INDIA January 2018 FINANCIAL SECTOR ASSESSMENT PROGRAM DETAILED ASSESSMENT OF OBSERVANCE BASEL CORE PRINCIPLES FOR EFFECTIVE BANKING SUPERVISION Prepared By This Detailed Assessment Report was prepared in the Monetary and Capital context of an IMF-World Bank Financial Sector Markets Department, IMF Assessment Program (FSAP) in India during March and Finance and Markets 2017. It contains technical analysis and detailed Global Practice, World information underpinning the FSAP’s findings and Bank recommendations. Further information on the FSAP can be found at http://www.imf.org/external/np/fsap/fssa.aspx, and www.worldbank.org/fasp. INTERNATIONAL MONETARY FUND THE WORLD BANK INDIA CONTENTS Glossary ____________________________________________________________________________________________ 3 EXECUTIVE SUMMARY ___________________________________________________________________________ 6 INTRODUCTION AND METHODOLOGY _________________________________________________________ 7  A.  Information and Methodology Used for Assessment __________________________________________ 8 INSTITUTIONAL AND MARKET STRUCTURE ____________________________________________________ 9 PRECONDITIONS FOR EFFECTIVE BANK SUPERVISION ______________________________________ 11  A.  Sound and Sustainable Macroeconomic Policies ____________________________________________ 11  B.  Framework for Financial Stability Policy Formulation ________________________________________ 12  C.  A Well-Developed Public Infrastructure______________________________________________________ 12  D.  Framework for Crisis Management, Recovery, and Resolution_______________________________ 13  E.  Public Safety Net _____________________________________________________________________________ 14  F.  Effective Market Discipline ___________________________________________________________________ 15 MAIN FINDINGS ________________________________________________________________________________ 15  A.  Responsibilities, Objectives, Powers, Independence, and Accountabilities (CPs 1–2) ________ 15  B.  Ownership, Licensing, and Structure (CPs 4–7) ______________________________________________ 16  C.  Ongoing Supervision (CPs 8–10, 12, 15) _____________________________________________________ 16  D.  Corrective and Sanctioning Powers (CP 11) __________________________________________________ 17  E.  Cooperation and Cross-Border Banking Supervision (CPs 3, 13) _____________________________ 18  F.  Corporate Governance (CP 14) _______________________________________________________________ 18  G.  Capital, Risks, Problem Assets, Provisions and Large Exposure (CPs 16–19, 22–25) __________ 19  H. Other Regulation, Accounting, and Disclosure (CPs 20, 26–29) _______________________________ 20 DETAILED ASSESSMENT ________________________________________________________________________ 22 SUMMARY COMPLIANCE OF BASEL CORE PRINCIPLES _____________________________________ 183 RECOMMENDED ACTIONS AND AUTHORITIES COMMENTS _______________________________ 193 A.  Authorities’ Response to the Assessment ___________________________________________________ 197  BOX 1. The 2012 Revised Core Principles _______________________________________________________________ 9  TABLES 1. Detailed Assessment __________________________________________________________________________ 23  2. Summary Compliance with the Basel Core Principles_________________________________________ 183  3. Recommended Actions _______________________________________________________________________ 193  2 INDIA Glossary AFS Available for Sale ACB Audit Committee of the Board AFI Annual Financial Inspection ALCO Asset Liability Committee ALM Asset Liability Management AMA Advanced Measurement Approach BBB Banks Board Bureau BCP Business Continuity Planning BCSBI Banking Codes and Standards Board of India BFS Board for Financial Supervision BIA Basic Indicator Approach BR Act Banking Regulation Act CCB Capital Conservation Buffer CDD Customer Due Diligence CEO Chief Executive Officer CET1 Common Equity Tier 1 CFR Central Fraud Registry CMD Chairman and Managing Director CPC Credit Policy Committee CPR Consolidated Prudential Report CRAR Capital to Risk-Weighted Assets Ratio CRF Credit Risk Rating Framework CRILC Central Repository of Information on Large Credits CRMD Credit Risk Management Department CRO Chief Risk Officer CTR Cash Transaction Report DBR Department of Banking Regulation DBS Department of Banking Supervision DICGC Deposit Insurance and Credit Guarantee Corporation D-SIB Domestic Systemically Important Bank EaR Earnings at Risk EoL Exchange of Letters EWG Early Warning Group (under FSDC-SC) EWS Early Warning System FATF Financial Action Task Force FC Financial Conglomerate FDMC Financial Data Management Centre FIU-IND Financial Intelligence Unit—India FSB Financial Stability Board FSDC Financial Stability and Development Council FSDC-SC Financial Stability and Development Council Sub-Committee FSR Financial Stability Report 3 INDIA FSU Financial Stability Unit GDP Gross Domestic Product GOI Government of India HQLA High Quality Liquid Assets HRMD Human Resource Management Department HTM Held to Maturity ICAAP Internal Capital Adequacy Assessment Program ICAI Institute of Chartered Accountants of India Ind AS Indian Accounting Standards IRDAI Insurance Regulatory and Development Authority of India IRF Inter-Regulatory Forum IRISc Integrated Risk and Impact Scoring IRRBB Interest Rate Risk in the Banking Book JLF Joint Lenders’ Forums KYC Know Your Customer LCR Liquidity Coverage Ratio LEF Large Exposures Framework LoC Letter for Cooperation LRM Loan Review Mechanism MC Master Circular MCLR Marginal Cost of Funds Lending Rate MD Master Direction MIS Management Information System MoF Ministry of Finance MoU Memorandum of Understanding MPC Monetary Policy Committee MVE Market Value of Equity NBFC Nonbanking Financial Companies NDTL Net Demand and Time Liabilities NHB National Housing Bank NI Act Negotiable Instrument Act NIM Net Interest Margin NOC No Objection Certificate NOFHC Non-Operative Financial Holding Company NPA Nonperforming Asset PBs Payments Banks PCA Prompt Corrective Action PEPs Politically Exposed Persons PFRDA Pension Fund Regulatory and Development Authority PMLA Prevention of Money Laundering Act PSBs Public Sector Banks PSL Priority Sector Lending PSSA Payment and Settlement Systems Act RAR Risk Assessment Report 4 INDIA RBI Reserve Bank of India RBI Act Reserve Bank of India Act RC Resolution Corporation RCAP Regulatory Capital Assessment Program Res Regulated Entities RFA Red Flagged Account ROA Return on Asset ROFS Risk of Failure Score RP Related Party RPT Related Party Transaction RRBs Regional Rural Banks RTI Act Right to Information Act RWAs Risk-Weighted Assets SBH Act State Bank of Hyderabad Act SBI Act State Bank of India Act SDA Standardized Duration Approach SDL State Development Loan SEBI Securities and Exchange Board of India SDR Strategic Debt Restructuring SFBs Small Finance Banks SMA Special Mention Account SoC Statement of Cooperation SPARC Supervisory Program for Assessment of Risk and Capital SREP Supervisory Review and Evaluation Process SSM Senior Supervisory Manager STR Suspicious Transaction Report SUCBs Scheduled Urban Cooperative Banks UBO Ultimate Beneficial Owner VAPT Vulnerability Assessment and Penetration Tests WTDs Whole-Time Directors 5 INDIA EXECUTIVE SUMMARY1 1. The RBI is to be commended for the remarkable progress in strengthening banking supervision since the last FSAP. Supervision and regulation by the RBI remain strong and have improved in recent years. A key achievement is implementation of a risk-based supervisory approach that uses a complex supervisory assessment framework to guide the intensity of supervisory actions and the allocation of supervisory resources. Also, most of the Basel III framework (and related guidance) has been implemented and cooperation arrangements, both domestically and cross-border, are now firmly in place. The system-wide asset quality review (AQR) and the strengthening of prudential regulations in 2015 testify to the authorities’ commitment to transparency and a more accurate recognition of banking risks. 2. Prudential regulations are broadly aligned to the requirements of the BCP. They reflect closely the international standards and best practices in the areas of capital adequacy framework as well as market, interest rate, and operational risks. The RBI is also phasing in, consistent with the timelines established by the Basel Committee, international standards on liquidity risk (the Liquidity Coverage Ratio) and large exposure limits, with the latter being particularly important given large concentration risks in the banking sector. 3. The introduction of IFRS 9 provides an opportunity to strengthen loan classification and provisioning rules. The RBI may need to maintain a prudential filter as a regulatory floor after the introduction of accounting expected loan-loss provisioning in April 2018. In this context, the RBI should review its existing classification and provisioning rules to ensure they are calibrated in line with actual losses and cure rates. The RBI should also reassess the need for amending special loan categories that could weaken the loan classification and provisioning adequacy. Given the high level of nonperforming assets (NPAs) in the system, the authorities should consider a more proactive approach to ensure that banks, via adequate provisioning, have proper incentives to tackle NPAs and to free up balance sheets for more productive lending. 4. The Supervisory Program for Assessment of Risk and Capital (SPARC) is gradually becoming an effective supervisory tool. SPARC was introduced in 2013 as the main instrument for risk-based supervision and deploys a good mix of onsite and offsite supervisory tools, feeding into an ongoing process that is both comprehensive and forward-looking. Upon external validation of its models, SPARC will become fully enforceable, including for determining capital add-ons, which are presently computed, but not enforced. 5. More remains to be done to make supervision more conclusive and capable of “leaning against the wind.” The RBI plans to introduce shortly an updated Prompt Corrective Action (PCA) framework incorporating more prudent risk tolerance thresholds and to establish a 1 This Detailed Assessment Report has been prepared by Hee Kyong Chon (IMF), Charles Taylor, and Jan Willem Van der Vossen (both external experts). The report was prepared before the announcement of a major bank recapitalization plan. For details, see ‘Staff Supplement’ and ‘Statement by the Executive Director for India’ in ‘India: Financial System Stability Assessment’ (December 21, 2017). 6 INDIA new Enforcement Department in the coming months.2 These enhancements, together with the existing cadre of competent and dedicated supervisors and comprehensive information databases recently established (i.e., Central Repository of Information on Large Credits (CRILC)), will provide the RBI with a robust supervisory enforcement framework. This needs to be backed by a supervisory attitude that is proactive and capable of “leaning against the wind,” leading to conclusive supervisory actions and effective supervision. 6. Some previously observed weaknesses concerning the independence of the RBI and the inherent conflict of interest when supervising public sector banks (PSBs) remain. The RBI enjoys a large degree of operational autonomy, but amendments to several legal provisions, and formal grounding of RBI independence in the RBI Act, would provide greater legal certainty. The RBI’s legal powers to supervise and regulate PSBs are also constrained—it cannot remove PSB directors or management, who are appointed by the government of India (GOI), nor can it force a merger or trigger the liquidation of a PSB; it has also limited legal authority to hold PSB Boards accountable regarding strategic direction, risk profiles, assessment of management, and compensation. Legal reforms are thus highly desirable to empower the RBI to fully exercise the same responsibilities for PSBs as now apply to private banks, and to ensure a level playing field in supervisory enforcement. 7. Further strengthening bank governance—a new area of focus of the revised BCP— should be a key priority. Consistent with the recommendations contained in the Indradhanush Plan and the 2014 Nayak Commission Report, over the near term the Banks Board Bureau (BBB) should be empowered to appoint and remove senior management of PSBs, drawing from a broad set of qualified banking professionals, assuming the role presently carried out by the Ministry of Finance. Over the longer term, in this context, the requirement that PSB Boards include ex officio RBI officials should be removed. INTRODUCTION AND METHODOLOGY 8. This assessment of the implementation of the BCP in India has been completed as part of the Financial Sector Assessment Program (FSAP), which has been undertaken by the International Monetary Fund (IMF) and the World Bank (WB) in 2017, at the request of the Indian authorities. The scope of the assessment is the scheduled commercial banks, and the assessment reflects the regulatory and supervisory framework in place as of the completion of the assessment. It is not intended to analyze the state of the banking sector or crisis management framework, which are addressed by other assessments conducted in this FSAP. 9. An assessment of the effectiveness of banking supervision requires a review not only of the legal framework, but also a detailed examination of the policies and practices of the institutions responsible for banking regulation and supervision. In line with the BCP methodology, the assessment focused on the RBI and did not cover the specificities of regulation 2 The revised PCA framework and Enforcement Department have since been introduced in April, 2017. 7 INDIA and supervision of other financial intermediaries, which are addressed by other assessments conducted in this FSAP. A. Information and Methodology Used for Assessment 10. This assessment was against the standard issued by the Basel Committee on Banking Supervision (BCBS) in 2012. Since the past BCP assessment, which was conducted in 2011, the BCP standard has been revised. The revised Core Principles (CPs) strengthen the requirements for supervisors, the approaches to supervision, and the supervisors’ expectations of banks through a greater focus on effective risk-based supervision and the need for early intervention and timely supervisory actions. Furthermore, the 2012 revision placed increased emphasis on corporate governance and supervisors’ conducting sufficient reviews to determine compliance with regulatory requirements and thoroughly understanding the risk profile of banks and the banking system. This assessment was thus performed according to a significantly revised content and methodological basis, compared to the previous BCP assessment carried out in 2011 (Box 1). 11. Both essential and additional criteria (AC) have been assessed, but only essential criteria (EC) have been graded by the assessors. To assess compliance, the BCP Methodology uses a set of EC and AC for each principle. The EC were usually the only elements by which to gauge full compliance with a CP. The AC are recommended as the best practices against which the authorities of some more complex financial systems may agree to be assessed and graded. 12. Grading is not an exact science and the CPs could be met in different ways. The assessment of compliance with each principle is made on a qualitative basis. Compliance with some criteria may be more critical for effectiveness of supervision, depending on the situation and circumstances in a given jurisdiction. Emphasis should be placed on the commentary that should accompany each Principle grading, rather than on the grading itself. 13. The assessment team held extensive meetings with RBI officials, as well as the MoF, the industry, and other relevant counterparts who shared their views with the assessors. The team also reviewed the framework of laws, regulations, and supervisory guidelines. The RBI provided self-assessments of the CPs and comprehensive questionnaires filled out by the authorities. The RBI also facilitated access to supervisory documents and files, staff, and systems. 14. The assessment team appreciated the excellent cooperation, including extensive provision of internal guidelines, supervisory files, and reports. In particular, the team would like to thank the RBI staff who responded to the extensive and detailed request promptly and accurately during the assessment at a time when supervisory staff were burdened by many supervisory and regulatory initiatives related to resolving stressed bank assets. 8 INDIA Box 1. The 2012 Revised Core Principles The revised BCPs reflect market and regulatory developments since the last revision, taking account of the lessons learned from the financial crisis in 2008/2009. These have also been informed by the experiences gained from FSAP assessments as well as recommendations issued by the G-20 and the FSB, and take into account the importance now attached to: (i) greater supervisory intensity and allocation of adequate resources to deal effectively with systemically important banks; (ii) application of a system-wide, macro perspective to the microprudential supervision of banks to assist in identifying, analyzing, and taking pre-emptive action to address systemic risk; (iii) the increasing focus on effective crisis preparation and management, and recovery and resolution measures for reducing both the probability and impact of a bank failure; and (iv) fostering robust market discipline through sound supervisory practices in the areas of corporate governance, disclosure, and transparency. The revised BCPs strengthen the requirements for supervisors, and the approaches to supervision and supervisors’ expectations of banks. The supervisors are now required to assess the risk profile of the banks not only in terms of the risks they run and the efficacy of their risk management, but also the risks they pose to the banking and financial systems. In addition, the supervisors need to consider how the macroeconomic environment, business trends, and the build-up and concentration of risks inside and outside the banking sector may affect the risks to which individual banks are exposed. While the BCP set out the powers that supervisors should have to address safety and soundness concerns, there is heightened focus on the actual use of the powers in a forward-looking approach through early intervention. The number of principles has increased from 25 to 29. The number of essential criteria has expanded from 196 to 231. This includes the amalgamation of previous criteria (which means the contents are the same), and the introduction of 35 new essential criteria. In addition, for countries that may choose to be assessed against the additional criteria, there are 16 additional criteria. While raising the bar for banking supervision, the CPs must be capable of application to a wide range of jurisdictions. The new methodology reinforces the concept of proportionality, both in terms of the expectations on supervisors and in terms of the standards that supervisors impose on banks. The proportionate approach allows assessments of banking supervision that are commensurate with the risk profile and systemic importance of a wide range of banks and banking systems. INSTITUTIONAL AND MARKET STRUCTURE 15. The Indian financial sector has expanded rapidly since the last FSAP, although its structure remains broadly unchanged. The financial system’s assets have doubled in nominal terms since 2011, reaching close to 90 percent of GDP at end-2015. Banks account for about two-thirds of the financial system, and 72 percent of banking assets are held by the PSBs. Banks are required to hold large buffers of government securities (20.5 percent of assets), with loans accounting for about 60 percent of bank assets. Linkages with international financial markets remain limited, in part reflecting limits on capital account convertibility. The PSBs are the dominant providers of credit to corporates, with private banks more retail-oriented; smaller regional banks and cooperative credit institutions provide financial services to low- and middle- income households. All credit institutions are required to extend a material portion of their credit to state-determined priority sectors (priority sector lending (PSL)). 9 INDIA 16. India’s financial sector is supervised and regulated by four main agencies. The RBI is the central bank and oversees the banking sector, other deposit-taking institutions, and payment and securities clearance systems. The Securities and Exchange Board of India (SEBI) oversees capital markets, including all exchange-based trading. The Insurance Regulatory and Development Agency of India (IRDAI) oversees the insurance market. Finally, the Pension Fund Regulatory and Development Agency (PFRDA) oversees the pension funds market. In addition, the Financial Markets Commission (FMC) oversees the commodity derivatives markets, and the National Housing Bank (NHB) has oversight responsibilities for the housing finance companies. The Ministry of Finance (MOF) serves as the main financial sector policy body and the Minister of Finance chairs the Financial Stability and Development Council (FSDC), which is responsible for coordination among the financial sector regulators. 17. The RBI oversees the banking sector. The banking sector consists of 21 PSBs, 20 private sector banks (PVBs), 46 foreign banks (FBs) as branches and 39 representative offices, 56 regional rural banks, 1,562 urban cooperative banks, and 93,913 rural cooperative banks, in addition to cooperative credit institutions such as primary agricultural credit societies and a small number of newly formed niche banks, such as payments banks and small finance banks. The RBI’s supervisory function operates under the guidance of the Board for Financial Supervision (BFS). The Board was constituted in November 1994 as a committee of the RBI’s central Board of directors. As a bank supervisor, the RBI prescribes broad parameters of banking operations within which the country's banking system functions. The RBI’s aims to maintain public confidence in the system, protect depositors' interest and to ensure that the banking system provides cost-effective services to the public. 18. Corporate and banking sector vulnerabilities have risen sharply since 2011 and present a risk to financial stability. Large corporate investments during the 2000s in key industrial sectors were financed by PSBs, with bank lending to infrastructure and metals now accounting for 14.1 percent and 6.1 percent respectively of gross loans for the commercial banks; and 16.1 percent and 7.3 percent of gross loans for PSBs as of December 2016; and Indian corporates becoming one of the most leveraged among emerging markets. Deteriorating global and domestic conditions in FY2013/14 took a toll on corporate debt repayment capacity across sectors; this was compounded by bottlenecks in infrastructure project approvals, and oversupply in the steel industry. As a result, the PSBs’ stressed assets—the sum of NPAs and restructured loans—reached 15.8 percent of gross loans at end-2016. Risks to the banking sector remain elevated, and some banks are struggling with deterioration in asset quality and low profitability, while their capital positions may remain insufficient to support higher credit growth. 10 INDIA PRECONDITIONS FOR EFFECTIVE BANK SUPERVISION A. Sound and Sustainable Macroeconomic Policies 19. The Indian economy has recorded strong growth in the recent past, supported by robust macroeconomic policies. The implementation of wide-ranging policies to correct imbalances and build buffers after the Taper Tantrum woes of mid-2013, together with robust capital inflows and low commodity prices, reduced India’s external vulnerabilities, with current account deficits averaging 1.4 percent of GDP over the past three years. The RBI has adopted a flexible inflation targeting regime (August 2016), with a formal inflation target band, and introduced a statutory Monetary Policy Committee (September 2016). The stance of monetary policy has been consistent with achieving the interim inflation targets. 20. Fiscal and structural reforms are also expected to improve economic fundamentals and increase predictability of the business environment. Fiscal policies envisage a gradual return to consolidation. The implementation of the pan-India Goods and Services Tax is expected to help create a single national market and enhance the efficiency of intra-Indian movement of goods and services. The authorities are also systematically tackling supply-side bottlenecks and promoting broader structural reforms. The recent major currency exchange initiative is expected to bring more economic activities into the formal sector and to spur digitalization of financial transactions, although it has strained consumption and business activity in the short term. 21. Several policy initiatives to address the build-up of risks in the banking system have been taken:  Asset quality review: In 2015 an extensive RBI-led Asset Quality Review (AQR) took place, covering the loan portfolios of the 36 largest banks, comprising 93 percent of the total loans in the banking system. In light of the AQR’s findings, many banks were advised to clean up their books by recognizing the impairments and completing the provisioning by March 2017. The AQR revealed significant quantities of NPAs, and the authorities are considering how to address this issue and provide additional capital to banks that have become undercapitalized.  Corporate debt restructuring schemes: The RBI introduced three new schemes in 2015 to facilitate debt-equity swaps and other forms of loan restructuring—5:25 Refinance Scheme; Strategic Debt Restructuring (SDR); and Scheme for Sustainable Structuring of Stressed Assets (S4A).  Insolvency regime: The 2016 Insolvency and Bankruptcy Code unifies bankruptcy treatment of corporates and individuals under a single law and aims to reduce debt resolution to 180 days from 4.3 years currently. The 2016 Bill on Enforcement of Security Interest and Recovery of Debts aims to support faster bank asset recovery.  Banking sector revitalization. The government’s Indradhanush Plan, announced in 2015, was intended to revitalize the PSB sector by injecting capital and improving PSBs’ governance, 11 INDIA autonomy from government, risk controls, and capacity to deal with stressed assets. Greater consolidation of the 27 PSBs is also being considered as a way to address weak PSBs.  Development of corporate funding alternatives. The RBI liberalized regulations on external commercial borrowings (ECBs) by corporates in 2015, including fewer end-use restrictions and higher debt ceilings, and in 2016, it allowed infrastructure companies and certain NBFCs to tap the ECBs. Also, a new framework introduced in 2015 sanctions the issuance of rupee- denominated (Masala) bonds overseas. More broadly, the 2016 RBI Measures for Development of Fixed Income and Currency Markets proposes a plan to develop India’s corporate bond and currency derivatives market. B. Framework for Financial Stability Policy Formulation 22. The Financial Stability and Development Council (FSDC) in India is the apex-level body tasked with maintaining financial stability. The FSDC was established in 2010 as a non- statutory body in charge of ensuring inter-agency coordination for financial stability, along with financial sector development and inclusion mandates. The FSDC is chaired by the finance minister, and its members include the heads of all the financial sector regulators (RBI, SEBI, PFRDA, and IRDAI) and key representatives from the MOF. All decisions are reached through consensus, while their implementation lies with the relevant participating domestic authority. There is no explicit mechanism under the FSDC to consider potential trade-offs between its various mandates (see FSB Peer Review of India, 2016). The FSDC’s sub-committee (FSDC-SC) is the executive arm of the committee and is chaired by the RBI governor. Under the FSDC-SC, there are permanent technical groups to promote inter-agency cooperation (i.e., the Inter-Regulatory Technical Group discusses issues relating to financial stability risks; the Inter-Regulatory Forum coordinates cross-sectoral policies on financial conglomerates; the Early Warning Group (EWG) analyzes signals of stress in the financial system). 23. The RBI has taken important steps to develop the toolkit for macroprudential policy. Given the largely bank-based financial system, macroprudential analysis and policy are mainly carried out by the RBI. Since 2004, the RBI has voluntarily included financial stability as an additional institutional objective. The RBI has expanded the use of quantitative systemic risk- assessment tools and stress tests, while the main findings of its financial stability analyses are reviewed by the FSDC-SC and published in the Financial Stability Report (FSR). Progress has also been made in addressing data gaps, and steps are underway to form a Financial Data Management Center to facilitate overall information sharing and analysis (see FSB Peer Review of India, 2016). C. A Well-Developed Public Infrastructure 24. The Corporate Insolvency and Bankruptcy Code (2016) created time-bound processes for insolvency resolution of companies and individuals. The code consolidated and amended the laws relating to reorganization and insolvency resolution of corporates, partnership firms, and individuals in a time-bound manner, and for maximization of value of the assets. The code requires that bankruptcy processes be completed within 180 days, or else the borrowers’ 12 INDIA assets may be sold to repay creditors. The new regulator, the Insolvency and Bankruptcy Board of India, exercises regulatory oversight over insolvency professionals, insolvency professional agencies, and informational utilities. 25. Convergence with International Financial Reporting Standards (IFRS) is pending. Accounting standards are set by the Institute of Chartered Accountants of India (ICAI), but the RBI can require specific carve-outs or modifications for commercial banks. The IFRS has been transposed in the Indian Accounting Standards (Ind AS) and will be implemented by scheduled commercial banks and certain categories of NBFCs in April 2018. For banks, the RBI issued directions in February 2016 on the Ind AS roadmap. The new accounting standards will allow timelier recognition of credit losses and provide forward-looking information, but imply a steep learning curve for the accounting profession, banks, and supervisors, where further guidance and dissemination of good practices may be needed. 26. Indian auditing standards are broadly in line with international auditing standards. The ICAI is in charge of setting audit standards that are in close alignment with the corresponding International Standards on Auditing issued by the International Auditing and Assurance Standards Board. Bank’s annual financial statements are to be audited by an RBI-approved auditor, who must present a true and fair view of the bank’s financial position. 27. The payment, clearing, and settlement infrastructures are well developed. The Payment and Settlement Systems Act, 2007, was enacted for regulation and supervision of payment systems in India and designates the RBI as the authority to regulate the payment and settlement systems in India. The Act was further amended in 2015 to further strengthen the payment and settlement systems, and to bring it at par with international norms, so as to ensure stability and transparency in the financial system, and to enable financial sector entities to deal with international financial sector entities in the globally integrated financial world without any difficulty or disruption. 28. Banks are expected to have a detailed Code of Customer Rights and minimum standard of practices. The RBI is responsible for enforcing disclosure standards for banks. Banks have to disclose among other items: service charges, interest rates, services offered, product information, time norms for various banking transactions, and the grievance-redressal mechanism. The RBI’s Banking Ombudsman scheme acts as the quasi-judicial authority for resolving disputes between a bank and its customers. The RBI also set up a Customer Redressal Cell, a Customer Service Department in 2006, and the Banking Codes and Standards Board of India, which is an autonomous body for promoting adherence to self-imposed codes by banks for committed customer service. D. Framework for Crisis Management, Recovery, and Resolution 29. The FSDC is expected to coordinate the authorities’ responses during a crisis. The EWG of the FSDC is tasked with the analysis of early warning signals and coordination of the responses from the government and the regulators in the occurrence of a crisis situation. The EWG is chaired by the DG of the RBI in charge of the Financial Markets Department, and includes 13 INDIA representatives from the MOF and other financial sector regulators. At present, crisis management, contingency planning, and resolution reside primarily with the sectoral regulators; an overarching framework for crisis preparedness seems to be lacking. 30. The RBI has some resolution powers under the current framework. At present, the RBI has some powers to deal with the resolution of commercial banks in terms of mergers, imposition of moratorium, suspension of management, and liquidation. However, it is constrained in the exercise of corrective powers over PSBs, their government-appointed Board members, and senior management. Due to the dual control exercised by the RBI and the government—the latter being vested with powers related to governance, management, liquidation, etc.—the scope of the corrective powers employed by the RBI are limited also in the case of Urban Cooperative Banks. 31. The resolution framework is about to be substantially revamped. The government has taken steps to establish a full-fledged Resolution Corporation (RC) covering the entire financial sector and to introduce a comprehensive resolution framework in broad alignment with the FSB’s Key Attributes of Effective Resolution Regimes for Financial Institutions. A draft Bill on Financial Resolution and Deposit Insurance has been submitted to the parliament for consideration. The bill proposes, among others, measures to address some important gaps in the current resolution framework in terms of legal powers, resolution tools, timelines of triggering resolution, and cooperation among relevant authorities. E. Public Safety Net 32. The RBI has a broad range of powers to meet the liquidity needs of the financial system. Under sections 17 and 18 of the RBI Act, the RBI has wide discretion to lend to economic agents on a system-wide or individual basis, and in normal and exceptional circumstances in support of its policy goals. While not explicitly provided for in the law, the RBI has interpreted its lender-of-last-resort arrangement as being a discretionary facility available to solvent banks that face temporary liquidity needs, provided in the interest of depositors, and to prevent the failure of the bank. 33. A deposit insurance system is in place. The Deposit Insurance and Credit Guarantee Corporation (DICGC) is a wholly owned subsidiary of the RBI. It insures all commercial banks, including branches of foreign banks functioning in India, local area banks, cooperative banks, and regional rural banks. Primary cooperative societies are not insured by the DICGC. It covers all deposits (savings, fixed, current, recurring, etc.) up to a maximum of Rs 1,00,000 per depositor. The DICGC is liable to pay to each depositor through the liquidator the insured amount within two months from the date of receipt of the claim list from the liquidator. The proposed RC would also subsume the role of the DICGC. 14 INDIA F. Effective Market Discipline 34. Key governance and disclosure requirements for market participants are spelled out in the Indian Companies Act of 2013. The Act contains provisions relating to Board constitution, Board meetings, Board processes, independent directors, general meetings, audit committees, related-party transactions, and disclosure requirements in financial statements, etc., in all financial institutions. 35. Additional disclosure requirements applicable to banks are set by the RBI or as part of mandatory disclosures for listed companies. For example, banks are required to make disclosures on asset quality, exposures to sensitive industry sectors, unsecured exposures, and key financial ratios, etc. The RBI Guidelines on remuneration and compensation are only applicable to private sector banks and foreign banks operating in India and not to PSBs. Finally, as listed companies, banks are also subject to a broad range of disclosures. 36. Improving the governance in PSBs remains work in progress. A corporate governance reform plan for PSBs was launched through publication of the Indradhanush plan in August 2015. The plan included separating the post of chairman and CEO/managing director of a PSB, and establishing a Banks Board Bureau (BBB) in place of the previous Appointments Board to take over the role of recommending to the government the appointment of PSB’s executive directors, CEO/managing director, and non-executive chairman. It also included a statement that, going forward, “there will be no interference from government and Banks are encouraged to take their decisions independently keeping the commercial interest of the organization in mind.” The authorities should keep following through on their commitment to enhance PSBs’ governance. MAIN FINDINGS A. Responsibilities, Objectives, Powers, Independence, and Accountabilities (CPs 1–2) 37. The RBI’s supervisory responsibilities and powers are generally well established. There are no material gaps in coverage of the Indian system of bank supervision and regulation. This is evident from legislation, the public stance of the RBI, and the content of the RBI’s guidance. The legal framework gives the RBI powers to authorize banks to conduct ongoing supervision, address compliance with laws, and undertake timely corrective actions to address safety and soundness concerns. Laws and regulations are updated frequently. 38. There is a need to clarify the RBI’s formal objectives and to strengthen its independence. Supervisory objectives and the first priority of safety and soundness are not clear in the law, although it is evident that the RBI is committed at the operational level to ensuring the safety and soundness of the banking system. Supervisory powers over PSBs are incomplete, as the RBI has no legal ability to dismiss PSB Board members, merge PSBs, or revoke their statutory 15 INDIA authority to conduct banking business.3 Furthermore, the government appoints the governor of the RBI for a maximum term rather than a minimum term, and can dismiss him or her without cause. 