S S Mundra: Re-emphasizing the role of compliance function in banks
The views expressed in this speech are those of the speaker and not the view of the BIS.
Assistance provided by Ms Ranjana Sahajwala in preparation of this address is gratefully acknowledged.
1. Shri G. Gopalakrishna, Director, CAFRAL; Shri P.R. Ravi Mohan, Chief General Manager-in-Charge, Department of Banking Supervision, Reserve Bank of India (RBI) and the conference participants! It is a pleasure for me to deliver the keynote address at this Conference of senior representatives of the compliance departments of commercial banks. Across the globe, it is an accepted fact that compliance is an area that warrants considerable attention. In recent times, the emergence of compliance function as an area of greater focus is an acknowledgement of the damaging impact of non-compliance, not only on an entity's own reputation but, more broadly, also on the confidence in the system. Regulators, supervisors and international standard setters have become increasingly cognizant of the fact that merely enacting rules and regulations is a futile exercise unless these are complied with, both in letter and spirit, by the regulated entities. Not surprisingly, on account of a bigger push from the regulators/supervisors, the compliance function has assumed massive significance within the bank's internal structure and organization. In my address today, I intend to talk about the relevance of compliance function within the bank's overall business strategy, operations and conduct and re-emphasize some of the key elements of the compliance framework that we would want to see in practice in our banks.
Background
2. It has been some time now since the Global Financial Crisis (GFC) first broke in 2008, extending its impact across the globe over time. Indeed, complete recovery of the financial system from the strenuous impact of the Crisis is yet to be accomplished. The years since the Crisis have extensively been dedicated by international standard setters and domestic authorities to both enhancing and reorienting financial sector regulations to ensure the sector's resilience in the face of present and future problems. However, even while standard setters and regulators have remained engaged in plugging the regulatory loopholes, several instances of misconduct on the part of banks continue to come to light, which keep reminding us of the need to refocus on the issue of "compliance" in banks. Let me, therefore, begin by highlighting some of these recent instances of misdemeanors by banks in compliance-related matters which have had debilitating consequences in the form of massive penalties.
Global episodes
3. i) In 2012, JP Morgan Chase & Co was involved in the so-called "London whale" trades in the bank's "Synthetic Credit Portfolio" comprising of credit default swaps and related instruments. The bank's trading strategy, which intended to serve as a hedge against credit risk, was unscrupulously used by its traders to build risky positions, thereby raising doubts about the efficacy of the internal compliance process. In a scathing indictment of the internal control and compliance machinery, Jaime Dimon, the CEO of J. P. Morgan remarked, "Chief Investment Office, particularly the Synthetic Credit Portfolio, should have gotten more scrutiny from both senior management, and I include myself in that, and the Firm-wide Risk control function. - Make sure that people on risk committees are always asking questions, sharing information, and that you have very, very granular limits when you're taking risk. -. In the rest of the company we have those disciplines in place. We didn't have it here."1 The bank eventually lost more than US$ 6 billion and ended up paying US $920 million in penalties for settling probes by the UK and US investigators. As the losses piled up, the bank also misled investors and public through incorrect disclosures and withheld information from the regulators.
ii) Also in 2012, HSBC Holdings was hauled up by regulators of three jurisdictions for Anti-Money Laundering (AML)/Combating Financial Terrorism (CFT) violations in transferring money illegally through its subsidiaries. Several lapses were identified in HSBC's AML compliance which included ignoring internal warnings on inadequacy of internal monitoring systems, mis-categorization of Mexico as a "low risk" country leading to transactions being exempt from detailed monitoring, etc. A fine of US$ 1.9 billion was imposed on HSBC Holdings.
iii) Another gross misdemeanour that surfaced in 2012 involved long term manipulation of the LIBOR rate by multiple banks. The investigations revealed that the rate contributions made by banks to determine the sacrosanct benchmark rate, which is used to settle trillions of dollars of loans and transactions worldwide, was being consistently and deliberately wrongly reported by several banks (Deutsche Bank, Societe Generale, Citigroup, Royal Bank of Scotland, Barclays, UBS, J P Morgan Chase), over a period of time, for monetary gains, in violation of market standards and codes. The manipulated submissions were made with the intention to mislead and present a healthier outlook than the actual position of banks' credit quality, profitability and ability to raise funds. Penalties ranging from US$ 1 to 3 billion were imposed on the banks.
