or suspected fraud. This mechanism (a) shall also include acceptance of anonymous complaints that appear prima facie bona-fide and (b)shall deny protection to whistleblowers if the disclosures are made directly to the media. This mechanism to be reviewed at least annually¹²⁸.

xxx. ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws, regulations, other problems identified by auditors and other control functions¹²⁹.

xxxi. reviewing at least once in three years, through third-party opinions on the design and effectiveness of the overall financial risk governance framework as well as internal control system¹³⁰.

xxxii. formulate/maintain a quality assurance and improvement programme. It should cover all aspects of the internal audit function including both internal and external assessment of the internal audit function for adherence to the internal audit policy, objectives together with expected outcomes. The internal assessments may be undertaken every year and external assessments at least once in three years¹³¹.

6. To perform its role, ACB shall have power to obtain professional advice from external sources, have full access to information contained in the records of the bank, seek information from any employee, obtain outside legal or other professional advice and secure attendance of outsiders with relevant expertise, if it considers necessary¹³².

5.1.2 Risk Management Committee of the Board (RMCB)

1. The board shall constitute a RMCB made up of only NEDs. The RMCB shall meet with a quorum of three members and two-thirds will be independent directors. Accordingly, the RMCB will be made up of at least three NEDs. Two-thirds will be independent directors of which one member shall have risk management expertise (i.e., direct/supervisory/regulatory oversight of the risk management function in the banking, financial services and insurance industry)^{133 134}.

2. Meetings of RMCB will be chaired by an independent director who shall not be a chair of any other committee of the Board. Chairperson of the bank shall not be a member of the committee. The committee shall meet at least six times a year and not more than sixty days shall elapse between two meetings¹³⁵. CRO shall function as the secretary of RMCB and will report into the committee¹³⁶. Head of Compliance shall also report to the RMCB¹³⁷.

3. The role of the RMCB is to assist the board, inter alia, in the following:

i. ensure accurate internal as well as external data to be able to identify, assess, mitigate risk, make strategic business decisions, determine capital and liquidity adequacy

ii. set the ‘Risk Appetite’ of the bank based on its ‘Risk Capacity’. This is to be done by way of formulation of the RAF and RAS of the bank¹³⁸;

iii. based on the “Risk Appetite” agreed upon, allocate business unit wide and risk taker wise risk limits¹³⁹.

iv. hold the first line of defence accountable for breaches in the risk limits¹⁴⁰;

v. ensure a system where:

1. risk management functionaries should not be charged with overseeing activities for which they previously held any revenue generating responsibility or participated in business decision-making or approval process¹⁴¹.

2. to have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank’s activities explicitly mandate the role of risk functionaries including the CRO to that limited to an ‘Advisor’ to the sanctioning authority i.e., the authority who has been delegated the powers to assume risk¹⁴².

3. if there is a difference of opinion between the ‘advisor’ and the sanctioning authority, the decision making will be escalated to the sanctioning authority at the next higher level¹⁴³.

vi. decide the composition as well as the mandate of various senior management level sub committees for specific risks including Asset Liability Management Committee¹⁴⁴.

vii. ensure that risk management function reports material exemptions, monitor positions to ensure that risk assumed remain within the framework of limits and controls or within exception approval¹⁴⁵.

viii. put in place governance structures that helps avoidance of potential possibility of compromise by officers/executives of unequal stature in a committee system of assuming risk leading to the senior most officer deciding the issue and the rest merely falling in line¹⁴⁶.

ix. ensure clear segregation between risk origination (front office), risk underwriting (mid-office) and risk documentation/operations functions (back office). These functions shall have separate reporting lines and are geographically separated – thus reducing the ability to influence the other¹⁴⁷.

x. if need be, allocate to a committee of the board which will undertake management function, the sanctioning powers to assume risk.¹⁴⁸

xi. reassure that there is no excessive, unquestioned dependence on the opinions of third parties including but not limited to advocates, valuers, auditors, etc., by ensuring that the opinions are verified properly and cautiously by, inter alia, cross checking the opinion by mandating that more than one opinion is sought. Further, put in place a process of black listing of third parties with suspected credentials including alerting other entities in the financial intermediation space¹⁴⁹.

xii. put in place and review a technology enabled system to track adherence to covenants. It shall be possible to do so before as well as after assuming exposure to ensure necessary compliance and to ensure that waivers granted are as per laid down guidelines¹⁵⁰.

xiii. evaluate internal controls and risk management systems¹⁵¹;

xiv. regularly evaluate the risk faced by the bank through the overall risk profile¹⁵².

xv. reassure that internal controls¹⁵³:

1. are indeed designed, among other things to ensure that each key risk has a policy, process or other measure, as well as ensure that such policy, process or other measure is being applied and works as intended;

2. helps the bank follows its various policies, applicable laws and regulations;

3. is helping ensure process integrity, compliance and effectiveness;

4. in financial as well as management information is reliable, timely and complete;

5. place reasonable checks on managerial and employee discretion; and

6. include adequate escalation procedures

xvi. introduce oversight of a risk culture dash board with reports to track progress across key culture attributes, indicators to track the frequency along with the treatment of both self-reported control and risk problems as well as whistle-blowing incidents¹⁵⁴.

xvii. ensure that adequate risk management processes are in place to assess risk and performance relative to initial projections. To adapt the risk management treatment as the business matures and before, a new product, service, business line or third- party relationship or major transaction is undertaken¹⁵⁵.

xviii. ensure that reputation risks including conduct risks are captured across various businesses of the bank through quality data and systems¹⁵⁶.

xix. put in place risk reporting systems which are dynamic, comprehensive, accurate and draws on a range of underlying assumptions.

xx. ensure that risk monitoring and reporting shall not only occur at the disaggregated level (including material risk residing in subsidiaries or other group entities on which there is exposure) but shall also be aggregated to allow for an integrated perspective of risk exposures to convey bank-wide risk, individual portfolio risks besides other risks in a concise as well as meaningful manner¹⁵⁷.

xxi. ensure that reports accurately identify external environment, market conditions, trends that may have an impact on the bank’s current or future risk profile, communicate risk exposures and results of stress tests or scenario analyses¹⁵⁸.

xxii. provoke a robust discussion of, for example, the bank’s current exposures, prospective exposures (particularly under stressed scenarios), risk/return relationships, risk appetite and limits¹⁵⁹.

xxiii. risk reporting systems shall be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions¹⁶⁰.

xxiv. challenge the assumptions used in and potential shortcomings of risk models as well as various analyses¹⁶¹.

xxv. ensure a sufficiently robust data infrastructure, data architecture, information technology infrastructure – that is in sync with developments such as balance sheet and revenue growth; increasing complexity of the business, risk configuration or operating structure; geographical expansion; mergers and acquisitions; or the introduction of new products or business lines¹⁶².

xxvi. ensure that the ultimate responsibility for the assessment of risks is with the bank even while tools such as external credit ratings or externally purchased risk models and data are used as inputs into a more comprehensive assessment¹⁶³.

xxvii. promote a strong risk culture by¹⁶⁴:

1. ongoing communication about risk issues, including the bank’s risk strategy, throughout the bank;

2. promoting risk awareness including encouraging open challenge/communication about risk-taking across the organisation as well as vertically to and from the board;

3. ensuring that the first line of defence actively communicates/consults with the second line of defence on management’s major plans and activities so that the functions can effectively discharge their responsibilities;

4. ensuring that the board is sufficiently informed while at the same time ensuring that the management and those responsible for the risk management function avoid voluminous information that can make it difficult to identify key issues;

5. guiding the risk management function in presenting information in a concise, understandable and fully contextualised/prioritised manner;

6. assisting the board in assessing the process for maintaining the accuracy, relevance and timeliness of the information it receives along with determining if additional or less information is needed;

7. ensuring avoidance of organisational “silos” that can impede effective sharing of information across an organisation and can result in decisions being taken in isolation from the rest of the bank; and

8. ensuring that material risk-related ad hoc information that requires immediate decisions/ reactions/ suitable measures and activities at an early stage is promptly presented to the concerned senior management functionaries in the first line of defence including the heads of internal control functions.

xxviii. establish effective communication/coordination with the audit committee to facilitate the exchange of information, effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank¹⁶⁵.

xxix. formulate the compliance policy of the bank, containing the basic principles, the main processes by which compliance risks are to be identified and managed through all levels of the organisation¹⁶⁶.

xxx. undertake quarterly reviews, to make an informed judgment on whether the bank is managing its compliance risk effectively. In doing so review the scope of compliance procedures and processes, mechanism for measurement/ assessment of compliance risk of the bank, reporting requirements, compliance risk, change in the compliance risk profile¹⁶⁷.

5.1.3 Nomination and Remuneration Committee (NRC)

1. The board shall constitute the NRC made up of only NEDs. The NRC shall meet with a quorum of three members of which not less than one- half will be independent directors of which one will be a member of the RMCB. Accordingly, the NRC will be made up of at least three NEDs of which at least half will be independent directors. The meetings of the NRC will be chaired by an independent director. The Chairperson of the bank shall not chair the Committee¹⁶⁸. The committee shall meet at least six times a year and at least once every sixty days¹⁶⁹. The head of the human resource function will report into the committee and shall act as the Secretary to the Committee¹⁷⁰.

