What changed
RBI has issued consolidated guidelines on compliance functions, building on earlier circulars from 2007 and 2015.
What it means for you
Banks must now formalize and standardize their compliance function, ensuring CCOs have sufficient independence and tenure to enforce regulations. This reduces the risk of CCOs being removed for raising concerns, strengthening the compliance culture. Lenders will need to update their HR policies and selection processes to meet the new eligibility and tenure requirements, potentially impacting senior-level appointments.
What you must do
- Review and update your bank's compliance policy to align with RBI's requirements, including annual review and a quality assurance program.
- Ensure the CCO appointment process includes a minimum 3-year fixed tenure and meets all eligibility criteria (age, experience, rank, no pending vigilance cases).
- Establish a transparent internal procedure for any premature transfer or removal of the CCO, requiring explicit Board approval.
- Conduct an independent external review of the compliance function's quality assurance program at least once every three years.
Who it affects
All Scheduled Commercial Banks (excluding RRBs), Local Area Banks, Small Finance Banks and Payment Banks, together with their Chief Compliance Officers (CCOs), Boards of Directors and Audit Committees.
What is the minimum tenure for a CCO under the new guidelines?
The CCO must be appointed for a fixed tenure of at least 3 years. Any premature transfer or removal requires explicit Board approval and must follow a well-defined internal procedure.
What are the key eligibility criteria for a CCO?
The CCO must be a senior executive (preferably GM rank or equivalent, not below two levels from CEO), aged not more than 55 years, with at least 15 years of banking/financial services experience including 5 years in audit/finance/compliance/legal/risk management. No pending vigilance cases or adverse RBI observations are allowed.
How often must the compliance policy be reviewed?
The Board-approved compliance policy must be reviewed at least once a year. Additionally, the quality assurance and improvement program for the compliance function must undergo an independent external review at least once every three years.