iv) In May 2014, the Federal Reserve Board (FRB) imposed a US$100 million penalty on Credit Suisse for unsafe and unsound practices as well as a failure to comply with the banking laws governing its activities in the US. A "cease and desist" order requiring the bank to promptly address deficiencies in its oversight, management, and controls governing compliance with U.S. laws has also been issued.
v) More recently in August 2014, Standard Chartered Bank has been penalised US$ 300 million by the Department of Financial Services, US for its failure to remediate AML compliance problems, as required in the 2012 settlement with the New York State Department of Financial Services (NYDFS). The bank had failed to review high-risk transactions even two years after the 2012 settlement, where it had agreed to reform its practices. Other sanctions and the requirement of further enhancing due diligence for AML compliance have also been imposed. Way back in 2012, NYDFS had observed that the bank was permitting US$ transactions with certain restricted countries and had also hidden such transactions from the regulators. It was alleged that the bank's actions left the US financial system vulnerable to terrorists, corrupt regimes and deprived law enforcement investigators of crucial information used to track all manner of criminal activity. The bank agreed to pay a negotiated penalty with an express agreement to reform its practices with regard to monitoring of high-risk transactions, which it failed to do till 2014.
Domestic incidents
4. Closer home, instances of non-compliance have also troubled the Indian banking sector. Let me recount some instances:
i) A few years ago, in 2007-08, several banks were found involved in mis-selling complex derivative products to unsophisticated and naïve customers, blissfully unaware of the risks involved in these products. Guidance on customer suitability and appropriateness provided in RBI's comprehensive guidelines on derivatives were ignored by banks in their pursuit of business and profits. Penalties were imposed on several banks.
ii) In 2013, several Indian banks were penalised by RBI for non-adherence to certain KYC/ AML requirements such as customer identification procedure, risk categorization, periodical review of risk profiling of account holders, periodical KYC updation, KYC for walk-in customers, etc.
iii) Non-compliance with set rules, both regulatory and internal, has also resulted in a rise in the number of frauds in banks. In July 2014, RBI imposed penalties on 12 banks for their non-compliance with regulatory guidelines in the conduct of the loan and current accounts of M/s Deccan Chronicle Holdings Ltd. These lapses on the part of banks facilitated the company in defrauding the banks.
iv) More recent instances of some banks having been embroiled in frauds and misappropriation relating to the fixed deposits created by them have come to light. These frauds could be attributable to a possible lack of adequate due diligence and non-adherence to internal norms and procedures.
5. The above examples of compliance failures not only raise issues of confidence and business ethics and cast a negative reputational impact, but also lead to deleterious outcomes in the form of losses, fines and penalties, strictures and restrictions. The reputational risk emanating from events of non-compliance and the consequent imposition of penalties needs to be viewed seriously.
Increasing significance of compliance
6. Post crisis, considerable progress has been made in enhancing and refining regulatory/supervisory standards, the gradual implementation of which will be achieved in stages till 2019. An important aspect of the reform measures is a greater focus on ensuring compliance with the standards across jurisdictions on a sustained basis. The compliance function is where all this comes together - ensuring that all applicable rules, regulations and standards are adhered to and implemented coherently, consistently and in the right spirit.
7. At the global level, international standard setters such as the Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board (FSB) have now put in place peer review mechanisms to ensure that national jurisdictions comply with international standards in right measure and spirit. These are in addition to the existing assessments of compliance of jurisdictions to international standards done by the International Monetary Fund (IMF)/World Bank, under the Financial Sector Assessment Programs (FSAPs). Within national jurisdictions, regulators/supervisors and financial sector entities have realized the significance of the compliance function in ensuring good conduct of business at the entity level and facilitating a safe and sound banking system at the systemic level. Consequently, assessment of compliance is increasingly being focused on in supervisory oversight.
Is compliance a specific risk area?
8. The Basel Committee on Banking Supervision, in its guidance "Compliance and the Compliance function in banks", issued in April 2005 states "the compliance function is an independent function that identifies, assesses, advises on, monitors and reports on the bank's compliance risk, that is, the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities".
9. What is the "compliance risk" referred to above? Is it an independent risk that banks need to manage just as they manage credit risk, market risk or operational risk? Is it a subset of another risk or is it simply a function that needs to be performed as part of banking business? In the era of traditional banking business, simple products, and intense regulation, compliance was relatively simple. Banks had to comply with the provisions of the specific Acts and regulations set by the regulators. Compliance then could be identified simply as a function to be discharged as part of business. However, with globalization, liberalization, increased adoption and integration of IT in the business processes along with the introduction of new, innovative and complex products, the compliance function has gained in stature and significance. While compliance may still not be considered an independent "risk" function, over the last few years, it has definitely evolved as an independent function in banks that impacts other risk/s.
