Deputy Governor Shri Rao, Heads of Assurance functions from Urban Cooperative Banks, and my colleagues from the Reserve Bank of India. A very good morning to all of you.

1. The Reserve Bank of India has been engaging with its supervised entities regularly over matters of governance and effectiveness of assurance functions. We have had a series of engagements with the Boards of Directors of both commercial and cooperative Banks conveying the importance of strong corporate governance and remaining vigilant to ensure the continuing stability of the financial sector. We have also been meeting the heads of assurance functions, recognising the key role these functions play in ensuring the safety and soundness of the banks and promoting regulatory compliance. Today’s conference is an extension of our efforts to engage with assurance functionaries.

2. Assurance functions namely, the risk management, internal audit and compliance functions play a very crucial role, as guardians ensuring the bank operates safely, ethically and within regulatory and legal boundaries. Assurance functionaries, by becoming effective gatekeepers, can give the required comfort to all stakeholders that the bank is on the right track, its systems are strong, its operations are reliable, and its risks are managed effectively. As conscience keepers of the bank, they are intended to detect and prevent any deviations or build-up of any potential risks, safeguard the reputation of the bank and help uphold the trust of its customers and other stakeholders.

3. In the ever-changing landscape of banking, new risks constantly emerge. While traditional risks like credit, market, and liquidity risks remain significant, we now face new challenges such as cybersecurity threats and operational disruptions.

4. The proliferation of digital technologies and the interconnected nature of financial systems have exposed banks to a myriad of cyber threats, ranging from data breaches to malicious ransomware attacks. The potential impact of a successful cyberattack on a bank's operations, reputation, and financial stability cannot be overstated, underscoring the critical importance of robust cybersecurity measures and proactive risk mitigation strategies.

5. Operational risk has also become increasingly complex and pervasive, fuelled by a variety of factors including technological advancements, outsourcing arrangements, and the associated dependencies. Disruptions to critical systems and processes, whether due to cyber incidents, natural disasters, frauds or human error, can have far-reaching consequences for banks, highlighting the need for enhanced operational resilience, backup and recovery testing as well as contingency planning.

6. The dynamics of traditional risks have also changed. For instance, one notable consequence of the digital revolution coupled with wider adoption of social media, is the acceleration of liquidity runs. What used to take days to unfold can now happen in mere hours, all thanks to the pervasive influence of the internet and social media. The incidents of March 2023 in the United States serve as a stark reminder of this reality. As you would recall, a name mix-up of the US bank with a major UCB in India, fuelled by social media misinformation, required a press clarification from the UCB, to quell the rumours.

7. With this dynamic environment, the focus of regulation and supervision is shifting towards activity based. Similar activities having similar risks need to have the same level of regulatory and supervisory oversight, albeit with an element of proportionality to factor the scale and complexity of operations. Therefore, regulations for cooperative banks are becoming harmonised with that for commercial banks, but with certain calibrations wherever required. The expectations from UCBs, especially for corporate governance and effectiveness of assurance functions, are much higher now. As some of our recent enforcement actions would have demonstrated, there is now zero tolerance for poor corporate governance practices such as loans to directors or their relatives.

Expectations from Heads of Assurance

8. From cyber threats to regulatory changes, and from economic uncertainties to technological advancements, UCBs must adapt and stay vigilant, if they are desirous of retaining their relevance in this fast-changing world. This is where risk management, compliance and internal audit, come into play. They need to work hand in hand, identifying, assessing, and mitigating these risks, ensuring that their bank remains resilient and prepared for whatever challenges lie ahead. Therefore, as heads of assurance, you must ensure that you and your teams remain abreast of all the latest developments. This should be used to proactively update your systems and practices so that you remain ahead of the curve.