39. Legal changes are recommended to clarify supervisory objectives, provide full supervisory powers over PSBs, and to limit appeals or overrides of supervisory decisions. Formal grounding of the RBI’s independence in exercising its supervisory attributes would provide greater legal certainty. Legislation should be amended to enable the RBI to extend all the powers currently exercised over private sector banks to PSBs; in particular, regarding Board member dismissals, mergers, and license revocation. The RBI Act should be amended to appoint the governor for a minimum term, ending the government’s ability to dismiss the governor without cause. It should also remove the option of an appeal to the government when the RBI revokes a license. If statutory changes are difficult, the RBI and the government should consider adopting a framework agreement whereby the government would acknowledge the RBI’s full operational authority and independence in supervision and regulation, as they did recently for monetary policy. B. Ownership, Licensing, and Structure (CPs 4–7) 40. Permissible activities for banks, licensing, transfers of ownership, and bank mergers and acquisitions are appropriately defined and controlled. The use of the word “bank” is controlled and deposit taking is confined largely to banks, although any deposit taking by institutions that are not regulated as banks should be prohibited. Guidance and processes for scrutiny of license applications are adequate in almost all respects. The RBI should require groups that own significant shares of a bank to list all their beneficial owners and to report promptly to the RBI any material changes in the holdings of those shares. C. Ongoing Supervision (CPs 8–10, 12, and 15) 41. The RBI has made substantive changes in moving toward the implementation of a risk-based approach, but further enhancements are necessary. The SPARC framework was introduced in FY 2013. The framework deploys an adequate mix of onsite and offsite supervisory tools. The core of risk assessment under SPARC is a proprietary statistical model called IRISc, which is a multi-tiered scorecard with qualitative assessments. Appropriately, these assessments are updated dynamically in response to changes in strategy and circumstances, but the process of implementation and adjustment should be managed strictly to maintain consistency and the framework’s robustness. Assessors noted that the model needs independent review and validation. 3 Although the RBI cannot force the merger of PSBs, it can propose mergers, including mergers that would amalgamate a private sector bank with a PSB. 16 INDIA 42. The enforcement link between SPARC assessments and supervisory actions is weak with respect to imposing capital add-on. The assessors noted that a bank’s Risk Assessment Report (RAR) does not discuss the bank’s identified capital shortage in association with necessary capital augmentation or risk-mitigation plans. Although there were cases requiring identified capital add-ons, none was followed by supervisory actions; that is, by a written request for capital augmentation. The RBI should enhance the robustness of the RBS framework by clearly linking the SPARC assessments to enforceable supervisory actions. 43. Formal comprehensive guidelines regarding the oversight of compliance with RAR action points need to be established. The RBI states that non-compliance with action points within the agreed timeline is managed by the SSMs and gets factored into the assessment of governance and oversight function under SPARC. However, without formal guidelines on the oversight of compliance, it is difficult to ensure that the bank’s compliance of action points is managed and enforced in a consistent manner across all banks.4 44. It would be useful also to develop supervisory assessment handbooks to ensure consistency across banks and supervisory judgements. Once the RBI enhances the robustness of the SPARC framework, it should consider developing detailed SPARC assessment handbooks to improve the consistency of its supervisory framework. 45. The extent of the assessment of resolvability of banks is limited under the SPARC framework. Recovery and resolution plans have not been required by the RBI. The establishment of a recovery and resolution regime and the risk assessment pertaining to the resolvability of large banks (such as domestic systemically important banks (D-SIBs)) needs to be considered upon the passage of the resolution legislation bill. 46. Other improvements should be sought in the engagement with banks’ Boards, bottom-up stress tests, and consolidated supervisory returns. The supervisor should maintain frequent contact with the bank’s Board and non-executive Board members to better understand and assess matters such as strategy, group structure, corporate governance, performance, risk management systems, and internal controls. More active engagement with independent Board members is needed. The RBI should consider finalizing and utilizing the stress testing methodology to identify, assess, and mitigate emerging risks across banks as a complementary supervisory tool. The authorities should consider enhancing the collection of data for purposes of consolidated supervision in terms of frequency and granularity. D. Corrective and Sanctioning Powers (CP 11) 47. In almost all respects, the RBI has sufficient supervisory powers, but—as discussed above—there are limitations, particularly with respect to PSBs. Legislation should be amended to remove any statutory limitations on the RBI’s ability to enforce regulations in PSBs, including in the areas of Board member removal, mergers, and withdrawals of licenses. 4 The RBI states that with the setting up of the Enforcement Department, supervisory concerns, including the violations necessitating penal action, will be addressed in a more focused manner. 17 INDIA Furthermore, any private sector license revocation could be appealed on its merits to government, whose decision is final. Legislation should be amended to give the RBI full authority to revoke a bank license without appeal to the GOI; and to ensure it can act independently with respect to PCA enforcement. E. Cooperation and Cross-Border Banking Supervision (CPs 3, 13) 48. A framework has been put in place for cooperation and coordination of the RBI with other domestic financial regulators. In February 2013, a Memorandum of Understanding (MoU) was signed to facilitate cooperation in the supervision of the 11 financial conglomerates in India. The MoU envisages information sharing among regulators, subject to the legal requirements of professional secrecy, coordinated onsite inspections of entities within the conglomerates, and early information of each other in case of crisis. The MoU does not yet envisage joint inspections, but work is ongoing to develop a framework in this area. In the area of financial stability, the RBI’s mandate could be strengthened usefully. It is recommended to include more explicit provisions in the applicable bills, acts, and regulations to support recovery and resolution actions mutually. The FSDC-SC, Early Warning Group, and the FDSC working group committee structures could be streamlined to achieve clearer mandates and more efficient coordination. 49. Since 2010, the RBI has embarked on a successful program to conclude MoUs with foreign regulators. Agreements were concluded with 43 jurisdictions, covering information sharing, onsite examinations, crisis management, confidentiality, and meetings of the authorities, and supervisory colleges have been established for the six Indian banks with cross-border operations. The RBI chairs the meetings of the supervisory colleges for these banks, and the most important home and host authorities are invited. In the past five years, the RBI has established formal relationships with overseas supervisors, including colleges for its six largest internationally active banks. Thirty-six onsite inspections were performed in the establishments of 15 Indian banks abroad; a number of these jointly with the host authority. The RBI staff report good day-to- day working relationships with their main foreign counterparts. F. Corporate Governance (CP 14) 50. The appropriate rules on fitness and propriety, and banks’ internal governance structures, are in place with respect to private and foreign banks. Nevertheless, the influence the RBI may exercise on banks’ governance through section 21 BR Act, placement of RBI representatives on banks’ Boards, and the RBI’s very limited authority under the Banking Acts, as well as the custom to hold the PSB Boards accountable has become problematic. Under the law and according to custom, the RBI cannot hold PSB Boards accountable for assessing and—when necessary—replacing weak and nonperforming senior management and government-appointed Board members. Moreover, the government’s and the RBI’s roles in appointing senior management and placing their own officials on the Boards creates a conflict of interest with regard to the exercise of supervision and the PSB’s business decisions. 51. Several improvements are necessary in the area of PSB governance. Consistent with the recommendations contained in the Indradhanush Plan and 2014 Nayak report, the Banks 18 INDIA Board Bureau (BBB) should be able to appoint and remove senior management of PSBs, assuming the role presently carried out by the MOF. Over time the banking laws should be changed to empower the RBI and the Boards of PSBs to exercise the same responsibilities for PSBs as now apply to private banks. When the law is amended, the requirement that PSB Boards include, ex officio, the RBI, as well as the power of the RBI by virtue of section 21 BR Act may need to be amended. G. Capital, Risks, Problem Assets, Provisions and Large Exposure (CPs 16–19, 22–25) 52. The RBI has adopted the Basel III capital adequacy framework. In a 2015 Regulatory Capital Assessment Program (RCAP), with which the assessors concur, under the aegis of the Basel Committee, the RBI framework was assessed to be compliant with the Basel Framework. The RBI capital framework also includes a capital conservation buffer, leverage ratio, and countercyclical capital buffer. These frameworks apply to public as well as private sector banks. At this time, the RBI offers only the standardized approach for credit, market, and operational risk. However, currently the RBI is reviewing applications of several banks to apply the Internal Ratings Based Approach (IRB) for credit risk. No authorizations have yet been granted, pending validation of banks’ models and the conduct of parallel runs. 53. The regulations and supervision on risk management are considered broadly adequate. The RBI comprehensively prescribes banks’ systems for credit risk management. Board approval is required for banks’ risk strategy. A sound organizational structure for risk management is required, including a Risk Management Committee, a Risk Management Department, and a robust loan review process. With regard to credit risk, for instance, banks are required to set up an internal risk rating system, incorporating financial analysis, projections and sensitivity, and industrial and management risks. Review of credit risk should take place twice per year by independent loan review officers. Banks report to the RBI quarterly on loan quality, classification, and provisions. 54. All banks need to follow guidelines and meet targets on priority sector lending, which compromises banks’ independent, risk-based credit allocation policies and strategies. These public policy-oriented constraints can impose significant limitations on the banks’ own development of credit risk management strategies and policies, and may lead to risk accumulation. The RBI should consider reviewing PSL policy, including targets and scope of application to allow banks flexibility in meeting PSL targets, if proposed projects do not meet banks’ commercially based risk management strategies and processes. 55. The introduction of IFRS 9 provides an opportunity to strengthen loan classification and provisioning rules. The RBI may need to maintain a prudential filter as a regulatory floor after the introduction of accounting expected loan-loss provisioning in April 2018. In this context, the RBI should review its existing classification and provisioning rules to ensure they are calibrated in line with actual losses and cure rates. If necessary, regulatory parameters should be adjusted for more timely recognition of appropriate provision. The RBI should also reassess the need for amending special loan categories that could weaken the loan classification and 19 INDIA provisioning adequacy. Also, the RBI should develop a reporting tool and enhance monitoring, by closely assessing the materiality, trend, and build-up of risks in special situations in a systematic way. Furthermore, it is important to note that good practices are continuously evolving in the areas of prudential treatment of problem assets, nonperforming exposures and forbearance.5 The RBI should stay on top of this and align its practices and regulations as soon as possible with new regulatory developments. Finally, given the high level of NPAs in the system, the authorities should consider a more proactive approach to ensure that banks, via adequate provisioning, have proper incentives to tackle NPAs and free up balance sheets for more productive lending. 56. The RBI has introduced a revision of the large exposure and risk concentration rules that aim to fully converge with the Basel guidance. Although the new circular fully enters into force only in April 2019, it already prescribes significantly lower general limits on exposure to individual borrowers and groups of borrowers of 20 percent and 25 percent of bank Tier 1 capital, versus the current general limits of 25 percent and 40 percent, respectively. However, the current system still offers differentiated treatment for a significant number of special situations that need to be reviewed and simplified, with the objective of sound risk management rather than special treatment for socially sensitive or priority projects. 57. The RBI allows banks to include Indian State Government Securities, also known as State Development Loan (SDLs) in the level 1 HQLA buffer. In 2015, the Basel Committee (RCAP)6 reviewed the features of the SDLs and concluded that they do not qualify as sovereign debt securities in the context of the Basel standards. The inclusion of SDLs resulted in a material upward effect on reported liquidity, which hampers its international comparability. The RBI does not consider it necessary to rectify this rule, which is considered satisfactory from a prudential point of view. CP 24 stipulates that the liquidity requirements should not be lower than those prescribed in the applicable Basel standards. Therefore, the inclusion of the SDL in the level 1 HQLA is one of the shortcomings assessors have observed. The RBI should consider reviewing and enhancing regulation of liquidity risk management to be more in line with Basel standards. 58. The RBI should consider expanding the scope of supervisory reporting of operational risk events and associated losses. Aspects of operational risk reporting and examination are in place; a comprehensive guideline on Cyber Security Framework in banks was issued in June 2016; a Cyber-Security and Information Technology Examination Cell was launched; and reporting of financial fraud was well established. However, with regard to non-IT operational risk, the formal reporting protocol has limited applicability other than fraud. There may be scope to strengthen other aspects of operational risk reporting, such as reporting on human errors, processing errors, and external events. H. Other Regulation, Accounting, and Disclosure (CPs 20, 26–29) 5 For instance, “Prudential treatment of problem assets, definitions of nonperforming exposures and forbearance,” BCBS, April 2017. 6 Regulatory Consistency Assessment Program (RCAP), Assessment of Basel III LCR regulations—India (June 2015). 20 INDIA 59. The RBI has issued the Guidelines on Intra-Group Transactions and Exposures, which include related-party transactions (RPTs) since the last FSAP. However, the rules over RPTs still have room for improvement. For instance, there is no explicit requirement for Board approval to be obtained prior to related-party (RP) exposure write-offs. It is unclear that the intragroup exposure limit is applied to RPTs between a bank and its major individual shareholder or family. In addition, other regulations affecting RPTs are scattered across several supervisory documents or legal texts making it difficult to define a clear framework of RPTs. It would be beneficial if the regulations/guidelines of RP add further clarification. 60. The internal control regulations issued by the RBI are adequate and are supported by the requirements of the SPARC risk-based supervision system. This system provides extensive guidelines for inspection of the internal control and audit function, and prescribes that a bank’s internal controls allow identification and controlling of risks. The Internal Audit Departments in banks are required to have appropriate resources and staff with the requisite skills. Tasks can be outsourced, allowing additional expertise to be brought in. The auditors reported that overall experience with the quality of internal audit of banks was satisfactory. 61. The ICAI, a statutory body, issues the Accounting Standards (AS) applicable to all listed companies, including banks.7 Banks are also governed by RBI norms on income recognition, asset classification and provisioning, and classification and valuation of investment portfolios. Banks are required to publish audited financial statements annually in the regional newspaper. Only external auditors approved by the RBI and who are on the list of approved auditors are permitted to audit banks. Starting April 1, 2018, Indian Accounting Standards (Ind- AS) will converge with IFRS, including IFRS 9 on expected losses. The RBI prescribes rotation of audit firms every 3–4 years. The accounting and auditing professions are of high quality, and bank accounting standards are comprehensive. 62. Currently, the external auditor is not obliged to report immediately to the RBI regulator any issues encountered in the audited bank that are of material interest to the supervisor. This is only permitted after publication of the annual statements. Moreover, regulators need powers to access the auditor’s working papers when needed. This is currently not envisaged. The laws and/or regulations should explicitly authorize the external auditor to inform the RBI of any concerns at any time; also, before the annual statements have been finalized and published. The RBI should be given the explicit authority to obtain information at any time from the external auditor. 63. With regard to the AML/CFT framework, there is currently no specific requirement imposed on banks with regard to the treatment of customers who are domestic politically exposed persons (PEPs). In line with FATF Recommendation 12, in addition to performing customer due diligence (CDD) measures required by the standard, the banks should be required to take reasonable measures to determine whether a customer or beneficial owner is a domestic PEP or a person entrusted with a prominent function by an international organization and, in 7The Ministry of Corporate Affairs (MCA), through its notification on 16 February 2015, issued the Indian Accounting Standards (Ind AS), which converge with the International Financial Reporting Standards (IFRS). 21 INDIA cases where there is a higher risk business relationship with such a person, to take enhanced due diligence measures. In addition, the know your customer (KYC) rules do not highlight in the definitions section that banks are required to identify beneficial ownership where the customer is an individual. This constitutes a deficiency, given that money-laundering activities often involve the engagement of front men to obscure the identity of beneficial owners. 64. The AML/CFT reporting framework is not sufficiently broad to meet the CP. Although the controls over reporting financial fraud are well established, financial fraud is only one type of predicate crime among the AML/CFT concerns over money-generating criminal activities. The RBI should broaden its reporting requirements to address money-laundering issues, not just fraud. DETAILED ASSESSMENT 65. The assessment used a four-part grading system: compliant; largely compliant; materially noncompliant; and noncompliant. The assessment of compliance with each CP is made on a qualitative basis to allow a judgment on whether the criteria are fulfilled in practice. Effective application of relevant laws and regulations is essential to provide indication that criteria are met.  A “compliant” assessment is given when all of the essential (and additional) criteria are met without any significant deficiencies, including instances where the principle has been achieved by other means.  A “largely compliant” assessment is given only when minor shortcomings are observed that do not raise any concerns about the authority’s ability and clear intent to achieve full compliance with the principle within a prescribed period of time. The assessment “largely compliant” can be used when the system does not meet all of the essential criteria, but the overall effectiveness is sufficient, and no material risks are left unaddressed.  A “materially noncompliant” assessment is given in case of severe shortcomings, despite the existence of formal rules and procedures. It is given if there is evidence that supervision has clearly been ineffective or that the shortcomings are sufficient enough to raise doubts about the authority’s ability to achieve compliance.  A “noncompliant” assessment is given if the criteria are not substantially implemented, several essential criteria are not complied with, or supervision is manifestly ineffective. 66. Table 1 below provides a detailed Principle-by-Principle Assessment of the BCP. The table is structured as follows:  The “description and findings” sections provide information on the legal and regulatory framework, as well as evidence of implementation and enforcement.  The “assessment” sections contain only one line, stating whether the system is “compliant,” “largely compliant,” “materially non-compliant,” or “non-compliant” (as described above). 22 INDIA  The “comments” sections explain why a particular grading is given. These sections are judgmental and also reflect the assessment team’s views regarding strengths and areas for further improvement in each principle. Since, the primary goal of the exercise is to identify areas that would benefit from additional attention, emphasis should be placed on the comments that accompany each principle, rather than on the individual grades mentioned before. Table 1. India: Detailed Assessment A. Supervisory Powers, Responsibilities, and Functions Principle 1 Responsibilities, objectives and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.8 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.9 Essential criteria EC1 The responsibilities and objectives of each of the authorities involved in banking supervision10 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps. Description and The RBI’s responsibilities and objectives with regard to supervision are defined in findings re EC1 legislation and, therefore, publicly disclosed. The RBI is the authority for banking supervision in India. Its enabling legislation gives it the authority to supervise all banks, public sector and private, domestic and foreign.11, 12 It also supervises urban cooperative banks. The exceptions are state cooperative banks, district central cooperative banks, and rural regional banks, which are supervised by NABARD. Though numerous, these exceptions account for a small share of deposits. While the responsibilities and objectives of the RBI with regard to supervision are defined in the legislation, they are not entirely clear. They appear in different places in somewhat different forms. For example, in the preamble to 1934 Act creating the RBI, it is stated that the RBI is “… generally to operate … any credit system of the country to [the country’s] 8 In this document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example non-bank (including non-financial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation. 9 The activities of authorizing banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles. 10Such authority is called “the supervisor” throughout this paper, except where the longer form “the banking supervisor” has been necessary for clarification. 11 https://rbi.org.in/commonman/English/Scripts/BanksInIndia.aspx enumerates three classes of state-owned banks— the SBI and its affiliates, the nationalized banks and other public sector banks. 12 See CP2 for a discussion of the term “banking” and CP5 regarding the licensing of banks. 23 INDIA advantage,” which could be construed in some circumstances to mean, for example, encouraging investment in public infrastructure or specific industries, which might conflict with prudential regulatory objectives. The 1949 Banking Regulation Act has an accompanying Statement of Objectives and Reasons. This provides a more focused statement of objectives:13 “[the primary objective] of banking legislation should be the protection of the interests of the depositor.”14 The 1949 Act itself does not begin with a statement of objectives. Within the 1949 Act itself, the RBI’s powers, both specific and broad, are enumerated. But the ends to which they are to be used are only broadly defined, leaving uncertainty regarding their application. Sections 10BB, 12B, 19, 21, 22, 28, 35, 35A, 36, 39, and 45 describe different RBI powers. Section 35 granting the power of inspection and 35A granting the power to give directions are among the most important. Section 51 extends the applicability of most of the RBI’s supervisory powers over private sector banks to PSBs. In Section 35A, the objective of regulation is described broadly. 35A(1) states that the RBI may give directions where it is satisfied that it is “in the public interest” or “in the interest of banking policy,” or “to prevent the affairs of any banking company being conducted in a manner detrimental to the interests of the depositors, or in a manner prejudicial to the interests of the banking company, or to secure the proper management of any banking company generally.” The discussion of “banking policy,” Section 5 (ca) of the 1949 Act says that this is policy specified by the RBI “in the interest of the banking system, or in the interest of monetary stability, or sound economic growth …” Section 45, which lays out the power of the RBI to apply to the central government to “suspend the business of a banking company,” stipulates that it may do so “when it appears to the Reserve Bank that there is good reason so to do.” The “interest of the banking system” potentially extends beyond safety and soundness. It might, for example, include permitting banks to expand in the short term, even at the detriment of putting their financial strength at risk in the medium term. The “interest of monetary stability,” might mean business cycle management taking precedence over considerations of safe and sound banking. For central banks, monetary stability is more properly a separate objective that does not apply to supervision, but rather to monetary policy. EC 2 The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it. Description and As discussed in the description of EC1, there are many places in the 1949 Act where findings re EC2 protection of the interests of depositors is cited as an objective of regulation. This is nearly equivalent to the objective of “protecting the safety and soundness of banks.” Since not all deposits are insured in Indian banks, reliably meeting the 13 Bills laid before the Indian parliament often have such a statement associated with them which can be referred to in interpreting legislation, although they are superseded by the eventual Act. 14 Paragraph 1 of the Statement of Objectives and Reasons of the 1949 Act. 24 INDIA particular interests of all depositors in having ready access to their deposits requires that at least banks with some uninsured deposits be safe and sound. On its website, the RBI states that the objective of supervision is to “maintain public confidence in the system, protect depositors’ interest and provide cost-effective banking services to the public.”15 In effect, safety and soundness is acknowledged as an objective of RBI supervision. In practice, the RBI does give weight to safety and soundness considerations. It is mentioned first among issues in public discussions of supervision and it is elaborated in documents like its Annual Reports. For example, the discussion of medium term reforms in the governor’s Foreword of the 2015–16 RBI Annual Report states that a critical component of the medium-term strategy in the financial sector will be “…to strengthen PSBs in all aspects including governance, cost structure and balance sheets.”16 The same report refers later on to the three pillars envisaged by the RBI for improving the regulation and supervision of the financial sector, one of which is to improve the system’s ability to deal with distress.17 Discussions with RBI staff confirm that operationally the supervisory departments take safety and soundness considerations seriously. What is less clear is that this is the primary objective of banking supervision. It is evident that many other objectives of supervision could be viewed as on an equal footing with safety and soundness. We note that the PSL is administered by the RBI. On the RBI website, the second core purpose puts consumer protection on a par with financial system stability. EC3 Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile18 and systemic importance.19 Description and The 1934 and 1949 Acts provide the RBI with the statutory power to set and findings re EC3 enforce minimum prudential standards for banks and banking groups.20 The RBI standards cover capital, management, governance, risk management, and other aspects of banks and banking. These powers extend to PSBs as well as private.21 As an example of the power to increase prudential requirements for banks based on risk and systemic importance, we note that India has a supplementary capital requirement for systemically important banks in line with the Basel III standards. In addition, its supervisory teams increase in size with the complexity and size of 15 Rbi.org.in, “About Us,” Main Functions. 16 Page 2 of the 2015-2016 Annual Report of the RBI. 17 Page 66, para. VI.4, ibid. 18 In this document, “risk profile” refers to the nature and scale of the risk exposures undertaken by a bank. 19 In this document, “systemic importance” is determined by the size, interconnectedness, substitutability, global or cross-jurisdictional activity (if any), and complexity of the bank, as set out in the BCBS paper on Global systemically important banks: assessment methodology and the additional loss absorbency requirement, November 2011. 20 See section 35A, the 1949 Act. 21 See Section 51, the 1949 Act, for the extension of powers to the State Bank of India. (Reference needed for other nationalized banks.) 25 INDIA banks and, since the RBI adopted risk-based supervision, the riskiness of the institution is a factor in its decisions to allocate staff. Furthermore, supervisors have the power to add to minimum capital requirements to help mitigate supervisory concerns. Capital add-on requirements under Pillar II can be imposed to meet risks not reflected in Pillar I minimum capital requirements. EC4 Banking laws, regulations and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate. Description and Since the global financial crisis and the emergence of the domestic NPA crisis, there findings re EC4 are several examples of laws and regulations relating to banking that have been updated and modified. Major examples are:  The Insolvency and Bankruptcy Code, 2015, which consolidated and extensively revised existing laws on insolvency and bankruptcy. The Code limits the time for resolving a bankruptcy to 180 days. 22 After that, the Adjudicating Authority may pass orders for liquidation of the debtor, if the resolution plan is not received or it is rejected. The Code creates a new profession of bonded insolvency professionals (IPs) and calls for new information utilities (IUs) to be created to collect and disseminate financial information useful for resolutions. A National Company Law Tribunal (NCLT) will adjudicate insolvency resolution for companies. The Debt Recovery Tribunal (DRT) will adjudicate insolvency resolution for individuals. A new Insolvency and Bankruptcy Board of India is set up by the Act to regulate the functioning of IPs, IPAs, and IUs.  The RBI Act, 1934 was amended to create a Joint Mechanism under the chairmanship of the GOI finance minister to decide the issues relating to regulatory overlap among the financial regulators. It was amended again in 2016 to give a statutory basis for a Monetary Policy framework and to establish a Monetary Policy Committee. Other examples:  The Finance Act, 2015 merged the Forward Market Commission (FMC), regulator of commodities market, with Securities Exchange Board of India (SEBI).  The Negotiable Instrument Act, 1881 was amended in 2015, to clarify where cases could be filed.  The Payment and Settlement Systems Act, 2007 was amended in 2015, to align Indian standards to international norms.  The Insurance Laws (Amendment) Act, 2015 raised the cap on foreign investment in Indian insurance companies from 26 percent to 49 percent of outstanding equity. 22 This duration can be extended by another 90 days by the Adjudicating Authority if considered necessary (Section 12(3) of the Insolvency and Bankruptcy Code, 2015). 26 INDIA A draft bill is moving forward to create a resolution and recovery regime for Indian banks.23 The RBI schedule for introducing Basel III capital rules is in line with the Basel Committee timeline.24 The same is true for the LCR.25 So far as public consultation is concerned, laws are subject to due parliamentary process, and so there is always an opportunity for public consultation. Regulations—circulars, guidelines, guidance and directions—issued by the RBI are sometimes published for comment. Draft RBI regulations sometimes originate in working groups formed with the industry, and drafts are generally circulated to the Indian Banking Association and others in the banking industry. Until recently, there was no structured process of public review and comment- taking for issuing and approving all RBI regulations. The RBI has now adopted a process for publishing major drafts and allowing time for public comment, after which they are approved by its Board. In 2016, 86 separate regulations were issued, excluding consolidations of former regulations into “Master Directions.”26 EC5 The supervisor has the power to: a. have full access to banks’ and banking groups’ Boards, management, staff and records in order to review compliance with internal rules and limits as well as external laws and regulations; b. review the overall activities of a banking group, both domestic and cross-border; and c. supervise the activities of foreign banks incorporated in its jurisdiction. Description and Section 35 of the 1949 Act empowers the RBI to inspect any banking company at findings re EC5 any time. These inspections can look into “the affairs of any banking company,” implying it has full access to the Board, the management and the staff, as well as the bank’s books and accounts—its records—to ensure that it is following banking regulations. On full access to banking groups, which is discussed below under consolidated supervision, the RBI does not allow nonfinancial companies to own banks. It is the lead supervisor (or Principal Regulator) of all financial conglomerates in India that include a bank, and it has agreements with the insurance, fund, and market supervisors to receive information on issues and findings with them on the nonbank parts of any banking group. In addition, there is the Financial Stability and Development Council (FSDC) chaired by the finance minister. Under it is a subcommittee chaired by the governor of the RBI. Under that subcommittee is an Inter Regulatory Technical Group that is charged with addressing issues related to inter-regulatory coordination. If it cannot resolve an issue, either at the technical group or the subcommittee level, then it can be elevated to the Financial Stability 23 The Financial Resolution and Deposit Insurance Bill, 2016, Committee draft, undated. 24 RCAP Assessment of the Basel III risk-based capital regulations—India, Bank for International Settlements, June 2015. 25 RCAP Assessment of the Basel III LCR regulations—India, Bank for International Settlements, June 2015. 26 The RBI it is converting all of its guidance into directions and consolidating outstanding directions dealing with different aspects of a single regulatory issue into “Master Directions.” 27 INDIA and Development Council (FSDC). So far, no issue has had to be referred to the FSDC. On cross-border supervision, since a 2010 framework for Cross-Border Supervision and Supervisory Cooperation has been put in place by the RBI, under which it has built up a network of formal arrangements with foreign supervisors such as MoUs, Statements of Cooperation and Letters of Cooperation, Supervisory colleges have been established for six Indian banks. These arrangements facilitate exchange of information and periodic onsite inspections of overseas operations of Indian banks are also undertaken by the RBI.  Indian banks operate in 54 jurisdictions across the world; 46 foreign banks have presence as branches and 39 as representative offices.  Formal arrangements established with 40 overseas supervisory authorities (as against two MoUs at the time of the last FSAP).  Supervisory colleges were established during 2012–14 for all six major Indian banks having significant overseas operations. Meetings organized by the RBI are held at least once in two years. In the meantime, college members communicate to exchange information and to coordinate supervisory action. Section 22 (3A) of the 1949 Act extends the general power of the RBI to supervise domestic banks to foreign banks operating in India. EC6 When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to: a. take (and/or require a bank to take) timely corrective action; b. impose a range of sanctions; c. revoke the bank’s license; and b. cooperate and collaborate with relevant authorities to achieve an orderly resolution of the bank, including triggering resolution where appropriate. Description and So far as private sector banks are concerned, the RBI has ample power to enforce its findings re EC6 policies and directions. As noted elsewhere, it can levy fines, revoke a bank’s license, remove Board, management or staff, restrict a bank’s activities, and prevent a distribution of capital when it judges that circumstances warrant it. However, revocation of licenses is subject to appeal to the GOI. For PSBs, the RBI’s power to enforce actions is the same in most respects.27 However, the RBI cannot independently revoke their licenses or force a merger. The RBI can recommend dismissals of Board members or senior officers, but cannot independently enforce them. There is a bill before parliament to create a resolution and recovery regime. It applies to public as well as private sector banks.28 Still, the bill proposes that some supervisory powers over a public sector bank will continue to reside with the GOI. 27 See Section 35 of the 1949 Act. 28 See for example, Schedule 10 of the Financial Resolution and Deposit Insurance Bill 2016, which amends the Acquisition and Transfer of Undertakings Act of 1980 (the Bank Nationalization Act of 1980). 