2. The role of the NRC is to assist the board, inter alia, in the following:

i. in ensuring that the structure, size, competencies, skills at the board and its committees support the strategic objectives as well as statutory/ regulatory requirements¹⁷¹;

ii. to put in place an induction/ orientation process for newly appointed non-executive directors¹⁷²;

iii. The induction process shall include reviewing whether board candidates: (i) possess the knowledge, skills, experience and, particularly in the case of non-executive directors, independence of mind given their responsibilities on the board and in the light of the bank’s business as well as risk profile;(ii) have a record of integrity and good repute; (iii) have sufficient time to fully carry out their responsibilities; and (iv) have the ability to promote a smooth interaction between board members¹⁷³

iv. to help directors understand their duties as well as to discharge their duties to the best of their abilities, once every year, based on a gap assessment, undertake a formal programme for the board of directors. The programme shall also inter alia include content on changes in applicable laws, regulations, compliance requirements, macroeconomic policy, financial markets, risk management, emerging developments / challenges facing the financial services sector, latest managerial techniques and technological developments¹⁷⁴;

v. through a diversity policy inter alia ensure that committees of the board¹⁷⁵:

1. are not dominated by any one individual or group of individuals;

2. are manned by those with desirable competencies required as per the role of the committee; and

3. meet the statutory requirements.

vi. for determining qualifications, positive attributes and independence of a director¹⁷⁶;

vii. Specifically reviewing whether board candidates¹⁷⁷ have any conflict of interests that may impede their ability to perform their duties independently and objectively, are subject to undue influence from other persons (such as management or other shareholders), past or present positions held as well as personal, professional or other economic relationships with other members of the board or management (or with other entities within the group);

viii. notifying after the review inter alia the Department of Supervision, Reserve Bank of India, when a board member ceases to be qualified or is failing to fulfil his or her responsibilities¹⁷⁸

ix. formulate/adopt a comprehensive compensation policy for the board of directors¹⁷⁹ and the management functionaries.

x. formulation of criteria and policy:¹⁸⁰

1. to determine ‘fit and proper’ of each category of directors¹⁸¹;

2. on remuneration of directors, senior managerial personnel besides other employees to ensure that the level as well as composition of remuneration is sufficient to attract, retain and motivate personages of the quality required to run the bank prudently;

3. for evaluation of performance effectiveness of the board, board committees, chairman of the board, chairman of the committees, board members, WTDs, NEDs, independent directors, senior management and other employees;

4. establishing clear relationship of remuneration to performance through appropriate performance benchmarks; and

5. Succession planning of senior management functionaries and board of directors.

xi. identifying the minimum and desirable qualification¹⁸² as well as persons who are qualified to take on board level or senior management level roles in accordance with the criteria laid down, and recommend to the board of directors their appointment along with the terms of appointment¹⁸³;

xii. based on the annual performance evaluation decide to extend/not to extend/terminate the term of appointment of¹⁸⁴:

1. an independent director,

2. non-independent NEDs,

3. WTDs, and

4. senior management functionaries

xiii. put in place a policy on learning and development for the directors as well as senior management¹⁸⁵;

xiv. as per the laid down policy, conduct annual evaluation of performance of the board, board committees, chair of the board, chair of the committees, board members, WTDs, NEDs, senior management functionaries and other employees¹⁸⁶.

xv. facilitate the performance evaluation of independent directors which shall be done by the entire board of directors, excluding the director being evaluated¹⁸⁷;

xvi. carry out due diligence to determine if such person is considered ‘fit and proper’ as per its own laid down criteria for being appointed as director of the bank;¹⁸⁸

xvii. Based on the outcome of periodical assessment of functioning of board members, and various committees, take appropriate corrective measures e.g. through training, skill development interventions, change in assignment, removal from committee/board¹⁸⁹;

xviii. devote sufficient time, budget, other resources for this purpose, and draw on external expertise as needed¹⁹⁰.

xix. review all the above at least on an annual basis against the charter/ mandate given by board and submit an annual report to the board¹⁹¹

xx. Further, as a quality assurance, effectiveness measurement and enhancement initiative, external assessments shall be undertaken at least once in three years¹⁹².

5.1.4 Stakeholders Relationship Committee (SRC)¹⁹³

1. In addition to its extant mandate, the SRC shall also have oversight on matters of depositor interest, customer service, suitability and appropriateness as well as various grievance redressal mechanism thereto.

5.1.5 Committees of the board performing management function¹⁹⁴

1. Should the board constitute/have constituted committee(s) such as Management Committee and/or Executive Committee and/or Credit Committee and/or Investment Committee or any other committee by whatever name called which has a mandate to assume risks, then it shall consist of directors who are not part of either ACB, RMCB or NRC. These committees which has a mandate to assume risks will exercise powers delegated by the board as recommended by the RMCB. The non – executive Chairperson of the board shall not be part of the Committee. Should such committee(s) include more than one WTD, then no WTD shall have a role in the performance appraisal of the other WTD.

5.2 Composition of the Board

1. Board of directors of a bank shall comprise not less than six directors and not more than 15 directors with majority being independent directors¹⁹⁵. The board shall meet at least six times a year and at least once every sixty days¹⁹⁶. All meetings of the board should have a majority of independent directors¹⁹⁷ and shall meet with a quorum of five members¹⁹⁸. The board shall not have more than three directors who are directors of companies which among themselves are entitled to exercise more than 20% of the total voting rights of all the shareholders of the bank¹⁹⁹;

2. It must be ensured that the minutes of the meeting of the board as well as its committees are so recorded that it shall be possible to appreciate the quality of deliberations including individual directors view on the matter, independence of directors, critical decisions made, dissenting views expressed and discussed within the decision-making process²⁰⁰. In this regard, the Department of Supervision, RBI will specifically require to be satisfied that the independence of the director is not just in form but also in substance²⁰¹.

3. Within six months of issuance of the guideline/directions on the matter by the Reserve Bank (basis this discussion paper), the composition of board and its committees shall be complied with.

5.3 Role of the Chair

1. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair shall possess the requisite experience, competencies and personal qualities to fulfil these responsibilities. The chair shall ensure that board decisions are taken on a sound and well-informed basis. The chair shall promote critical discussion, ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair shall dedicate sufficient time to the exercise of his or her responsibilities²⁰².

2. The bank shall ensure that the chair of its board shall be an independent director²⁰³. The Chairman of the Board shall also be present at Annual General Meeting. The appointment of the Chair of a banking company shall be with the previous approval of the Reserve Bank and be subject to such conditions as the Reserve Bank may specify while giving such approval.

6. Qualification and selection of board members

1. Board members shall remain qualified, individually and collectively, for their positions. They shall understand their oversight and governance role. They shall be able to exercise sound and objective judgment about the affairs of the bank²⁰⁴.

6.1 Board members’ qualifications

1. The board shall comprise of individuals with a balance of skills, diversity and expertise. The board shall collectively possess the necessary qualifications commensurate with size, complexity and risk profile of the bank²⁰⁵. Some of the other considerations of a statutory and regulatory nature to be mindful of are as follows.

2. At least half the number of members of the board of a banking company shall consist of persons^{206 207}, who: -

(i) have special knowledge or practical experience in respect of one or more of the following matters namely accountancy, agriculture and rural economy, banking, co-operation, economics, finance, law, small scale industry, information technology, payment and settlement systems, human resources, risk management, business management, any other matter in the opinion of the Reserve Bank, be useful to the banking company:

of which, at least one director shall represent agriculture and/or rural economy, and another shall represent cooperation and/or small-scale industry (this proviso shall not apply to a banking company which has been granted license for carrying on payments bank business), and

(ii) shall not

1. have ‘substantial interest’ in, or relate to, whether as employee, manager or managing agent - i) any company, not being a company registered under section 8 of the Companies Act, 2013 or ii) any firm which carries on trade, commerce or industry and which in either case is not a small scale industrial concern, or

2. be proprietors of any trading, commercial or industrial concern, not being a small-scale industrial concern.

3. After ruling out any conflicts of interest due to two entities operating in the same competitive space, and ensuring adherence to other statutory requirements, a director on the board of an entity other than a bank may be considered for appointment as director on the board of a bank, subject to the following conditions^{208 209}: -

1. not the owner of an NBFC or NBFI²¹⁰, [i.e. shareholding (single or jointly with relatives, associates etc.) shall not exceed 50%],

2. neither the promoter nor related to the promoter of an NBFC or NBFI,

3. not an investor with managerial control²¹¹ in an NBFC or NBFI

4. not a full-time employee in an NBFC or NBFI.

5. the NBFC or NBFI does not enjoy a financial accommodation from the bank.

4. In addition to the disqualifications prescribed in Banking Regulation Act, 1949 and Companies Act, 2013 or other applicable statutes for being appointed as director, the additional standards²¹², at a minimum are as follows: -

1. shall not be a member of the board of any bank or the Reserve Bank or an entity holding any other bank either directly or through an intermediate entity;

2. shall not be holding the position of a Member of Parliament or State Legislature or Municipal Corporation or Municipality or other local bodies²¹³;

3. shall neither have any professional relationship/business connection (such as audit/legal/advisory services/advisor/consultant etc) with the bank or any entity holding any other bank, nor shall be engaged in activities which might result in a conflict of interests with the bank. A candidate being considered for a board position can submit a declaration that such relationships shall be severed before appointment as a director of the bank;

4. shall not be under adverse notice of any regulatory or supervisory authority/agency, or law enforcement agency or a professional body.

5. The total continuous tenure of an NED on the board, including the tenure as a Chair shall not exceed eight years. Thereafter, if considered necessary and desirable by the board, the person could be considered for re-appointment in the same bank after a minimum gap of three years. All NEDs including the Chairman can be on the board of a bank till attaining 70 years of age^{214 215}.

6.2 Board members’ selection

1. From the personage who is being considered for appointment/re-appointment as director, the bank shall obtain necessary information, a ‘Declaration and Undertaking, containing at least the contents in the format listed by RBI²¹⁶.

2. Thereafter, the NRC, basis the information provided in the signed declaration, shall carry out due diligence/ scrutiny to determine if such person is considered ‘fit and proper’ as per its own laid down criteria for being appointed as director of the bank²¹⁷. These criteria shall include suitability for the post by way of qualifications, technical expertise, track record, integrity, and other ‘fit and proper’ criteria.

3. For assessing integrity and suitability features like criminal records, financial position, civil actions initiated to pursue personal debts, refusal of admission to or expulsion from professional bodies, sanctions applied by regulators or similar bodies, previous questionable business practices etc should be considered. The Board of Directors may, therefore, evolve appropriate systems for ensuring ‘fit and proper’ norms for directors, which shall include calling for information by way of self-declaration, verification reports from market, etc. As part of the due diligence/scrutiny references shall be made, where considered necessary to the appropriate authority / persons to establish compliance or otherwise with the ‘fit and proper’ criteria²¹⁸.

4. In case where a member of the NRC has either proposed or seconded the name of a person for appointment as a director on the bank’s board, such member of the NRC shall not be part of the exercise of conduct of due diligence in respect of the person proposed to be appointed as a director. In all such cases, the bank shall nominate another director, as a temporary member of the NRC, to conduct the exercise of due diligence, to avoid conflict of interest and ensure adherence to good governance principles²¹⁹.

5. The board through the NRC must draw assurance beyond doubt that actual/ potential / perceived conflict has been disclosed as well as recognised, following which adequate measures have been taken to mitigate the perception of possibility of a director influencing a decision²²⁰.

6. The NRC’s discussions shall be properly recorded as formal minutes of the meeting and the voting, if done, shall also be noted.²²¹

7. Before a person assumes the role of a director, a ‘Deed of Covenant’ must be signed between the director and the CEO or any other person authorised by the board. The covenant, a document approved by the board, shall inter alia incorporate the contents of the guideline/directions to be issued on the matter by the Reserve Bank (basis this discussion paper) setting clearly the obligations/responsibilities of the director as well as the obligations/responsibilities of the bank and its management²²².

