Compliance Function and Role of Chief Compliance Officer CCO in NBFCs

The Reserve Bank of India (RBI) released a circular on 11th April, 2022 defining the scope of the compliance function and the role of the Chief Compliance Officer (CCO) in Non-Banking Financial Companies (NBFCs).

Since the Compliance Function serves a critical role in the overall structure of corporate governance, the RBI has decided to introduce certain principles, procedures and standards for the compliance function and the role of the CCO in NBFC-UL and NBFC-ML, in accordance with the principle of proportionality.

Who is a Chief Compliance Officer (CCO) in NBFC? 

A Chief Compliance Officer[1], popularly called the CCO, is a senior official of a regulated entity (a bank or an NBFC) who is responsible for overseeing and managing the entity's regulatory compliance and for checking whether the employees and the management of the company are complying with the applicable laws. The CCO assesses and monitors compliance risk and provides compliance advice to the risk management unit.

Applicability of the circular on Compliance Function and Role of Chief Compliance Officer (CCO) – NBFCs 

This circular applies to the following NBFCs, which are mandated to have an independent compliance function and a Chief Compliance Officer:

  • NBFCs in the Upper Layer (NBFC-UL) and
  • NBFCs in the Middle Layer (NBFC – ML)

This circular, however, is not applicable to NBFCs in the Base Layer (NBFC-BL); they will continue to be governed by the existing regulations in place.

What is the framework for compliance function and role of CCO in NBFCs?

The Compliance Function, along with risk management processes and internal control, forms an integral part of corporate governance. The guidelines in the circular are to be read as a set of minimum prescriptions. NBFC-UL and NBFC-ML have to frame their own guidelines on the lines of this circular, also taking into account their scale of operations, corporate governance framework, organisational structure, risk profile etc.

According to the circular released by the RBI, NBFC-UL and NBFC-ML have been directed to put in place a Board-approved policy and a Compliance Function, along with the appointment of a CCO, based on the following framework:

Risk of Compliance

When an NBFC fails to comply with the laws, regulations, rules, Code of Conduct etc. applicable to its activities, such non-compliance invites the risk of regulatory sanctions, loss of reputation and material financial loss to the NBFC.

Coverage and Scope of Compliance Function

The Compliance Function ensures that all the regulatory and statutory requirements applicable to the NBFC are strictly observed. The scope of the Compliance Function extends to observance of the standards of market conduct, treating customers fairly, ensuring the suitability of customer service and managing conflicts of interest.

Responsibilities of the Senior Management and the Board

The primary responsibility of the Board or the Board Committee is to ensure that a proper Compliance Policy has been put in place and implemented. The Board also needs to prescribe the periodicity for review of Compliance risk.

The role of the senior management includes the following:

  1. To conduct an exercise, at least once a year, to identify and assess the compliance risks that the NBFC may face and accordingly design plans to deal with them;
  2. To submit a detailed annual review of compliance to the Board or Board Committee, along with reviews at the prescribed periodicity; and
  3. To promptly report any material compliance failure to the Board or Board Committee, while ensuring that appropriate remedial or disciplinary action is taken.

Responsibilities of the Compliance Function

  1. The Compliance Function shall be entrusted with at least the following activities:
    1. Assist the Board and senior management in overseeing the implementation of the Compliance Policy, other policies and procedures, internal codes of conduct, prescriptions in Compliance Manuals, etc.
    2. Play a key role in identifying the level of compliance risk in the organisation. The Compliance Function identifies the risks in existing and new products and processes, analyses them and puts appropriate risk mitigants in place. The CCO shall be a member of the 'new product' committee(s). All new products shall be subjected to intensive monitoring for at least the first six months after their introduction, to ensure that the indicative parameters of Compliance Risk are adequately monitored.
    3. Monitor and test compliance by performing adequate compliance testing, and share the results of such tests with senior management. Instances of compliance failures shall be shared with the staff along with preventive instructions. Staff accountability shall be examined for major compliance failures.
    4. Ensure that the regulatory and supervisory directions given by the RBI are followed in letter and spirit, in a time-bound and sustainable manner.
    5. Comply with the directions of other regulators in cases where the activities of the entity are not limited to RBI regulation.
    6. Serve as a reference point for staff seeking clarifications on statutory and regulatory interpretations.
  2. A CCO in NBFC shall be the nodal point of contact between the regulators or supervisors and the NBFC. CCO shall also be a participant in the discussions held with the RBI. The communication to the RBI with respect to the compliance to the RBI inspection report will go through the office of the Compliance Function.
  3. Different departments or divisions of the NBFC may look after compliance with regulatory and other requirements in their own areas. In such cases, the respective departments continue to hold prime responsibility for their areas, which needs to be clearly outlined. Every staff member is responsible for adhering to the applicable statutory provisions and regulations; the Compliance Function, however, is responsible for overall oversight.