28 INDIA EC7 The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group. Description and Since the RBI has the power to supervise any associated financial firm (in findings re EC7 cooperation with its sectoral supervisor) as well as parent companies, it can review the activities of the nonbank parts of any banking group to determine their impact on the safety and soundness of the bank. Assessment of Largely Compliant Principle 1 Comments There are no material gaps in coverage of the Indian system of bank supervision and regulation. This is clear and credible from legislation. The legal framework gives the RBI powers to authorize banks, conduct ongoing supervision, address compliance with laws, and undertake timely corrective actions to address safety and soundness concerns. Laws and regulations are updated frequently. New arrangements between domestic financial supervisors have been put in place to smooth group regulation and supervision. In the past five years, the RBI has established formal relationships with overseas supervisors, including colleges for its six largest internationally active banks (EC5). The RBI can review the activities of parents, affiliates, and subsidiaries of banks (EC7). While safety and soundness of banks is an important objective for the RBI, it is not clearly and unambiguously its first priority for supervision (EC2). Legislation is needed to update and clarify the RBI’s supervisory mandate. The statute should clearly state that safety and soundness, including systemic stability, are the top priorities of supervision. As discussed in the assessment of CP2, the GOI should defer to the RBI in matters of safety and soundness, including in particular matters affecting the PSBs. The RBI’s decisions with respect to safety and soundness should not be subject to GOI review. Supervisors should be able to use independently the same broad range of supervisory tools and enforcement actions with respect to public and private sector banks. Short of legislation to update and clarify its supervisory mandate, the RBI and the GOI should consider adopting a framework agreement as they did recently for monetary policy, formalizing and clarifying objectives and responsibilities of the RBI and the GOI. Such a framework might record agreement that:  The main objective of RBI bank supervision is prudential, and that other supervisory objectives, such as financial inclusion, financing government, priority sector funding, or consumer protection are secondary.  As discussed in other CPs, the GOI would defer to the RBI in all matters regarding the licensing of banks, (including revoking licensing) permissible activities, governance (including dismissal of Board members), general 29 INDIA management and risk management, and corrective actions needed to address safety, soundness and stability concerns (See CP2, CP4, CP11, and CP14). 29  These provisions would apply to all banks, including the PSBs, fully and without reservation. Principle 2 Independence, accountability, resourcing and legal protection for supervisors. The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. Essential criteria EC1 The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision. Description and The RBI has the statutory authority to set banking policy and examine banks, and findings re EC1 banks are required to submit information to the RBI that it requests. Regarding private sector banks, it has independent authority to grant or rescind licenses, remove management, file with the High Court to close banks, and control the loans and advances of banks, impose penalties, and file criminal complaints against banks. However, Section 22 (5) allows any banking company aggrieved by the decision of the RBI to cancel a license to appeal with the central government within 30 days. The decision of the central government shall be final (Section 22 (6)). Regarding the PSBs, its operational independence is more limited. While it does regulate and supervise the PSBs, the RBI cannot remove government-appointed directors or management, force a merger, or revoke a license. It can advise the GOI to do so, but the government is not bound to follow the RBI’s advice. Furthermore, the RBI must also designate a non-executive member on the Boards of the PSBs, which creates a conflict of interest for the RBI and may compromise independence. A continuous RBI presence on the Board may also impair its effectiveness. (See CP 14) The RBI Act contains provisions that undermine its independence from the government. For example, Section 7 of the RBI Act allows the central government to give directions to the RBI as it may, after consultation with the governor, consider necessary in the public interest; Section 30 of the RBI Act allows the central government to supersede the RBI if, in the opinion of the central government, it fails to carry out any of the obligations imposed on it under the RBI Act. While these provisions have not been used in practice, they remain available to the central government to use at its discretion in the event that it disagrees with the central bank regarding supervisory priorities or judgements. The RBI’s accountability and governance are prescribed in legislation and are publicly disclosed, both in the legislation and in several public documents, including its Annual Reports (see EC4 below). 29 Each cross-referenced specific issue driving the gradings is discussed in each CP. 30 INDIA EC2 The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed. Description and The governing body of the RBI is its cCentral Board. It consists of a governor, up to findings re EC2 four deputy governors appointed by the central government, four more directors nominated by the central government from the four RBI local Boards,30 10 other directors nominated by the central government, and a government official nominated by the central government.31 The governor and a deputy governor may be appointed for up to five years and be reappointed at most once.32 Directors are appointed for a four-year term and may also be reappointed for, at most, one additional term. The central government “… may remove from office the governor or a Deputy Governor or any other Director or any member of a Local Board” at will. There are no restrictions as to cause.33 While this provision has never been invoked, it remains problematic. Finally, the legislation does not provide for an obligation to make public the reasons for governor’s dismissal. EC3 The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives.34 Description and The RBI publishes its core purpose, values, and mission on its website. There, it findings re EC3 states that its core purpose is “to foster monetary and financial stability conducive to sustainable economic growth and to ensure the development of an efficient and inclusive financial system.” It continues by laying out five “commitments to the nation” of which the second deals with regulation: “to regulate markets and institutions under its ambit to ensure financial system stability and consumer protection.” The RBI is publicly accountable through its website, testimony before parliament, and its published Annual Reports. These describe in some detail its activities, its organizational structure—the framework through which it discharges its duties— and the use of resources. A section of the Annual Report is devoted to regulation, supervision, and financial stability, outlining initiatives to strengthen regulation and supervision, and progress against agendas set in earlier years. EC4 The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue, and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest. 30 Section 9 of the 1934 RBI Act. 31 Section 8 of the 1934 RBI Act. 32Section 8 (4) of the RBI Act, 1934. There have been five occasions when governors were appointed for a period of less than a year (ranging between 20 days to seven months) following resignation of the incumbent governor. 33 Section 11(1) of the 1934 RBI Act. 34 Please refer to Principle 1, Essential Criterion 1. 31 INDIA Description and The RBI has a hierarchy to take supervisory decisions at an appropriate level. findings re EC4 Powers have been delegated to the officers through “notification to sign the letters” issued to external persons and authorities, which carries with it the responsibility to take supervisor decisions. Internally, the officers have been empowered to take timely decisions at appropriate levels in case of emergency. The governing body is the Central Board. There are statutory restrictions on who may be appointed as directors to sit on the Central Board that address possible conflicts of interest.35 By statute, no person can be appointed to the Board who is a salaried government official or an officer or director of a bank.36 EC5 The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed. Description and The RBI’s professional staff are recruited selectively and generally have strong findings re EC5 academic qualifications. Turnover is low—in the order of 1 percent a year—so that, on average, staff experience is high. The RBI makes use of internal and external training seminars and programs to upgrade specialist knowledge and keep up with developments in regulation and supervision. The RBI has staff regulations that address conflicts of interest and misuse of information. EC6 The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes: a. a budget that provides for staff in sufficient numbers and with skills commensurate with the risk profile and systemic importance of the banks and banking groups supervised; b. salary scales that allow it to attract and retain qualified staff; c. the ability to commission external experts with the necessary professional skills and independence, and subject to necessary confidentiality restrictions to conduct supervisory tasks; d. a budget and program for the regular training of staff; e. a technology budget sufficient to equip its staff with the tools needed to supervise the banking industry and assess individual banks and banking groups; and f. a travel budget that allows appropriate onsite work, effective cross-border cooperation and participation in domestic and international meetings of significant relevance (e.g., supervisory colleges). Description and The RBI generates its own funds from its central banking activities, which covers its findings re EC6 budgetary needs. It does not depend on the GOI to meet its budget requirements. 35 Section 10 (1) of the RBI Act. 36 The Board does include “one Government official to be nominated by the Central Government.” 32 INDIA The Department of Supervision has about 435 staff. The D-SIBs—ICICI and SBI37— have a dedicated professional team of six or seven examiners under a Senior Supervisory Manager (SSM); staffing can be supplemented from other RBI resources with specialized skills for exams dealing with such specialized topics as IT, a Management Information System (MIS), or model validation as needed. The RBI does not depend on outside experts for any aspect of supervision but rather on the training and accumulated experience of its supervisory staff. Employee compensation is attractive and ensures the retention of qualified staff. The RBI has sufficient resources to build and maintain an up-to-date technology infrastructure, to fund travel for onsite work and for participation in domestic and international meetings. EC7 As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium term, taking into account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill sets identified. Description and Management in the RBI Supervisory Departments regularly review their skills findings re EC7 availability and needs. Identified gaps are referred to the RBI Human Resource Management Department (HRMD). That department collates these with Performance Management System information, which records development needs identified by the employees. Then the HRMD advises the training establishments under it to organize appropriate training. The HRMD also uses e-learning facilities such as FSI Connect and online IMF courses to meet supervisory training needs. EC8 In determining supervisory programs and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available. Description and Depending upon the size, risk profile, and importance of banks, supervisory findings re EC8 strategies are decided and resources are allocated. The RBS approach of supervision considers the systemic importance of banks for when allocating resources to supervision and determining the supervisory stance. EC9 Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith. Description and Both the 1934 and the 1949 Act protect the RBI and its officers from suit regarding findings re EC9 anything done in good faith to implement the Acts.38 This extends to any possible damage caused in the process. Assessment of Materially Non-Compliant Principle 2 Comments The RBI has budgetary autonomy and adequate resources. It is transparent about its core purpose, which is published on its website. It regularly gives a public account of its activities and use of resources in its Annual Report and elsewhere. In most respects, it has operational independence. The legal framework for banking supervision includes legal protection for the RBI and its officers. However, 37 HDFC bank has been added to the list in September 2017. 38 Section 54 of the 1949 Act. 33 INDIA  While it does regulate and supervise the PSBs, the RBI does not have full discretion to take supervisory actions (EC1).  The RBI Act contains a number of powers enabling the central government to supersede decisions of the RBI. Although these powers have not been used in practice, they are broad and their existence undermines the RBI’s legal independence (EC1).  The RBI governor is not appointed for a minimum term but for a maximum one, and may be dismissed at will by the government (EC2) without disclosing the reasons for such action. Legislation should be updated to extend the RBI’s independent authority, so that RBI has full discretion to take any supervisory actions as needed. As second best, the government and the RBI should consider entering into a framework agreement to similar effect covering all matters of prudential supervision. The 1934 Act should be amended, so that the RBI governor is appointed for a minimum term rather than a maximum term. It should be possible for the GOI to dismiss the governor before the end of his/her term only if due process establishes incapacity, dereliction of duty, or unethical behavior, in which case the reasons for dismissal should be published. For legal clarity, it would be preferable to eliminate the provisions providing the government with powers to supersede decisions of RBI. The RBI should track the resources deployed through dedicated SSM teams and specialist units for supervision of the D-SIBs and other large banks. It should review whether the level and character of resources are appropriate in absolute terms and as a share of total supervisory departmental resources, compared with the importance of these institutions in the banking system. 34 INDIA Principle 3 Cooperation and collaboration. Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.39 Essential criteria EC1 Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions, and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary. Description and In December 2010, the government created the Financial Stability and Development findings re EC1 Council (FSDC), chaired by the Minister of Finance, with membership of the RBI governor, the Deputy Minister of Finance, Head of the Financial Services Department of the Ministry of Finance, the Chief Economic Advisor of the Ministry of Finance, the Securities and Exchange Board of India (SEBI), the Insurance Regulatory and Development Authority of India (IRDA), and the Pension Fund Regulatory and Development Authority of India (PFRDA). The FSDC meets twice per year. The Sub-Committee (SC) of the FSDC is chaired by the RBI governor and meets thrice per year. The FSDC has four technical committees. The Inter-Regulatory Forum (IRF), created in 2013, with membership of all above-mentioned financial regulatory agencies, and chaired by the deputy governor in charge of the RBI’s Department of Banking Supervision, was set up in the absence of statutory enabling provisions to cooperate in the supervision of financial conglomerates. Since its creation, the IRF has met 21 times. In June 2012, an Early Warning Group was set up. Meetings of the technical groups can be convened at any time by any of the member agencies. At the meetings of the FSDC and the IRF, cross-sectoral issues of financial stability and the condition of the financial conglomerates are discussed. The secretariat of the FSDC rests with the RBI’s Financial Stability Unit (FSU). A financial stability report is written twice per year by the FSU of the RBI and placed on the RBI’s website. In February 2013, the RBI, SEBI, IRDA, and PFRDA concluded an MoU to formalize and further improve practical cooperation in the supervision of cross-sector financial conglomerates, based on reciprocity, mutual trust, and understanding. The MoU is a statement of intent to collaborate, cooperate, share information, consult on matters of mutual supervisory interest, and to undertake assessment of systemic risk arising from the activities of financial conglomerates. In supervising financial conglomerates, the agencies coordinate inspection activities and share outcomes of the inspections upon request. Inspections are not yet conducted jointly, but work is underway to design a protocol for joint inspection. At this time, the RBI is lead regulator for the bank-led conglomerates and, by virtue of section 29 (A) of BR Act, has the authority to conduct inspections in nonbank entities of these conglomerates. The MoU and the structure described provides a formal and effective platform for the confidential exchange of information on the 11 conglomerates, and on macroprudential risks across the financial system. 39 Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29). 35 INDIA The FSDC, its SC, and the IRF also provide a mechanism for coordinated crisis response among regulators and the government. EC2 Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary. Description and Since 2010, 43 MoUs with foreign regulators were concluded in the implementation findings re EC2 of a 2010 government Framework for Cross-border Supervision and Supervisory Cooperation. The MoUs cover information sharing, onsite examinations, crisis management, confidentiality, and meetings of the authorities and supervisory colleges. After cross-border inspections, debriefing of the host authority will take place and inspection outcomes shared. The agreement to share information also covers the licensing process, including fit-and-proper assessments of prospective managers and Board members, ongoing supervision, cross-border acquisition of shares, enforcement actions and penalties, as well as dealing with problem situations. The 2010 framework provided the basis for the creation of supervisory colleges for the six main Indian banks, with cross-border operations. In total, 25 Indian banks have operations in 54 jurisdictions and 86 foreign banks have operations in India. The colleges meet once every two years. The RBI chairs the meetings, and the counterparts who have a significant presence of Indian banks, or who have significance in the Indian market, are invited. Thirty-six onsite inspections in establishments of 15 Indian banks abroad, including offshore units, were performed between 2012 and 2015 in 23 jurisdictions. A number of cross-border inspections were undertaken jointly with the host authority. The RBI staff report good day-to- day working relationships, by e-mail and telephone, with their main foreign counterparts, also as a result of networking efforts when negotiating the MoUs and in the supervisory colleges. EC3 The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system- wide supervisory purposes and will be treated as confidential by the receiving party. Description and The 2013 MoU among domestic regulators (see above) stipulates that each of the findings re EC3 agencies will preserve the confidentiality of the information shared and will not disclose it without the written consent of the providing authority. This authority may attach conditions to the disclosure of information to another agency. In case of information on fitness and propriety of management and/or staff of a conglomerate, there is an obligation to share, subject to applicable laws. Sharing of confidential information under the MoUs with foreign regulators is subject to safeguards, i.e., voluntary basis, prior written consent of the sharing authority, and legal constraints, as well as conditions imposed by the sharing authority if information is to be passed on. The MoU signals to the foreign counterpart that the Indian authority may be compelled by a Court of Law, in particular, under the Freedom to Information Act, to disclose confidential information. Moreover, all RBI staff legitimately using information shared confidentially by a foreign regulator, are bound by the normal RBI confidentiality obligation. EC4 The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes 36 INDIA only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information. Description and Under the domestic MoU, Art. 9 firmly places sharing of information in the context findings re EC4 of the need to supervise conglomerates, e.g., in the areas of risk analysis, risk management, internal controls, capital, liquidity, and funding. Art. 18 confirms that professional secrecy and confidentiality are conditions for successful cooperation. Article 19 of the MoUs with foreign regulators specifies that any confidential information shared pursuant to the MoU is to be used only for lawful supervisory purposes. Article 20 states that any received confidential information shall be disclosed to third parties only after receipt of written approval of the authority providing the information, and taking into account any conditions imposed by the providing authority. Article 21 states that if the RBI is legally compelled to disclose such information, the providing authority will be promptly notified, and the receiving authority will use best endeavors to preserve the confidentiality of the information. According to Article 29, provision of information can be denied when this would imply violation of local laws, or interfere with an investigation, or on grounds of national interest or national security, or any other legitimate ground which could have an adverse impact on effective supervision. EC5 Processes are in place for the supervisor to support resolution authorities (e.g. central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions. Description and Provision of information to other regulatory agencies domestically and abroad, is findings re EC5 permitted under the MoUs described above, and the receiving regulatory agency can use this information to support the exercise of its own powers to take resolution and recovery actions, provided confidentiality is respected. Also, the FSDC structure described above is available to exchange information among domestic regulatory agencies and the Ministry of Finance. This shared information can be used to support recovery and resolution actions. Moreover, the RBI can be required by the government to perform specific inspections under section 35(4) of the BR Act. Art. 10 of the cross-border MoU acknowledges the benefits of close liaison in case a cross-border institution would encounter serious financial difficulties, and by implication be the object of recovery and resolution actions. Under the draft Financial Resolution and Deposit Insurance Bill 2016, the regulator may authorize any officer or agent of the deposit insurance corporation, in order to ensure compliance with the provisions of this law, to enter premises where a bank carries out business, in order to inspect any equipment, including computer systems and documents, and require staff of the bank to provide any required information or documents. Assessment of Compliant Principle 3 37 INDIA Comments The overall framework for cooperation is considered comprehensive and effective, also to support recovery and resolution actions, and a grading of compliant is therefore given. Nevertheless, it is recommended to include more explicit provisions in the applicable bills, acts, and regulations to support mutual recovery and resolution actions. These rules could also support, e.g., agency- appointed administrators, prosecutors, and liquidators. The authorities are working on a format for joint inspections, including any regulatory agency that has an interest in the institution being inspected. In general, efforts should be increased to enhance cooperative and coordinated practices wherever possible. The authorities could consider amending the interagency MoU of 2013 to create options to provide assistance among agencies in case of enforcement actions, as needed and upon request. Furthermore, the authorities should amend the mandates in the RBI Act and BR Act to strengthen the RBI mandate for financial stability. The FSDC, SC, Early Warning Group, and FDSC working group committee structures should be streamlined to achieve more clear mandates and responsibilities for financial stability and more efficient coordination in times of crisis. In particular, with regard to the larger institutions, the RBI should consider a higher frequency of supervisory colleges, or increase information exchange between meetings. Principle 4 Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled. Essential criteria EC1 The term “bank” is clearly defined in laws or regulations. Description and The Banking Regulation Act of 1949 (the 1949 Act) defines two terms—“banking” findings re EC1 and “banking company”—which is tantamount to defining the term “bank.”  The term “banking” is defined in Section 5 (b) of the 1949 Act as deposit-taking. That is, “banking” is “the accepting, for the purpose of lending or investment, of deposits of money from the public, repayable on demand or otherwise, and withdrawal by cheque, draft, order or otherwise.”  Section 5 (c) of that Act goes on to define "banking company" to mean “any company which transacts the business of banking in India.” EC2 The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations. Description and Aside from those activities that define the term “banking,” Section 6 of the 1949 Act findings re EC2 specifies other permissible activities for banks. The list includes borrowing and lending, issuing financial guarantees and letters of credit, dealing in bullion and forex, underwriting and dealing in securities, including debt and equity instruments, and in government securities, providing custodian services, acting as government agents, and undertaking and executing trusts. Section 6(n) also permits banks to “[do] all such things as are incidental or conducive to the promotion or advancement of the business of the company.” This covers governance, support, and risk-management functions. Section 6(o) of the 1949 Act states that “banking companies may do any other form of business which the central government may, by notification in the Official Gazette, specify.” This opens up the possibility of a government requirement on a 38 INDIA bank to provide services that go well beyond traditional banking, such as a variety of extension services or equity investments in preferred projects. EC3 The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled. Description and Section 7 (1) of the 1949 Act states that no company other than a banking company findings re EC3 shall use as part of its name, or in connection with its business, any of the words "bank,” "banker," or "banking," and no company shall carry on the business of banking in India unless it uses as part of its name at least one of such words. The RBI regulation interprets this to extend to domain names. With the exception of some small cooperatives (and deposit taking by nonfinancial companies) all banking activity in India is regulated and supervised by the RBI. Private sector banks are licensed by the RBI. The PSBs are created by statute by the central government. EC4 The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.40 Description and State cooperative banks, district central cooperative banks, and regional rural banks findings re EC4 are supervised as banks by NABARD, the public-sector development bank for agricultural development. Otherwise, almost all deposit taking is reserved for institutions that are licensed and supervised by the RBI. Section 22(1) of the 1949 Act requires all private sector firms to obtain a license from the RBI before they can engage in banking. However, not all deposit-taking activities take place in banks. Industrial, manufacturing, and other nonfinancial companies can take deposits— both from their employees and others—under conditions specified in the Companies Act 2013. While these companies are not regulated as banks—they are overseen by the Ministry of Corporate Affairs—the rupee amount of deposit taking concerned is very small compared with deposit taking by regulated banks.41 EC5 The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public. Description and The RBI publishes the list of commercial banks functioning in India including PSBs, findings re EC5 private sector banks and foreign bank branches which is readily available at the RBI website at https://rbi.org.in/commonman/English/Scripts/BanksInIndia.aspx. Assessment of Compliant Principle 4 The permissible activities of institutions that are licensed and supervised as banks are defined, and the use of the word “bank” in names is controlled. The term “bank,” and related terms are defined in Indian law (EC1). Permissible activities for banks are also well defined in legislation and regulation, although the central 40 The Committee recognizes the presence in some countries of non-banking financial institutions that take deposits but may be regulated differently from banks. These institutions should be subject to a form of regulation commensurate to the type and size of their business and, collectively, should not hold a significant proportion of deposits in the financial system. 41See http://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf and the 2014 acceptance of deposits rules. Conditions include: being profitable for the last three years and having a positive net worth; obtaining a credit rating annually; depositing at least 15 percent of the amount of deposits maturing by the next financial year in a separate bank account as a repayment reserve; taking deposits only up to a proportion of net owned funds; and offering an interest rate prescribed by the RBI. 39 INDIA government has the power to require banks to undertake nonbanking activities (EC2). Only banks regulated by the RBI can refer to themselves using the term “bank” and related terms (EC3). Deposit-taking is largely, but not entirely, confined to banks (EC4). The RBI does maintain a list of banks on its public website (EC5). Section 6(o) of the 1949 Act should be repealed. While the volume of deposits held in nonbanking institutions is very small and may have been justified by historical circumstances as well as overseen by the government, deposit-taking by these institutions should be prohibited under the law. Principle 5 Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)42 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. Essential criteria EC1 The law identifies the authority responsible for granting and withdrawing a banking license. [The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank.] The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate. Description and The RBI has the authority to grant and withdraw bank licenses. The RBI also has findings re EC1 regulatory and supervisory powers over banks,43 facilitating coordination between licensing, supervision and regulation. The RBI is the authority to grant a license to start a banking business.44 For banks licensed under section 22 of the BR Act 1949, it also has the power to revoke a license.45 However, that power is circumscribed. License revocations can be 42 This document refers to a governance structure composed of a Board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier Board structure, where the supervisory function of the Board is performed by a separate entity known as a Supervisory Board, which has no executive functions. Other countries, in contrast, use a one-tier Board structure in which the Board has a broader role. Owing to these differences, this document does not advocate a specific Board structure. Consequently, in this document, the terms “Board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction. 43 Section 35 of the 1949 Act. 44 Section 22 (1) of the 1949 Act. 45 Section 22 (4) of the 1949 Act. No licenses have been revoked (or withdrawn) in the last five years. 40 INDIA appealed to and overturned by the GOI.46 The RBI does not have the power to revoke the license of any licensed PSB or to take equivalent action over PSBs that are established by statute. EC2 Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked. Description and The 1949 Act sets statutory requirements for granting a license which RBI must findings re EC2 enforce regarding the protection of deposits, the character of management, capital structure and earnings prospects.47 It can revoke a license for subsequently not meeting criteria that the applicant undertook to meet—presumably—including materially false representations during the licensing process.48 The 1949 Act empowers the RBI to set and enforce additional criteria for licensing banks. In the past four years, it has issued four sets of guidance to govern license applications going forward. In February 2013, it issued guidance for applications for licensing new private sector banks. This was restricted to applications received over the subsequent four months. Then Guidelines for Licensing of Payments Banks and Small Finance Banks were issued in November 2014. These are specialized institutions intended to expand financial inclusion by offering a restricted range of products and services to the priority sector entities and other qualifying disadvantaged groups. Among these, the GOI Department of Posts was granted a license as a payments bank, for which it has set up a subsidiary that just started operations on a small scale. Renewed guidance for licensing of banks was issued in August 2016.49, 50 A total of 139 applications have been received for private sector bank licenses in the past five years, of which 112 were rejected. Four applicants withdrew before getting an in-principle (or preliminary) approval, and three withdrew after the in- principle approval. Two universal banks, ten small finance banks, and seven payments banks were licensed. The RBI has an established review and assessment process for entities applying for bank licenses: 46 Section 22(5) of the 1949 Act. “Any banking company aggrieved by the decision of the Reserve Bank cancelling a license under this section may, within thirty days from the date on which such decision is communicated to it, appeal to the Central Government. The decision of the Central Government … shall be final.” 47 Section 22 (3) of the 1949 Act. 48 Section 22(4) of the 1949 Act. 49 Guidelines for Licensing of Small Finance Banks in the Private Sector dated November 27, 2014 (SFB Guidelines), Guidelines for the Licensing of Payments Banks dated November 27, 2014 (PB Guidelines), and Guidelines for On- Tap Licensing of Universal Banks in the Private Sector dated August 1, 2016 (Universal Bank Guidelines). The On- Tap Guidelines were largely based on the February 2013 Guidelines for Licensing New Banks in the Private Sector (2013 Guidelines). 50There are two more licensing schemes for foreign banks, depending on whether they want to establish a branch or a subsidiary. A total of 24 applications for a branch and 5 applications for subsidiaries were received since 2010. Out of the 24 application for a branch, 13 have been approved, 5 are under process, 4 have been rejected, and 2 withdrew. Out of the five applications received for a subsidiary, one has been permitted and four are under consideration. 41 INDIA  A preliminary scrutiny is carried out by an RBI team. Their findings are presented to an External Advisory Committee (EAC). EAC recommended applications move forward  The RBI team undertakes a detailed assessment of financial soundness, proposed business plan, and the applicant’s fit-and-proper status based on due diligence reports received from other regulators, investigative agencies, banks, etc. The EAC reviews the assessment results and then makes a recommendation to approve or reject the application to the RBI.  An Internal Screening Committee (ISC), consisting of the governor and the deputy governors examines the applications and the EAC recommendations. Then the ISC makes its recommendations to the Committee of the Central Board (CCB) of the RBI.  The CCB decides the final list of applicants for granting in-principle approval. An in-principle approval is valid for 18 months, during which time the applicant must continue to comply with all of the licensing criteria and come into line fully with standard regulations. Then they can submit an application for a final license, which, after review, the RBI may accept or reject. EC3 The criteria for issuing licenses are consistent with those applied in ongoing supervision. Description and The statutory licensing requirements cross-reference supervisory standards for findings re EC3 established banks.51 In addition, the RBI has specific regulatory criteria for licensing regarding ownership structures, the fit-and-proper nature of the owners, financial projections and other prudential matters which are consistent with their supervisory requirements for established banks.52 EC4 The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.53 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. Description and The RBI must set criteria to ensure that the carrying on of banking business in India findings re EC4 by the applicant will be in the interests of the public and depositors.54 Accordingly, the Small Finance Banks, Payment Banks, and Universal Bank guidelines lay out acceptable corporate structures and criteria for the eligibility of the promoter and promoter group. The Universal Bank Guidelines stipulate that the promoter group shareholding in the bank can be held only through a Non-Operative Financial Holding Company (NOFHC), if the bank is not a stand-alone entity. For Payment Banks and Small Finance Banks, an NOFHC is an optional structure. The corporate governance norms for NOFHCs are found in the 2013 RBI Guidelines. These Guidelines also stipulate the prudential norms applicable to an NOFHC on a 51 Section 23(2) of the 1949 Act cross-references Section 35. 