Banks are fundamental to the nation's financial system. The central bank has a critical role to play in ensuring the safety and soundness of the banking system, and in maintaining financial stability and public confidence in this system.

Date : Sep 23, 2019
Regulatory and Supervisory Expectations on Compliance Function in Banks
(Shri M. K. Jain, Deputy Governor, Reserve Bank of India - Tuesday, August 20, 2019 - at Financial institution Benchmarking and Calibration (FIBAC) 2019 – the Annual Global Banking Conference organised by IBA and FICCI, Mumbai)

Shri Sunil Mehta, Chairman – IBA, Chairmen and Chief Executive Officers of banks, other dignitaries and participants, Good Evening to all. This conference brings in the best minds from the Indian banking fraternity, the technology, knowledge and other service providers together to deliberate the latest developments and future agenda for banks in India. It is indeed a great pleasure to be amongst you here today.

The banking landscape of India is changing rapidly. With the evolution of technology, the entire industry has undergone a massive transformation that has changed the way financial procedures are carried out, and the way financial institutions operate. The collaboration between finance and technology has led to a radical change in several aspects of banking. Financial technology is said to be a disruptive force that in the future is expected to reshape the financial sector, business models and banking structures. This paradigm change has posed significant challenges to the banks as well as the regulators. One of the important challenges is ‘compliance’, a very important aspect of a sustainable success story for any banking and financial system. I am going to share my thoughts on this aspect today.

Compliance is defined as the act of following laws, rules, regulations, and various codes of conduct including the voluntary ones. Although most of these arise from external requirements, following the organization’s own internal rules, policies, and procedures, and acting in accordance with ethical practices, is equally important. A strong compliance culture should also ensure adherence to fair practice codes, manage conflicts of interests, and treat customers fairly, with the larger objective of delivering efficient customer service. Thus, compliance shall go beyond what is legally binding and embrace broader standards of integrity and ethical conduct.

Benefits of good compliance culture

It is very important for banks to demonstrate a good compliance culture to maintain their reputation and win the trust of customers, investors and regulators. Such culture is important for banks to avoid poor conduct and loss of trust.

A good compliance culture can benefit banks in several ways[1], which include: i) low organizational and individual risk; ii) low reputational risk; iii) less hesitance and more confidence among employees while performing their jobs; iv) help in attracting and retaining talent and ensuring employee engagement; v) improved transparency which enables better decisions; vi) enhanced relationship with regulators and other stakeholders; and vii) enhanced valuation among investors.

In a stress tests survey conducted by banks, it was observed that compliance can have some business benefits. Over a third of bankers who have undergone the stress testing program indicated that top benefits of complying with stress testing principles are better informed capital planning decisions, and maintaining[2] a forward-looking view of the organization’s risks.

We, therefore, need to embrace compliance if we want customer satisfaction which eventually leads to better return on equity.

Costs of poor compliance culture

Compliance risk is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities. On the other hand, an effective process would identify compliance risks in each business line, product and process, and devise ways to mitigate such risks. The processes and requirements should be properly documented with a list of do’s and don’ts accompanying the same. The instances of failure to adhere to proper conduct should be converted into case studies and disseminated among the staff for education and entrenchment of desired attitudes.

Banks should eschew the tendency to treat compliance merely as cost and should recognise that proper conduct saves the bank from possible reputational loss and penalties – thus, generates hidden earnings which most banks do not quantify, and hence do not realise. A poor compliance culture may lead to heavy costs to the banks. Globally, from the beginning of the financial crisis and until 2020, penalties and fines on banks are expected to top USD 400 bn. Quinlan and Associates, a Hong Kong-based financial services consultancy, estimated that bad behaviour had erased $850 billion in profits for the top 50 global banks since the 2008 financial crisis in the form of write-downs, trading losses, fines and higher compliance costs[3]. From June 2018 to July 2019, the Reserve Bank has imposed monetary penalties on 76 occasions amounting to ₹ 122.9 crore on various commercial banks operating in India.

However, fear of fines and penalties will not be enough to keep up with the evolving nature of regulations. But a financial management system with built-in control makes compliance an everyday practice that enables the organisation to operate at greater efficiency. In addition, sound governance creates a conducive environment for the values of compliance, integrity, trust, and respect for the law to thrive in the organisation’s culture. As a result, a bank can empower its entire organization to operate with responsibility while maintaining the flexibility necessary to stay ahead of ever-evolving regulations and business challenges.