Compliance Framework in NBFCs

  • Compliance Policy

A Board-approved Compliance Policy shall be laid down by the NBFC, clearly spelling out its Compliance philosophy, the structure and role of the Compliance Function, expectations on compliance culture, the role of the CCO, and the processes for identifying, managing, monitoring and reporting on Compliance risk. This policy shall be reviewed at least once a year.

The Compliance Policy must cover at least the following aspects:

  1. Focus on the applicable statutory and regulatory compliance requirements;
  2. Measures to ensure the independence of the Compliance Function and its right to freely disclose its findings to senior management or the Board/ Board Committee;
  3. A monitoring mechanism for the compliance testing procedure;
  4. Reporting requirements, including changes in the risk profile and the compliance risk assessment, to senior management or the Board/ Board Committee;
  5. A mechanism to disseminate information on regulatory developments and guidelines among employees, and to periodically update operational manuals;
  6. The approval process for all new products and processes by the Compliance Department prior to their introduction; and
  7. The authority of the Compliance Function to access the information specified under "Authority" below.

  • Compliance Structure

The CCO, after meeting the requirements prescribed in the circular, shall head the Compliance department. NBFCs have been given the freedom to adopt their own organisational structure for the Compliance Function. It must be kept in mind that the Compliance Function should be independent and sufficiently resourced, its responsibilities should be clearly defined, and its activities should be subject to independent and periodic review.

  • Compliance Programme

The NBFC shall carry out an annual Compliance risk assessment in order to identify and assess the major compliance risks it faces and accordingly design a plan to manage them. The annual review carried out by senior management must cover at least the following aspects:

  1. The compliance failures that occurred in the previous year, the consequent loss and regulatory action, and the steps taken to avoid a repetition in the future;
  2. A list of the major regulatory guidelines issued during the preceding year and the steps taken to ensure compliance;
  3. Adherence to the standards set by self-regulatory bodies and accounting standards, and compliance with fair practices codes; and
  4. The progress made in rectifying the significant deficiencies and implementing the recommendations pointed out in the various inspection reports of the RBI and in audits.

  • Authority

The CCO and the Compliance Function shall have the authority to communicate with any staff member and to access any files and records necessary to carry out the entrusted responsibilities in respect of compliance issues. This authority flows from the Compliance Policy of the NBFC.

  • Dual Hatting
  • 'Dual hatting' is not permitted: the CCO shall not be given any responsibility that creates a conflict of interest, especially any role related to business. Accordingly, the CCO shall not be a member of any committee whose responsibilities conflict with the role of CCO, including any committee involved in purchases or sanctions. Where the CCO is a member of any such committee, his/ her role shall be advisory only.
  • The Compliance department shall focus only on compliance functions; its staff may, however, be assigned other roles provided this does not result in a conflict of interest.
  • Qualifications and Staffing of Compliance Function

Just as the staff of business lines and audit/ inspection functions should have basic qualifications and practical experience, the Compliance Function shall have adequate staff with knowledge of statutory/ regulatory guidelines, law, accountancy, risk management and information technology. Appropriate skill planning should also be done to avoid any future skill gap.

The Compliance Function shall be subject to regular internal audit, and the risk assessment framework of the Internal Audit Function shall include Compliance Risk. Audit findings relating to compliance must be shared with the CCO so that they serve as a feedback mechanism for assessing other areas of compliance failure.

Tenure and Appointment of CCO

  1. Tenure of service: The CCO shall be appointed for a minimum fixed tenure of 3 years. Only in exceptional cases may the Board/ Board Committee relax the minimum tenure by one year, provided appropriate succession planning has been put in place.
  2. Removal: The CCO can be removed or transferred before completing the minimum tenure only in exceptional circumstances, with the explicit prior approval of the Board/ Board Committee and after following a well-defined and transparent internal administrative procedure.
  3. Rank: The CCO should be a senior executive of the NBFC, at a position not more than two levels below the CEO. For an NBFC-ML, a relaxation of one further level has been given. If the NBFC considers it necessary, the CCO may also be recruited from outside the organisation.
  4. Required skills: The CCO must have a good understanding of the industry, be well versed in the regulatory requirements and risk management practices, and be sensitive to supervisory expectations.
  5. Level of freedom: The CCO should have the freedom to take decisions independently, be allowed to interact with the regulators independently, and ensure compliance with the regulations.
  6. Track record: The CCO should have a clean record and unquestionable integrity.
  7. Appointment: The CCO shall be selected through a well-defined selection process, on the recommendation of a committee constituted by the Board or Board Committee for the purpose. The final decision on the appointment shall be taken by the Board/ Board Committee only.


The circular has to be placed before the Board of Directors at its next meeting, so as to inform the Board and initiate, under the Board's supervision and in a time-bound manner, the devising of an implementation strategy for the mandatory appointment of the CCO and the scope and functioning of the Compliance Function.