52 Guidelines for On-Tap Licensing of Universal Banks in the Private Sector dated August 1, 2016. 53 Therefore, shell banks shall not be licensed. (Reference document: BCBS paper on shell banks, January 2003.) 54 Section 22(3)(g) of the 1949 Act. 42 INDIA stand-alone as well as a consolidated basis. Furthermore, the Universal Bank Guidelines require that the corporate structure does not impede ring fencing the entities in the NOFHC from one another and that it should be possible to supervise the bank, the NOFHC, and its other entities on both a solo and a consolidated basis. EC5 The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed. Description and The 1949 Act defines a “substantial interest” in a bank as a ”beneficial interest” of findings re EC5 more than 10 percent of the equity or shareholding exceeding Rs. 0.5 million, whichever is less.55 It requires the RBI to ensure that those with such an interest are fit and proper.56 It also prescribes that any shareholder, singly or along with his/her relative or associate enterprise or person acting in concert with him/her can obtain 5 percent or more shareholding only with prior RBI approval.57 Section 22 (3) of the 1949 Act prescribes that before issuing the license, the RBI must satisfy itself about the financial strength of the applicants. This implicitly includes their ability to provide additional financial support if needed. The Small Finance Bank, Payment Bank and Universal Bank Guidelines stipulate that the RBI will assess the fit-and-proper status of applicants, judged on the basis of their credentials and integrity, including their financial soundness, success in business, and professionalism. These guidelines also lay out how the RBI should investigate in detail the experience and expertise of the applicant, their direct and indirect business interests, shareholding patterns, financial statements, income tax returns, annual reports, and sources of capital, along with the names of all the individuals and entities in their group. The applicants must furnish extra information about any persons or entities that would subscribe to 5 percent or more of the paid-up equity capital of the proposed bank. The RBI staff acknowledged that it can be difficult to establish ultimate beneficial ownership and therefore fit-and-proper reviews may not always extend to all UBOs who could exercise some control over the new bank. EC6 A minimum initial capital amount is stipulated for all banks. Description and Statutory provisions for minimum capital58 have been superseded by regulatory findings re EC6 requirements. Minimum paid-up capital for payments banks and small finance banks is Rs 1 billion. For universal banks, it is Rs 5 billion. 55 Section 5(ne) of the 1949 Act. 56 Section 12(B) of the 1949 Act. 57 Eligible promoters and shareholding requirements are laid out for Payments Banks in para 3, 7, and 8 of the Guidelines for Licensing of Payments Banks, for Small Finance Banks in paras 3, 6, and 7 of the Guidelines for Licensing of Small Finance Banks, and for universal banks in paras 2 (A) and para 2 (D) (II) of the Guidelines for ‘on tap’ Licensing of Universal Banks in the Private Sector. 58 Sections 11 and 12 of the 1949 Act. The minimum statutory capital requirement for a bank operating in a single state with no operations in Mumbai or Kolkata, is Rs. 100,000. 43 INDIA EC7 The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit-and-proper test), and any potential for conflicts of interest. The fit-and-proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank.59 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks. Description and Section 10A of the BR Act stipulates that the Board of any bank should include findings re EC7 persons with professional or special knowledge or practical experience in certain identified areas. It further restricts the commercial interests of a director of a bank. The fit-and-proper criteria that applies to already functioning commercial banks, as outlined in the circular dated June 25, 2004,60 applies to the new banks as well. The licensing guidelines for the Small Finance Banks, Payments Banks, and Universal Banks stipulate that the banks should have a majority of independent directors. The RBI, checks the credentials and professional experience of whole time directors and the Chairman of the Board before they are appointed. The appointment of a managing director and a chairman need prior RBI approval. EC8 The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.61 Description and The licensing guidelines stipulate that the applicants should submit a business plan findings re EC8 along with the application. Among other things, the business plan should cover the proposed product lines, target clientele, target locations, usage of technology, risk management, plans relating to human resources, the proposed branch network, priority sector compliance, compliance with prudential norms, and expected loan portfolio composition. EC9 The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank. Description and The licensing guidelines prescribe that, along with the business plan, the applicant findings re EC9 should furnish pro forma financial statements and financial projections for the first years of operations. EC10 In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision. 59 Please refer to Principle 14, Essential Criterion 8. 60 DBOD.No.BC.105/08.139.001/2003-04 dated June 25, 2004 61 Please refer to Principle 29. 44 INDIA Description and At the time of applying for presence in India, a foreign bank is required to submit findings re EC10 No Objection Certificate (NOC) from the home country regulator for the same. The home country regulator is also required to certify that it practices global consolidated supervision over the bank. EC11 The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met. Description and The conditions imposed while granting license are monitored and evaluated during findings re EC11 regular supervision. Section 22 (4) of the 1949 Act empowers the RBI to cancel a license if a banking company fails to comply with any of the conditions imposed on it while granting of license under Section 22(1) of the Act. Assessment of Largely Compliant Principle 5 Comments The RBI is the licensing authority for all banks in India. Guidance and processes for scrutiny of license applications are generally adequate. However, there is a potential reason to be concerned about ultimate beneficial ownership. Difficulty in establishing ultimate beneficial ownership should be grounds for rejecting a license application. The RBI needs to review the respective regulations and/or supervisory practices to ensure that suitability of shareholders encompass the UBOs. Principle 6 Transfer of significant ownership. The supervisor62 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. Essential criteria EC1 Laws or regulations contain clear definitions of “significant ownership” and “controlling interest”. Description and The term “substantial interest” is defined in statute. In addition, there are findings re EC1 requirements linked to percent ownership levels which give effect to the ideas of “significant ownership” and “controlling interest.” These vary with the legal form of the bank or banking group and depending on whether it is a public or private sector bank. But the definitions are clear in all cases. For private sector banks and banking groups, Section 5 (ne) of the 1949 Act defines “substantial interest” as the paid-up shareholdings of a beneficial interest for individuals. That is, the definition applies to an individual or his/her spouse or minor child, whether singly or taken together. For a listed company, the limit is Rs 500,000 or 10 percent of the paid-up capital, whichever is less. The limit for an unlisted firm (partnerships or sole proprietorships for example) is just 10 percent of total paid-up capital. All large private sector Indian banks and PSBs are listed companies. Section 12B of the 1949 Act requires prior RBI approval for any purchase that would lead a person or group of persons (such as a partnership or company) to own 5 percent or more of the paid-up capital or voting rights of a banking company. 62 While the term “supervisor” is used throughout Principle 6, the committee recognizes that in a few countries these issues might be addressed by a separate licensing authority. 45 INDIA The RBI can reject requests or impose prudential conditions on acquisitions that go beyond 5 percent. Or they can approve the acquisition if it is in the public interest, the interests of the banking system or the interest of the RBI’s banking policy.63 For PSBs, different RBI powers effectively define “significant ownership:”  Section 3(2b)(c) of the Banking Companies (Acquisition and Transfer of Undertakings) Act, 1970/80 stipulates that nationalized banks may raise capital through a public issue only after consultation with the RBI; and  State Bank of India Act, 1955, Section 10 is slightly broader and says that GOI can approve a private sector holding of more than 10 percent only after consulting the RBI. EC2 There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest. Description and The RBI requires private sector banks to obtain prior approval for any acquisition findings re EC2 that would result in any person or group of persons holding shares or voting rights of 5 percent or more.64 Even when the acquisition/aggregate holding is proposed to be less than 5 percent and if the concerned bank suspects that questionable methods have been adopted to get over the ceiling of 5 percent to camouflage the real purpose of cornering of shares or voting rights by individuals/groups with a view to acquire controlling interest in the bank, a reference shall be made to the RBI by the bank. In such cases, it shall be in order for the RBI to require such shareholders to comply with the procedure for prior approval as detailed in the master direction. Further, as per BR Act, 1949, before issuing or allotting any share to any person or registering the shares in the name of any person, the banking company shall ensure the requirements of prior approval and the conditions of approval are complied with. For PSBs, the RBI has no specific powers to limit private sector ownership.65 Typically, Indian PSBs have private shareholders who, collectively, can own as much as 48 percent of outstanding capital. However, for example, if a PSB had only 30 percent private sector ownership and it decided to raise capital with a sale of 10 percent interest to a single private sector owner, the RBI could intervene by excercising its general powers to act in the interests of the banking system. There is no specific requirement for a PSB to get prior approval from the RBI for any stock sale. Where secondary market trading is concerned, the RBI relies on supervisory oversight and periodic public reports to SEBI rather than specific reporting requirements to know if any banking company shareholder is increasing their share 63See Section 3(i)(j) of the RBI Master Direction, “Prior Approval for Acquisition of Shares or Voting Rights in Private Sector Banks,” dated November 19, 2015. 64 RBIMaster Direction: Prior Approval for Acquisition of Shares or Voting Rights in Private Sector Banks, Directions 2015. 65The exception is that there are restrictions on voting rights under section 3(2D) and (2E) of the Banking Companies (Acquisition and Transfer of Undertakings) Act that affect PSBs too. 46 INDIA significantly. All the major banking companies in India are publicly listed.66 The RBI’s general powers are sufficient to intervene and prevent a transfer of ownership that they deemed was not in the public interest if they became aware of it. EC3 The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify, or reverse the change in significant ownership. Description and While the RBI does regulate and supervise the PSBs, it does not license them. So, findings re EC3 any powers over transfers in ownership of PSBs equal or exceed those of its licensing powers. For private sector banks, the RBI can reject a change in significant ownership on fit- and-proper grounds. These are similar to the fit-and-proper tests they apply during licensing. Subsections (3) and (4) of Section 12B of the 1949 Act give the RBI its powers.67 The RBI decision to reject or limit a share purchase, or to impose conditions (such as fit-and-proper conditions or limits to voting rights), is binding on the applicant and the concerned bank. If a bank suspects that someone is using “questionable methods“—which includes false information—to increase their shareholding, it must notify the RBI, even for small amounts. In those cases, the RBI can use its prior approval powers to prevent it outright. EC4 The supervisor obtains from banks, through periodic reporting or onsite examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. Description and Once a year, banks and banking companies supervised by the RBI report on the fit- findings re EC4 and-proper status of major shareholders to the RBI. The RBI also relies on ongoing supervisory oversight and periodic public reports to SEBI to know if any banking company shareholder is increasing their share significantly. While periodic reporting to the RBI and SEBI and the RBI’s supervision onsite and offsite do allow the RBI to monitor significant ownership, it is not clear that they would necessarily detect changes in beneficial ownership. EC5 The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor. Description and The RBI is concerned with unapproved changes in control involving people who are findings re EC5 not fit and proper. It limits to 5 percent the voting rights of a group of shareholders 66 One public sector entity, the Life Insurance Corporation of India (LIC), has significant holdings in the Indian banking industry. These can be as much as 15 percent of paid-in capital in some banks. So, it can exert significant influence at shareholder meetings. However, it is prohibited from appointing directors. In the case of public sector banks, the rationale is that there is already a significant public sector Boardroom representation. 67 Seesection 5.4 of the RBI Master Direction: Prior Approval for Acquisition of Shares or Voting Rights in Private Sector Banks, Directions 2015. 47 INDIA with any person in it who is not fit and proper, regardless of the group’s collective share of total bank equity. EC6 Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Description and As per the Master Direction dated November 19, 2015, banks have to notify the RBI findings re EC6 immediately if they learn that any major shareholder is no longer "fit and proper." Every bank is required to review the status of their shareholders once a year and, after Board review, certify to the RBI that their major shareholders continue to be fit and proper. Assessment of Compliant principle 6 Comments The RBI has the power to review any transfer of significant ownership or controlling interests held in existing banks. Significant ownership is either expressly or implicitly defined in statute (EC1). Approval by the RBI for a significant transfer in ownership is required for private sector banks. RBI could in principle block a significant ownership transfer for a PSB if it judged that such a transfer was not in the interest of the banking system (EC2). RBI’s supervisory powers to prevent a change in significant ownership refer to a fit-and-proper test similar to that undertaken as part of a bank licensing and they can reject a change based on false information (EC3). Banks must advise the RBI if a significant shareholder becomes unfit (EC6). The RBI can restrict voting rights if warranted (EC5). While periodic reporting to the RBI and SEBI, and the RBI’s supervision onsite and offsite do allow the RBI to monitor significant ownership, it is not clear that they would necessarily detect changes in beneficial ownership (EC4)68. The RBI should require groups that own significant shares of a bank to list all their beneficial owners and to report promptly any material changes in those shares. Principle 7 Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. Essential criteria EC1 Laws or regulations clearly define: a. what types and amounts (absolute and/or in relation to a bank’s capital) of acquisitions and investments need prior supervisory approval; and b. cases for which notification after the acquisition or investment is sufficient. Such cases are primarily activities closely related to banking and where the investment is small relative to the bank’s capital. 68Only one question, question 21, of the application form for the RBI’s approval asks about beneficial ownership: whether any other person other than the applicant has beneficial interest in the proposed acquisition (Form A in the schedules attached to the Master Direction: Prior Approval for Acquisition of Shares or Voting Rights in Private Sector Banks, Directions 2015.) 48 INDIA Description and The 1949 Act allows banks to create subsidiaries, including through acquisitions. findings re EC1 There are no statutory restrictions on the creation of a subsidiary, if it is going to operate domestically and undertake activities that are permitted for the bank itself. The Act specifies prior approval is needed to form a subsidiary to operate abroad.69 The 1949 Act also restricts bank shareholding in nonsubsidiary companies. The statutory ceiling is 30 percent of the bank’s own paid up capital and reserves or 30 percent of the investee company’s paid-up share capital, whichever is lower. RBI regulations further restrict investments in shares. Prior approval is needed for investments in a financial services company of over 10 percent of the investee company’s capital. Below that level, any investment is subject to the normal prudential parameters on profitability and capital adequacy ratios (CAR). Investments of over 10 percent of a bank’s own paid-up capital in a single entity are not allowed. However, the sum of all equity investments in subsidiaries and other entities cannot exceed 20 percent of a bank’s paid-up share capital and reserves. Investments or acquisitions by banks in financial entities are permitted only in those companies which are regulated either by RBI (e.g., a nonbank financial company licensed by RBI), or by one of the other national financial regulatory agencies -- SEBI (for mutual funds, asset management companies, etc.), IRDA (insurance), PFRDA (pension fund management), or NHB (housing finance). EC2 Laws or regulations provide criteria by which to judge individual proposals. Description and The criteria for judging individual proposals for major acquisitions or investments findings re EC2 by a bank are governed by rules on the financial services that banks may provide.70 These services are defined by statute.71 Within those bounds, a bank can make any investment or acquisition, provided it is large and healthy enough. Exact criteria for the bank to qualify are set for each kind of acquisition or investment. For example, to invest in an insurance business, the bank should have net worth of Rs 10 billion. It should also have a CRAR not less than 10 percent after investment, an NPA ratio not more than 3 percent; a net profit in the preceding three financial years; and a track record of existing subsidiaries that is satisfactory.72 Similar rules apply to all permitted investments and acquisitions. Criteria for the businesses in which the bank is investing are generally those set by the national financial regulator responsible for that type of business. EC3 Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.73 The supervisor can prohibit banks from making major acquisitions/investments (including the 69 Section 19 of the 1949 Act. The Act does provide for the RBI to widen the definition of permissible activities for subsidiaries, with prior GOI approval. 70 Master Direction on Financial Services Provided by Banks, May, 2016. 71 Section 6(1), the 1949 Act. These are, effectively, the sectors regulated by the RBI itself and the other national financial regulators. 72 Master Direction on Financial Services Provided by Banks, Section 14 (a); May, 2016. 73 In the case of major acquisitions, this determination may take into account whether the acquisition or investment creates obstacles to the orderly resolution of the bank. 49 INDIA establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis. Description and The statutory and regulatory ceilings on investments help ensure that a bank is not findings re EC3 exposed to any undue risks or that an acquisition might hinder effective supervision. The RBI can prohibit banks from making major acquisitions above the thresholds described above (including the establishment of cross-border banking operations) and it reserves the right to prohibit proposals that might hinder effective supervision, or where any serious regulatory/supervisory issues are observed. In case of foreign branches or subsidiaries, the RBI has the discretion to reject proposals if there are concerns, such as that host country secrecy laws might hinder effective RBI supervision. Proposed acquisitions by banks are reviewed with respect to financials of the bank, adherence to statutory/regulatory norms, supervisory issues/concerns observed through onsite/offsite (risk based) supervision of the bank, regulatory issues/concerns and the compliance culture of the bank. In the past five years, 80 applications were approved for acquisitions and investments in nonbanking financial entities by banks, and 25 approvals were granted for acquisitions and investments in nonfinancial entities during the year 2012 to 2016. Over that period, 23 applications were rejected for various reasons. EC4 The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment. Description and So far as financial resources are concerned, RBI examination of a bank’s ICAAP will findings re EC4 include reviewing whether any acquisitions that are contemplated are within its financial capacity and the bank’s ability to manage the activities of the investee company. EC5 The supervisor is aware of the risks that non-banking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in non-banking activities. Description and The RBI financial activities which have a higher capital commitment, high degree of findings re EC5 risk participation including possible contagion risk, need for specialized knowledge are only allowed through a separate entity which is well regulated. RBI requires banks that are part of banking groups to prepare a Consolidated Prudential Report (CPR). These include an assessment of risks to banks (or other supervised entities) by other group members in the financial conglomerate. Consolidated Prudential Reports for a bank include information and accounts of related entities such as subsidiaries, associates and joint ventures of the bank, which carry on activities of banking or financial nature (except insurance and nonfinancial activities). AC1 The supervisor reviews major acquisitions or investments by other entities in the banking group to determine that these do not expose the bank to any undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective 50 INDIA implementation of corrective measures in the future.74 Where necessary, the supervisor is able to effectively address the risks to the bank arising from such acquisitions or investments. Description and The investment ceilings having been defined very clearly (on individual basis as well findings re AC1 as aggregate basis), do not pose any significant risk to the bank. Any additional investments in any of the subsidiaries/nonsubsidiary companies are only with the approval of the RBI. Further, while investments/acquisitions in nonfinancial entities are very sparingly allowed, Investments/acquisitions by banks in financial entities are permitted only in those companies which are regulated either by RBI (e.g., NBFC), SEBI (e.g., Mutual Fund, AMC, etc.), IRDA (insurance), PFRDA (pension fund management) or NHB (housing finance). Hence, the investments made by these entities are monitored by one of the Financial Sector Regulators. Besides, at the macro level, there is a Financial Stability and Development Council (FSDC) functioning under the aegis of the MOF, which provides a platform to assess the systemic risks and address the inter-regulatory issues. Assessment of Compliant Principle 7 Comments The RBI has the power to approve or reject major acquisitions by private sector banks. Through its continuous monitoring and periodic ICAAP reviews, it should be aware of major acquisitions contemplated by any public or private sector bank. It can impose prudential conditions on major acquisitions or investments by any bank via its normal regulatory powers. These extend to the establishment of cross-border operations. Its supervision of banking groups ensures that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. Principle 8 Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable. Essential criteria EC1 The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks: a. which banks or banking groups are exposed to, including risks posed by entities in the wider group; and b. which banks or banking groups present to the safety and soundness of the banking system. The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis. Description and The RBI introduced a comprehensive Risk-Based Supervision (RBS) framework for findings re EC1 supervising scheduled commercial banks (SCBs) from FY 2013, which replaced the previous compliance-based and transaction-testing supervisory approach. The RBS 74 Please refer to Footnote 33 under Principle 7, Essential Criterion 3. 51 INDIA has been phased-in gradually; at present, all 91 SCBs in India are being supervised under the RBS. Under the RBS structure, the SSM and his/her team are responsible for supervision of specific bank(s) and handle continuous monitoring, both onsite and offsite of banks. The SSM also represents the single point of contact for the designated banks. The RBS framework is underpinned by the SPARC, which is a comprehensive risk- based and forward-looking supervisory framework aimed at identifying emerging risks and prompting early supervisory action. The SPARC process starts with a “risk discovery exercise” based on an updated risk profile of the bank and identification of risks and areas of focus. Various inputs including the bank profile, prudential offsite returns, compliance with previous supervisory recommendations, as well as sectoral analyses of trends and concentrations are taken in to account. The risk discovery is followed by requisite onsite engagement based on the supervisory cycle (12–18 months) and discussions with banks. Other onsite discussions with the bank are held as needed. SPARC uses a three-pillar assessment of risk, compliance, and capital to arrive at supervisory rating. SPARC is underpinned by a sophisticated in-house developed proprietary statistical model, Integrated Risk and Impact Scoring model (IRISc), which uses 536 data points used for constructing quantitative risk metrics and 319 subjective control parameters based on information submitted by banks. Onsite engagement for verification is followed by the RBI Specifically, the risk assessment entails the following analyses:  Inherent risks: classified under 5 business risk categories (Credit risk, Market risk, Liquidity risk, operational risk, and other Pillar II risk) and assessed based on a combination of objective and subjective parameters. Objective assessment is metric driven using a set of quantitative parameters assessed on a scale of 1– 4 (1 being the lowest risk and 4 the highest risk). The model facilitates moderation of the objective risk score in the form of a subjective assessment of a risk by SSM.  Control gap assessment of business risk: evaluates the control environment and determines the extent gap in the desired level of inherent risk mitigation. Control gaps are also assessed on a scale of 1–4.  Governance and oversight gap assessment: assesses risks stemming from gaps in the bank’s governance and internal oversight. This assessment comprises of a subjective assessment of effectiveness of Board, senior management, risk governance and internal audit. Each category is assessed based on a set of parameters, and are scored on a scale of 1–4. The aggregate risk of the bank is determined based on scores for business risks and gaps in governance and oversight functions. The weights for different business risks can differ across banks depending on the business profile of the bank. The risk of failure is also assessed as a score (1–4) and is a function of aggregate risk score and the capital score such that a high aggregate risk and/or a deterioration in capital increases the Risk of Failure score (RoFS) for a bank. The RoFS is measured on a relative scale which helps the supervisor differentiate the 52 INDIA banks in terms of risk of failure. Nevertheless, the risk implications pertaining to the resolvability of individual banks are not assessed as a comprehensive bank resolution framework is still lacking. RoFS also feeds into the supervisory rating (A–E), capital add-on (if any), supervisory stance (a function of RoFS and Impact of failure). Finally, the supervisory stance of a bank is determined based on the bank’s position in a risk of failure and impact of failure score matrix. Impact assessment of a bank refers to the assessment of the “adverse effects the failure of a banking institution may have on the interests of the depositors or customers of banks, stability of the banking and financial system and health of the overall economy.” Impact of failure of a bank is determined through a scorecard based assessment of the various indicators (size, interconnectedness, substitutability, complexity) on a scale of 1–4, and aggregated to an Impact score. Based on the bank’s position in the risk-impact matrix, the bank would be under one of the 4 supervisory stances: “Level 1” (Baseline Monitoring), “Level 2” (Close Monitoring, “Level 3” (Active Oversight), or “Level 4” (Corrective actions). The supervisory stance would determine the degree of intrusiveness of onsite supervisory activity (e.g., duration, mandated activities and scope of reviews) and the periodicity of onsite inspections. In addition, the RBI introduced a “Risk Compass Report” under the SPARC framework in September 2016, in order to enhance comparability between banks. It would allow banks to gauge their relative position across various risk measures vis- à-vis the other banks in the system and gain insight into the various sub- constituents of the risk scores. However, the SPARC framework is basically based on a solo basis, even though some group risks are captured in other categories, such as other Pillar 2 risks. EC2 The supervisor has processes to understand the risk profile of banks and banking groups and employs a well-defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis. Description and The RBI uses the SPARC framework to identify and analyze the risk profiles of findings re EC2 banks. This framework covers both present and future risks and is aimed at facilitating prompt supervisory intervention. The SPARC methodology is defined in several documents including a Guidance Note on Risk Assessment & Risk Scoring, an overview of SPARC and IRISc and an explanatory note on IRISc Model in the RBS approach (see EC1). The SPARC results, for each bank, in an RAR and a “Risk Compass” (RC). The RAR is composed of:  Risk Assessment: summary of aggregate risk at bank level, supervisory evaluation of risks and control gaps, governance & oversight;  Capital Assessment: Pillar 1 Capital & CRAR, capital management, ICAAP and stress tests, assessment of internal generation of capital, scope and ability to infuse capital, assessment of leverage ratio, supervisory capital prescription;  Compliance Assessment: compliance culture, major areas of financial divergence, and major areas of non-compliance. 53 INDIA The RC is composed of:  Risk summary (Summary of aggregate risk at bank level);  Relative risk position of the bank; and  Key constituents of risks and their proportions. The RAR and the RC are prepared by SSMs and reported to the senior management of RBI on an annual basis. RAR is issued with relevant supervisory plans, i.e., proposed Risk Mitigation Plans by RBI. Critical issues of concern are brought to the top management and the Board for financial supervision for consideration and directions. Under the SPARC framework, the RBI determines supervisory ratings. While the RBI’s guidance note on the SPARC framework attaches certain supervisory measures to a specific supervisory rating, assessors found little evidence of firm and action-oriented capital augmentation plans, which would enable the RBI to closely monitor the implementation of remedial actions by the bank. For example, according to the guidance note, the definitions of supervisory ratings are:  Supervisory rating “C” (Needs improvements): The risk of failure is higher than acceptable supervisory risk appetite. For these banks, the IRISc model presumably computes the add-on capital. Along with improving/tightening risk management and controls, these banks should be required to hold additional capital. The risk mitigation plan prepared by the supervisory team should also be closely monitored for compliance by the bank.  Supervisory rating “D” (Poor): The bank has a high risk of failure and would need to not only raise additional capital, but also restructure its business to bring down the inherent risks. The banks would be placed under the corrective action framework and their compliance with the mandated supervisory action should be monitored on a monthly basis. Assessors were informed of a number of banks are with “C” and “D” ratings in 2015 and 2016. However, in none of those cases the RBI required banks to comply with the “specific” capital add-on resulting from SPARC and/or to restructure its business accordingly, although this did not preclude the supervisor from prescribing ‘risk mitigation plans’. The RBI stated that calculation of capital add-ons will be enforced pending the independent validation of the SPARC models. EC3 The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements. Description and The RBI has a structured process to assess banks and banking groups compliance findings re EC3 with prudential regulations and other legal requirements. The SSM and his/her team conduct a structured assessment of the level and culture of compliance with regulatory guidelines under SPARC in the RBI. Based on the information supplied by banks on controls, internal audit, compliance function checks and findings, the SSM assesses the regulatory compliance by a bank. In particular, the compliance assessment under SPARC would be performed in the three areas of business risk, governance and oversight functions, as well as capital (see EC1). 