8. Every year as on 31st March, a declaration to the effect that the information already provided by a director has not undergone any change shall be taken on record. Where the director informs that there is change in the information provided earlier, the bank shall obtain from such director a fresh ‘Declaration and Undertaking’ incorporating the changes. Thereafter, NRC shall re-examine his/her being ‘fit and proper’ to continue as director. The due diligence in respect of the members of the NRC shall be carried out by the board itself and the members of the NRC (being interested parties) shall not be involved in the process²²³.

9. The bank shall ensure compliance to Section 20 of the B R Act as well as the restrictions on grants of loans and advances to directors which shall be governed by the Circular DBR.No.Dir.BC.10/13.03.00/2015-16 dated July 1, 2015 as updated from time to time.

10. In addition, the bank shall put in place a system of safeguards, including proper disclosure of the director’s or director’s firm’s clients, and not participating in bank’s decisions involving director’ or directors firm’s clients. The director shall be required to compulsorily dissociate from the entire process and this shall be part of the covenant to be signed between with the director by the bank²²⁴.

11. A director must make a full and proper disclosure of his interests including directorships in business entities, with the director personally distancing from including not participating in decisions involving entities in which one is interested²²⁵.

12. It shall be ensured not to award any professional work to a person who was a director of the bank, for a period of two years after demitting office as such director²²⁶.

13. While scrutinising the application of candidates being considered for appointment/re-appointment as directors, the NRC of a banking company shall at the minimum adopt the criteria prescribed by RBI in August 2019 for elected directors of PSBs and suitably modified for a banking company. However, existing directors may be allowed to complete their current terms as per the pre-revised criteria²²⁷.

14. The matters regarding composition of the board of the banking company²²⁸ including changes as and when they happen, shall continue to be referred by the bank to the Department of Supervision, Reserve Bank of India.

7. Senior Management

7.1 Role and expectations

1. The senior management functionaries are responsible/ accountable to the board for sound and prudent management of day-to-day operations of the bank. These functionaries shall necessarily be clearly identified as belonging to one of the three lines of defence. To avoid conflict of interest within first line of defence, a functionary in non-revenue generating function shall not be sub-ordinate to a functionary who has revenue generating responsibilities. However, the head of a non-revenue generating function within first line of defence can report into the CEO of the bank²²⁹.

2. To ensure independence of non-revenue generating function following conditions shall be met²³⁰:

1. their staff does not perform any operational tasks that fall within the scope of activities the non-revenue generating functions are intended to monitor and control;

2. they are geographically separate from activities they are assigned to monitor and control.

3. Senior management shall provide adequate oversight of those they manage besides ensuring that their activities are consistent with the business strategy, risk appetite and policies approved by the board²³¹.

4. Senior management must contribute substantially to a bank’s sound governance through personal conduct i.e. by helping establish the “tone at the top” along with the board²³².

5. Senior management is also responsible for delegating duties to staff and shall establish a management structure that promotes accountability as also transparency throughout the bank. This includes ensuring that appropriate remedial or disciplinary action is taken if breaches are identified²³³.

6. Consistent with the directions given by the board /committees of the board, the senior management is responsible for implementation of business strategies, risk management systems, risk culture, processes, controls for managing risks – both financial and non-financial – to which the bank is exposed to as also concerning which it is responsible for complying with laws, regulations as well as internal policies. This includes an effective overall system of internal controls as well as comprehensive and independent risk management, compliance, audit and vigilance functions²³⁴.

7. Senior management functionaries who are part of first line of defence shall respect the independent duties of the risk management, compliance, internal audit, vigilance functions and shall not interfere in their exercise of such duties²³⁵.

8. A senior management functionary shall provide the board with information it needs to carry out its responsibilities, including to supervise senior management and to assess the quality of performance of a senior management functionary. In this regard, the concerned senior management functionary shall keep the board regularly and adequately informed of material matters, including²³⁶:

1. changes in business strategy, risk strategy/risk appetite;

2. the bank’s performance and financial condition;

3. breaches of risk limits or compliance rules;

4. internal control failures;

5. legal or regulatory concerns; and

6. issues raised because of the bank’s whistleblowing procedure.

9. Senior management shall be adherent to the board approved code of conduct, meet the expectations of operational transparency to stakeholders while at the same time maintaining confidentiality of information to foster a culture of good decision-making²³⁷.

10. Senior management shall make disclosures to the board of directors relating to all, financial and commercial transactions where they have personal interest that may have an actual/potential/perceived conflict of interest with the bank²³⁸.

11. Restrictions on grants of loans and advances to senior management shall be governed by the Circular DBR. No. Dir.BC.10/13.03.00/2015-16 dated July 1, 2015 as updated from time to time.

12. The CEO and/ or senior management functionaries of the bank shall inter alia²³⁹: -

i. apprise a NED about: -

1. board procedures including identification of legal and other duties of director and required compliances with statutory obligations;

2. control systems and procedures;

3. voting rights at board meetings including matters in which director shall not participate because of one’s interest, direct or indirect therein;

4. qualification requirements as well as provide copies of Memorandum and Articles of Association

5. all policies and procedures;

6. insider dealing restrictions;

7. delegation of authority or constitution of/terms of reference of various committees of the board;

8. appointments of senior executives and their authority;

9. remuneration policy;

10. deliberations of committees of the board; and

11. communicate any changes in delegation of authority, senior management, policies, procedures, control systems, applicable regulations including but not limited to Memorandum and Articles of Association of the bank.

ii. provide to the board including the director all information which is reasonably required for them to carry out their functions/ duties as a director of the bank and to take informed decisions in respect of matters brought before the board for its consideration or entrusted to the director by the board or any committee thereof;

iii. make the following disclosures on –

1. all relevant information for taking informed decisions in respect of matters brought before the board

2. strategic business plans/forecasts as well as implementation of strategic initiatives and plans;

3. organisational structure of the bank and delegation of authority;

4. management controls and systems including procedures;

5. economic features and marketing environment;

6. information and updates as appropriate on bank’s products;

7. information and updates on major expenditure;

8. periodic reviews of performance of the bank; and

iv. provide to director’s periodic reports on the functioning of internal control system including effectiveness thereof;

v. communicate outcome of board deliberations to directors/ concerned personnel; and

vi. prepare and circulate to directors in a timely manner the individual agendas as well as minutes of the meetings of the board/committees of the board.

7.2 Selection/appointment

1. Senior management functionaries shall be selected based on standards of knowledge and/or experience as well as a search and selection criteria established for the position by the NRC with approval of the board. The selection can be through an appropriate internal promotion and / or lateral hiring process to identify an internal or external candidate suitable for the position. The process for identification of each senior management functionary is to be vested with the NRC of the board with the approval of the board. The identification shall also include assessment of ‘fit and proper’ requirement as carried out for directors of the board.

2. The bank shall have an internal policy regarding succession planning in senior management. Senior management functionaries shall have the necessary experience, competencies and integrity to manage the businesses including people under their supervision²⁴⁰. They shall receive access to regular training to enhance their competencies and stay up to date on developments relevant to their areas of responsibility²⁴¹.

3. The organisation, procedures, decision-making of senior management shall be clear, transparent and designed to promote effective management of the bank. This includes clarity on role, authority and responsibility of various positions within senior management, including WTDs and CEO²⁴². Entities incorporated in India shall have a CEO who can also be the MD of the bank²⁴³.

4. Appointment/re-appointment/termination of appointment of WTDs and CEO of a banking company shall be with the previous approval of the Reserve Bank²⁴⁴. The application for re-appointment must be made to RBI at least six months²⁴⁵ prior to completion of tenure of current incumbent and at least four months prior in case of appointment. The application of appointment shall have names of two personages in the order of preference. Before submitting the applications, banks shall complete its own assessment including the ‘fit and proper’ requirement as carried out for directors of the board²⁴⁶.

5. The upper age limit for CEO/WTDs of banks is 70 years. Beyond this nobody can continue in the post. Within the overall limit of 70 years, individual bank’s board can prescribe, as an internal policy, a lower age limit for CEO/WTDs²⁴⁷.

6. To build a robust culture of sound governance practice, professional management of banks and to adopt the principle of separating ownership from management, it is desirable to limit the tenure of the WTDs or CEOs. Therefore, it is felt that 10 years is an adequate time limit for a promoter / major shareholder of a bank as WTD or CEO of the bank to stabilise it’s operations and to transition the managerial leadership to a professional management. This will not only help in achieving the separation of ownership from management but also reinforce a culture of professional management. Further, in the overall interest of good governance, a management functionary who is not a promoter / major shareholder can be a WTD or CEO of a bank for 15 consecutive years. Thereafter, the individual shall be eligible for re-appointment as WTD or CEO only after the expiration of three years. During this three-year period the individual shall not be appointed or associated with the bank in any capacity, either directly or indirectly, advisory or otherwise. On the date of issuance of the guideline/directions on the matter by the Reserve Bank (basis this discussion paper), banks with WTDs or CEO who have completed 10 or 15 years shall have two years or upto the expiry of the current tenure, whichever is later, to identify and appoint a successor.

7. The CEO shall be a person who has special knowledge and practical experience of the working of a bank or a financial institution, or financial, economic or business administration. However, a person shall be disqualified for being a CEO²⁴⁸, if he/she

1. is also, a director of any company other than a subsidiary of the bank, or a company registered under section 8 of the Companies Act, 2013, or

2. is also, a partner of any firm which carries on any trade, business or industry, or

3. has substantial interest in any other company or firm, or

4. is a director, manager, managing agent, partner or proprietor of any trading, commercial or industrial concern, or

5. is engaged in any other business or vocation.

8. Risk management

1. An independent risk management function is one of the key elements in the governance structure and is part of the second line of defence. This function is responsible for ensuring that the bank operates within its risk -appetite²⁴⁹.

2. Should a bank be part of a group, then the board of the bank, through its RMCB, is responsible for establishing a group wide enterprise risk management system.