Risk Management

9. Risk management is at the heart of banking. Amidst all the complexities and advancements of finance, we should not forget the timeless wisdom of basic principles of banking such as diversification of risks and prudent liquidity management. Concentration risk whether it be in advances or in funding sources is something that we should be mindful of. Large exposures to a single counterparty or a group of counterparties turning bad can have detrimental consequences. Therefore, the frenzy of some of the UCBs to acquire large corporate exposures which are beyond their bite size, is to be strictly avoided and there is a need to closely monitor the existing ones.

10. It is essential to ensure that there are well documented Board approved policies for important aspects such as identification of target segments and business sectors, acceptable concentration levels, product specific guidelines such as borrower loan eligibility criteria, etc. Risk managers should try to see that these policies are in alignment with the risk that the bank can bear i.e. its risk tolerance. For instance, a loss-making bank with high NPAs should not be giving high risk loans and instead be focussing on recovery efforts.

11. The other aspect I would like to highlight is the meticulous monitoring of risk limits. Frequent breaches in risk limits, coupled with their non-ratification or their routine ratification, poses substantial dangers to the stability and integrity of financial institutions that extend beyond the immediate financial implications. If breaches become normalized or overlooked, employees may perceive risk limits as mere guidelines rather than non-negotiable boundaries, thereby compromising the institution's overall risk awareness. Therefore, it is imperative to address breaches systematically, conduct thorough investigations, hold staff accountable, and implement corrective measures to fortify the risk management practices.

Compliance

12. Next in line is the role of compliance. Compliance should adopt a forward-looking approach to anticipate and prevent non-compliant activities. Rather than reacting to issues after they arise, compliance should strive to identify and address potential compliance risks before they escalate. The compliance function should adopt a ‘regulation-plus’ approach, going beyond mere adherence to the letter of regulatory requirements and instead ensure that the spirit and intent of the regulation is also addressed.

Internal Audit

13. Once appropriate policies and strong internal controls are in place, it is for internal audit to independently verify compliance with the same. Very often we come across deficiencies in the scoping, coverage, and periodicity as well as issues in independence of the internal audit function. Proper scoping should ensure that risks are comprehensively covered. Further, high-risk areas may necessitate more frequent audits, while lower-risk areas may be subject to less frequent but regular assessments.

14. Good quality internal audit reports can provide valuable insights mitigating current risks and anticipating areas of potential risks by evaluating the risk management systems and control procedures prevailing in various areas of a bank’s operations. It can also play an important role in preventing and detecting frauds.

Role of RBI

15. Onsite examinations by RBI are not intended to be fault finding missions and instead to provide an insight into the overall health of the bank. They often pick up issues missed by the internal assurance functions and external audit. We would also like you to give due attention to the Risk Assessment Report (RAR) observations and Risk Mitigation Plans (RMP) issued by the RBI. To ensure sustained compliance, it is important to address the root cause of the observations. Further, there should be no compromise on the agreed timelines for RMPs, and the bank should ensure that all RMP items and RAR observations are comprehensively addressed well before the start of the next inspection cycle. Pending compliance paragraphs is not a desirable situation and may be a reflection of the lack of due attention by the management as well as the Board. Such instances can also invite stern supervisory action.

Conclusion

16. One of the most important facets of effective assurance functions is independence. There are regulations already in place that provide for adequate stature, direct lines of reporting and preventing of dual hatting of assurance functionaries. I would urge you to ensure that these regulations are complied with and that you are not engaged in any role which compromises your independence.

17. Overall, I believe assurance functions, if they work effectively, can create an environment in the bank where adherence to laws, regulations, ethical standards, and internal policies is paramount, and where everyone is committed to doing the right thing. Effective assurance functions are indispensable in promoting trust, integrity, and compliance within the banking sector. By working collaboratively and proactively, we can navigate the challenges ahead and ensure the long-term success of our institutions.

18. I once again extend my sincere regards to all present and wish that going ahead in future we collectively embark on a journey of financial resilience drawing from the key ideas discussed here. I also look forward to listening from you.