54 INDIA Compliance with regulatory requirements is reported in the RAR, which includes a statement as to whether prudential regulatory requirements and other legal requirements have been complied with during the year. Banking group level compliance of prudential regulations are carried out based on regulatory reporting under half-yearly CPR reports. EC4 The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators. Description and The financial stability issues and macroeconomic environment analysis in general findings re EC4 are handled in the FSU of the RBI which also produces the half-yearly Financial Stability Report (FSR). The FSR covers financial stability issues in banks and other segments of the financial sector and is published. The RBI conducts macro-financial stress tests the results of which are published in the FSRs and incorporated in an internal “Systemic Risk Monitor (SRM),” an analysis which is prepared between two FSRs for internal RBI use. The DBS is consulted prior to finalization of the FSR. Furthermore, various analytical studies pertaining to commercial banking system are carried out in DBS and disseminated to supervisors. The interaction between the FSU and the DBS (at both manager and supervisor level) and regular informal meetings facilitate cross-department information flows on macro-economic environment and banking sector issues. In particular, a deputy governor and an executive director of the RBI are in charge of three supervision departments: Department of Banking Supervision (DBS), Department of Cooperative Banking Supervision, and Department of Nonbanking Supervision. This enables DBS to smoothly exchange information on supervision and policy development, and to have close working relationships with nonbank supervision departments. In addition, mechanisms are in place for structured engagement with other regulators under FSDC for assessment of macro-economic and financial stability assessments. EC5 The supervisor, in conjunction with other relevant authorities, identifies, monitors and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability. Description and The mechanism of RBI to identify, monitor, and assess the build-up of risks, trends findings re EC5 and concentrations within and across the banking system are:  FSR—which is reported to the RBI senior management and to the FSDC on a half- yearly basis. The FSR presents detailed analyses of banking sector developments and soundness, including on asset quality (broken down by types of banks, sectors, and types of borrowers, etc.), results of the 55 INDIA macrofinanical stress tests, liquidity risk analysis, and various other financial soundness indicators per different types of financial entities;  Internal “Systemic Risk Monitor”—documents trends and developments in between the two semi-annual FSRs; and  “Early Warning Indicators”—a monitoring report prepared on a quarterly basis (See CP9 EC1). The RBI incorporates these analyses into its assessment of banks under the SPARC framework. The RBI also communicates to banks any significant trends or emerging risks identified as part of its analyses during onsite engagements and discussions under the SPARC framework. In addition, it communicates to other relevant authorities under the FSDC mechanism and by issuing half-yearly FSRs. EC6 Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business. Description and In India, there is no dedicated resolution authority responsible for overseeing and findings re EC6 implementing resolution of financial institutions as a whole group, and the RBI does not assess the bank’s resolvability nor it prepares recovery and resolution plans. Nevertheless, under the BR Act of 1949, the RBI has some limited resolution powers. A new comprehensive resolution framework (draft Financial Resolution and Deposit Insurance Bill, 2016) is currently under consideration by the parliament, which will address these issues. EC7 The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner. Description and Under the BR Act, the RBI has certain limited resolution powers to deal with the findings re EC7 resolution of banks (i.e., can impose mergers, a moratorium, suspension of management and liquidation). The RBI also has a PCA framework which provides for certain structured and discretionary actions that RBI may initiate in respect of the banks which hit the Trigger Points in terms of CRAR, Net NPA and ROA, (see CP 11). Over the past years, there have been several cases of use of the PCA. To facilitate further early intervention, an Early Warning System (EWS) framework has been used to detect early warning indicators (EWIs) from a set of 17 financial indicators covering growth, solvency, asset quality, profitability, and liquidity. Trigger points have been set in respect of five financial indicators (credit growth, CRAR, net NPA ratio, RoA, and LCR) for identifying ‘outliers’. Banks breaching any one of the five triggers are flagged as ‘outliers’ for further examination and supervisory actions. EC8 Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps 56 INDIA to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this. Description and The RBI is a regulator and supervisor of the NBFCs. In terms of Section 45-IA of the findings re EC8 RBI Act, 1934, no nonbanking financial company can commence or carry on business of a nonbanking financial institution without obtaining a certificate of registration from the RBI. Non-authorized deposit taking is also subject to a penalty or fine. Information on the bank-like activities is exchanged among the DNBS and the DBS on any boundary issues that may be identified. In addition, the banking policy/supervision by the RBI with inter-regulatory forum/the FSDC address the issue. Assessment of Largely Compliant Principle 8 Comments The supervisory approach of the RBI has undergone some substantive changes toward the implementation of a risk-based approach. The RBS framework of the RBI (SPARC) deploys a good mix of onsite and offsite supervisory tools, but it is still in its early stages of implementation. The existence of an SSM in charge of the specific bank(s) helps supervisors maintain a comprehensive understanding of the overall risk profile of individual banks. Each SSM has a high degree of autonomy and responsibility for supervising a specific bank. The enforcement link between SPARC assessments and supervisory actions is nevertheless weak. The assessors note that a bank’s RAR does not discuss a bank’s identified capital shortage in detail in association with necessary capital augmentation or risk mitigation plans. For example, the model computes the required add-on capital for banks with a supervisory rating of ‘C’ and lower, which are considered to have a risk of failure above the acceptable supervisory risk appetite. Nevertheless, the assessors note that there were no cases where such identified capital adds-on were followed by specific remedial actions. Finally, resolution powers and tools are very limited and the RBI does not assess the bank’s resolvability nor does it prepare recovery and resolution plans. Regarding the SPARC design, the dynamic nature in RBS is appropriate under the RBS approach, but the process of adjustment or new set-up should be strictly managed and controlled to maintain consistency and robustness of the framework. The RBI should expedite the validation of its SPARC models and start linking more firmly its overall risk assessment to supervisory actions. Once the RBI enhances the robustness of the SPARC framework, it should consider developing detailed assessment handbooks of SPARC to enhance the consistency of its supervisory framework. The RBS framework of the RBI does not have an explicit assessment component to reflect the risk implications pertaining to the resolvability of individual banks. Currently, the RBI does not assess the bank’s resolvability with respect to the bank’s risk profile and systemic importance. Recovery and resolution plans also have not been required by the RBI. The establishment of a recovery and resolution regime and the risk assessment pertaining to the resolvability for large banks (such as D- SIBs) need to be considered after the bill for financial resolution authority is finalized and India has effective resolution powers in place. 57 INDIA Principle 9 Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks. Essential criteria EC1 The supervisor employs an appropriate mix of onsite75 and offsite76 supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between onsite and offsite supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its onsite and offsite functions, and amends its approach, as needed. Description and The RBS framework employs an appropriate mix of on- and offsite supervisory findings re EC1 elements. Within the SPARC, a qualitative and quantitative assessment of the bank’s risks is made by the supervisors on an ongoing basis through a combination of offsite and onsite Risk Discovery Process. The relative importance and intrusiveness of on- and offsite supervision depend on the evolving risk profile and systemic importance of the individual banks. (see CP1, EC1). As part of the offsite supervision, banks submit a set of structured offsite prudential and statistical returns that capture their current financials (balance sheet, and profit- and-loss statement, prudential indicators such as capital adequacy, asset quality, large exposures, maturity profile of assets and liabilities, leverage, connected exposures, ownership structure, and solo and consolidated financials, etc.). Domestic banks with cross-border business submit a separate set of returns covering the financials of their overseas branches, subsidiaries, or joint ventures (as applicable). These offsite returns are collected in the exercise of powers conferred on the RBI under the Banking Regulation Act 1949 (Section 27). The data collected under the offsite reporting is stored in a centralized database which is accessible to target users through a business intelligence (BI) tool with defined access controls. Certain reports which are frequently required by supervisors have been made readily available through preformatted BI reports. Besides, facilities are available to users to build ad-hoc queries from the database through BI tool. The Early Warning System (EWS) framework of RBI has been devised to detect early warning indicators (EWIs) from a set of 17 financial indicators covering growth, solvency, asset quality, profitability, and liquidity. Trigger points have been set in respect of five financial indicators (credit growth, CRAR, net NPA ratio, RoA, and LCR) for identifying “outliers.” Banks breaching any one of the five triggers are subjected to further examination and supervisory actions. Issues of concern arising 75 Onsite work is used as a tool to provide independent verification that adequate policies, procedures and controls exist at banks, determine that information reported by banks is reliable, obtain additional information on the bank and its related companies needed for the assessment of the condition of the bank, monitor the bank’s follow-up on supervisory concerns, etc. 76 Offsite work is used as a tool to regularly review and analyze the financial condition of banks, follow up on matters requiring further attention, identify and evaluate developing risks and help identify the priorities, scope of further offsite and onsite work, etc. 58 INDIA out of analyses are placed ad-hoc before the senior management and Board for financial supervision for consideration and directions. Analytic inputs in terms of macro-level/bank group level/peer group level/sector level/industry level are also undertaken by the DBS periodically to assess and identify the risks and potential concerns. Under the RBS, apart from offsite supervisory returns, banks submit detailed data elements on business, risk exposures, compliance, control parameters and governance. The offsite analyses are carried out by examiners, responsible for supervision of individual banks, as an aid to risk discovery, continuous supervision, and scoping the onsite examination process. The onsite engagement is conducted based on the offsite analyses inputs as also relative impact assessment. The onsite engagements take place within the SPARC processes, the RBS model outputs, and discussions with banks at the completion of the assessments. Full scope examination is conducted for most of the banks at least once during 12–18 months under the SPARC framework, but the examination on 32 small banks is conducted under a simplified model (Small Bank Variant Model). The RBI establishes yearly supervisory plans, including onsite engagement, and updates the plans on a needs basis as well as an annual basis. In addition, the Quality Assurance Division in the DBS reviews the process flow of the SPARC framework. EC2 The supervisor has a coherent process for planning and executing onsite and offsite activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the onsite and offsite functions. Description and Bank supervision function in the RBI is assigned to the SSM, who is assisted by a findings re EC2 group of supervisors. The SSM’s office acts as the dedicated single point of contact for all matters connected with the supervision of a bank or groups of banks. The SSM’s office carries out offsite supervision on a continuous basis to track the changing risk profile of the bank(s), and also identifies the gaps in information/risk assessment which are to be filled by the same team during onsite examination. This arrangement reinforces coordination between onsite and offsite processes. The RBS cycle starts with the risk discovery process and generation of inherent business risk scores based on data submitted by the banks. In addition, banks also submit their self-assessment of control environment and adherence to regulatory compliance instructions. The IRISc model generates risk scores that are analyzed in the offsite risk discovery and scoping onsite focus in conjunction with offsite data bases (see CP8 EC1). The Quality Assurance Division in DBS establishes policies and processes for standardized supervisory procedures of SPARC framework. The processes of SPARC are subjected to quality checks by the quality assurance function at different stages to ensure that consistency and standardization is maintained throughout the assessment process with regard to broad objectives, policies, and risk profiles of the banks. EC3 The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes 59 INDIA information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable77 and obtains, as necessary, additional information on the banks and their related entities. Description and The RBI is statutorily empowered under the Banking Regulation Act 1949 findings re EC3 (Section 27) to collect information on financial conditions from the regulated entities in such formats and frequency as it may deem necessary. The RBI’s offsite supervisory reporting is called the Offsite Surveillance and Monitoring System (OSMOS). The prudential returns under OSMOS capture granular data covering balance sheet details, operating results, risk information, asset liability mismatches, compliance information, and other supervisory information. The data is analyzed from multiple angles, such as compliance, trends, flow of funds, sensitivity, groupings based on peers, industries, etc. Further information is requested on a needs basis as follow up by the SSMs. The new Central Repository of Information on Large Credits (CRILC) database collects detailed information on individual large exposures. The information is used to ensure consistency in asset classifications across banks and to perform targeted analyses (i.e., per certain sectors or borrowers). The objective of such analyses is to identify and track, on an ongoing basis, material changes in exposures and the financial conditions of banks impacting their risk profile and to recommend appropriate supervisory actions or strategies. Prudential returns from banks are checked by OSMOS division of the DBS with regard to maintaining timeliness and quality of offsite reporting. Validation rules are properly incorporated in prudential returns. Reporting errors and other issues impacting data quality are reflected through unfavorable score in the category of “Compliance” under SPARC and/or invocation of penal clause under Section 46 of the BR Act. Along with bank-specific inputs, the supervisors use various analyses undertaken periodically at the macro-level/bank group level/peer group level/sector level/industry level to assess and identify the risks and potential concerns. Offsite analysis also includes market intelligence inputs, regulatory filings by banks with capital markets, discussions with management etc. EC4 The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as: a. analysis of financial statements and accounts; b. business model analysis; c. horizontal peer reviews; d. review of the outcome of stress tests undertaken by the bank; and e. analysis of corporate governance, including risk management and internal control systems. The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any. 77 Please refer to Principle 10. 60 INDIA Description and The RBS framework in India includes structured analysis and assessment of findings re EC4 financials, risk exposures, control gaps, and issues in governance as part of SPARC (see CP8 EC1 and EC2). In addition, the offsite supervision of the banks is conducted through various analytical inputs including trends, fund flows, ratio analysis, at individual bank, peer group and industry level. The EWS report captures critical financials covering growth indicators, solvency, asset quality, profitability, exposure to stressed industries, and liquidity of individual bank to track changes over the previous quarter, average of the previous eight quarters, and the same quarter a year ago with reference to the particular bank, peer group, and industry. RBI examines banks’ internal stress test results which are incorporated in their ICAAPs under the SPARC framework on an annual basis. The RBI’s stress testing guidelines include requirements for rigorous, forward looking stress tests that identify possible events or changes in market conditions that could adversely impact the bank. Under their ICAAPs, banks are required to examine future capital resources and capital requirements under adverse scenarios. The results of forward- looking stress testing should be considered when evaluating the adequacy of a bank’s capital buffer. In addition, the possibility that a crisis impairs the ability of even very healthy banks to raise funds at reasonable cost should be considered. The supervisory concerns emanating from the offsite analysis including EWS are flagged to concerned banks through periodic onsite engagement. The follow-up supervisory actions may range from simple dialogue/discussion/periodic feedback to more intrusive actions such as enhanced offsite reporting, focused scrutiny, specified restrictions on operations, requirements of seeking prior approval of supervisor for undertaking certain activities, etc. EC5 The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system-wide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any. Description and Financial stability issues are handled in the FSU of RBI and publicly disseminated via findings re EC5 the half-yearly FSR. Top-down macrofinancial stress tests are an integral part of the FSR. Mechanisms are in place for structured engagement with other regulators under the FSDC for the assessment of macro-economic and financial stability assessments. In addition, as part of their ICAAP requirement of focusing on bank-specific vulnerabilities, stress tests are carried out by the banks. These are submitted to top management and the Board of Directors of banks and disseminated to supervisors for suitable incorporation in assessments. The RBI’s Guidelines on Stress Testing provide details on the overall objectives, governance, design, and implementation of stress testing. Supervisors meet with bank CEO and senior management on a regular basis to exchange views regarding the bank’s current state, trends in the banking industry 61 INDIA and impact on the bank, and the bank’s progress with respect to action plans issued earlier. In the DBS, analytic studies pertaining to commercial banking system are carried out based on offsite returns and other inputs and disseminated to the supervisors. However, the supervisory bottom-up stress testing methodology and guidance are under development within the DBS. EC6 The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk. Description and The RBI has provided detailed guidance note on risk-based internal audit including findings re EC6 a risk-based internal audit function. RBI assesses the effectiveness of a bank’s internal audit function based on the governance and Oversight controls and Compliance framework under the RBS approach. Under the SPARC framework, the parameters used to evaluate internal audit function include:  Comprehensiveness of bank's policy on internal audit;  Reliance on third party for internal audit and controls to ensure quality/integrity/timeliness;  Engagement of Board and senior management;  Framework for reporting and follow-up on the resolution of internal audit findings and recommendations to Audit Committee Board/management;  Methodology used by the bank for finalizing the internal audit plan for the year, and process to undertake planned audits and unplanned audits based on specific triggers etc.;  Process adopted by the bank to ensure that personnel with requisite skill sets are deployed for specific audit areas in internal audit;  Framework followed for training/development of internal audit staff; and  Framework for ensuring quality and performance evaluation of internal audit function etc. Furthermore, the RBI uses the findings of internal audit as inputs to determine further targeted examination by supervisors. EC7 The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, non-executive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models. Description and The RBI has supervisory discussions on findings of inspection and supervisory findings re EC7 evaluation with banks’ top management. The SSM’s office interacts as needed with the bank’s senior and middle management under the RBS framework. 62 INDIA The Chief Compliance Officer (CCO) of a bank acts as the dedicated interface between the bank and office of SSMs. The CCO keeps the SSMs informed on all important developments concerning the banks. The RBI’s communication with senior management of banks, both formal and informal, is an ongoing process and its intensity is determined based on the bank’s risk assessment. Broadly, the interaction with banks has the following structure: Structured Discussions—with the top management of the bank at least once at the beginning of the year to understand the changes in business strategy, projections for the year and the up-gradations in risk management systems. Regular interaction with the risk management department is also undertaken through formal meetings. Information Gaps—are covered during the Risk Discovery process under the RBS, whereby supervisors identify data gaps for interim risk assessment of the bank. In such cases, the supervisors may hold discussions with the senior management and the concerned departments/divisions of the bank to address the gaps and to enhance their understanding of the information/data provided by the bank. Interaction as part of onsite inspection and thematic/targeted reviews—the RBI has detailed discussions with banks as part of the integrated onsite inspection visit and thematic review/targeted scrutiny process. Supervisory rating communication—represents a formal communication that is expected to happen once every year for every banking entity. Detailed deliberations with bank management at the level of DG/ED/PCGM will be held as part of rating communication on the observations made by supervisors and their teams. Regular interactions—the RBI meets with the bank’s CEO and senior management on a regular basis to exchange views regarding the bank’s current state, trends in the banking industry, and impact on the bank; the bank’s progress with respect to action plans issued earlier, etc., with a view to monitor and assess the bank on a continuous basis. However, there have been no separate meetings or engagement with the bank’s Board or non-executive (independent) Board members. (See CP15) EC8 The supervisor communicates to the bank the findings of its on- and offsite supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary. Description and After conclusion of the RBI’s onsite engagement, the RAR is subject to independent findings re EC8 quality assurance checks. Post quality assurance checks, the report is communicated to the banks as Preliminary Risk Assessment Report (PRAR). Thereafter the PRAR is discussed with banks’ top management at the exit meeting for seeking banks’ responses and comments. Post exit meeting and incorporation banks’ comments, the RAR is issued with proposed risk mitigation plan (RMP). After issue of the RAR, a high level supervisory discussion takes place between the RBI (deputy governor or chief general manager) and the top management of the banks where the major areas of concerns observed in the RAR are deliberated upon and the proposed RMP is finalized for compliance. 63 INDIA As part of the RBI’s regular offsite analysis including EWS, major supervisory concerns and issues are flagged to banks for comments/remedial actions. Need- based interactions with senior/middle management of the banks is one of the tools employed as part of the offsite risk discovery process. Meeting with statutory auditors also form part of the risk discovery process of RBI especially during onsite visits or where need for feedback on critical accounting issues arises during the course of onsite or offsite examinations. In addition, the findings of onsite inspections of overseas offices of Indian banks are communicated to the bank through the inspection report of the host supervisory authorities. Depending on the level of supervisory concerns that emerge regarding the Indian banks overseas operations based on the findings of the onsite inspections and other inputs received from the host supervisory authorities, discussions are held by RBI with the top Management of Indian banks. However, there is no practice of meeting separately with neither the bank’s independent Board members, nor the Board. EC9 The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner. Description and The SSMs in the RBI closely monitor the compliance to the RAR action points (the findings re EC9 outcome of RBI onsite inspection) and agreed RMP. Banks are required to submit compliance report to action points within the agreed time limit. The acceptability of banks’ compliance is examined in terms of completeness, clarity, and relevance. Compliance which is incomplete or ambiguous is not accepted and returned to the banks along with supervisor’s comments for reconsideration. Non-compliance of action points and/or RMP within the agreed time line is viewed seriously and gets factored in the assessment of governance and oversight functions in the SPARC framework. Ever though the RAR is placed before the bank’s Board, there are no formal guidelines on the oversight of compliance, which include penal actions or further enforceable measures in case that action points are not addressed in an adequate or timely manner. EC10 The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. Description and The RBI expects that banks should notify it in advance of any substantive changes findings re EC10 in their activities, structure, and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. The office of the SSM is entrusted with full responsibility for supervision of a bank and acts as the single point of contact with banks. Banks are required to bring to the notice of the SSM any emerging development/issue that is material for the bank. 64 INDIA However, there are no explicitly binding requirements in the regulatory framework for banks to timely report any substantive changes in their activities, structure and overall conditions. EC11 The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties. Description and As per section 30 (1B) of the Banking Regulation Act 1949, RBI has the power to findings re EC11 conduct a special audit of a bank in the interest of public or the bank or the interest of depositors. The RBI can cause the special audit to be conducted either by the bank’s statutory auditors or some other persons eligible to be appointed as bank auditor. There are no explicit rules of the RBI for hiring third parties in supervisory activities or regulating quality control or preventing conflicts of interest in such cases. There are also no rules to ensure quality control as well as prevent conflicts of interest. However, the RBI states that use of this power is very rare. In addition, terms of contracts that the RBI uses for this purpose covers detailed mandate for work. Further, the RBI functions as the approving authority for appointment of statutory auditors. The RBI has mandated external auditors of banks to specifically report, simultaneously, to the Chief Executive Officer of the bank and the RBI, any matter susceptible to fraud or fraudulent activity or foul play in any of the transactions. Any deliberate failure on the part of the auditor would render themselves liable for action. Comprehensive Long Form Audit Report (LFAR) prescribed by the RBI is submitted by Statutory Central Auditors of Scheduled Commercial Banks to the chairman of banks and to the RBI every year. In practice, in the event of significant divergence observed in asset classification and NPA provisioning during inspection, the RBI may obtain and examine the comments of statutory auditors on the divergence. In case any integrity breaches are reported by the banks, appropriate action including black listing, denial of bank audit for specified periods is initiated by the RBI, besides reporting the same to the ICAI, which exercises disciplinary jurisdiction as quasi-judicial authority over their profession and their conduct. EC12 The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action. Description and In the RBI, the data collection (submission by banks), validation, and processing of findings re EC12 offsite returns is done online through XBRL reporting platform under a centralized environment. Data storage and retrieval/ access is done through a central server with robust BI tool and security features. Accessibility of the data is geography neutral as it is browser based. First signal report immediately on receipt of defined set of returns, select preformatted reports for easy and quick retrieval, EWS report, important financial indicators, organized summary values for building customized ad-hoc queries based on variables across different returns, peer group report, etc., are available to the supervisors. The RBS data and operationalization of supervisory model are also carried out in automated and secure environment with appropriate output reports and MIS. 65 INDIA Additional criteria AC1 The supervisor has a framework for periodic independent review, for example by an internal audit function or third party assessor, of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate. Description and The RBI assesses and improves the supervisory tools and processes as and when findings re AC1 necessary. The RBS processes have been fine-tuned based on experience. However, the RBI does not have a periodic formal independent review procedure to assess the adequacy, use, and effectiveness of the range of available supervisory tools. Assessment of Largely Compliant Principle 9 Comments The RBI has established a comprehensive range of supervisory tools and techniques to implement its RBS approach. The RBI employs an appropriate mix of on- and offsite supervisory elements. Under the RBS framework, the relative importance and intrusiveness of on- and offsite supervision depends on the evolving risk profile and systemic importance of the individual banks. The RBI has broad information gathering power, since it is statutorily empowered under the BR Act to collect information on financial conditions from the regulated entities in manner and frequency as deemed necessary. In particular, the new CRILC database appears to be useful in the current context to ensure consistency of assessments of large credit exposures and asset classification across banks. The RBI’s communication with banks, both formal and informal, is an ongoing process, and its intensity is determined by the bank’s risk assessment. The SSM acts as the dedicated single point of contact for all matters connected to the supervision of the particular bank(s), and facilitates the exchange of supervisory information. There are some aspects of the essential criteria for BCP 9 that are not fully consistent with the supervisory tools and techniques of the RBI:  More detailed formal guidelines regarding the oversight of compliance of RAR action points need to be established. Without comprehensive formal guidelines on the oversight of compliance, it is difficult to ensure that the bank’s compliance of action points is managed in a consistent, focused, and enforceable manner across all banks to prevent banks from hindering implementation of RAR action points.78  Supervisory bottom-up stress testing methodology is under development within the DBS. The RBI should consider finalizing and utilizing the stress testing methodology to identify, assess, and mitigate any emerging risks across banks.  Explicit mandatory requirements in the regulatory framework regarding the reporting of any substantive changes in activities, structure, and overall conditions do not exist. 78 The RBI established the Enforcement Department in April 2017, which may address the concern in a more focused manner. 66 INDIA Principle 10 Supervisory reporting. The supervisor collects, reviews and analyses prudential reports and statistical returns79 from banks on both a solo and a consolidated basis, and independently verifies these reports through either onsite examinations or use of external experts. Essential criteria EC1 The supervisor has the power80 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related-party transactions (RPT), interest rate risk, and market risk. Description and The RBI is statutorily empowered under the Banking Regulation Act 1949 (Section findings re EC1 27) to collect information on the financial condition, performance, and risks of regulated entities in such formats and frequency as it may deem necessary. The RBI collects an array of offsite returns from banks at frequencies ranging from fortnightly to annual basis. The offsite information covers granular data, such as: on-and off-balance sheet details, operating results, capital adequacy, asset quality, lending per sectors, large exposures, structural liquidity in domestic and foreign currency, liquidity coverage ratio, leverage ratio, interest rate sensitivity in domestic and foreign currency, related-party (RP) exposures, ownership and control structures, and geographical distribution of loans and deposits, etc. The RBI also collects returns on a consolidated basis in the form of semi-annual Consolidated Prudential Reports covering consolidated balance sheet and profit and loss statements, list of subsidiaries, affiliates, and joint ventures, selected prudential statements (i.e., return on capital adequacy, large exposures, forex exposures, exposures to capital market, exposure to unsecured guarantees and advances, CRR, SLR, and structured liquidity, etc.). In addition, the RBI collects returns on financial conglomerates capturing intra-group transactions (on a quarterly basis). The RBI analyzes the suite of prudential returns and financial information on both a solo and a consolidated basis. EC2 The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally. Description and Financial statements of banks are prepared using Indian Accounting Standards findings re EC2 prescribed by the ICAI. In the preparation of the prudential returns, banking companies have to use the same accounting standards. Additionally, the RBI has issued detailed guidance in the form of “Offsite Surveillance Reports” to assist banks in the completion and submission of the prudential returns. Section 29 of the BR Act prescribes the format for preparing the financial statements. The RBI has also issued detailed instructions on the disclosure of 79 In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this CP, and the latter are addressed in CP 27. 80 Please refer to CP 2. 67 INDIA financial statements. Banks are mandated to disclose additional information as part of the annual financial statements, such as the CARs, shareholding structure, lending, etc. EC3 The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes. Description and The prudential norms for classification, valuation and operation of the investment findings re EC3 portfolio as well as the prudential norms on income recognition, asset classification and provisioning pertaining to advances are the areas where the RBI valuation rules complement the accounting standards. Financial reporting information contained in the bank disclosure statements and prudential returns is required to be subject to a limited scope review by an external auditor on a quarterly basis. The RBI examiners verify adherence to the guidelines during onsite inspections. In case the RBI determines that valuations are not adequate, banks are required to make adjustments. EC4 The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank. Description and The BR Act (Section 27) empowers the RBI to collect offsite information in such findings re EC4 formats and frequencies from any bank as it deems fit. The prudential returns are submitted on a fortnightly, monthly, quarterly, half-yearly, and annual basis. The frequency of offsite returns has been set keeping the importance of information in meaningful risk assessment. For instance, liquidity being a critical issue in supervisory risk assessment, information on liquidity is collected on a fortnightly basis. Balance sheet details, interest rate sensitivity, and exposure to sensitive sector are collected on monthly basis. The impact of business activities on capital adequacy, profitability, large exposure, risk concentration, etc., are collected on a quarterly basis. The EWS report captures additional information on trends and developments relative to peers or previous time frames (see CP9, EC1). Identified areas of concern may trigger enhanced offsite reporting, among other supervisory actions. EC5 In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data). Description and The prudential returns (stock and flow data) are collected on a comparable basis findings re EC5 and are related to the same dates and periods. The prudential returns are submitted on a fortnightly, monthly, quarterly, half-yearly and annual basis. After collection, the offsite data is analyzed from multiple angles such as compliance, trends, peers, stocks and flows, industries, sensitivities to various risks, 68 INDIA etc. Such reports are used by supervisors in conjunction with individual bank statements and reports. Offsite analysis is also informed by market intelligence inputs, regulatory filings by banks active in capital markets, discussions with management, etc. EC6 The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information. Description and The BR Act allows the RBI to request and receive any relevant information from findings re EC6 banks and other supervised entities belonging to the banking group, but not from nonsupervised entities. (Section 27 of the BR Act). However, the Section 29(A)(2) of the BR Act, 1949 authorizes RBI to undertake inspections of any associate enterprise of a bank and its books of accounts, jointly with the authority regulating such associate enterprise. It is expected to remedy the gap to some extent regarding the access to call for information for any entity in the banking group. The inspections of overseas subsidiaries of Indian banks are undertaken by virtue of powers under Section 29(A)(2), in association with the host supervisor (wherever the host authority consents to participate in such inspections) or by RBI alone. In addition, the banks that are required to disclose consolidated financials, as per Accounting Standard 21, submit a return on Consolidated Prudential Report (CPR). Financial conglomerates submit Financial Conglomerates returns (FinCon). Branches of foreign banks having subsidiaries of their overseas parent bank submit certain consolidated prudential details but not the consolidated financials. EC7 The supervisor has the power to access81 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management, and staff, when required. Description and Section 35 of the BR Act, 1949, the bank is supposed to make available all books of findings re EC7 account to the RBI for inspection. The banks are also expected to provide access to its Board, management, and staff when required by the RBI. The RBI has the general power to issue directions under the BR Act (Section 35A) where necessary in the interest of banking policy, in the public interest or where the business of the bank is conducted in a manner detrimental to the interest of the depositors. Section 27 (2) of the BR Act also empowers the RBI to direct a banking company at any time to furnish it, within such time as the RBI may specify, with such statements or information as it deems necessary. Section 35 (2) of the BR Act also gives the RBI access to every director, officer, or employee of a bank and requires these persons to provide the RBI with any statements or information the RBI examiners may require. EC8 The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines the appropriate level of the bank’s senior management is responsible 81 Please refer to Principle 1, Essential Criterion 5. 