3. The risk management function and its functionaries shall:

1. be accountable and report only to the RMCB²⁵⁰;

2. not be involved in revenue generation/assuming risks/internal controls and have no responsibilities related to first line of defence or the compliance function or the third line of defence²⁵¹;

3. clearly articulate the risk capacity of the bank²⁵²;

4. implement an enterprise-wide risk governance framework which shall include policies, supported by appropriate control procedures/processes, designed to ensure that a bank’s risk identification, aggregation, monitoring, mitigation capabilities are commensurate with the bank’s size, complexity and risk profile²⁵³;

5. based on the risk capacity, arrive at the risk appetite for the bank after engaging with functionaries in the first line of defence²⁵⁴;

6. further dis-aggregate/ allocate the risk – appetite down to ‘business unit level’ and ‘risk taker’ level limits²⁵⁵;

7. put in place policies and processes to identify individual, aggregate, emerging risks as well as for assessing these risks including measuring the bank’s exposure to them²⁵⁶;

8. the policies shall be consistent with broader business strategies, capital strength, management expertise and overall willingness to assume risk i.e. within parameters set by the RAF²⁵⁷;

9. put in place an effective organisational structure of the risk management function that provides for staffing by adequate and qualified/experienced employees, with knowledge of risk disciplines/ access to knowledge, market scenarios, products along with sufficient authority to carry out the assignments effectively and objectively²⁵⁸;

10. have unfettered access to all business lines that have potential to generate risk to the bank as well as to relevant risk-bearing subsidiaries and affiliates²⁵⁹;

11. have full unconditional access to banks records, physical properties, management information systems and minutes of all consultative/decision-making bodies²⁶⁰;

12. provide an independent assurance to the board, through the RMCB, without any management filtering, on the quality/effectiveness of a bank’s internal controls and other risk mitigants put in place by the first line of defence to manage various risks²⁶¹;

13. on an ongoing basis, monitor risk-taking activities, risk exposures in line with the risk limits, risk appetite and corresponding capital or liquidity needs²⁶²;

14. establish an early warning or trigger system for breaches of the bank’s risk appetite as well as ‘business unit level’ and ‘risk taker’ level limits²⁶³;

15. influence and, when necessary, challenge decisions taken by the first line of defence that give rise to material risk²⁶⁴;

16. be able to ensure timely and effective readjustment of risks by senior management to be within the agreed risk limits/ risk-appetite²⁶⁵;

17. ensure strong and credible framework for reporting, monitoring, managing risks through well laid out procedures²⁶⁶;

18. put in place approval process for all new processes and products prior to their introduction²⁶⁷; and

19. ensure that risk culture pervades across the bank. This must be done through interventions, including meticulous issuance of instructions, continuous, mandatory training to the concerned staff on the instructions as well as by bringing to notice of the staff instances of risk management failures and breaches of risk limits along with preventive instructions²⁶⁸;

4. The head of the risk management function, to be designated as ‘Chief Risk Officer’(CRO), shall report to the RMCB which will be responsible for selection, oversight of performance including performance appraisals and, if necessary, dismissal of the CRO. Any premature removal of the CRO shall only be with prior approval of the board and shall be disclosed publicly. The reasons for such removal shall be disclosed to the Department of Supervision, Reserve Bank of India²⁶⁹.

5. The role and responsibilities of the CRO shall be clearly defined. The CRO shall inter alia have the overall responsibility for coordinating the identification, management, mitigation of the bank's risk and supervising the activities of other risk management staff. The CRO has responsibility for overseeing development and implementation of the bank’s risk management function. This includes ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models, reports as necessary to ensure that the bank’s risk management capabilities are effective to fully support its strategic objectives and all its risk-taking activities²⁷⁰.

6. The CRO’s responsibilities also include managing/ participating in key decision-making processes (e.g. strategic, capital and liquidity planning, new products/services, compensation design/operation). The CRO is expected to support the board in oversight of the bank’s RAF and translating it into a risk limits structure. The CRO, together with RMCB, shall be actively engaged in monitoring performance relative to risk-taking and risk limit adherence²⁷¹.

7. The CRO shall be a senior official in hierarchy with equivalence no less than those at one level below the WTDs/CEO. The CRO shall have the ability to interpret as well as articulate risk in an understandable manner as well as an ability to effectively engage the board, RMCB and management in constructive dialogue on key risk issues. The CRO will function as a secretary to the RMCB. The CRO shall have the necessary and adequate professional qualification /experience in the areas of risk management. The risk management functions budget shall be proposed by the RMCB and approved by the board. The compensation of risk management functionaries shall be proposed jointly by RMCB as well as NRC and approved by the board²⁷².

8. The risk management functionaries shall have direct access to the RMCB²⁷³.

9. In foreign banks operating in India as branches, the CRO in India shall play the role played by RMCB as far as the risk management function is concerned and shall report to risk management function in the controlling office/ head office²⁷⁴.

10. Incorporating all the above requirements, the board of the bank, through RMCB, is responsible for establishing a comprehensive risk management policy. This policy inter alia shall contain the basic principles, explain the main processes by which risks are to be recognised, measured, monitored, mitigated and managed across the organisation. The activities will be subject to periodic and independent review by the RMCB annually in addition to an independent assessment of the risk management function by the internal audit function. Further, as part of quality assurance, once in three years an external assessment shall also be undertaken.

9. Compliance²⁷⁵

1. An independent compliance function is a key element in the governance structure and is also part of the second line of defence. This function is responsible for ensuring that the bank operates with integrity in compliance with applicable laws and regulations²⁷⁶.

2. In supporting values, policies, processes that help ensure that a bank acts responsibly and fulfils all applicable obligations, the compliance function shall proactively assess compliance risk faced by various activities undertaken by the first line of defence together with ensuring remediation on gaps observed during the assessment²⁷⁷.

3. Compliance risk²⁷⁸ is ';the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer because of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards and codes of conduct applicable to its activities';.

4. Should a bank be part of a group, then the board of the bank, through its RMCB, is responsible for establishing a group wide enterprise compliance management system.

5. The compliance function and its functionaries shall²⁷⁹:

1. be accountable and report only to the RMCB;

2. be independent of any responsibilities related to the first line of defence, the risk management function and the third line of defence;

3. assess compliance risk in all activities undertaken by the first line of defence;

4. have sufficient standing, skills, resources, authority within the bank to enable it to carry out the assignments effectively and objectively;

5. collectively have or can access knowledge, skills, resources commensurate with the business activities and risks of the bank;

6. have full and unconditional access to banks’ records, physical properties, management information systems, minutes of all consultative/ decision-making bodies;

7. be empowered to conduct compliance reviews / investigations, whenever required;

8. provide an independent assurance to the board, through the RMCB, without any management filtering, on quality and effectiveness of the bank’s internal controls put in place to manage compliance risk by the first line of defence;

9. be able to ensure timely as well as effective correction of compliance risk assessment gap issues by senior management as well as escalation processes including enforcement and disciplinary process including dismissal;

10. ensure that regulatory guidelines/instructions/directions are promptly issued/ disseminated within the organisation (including senior management), with clarifications should the need arise;

11. put in place approval process for all new processes and products by the compliance function prior to introduction;

12. rather than mere remediation on gaps being pointed out by Reserve Bank, there shall be pro-active approach towards compliance;

13. ensure that compliance culture pervades across the bank, reinforced through interventions, including issuance of instructions meticulously, followed by continuous and mandatory training to the concerned staff on the instructions as well as by bringing to notice of the staff, instances of compliance failure along with preventive instructions;

14. act as contact point within the bank for compliance queries from staff members including provide guidance to staff on the appropriate implementation of applicable laws, rules, standards in the form of policies, procedures and other documents such as compliance manuals, internal codes of conduct, practice guidelines. All these with an objective to ensure that solutions offered facilitate the first line of defence to achieve the business objectives in a fully compliant manner; and

15. put in place a mechanism to ensure that compliance to various supervisory requirements as communicated by the Reserve Bank from time to time, are achieved within the specified timeframe.

6. The head of compliance function, to be designated as ‘Chief Compliance Officer (CCO)’, shall report to the RMCB which will be responsible for selection, oversight of performance including performance appraisals and, if necessary, dismissal of CCO. Any premature removal of the CCO shall only be with prior approval of the board and shall be disclosed publicly. The reasons for such removal shall be disclosed to the Department of Supervision, Reserve Bank of India²⁸⁰.

7. The role and responsibilities of the CCO shall be clearly defined. The CCO shall have the overall responsibility for identification, management, mitigation of the bank's compliance risk and supervising activities of other compliance function staff. The CCO shall have the ability to interpret and articulate compliance risk in an understandable manner as well as to effectively engage the board, RMCB, management in constructive dialogue on key compliance risk issues²⁸¹.

8. The CCO shall be a senior official in hierarchy with equivalence no less than those at one level below the WTDs or one level below the CEO. The CCO shall have necessary and adequate professional qualification /experience in areas of compliance risk management. The compliance functions budget shall be proposed by the RMCB and approved by the board. The compensation of compliance functionaries shall be proposed jointly by the RMCB as well as NRC and approved by the board²⁸².

9. Compliance functionaries shall have direct access to the RMCB²⁸³.

10. In foreign banks operating in India as branches, the CCO in India shall play the role played by RMCB as far as the compliance function is concerned and shall report to the compliance function in the controlling office/ head office²⁸⁴.

11. Incorporating all the above requirements, the board of the bank, through the RMCB, is responsible for establishing a compliance policy. This policy inter alia shall contain basic principles and shall explain the processes by which compliance risks are to be identified and thereafter managed across the organisation. The effectiveness of the compliance function will be subject to independent review by the RMCB at least annually. This will be in addition to the annual independent assessment of the compliance function by the internal audit function²⁸⁵. Further, as part of quality assurance, once in three years an external assessment shall also be undertaken.

12. In cases where a bank is present across multiple jurisdictions, compliance with applicable laws and regulations in all such jurisdictions be ensured. The organisational structure of the compliance function as well as its responsibilities shall be consistent with host country legal and regulatory requirements. It must be ensured that compliance responsibilities specific to each jurisdiction are carried out by individuals with appropriate knowledge and expertise of the host country requirements, with oversight of the CCO²⁸⁶.

10. Secretary to the board²⁸⁷

1. All banks whether listed or otherwise, shall have a Company Secretary who is bound by the professional standards of a Company secretary. The secretary shall report to the Chair of the board.

2. The management of the bank shall not be involved in performance assessment of the company secretary. The performance assessment of the company secretary shall be undertaken by the NRC based on the feedback provided by the Chair of the board. The company secretary shall work closely with the compliance function of the bank. However, there shall be a distinct separation of roles, duties and reporting lines. The role of the head of compliance function is specific to the role expected of the bank being an RBI regulated entity while the role of the company secretary is to be defined by the fact that a bank is also a company or body corporate.

3. The company secretary must ensure that the management makes available the agenda items within the time frame stipulated by the board, its committees and the minutes of the meetings of the board as well as the committees of the board are recorded as per the professional standards required.