Compliance culture – Indian scenario

Reserve Bank of India had introduced a system of “Compliance Officer” in banks way back in August 1992, based on recommendations by the Committee on Frauds and Malpractices in Banks (Ghosh Committee). The role of compliance officers came into sharper focus since 1995 when the General Manager in charge of Audit and Inspection was made responsible for the compliance functions, with a requirement for periodic reporting or certification on compliance functions directly to the CMD. However, it was gradually recognized that the circumference of compliance functions in banks needed to be not only enlarged, but also clearly defined, especially in a scenario where successive Annual Financial Inspection Reports prepared by the banking supervisor highlighted a host of compliance deficiencies. RBI’s recognition for the need and importance of compliance functions received a further impetus after Basel Committee on Banking Supervision (BCBS) issued the High Level Paper on Compliance Risk and Compliance Function in Banks in April 2005. These principles formed the basis for our work on issuing rigors for compliance functions in banks, in the year 2007. Subsequent to the financial crisis, the focus on compliance has gone up significantly, especially in the area of conduct, KYC/AML, suitability and appropriateness of banking products offered to a specific customer.

In this context, and acknowledging the benefits offered by a good compliance culture and costs of poor conduct, the compliance culture of Indian banks needs to be strengthened. During the course of the supervisory process, the Reserve Bank has observed various lacunae in the compliance culture of Indian banks. Some of the weaknesses and irregularities observed have been recurring in spite of the averments made by bank managements having carried out remediation. My expectation from the banks is that they make serious efforts towards overall improvement of their compliance function.

It will not be an exaggeration to say that some of the big losses suffered by banks on account of frauds could have been avoided if a good compliance culture was ingrained in respective banks. As defined earlier, compliance also includes adherence to internal policies and procedures of banks. In most cases of frauds, a common thread is non-adherence to internal policies and procedures by employees concerned. Increasing incidences of frauds in recent years, the quantum of amounts involved and also the complexities of modalities adopted highlight the importance of a strong compliance culture in the banks.

Compliance Risk relating to Cybersecurity

On a specific note, in technology driven banking, compliance with cybersecurity guidelines is gaining importance. Generally, cyber resilience frameworks aim to address three broad issues – confidentiality breach (confidential data being stolen), availability breach (systems are intact, but services are made unavailable), and integrity breach (corruption of data or systems affecting the integrity of information and processing methods). Compliance risk relating to these breaches is gaining significance and needs to be addressed on priority.

Minimum supervisory expectation on compliance culture

Compliance starts at the top. It may be recalled that, in February 2019, I had drawn attention of the CEOs of select banks, wherein the board of directors along with the senior management were urged to set the tone at the top and usher in a strong compliance culture in banks. Compliance should be an integral part of the culture of the organisation; it should not just be the responsibility of staff working in compliance function. It should be a shared responsibility of each staff member of the bank, and business unit of a bank should be equally responsible for any non-compliance. A bank should hold itself to high standards when carrying out business, and at all times strive to observe the spirit as well as the letter of the law. Failure to consider the impact of its actions on its shareholders, customers, employees and the markets may result in significant adverse publicity and reputational damage, even if no law has been broken.

Strong compliance culture is a pre-requisite for an effective compliance function.

If we may further delve into it, a robust compliance culture has the following essential elements:

Tone from the top: Whether the value statements of Board members, senior management are in sync with value demonstration in actions. The Board’s oversight over compliance function should not be limited to framing policies, and its periodic review. A bank’s compliance policy will not be effective unless the Board of Directors promotes values of honesty and integrity throughout the organisation. The Board should also formulate and maintain a quality assurance and improvement program that covers all aspects of the compliance function.

Accountability: The bank’s senior management is responsible for effective adherence to the compliance policy of the bank by the management and staff, and for ensuring that compliance risk is minimised. Culture of owning the responsibility individually and collectively by board; clear demarcation of accountability of senior management, functional head and operational head; role of business unit as first line of defence and role of internal audit as third level of defence in facilitating robust compliance culture are all important.

Communication: Clarity and transparency should be promoted by making a distinction between general standards for all staff members and rules that only apply to specific groups of staff. An effective compliance culture requires continuous communication of expectations on risk and compliance and practices across the bank; compliance awareness channels for existing and new Board members, senior management and employees; process for containing conduct risk and whistle-blower mechanism.

Incentive Structure: An adequate incentive structure should be in-built in the bank’s decision making systems and processes to achieve the desired compliance culture.

Ex Ante and Forward Looking: Compliance is distinct from other assurance functions viz., risk management and internal audit. The focus of the compliance function should be preventive compliance. By definition, preventive compliance would assess the activities of the bank before hand and prevent non-compliant activities/transactions from being carried out. Compliance should be an ex ante activity and forward looking.