10. Compliance is generally considered to be a part of operational risk. Under Basel II, operational risk is defined as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk" (Basel Committee on Banking Supervision 2006, p. 144). Legal risk itself is defined as "including, but-not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements" (Basel Committee on Banking Supervision 2006, p. 130). From this definition of legal risk one can see that compliance risk forms part of it and consequently is also considered to be a part of operational risk under Basel II/III.
What does compliance entail?
11. Let me now elaborate upon what compliance function really entails. In the present day context, compliance function encompasses several dimensions. I will discuss some of these in detail:
i) Prudential and regulatory compliance
Prudential and regulatory compliance includes compliance with directives and guidance of the regulator. For banks, this includes regulations emanating from the various departments of RBI, for example, regulations relating to income recognition, asset classification, provisioning, restructuring, capital adequacy, liquidity, disclosures, priority sector lending, exposure norms, etc.
For banks whose activities transcend the other segments of the financial sector(whether carried out departmentally or through subsidiaries) compliance with applicable regulations of other domestic regulators, viz. Securities and Exchange Board of India (SEBI), Insurance Regulation and Development Authority (IRDA), Pension Fund Regulation and Development Authority (PFRDA) also form part of prudential and regulatory compliance. For banks that have overseas operations in the form of branches, subsidiaries or joint ventures, compliance with prudential and regulatory norms of host country regulators is also important.
ii) Integrity and market conduct
In order to ensure the integrity of the financial system and to guard against its misuse for illegal purposes, compliance with AML and CFT rules has assumed great significance globally. The AML/CFT rules are based upon the Financial Action Task Force (FATF) recommendations. It is incumbent upon banks to diligently ensure compliance with these rules. AML/CFT compliance in banks is assiduously assessed by regulators/supervisors to ensure that the safety and soundness of the institution and whole of the financial sector is not being compromised on account of non-compliance with these rules.
Market conduct guidelines are also issued by various self-regulatory organizations within the financial sector. In India, we have the Banking Codes and Standards Board of India (BCSBI), Indian Banks Association (IBA), Foreign Exchange Dealers Association of India (FEDAI), Fixed Income Money Markets and Derivatives Association of India (FIMMDA), etc. that provide guidelines/guidance on various aspects relevant to the structuring of banking products. Such guidance, being based on good market conduct, also needs to be complied with. I must also sound a note of caution here. The inability of the financial market players to ensure fair treatment to consumers and their indulgence in unfair market practices has forced some of the jurisdictions to create a separate market conduct regulator. This has happened in UK, France, Australia and South Africa and there is no reason why it could not be replicated in India, if we did not mend our ways quickly. A separate regulator would mean additional regulatory and compliance burden for the banks. This should give you an added incentive to comply with the current regulations.
iii) Legal compliance
Compliance with various applicable laws and rules relating to the setting up of banks, tax laws and other legal enactments form an important part of compliance. In India, for example, compliance with the applicable provisions of the Banking Regulation Act 1949, Reserve Bank of India Act 1934, Foreign Exchange Management Act 1999, etc. is mandatory.
iv) Internal compliance
The prudential and regulatory compliance requirements, market conduct and integrity standards, and legal compliance requirement coupled with bank specific issues all culminate in various internal rules and policies. In recent times, there has been a growing trend towards encouraging banks to create their own internal control framework through a network of policies and procedures that would be best suited to meet the specific needs of the organization. It is crucial for banks to ensure that internal compliance is adhered to with the same commitment as required for ensuring prudential, regulatory as well as legal compliance. No doubt, the primary position relating to internal compliances rests with the business area/unit within the bank. However, a pro-active role by the compliance function will provide strong impetus to internal compliance as well.
RBI guidelines on compliance function in banks
12. In 2007, RBI issued guidelines to banks on the compliance function based on the Basel Committee guidance. The guidelines articulated the minimum requirements for putting in place an effective compliance function in banks. The guidelines also intended to guide bank-led "Financial Conglomerates" in managing their "Group wide compliance risk". Acknowledging the significant differences among banks with regard to their scale of operations, their risk profiles and organizational structures, the guidelines exhorted banks to organize their compliance functions and set priorities to manage their compliance risks.