4. All banks including those not listed and/ or operating as branches shall undertake secretarial audit in line with provisions of section 204 of the Companies Act, 2013 the scope of which shall include compliance to guidelines/directions emanating from this Discussion Paper. The Secretarial Audit report shall be made available to the ACB which shall have an oversight over compliance to various gaps reported by the audit²⁸⁸.

5. The budget as well as the compensation of the functionaries in the Company Secretariat shall be recommended jointly by ACB as well as NRC and approved by the board.

11. Internal Audit

1. An effective and efficient internal audit function constitutes the third line of defence in the system of controls. Unlike the second line of defence which though independent, also have an advisory role, the internal audit function shall not have any advisory role²⁸⁹.

2. The internal audit function and its functionaries shall:

1. be accountable and report only to the board through the ACB²⁹⁰;

2. be independent of audited activities i.e., have no responsibilities related to the first line of defence, the second line of defence and the vigilance function²⁹¹;

3. audit all activities undertaken by the first line of defence, the second line of defence and the vigilance function²⁹²;.

4. have sufficient standing, skills, resources and authority within the bank to enable auditors to carry out their assignments effectively and objectively²⁹³;

5. collectively have or can access knowledge, skills and resources commensurate with business activities and risks of the bank²⁹⁴;

6. require internal auditors to adhere to professional standards applicable in India²⁹⁵;

7. have full unconditional access to records, physical properties of the bank and entities with which there are outsourcing engagements, including access to management information systems, minutes of all consultative/decision-making bodies²⁹⁶;

8. provide an independent assurance to the board, through the ACB on quality and effectiveness of internal controls put in place by the first line of defence²⁹⁷;

9. provides independent assurance to the board, through the ACB on effectiveness of risk management, compliance, vigilance, governance systems and processes²⁹⁸; and

10. be able to ensure timely as well as effective correction of audit issues by senior management through escalation processes including enforcement and disciplinary process including dismissal²⁹⁹

3. The ACB can choose to receive internal audit reports with or without management filtering³⁰⁰.

4. The communication channels between internal audit and all the other functions shall encourage reporting of negative as well as sensitive findings. All serious deficiencies shall be reported to the appropriate level of functionaries in the first and second line of defence as soon as they are identified. Significant issues posing a threat to the bank’s business shall be promptly brought to the notice of ACB and thereafter to the board³⁰¹.

5. The internal audit function shall not be outsourced. However, where required, experts including former employees can be hired on contractual basis subject to the ACB being reassured that such expertise do not exist within the audit function of the bank. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function³⁰².

6. In addition to the extant instructions of the Reserve Bank on statutory audit, and in the interest of auditor independence, an external auditor / audit firm undertaking any assignment in a bank should not be given any other assignment in the same bank for a period of at least one year from the completion of the assignment³⁰³.

7. The head of internal audit function to be designated ‘Head – Internal Audit (HIA)’, with reporting line to the ACB³⁰⁴. The ACB will be responsible for selection, oversight of performance including performance appraisals and, if necessary, dismissal of the HIA. Any premature removal of the HIA shall only be with prior approval of the board and shall be disclosed publicly. The reasons for such removal shall be disclosed to the Department of Supervision, Reserve Bank of India³⁰⁵.

8. The role and responsibilities of the HIA shall be clearly defined. The HIA shall have overall responsibility for coordinating the identification of control gaps in the first line of defence, the second line of defence, the vigilance function as well as supervising the activities of other internal audit function staff. The HIA shall have the ability to interpret and articulate the various control gaps in an understandable manner to effectively engage the board, ACB, management in constructive dialogue on key control gap issues³⁰⁶.

9. The HIA shall be a senior official in hierarchy with equivalence no less than those at one level below the WTDs / CEO. The HIA shall have necessary professional qualification /experience in areas of audit functions. The budget of internal audit function shall be recommended by ACB and approved by the board³⁰⁷. The compensation of the internal audit functionaries shall be recommended jointly by ACB as well as NRC and approved by the board³⁰⁸.

10. Internal audit functionaries shall have direct access to the ACB³⁰⁹.

11. Incorporating all the above requirements, the board of the bank, through the ACB, is responsible for establishing an internal audit policy. This policy inter alia shall contain the basic principles and explain main processes by which internal control gaps are to be identified through all levels of the bank³¹⁰.

12. In foreign bank’s operating in India as branches, the HIA in India shall play the role played by ACB as far as the audit function is concerned. The HIA shall report into the internal audit function in the controlling office/ head office and shall be subject to the superintendence, control, direction of the controlling / head office. The CEO shall be responsible for effective oversight of statutory, regulatory and audit compliance in respect of all operations in India.³¹¹

12. Vigilance³¹²

1. The vigilance functions shall broadly include (i) Preventive vigilance; (ii) Surveillance and detection; and (iii) Punitive vigilance³¹³.

2. The bank shall formulate a vigil/whistle blower policy for directors, employees and third parties to report genuine concerns. The vigil mechanism shall provide for adequate safeguards against victimisation of director(s) or employee(s) or any other person who avail the mechanism and in appropriate or exceptional cases provide for direct access to the chair of the ACB/ chair of the board³¹⁴.

3. Specifically,³¹⁵:

(i) appropriate procedures shall exist for all staff to report potential or actual breaches of regulatory requirements, internal governance arrangements, through a specific, independent and autonomous channel;

(ii) reporting to take place outside regular reporting lines viz.,

1. in case of breaches by staff: through an independent internal whistleblowing procedure in addition to instructions issued by the RBI under the Protected Disclosures Scheme for Private Sector and Foreign banks vide DO DBS. FrMC No. BC 5 /23.02.011 /2006-07 dated April 18, 2007 updated from time to time; and

2. in case of unusual events: through mechanisms for employees to elevate and report concerns when they feel discomfort about products or practices, even where they are not making a specific allegation of wrongdoing. It is not necessary that reporting staff has evidence of it, but a level of initial certainty that provides sufficient reason to launch an investigation.

(iii) the integrity, independence, effectiveness of internal alert policies, procedures including those policies and procedures intended to protect staff who raise concerns from being victimised, e.g. retaliation, discrimination or other types of unfair treatment, because they have disclosed reportable breaches as also take appropriate measures against those responsible for any such victimisation;

(iv) staff who raise internal flags that lead to material risks being mitigated is rewarded without disclosing the identity;

(v) information provided by staff via alert procedures is, if appropriate, made available to the concerned functions, the committees of the board and the board in an anonymised way;

(vi) internal alert procedures:

1. are documented (e.g. staff handbooks);

2. provides clear rules and is technologically enabled to ensure that confidentiality is guaranteed in all cases in relation to the person who reports the breaches committed within the bank, unless disclosure is required by law in a context of further investigations or subsequent judicial proceedings;

3. shall ensure that confirmation of receipt to staff who raised potential or actual breaches is provided;

4. have clear time lines for taking appropriate actions for the breaches reported.

5. shall ensure that potential or actual breaches raised are assessed and escalated, including as appropriate to the concerned competent authority or law enforcement agency;

6. shall ensure tracking of the outcome of reported breaches;

7. shall include specific procedures for receipt of reports on breaches and their follow-up; and

8. provision to escalate to the chair of the ACB and if it persists, to the chair of the board;

(vii) the risk management, compliance and the internal audit function shall each independently verify that these policies, mechanisms, procedures are correctly implemented besides provide requisite feedback to the Vigilance Function;

(viii) a process shall be in place to identify material risk takers within the bank as also to identify high risk roles across functions in the bank and have the vigilance personnel randomly audit material risk takers and employees in high risk roles, transactions or business units;

(ix) have a recognition and tracking process to attribute revenue generated by each employee;

(x) advanced analytics shall be implemented so that employee specific information such as updates of income as well as assets/wealth is captured, and preventive/pro-active vigilance can be initiated;

(xi) specific default limits for staff accountability assessment is reviewed and amounts lower than the default limit is subject to employee specific pattern monitoring;

(xii) a tracking process in place for number of risk limit breaches for each employee per year;

(xiii) an undercover surveillance team is operational to observe behaviour of those employees in front line who engage with customers and other stakeholders;

(xiv) there shall exist a carefully designed feedback exercise which provides robust insight on each employee with capability to expose questionable behaviours;

(xv) the conventional wisdom on legal impediments which too often lead to “no action” being recommended by internal teams shall be demonstrably challenged;

(xvi) process in place to review/ revisit all policy documents, standard operating procedure manuals to ensure that there are no instructions which are vague, incomplete and are capable of multiple interpretations;

(xvii) employees shall be trained/retrained on function/desk specific standard operating procedures, processes through e-learning modules, contents of which are prepared based on policy, processes, manuals and the concerned employee is required to complete the same successfully before taking up the assigned function/job;

(xviii) decisions which prima facie are not in tune with extant instructions are recorded with the reasons behind the decisions. This shall be practiced across all levels including the board;

(xix) employees shall be empowered to report instances of oral instructions based on which they have been compelled to undertake any actions that would be a breach of any laid down policy/process/guideline/statute/regulations etc;

(xx) intelligent alerts, MIS, warnings on suspect transactions, intelligence, etc. shall be in place in every aspect of operations; and

(xxi) systematic annual assessments shall be undertaken on whether employees are aware of escalation processes and believe the environment is open to critical challenge.

4. The vigilance function of the bank shall be headed by an officer to be designated as Chief of Internal Vigilance (CIV). CIV shall be a senior official in hierarchy with equivalence no less than those at one level below a WTD or one level below a CEO. CIV shall have necessary professional qualification /experience in areas of vigilance function and ability to inspire confidence among personnel in the bank. The budget of vigilance function shall be recommended by ACB and approved by the board. The compensation of the vigilance functionaries shall be recommended jointly by the ACB as well as NRC and approved by the board.

5. The CIV’s reporting line shall be to ACB. Vigilance functionaries shall have direct access to the ACB³¹⁶. ACB shall be responsible for selection, oversight of performance including performance appraisals and, if necessary, dismissal of the CIV. Any premature removal of the CIV shall only be with the prior approval of the board and shall be disclosed publicly. The reasons for such removal shall be disclosed to the Department of Supervision, Reserve Bank of India³¹⁷.

6. Incorporating all the above requirements at a minimum, the board of the bank, through the ACB, is responsible for establishing an internal vigilance policy. This policy inter alia shall contain the basic principles as well as explain the main processes by which preventive vigilance, surveillance/detection and punitive vigilance is to be practiced³¹⁸.

7. In foreign bank’s operating in India as branches, the CIV in India shall play the role played by ACB when it comes to matters of vigilance. The CIV shall report into the vigilance function in the controlling office/ head office³¹⁹.

