The Reserve Bank of India (RBI) has found three weaknesses in entities regulated by it during supervisory exercises in recent years. These are compliance, risk management and internal audit, Deputy Governor MK Jain said in a recent speech.
“Failure/delay in detection and reporting of non-compliances, persisting sub-par compliance, deficiencies in compliance testing with respect to inadequate coverage and limited transaction testing, persisting irregularities due to non-addressing of root causes and not ensuring sustainability of compliance were observed,” Jain said in a speech at CAFRAL on March 10 which was uploaded on the RBI website on Tuesday.
He also observed that in many cases the compliance setup was not adequately resourced with the required number and quality of staff.
Jain said RBI’s supervision observed a disconnect between the risk appetite framework as approved by the Board and actual business strategy and decision making.
He said a weak risk culture was amplified by the absence of guidance from senior management; there was improper risk assessment, and repeated exceptions to risk policies. Conflict of interest was also evident, especially in related party transactions and absent or faulty enterprise-wide risk management.
Commenting on internal audit, Jain said the audit process was unable to capture irregularities, there were instances of non-coverage of certain areas under the scope of audit, and that compliance and audit were not collaborating with each other.
“…lack of ownership and accountability, inadequate review of practices that require alignment to address interests of all stakeholders, non-compliance/delay in compliance with audit observations were some of the major concerns identified,” he said.
He said the banks’ Board must look at cyber risk as an enterprise-wide risk management issue, instead of a pure IT security issue, due to its firm-wide implications.
“RBI has mandated banks to have awareness training programmes for their Board of Directors and senior leadership team and to familiarise them with IT and relevant cybersecurity concepts. The Board must start looking at cyber risk as an enterprise-wide risk management issue, rather than a pure IT security issue, owing to its firm-wide implications,” Jain said.
The comments from the deputy governor come at a time when there have been several instances of cyber fraud involving bank customers who lost their money.
Jain said a bank’s Board needs concise, accurate and timely reports to help it perform its fiduciary responsibilities.
He also said that it is important to ensure that financial institutions are Board driven and do not end up being dominated by individuals.
“Experience has shown that this leads to undesirable consequences,” he said.
He said that the banking regulator expects effective engagement and support from the top management of the bank.
“The board should engage with the oversight and assurance functions and assure them of direct and unfettered access. The ‘tone from the top’ would set the pace for a sound organization culture that values honesty and integrity,” Jain, who handles the supervision department in RBI, among others, said.