69 INDIA for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended. Description and The prudential returns are to be signed off by a member of senior management findings re EC8 (the compliance officer and/or the bank’s CEO). Submission of erroneous information to the RBI results in the imposition of penalties as specified in Section 46 (1) of the BR Act. Penalties have been imposed on banks in case of lapses in their reporting. RBI has used the process to impose penalty on a bank recently in respect of non-compliance of reporting requirements. RBI does not normally impose sanctions on employees or senior management for misreporting. The validity and integrity of the prudential returns are periodically verified upon submission by a designated statistics division of the RBI. The information submissions by banks are subjected to verification during onsite visits also. In case of submission of incorrect or incomplete information, it is treated as nonsubmission of returns and leads to a penalty under Section 46 of the BR Act. Section 30 (1B) of the BR Act allows the RBI to direct a special audit of the banking company’s account. The RBI may also appoint a person duly qualified or direct the auditor of the bank to conduct a special audit. In all cases, the auditors will comply with the RBI directions and report back on the audit findings. The expenses of such a special audit have to be borne by the bank (Section 30-1C of the BR Act). EC9 The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a programme for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts.82 Description and In RBI, the validity and integrity of the prudential returns are periodically verified findings re EC9 upon submission. The information submissions by banks are subjected to verification during onsite visits also. The prudential returns have to be signed by a member of senior management and/or CEO. A structured offsite supervisory reporting called Offsite Surveillance and Monitoring System (OSMOS) has been operationalized in 1995–96 in the RBI. The data collection, validation, and processing of offsite returns is done online in the XBRL under a centralized environment. Data storage and retrieval is done through a central server with robust Business Intelligence tool and security features. Banks are sensitized on the criticality of maintaining timeliness and quality of offsite reporting. Reporting errors and other issues impacting data quality are viewed and reflected through higher risk scores and/or invocation of penal clause. (see EC8). The basic statistical returns are periodically reviewed for changes by ‘Committee for Direction on Banking Statistics (CDBS)’ convened by the ‘Department of Statistics and Information Management (DSIM)’ of the RBI. The CDBS comprise of representatives from select commercial banks and different departments in the RBI. The last CDBS committee meeting was held in October 2016. In addition to the above, the RBI has constituted an inter-departmental ‘Return Governance Group (RGG)’ that is responsible for the introduction of new 82 Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. 70 INDIA returns/modification of returns. The important functions of the RGG include vetting the introduction of new returns, approving the modification (addition/deletion of elements) of existing returns, approving the rationalization of existing returns, and approving the standardization of code masters. The RGG is chaired by the executive director in charge of the Department of Regulation, and the last meeting of the RGG was held on November 10, 2016. EC10 The supervisor clearly defines and documents the roles and responsibilities of external experts,83 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations. Description and The RBI states that cases of hiring experts are rare, except for auditors. findings re EC10 When the services of auditors are required for any special examinations, the roles and responsibilities, the scope of work, and conflicts of interest are spelt out in the contract and monitored by the RBI. The RBI is informed of any deficiencies observed, which are discussed with the external auditors and, if need be, referred to the ICAI, the oversight body for the external audit profession. There are no comprehensive guidelines/criteria for hiring third parties who conduct supervisory tasks in place or for assessing the quality of the work performed by those experts. EC11 The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. Description and There is no explicit requirement that external experts promptly bring to the RBI’s findings re EC11 attention, if they identify any material shortcomings during the course of any work undertaken by them for supervisory purposes. However, the use of external experts—except for auditors—is very rare. The statutory auditors are required to highlight matters of material significance in the Long Form Audit Report (LFAR) to the annual accounts. The LFAR prescribed by the RBI is submitted by the Statutory Central Auditors of Scheduled Commercial Banks to the chairman of banks and to the RBI every year. In addition, in accordance with the RBI’s terms of appointment that are generally used for external auditors, they are also required to report directly to the RBI frauds of Rs 1 crore and above, which have not been reported by banks, as well as serious irregularities observed by them during the course of the audit. In the event of significant divergence observed in asset classification and NPA provisioning during inspection, the RBI may obtain and examine the comments of statutory auditors. EC12 The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need. 83 Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. External experts may conduct reviews used by the supervisor, yet it is ultimately the supervisor that must be satisfied with the results of the reviews conducted by such external experts. 71 INDIA Description and The offsite reporting framework of the RBI has been reviewed to incorporate new findings re EC12 data requirements due to changes in regulation, supervisory requirements, requirements of users, reporting entities, etc. The RBI has processes in place to periodically review the returns (see EC 9). Assessment re Largely Compliant Principle 10 Comments The RBI has extensive powers to require banks to submit any relevant supervisory information. In exercise of its powers, the RBI collects a wide range of offsite returns from banks at frequencies ranging from fortnightly to an annual basis, and supervisory information can be collected on an ad-hoc basis. The quantity and types of the data collected from banks vary based on the group structures and business profiles. The RBI validates prudential returns periodically and automatically upon each submission. The submitted information is also subjected to verification during onsite visits. Banks that submit erroneous information to the RBI are subject to penalties. Penalties have been imposed on banks in case of lapses in this regard. The RBI has an assessment process in place to periodically review the returns. For this purpose, the RBI established inter-departmental groups with responsibilities for the introduction of new returns/modification of returns. Some shortcomings should be addressed:  With regard to prudential supervisory returns, apart from a few, most data are submitted on a solo basis. The authorities should consider enhancing the collection of data for purposes of consolidated supervision in terms of granularity and frequency (e.g., data collection of group-wide asset classification, quarterly CPR, etc.).  There are no explicit guidelines/criteria for hiring third parties who conduct supervisory tasks to assess the quality of the work performed by those experts, or obliging them to report to the RBI promptly any material shortcomings identified. The issuance of such guidelines could be contemplated if the use of third parties were to increase. Principle 11 Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation. Essential criteria EC1 The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified. Description and Supervisory concerns discovered in offsite and onsite analyses are promptly raised findings re EC1 with the bank in question for information and remediation. 72 INDIA The RBI can identify a range of issues quickly. It has a structured risk assessment process as part of the RBS. This is supported by an annual scoring of banks to judge their risk of failure and the impact a failure would have on depositors and other customers, systemic stability, and the economy. Scorecard indicators reflect the bank’s condition and its risks, as well as considerations related to its size, interconnectedness, substitutability, and complexity. Aggregate scores run on a scale of 1 to 4. Though the SPARC scorecard cannot be updated by the EWS output of 17 indicators, a quarterly risk-profile update is made based on all available information to identify emerging supervisory issues. If there is an outlier among the 17 EWS indicators, and these indicate issues of potential supervisory concern, they will be reflected in the next annual scoring exercise. In the meantime, the supervisor can act on emerging supervisory issues. The RBI requires the bank’s management to share examination reports with the bank’s Board. For more serious infractions of supervisory standards, the RBI requires a bank to prepare and submit a written risk mitigation plan (RMP) with specific milestones. Once revised as needed and approved by the RBI, the SSM monitors subsequent actions against the plan and, if necessary, takes further supervisory action when shortfalls are identified. EC2 The supervisor has available84 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened. Description and Ongoing scorecard results and the seriousness of any recent supervisory report findings re EC2 findings determine the choice of supervisory tools and approach, including the intrusiveness and frequency of onsite supervision. RBI defines four levels of intensity—Levels 1 to 4—that are roughly defined as “baseline monitoring,” “close monitoring” “active oversight,” and “corrective actions.” Supervisory actions may range from enhanced dialogue and periodic feedback on progress to more intrusive actions such as enhanced offsite reporting, focused scrutiny of specific risk areas, specified restrictions on operations, requirements for prior supervisory approval for specific activities, etc. EC3 The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios. Description and The RBI has a PCA regime that specifies certain mandatory and discretionary findings re EC3 supervisory actions when the trigger points are breached.85 These are defined in terms of CRAR, Net NPA, and ROA (capital, NPAs, and profits). The PCA framework is under revision and changes will be introduced shortly. These amendments to the PCA are expected to make the framework more stringent as 84 Please refer to CP 1. 85 “The Scheme for Prompt Corrective Action,” December, 2002. 73 INDIA ranges are tightened and the capital measure is changed from Tier 1 plus Tier 2 to CET1. 86 EC4 The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license. Description and The 2002 RBI PCA Scheme associates specific action with different trigger levels. For findings re EC4 example, for the capital to risk (weighted) assets ratio (CRAR), the PCA trigger ranges are defined as 6–9 percent, 3–6 percent, and below 3 percent. For CRAR less than 9 percent, but equal or more than 6 percent, the following measures apply: Structured (Mandatory) PCA Actions  Submission and implementation of capital restoration plan by the bank;  The bank will restrict expansion of its risk-weighted assets;  The bank will not enter into new lines of business;  The bank will not access/renew costly deposits and CDs; and  The bank will reduce/skip dividend payments. Discretionary PCA Actions  The RBI will order recapitalization;  The bank will not increase its stake in subsidiaries;  The bank will reduce its exposure to “sensitive” sectors like capital market, real estate or investment in nonsLR securities;  The RBI will impose restrictions on the bank on borrowings from inter-bank market; and  The bank will revise its credit/investment strategy and controls. Then, as the CRAR falls into lower ranges, some discretionary actions become mandatory and additional corrective requirements are imposed. The same is true for the NPA and ROA triggers. The CRAR requirements largely focus on matters affecting capital adequacy, the NPA requirements on asset portfolio quality going forward, and the ROA requirements on matters such as overhead expenses that directly impact costs and earnings. 86 The PCA framework was revised with effect from April 13, 2017. In the revised PCA framework the following parameters are monitored, CRAR, Net NPA, ROA and CET1 along with leverage ratio. There are three risk thresholds and breach of each thresholds would invite certain mandatory and discretionary actions. 74 INDIA Some structured and discretionary actions, however, are specified as actions of the RBI and the central government. For example, when the CRAR is between 3 percent and 6 percent, discretionary actions include one whereby the “Bank/Government [can] take steps to bring in new Management/Board.” The PCA framework, which has been in place since 2002, is currently undergoing a substantial revision.87 The RBI can and does take supervisory actions outside of the PCA framework. The PCA scheme itself makes this explicit where it says that the RBI reserves the right to require a bank to take “any other action…in the interest of the concerned bank or in the interest of its depositors.” EC5 The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein. Description and The PCA framework provides for certain Structured Actions and Discretionary findings re EC5 Actions that the RBI may initiate in respect of the banks that have hit the trigger points in terms of CRAR, the Net NPA, and the ROA, etc. The 1949 Act in Section 36 AA gives the RBI the authority to remove officers of a private sector bank. The discretion is broad and has been used in practice. However, it does not extend to PSBs (except directors appointed by private shareholders). EC6 The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system. Description and As explained in the discussion of CP12 on consolidated supervision, the RBI does findings re EC6 coordinate supervision of financial conglomerates that include a bank with the financial regulators who oversee the other parts of the conglomerate. RBI regulations call for ring fencing the bank within a non-operating financial holding company (NOFHC) from any liabilities of companies outside the NOFHC also owned by NOFHC shareholders.88 While the RBI cannot unilaterally ring fence a bank, in the sense of protecting it completely from losses in other parts of a financial conglomerate at the time such losses materialize, it does have guidelines that limit intra-group exposures for banks and limit their equity investment in subsidiaries.89 The combination would limit contagion from nonbank affiliated entities to a bank. EC7 The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution). Description and Problem situations severe enough to call for resolution of a PSB would be findings re EC7 coordinated with the MOF of the central government. The RBI and other nonbank financial regulatory agencies have undertaken to “… endeavour to work together to develop resolution and recovery plans (RRPs) for 87 The revised PCA framework has since been introduced in April, 2017. 88 Section 2 (C)(3) of the Guidelines for Licensing New Banks in the Private Sector, February 2013. 89 Guidelines on Management of Intra-Group Transactions and Exposures, February 2014 and Guidelines on Investments in Subsidiaries and Other Companies, July 2013. 75 INDIA any financial conglomerate when the lead supervisor (Principal Regulator) requested it. Banks wishing to merge need RBI prior approval.90 For a failed bank, the final determination is with the GOI and the High Court, which oversees liquidation.91 The MoU signed in 2013 between member of Inter-Regulatory Forum-IRF: (RBI, Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India (IRDAI), and Pension Fund Regulatory and Development Authority (PFRDA) helped enhance cooperation in the supervision of FCs. The IRF coordinated oversight comprises; (i) periodic discussion meetings of all four domestic regulators with the designated entity of the FC and key group entities; and (ii) submission of quarterly offsite returns to the PR of the FC. This forum will handle such resolution issues. The GOI has constituted a committee to frame a bill for financial resolution authority which will be the authority to decide on the resolution of all types of financial firms in consultation with sectoral regulators. The draft bill has already been framed by the committee and it is out for wider consultation. Additional criteria AC1 Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions. Description and RBI has well established policies, principles and processes to identify supervisory findings re AC1 concerns and take appropriate corrective actions in a timely manner. RBI is also accountable to GOI. AC2 When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of non-bank related financial entities of its actions and, where appropriate, coordinates its actions with them. Description and The MOU between the domestic financial regulatory agencies that established to findings re AC2 Inter-Regulatory Forum encourages each regulator to notify the Principal Regulator of a conglomerate of any regulatory actions they take regarding parts of the conglomerate. Assessment of Largely Compliant Principle 11 Comments The RBI has an adequate range of supervisory tools for timely responses to most issues. This includes the ability to revoke the license of a private sector bank. In particular, the RBI:  has processes help in detecting issues quickly and raising them with the bank, including with their Board. Supervisors can then monitor risk mitigation plans and follow-up on any shortfalls (EC1);  has an appropriate set of supervisory tools (EC2);  has the power to take timely risk mitigating actions (EC3); 90 Guidelines for the Merger of Private Sector Banks, May 2005 and Section 44A of the 1949 Act. 91 Section 38 of the 1949 Act. 76 INDIA  has specific options for escalating these actions (EC4);  can take corrective actions against members of management and the Board of a private bank (EC5);  can coordinate corrective actions against nonbank entities in financial conglomerates to protect the bank. Ring-fencing a bank from nonbank liabilities within a group might not be an option in times of stress, but intra- group exposures are limited by regulation (EC6); and  cooperates with other agencies as needed to resolve problem situations. However, under the current PCA regime, some of the more stringent actions under PCA are for action by the “government/RBI” (EC4). Its decisions to revoke any banking license are subject to government appeal (EC5). Legislation should be amended to give the RBI full authority to revoke a bank license without appeal to the GOI; and to ensure it can act independently with respect to PCA enforcement. The revisions to the PCA triggers and capital definitions should be implemented soon. Principle 12 Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.92 Essential criteria EC1 The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system. Description and The RBI conducts supervision of banking group-level activities through analysis of findings re EC1 the consolidated financials required by the Accounting Standards Board for consolidation (AS21 of Accounting Standards in India) and as reported in the annual Consolidated Prudential Report (CPR). Cross-border consolidated supervision of banking groups is conducted through supervisory colleges, supervisory cooperation MoUs, and inspection of overseas operation of Indian banks. The RBI coordinates supervision and regulation of the five bank-led large financial groups designated “financial conglomerates.” It supervises all the subsidiaries of such bank-led financial groups in conjunction with the relevant domestic securities, pension, and insurance sectoral regulator—the SEBI, the PFRDA, and the IRDA respectively. Financial conglomerates are defined as firms that are active in more than one of these financial sectors. The SBI is the largest financial conglomerate. It consists of five associates banks, and eight overseas banking subsidiaries/joint ventures, NBFCs, insurance 92 Please refer to footnote 19 under Principle 1. 77 INDIA companies, and pension funds. Only the five associates have been merged with the parent SBI with effect from April 1, 2017. The ICICI Bank and the PNB have overseas banking subsidiaries. All the others only have nonbank activities in subsidiaries of the bank. The RBI has the authority to supervise any associate enterprise of a banking company jointly with its regulator.93 This includes the conduct of joint onsite inspections whenever the RBI judges necessary. Joint onsite inspections, however, are not common in practice. To coordinate cross-industry regulation and supervision, the Inter-Regulatory Forum on Financial Conglomerates (IRF-FCs) of the Financial Stability and Development Council (FSDC) was set up in August 2012.94 The IRF-FC uses “lead regulators” to monitor financial conglomerates. The RBI is the lead regulator for all financial conglomerates that include a bank. The IRF-FC is headed by the deputy governor of the RBI (in charge of the Department of Banking Supervision), and other sectoral regulators are represented at the executive director level. Since it was established, it has met, on average, more than once every quarter. An MoU was signed between the members in March 2013, addressing consolidated supervision and monitoring of financial conglomerates.95 At the end of each quarter, intra-group exposures are reported to the RBI, which are constrained by guidance.96 During the quarter, the RBI’s SSM has access to Board and management reports regarding intra-group transactions. If sectoral supervisory teams decide coordinated action is needed, it can be escalated to the IRF-FC for discussion and approval. For cross-border supervision, the RBI has an extensive network of cross-border relationships with regulatory authorities in other countries (see EC3). EC2 The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, exposures to related parties, lending limits, and group structure. Description and Prudential standards have been set up on capital, liquidity risk, large exposures, and findings re EC2 exposures to related parties at the group level. The RBI collects and analyzes financial and other information in the form of semi-annual prudential reports (CPR) on a consolidated basis (See CP 10 EC1) The banks with foreign operations are required to disclose financials that consolidate those operations in their Consolidated Prudential Report. EC3 The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding 93 Section 29(A) (2) of the 1949 Act, revised January 2013. 94The FSDC itself is Chaired by the Finance Minister and its members include the heads of all Financial Sector Regulators (RBI, SEBI, PFRDA, IRDA) and the Secretary, Department of Financial Services (DFS) among others. The Council monitors macro prudential supervision of the economy, including functioning of large financial conglomerates, and addresses inter-regulatory coordination and financial sector development issues. It meets roughly every six months. http://finmin.nic.in/fsdc/Structure_of_Financial_Stability.pdf. The MOU draws a distinction between coordinated onsite inspections, which it calls for, and joint inspections, 95 which it specifically excludes. 96 “Guidance on the Management of Intra-Group Transactions and Exposures,” February 2014. 78 INDIA company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross-border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations. Description and A framework for Cross-border Supervision and Supervisory Cooperation was put in findings re EC3 place during 2010. Regarding the ability of Indian banks to oversee their foreign operations, the RBI requires banks with foreign operations to be able to manage those operations effectively, which means—among other things—that the Indian head office must have unimpeded access to pertinent local information. Regarding the expertise needed in foreign operations, the RBI has issued guidance to Indian banks on the soft and hard skills needed by bank officials who are posted overseas. (In addition, Indian PSBs follow GOI ‘Guidelines on placement of bank officials in Overseas Branches’, that address possible issues of inequity and corruption.) The effectiveness of host country supervision is assessed in the course of establishing and managing cross-border supervision arrangements. The RBI uses (i) supervisory colleges; (ii) home-host relationships governed by formal/informal arrangements; and (iii) periodic onsite inspection of overseas operations of Indian banks. Indian banks are operating in 54 foreign jurisdictions. Formal arrangements such as MoUs on supervision are in place for 43 overseas supervisory authorities, up from 2 in 2011. They cover both home authorities of foreign banks operating in India and host authorities of Indian banks operation abroad. Supervisory colleges were established during 2012–14 for all six major Indian banks having significant overseas operations. The colleges meet at least once in two years, with as needed communications in between. EC4 The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct onsite examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate. Description and Between 2012–2015, the RBI has conducted onsite inspection of select overseas findings re EC4 branches of Indian banks in major jurisdictions, focusing on significant exposures, problem credits and other supervisory concerns. Results of these exams feed into each bank’s annual supervisory RAR. 79 INDIA EC5 The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action. Description and The RBI conducts supervision of banking group level activities through analysis of findings re EC5 the consolidated financials and supervisory returns (EC2). For bank-led financial groups, the RBI is responsible for monitoring the group, including the parent—which, to date, has always been a bank. It can supervise any affiliated enterprise in conjunction with its sectoral regulator. As noted in the description of EC1, the RBI recently instituted a system of prompt reporting on transactions between banks and their associate institutions within financial groups. In addition, intra-group exposures are reported to the RBI which are constrained by guidance.97 The RBI’s SSM has access to Board and management reports regarding intra-group transactions. EC6 The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that: a. the safety and soundness of the bank and banking group is compromised because the activities expose the bank or banking group to excessive risk and/or are not properly managed; b. the supervision by other supervisors is not adequate relative to the risks the activities present; and/or b. the exercise of effective supervision on a consolidated basis is hindered. Description and The power of the RBI to take corrective action against a bank, under section 35A of findings re EC6 the 1949 Act does not stop at the frontier. It may limit bank activity to protect the interests of depositors or of the banking company itself. This extends to overseas activities that might compromise safety and soundness. The extensive network of MoUs and supervisory colleges that the RBI has put in place over the past five years means that the RBI could intensify its own supervision of Indian bank overseas operations if weak local supervision was a concern. EC7 In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand-alone basis and understands its relationship with other members of the group.98 Description and The RBI supervises banks basically on a solo basis, regardless of whether they are a findings re EC7 part of a group or a conglomerate. Additionally, consolidated supervision on banking groups is conducted based on half-yearly CPRs and other information (EC5). Additional criteria 97 “Guidance on the Management of Intra-Group Transactions and Exposures,” February 2014. 98 Please refer to Principle 16, Additional Criterion 2. 80 INDIA AC1 For countries that allow corporate ownership of banks, the supervisor has the power to establish and enforce fit-and-proper standards for owners and senior management of parent companies. Description and Corporate ownership of banks—that is ownership of banks by nonfinancial findings re AC1 companies—is prohibited in India. Through its supervision of both banks, and nonbank financial companies, the RBI can set and enforce fit-and-proper standards for owners of all banks and banking groups. Assessment of Compliant Principle 12 Comments The RBI can supervise every part of any Indian banking group or bank-led financial conglomerate. It can monitor and apply prudential standards to all subsidiaries and associate enterprises within the banking group, domestically and internationally. In particular, through intra-group transaction monitoring and coordination with other domestic regulators, it understands risks that other entities in a group might pose to a bank and to take supervisory action to limit those risks. The RBI will not license a nonbank operating company to own a bank. Through a network of MoUs and supervisory colleges, it can now supervise foreign operations of Indian banks effectively. It monitors continuously intra-group financial exposures and transactions. The RBI can take action to limit activities in nonbank subsidiaries in concert with the nonbank financial supervisor concerned. Some prudential standards are set and are monitored on a consolidated basis, such as standards regarding concentration, capital, and liquidity. The RBI should consider whether to introduce and supervise against prudential standards for bank-led financial conglomerates for interest rate risk, large exposure limits, and concentration limits at the group level, etc. Principle 13 Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks. Essential criteria The home supervisor establishes bank-specific supervisory colleges for banking EC1 groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor, who has a relevant subsidiary or a significant branch in its jurisdiction, and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors. Description and Indian banks operate in 54 jurisdictions. In India, 46 foreign banks have branch findings re EC1 banking operations, and 39 have set up representative offices. India has concluded Memoranda of Understanding (MOUs) with 43 foreign supervisory authorities. Nine more are pending. The government has approved the template for the MoUs. Under its 2010 “Framework for Cross-Border Supervision and Supervisory Cooperation,” the RBI has established supervisory colleges for six Indian banks, i.e., State Bank of India, ICICI Bank, Bank of India, Bank of Baroda, Axis Bank, and Punjab National Bank, all of which have significant international activities. Pending 81 INDIA finalization of negotiations, the RBI has concluded ad-hoc agreements with two additional jurisdictions. The supervisory colleges meet once every two years. All supervisory agencies with a material role in the supervision of cross-border activities of the bank are invited to attend. Their main objectives are to enhance information exchange and cooperation among supervisors, to improve understanding of the risk profile of the banking group and thereby facilitate more effective supervision of the internationally active banks. The supervisory colleges are also used to share supervisory plans for the cross-border banks. In February 2017 meetings of the Supervisory Colleges of State Bank of India, ICICI Bank Ltd., Axis Bank Ltd. and Punjab National Bank were held at Mumbai. Thirty-six host supervisors from 19 overseas banking supervisory authorities participated in the supervisory college of the State Bank of India. Sixteen supervisors from 10 overseas banking supervisory authorities and 10 supervisors from six authorities participated in the supervisory colleges of ICICI Bank Ltd., and Axis Bank Ltd. Ten supervisors from 5 overseas banking supervisory authorities participated in the supervisory college of Punjab National Bank. Representatives from the SEBI, the IRDA, and the PFRDA also participated in the colleges of State Bank of India, ICICI Bank Ltd., and Punjab National Bank, as these bank-led financial groups operate in more than one segment of the Indian financial market and undertake a wide range of financial activities, including commercial banking, investment banking, insurance, pension fund management, etc. Also, for interactions with countries with which no MoU has been concluded as yet, the MoU provides a practical template for interaction and the RBI reports good working contacts. EC2 Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group99 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information. Description and The MoUs envisage that information shall be shared between supervisory agencies findings re EC2 “to the extent reasonable and subject to any relevant statutory provisions, including those restricting disclosure.” In the context of the licensing process, supervisory agencies shall exchange information whether the banking organization is in substantial compliance with applicable laws and regulations and whether it may be expected, given its administrative structure and internal controls, to manage the cross-border establishment in an orderly manner. The home authority should also upon request assist the host authority in verifying any information submitted by the applicant banking organization. To the extent permitted by law, information on fitness and propriety of prospective manages shall be exchanged. Relevant information on material developments or material supervisory concerns, penalties, enforcement actions, and any other relevant information that might be required to assist with the supervisory process shall be exchanged. Cooperation with non-MoU countries in which Indian banks have a presence, or foreign banks have a presence in India, cooperation between the RBI and its foreign counterpart, if not based on a 99 See Illustrative example of information exchange in colleges of the October 2010 BCBS Good Practice Principles On Supervisory Colleges for further information on the extent of information sharing expected. 82 INDIA formal agreement, is effective and collegial. Contacts between staff of both agencies, for instance by e-mail and in tele-conferences have shown to be easy and cooperative. EC3 Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups. Description and The agencies shall cooperate in the context of the licensing process, notify findings re EC3 each other in case of the need for remedial action, in particular when a banking organization faces serious difficulties that could have a material adverse impact on the activities of the bank in the host jurisdiction. Moreover, cooperation is envisaged on onsite inspections, and the host authority may, if mutually agreeable, take part in the onsite inspection of the establishment in its jurisdiction. Upon written request of the host authority, the requested authority may provide the requesting authority with information contained in inspection reports concerning the cross-border establishment that was inspected. Between 2012 and 2015, 36 cross-border inspections were held by the RBI in 23 jurisdictions. EC4 The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues. At the time of meetings of supervisory colleges, and at the time of joint inspections, RBI staff assured consistency of information related to the meetings and the inspections through its informal interactions with the colleagues in the other jurisdictions. Description and The MoUs contain no explicit undertaking to develop an agreed communications findings re EC4 strategy, but the quality of the contacts between the RBI and its counterparts in other jurisdictions ensure that in situations that require joint or agreed communications the channels are effective to come to an ad hoc cooperation when needed. Moreover, Article 18a of the MoU states that the authorities shall seek together possible solutions for issues and barriers that may come up. Dealing with the media in both countries in a coordinated way can be seen as such an issue under Article 18a. EC5 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality. Description and The MoUs contain a section on crisis management. Under the terms of the MoU, findings re EC5 the home and host authorities should together consider possible solutions to any cross-border issues and barriers that may arise. The home authority is entitled to hold special meetings with any relevant authorities concerning a specific cross- border establishment and its head office or parent organization. Home and host authorities shall endeavor to inform their counterparts on a timely basis and to the extent permissible and appropriate of crisis management arrangements for any specific cross-border establishment and its head office or parent. At a minimum, 83 INDIA authorities should share information on any assessments of systemic impact, liquidity, solvency, and contingency funding plans of the bank’s establishment, any other contingency arrangements, and contingency arrangements in case of bankruptcy. Information shall be exchanged on deposit insurance arrangements. In order to assist the host authority, the home authority shall require the head office/parent to provide the establishment abroad with liquidity assistance and other supporting measures. There has been no occasion to test the crisis management provisions in reality. EC6 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures. Description and At the current time, the RBI has not required banks to prepare recovery plans, nor findings re EC6 has the RBI itself prepared resolution plans. (See CP8 EC7) Nevertheless, Art. 10 of the MoU envisages that in case of serious financial difficulties of a cross-border bank, close liaison between the two authorities would be very beneficial. The two authorities commit to attempt to share such information as appropriate in the particular circumstances, including the efforts by home authorities to resolve the bank’s difficulties and restore confidence. Moreover, in the context of the MoU, information can be shared about legal and regulatory provisions about recovery and resolution plans that might have been put in place in either jurisdiction. At the supervisory colleges information is provided about the progress in India toward the development of resolution plans, as envisaged in the Financial Resolution and Deposit Insurance Bill. EC7 The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks. Description and Establishments in India of foreign banks are subject to identical laws, rules, findings re EC7 regulations and supervision as domestic banks and their branches and/or subsidiaries. EC8 The home supervisor is given onsite access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups. Description and RBI indicated that onsite inspection of overseas branches/subsidiaries of Indian findings re EC8 banks in several jurisdictions are undertaken by RBI on a need basis manner, based on significant exposures, problem assets and other supervisory concerns. (See CP3 EC2) RBI always issues prior notification regarding plans for onsite inspections at overseas offices of Indian banks to the host supervisor. In addition, Section IV, Articles 13-17 of the MoU provide for information sharing about cross-border inspections, provide opportunity to request participation by the host jurisdiction, and provide opportunity to request information about the results 84 INDIA of the inspection. The RBI has regular informal contacts by telephone and email with foreign authorities and is satisfied with the level of cooperation. EC9 The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks. Description and Shell banks are not permitted in India. No explicit rules apply to loan generation findings re EC9 offices or booking offices of foreign banks in India. EC10 A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action. Description and Article 7 of the MoU stipulates that in connection with the ongoing supervision of findings re EC10 cross-border establishments, the authorities intend to: a. provide relevant information to their counterpart regarding material developments or material supervisory concerns; b. respond to requests for information on their respective national regulatory systems and inform each other about major changes; and c. inform their counterpart of enforcement actions taken or penalties imposed. Prior notification shall be made, as far as practicable and subject to applicable laws. Also, the RBI indicated that information sharing includes contact during the licensing process, day-to-day supervision, and handling of problem situations. When shared information is used, the contact should take place between supervisors about the incident at hand. Assessment of Compliant Principle 13 Comments Much has been achieved by the RBI since the previous assessment. The current framework shows that it is functioning adequately. The RBI is very active in its exercise of cross-border supervision, and in organizing cooperation with colleagues abroad on the basis of MoUs and in supervisory colleges. A large number of MoUs have been concluded and another 9 are being negotiated. A significant number of cross-border inspections have been held. Staff of the RBI confirms that they have good contacts and working relationships with counterparts in other countries. The authorities are advised to include language in the MoUs, or to make parallel arrangements to strengthen the mechanisms to coordinate media responses in case of crisis or other problems that draw media attention. 