13. Compensation

1. Compensation systems form a key component of governance incentive structure through which a board promotes good performance, conveys acceptable risk-taking behaviour and reinforces a bank’s culture. The board, through its NRC, is responsible for oversight of management’s implementation of compensation system for the entire bank. In addition, the board, through its NRC, shall regularly monitor and review outcomes to assess whether the bank-wide compensation system is creating desired incentives. The NRC shall review the compensation plans, processes and outcomes at least annually³²⁰.

2. While compensation of WTDs as well as other employees³²¹ of a banking company shall be governed by the guidelines in DOR.Appt.BC.No.23/29.67.001/2019-20 dated November 04, 2019 as amended from time to time, the NRC shall, with the approval of the board of directors also formulate and adopt a comprehensive compensation policy for the NEDs³²².

3. In addition to sitting-fees as also expenses related to attending meetings of the board and its committees as per extant statutory requirements/practices, the policy shall provide for payment of compensation to NED’s as per the provisions in the Banking Regulation Act, 1949 and the Companies Act, 2013.

4. For granting remuneration to a part-time non-executive Chairman, prior approval of the RBI will be required under Section 10B(1A) (i) and 35B of the Banking Regulation Act, 1949. Banks are required to make disclosure on remuneration paid to the directors on an annual basis at the minimum, in their Annual Financial Statements. The basis including the performance metrics used to determine the remuneration of the directors shall also be disclosed³²³.

14. Interpretation

1. Based on stake holder feedback, the Reserve Bank will issue necessary directions/ guidelines and subsequently, if it considers necessary, issue clarifications in respect of any matter covered in the directions/guidelines. The interpretation of any provision of the directions/guidelines given by the Reserve Bank shall be final and binding on the parties concerned.

15. Transition

1. The new guidelines/ direction shall come into effect within a period of six months after being placed on website of the Reserve Bank (i.e. https://www.rbi.org.in) or April 01, 2021, whichever is later. During the period banks shall ensure that its Memorandum of Association/Articles of Association/ any agreements/ board of director or shareholder resolutions/ composition of the board and the committees of the board are consistent with the new guidelines/directions as well as applicable statutes/regulations.

16. Disclosure and transparency

1. Disclosure and transparency is also an important tenet of good governance. Various disclosure requirements prescribed by regulators are the minimum standards. Therefore, banks are encouraged to voluntarily push the boundaries on this front.

17. Repeal

1. With the issue of the directions/guidelines on Governance in commercial banks, basis the feedback received to this paper, some of the extant instructions/guidelines/directions issued by the Reserve Bank could stand repealed.

¹ BCBS –Corporate governance principles for banks, July 2015 with modifications for emphasis and clarity.

² See the glossary of corporate governance-related terms in Organisation for Economic Co-operation and Development (OECD), Experiences from the Regional Corporate Governance Roundtables, 2003.

³ In the case of nationalised banks, directors nominated by the Government under clauses (g) and (h) of sub-section (3) of section 9 of the Banking Companies (Acquisition and Transfer of Undertakings) Acts, 1970/1980 -are treated as independent directors as per instructions issued by Ministry of Finance, Government of India to these banks on August 30, 2019.

⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 56

⁵ DBR No.BC.93/29.67.001/2014-15 dated May 14, 2015 and DBR No.BC.95/29.67.001/2014-15 dated May 28, 2015 articulates ‘seven critical themes’ in place of ‘calendar of reviews’. These themes have already been included as part of the responsibilities.

⁶ Culture includes risk culture. As per Guidance on ‘Supervisory Interaction with Financial Institutions on Risk Culture - A Framework for Assessing Risk Culture’, April 2014, indicators for assessing risk culture can be grouped under four broad criteria viz: (i) Tone from the top; (ii) Accountability; (iii) Effective Communication and Challenge; and (iv) Incentive Structure. This discussion paper covers the four criteria. While the ‘tone from/at the top’ is specifically articulated in 4.1, the remaining categories are covered in different segments across the paper.

⁷ BCBS –Corporate governance principles for banks, July 2015 – para # 30;

⁸ Recommendations of the Banks Board Bureau, March 2018

⁹ Banking conduct and culture- a call for sustained and comprehensive reform – Group of 30, July 2015

¹⁰ Banking conduct and culture- a call for sustained and comprehensive reform – Group of 30, July 2015

¹¹ The word ‘compensation’ and the word ‘remuneration’ are used interchangeably and has the same meaning in this document.

¹² Banking conduct and culture- a call for sustained and comprehensive reform – Group of 30, July 2015

¹³ Recommendations of the Banks Board Bureau, March 2018

¹⁴ Banking conduct and culture- a call for sustained and comprehensive reform – Group of 30, July 2015

¹⁵ Banking conduct and culture- a call for sustained and comprehensive reform – Group of 30, July 2015

¹⁶ BCBS –Corporate governance principles for banks, July 2015 – para # 31

¹⁷ BCBS –Corporate governance principles for banks, July 2015 – para # 32

¹⁸ BCBS –Corporate governance principles for banks, July 2015 – para # 32

¹⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 32

²⁰ Supplementary Guidance to the FSB Principles and Standards on Sound Compensation Practices, March 2018

²¹ BCBS –Corporate governance principles for banks, July 2015 – para # 80

²² BCBS –Corporate governance principles for banks, July 2015 – para # 82

²³ Recommendations of the Banks Board Bureau, March 2018

²⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 83

²⁵ Added for emphasis and clarity

²⁶ Added for emphasis and clarity

²⁷ BCBS –Corporate governance principles for banks, July 2015 – para # 27

²⁸ BCBS –Corporate governance principles for banks, July 2015 – para # 84&85

²⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 38

³⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 39. Added for emphasis and clarity

³¹ BCBS –Corporate governance principles for banks, July 2015 – para # 40

³² BCBS –Corporate governance principles for banks, July 2015 – para # 41 & 26. Added for emphasis and clarity.

³³ BCBS –Corporate governance principles for banks, July 2015 – para # 41

³⁴ Added for emphasis and clarity

³⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 42

³⁶ BCBS –Corporate governance principles for banks, July 2015 – para # 43; Content added for emphasis and clarity.

³⁷ BCBS –Corporate governance principles for banks, July 2015 – para # 33; Content added for emphasis and clarity.

³⁸ BCBS –Corporate governance principles for banks, July 2015 – para # 34

³⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 35 & 26

⁴⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 36

⁴¹ BCBS –Corporate governance principles for banks, July 2015 – para # 37 & 26; Content added/modified for emphasis and clarity.

⁴² BCBS –Corporate governance principles for banks, July 2015 – para # 26

⁴³ Supplementary Guidance to the FSB Principles and Standards on Sound Compensation Practices, March 2018

⁴⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 44

⁴⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 45 & 46

⁴⁶ Added for emphasis and clarity

⁴⁷ BCBS –Corporate governance principles for banks, July 2015 – para # 45; Content added/modified for emphasis and clarity

⁴⁸ BCBS –corporate governance principles for banks, July 2015 – para # 46

⁴⁹ Added for emphasis and clarity

⁵⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 23

⁵¹ BCBS –Corporate governance principles for banks, July 2015 – para # 24. Content modified for emphasis and clarity.

⁵² SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

⁵³ Content modified for emphasis and clarity.

⁵⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 25

⁵⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 26

⁵⁶ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

⁵⁷ BCBS –Corporate governance principles for banks, July 2015 – para # 26; Content modified for emphasis and clarity.

⁵⁸ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

⁵⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 26;

⁶⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 26

⁶¹ DBR No.BC.93/29.67.001/2014-15 dated May 14, 2015 and DBR No.BC.95/29.67.001/2014-15 dated May 28, 2015 articulates ‘seven critical themes’ in place of ‘a calendar of reviews’.

⁶² DBS. CO.PP. BC 6/11.01.005/2006-07 dated April 20, 2007 on compliance function in banks.

⁶³ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

⁶⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 28

⁶⁵ DBOD. No.BC. 116 / 08.139.001/2001-02 dated June 20, 2002 implementation of recommendations of Dr. Ganguly Group Report including a model form of ';Deed of Covenants '; to be signed between a director and the bank;

⁶⁶ Contents modified for emphasis and clarity.

⁶⁷ Contents added/modified for emphasis and clarity.

⁶⁸ DBOD.No.BC.94/16.13.100/92 dated March 9, 1992 on Do's and Don’t's for directors

⁶⁹ Companies Act, 2013

⁷⁰ Companies Act, 2013

⁷¹ Companies Act, 2013

⁷² Companies Act, 2013

⁷³ Companies Act, 2013

⁷⁴ Companies Act, 2013; The content “particularly depositors” added for emphasis.

⁷⁵ Companies Act, 2013

⁷⁶ Companies Act, 2013

⁷⁷ Companies Act, 2013

⁷⁸ DBOD.No.BC.94/16.13.100/92 dated March 9, 1992 on Do's and Don’t's for directors

⁷⁹ DBOD.No.BC.94/16.13.100/92 dated March 9, 1992 on Do's and Don’t's for directors

⁸⁰ DBOD.No.BC.94/16.13.100/92 dated March 9, 1992 on Do's and Don’t's for directors

⁸¹ Companies Act, 2013

⁸² DBOD.No.BC.94/16.13.100/92 dated March 9, 1992 on Do's and Don’t's for directors

⁸³ DBOD.No.BC.94/16.13.100/92 dated March 9, 1992 on Do's and Don’t's for directors

⁸⁴ BCBS –Corporate governance principles for banks, July 2015 – Principle # 3 and Para #57, 58, 59 & 78

⁸⁵ Added for emphasis and clarity

⁸⁶ Added for emphasis and clarity

⁸⁷ DOS.No.BC.14/Admn. /919/16.13.100/95 dated September 26, 1995; SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015; BCBS - Corporate governance principles for banks, July 2015 – para # 68;

⁸⁸ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015; the content “notes attached thereto” has been added for emphasis and the content “other senior officer with financial oversight responsibilities” appearing in the regulation has been substituted with the content “or head of internal audit (HIA)”

⁸⁹ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

⁹⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 68

⁹¹ BCBS –Corporate governance principles for banks, July 2015 – para # 68 which inter alia states that chair of the board cannot be a chair of any other committee. Further, countries such as United Kingdom do not allow the chair of board to be a member of the ACB.