Compliance Organisation, Authority and Resources: A bank should organise its compliance function and set priorities for managing its compliance risk in a way that is consistent with its own risk management strategy and structures. For instance, some banks may wish to organise their compliance function within their operational risk function, as there is a close relationship between compliance risk and certain aspects of operational risk. Others may prefer to have separate compliance and operational risk functions, but establish mechanisms requiring close co-operation between the two functions on compliance matters. Regardless of how the compliance function is organised within a bank, it should have sufficient authority, stature, independence, resources and access to the Board. Its responsibilities should be clearly specified, and its activities should be subject to periodic and independent review by the internal audit. Management should respect the independence of the compliance function and not interfere with their fulfilment.

Nevertheless, even at the cost of repetition, I would like to stress that compliance is a shared responsibility of each and every staff of the bank.

Importance of Corporate Governance

While feedback mechanisms are important in a bank to permeate a strong compliance culture, an enabling environment in a bank that fosters such culture embedded with strong internal control has to emanate from the directions of the Board. Aspects with benefits to the bank not apparent have to be enforced through a top down approach.

Corporate governance determines the allocation of authority and responsibilities by which the business and affairs of a bank are carried out by its board and senior management, including how they align corporate culture, corporate activities and behaviour with the expectation that the bank will operate in a safe and sound manner, with integrity and in compliance with applicable laws and regulations. In this context, it may be noted that the Board should adopt policies in accordance with each bank’s size, complexity, risk appetites, business model and philosophy. Board approved policies should factor in entity specific vagaries. Also, mere adoption of policies does not solve anything. An effective implementation of Board approved policies is essential to percolate down the philosophy embedded in policy throughout the firm. A strong compliance culture has a significant role to play in this context.

A lot of improvement is needed in compliance culture across banks. As a supervisor of banks, the Reserve Bank has keen interest in sound corporate governance and compliance culture, as it is an essential element in the safe and sound functioning of a bank and if not followed effectively may adversely affect the bank’s risk profile. Well governed banks contribute to an efficient and cost-effective supervisory process, as there is less need for supervisory intervention. Such sound culture would help in building organisations that are strong, resilient, disciplined and enjoy the benefits of sustained growth and customer confidence. It will also pre-empt several supervisory actions, and attendant reputational risk, that would follow in case transgressions are detected.

Role of compliance has been gaining wider attention across the globe and it has been acknowledged by the central banks and bankers alike that compliance warrants considerable attention. Regulators, supervisors and international standard setters have become increasingly cognizant of the fact that merely enacting rules and regulations is a futile exercise unless these are complied with, both in letter and spirit, by the regulated entities.

Sound corporate governance and compliance culture will permit the supervisor to place more reliance on the bank’s internal processes. In this regard, supervisory experience underscores the importance of having appropriate levels of authority, responsibility, accountability, and checks and balances within each bank, including those of the board of directors, senior management and the assurance functions by way of risk, compliance and internal audit.

I am hopeful that deliberations over the past two days on emerging trends in banking, changes in global regulatory landscape, the new bankruptcy regime in India and technological innovations affecting the way banks do business would prepare banks to not only cope up with the emerging challenges, but also help banks to use the opportunity provided by the new paradigm to further the agenda of inclusive and compliance oriented banking in the country.


  1. Bank for International Settlements, “Compliance and the compliance function in banks”, BIS (2005)

  2. Bank for International Settlements, “Corporate governance principles for banks – Guidelines”, BIS (2015)

  3. Flannery, Mark J., “Market Discipline in Bank Supervision”, Chapter 15 of The Oxford Handbook of Banking, First Edition, OUP (2010)

  4. Hagendorff, Jens, “Corporate Governance in Banking”, Chapter 6 of The Oxford Handbook of Banking, Second Edition, OUP (2015)

  5. Mundra, S. S., “Re-emphasizing the Role of Compliance Function In Banks”, Speech delivered at the CAFRAL Conference of Chief Compliance Officers in RBI, Mumbai (2014)

  6. Chakrabarty, K. C., “Compliance function in banks – back to the basics”, Speech delivered at the launch of certificate programmes on compliance function and training, Mumbai (2013)

  7. Padmanabhan, G., “Emerging Issues in Cyber Security in the Financial Sector”, Speech delivered at the Sri Chithira Thirunal Memorial Lecture Series organised by the State Bank of Travancore, Thiruvananthapuram (2015)