85 INDIA B. Prudential Regulations and Requirements Principle 14 Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,100 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank. Essential criteria EC1 Laws, regulations, or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance. Description and The bank governance framework is provided by the Companies Act 2013 (CA) to findings re EC1 the extent it is not inconsistent with the provisions of the Bank Regulation (BR) Act. These provisions apply fully to private sector banks and to public banks, to the extent that they do not contradict provisions laid out in special legislation. For the PSBs, governance arrangements are specifically provided by the Banking Companies (Acquisition and Transfer of Undertakings) Act of 1970, the Banking Companies (Acquisition and Transfer of Undertakings) Act of 1980, and the State Bank of India Act of 1955. Per Art. 179 of CA, the governing body of a bank is the Board. The functions of chairman of the Board and CEO of a bank have been split recently by the RBI. Banks are managed by a full-time CEO/managing director and the Board is chaired by a part-time non-executive director. The Board and the shareholders appoint the Board’s chairman and the CEO. However, in the PSBs, the government (through the MOF) appoints the full-time Board members, including the CEO and the chairman, while part-time Board members are appointed by the Board, except two ex officio members of the Board, one nominated by MOF and the other by RBI. Fitness and propriety standards are applied to full-time senior executives and part- time non-executive Board members. Art. 10B of BR Act specifies that the CEO shall have banking, finance, economics, or business administration expertise. In April 2016, the government created an autonomous BBB, of which the deputy governor of the RBI is a member, to recommend to the government executive directors and non-executive chairmen for PSB Boards. By Circular of May 23, 2011, the RBI established a fit-and-proper test, requiring directors to provide annually a written declaration to the effect i.a., that there are no pending prosecutions or investigations, he/she has not previously filed for liquidation of a company (Art. 274 CA), and is not under the attention of another financial regulatory agency. The CEO must also declare any loans from the bank, any defaults on these loans, and interests in other companies. The need for an appropriate skill mix in the Board is acknowledged in Art. 10A BR Act, which specifies that the Board shall have at least 51 percent of members with experience in specific fields, such as accounting, law, economics, finance, agriculture, and small- and medium-size enterprises. All whole-time directors and non-executive chairmen must be vetted by the RBI as fit and proper. 100 Please refer to footnote 27 under Principle 5. 86 INDIA The RBI sets remuneration standards for private bank CEOs, based on size of the bank, nature of the bank’s operations, number of establishments and the qualifications, age and experience of the CEO. CEOs of PSBs are subject to government compensation rules. In response to the Financial Stability Board guidelines on governance, further governance guidelines have been introduced by the RBI, including “claw-back” provisions. Art. 21 BR Act, on the “Power of the RBI to control advances by banking companies” opens the possibility for RBI to prescribe banks’ credit and pricing policies. This provision states that when the RBI considers it “expedient in the public interest or in the interests of depositors or banking policy,” it can give a binding determination with regard to general banking policy, or the policy of an individual bank, with regard to the purpose of the loans, margins charged, maximum amounts per borrower, lending rate, guarantees or other terms and conditions applicable to the loans. EC2 The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner. Description and In the context of the RBI’s system for risk-based supervision, SPARC governance findings re EC2 policies and practices are routinely assessed. The SPARC process reviews high-level bank-wide governance controls by means of 59 parameters in the areas of the functioning of the Board, senior management, internal audit, and risk management. The assessment, graded on a scale of 1–4, is also based on supervisory judgment, formed during onsite inspections. The assessment also includes elements such as culture of the bank, compliance record and risk appetite. During onsite inspections, the minutes of the Board meeting are reviewed to help assess governance quality, addressing issues such as the existence of healthy debate on major decisions, risk appetite, knowledgeability of Board members. EC3 The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members Description and The RBI has required the Boards of banks to use due diligence when appointing findings re EC3 new directors, and has issued guidelines on the assessment of fitness and propriety. In the case of PSBs, however, it is the government that appoints the senior management team, including the executive directors, the CEO, and the non- executive chairman (EC1). Traditionally, the government has appointed senior PSB officials to fill executive vacancies on PSB Boards. Because the government’s mandatory retirement age of 60 years applies to these individuals, many of the appointees serve for less than three years. Boards also include part-time, non-executive members. As required by the Bank Nationalization Acts, two of these non-executive positions on PSB Boards are filled in an ex officio capacity by appointees from the RBI and government. Government nominates one director who is an official of the central government, one director on the recommendation of the RBI, and one director who 87 INDIA is a chartered accountant, etc., but not more than six directors. The remaining shareholders can elect anywhere between one to three directors on the basis of the shareholding. For private banks and PSBs (when not in conflict with the laws governing PSBs), the RBI has required governance-supportive mechanisms such as internal control and audit, preparation of audited financial statements, Board skills mix, and the formation of mandatory Board committees for audit, risk management, credit, remuneration, IT, regulation, and the nomination of new Board members and CEOs. BR Act Art. 10A specifies the required overall skills-mix of the Board, while Art. 10B of BR Act specifies that the CEO shall have banking, finance, economics, or business administration expertise. EC4 Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”.101 Description and The annual declaration required from the CEO and each executive and non- findings re EC 4 executive Board member testifies to meeting the qualifications and other fitness and propriety criteria. Section 166 of CA requires that directors act in good faith to promote the objectives of the company, in the best interests of the company, its shareholders, employees, the community and the environment. Directors shall exercise due and reasonable care, skill and diligence, and good judgment. They shall avoid conflicts of interest. Indeed, the assessors note that in case of PSBs, there is a possibility of a conflict of interest between RBI Board members on one hand, and the bank on the other, in the exercise of supervision and, possibly, in setting bank business policies. (See EC 5) Art. 166 (7) of CA stipulates that contravention of these standards shall be punished with a fine of up to Rs 500,000 (US$7,400 appr.). Art. 10 B (6) authorizes the RBI to require that unfit and improper CEOs or Board members of private banks be replaced by the bank. This power is subject to appeals under Art. 10 B (7). More broadly, Art. 36 (I) (d) (v) authorizes the RBI to order that changes be made in the bank’s management; for PSBs, however, only government is authorized to change bank senior management. EC5 The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite102 and strategy, and related policies, establishes and communicates corporate culture and values (e.g., 101 The OECD (OECD glossary of corporate governance-related terms in “Experiences from the Regional Corporate Governance Roundtables”, 2003, www.oecd.org/dataoecd/19/26/23742340.pdf.) defines “duty of care” as “The duty of a Board member to act on an informed and prudent basis in decisions with respect to the company. Often interpreted as requiring the Board member to approach the affairs of the company in the same way that a ’prudent man’ would approach their own affairs. Liability under the duty of care is frequently mitigated by the business judgment rule.” The OECD defines “duty of loyalty” as “The duty of the Board member to act in the interest of the company and shareholders. The duty of loyalty should prevent individual Board members from acting in their own interest, or the interest of another individual or group, at the expense of the company and all shareholders.” 102 “Risk appetite” reflects the level of aggregate risk that the bank’s Board is willing to assume and manage in the pursuit of the bank’s business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures. For the purposes of this document, the terms “risk appetite” and “risk tolerance” are treated synonymously. 88 INDIA through a code of conduct), and establishes conflicts of interest policies and a strong control environment. Description and The Board of a bank is required to create committees for the key areas of bank findings re EC5 governance, e.g., risk, credit, appointments, remuneration, regulation, audit. The Board discusses and approves risk appetite and bank strategies. In their management of the bank the CEO and the Board are required to take into account the bank’s culture, and the interests of employees. The RBI includes these elements into its inspections, which feed into the SPARC risk-based supervision framework, and result in a grading of the bank and capital addition as needed. In the case of PSBs, the MOF could, through their representative (i.e., the director nominated by the government) exert influence on bank strategies, and relatedly, the bank’s risk appetite. Shifting this responsibility for the PSBs from the MOF to the newly created BBB is now under consideration by the government. Finally, the participation of the RBI’s ex officio Board members is very problematic, since the supervisor needs to assess the Board’s performance and its individual members, including that of its own institution’s representative, which represents a conflict of interest. EC6 The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them. Description and The RBI requires that the bank’s Boards have laid out policy for selection of the findings re EC6 senior management team and evaluation of their performance. As part of governance and oversight assessment under the SPARC framework, in particular, the RBI assesses the process of Board oversight including the:  bank’s management structure, with clearly defined roles and responsibilities;  Board's oversight functions with respect to senior management;  framework to regularly review and assess by the Board, the performance level of its senior and business line managers against their designated roles, and of their skills and experience, succession planning. etc.; and  process by which the Board ensures implementation of its directions. However, the PSB Board has a limited role in the selection of senior management. The MoF is involved in selecting senior management (CEO and chairman) and full- time executive directors, subject to approval by the RBI for fit-and-proper standards. The RBI examines Board minutes in the course of its onsite inspections to verify that appropriate discussions take place at the Board. EC7 The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness, of the bank and is rectified if there are deficiencies. Description and Banks are required to create a compensation committee in the Board. The RBI has findings re EC7 also set remuneration standards for bank CEOs (in the case of private banks), based 89 INDIA on size of the bank, nature of the bank’s operations, number of establishments and the personal qualities of the CEO. For PSBs, CEO compensation is subject to government personnel rules. RBI is able to set compensation standards for PSB chairmen. In response to the Financial Stability Board, further governance guidelines have been introduced, including “claw-back” provisions. EC8 The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate. Description and These aspects are reviewed by the RBI in the course of onsite inspections, feeding findings re EC8 into the SPARC assessment of governance and risk management. EC9 The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria. Description and Art. 10 B (6) authorizes the RBI to require that unfit and improper CEOs or Board findings re EC9 members be replaced. This power is subject to appeals under Art. 10B (7). More broadly, Art. 36 (I) (d) (v) authorizes the RBI to order that changes be made in the management of private banks. In the event of PSBs, the RBI can advise the government, now through the BBB, of any concerns it has with respect to government-appointed senior management and Board members. Additional criteria AC1 Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management. Description and Any material information that may affect the fitness and propriety of a bank’s Board findings re AC1 member or senior management are required to be reported to SSM under SPARC framework. Banks are expected to bring to the notice of SSM any emerging development/issue on corporate governance that is material. In addition, Board members are required to self-declare on fitness and propriety, by signing and submitting annual covenants to the Board. There is no obligation, in case of adverse information on CEO or Board members, to independently inform the RBI. The RBI does review the covenants in the course of onsite inspections Assessment of Materially non-compliant Principle 14 Comments The appropriate rules on fitness and propriety and banks’ internal governance structures are in place with respect to private and foreign banks. The influence the RBI may exercise on governance of banks through section 21 BR Act, and the very limited authority of the RBI under the Banking Acts to hold PSB Boards accountable regarding strategic direction, risk profiles, assessment of management, and compensation has resulted in a low overall rating on this assessment. Under the law, and according to custom, the RBI is not in a position to hold PSB Boards accountable for assessing, and when necessary, replacing weak and nonperforming senior management and government-appointed Board members. The government’s role in appointing senior management and placing their own official on the Board creates the potential for the government interfering with the 90 INDIA PSB’s business decisions. The result of this interference may partially explain the fact that PSB financial performance in recent years has been so much weaker than private banks. Moreover, the presence of RBI and MOF officials on the PSB Boards, as required by law, puts RBI supervisors in the uncomfortable position of having to assess the performance and competence of these officials in their role as Board members. For example, if a PSB assumes an inappropriate amount of risk, it would be problematic for the supervisor to recommend that the RBIs take action against the Board and its designated member. In addition, the PSB Board has a limited role in the selection of senior management. MoF is involved in selecting senior management (CEO and chairman) and full time executive directors, subject to approval by the RBI based on the fit-and-proper standards. Consistent with the recommendations contained in the Indradhanush Plan and the 2014 Nayak report, over the near-term the BBB should be empowered to appoint and remove senior management of PSBs and assume the role presently carried out by the MOF. Over the longer term, the banking laws should be changed to empower the RBI and the Boards of PSBs to exercise the same responsibilities for PSBs as now apply to private banks. The requirement that PSB Boards include ex officio RBI officials should be eliminated to eliminate conflicts of interest. The authorities could also consider adopting model Board charters which would better define the terms of reference for Board members, including for the non-executive member nominated by the government. Finally, for legal certainty, the intrusive powers of the RBI to determine parameters of bank lending policies (by virtue of section 21 BR Act) may need to be reconsidered. 91 INDIA Principle 15 Risk management process. The supervisor determines that banks103 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate104 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.105 Essential criteria EC1 The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that: a. a sound risk management culture is established throughout the bank; b. policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite; c. uncertainties attached to risk measurement are recognized; d. appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and e. senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite. Description and The RBI determines that bank risk management policies are approved by the findings re EC1 Board.106 These policies should be consistent with broader business strategies, capital strength, management expertise, and risk appetite. The RBI guidance does not explicitly address culture but it does consider several cultural determinants:  an independent risk function with a comprehensive approach to risk management and measurement;  risk limits;  MIS for reporting, monitoring and controlling risks;  procedures for the effective control; 103 For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group. 104 To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents. 105 It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management. 106 Introduction to the Guidance on Risk Management Systems in Banks, October 1999. 92 INDIA  clear delegation of authority; and  the need for periodic review and evaluation of the risk function. Under the SPARC framework, the bank’s risk governance is assessed as part of a broader review of governance and oversight controls. This in turn focuses on Board and senior management oversight and control. Guidance addresses the Board’s responsibility to oversee: risk management practices, procedures and systems; the reporting framework to Board; internal communication of the risk management strategy, corporate values, professional standards and codes of conduct set out by the Board. Supervisors also examine whether information flowing to the Board is enough for them to understand regulatory and supervisory issues. Uncertainties related to risk measurement are addressed at different points in supervision. Individual guidance on each major risk type addresses the quality of risk reporting. Operational risk guidance also addresses control and compliance risks faced by the risk function itself. EC2 The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate: a. to provide a comprehensive “bank-wide” view of risk across all material risk types; b. for the risk profile and systemic importance of the bank; and c. to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process. Description and The RBI requires banks to have a comprehensive risk measurement and reporting findings re EC2 framework.107 The SPARC requirements direct supervisors to look at whether the framework for the design and implementation of risk management policies and practices is appropriate for the nature and size of the bank’s businesses. They must also check whether these are periodically reviewed and whether the policies and practices are updated with changes in the business of the bank, the regulatory environment and internal and external events. EC3 The supervisor determines that risk management strategies, policies, processes and limits are: a. properly documented; b. regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and c. communicated within the bank. The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary. 107 October 1999 guidance, section 1, (ii) & (vi). 93 INDIA Description and Banks are required to document important policies and processes related to risk findings re EC3 management. Documentation requirements are laid out in guidance for each major risk type. The RBI requires banks to review and evaluate risk management strategies, policies, processes and limits periodically. For important policies, minimum frequency and level of review are prescribed. In its periodic Inspections for Supervisory Evaluation (ISE), the RBI reviews corporate governance issues, including how risk management approaches are updated and communicated across the bank. Limits and their exceptions are also reviewed at that time. The framework for communication to the senior management and other employees of risk management strategy is also assessed. The RBI does track exceptions and ensure that they are properly authorized at the appropriate level. Exceptions throughout the risk management process are treated as an operational risk. EC4 The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand, the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive. Description and One vehicle through which Boards and senior management obtain information findings re EC4 about the level of risk and its relation to capital is the required Internal Capital Adequacy Assessment Process. That involves senior management and Board review. The ICAAP must be commensurate with the bank’s size, level of complexity and scope of operations. The RBI requires bank Boards to address risk issues periodically. They would be expected to consider policies concerning credit, operational, market and liquidity risks as well as assessing the independence of the risk function. The RBI then uses the SPARC framework to assess whether Boards get the information they need for effective decision making and their understanding of the business environment and risks faced by the bank is adequate. EC5 The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies. Description and Drawing on Basel II requirements, banks are required to conduct a periodic ICAAP findings re EC5 exercise, prepare a document that captures all material risks on a forward-looking basis and plan capital accordingly. Their assessments are subject to a supervisory review and evaluation process (SREP) which is a part of the SPARC process. Where banks use models to measure components of risk, the supervisor determines EC6 that: a. banks comply with supervisory standards on their use; b. the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and (c) banks perform regular and independent validation and testing of the models. 94 INDIA The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed. Description and The RBI draws a distinction between models used for regulatory capital purposes findings re EC6 and those that are used only for risk management purposes, with the former expected to be subjected to stronger and more consistent review and validation. The RBI requires that banks’ independent validation function should conduct validation, test the models and report the results to a relevant committee. Banks’ internal and external auditors are expected to validate models. For banks in parallel run and as a part of approval process for migration to advanced approaches of credit, market and operational risks, the RBI examines model inputs, outputs, and assumptions. They use their own benchmark models and compare models across banks. Modelling requirements are set by risk type. They expect internal model manuals to emphasize the importance of understanding the limitations of specific models and how they are maintained as circumstances change. Banks are required to have appropriate processes to approve model introduction and subsequent modification. In addition, model risk is assessed as part of Pillar II controls under business risk assessment, including:  bank Board approved policies for model risk,  the processes for identification, monitoring, reviewing and reporting model risk; and  the model risk management framework. Under the SPARC framework, process of banks’ identification, monitoring, reviewing, i and reporting of model risk is assessed by RBI as well as bank’s Board approved policy for model risk. EC7 The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use. Description and Various guidance notes and circulars on advanced approaches prescribe that banks findings re EC7 are expected to have adequate information systems for measuring, assessing, and reporting on different sorts of risks. For instance, the RBI requires that banks in parallel run should ensure that there is regular and comprehensive reporting of its operational risk profile, risk exposures and loss experience to the Board, senior management and business unit management.108 Requirements for the MIS for risk measurement are included in the Automated Data Flow project the RBI has underway. It does not, however, have comprehensive and separate requirements for risk management MIS. 108The RBI circular on Advanced Measurement Approach (AMA), April 27, 2011, for example, contains no specific references to either “MIS” or “management information.” 95 INDIA EC8 The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,109 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board. Description and The RBI does require banks to consider new product risk. Under the topic of risk findings re EC8 governance controls, SSMs assess whether risk identification is carried out whenever changes are introduced such as changes to the business, the product range or markets served or new activities are undertaken, so that all risks are well understood and priced accordingly. New product approval process involves typically the risk department. Banks are required to ensure that, for new products, activities, processes and systems are introduced or undertaken, the risks inherent in them are identified and can be managed. Additionally, banks have to appoint a senior compliance officer to ensure that ensure that new products conform to regulatory guidelines.110 Boards are also required to review the operational risk management framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors as well as operational risks associated with new products, activities or systems. While RBI supervisors do regularly assess Board documents and meet with selected members of Boards, including the heads of the risk and audit committees, they do not as a rule meet with the Board as a whole, or with the non-executive directors individually. Such meetings are useful to confirm, among other things, that Boards and senior management understand all the material risks associated with the business. (See CP8) EC9 The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function. Description and The RBI has prescribed through its circulars that banks have risk management findings re EC9 functions covering all material risks. It is the duty of Risk Management Committee to assure adequate resources are being assigned to mitigate risks as needed. The Boards are required to establish clear lines of management responsibility, accountability, and reporting. In addition, there should be separation of responsibilities and reporting lines between risk control functions, business lines and support functions, to avoid conflicts of interest. 109 New products include those developed by the bank or by a third party and purchased or distributed by the bank. 110 Guidance on the Compliance Function, April 20, 2007. 96 INDIA Banks have been advised that while formulating the internal risk-based audit plan, every activity/location of the bank, including the risk management function, should be subjected to risk assessment by the risk-based internal audit. Further, under risk governance, supervisors assess the appropriateness of the structure and size of the risk management function, and the independence of risk management from the businesses. The RBI requires that the CRO reports directly to both the CEO and the Board of directors. EC10 The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a chief risk officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Description and RBI guidelines prescribe a governance structure for risk management which findings re EC10 includes a requirement for a CRO. Guidance Note on Operational Risk prescribes that each type of major risk viz. Credit Risk, Market Risk and Operational Risk, is managed as an independent function. Hence, banks should have corresponding risk management committees, which are assigned the specific responsibilities. Banks may structure the risk management department(s) as appropriate without compromising on the above principles. In terms of the RBI’s instructions, a bank’s risk function and its chief risk officer (CRO) or equivalent position should be independent of the individual business lines and report directly to the chief executive officer (CEO)/managing director and the institution’s Board of directors. In addition, the risk function should highlight to senior management and the Board risk management concerns, such as risk concentrations and violations of risk appetite limits. Under risk governance, supervisors also assess whether there has been change in person designated as CRO during the year, in case the change was in nature of removal, the reasons for such removal and whether Board approval was obtained. For all public companies, senior officers, including the CRO, cannot be dismissed without prior Board approval. It is unclear whether a similar requirement is in place for PSBs. 111 EC11 The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book, and operational risk. Description and The RBI has issued guidance in each of these areas, as discussed in the findings re EC11 corresponding CP.112 On April 21, 2017, the guidelines on Risk Management Systems – Role of the CRO was revised to clarify and 111 address this issue. 112Guidance Note on Credit Risk Management (October 2002); Guidance Note on Market Risk Management (March 2002); Guidance Note on Management of Operational Risk (October 2005); Asset-Liability Management (ALM) System (February 1999). Guidelines on Liquidity Risk Management were issued in November 2012 and Guidelines on Basel III framework on liquidity standards—Liquidity Coverage Ratio (LCR) and Liquidity Risk Monitoring Tools and LCR Disclosure Standards—were issued in 2014. Some amendments to these standards were made in 2016. RBI has also issued the draft guidelines on Interest Rate Risk in the Banking Book (IRRBB) in February 2017 based on standards on IRRBB published by Basel Committee on Banking Supervision (BCBS) in April 2016. 97 INDIA EC12 The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. Description and Banks must prepare contingency plans to withstand bank-specific or market crisis findings re EC12 scenarios. These should clearly document plans for asset sales, market access, restructuring the maturity and composition of assets and liabilities, and alternative sources of liquidity should be clearly articulated.113 Banks are also required to prepare business process continuity plans to deal with operational risks.114 While banks are also required to prepare business process continuity plans to deal with operational risks, and the principle RBI guidance on risk management systems does require banks to develop contingency plans for a variety of circumstances, it does not specifically flag recovery or resolution planning.115, 116 EC13 The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program: a. promotes risk identification and control, on a bank-wide basis b. adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks; c. benefits from the active involvement of the Board and senior management; and d. is appropriately documented and regularly maintained and updated. The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process. 113 Para 8.2.13 of the Annex in the guidance ‘Risk Management Systems in Banks,’ October 7, 1999. 114 ‘Operational Risk Management—Business Continuity Planning,’ April 15, 2005. 115 ‘Risk Management Systems in Banks,’ October 7, 1999. 116 ‘Operational Risk Management—Business Continuity Planning,’ April 15, 2005. 98 INDIA Description and The Boards are responsible for overseeing stress testing programs.117 findings re EC13 Guidelines prescribe that stress testing needs to be integrated into risk governance, risk management, the ICAAP (including buffer assessment) and decision making. Stress testing policy should also include the range of remedial actions envisaged, based on the purpose, type and result of the stress testing, including an assessment of the feasibility of corrective actions in stress situations. Stress testing for the ICAAP, requires banks to identify severe events or changes in market conditions that could adversely impact the bank. Banks are required to periodically review their stress testing framework, both qualitatively and quantitatively, to determine its efficacy and to consider the need for modifying any of the elements. The framework should be subjected to at least annual reviews. Banks with total risk- weighted assets of more than Rs 500 billion are required to include feedback effects in their stress testing programs. EC14 The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities. Description and Asset liability management118 guidelines require banks to have an internal funds findings re EC14 transfer pricing model based on current market rates provided and funds used as an important component for effective implementation of ALM System. Banks are also required to incorporate liquidity costs, benefits and risks in internal pricing, performance measurement and new product approval process for all significant business activities.119 Banks must use the marginal cost of funds lending rate methodology (MLCR) for determining interest rates on loans. This requires banks to set loan rates based on the marginal cost of funds at the relevant maturity plus a spread reflecting borrower risk. The guidelines on Risk Based Supervision require banks to use their risk policies and limits in selecting borrowers and pricing loans. Compensation is not risk-based in the PSBs, but some have risk-based performance assessment.120 Banks are expected to have documented policy for internal pricing, performance measurement and new product approval process for all significant business activities. Additional criteria 117‘Guidelines on Stress Testing’ December, 2013, which reflect the Basel Committee ‘Principles for Sound Stress Testing Practices and Supervision’, May 2009. 118 “Guidance on ‘Asset-Liability Management (ALM) System,” February, 1999, and “Guidelines on Asset-Liability Management (ALM) System—Amendments,” October 2007. 119 DBOD.BP.No.56/21.04.098/2012–13, dated November 7, 2012 on “Liquidity Risk Management by Banks.” 120 Bank interviews during mission. 99 INDIA AC1 The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks. Banks have been advised that certain risks such as reputational risks and strategic Description and risks may be equally important as the major risk types and should be given findings re AC1 consideration as the more formally defined risk types. As per RBI guidelines on Basel III, a bank should develop methodologies to measure the effect of reputational risk in terms of other risk types, namely credit, liquidity, market and other risks that they may be exposed to in order to avoid reputational damages and in order to maintain market confidence. This could be done by including reputational risk scenarios in regular stress tests. Banks have also been advised to identify and assess reputational risks and strategic risks to the extent possible, including quantifying the results of that assessment into its ICAAP process. Further, under Pillar II risk, the RBI examiners assess other material risks viz, strategic risk, reputational risk, etc. Assessment of Largely Compliant Principle 15 Comments The RBI does:  determine that banks have Board-approved appropriate risk management strategies (EC1);  require comprehensive risk policies and frameworks to be comprehensive (EC2);  require the risk management framework be well documented, internally communicated and evolves appropriately (EC3);  ensures the Boards and senior management obtain the information they need to assess capital adequacy (EC4);  examine the level of capital and liquidity and the processes banks use to ensure adequacy (EC5);  ensure models used for risk measurement are appropriate for use, validated and developed and used under strong governance (EC6);  ensure that the risk management function has the resources, independence, Board access and authority it needs (EC9);  require prior Board approval for dismissing a CRO (EC10);  issue guidance on each major risk type (EC11);  require banks to have contingency plans (EC12);  require banks to stress test (EC13); and  assess how banks account for risks in internal pricing, performance measurement and new product approval (EC14). However, the RBI does not impose specific requirements for robust risk management MIS, as opposed to implicit requirements derived from requirements for such things as the measurement, aggregation and reporting of different risk types in normal times (EC7). The RBI does not have a specific requirement in its principle guidance on risk for recovery or resolution plans (EC12). 