13. The guidelines stipulate that the compliance function has to necessarily be an integral part of governance framework along with the internal control and risk management process. Further, for the function to be effective, it is necessary that compliance is not merely viewed as a responsibility of an individual or a department, but is supported by a healthy compliance culture within the organization. The guidelines clarify that the compliance function should have the right of direct access to the Board of Directors or to the Audit Committee/other Committee of the Board. Further, the Board or the Audit Committee or the special Committee of the Board could meet with the head of compliance at suitable intervals to assess the extent to which the bank is managing its compliance risk effectively. Thus, there is equal emphasis on ensuring independence of the compliance function and ensuring that it pervades all activities of the enterprise.
14. The guidelines provide for having in place a Board approved compliance policy, a clear structure for the compliance department/unit, quality, tenure and location of compliance staff and the responsibility of the Board and senior management in ensuring an effective compliance culture in the bank. Banks need to nominate Chief Compliance Officers to function as the nodal point of contact between the bank and the regulator.
15. It is heartening to note that all banks in India now have in place dedicated compliance personnel, a compliance unit or a full-fledged compliance department depending upon their size and business. In many banks, the compliance unit/department is a separate unit with interaction/cooperation mechanisms for interaction with the risk management department and direct reporting lines to the Board/Committee. I only urge proactive action from the compliance department personnel and support from bank managements in nurturing a thriving compliance culture within their respective organizations.
RBI assessment of efficacy of compliance process in banks
16. As I mentioned earlier, compliance assessment is an integral part of supervisory oversight. Over the last few years, increasing attention is being paid by RBI on the extent, nature and quality of compliance by banks to various applicable rules and regulations; both under the annual financial inspection (AFI) process as well as the recently introduced risk-based supervision (RBS) process. In both approaches, compliance assessment plays an important role in the final rating assigned to a bank.
i) Compliance review under AFI
Under the AFI process, a detailed review of the compliance function, its working and the status of bank's compliance with extant statutory, legal, regulatory, market conduct and other applicable Acts is undertaken. Based on the key deficiencies, a Monitorable Action Plan (MAP) is prepared for each bank in consultation with the bank, laying down action points, clear deliverables and timelines. The progress made by the bank in achieving compliance is closely monitored by RBI.
ii) Compliance review under RBS
Starting 2013, the supervision of several banks is being undertaken under the RBS approach. One of the key assessments made under RBS is the extent of a bank's compliance to the existing statutes, regulations and norms. Specific information relating to a bank's compliance with various laws, rules and regulatory guidelines is called for from the bank (Tranche 3 information), which is assessed off-site, supplemented by a subsequent on-site review. Based on the compliance risk identified, a Risk Mitigation Plan (RMP) is prepared for each bank in consultation with the bank, laying down the roadmap for mitigating identified risks with clear timelines. RMPs are rigorously monitored by RBI.
Conclusion
17. Let me conclude by underscoring the need for a sound compliance function in a bank. The compliance function is at the center of value creation in a bank, strengthening public confidence, preserving and enhancing its reputation, and maintaining the integrity of its business and management. In effectively performing this function, in my view, compliance needs to be supported unconditionally through engagement from the top, which includes the Board and the senior management. The "tone from the top" would set the pace for a sound compliance culture that values honesty and integrity. This would also entail strengthening the edifice of the function, which includes a well-rounded compliance structure with appropriate IT and quality HR resources in terms of number of qualified staff, training and skill development, independence, interaction with other areas and clear and direct reporting. Another crucial element for the success of compliance function is inculcation of strong ethics within the organization, which can override profit motive and business target considerations.
18. Finally, from the regulator's perspective, compliance is absolutely non-negotiable. Full compliance with all applicable laws, rules and regulations is a must. This belief has to find roots at the top and steadily percolate to all levels in a bank. Going forward, the compliance function in banks will need to play a greater and more proactive role in business operations as well as risk management. Let me remind that the cost of non-compliance has been steadily rising as seen from the instances I recounted earlier.
Before I close, I would like to once again thank CAFRAL and Shri Gopalakrishna for inviting me to this Conference and wish the deliberations all success.
Thank You!
1 Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses (http://files.shareholder.com/downloads/ONE/2272984969x0x628656/4cb574a0-0bf5-4728-9582-625e4519b5ab/Task_Force_Report.pdf)