Regulatory compliance is a very challenging task for bankers, and digital banking adds to the complexity. Banks need to go beyond regulatory compliance to be safe and successful in digital banking, because regulation is always a catching-up game: the police cannot always outsmart the thief.
2. Banking – challenging times
• Powerful forces are reshaping the banking industry. Customer
expectations, technological capabilities, regulatory
requirements, demographics and economics are creating an
imperative to change. Banks and credit unions need to get
ahead of these challenges and retool if they are to find success
in the upcoming decade.
-- By Jeffry Pilcher, CEO/President & Publisher of The
Financial Brand
• Competition from old and new banks and from fintech
companies
• Economic environment: high NPAs, low growth
• The banking industry is going through a very challenging time
• Banks respond by going digital
3. Digital - in banking space
• Digital is all about making what can be seen unseen –
making services so smooth and seamless that they become
invisible to the customer.
• Digital players like Google, Apple, Facebook and Amazon
may become a new kind of bank. These new banks are
different from traditional or digital banks, because they are
focused on mobile wallets or integrated payment services,
and not on savings. Also, with these banks, you won’t be
able to take cash out of your bank account: it’s all about
digital payments.
• There is a big difference between offering specific
financial services and being a bank
• Partnership between banks and fintech companies is a strong
possibility
4. Digital evolution in Banking
• Computerization – ALPM (Advanced Ledger Posting Machines), TBA (Total Branch Automation), CBS (Core Banking Solution)
• ATM / CDM / POS / cards – debit, credit, wallets
• Internet banking, mobile banking
• NFC, wearables – for outdoor micropayments
• SMAC (social, mobile, analytics, cloud) dominating
product development, delivery and customer engagement
• Data analytics / business intelligence / CRM / machine
learning / robots
• Biometrics / multi-factor authentication to secure
customer interactions
• Security and control standards and frameworks: ISO 27001, COBIT, NIST, COSO
5. Digital push & Key drivers
• Accurate assessment of customer needs – combining rich,
varied data from within the bank and from social media with
powerful analytics tools and techniques
• Big Data and analytics
• Customizing products dynamically to suit individual needs
• Designing content tailored for smartphones, leveraging
functionality like GPS, the camera and fast internet access,
can be a major hook in engaging potential customers
and also an acquisition tool
• Centralization and automation of operations and
processes, delivering speed and effective controls
• Adoption of cloud to reduce cost and time to market
6. Digital Challenges
• The Indian banking industry is focusing on connecting the dots between
the business, operations, technology and regulatory dimensions of the
sector.
• Challenges from the entry of small banks, payment banks and non-
traditional players – latest technology and no legacy baggage
• Innovations in the payment space such as mobile money, e-wallets
and payment aggregators, collaborating with the exploding e-
commerce segment, are taking away banks' cash flows and revenue
streams
• Fintech companies are setting new standards in innovation, time to
market and customer experience, raising the demands on banks
• Unbundling of banking into small segments
• Peer-to-peer lending, social media
• Cryptocurrency / Bitcoin
• Managing risks arising out of digital
• Complying with the regulatory framework in digital areas
• Innovate or perish in a fast-changing digital world
7. Compliance and compliance risk
Definition:
• Compliance literally means ‘obedience’ or ‘dutifulness’. It was essentially about complying with
regulation and conducting business ethically.
• RBI, vide its circular dated April 20, 2007, emphasized the need to put in place an
institutional arrangement commensurate with the increasing complexity and
sophistication of the banking business. Thus compliance evolved as a distinct function of the
bank.
• RBI recognized that the compliance function was yet to be fully cognizant of "compliance risk"
and of the reputational risk arising out of compliance failures, which cause huge economic costs.
• BCBS (2005) defined compliance risk as
“the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a
bank may suffer as a result of its failure to comply with laws, regulations, rules, related
self-regulatory organization standards, and codes of conduct applicable to its banking
activities.”
8. Compliance function- Objective
• The regulatory compliance function is meant for
protecting the bank against breaches of the law, codes, procedures
and ethics, covering issues such as KYC, anti-money laundering, market
abuse, conflicts of interest and security of information.
• Public perception of an organization's compliance standards has a
great bearing on the market capitalization of the company. E.g. ITC,
TCS, Infosys
• The Ghosh Committee report of 1992 introduced compliance in banking; RBI
issued guidelines.
• Recommendations of BCBS
9. Regulatory Compliance : Universe
• Important statutes:
Banking Regulation Act
Companies Act
Reserve Bank of India Act
Foreign Exchange Management Act
Prevention of Money Laundering Act
Information Technology Act
• Regulations by RBI, IRDA and other regulators
• Standards and codes prescribed by
BCSBI, IBA, FEDAI, FIMMDA etc.
• The bank's internal policies and fair practices code
• International standards – Basel II/III
• SOX (in applicable cases)
10. BCBS – 10 principles for compliance (selected principles shown)
1. The bank’s board of directors is responsible for overseeing the management of the
bank’s compliance risk. The board should approve the bank’s compliance policy,
including a formal document establishing a permanent and effective compliance
function. At least once a year, the board or a committee of the board should assess the
extent to which the bank is managing its compliance risk effectively.
3. The bank’s senior management is responsible for establishing and communicating a
compliance policy, for ensuring that it is observed, and for reporting to the board of
directors on the management of the bank’s compliance risk.
5. The bank’s compliance function should be independent.
6. The bank’s compliance function should have the resources to carry out its
responsibilities effectively.
8. The scope and breadth of the activities of the compliance function should be subject to
periodic review by the internal audit function.
11. Responsibilities of compliance function
• To assist senior management in managing the compliance risks
• Advise senior management;
• Provide guidance & education on compliance issues;
• Identify, measure and assess compliance risks;
• Monitor and test compliance and report the findings through the
reporting line in accordance with the bank’s internal risk management
procedures.
• It is widely believed that compliance should always be at the forefront
of employees’ thinking, which underlines the role of “awareness
cultivation”.
12. Regulatory Compliance - Challenges
• Globalization
• Issues with the corporate governance of complex institutions
• Continuously changing understanding of sound operational
management
• Existence of disparate systems – Failure of the systems to talk to
each other and data integrity issues prevent taking a holistic view on
risk and compliance.
• Cyber threats
• Parallel compliance and risk initiatives lead to duplication of efforts
• Numerous and Changing laws and regulations
• Ongoing evolution of products
• Determination of governments and regulators to fight money
laundering, terrorist financing and other illegal financial transactions
13. Compliance – Challenges- 2
• Regulations are mostly reactive and play a catching-up game
• Organizations and their advisors invent innovative ways to circumvent
regulations. The asset quality study conducted by RBI last year in Indian
banks is a classic example of this.
• Internationally, the Basel Committee norms were introduced to improve
governance and compliance standards. Large foreign banks mostly
circumvented them with innovative products such as derivatives, which
few understood and which were unregulated until big banks started
collapsing.
• Rating agencies, a defective governing mechanism in themselves,
contributed further to the failure
• Basel II, though good, failed to prevent the crisis because of this
catching-up game and the tricks of such big organizations.
• Competitive business environment and faulty incentive structures in the
corporate sector.
• The scale and scope of both business and regulation make compliance
challenging
• Increasing compliance failures, regulatory fines and personal legal sanctions
for management.
14. Challenges: Multitude of Regulations
• Looked at in isolation, a piece of regulation is a relatively simple affair
– a legal document containing text that describes what needs to be
done, by whom, when, and how. A compliance officer can decide what
needs to be done to comply and how to demonstrate this to
management and the regulator.
• Multiple regulations, both global as well as regional, have forced
banks to look at increasing their resilience around data management.
• Regulators are moving from standardized reports based supervision to
seeking access to granular underlying data for assessment of the
bank’s risk positions.
• The expanding ambit of regulatory initiatives such as anti-money
laundering, automated data flow, Basel norms, Foreign Account Tax
Compliance Act, etc have a common underlying theme of providing
accurate and reliable data in a timely manner.
• Financial regulators around the world are seeking to ensure banks
conduct themselves with a higher level of professionalism and do not
facilitate illegal activities through their services
• Standardized regulatory tools in the industry supported by a strong
data governance structure will become a norm in the industry.
15. Cyber security Compliance
• In the digital world, securing critical data, transactions and
operations will mean working beyond the traditional network walls
• Adversaries range from nation states and organised crime, often with
no resource constraints, to hacktivists and insiders
• Cyber risk management in the business ecosystem is a complex issue,
requiring boards and managers to engage sophisticated techniques, and
new skills and capabilities to be embedded in the people.
• With the advent of digital technologies, the amount of data is going to
multiply, further increasing the complexity of data management.
• Those that are able to build trust with customers and other stakeholders
for their digital strategies will be successful.
• Cyber security needs to be treated as an enterprise-wide risk for which
banks will need to develop a clear risk appetite
• Various department employees at all levels (from C-suite to junior
management) will require education about cyber threats as cybercrime
will no longer be just the domain of the IT or network security function.
16. RBI Additional regulations - on digital
• The report on internet banking laid down clear
regulations for strict compliance by banks offering
internet banking, under the following broad categories:
• 1. Operational risk issues
• 2. Cross-border issues
• 3. Customer protection and confidentiality issues
• 4. Competitiveness and profitability issues
• Requires a Board-approved note to be submitted to
RBI
• Have clear information security policies in place
• Regular external audits of information security
• Adherence to the Guidelines on Risks and Controls in
Computers and Telecommunications
17. Guidelines on cyber security
• Policy on information classification, storage and archiving
• Policy on record maintenance
• Adoption of standards and frameworks for information security
management such as ISO 27001, COSO, COBIT, NIST etc.
• SOX compliance in applicable cases
• Policy, strategy, role definition and an overseeing executive
committee on cyber security
• An independent CISO of sufficiently senior management rank, with a
dotted-line reporting relationship to the CEO
• An IS audit function with CISA-qualified auditors
• Independent cyber security audit
• Policy on outsourced financial services, with annual
independent audits and reporting to the Board and RBI
18. RBI Mandate on regulatory reporting
• The RBI, in 2010, mandated banks to implement ADF (Automated Data Flow) for
more than 150 regulatory returns to be submitted at regular
intervals. RBI advised using the same ADF platform for
generating MIS reports as well.
• Data cleansing to ensure accuracy and consistency of data.
• Connections between systems to ensure seamless data flow;
manual intervention should be avoided.
• The supervisor is moving from CAMELS to RBS (Risk Based Supervision). The new process
depends on both onsite supervision and offsite
monitoring. It requires the regular flow of large volumes of information
from banks, including the standard Tr-1, IA, 2 and 3 templates
covering operational data as well as information on
compliance.
• The RBI risk rating of a bank depends mostly on the data submitted
• Ensuring accurate, consistent and timely data is the need of
the hour.
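The slide above asks for cleansed, consistent and timely data before a return reaches the regulator. As an added example (not from the presentation and not any RBI or ADF system), the Python below shows the kind of automated pre-submission checks a bank can run: completeness of every row, uniqueness per branch, an as-of date that matches the reporting date, reconciliation of each figure against the core banking system within a tolerance, and coverage of every branch the CBS knows about. The field names (branch, as_of, deposits, advances), the tolerance and both data sets are constructed for illustration only.

```python
"""Automated data-quality gate for a regulatory return before submission.

Added example, not from the original presentation or any RBI/ADF system.
Field names, tolerance and the sample records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed sample: the rows the return generator produced, one per branch.
RETURN_ROWS = [
    {"branch": "B001", "as_of": "2016-03-31", "deposits": 1_250_000.00, "advances": 980_000.00},
    {"branch": "B002", "as_of": "2016-03-31", "deposits": 640_500.00, "advances": None},       # missing value
    {"branch": "B003", "as_of": "2016-03-30", "deposits": 910_000.00, "advances": 700_000.00},  # stale as-of date
    {"branch": "B001", "as_of": "2016-03-31", "deposits": 1_250_000.00, "advances": 980_000.00},  # duplicate row
]

# Constructed sample: the same figures as held in the core banking system (the source of truth).
CBS_BALANCES = {
    "B001": {"deposits": 1_250_000.00, "advances": 980_000.00},
    "B002": {"deposits": 640_000.00, "advances": 510_000.00},   # deposits differ from the return by 500
    "B003": {"deposits": 910_000.00, "advances": 700_000.00},
    "B004": {"deposits": 120_000.00, "advances": 90_000.00},    # branch absent from the return
}

REQUIRED_FIELDS = ("branch", "as_of", "deposits", "advances")
AMOUNT_FIELDS = ("deposits", "advances")
TOLERANCE = 1.00  # assumed rounding tolerance in currency units


@dataclass(frozen=True)
class Finding:
    branch: str
    check: str   # completeness | uniqueness | timeliness | consistency | coverage
    detail: str


def validate_return(rows: list[dict], cbs: dict[str, dict], as_of: date) -> list[Finding]:
    """Return every data-quality finding; an empty list means the return may be submitted."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for row in rows:
        branch = str(row.get("branch", "?"))
        # Completeness: every mandatory field must be present and non-null.
        missing = [f for f in REQUIRED_FIELDS if row.get(f) is None]
        if missing:
            findings.append(Finding(branch, "completeness", "missing " + ", ".join(missing)))
        # Uniqueness: a branch must appear exactly once; skip further checks on a duplicate.
        if branch in seen:
            findings.append(Finding(branch, "uniqueness", "duplicate row for branch"))
            continue
        seen.add(branch)
        # Timeliness: the row must be struck as of the reporting date.
        if row.get("as_of") != as_of.isoformat():
            findings.append(Finding(branch, "timeliness", f"as_of {row.get('as_of')} != {as_of.isoformat()}"))
        # Consistency: reconcile every reported amount against the CBS within tolerance.
        reference = cbs.get(branch)
        if reference is None:
            findings.append(Finding(branch, "consistency", "branch unknown to CBS"))
            continue
        for f in AMOUNT_FIELDS:
            value = row.get(f)
            if value is not None and abs(float(value) - reference[f]) > TOLERANCE:
                findings.append(Finding(branch, "consistency", f"{f} {value} vs CBS {reference[f]}"))
    # Coverage: every branch in the CBS must be represented in the return.
    for branch in sorted(set(cbs) - seen):
        findings.append(Finding(branch, "coverage", "branch missing from return"))
    return findings


def ready_to_submit(findings: list[Finding]) -> bool:
    """The gate: no findings, no submission blocked."""
    return not findings


def demo() -> list[Finding]:
    """Run the checks over the constructed sample for the 31 March 2016 reporting date."""
    return validate_return(RETURN_ROWS, CBS_BALANCES, date(2016, 3, 31))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.branch:5} {finding.check:12} {finding.detail}")
    print("ready to submit:", ready_to_submit(demo()))
```

Run as a script it lists five findings (a missing value and a 500-unit mismatch for B002, a stale date for B003, a duplicate B001 row and an uncovered branch B004) and reports that the return is not ready. In practice the reference figures would be pulled from the CBS or general ledger by the ADF pipeline itself, and a non-empty finding list should stop the file from leaving the bank rather than be fixed by hand in the spreadsheet.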
19. RBI Mandate -2
• Master directions and periodic circulars
• Guidelines on KYC/AML , account opening, operations ,
Customer service
• Credit risk management
• Fraud detection and reporting
• Cash transactions
• Digital Payment systems
• Forex guidelines, FEMA
• Taxation
• Gopalakrishna committee recommendations on
information technology areas
• RBI Directions on cyber security
• Fraud risk management policy and strategy
20. Regulatory compliance - Imperatives
• With several global regulatory bodies shifting their focus on the strength
and capability of IT systems and the state of technology in financial
institutions, it has become imperative for banks as well as larger financial
institutions to develop an integrated IT system as a solution (instead of
the earlier piece-meal approach) that will not only help with the current
regulatory guidelines but also any future developments
• with the banking system becoming complex by the day and with the
growing presence of Indian banks globally, there is a stronger need for
Indian banks to start focusing on areas such as data governance and
integrated management information system ( MIS) across all business
and all regions so that sound business decisions can also be taken based
on the accurate information and regulatory compliance also can be
ensured.
• With numerous digital forays like social media, web sites, marketplaces,
mobile apps and internet banking, banks need to develop capabilities to
comprehensively track all compliance requirements and risk events.
• Banks need to go much beyond the regulatory compliance and put proper
framework in place to take care of unknown/potential threats/exploits.
21. Regulatory Compliance - framework
• Each line function should have a strong compliance unit ,
identifying , recording , testing and reporting all compliance
requirements
• Clear definition as to the role of respective lines of business and
of centralized GRC functions with regard to compliance
responsibilities.
• The centralized compliance department must be headed by a senior,
independent functionary, and a robust reporting and escalation
system must be put in place
• Have formal co-ordination between line of business, Op risk ,
compliance and audit functions.
• Put in place an end to end compliance framework listing all the
regulatory mandates and easily accessible and understandable
to all the stakeholders for ready reference.
• Governance oversight from senior Management and Board
22. Compliance : Way Forward
• Compliance function in banks is one of the key elements in the banks'
corporate governance structure. It has to be adequately enabled and made
sufficiently independent.
• Include people, process and technology (PPT) in the compliance framework
• Each bank has to devise its own compliance program, around the culture of
the organization, involving all levels of functionaries.
• Skilled and trained staff. Staff should have clear understanding of banks
business operations as well as regulatory compliance requirements against
these activities.
• Evolve GRC framework with long term strategies to address Compliance risks
around evolving areas of Channels, products, customers, operations.
• Data quality, MIS , centralized operations management using technology.
• Inculcate compliance culture. In any compliance initiative, people are the
weakest link. Provide training and implement incentive and accountability
policies for ensuring a compliance culture
• As business is on technology platform , Technological capabilities to be
leveraged to address the Governance, Risk and Compliance initiatives.
• Implement automated compliance management and testing systems