⁹² SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

⁹³ Added for emphasis; As per SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, the audit committee shall meet at least four times in a year and not more than one hundred and twenty days shall elapse between two meetings

⁹⁴ As per SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, the Company Secretary shall act as the secretary to the audit committee

⁹⁵ As per SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, the audit committee at its discretion shall invite the finance director or head of the finance function, head of internal audit and a representative of the statutory auditor and any other such executives to be present at the meetings of the committee, provided that occasionally the audit committee may meet without the presence of any executives of the listed entity

⁹⁶ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

⁹⁷ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

⁹⁸ Added for emphasis

⁹⁹ RBI Circular DOS.No.5/16.13.100/94 dated April 09, 1994 on ooverseeing the Internal Audit Function in Banks - Setting up of Audit Committee of Boards

¹⁰⁰ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

¹⁰¹ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

¹⁰² DBR.Appt.No.BC.68/29.67.001/2016-17 dated May 18, 2017 prescribes the Minimum Qualification and Experience for CFO & CTO

¹⁰³ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

¹⁰⁴ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

¹⁰⁵ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

¹⁰⁶ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

¹⁰⁷ DOS.No.BC.14/Admn./919/16.13.100/95 dated September 26, 1995 on Audit Committee of the Board of Directors – Reconstitution

¹⁰⁸ DOS.No.BC.14/Admn./919/16.13.100/95 dated September 26, 1995 on Audit Committee of the Board of Directors – Reconstitution

¹⁰⁹ DBS.ARS.BC.No.4/08.91.020/2010-11 dated November 10, 2010 on Calendar of Reviews of ACB

¹¹⁰ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

¹¹¹ BCBS –Corporate governance principles for banks, July 2015 – para # 142

¹¹² Companies Act, 2013

¹¹³ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

¹¹⁴ DBS.ARS.BC.No.4/08.91.020/2010-11 dated November 10, 2010 on Calendar of Reviews of ACB

¹¹⁵ DOS.No.5/16.13.100/94 dated April 09, 1994

¹¹⁶ DBS.CO.ARS.No.BC.2/08.91.021/2019-20 dated September 18, 2019

¹¹⁷ DBS.ARS.BC.No.4/08.91.020/2010-11 dated November 10, 2010 (Calendar of Reviews)

¹¹⁸ DBS.ARS.BC.No.4/08.91.020/2010-11 dated November 10, 2010 (Calendar of Reviews)

¹¹⁹ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

¹²⁰ DBS.FGV(F).No.1004/23.04.01A/2003-04 dated January 14, 2004

¹²¹ DBS.ARS.BC.No.4/08.91.020/2010-11 dated November 10, 2010 (Calendar of Reviews)

¹²² Added for emphasis

¹²³ Added for emphasis

¹²⁴ DBS.CO.ARS.No.BC.2/08.91.021/2019-20; dated September 18, 2019

¹²⁵ Added for emphasis; Also refer to Guidance Note on Related Party Transactions issued by ICSI

¹²⁶ Alternatively, banks could consider an independent ‘Conduct Review Committee’ to be constituted for approval/reporting of such transactions.

¹²⁷ Added for emphasis

¹²⁸ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015; certain contents added for emphasis and clarity

¹²⁹ Added for emphasis

¹³⁰ Added for emphasis

¹³¹ Added for emphasis

¹³² Companies Act, 2013

¹³³ Considering that the risk management function performs a key role in the overall governance framework, the RMCB is entrusted with a very critical supervisory role. Hence, composition of the RMCB, which leads the second line of defence, is now being upgraded to the same lines of that of the ACB, which leads the third line of defence in a bank. As per DBOD.No.BP.520/21.04.103/2002-03 October 12, 2002, the Risk Management Committee will be a Board Level Subcommittee including CEO and heads of Credit, Market and Operational Risk Management Committees. As per SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015: The majority of Risk Management Committee shall consist of members of the board of directors and two-thirds shall be independent directors in case of a listed entity.

¹³⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 71

¹³⁵ Modelled on the lines of the ACB as risk management is a key supervisory function of the board especially in the financial intermediation space.

¹³⁶ Added for emphasis

¹³⁷ Added for emphasis

¹³⁸ BCBS –Corporate governance principles for banks, July 2015 – para # 36

¹³⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 36

¹⁴⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 40

¹⁴¹ BCBS –Corporate governance principles for banks, July 2015 – para # 107

¹⁴² BCBS –Corporate governance principles for banks, July 2015 – para # 107 and contents added for emphasis and clarity

¹⁴³ Added for emphasis and clarity

¹⁴⁴ Added for emphasis and clarity

¹⁴⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 122

¹⁴⁶ Recommendations of the Banks Board Bureau, March 2018

¹⁴⁷ Recommendations of the Banks Board Bureau, March 2018

¹⁴⁸ DBOD.No.BP.(SC).BC.98/21.04.103/99 dated October 07, 1999 on risk management inter alia on credit approving authority

¹⁴⁹ Recommendations of the Banks Board Bureau, March 2018

¹⁵⁰ Recommendations of the Banks Board Bureau, March 2018

¹⁵¹ BCBS –Corporate governance principles for banks, July 2015 – para # 115

¹⁵² BCBS –Corporate governance principles for banks, July 2015 – para # 113

¹⁵³ BCBS –Corporate governance principles for banks, July 2015 – para # 115 & 116

¹⁵⁴ Recommendations of the Banks Board Bureau, March 2018

¹⁵⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 123

¹⁵⁶ BCBS –Corporate governance principles for banks, July 2015 – para # 114

¹⁵⁷ BCBS –Corporate governance principles for banks, July 2015 – para # 129

¹⁵⁸ BCBS –Corporate governance principles for banks, July 2015 – para # 129

¹⁵⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 129

¹⁶⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 130

¹⁶¹ BCBS –Corporate governance principles for banks, July 2015 – para # 120

¹⁶² BCBS –Corporate governance principles for banks, July 2015 – para # 117

¹⁶³ BCBS –Corporate governance principles for banks, July 2015 – para # 118

¹⁶⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 126,127,128,131

¹⁶⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 75

¹⁶⁶ DBS.CO.PP.BC 6/11.01.005/2006-07 dated April 20, 2007 on compliance function in banks

¹⁶⁷ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 (where responsibility is assigned to the Board)

¹⁶⁸ Companies Act, 2013; SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015; RBI - Compensation Guidelines November 2019; BCBS –Corporate governance principles for banks, July 2015; Content added for emphasis and clarity

¹⁶⁹ In line with the other key committees viz., ACB and RMCB

¹⁷⁰ Added for emphasis and clarity

¹⁷¹ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 and Companies Act, 2013

¹⁷² Added for emphasis and clarity

¹⁷³ BCBS –Corporate governance principles for banks, July 2015 – para # 51

¹⁷⁴ Added for emphasis and clarity

¹⁷⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 77

¹⁷⁶ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 Part D

¹⁷⁷ DBOD.No.BC.116/08.139.001/2001-02 dated June 20, 2002 implementation of recommendations of Dr. Ganguly Group Report

¹⁷⁸ Added for emphasis and clarity

¹⁷⁹ DBR.No.BC.97/29.67.001/2014-15 on Compensation of Non-executive Directors of Private Sector Banks dated June 1, 2015 places a cap on non-executive Director compensation.

¹⁸⁰ Companies Act, 2013; SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015; DBOD.No.BC.105/08.139.001/2003-04 dated June 25, 2004 on 'fit and proper' criteria for directors of banks

¹⁸¹ DBOD.No.BC.105/08.139.001/2003-04 dated June 25, 2004 on 'fit and proper' criteria for directors of banks

¹⁸² DBR.Appt.No.BC.68/29.67.001/2016-17 dated May 18, 2017 on Minimum Qualification and Experience for CFO & CTO vide its circular and DBR.Appt.No: 9/29.67.001/2019-20 dated August 2, 2019 on 'fit and proper' criteria for elected directors in PSBs

¹⁸³ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (PART D)

¹⁸⁴ Companies Act, 2013

¹⁸⁵ Added for emphasis and clarity

¹⁸⁶ Companies Act, 2013

¹⁸⁷ Companies Act, 2013

¹⁸⁸ Various instructions/ guidelines on ‘fit and proper’ issued by RBI being the minimum requirement.

¹⁸⁹ Added for emphasis and clarity

¹⁹⁰ Added for emphasis and clarity

¹⁹¹ Added for emphasis and clarity

¹⁹² Added for emphasis

¹⁹³ DBOD.No.BC.116/08.139.001/2001-02 dated June 20, 2002 implementation of recommendations of Dr. Ganguly Group Report; SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (regulation No. 20); other requirements added for emphasis and clarity.

¹⁹⁴ Added for emphasis and clarity in the interest of separating the supervisory function of the board from the management function of the board

¹⁹⁵ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015; Companies Act, 2013.

¹⁹⁶ As per Companies Act, 2013, the board of directors shall meet at least four times a year, with a maximum time gap of one hundred and twenty days between any two meetings

¹⁹⁷ Added for emphasis and clarity considering the licensing conditions for small finance banks, payment banks and universal banks require a majority of independent directors.

¹⁹⁸ Added for emphasis and clarity considering the extant instructions of RBI already prescribe a minimum quorum of three for certain committees of the board such as ACB and NRC.

¹⁹⁹ Section 16 of BR Act

²⁰⁰ Added for emphasis and clarity

²⁰¹ Added for emphasis and clarity

²⁰² BCBS –Corporate governance principles for banks, July 2015 – para # 61

²⁰³ Added for emphasis and clarity

²⁰⁴ BCBS –Corporate governance principles for banks, July 2015 – principle 2

²⁰⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 48

²⁰⁶ Section 10A(2) of BR Act

²⁰⁷ DBR.Appt.BC.No.39/29.39.001/2016-17 dated November 24, 2016 on Special Knowledge or Practical Experience useful to Banking Companies

²⁰⁸ DBOD.No.BC.116/08.139.001/2001-02 dated June 20, 2002 on Ganguly Committee

²⁰⁹ DBOD.No.BC.No.21/08.95.005-94 dated March 5, 1994 and DBOD.No.BC.82/08.95.005/94 dated July 1, 1994 and on Board of Directors

²¹⁰ Non-banking financial institutions (NBFI) are entities engaged in hire purchase, financing, investment, leasing, money lending, chit/kuri business and other para banking activities such as factoring, primary dealership, underwriting, mutual fund, insurance, pension fund management, investment advisory, portfolio management services, agency business etc.

²¹¹ DBR.Appt.No: 9/29.67.001/2019-20 dated August 2, 2019 on 'fit and proper' criteria for elected directors in PSBs with added emphasis and clarity

²¹² DBOD.No.BC.116/08.139.001/2001-02 dated June 20, 2002 on implementation of recommendations of Dr. Ganguly Group Report and DBR.Appt.No: 9/29.67.001/2019-20 dated August 2, 2019 on 'fit and proper' criteria for elected directors in PSBs with contents added for emphasis and clarity

²¹³ bodies such as Notified Area Council, City Council, Panchayat, Gram Sabha, Zila Parishad, etc.

²¹⁴ Added for emphasis and clarity.

²¹⁵ In case of nationalised banks, a non-official director cannot continuously serve beyond a period of six years as per the clause 9 (2) & (4) of the Nationalised Banks Scheme

²¹⁶ RBI Circular DoR.Appt.No.58/29.67.001/2019-20 dated March 31, 2020

²¹⁷ RBI guidelines on ‘fit and proper’ being the minimum requirement

²¹⁸ DBOD.No.BC.116/08.139.001/2001-02 dated June 20, 2002 on implementation of recommendations of the Consultative Group of Directors of Banks / Financial Institutions (Dr. Ganguly Group) and DBOD.No.BC.105/08.139.001/2003-04 dated June 25, 2004 on 'fit and proper' criteria for directors of banks

²¹⁹ DBOD.No.913/08.139.001/2007-08 dated June 19, 2006 on ‘fit and proper’ criteria for directors of banks

²²⁰ Added for emphasis and clarity

²²¹ RBI Circular on 'fit and proper' criteria for directors of banks DBOD.No.BC.No.47/29.39.001/2007-08 dated November 01, 2007

²²² DBOD.No.BC.105/08.139.001/2003-04 dated June 25, 2004 on 'fit and proper' criteria for directors of banks and content added for emphasis and clarity

²²³ DBOD.No.BC.60/08.139.001/2004-2005 dated December 16, 2004 on 'fit and proper' criteria

²²⁴ DBR.Appt.No: 9/29.67.001/2019-20 dated August 2, 2019 on 'fit and proper' criteria

²²⁵ DBR.Appt.No: 9/29.67.001/2019-20 dated August 2, 2019 on 'fit and proper' criteria

²²⁶ DBR.Appt.No: 9/29.67.001/2019-20 dated August 2, 2019 on 'fit and proper' criteria

²²⁷ DBR.Appt.No: 9/29.67.001/2019-20 dated August 2, 2019 on 'fit and proper' criteria

²²⁸ Section 10A of the B R Act

²²⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 87; Recommendations of the Banks Board Bureau, March 2018 ; Contents added for emphasis and clarity.

²³⁰ Recommendations of the Banks Board Bureau, March 2018

²³¹ BCBS –Corporate governance principles for banks, July 2015 – para # 91

²³² BCBS –Corporate governance principles for banks, July 2015 – para # 91

²³³ BCBS –Corporate governance principles for banks, July 2015 – para # 92 and DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance function;

²³⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 93

²³⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 93

²³⁶ BCBS –Corporate governance principles for banks, July 2015 – para # 93 & 94

²³⁷ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

²³⁸ SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 with added emphasis and clarity

²³⁹ DBOD. No.BC. 116 / 08.139.001/2001-02 dated June 20, 2002 on implementation of recommendations of Dr. Ganguly Group Report

²⁴⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 90;

²⁴¹ BCBS –Corporate governance principles for banks, July 2015 – para # 50, 88 & 89

²⁴² BCBS –Corporate governance principles for banks, July 2015 – para # 88

²⁴³ Added for emphasis and clarity

²⁴⁴ Section 35B of BR Act, 1949

²⁴⁵ DoR.Appt.No.58/29.67.001/2019-20 dated March 31, 2020 on appointment of CEO/MD/PTC

²⁴⁶ Added for emphasis and clarity

²⁴⁷ DBOD.APPT.BC.No.40/29.39.001/2014-15 dated September 9, 2014;

²⁴⁸ Section 10B(4) of BR Act, 1949

²⁴⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 105

²⁵⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 105; DBOD.No.BP.(SC).BC.98/21.04.103/99 dated October 07, 1999 on risk management

²⁵¹ BCBS –Corporate governance principles for banks, July 2015 – para # 106

²⁵² BCBS –Corporate governance principles for banks, July 2015 – para # 36

²⁵³ BCBS –Corporate governance principles for banks, July 2015 – para # 105 &112

²⁵⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 36

²⁵⁵ Principles for An Effective Risk Appetite Framework, Financial Stability Board

²⁵⁶ BCBS –Corporate governance principles for banks, July 2015 – para # 106

²⁵⁷ DBOD.No.BP.(SC).BC.98/21.04.103/99 dated October 07, 1999 on risk management

²⁵⁸ BCBS –Corporate governance principles for banks, July 2015 – para # 107; DBOD.No.BP.(SC).BC.98/21.04.103/99 dated October 07, 1999 and DBOD. No. BP. 520 /21.04.103/2002-03 dated October 12, 2002 on risk management

²⁵⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 106

²⁶⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 141

²⁶¹ BCBS –Corporate governance principles for banks, July 2015 – para # 123

²⁶² BCBS –Corporate governance principles for banks, July 2015 – para # 105

²⁶³ BCBS –Corporate governance principles for banks, July 2015 – para # 105

²⁶⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 105

²⁶⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 105

²⁶⁶ DBOD.No.BP.(SC).BC.98/21.04.103/99 dated October 07, 1999 and DBOD. No. BP. 520 /21.04.103/2002-03 dated October 12, 2002 on risk management

²⁶⁷ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance function in the bank

²⁶⁸ BCBS –Corporate governance principles for banks, July 2015 – para # 34&126

²⁶⁹ DBR.BP.BC.No.65/21.04.103/2016-17 dated April 27, 2017, with modifications for emphasis and clarity.

²⁷⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 109

²⁷¹ BCBS –Corporate governance principles for banks, July 2015 – para # 109

²⁷² BCBS –Corporate governance principles for banks, July 2015 – para # 108; DBR.BP.BC.No.65/21.04.103/2016-17 dated April 27, 2017 with modifications for emphasis and clarity

²⁷³ DBR.BP.BC.No.65/21.04.103/2016-17 dated April 27, 2017

²⁷⁴ Added for emphasis and clarity

²⁷⁵ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance function

²⁷⁶ BCBS –Corporate governance principles for banks, July 2015 – para # 132

²⁷⁷ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 with modifications for emphasis and clarity

²⁷⁸ BCBS paper on Compliance and the Compliance Function in Banks (April 2005)

²⁷⁹ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance functions; with modifications modeled on similar principles for Risk Management function

²⁸⁰ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance functions with modifications modelled on similar principles for Risk Management function

²⁸¹ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance functions with modifications modelled on similar principles for Risk Management function

²⁸² DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance functions with modifications modelled on similar principles for Risk Management function

²⁸³ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance functions which requires reporting to ACB – which has third line of defence mandate, as against compliance function which is a second line of defence function.

²⁸⁴ Added for emphasis and clarity

²⁸⁵ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance function; BCBS –Corporate governance principles for banks, July 2015 – para # 133, and modifications for emphasis and clarity

²⁸⁶ DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on compliance function

²⁸⁷ DBOD. No.BC. 116 / 08.139.001/2001-02 dated June 20, 2002 on implementation of recommendations of Dr Ganguly Group Report has coverage of the role of Secretary to the Board. Contents added for emphasis and clarity.

²⁸⁸ Added for emphasis and clarity

²⁸⁹ Added for emphasis and clarity

²⁹⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 139

²⁹¹ BCBS –Corporate governance principles for banks, July 2015 – para # 139

²⁹² Added for emphasis and clarity

²⁹³ BCBS –Corporate governance principles for banks, July 2015 – para # 139

²⁹⁴ BCBS –Corporate governance principles for banks, July 2015 – para # 141

²⁹⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 141

²⁹⁶ BCBS –Corporate governance principles for banks, July 2015 – para # 141

²⁹⁷ BCBS –Corporate governance principles for banks, July 2015 – para # 138; content added for emphasis and clarity

²⁹⁸ BCBS –Corporate governance principles for banks, July 2015 – para # 138

²⁹⁹ Added for emphasis and clarity

³⁰⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 142 with partial modification

³⁰¹ Added for emphasis and clarity

³⁰² DBOD.NO.BP. 40/ 21.04.158/ 2006-07 dated November 03, 2006 on outsourcing and DBS.CO.PPD.05/11.01.005/2016-17 dated August 25, 2016 on internal audit with modifications for emphasis and clarity

³⁰³ Content added for emphasis and clarity in the interest of enhancing auditor independence. As per DBS.ARS.No.BC. 02/ 08.91.001/ 2008-09 dated December 31, 2008 “Audit firms should not undertake statutory audit assignment while they are associated with internal assignments in the bank during the same year. In case the firms are associated with internal assignment it should be ensured that they relinquish the internal assignment before accepting the statutory audit assignment during the year” and DBS.ARS.No.BC.7/08.91.001/2006-07 dated April 24, 2007 as per which “'Banks may take their own decision in this regard, in consultation with the Audit Committee of the Board / Board in the matter of allotment of special assignments to their statutory auditors.'

³⁰⁴ DBS.CO.PP.BC . 10 /11.01.005/2002-03 dated December 27, 2002 guidance note on Risk Based Internal Audit

³⁰⁵ BCBS –Corporate governance principles for banks, July 2015 – para # 142

³⁰⁶ Added for emphasis and clarity

³⁰⁷ Added for emphasis and clarity

³⁰⁸ Added for emphasis and clarity

³⁰⁹ BCBS –Corporate governance principles for banks, July 2015 – para # 142

³¹⁰ Added for emphasis and clarity

³¹¹ To be read along with DBS.ARS.BC.No.3/08.91.020/2011-12 dated October 04, 2011

³¹² To be read along with DBS.CO.FrMC. BC.No.9/23.04.001/2010-dated May 26, 2011.

³¹³ DBS.CO.FrMC. BC.No.9/23.04.001/2010 dated May 26, 2011 on Internal Vigilance in Private Sector / Foreign Banks

³¹⁴ Recommendations of the Banks Board Bureau, March 2018

³¹⁵ Recommendations of the Banks Board Bureau, March 2018

³¹⁶ Added for emphasis and clarity

³¹⁷ Added for emphasis and clarity

³¹⁸ Added for emphasis and clarity

³¹⁹ Added for emphasis and clarity

³²⁰ BCBS –Corporate governance principles for banks, July 2015 – para # 143 with modifications for emphasis and clarity

³²¹ Sections 10 (1) (b) (iii), 10 (2) and 35B of BR Act, 1949

³²² DBR.No.BC.97/29.67.001/2014-15 dated June 1, 2015

³²³ DBR.No.BC.97/29.67.001/2014-15 dated June 1, 2015 with modifications for emphasis and clarity.