100 INDIA While RBI supervisors do regularly assess Board documents and meet with selected members of Boards, including the heads of the risk and audit committees, they do not as a rule meet with the Board as a whole, or with the non-executive directors individually. Such meetings are useful to, among other things, confirm that Boards and senior management understand the risks associated with any material change to the business (EC8). The RBI should consider specific and separate requirements for robust risk management MIS. The RBI should also institute the practice of supervisors meeting regularly with individual Board members. The RBI should consider supplementing its contingency planning guidance with specific guidance on recovery and resolution planning. Principle 16 Capital adequacy.121 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards. Essential criteria EC 1 Laws, regulations, or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations, or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis. The RBI regulations on banks’ capital adequacy are laid down in Master Circular Description and Basel III Capital Regulation of July 1, 2015. The master circular covers the Minimum findings re EC1 Capital Requirement methodology of Pillar 1 of Basel III, the Supervisory Review and Evaluation Process of Pillar 2, Disclosure and Market Discipline of Pillar 3, and includes sections on the Capital Conservation Buffer Framework, the Leverage Ratio Framework, and the Countercyclical Capital Buffer Framework. The framework applies to scheduled banks, including PSBs and private sector banks, but with the exception of regional rural banks and cooperative banks. For credit risk, the regulations prescribe the Standardized approach, for operational risk the Basic Indicator Approach, and for market risk the Standardized Duration Approach. Currently, the RBI is reviewing banks’ applications to apply the Advanced Internal Ratings Based Approach (A-IRB) to credit risk. No authorizations have been granted to this moment, pending further work of the banks and the RBI on the validation of banks’ IRB models and the conduct of parallel runs. On a solo, as well as on a consolidated basis, banks are required to maintain a minimum 9 percent risk-weighted CAR. The minimum ratio of Core Equity Tier 1 (CET1) capital to risk-weighted assets is set at 5.5 percent. Overall Tier 1 capital (T1) to risk-weighted assets should be no less than 7 percent. The minimum overall ratio of Tiers 1 and 2 is 9 percent. The components of CET1, Tier 1 and Tier 2 are defined 121 The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it. 101 INDIA in the Master Circular. An additional CET1 requirement for systemically important banks has been set since April 1, 2016, to be fully operative after a phasing-in period until April 1, 2019. Including a capital conservation buffer of 2.5 percent, and additional Tier 1 capital of 1.5 percent, the total minimum risk-weighted CAR could add up to 11.5 percent, to enter into force April 1, 2019. CET1 is defined as follows: (i) Common shares (paid-up equity capital) issued by the bank which meet the criteria for classification as common shares for regulatory purposes as given in Annex 1; (ii) Stock surplus (share premium) resulting from the issue of common shares; (iii) Statutory reserves; (iv) Capital reserves representing surplus arising out of sale proceeds of assets; (v) Other disclosed free reserves, if any; (vi) Balance in Profit & Loss Account at the end of the previous financial year; (vii) Banks may reckon the profits in current financial year for CRAR calculation on a quarterly basis provided the incremental provisions made for NPAs at the end of any of the four quarters of the previous financial year have not deviated more than 25 percent from the average of the four quarters; (viii) While calculating capital adequacy at the consolidated level, common shares issued by consolidated subsidiaries of the bank and held by third parties (i.e., minority interest) which meet the criteria for inclusion in Common Equity Tier 1 capital; and (ix) Less: Regulatory adjustments. Additional Tier 1 capital will consist of the sum of the following elements: (i) Perpetual Non-Cumulative Preference Shares (PNCPS), which comply with the regulatory requirements; (ii) Stock surplus (share premium); (iii) Debt capital instruments eligible for inclusion in Additional Tier 1 capital, which comply with the regulatory requirements; (iv) Any other type of instrument generally notified by the RBI; (v) Additional Tier 1 instruments issued by consolidated subsidiaries of the bank and held by third parties which meet the criteria for inclusion; and (vi) Less: Regulatory adjustments/deductions. Tier 2 capital consists of (i) Provisions or loan-loss reserves held against future, presently unidentified losses; these provisions must be freely available to meet losses which subsequently materialize, and are permitted to a maximum of 2.5 percent of credit risk-weighted assets; (ii) Debt Capital Instruments issued by the banks; (iii) Preference Share Capital Instruments; 102 INDIA (iv) Stock surplus (share premium) resulting from the issue of instruments included in Tier 2 capital; (v) Tier 2 capital instruments issued by consolidated subsidiaries of the bank and held by third parties; and (vi) Revaluation reserves at a discount of 55 percent. Reciprocal cross-holdings of capital across financial institutions might artificially inflate the capital position of banks. Such cross holdings will be fully deducted. In June 2015, the Basel Committee issued a report on the peer assessment of India’s compliance with the Basel capital adequacy framework under its Regulatory Consistency Assessment Program. This assessment found India to be in compliance with the requirements of the Basel III risk-based capital adequacy framework (bis.org/bcbs/publ/d320.pdf). EC2 At least for internationally active banks,122 the definition of capital, the risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards. Description and The current minimum CAR is 9 percent of risk-weighted assets, based on the findings re EC2 standardized approach. This is at, or above the minimum level required per the Basel guidelines. The thresholds for Indian banks as described above will also be higher than the Basel standards when they enter into force per April 1, 2019. In the meantime, a phasing-in process is underway. Per March 31, 2017 banks should have total capital including the capital conservation buffer, of 10.25 percent, per March 31, 2018: 10.875 percent, and per March 31, 2019: 11.5 percent. EC3 The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)123 entered into by the bank. Both on- balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements. Description and Art. 35A of the BR Act authorizes the RBI to issue bank-specific directions. This can findings re EC3 include directions to apply a specific capital surcharge and/or limit on exposures, in order to decrease the amount of risk-weighted assets, or to decrease particular categories of risk-weighted assets. Off balance sheet items are also covered by capital requirements. The risk-weighted amount of an off-balance sheet item that gives rise to credit exposure is generally calculated by means of a two-step process: (a) the notional amount of the transaction is converted into a credit equivalent amount, by multiplying the amount by the specified credit conversion factor or by applying the current exposure method; and (b) the resulting credit equivalent 122 The Basel Capital Accord was designed to apply to internationally active banks, which must calculate and apply CARs on a consolidated basis, including subsidiaries undertaking banking and financial business. Jurisdictions adopting the Basel II and Basel III capital adequacy frameworks would apply such ratios on a fully consolidated basis to all internationally active banks and their holding companies; in addition, supervisors must test that banks are adequately capitalized on a stand-alone basis. 123 Reference documents: Enhancements to the Basel II framework, July 2009 and: International convergence of capital measurement and capital standards: a revised framework, comprehensive version, June 2006. 103 INDIA amount is multiplied by the risk weight. Where the off-balance sheet item is collateralized or guaranteed, credit risk mitigation guidelines may apply. Banks are required to hold regulatory capital against all securitization exposures, including those arising from the provision of credit risk mitigants to a securitization transaction, investments in asset-backed securities, retention of a subordinated tranche, and extension of a liquidity facility or credit enhancement. EC4 The prescribed capital requirements reflect the risk profile and systemic importance of banks124 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements. Description and The RBI has issued a “Framework for Dealing with Domestic Systemically Important findings re EC4 Banks” of July 22, 2014. Two banks, State Bank of India and ICICI Bank (Industrial Credit and Investment Corporation of India) have been designated as a D-SIB (Domestic Systemically Important Bank). Every year, the RBI reviews whether banks need to be added to, or taken off the list of D-SIBs. Each D-SIB is awarded a Systemic Importance Score, on the basis of which additional CET1 requirements are imposed on the D-SIBs. The Framework provides a scoring method, which differs somewhat from the Basel Methodology. Banks with more than 2 percent of GDP in assets are considered D-SIBs, as are the largest five foreign banks in India. Size of the bank will receive a weight of 40 percent in the scoring, the other factors (interconnectedness substitutability and complexity) each 20 percent. Level 3 assets (mark-to-model valuation) are not taken into the score. Based on their score, banks are placed in a “bucket.” The SBI is in bucket 3, and will incur a charge of 0.6 percent additional CET1. ICICI Bank is in bucket 1 and incurs a charge of 0.2 percent additional CET1. EC5 The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use: a. such assessments adhere to rigorous qualifying standards; b. any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor; c. the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken; d. the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and 124 In assessing the adequacy of a bank’s capital levels in light of its risk profile, the supervisor critically focuses, among other things, on (a) the potential loss absorbency of the instruments included in the bank’s capital base; (b) the appropriateness of risk weights as a proxy for the risk profile of its exposures; (c) the adequacy of provisions and reserves to cover loss expected on its exposures; and (d) the quality of its risk management and controls. Consequently, capital requirements may vary from bank to bank to ensure that each bank is operating with the appropriate level of capital to support the risks it is running and the risks it poses. 104 INDIA e. if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval. Description and The RBI has opened the possibility for banks subject to this regulation (see EC1) to findings re EC5 use the Internal Ratings Based Pillar 1 capital adequacy methodology. Banks need to apply to the RBI for validation of their models and receive RBI approval. The RBI needs to be satisfied that the bank’s internal assessments can be relied upon to reasonably reflect the risks undertaken by the bank. The RBI evaluates banks’ internal assessments based on qualitative as well as quantitative criteria. These are imposed on a continuous basis and corrections can be imposed by the RBI. Currently, all Indian banks are under standardized approaches, but some banks are under parallel run for advanced approaches for credit risk management and operational risk management. A parallel run is only approved by the RBI after satisfying rigorous qualifying criteria. Their models are strenuously scrutinized during parallel run before giving final approval for advanced approaches by RBI. As of now, none of the Indian banks are using advanced approaches for capital computation purposes. Four highly qualified RBI staff are tasked with the review and assessment of banks’ IRB models. They report to a general manager in the RBI. In Circulars of December 22, 2011, on “Implementation of the Internal Ratings Based Approaches for Calculation of Capital Charge for Credit Risk, and of April 27, 2011, on Implementation of the Advanced Measurement Approach (AMA) for Calculation of Capital Charge for Operational Risk, the RBI lays down extensive criteria for the development by banks of such systems, and for the process of applying to the RBI for authorization to use these approaches. For the IRB credit risk approach, Appendix 1 to the circular sets out qualitative and quantitative criteria banks must meet the satisfaction of the RBI. These include the ability to quantify risk, produce meaningful assessments of borrower and facility characteristics, meaningful differentiation of risk and reasonably accurate and consistent quantitative estimates of risk. Additional requirements must be met if banks wish to use their own estimates for Exposure at Default, and Loss Given Default. Banks must also demonstrate they have the requisite systems and processes to produce these quantitative elements. Guidelines are also provided for rating system design, pooling of retail exposures, and grading of borrowers. For the AMA approach to operational risk, also qualitative and quantitative criteria must be met by the banks to the satisfaction of the RBI. An application process must be completed by the banks. Banks need to show a well-documented Operational Risk Management System (ORMS), demonstrating a close integration of the ORMS with general risk management processes in the bank, adequate estimation of risks, i.e., no underestimation. Banks need to have adequate techniques for allocation of operational risk to business lines. The quantitative measurement techniques of the bank must be able to estimate tail loss events, and must meet standards of soundness and conservatism. The capital requirement calculation must take into account expected as well as unexpected operational losses. The bank’s systems for quantifying operational risk must include relevant internal as well as external loss data. The guidelines further prescribe that any changes in the model/processes, post- approval, can be made only with the approval of regulators. Banks are required to 105 INDIA inform supervisors about material changes in processes and models along with impact studies. Such changes are subject to regulatory/supervisory approvals. The RBI has the power to revoke approval and/or take supervisory/regulatory actions if a bank does not continue to meet the qualifying standards or the conditions imposed by the RBI on an ongoing basis. EC6 The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).125 The supervisor has the power to require banks: a. to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and b. to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank. Description and In its Circular of March 26, 2008, the RBI has laid down extensive guidelines on findings re EC6 implementation of Pillar 2 of Basel II, including ICAAP and the Supervisory Review Process (SREP). Per the Master Circular, banks are required to have a Board-approved policy on an Internal Capital Adequacy Assessment Process (ICAAP) and to assess the capital requirement as per ICAAP, also on a forward-looking basis. Banks’ systems must be able to identify all material risks to the bank’s operations. Banks must submit an updated ICAAP every year. An ICAAP should be prepared on a solo basis for each banking entity within the banking group, as also at the level of the consolidated bank (i.e., a group of entities where the licensed bank is the controlling entity). As part of the ICAAP, the bank shall periodically conduct stress tests, particularly in respect of the bank’s material risk exposures, in order to evaluate the bank’s potential vulnerability to unlikely but plausible events or movements in the market. The ICAAP should form an integral part of the management and decision-making culture of a bank. This integration could range from using the ICAAP for internal allocation of capital to business units, or as a tool in the individual credit decision process and pricing of products, or more general business decisions such as expansion plans and budgets. Aside from planning ahead how much capital is needed, and when, integrated use of the ICAAP would also mean that banks are better able to assess, on an ongoing basis, the inherent risks in their activities. Per Section 35A of the Bank Regulation Act the RBI has the legal power to impose upon individual banks a specific capital charge on, and/or limit any material risk exposures, also based on the RBI’s assessment of the quality of individual banks’ ICAAP. In doing so, the RBI takes into account the relevant risk factors and the ICAAP process of the bank to make sure the capital held by a bank is commensurate with the bank’s own risk profile. With regard to the overall level of capital adequacy relative to the risk profile, the RBI can also impose a general increase in the capital requirements for an individual bank, again, by virtue of Section 35A of the Bank Regulation Act. 125 “Stress testing” comprises a range of activities from simple sensitivity analysis to more complex scenario analyzes and reverses stress testing. 106 INDIA Section 11.8 of the Pillar 2 Guidelines, cited above, the RBI requires banks to have forward looking ICAAPs, “to ensure banks maintain adequate capital” taking into account potential future developments relevant to its risk profile, such as strategic plans, macroeconomic factors etc., including the likely future constraints in the availability and use of capital. Banks must have an explicit approval by their Boards for their capital plan, which should outline i.e., a “general contingency plan for dealing with divergences and unexpected events.” As stated, banks should conduct stress tests and scenario analyses to be able to have a reasonable view of potential future risks. AC1 For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks. Description and The RBI Master Circular is in line with the Basel standards for capital adequacy, as findings re AC1 stated above. All scheduled banks in India, with the exception of the regional rural banks and cooperative banks, are subject to the same capital adequacy framework. AC2 The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.126 Description and The RBI guidelines for Licensing of New Banks in the Private Sector were issued on findings re AC2 February 22, 2013. Under these guidelines, setting up of a Non-Operating Financial Holding Company (NOFHC) is required for financial groups. Under the guidelines for licensing, risk based capital requirements are to be applied to the NOFHC on a consolidated basis. Nevertheless, a bank shall comply with the CAR requirements on two levels: (a) the consolidated (“group”) level: capital adequacy requirements, which measure the capital adequacy of a bank based on its capital strength and risk profile after consolidating the assets and liabilities of its subsidiaries/joint ventures/associates, etc., except those engaged in insurance and any nonfinancial activities; and (b) the standalone (“solo”) level CAR requirements, which measure the capital adequacy of a bank based on its individual capital strength and risk profile. Accordingly, overseas operations of a bank through its branches will be covered in both the above scenarios. The RBI has the authority under Section 35A of the BR Act to require capital additions for any licensed banking entity within a group if the entity is non-compliant with the risk based capital adequacy minima. However, the RBI does not have explicit provision in its regulation to require NOFHC or banking group to distribute capital throughout the group or NOFHC. Assessment of Compliant Principle 16 Comments The RBI is in the process of implementing the Basel III capital adequacy framework, and is working with selected banks to approve Advanced approaches and parallel runs. The RBI framework, in particular the current capital definition, is appropriate. The framework was considered compliant by the Basel Committee’s Regulatory Consistency Assessment Program in 2015. 126 Please refer to Principle 12, Essential Criterion 7. 107 INDIA Principle 17 Credit risk.127 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk128 (including counterparty credit risk)129 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios. Essential criteria EC1 Laws, regulations, or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration, and monitoring. Description and The October 1999 RBI Circular on Risk Management Systems in Banks findings re EC1 comprehensively prescribes the key areas of risk management. The October 2002 Guidance Note on Credit Risk Management refines the 1999 Circular on Risk Management Systems. The circular comprises i.a., sections on risk management structure, credit risk, counterparty credit risk, instruments of credit risk management, credit risk in off-balance sheet exposures, interbank risk, market risk, liquidity risk, interest rate risk in the banking book, operational risk and internal controls. The guidelines prescribe that credit-equivalent off balance sheet exposure, counterparty credit risk, settlement risk and transfer risk also should be covered under the framework. The bank’s credit risk strategy document should be approved by the Board. The Circular requires a high-level Credit Policy Committee to manage risk. The Guidance note also requires a sound organizational structure for credit risk management, including a credit risk management committee and a credit risk management department. The risk-management function needs to be able to identify, monitor, and measure risk, and a verifiable risk pricing method needs to be based on the outcomes of these measurements. The circular specifies that credit risk should receive the attention of top management, and should be measured using credit scoring methods. Estimates need to be made of expected and unexpected losses. Risk pricing needs to be data-based and analytical, and the risk needs to be controlled through an effective loan review mechanism and portfolio management. A loan policy needs to be articulated and approved by the Board. Credit approval needs to be structured according to a delegation of powers, taking into account the size of the credits. A credit risk rating system needs to be developed. Large exposure limits need to be set up, per borrower, per sector and in aggregate. A risk rating system needs to be set up, incorporating financial analysis, projections and sensitivity, industrial and management risks. Review of credit risk 127 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 128 Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities. 129 Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments. 108 INDIA should take place twice per year by independent loan review officers. The system should produce information on expected losses. Banks need to formulate a loan review policy. EC2 The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,130 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes. Description and The October 1999 Circular on Risk Management requires Board approval for the findings re EC2 credit risk strategy, and other risk policies. The Guidance Note of October 2002 mentioned above provides more detail on the management of the credit portfolio. It provides basic guidance on credit risk modelling. Strategy development and approval, review, risk mitigation through a system of limits, tracking of NPLs and credit concentration are also addressed in the Guidance Note. For large NPLs to a borrower with loans from other banks as well, the banks with exposure to this borrower are required to form a “Joint Lenders Forum” under the terms of the 2014 Framework for Revitalizing Distressed Assets, and develop a Corrective Action Plan. The bank’s credit risk management strategy must clearly spell out the risk appetite of the bank and include areas such as risk identification, risk measurement, risk rating, reporting, and risk mitigation. The Board is responsible for the adoption of the strategy, senior management is tasked with the implementation. In the course of onsite inspections, also in the context of the SPARC risk-based supervision system, compliance with these requirements is checked. The banks need to meet certain substantial RBI imposed targets for lending to a list of priority economic sectors: the Priority Sector Lending program.131 This practice interferes significantly with banks’ commercially oriented underwriting policies and contributes to moral hazard. Moreover, a number of exceptions to the classification, provisioning and large exposure rules also have the possibility to undermine banks’ best professional insights into risk management in the credit portfolios. EC3 The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including: a. a well-documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments; b. well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures; 130 “Assuming” includes the assumption of all types of risk that give rise to credit risk, including credit risk or counterparty risk associated with various financial instruments. 131 The total priority sector target is 40 percent of Adjusted Net Bank Credit or Credit Equivalent Amount of Off- Balance Sheet Exposure, whichever is higher for Domestic scheduled commercial banks and Foreign banks with 20 branches and above. 109 INDIA c. effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system; d. effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis; e. prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff; f. exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and b. effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits. Description and The RBI requires policies to establish an appropriate and properly controlled credit findings re EC3 risk environment, as indicated above. The Guidance Note sets out in detail how a bank should create an organizational structure for risk management, put in place Board-approved risk-management policies, consistent with its business strategy, a detailed structure of limits, strong management information systems, well laid out procedures for effective control and risk reporting frameworks, and a system of regular reviews and examinations. A significant addition to banks risk management capabilities has been achieved through the creation of the Credit Repository of Information on Large Credits (CRILC). Banks also have access to the credit bureaus in the Indian market. Banks are required to furnish 75 detailed qualitative information parameters on credit risk control once every year under the SPARC framework (e.g., process for reporting breaches in exposure limits, controls regarding origination of securitized assets, process of review of credit risk ratings (including automation of the process), process for monitoring of credit risk mitigation techniques, etc.) Banks’ implementation of these requirements is covered during the regular onsite inspection process under the SPARC. Full-scope examinations are conducted for most of the banks, other than for 32 banks under Small Bank Variant Model. The 2002 Guidance Note on Credit Risk Management requires banks to have a MIS, enabling them to measure and manage all aspects of credit risk. Banks’ credit risk policy document must include risk identification, measurement, grading and aggregation techniques, reporting and risk control/mitigation. EC4 The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk. Description and Banks have access to the credit risk database maintained by the RBI, the Credit findings re EC4 Repository of Information on Large Credits (CRILC), enabling them to assess the overall indebtedness of their large clients, as well as the performance of overall debt exposure of these borrowers, also with other banks. Information can also be 110 INDIA obtained from other credit bureaus in India. Furthermore, the Circular on Guidance on Risk Management requires banks to assess and develop a framework for managing risk exposure to borrowers in foreign exchange who have no natural hedge against exchange rate movements, and whose debt servicing capacity could therefore be sensitive to such movements. In particular, the guidance requires the banks to maintain higher provisions and RWAs in respect of borrowers facing risk from unhedged foreign currency exposures. EC5 The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis. Description and Art. 10 B of the BR Act specifies that bank managers and Board members shall be findings re EC5 disqualified if they have interests in other companies. Involvement in another company could entail a conflict of interest. The fit-and-proper criteria applicable to banks’ Board members and managers require a declaration of any substantial interests in other companies. Any disclosure of outside interests to the Board, through this declaration, should lead to the manager or Board member being disqualified. Art. 2.1.2.1 of Master Circular on Loans and Advances of July 1, 2015 reaffirms art. 20(1) of the BR Act, which restricts loans and advances to directors and firms in which they hold special interests. Art. 2.1.2.2 of the Master Circular stipulates that banks are prohibited from granting a loan or advance to or on behalf of any director, or to any company in which a director has an interest. EC6 The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities. Description and Notwithstanding banks’ internal credit limits per the Guidance Note mentioned findings re EC6 above, the Master Circular—Exposure norms of July 2, 2012, sets exposure ceilings at 15 percent of capital in case of a single borrower and at 40 percent of capital for a borrower group. Exposures exceeding these thresholds must be approved, e.g., by the Credit Approval Committee of the bank. The capital funds for the denominator of the ratio will comprise Tier I and Tier II capital, as defined under capital adequacy standards (also see paragraph 2.1.3.5 of this Master Circular). Credit exposure to a single borrower may exceed the exposure norm of 15 percent of the bank's capital funds by an additional 5 percent (i.e., up to 20 percent) for infrastructure projects. Credit exposure to borrowers belonging to a group may exceed 40 percent of the bank's capital funds by an additional 10 percent (i.e., up to 50 percent), for infrastructure projects. Board approval is needed for an increase of exposure to a borrower (single as well as group) up to a further 5 percent of capital funds, bringing the ceiling to 25 percent for these cases. Starting May 29, 2008, the single borrower exposure limit has been raised to 25 percent of bank capital for oil companies who have been issued Oil Bonds (which do not have SLR status) by the GOI. Moreover, in exceptional circumstances banks may, under paragraph 2.1.1.3 of the Master Circular, consider increase of the exposure to oil companies with an additional 5 percent of capital, bringing the single borrower ceiling for these borrowers up to 30 percent. EC7 The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. 111 INDIA Description and Under Art. 27 BR Act, the RBI shall receive prudential returns from the banks, on a findings re EC7 quarterly basis. At any time, the RBI may request and obtain any information from the bank about its business, provided it is relevant to supervision. The RBI has access to all Board members, managers and staff of banks, to discuss the bank’s business, in particular, within the SPARC risk-based supervision and inspection process. EC8 The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes. Description and Banks perform scenario analysis with regard to Interest Rate Risk, per the Guidelines findings re EC8 on Risk Management Systems in Banks of 1999. The RBI has also issued a circular “Guidelines on Stress Testing,” of December 2, 2013. The circular stipulates that stress testing should form an integral part of the internal capital adequacy assessment process (ICAAP), which requires banks to undertake rigorous, forward- looking stress testing that identifies severe events or changes in market conditions. ICAAP stress testing provides the senior management with a thorough understanding of the material risks to which the bank may be exposed. Stress testing should also be a central tool in identifying, measuring, and controlling funding and liquidity risks, and assessing the bank’s liquidity profile and the adequacy of liquidity buffers in case of stress events. Assessment of Largely compliant Principle 17 Comment All banks need to follow guidelines and meet targets on priority sector lending, which compromises banks’ independent, risk-based credit allocation policies and strategies. These public policy-oriented constraints can impose significant limitations on the banks’ own development of credit risk management strategies and policies, and may lead to risk accumulation that otherwise could have been avoided. We recommend the RBI consider reviewing PSL policy including targets and scope of application to allow banks flexibility in meeting PSL targets if proposed projects do not meet banks’ commercially based risk management strategies and processes. Principle 18 Problem assets, provisions and reserves.132 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.133 Essential criteria EC1 Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs. Description and The RBI has put in place a broad range of regulations on asset classification and findings re EC1 provisioning. The rules on classification of, and provisioning for NPAs of banks intend to provide criteria for all banks in order to ensure uniform and consistent application. The criteria for classification and provisioning need to take into 132Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 133Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit). 112 INDIA account, among other factors, the period for which the asset has remained nonperforming, the availability of security and the realizable value thereof. The following documents are applicable: The “Master Circular on Prudential Norms on Income Recognition, Asset Classification and Provisioning Pertaining to Advances” (July 2015) (MCCP), the Guidance Note on Risk Management systems in Banks (1999) (GNRM), Guidance Notes on Management of Credit Risk and Market Risk (2002), (GNMC) and Master Circular on Prudential Norms for Classification Valuation and Operation of Investment Portfolio by Banks, July 1, 2015 (MCIP). Banks are obliged by section 3.2.6. of the GNRM to put in place proper Loan Review Mechanisms for large value accounts, and a loan review policy. This policy should cover “assessing the loan loss provision, portfolio quality etc..” The loan reviews are designed to provide “feedback of effectiveness of credit sanction and to identify incipient deterioration in credit portfolio quality….at least 40 percent of the portfolio should be subject to the Loan Review Mechanism in a year.” Banks are obliged by section 2 of The GNRM to put in place a Risk Management Structure consisting of a high-level Risk Management Committee, a Credit Policy Committee (also called Credit Risk Management Committee), tasked with formulating policies on, e.g., loan review, asset quality, and provisioning. The guidelines require ongoing monitoring of the loan portfolio, with half-yearly or quarterly ratings. Banks are required to put in place appropriate internal systems and processes as well as formal MIS to detect deteriorating assets at an early stage.134 The RBI’s MCCP in sections 26.1, creates a category of special mention accounts, SMA-0, no more than 30 days overdue but with signs of incipient stress, SMA-1, overdue 31-60 days, and SMA-2, overdue 61-90 days (EC 9). Standard Nonperforming Assets Substandard Doubtful Loss No timeframe Overdue days 0–90 days 3–15 months Over 15 months defined Provisioning 0.25–2% Unsecured: 25% Unsecured: 100% 100% rate of depending Secured: 15% Secured: outstanding on types of  For doubtful up amount assets, to 1 year: 25% irrespective of security  For doubtful >1 year and up to 3 years: 40%  For doubtful >3 years:100% 134 In April, 2017, the RBI has prescribed that banks put in place a Board-approved policy for making provisions for standard assets at rates higher than the regulatory minimum based on evaluation of risk and stress in various sectors. 113 INDIA By the definition in Art. 2 of the MCCP, an asset becomes nonperforming after 90 days past due. The rules subsequently distinguish categories of NPAs as follows, with the respective provisioning percentages. Standard assets are subject to a general provision at rates between 0.25 percent and 1 percent (2 percent in in the case of housing loans with teaser rates). Section 4.2.7. MCCP determines that when one credit facility for a borrower becomes NPA, all the client’s facilities become NPA. Section 4.2.9. MCCP stipulates that fraudulent NPAs need to be 100 percent written off over at most 4 quarters, without prior classification as substandard, doubtful or loss. The MCCP, in particular, in section 4, recognizes categories of special situations, some of which could entail deviations from the original loan contract conditions and payment expectations on the part of the banks, as well as from the general rules in the MCCP on classification of the loans. The examples of special situations are:  4.2.4: An asset should not be considered nonperforming “merely due to the existence of some deficiencies which are temporary in nature…including non- renewal of the limits on the due date” (e.g., working capital account);  4.2.10: Overdue bank loans under the on-lending program to Primary Agricultural Credit Societies/Farmers’ Service Societies are considered in default only after one or two full crop seasons, depending on the frequency of the crop, and only the on-lent loan actually in default becomes NPA, and not—as is good practice with other types of borrowers—all other exposures to the PACS/FSS;  4.2.11: Overdue advances against term deposits and other financial assets, i.e., life insurance policies are not considered NPA, if there is sufficient margin in the accounts;  4.2.12.ii: Interest on housing loans where interest is payable after recovery of the principal is not overdue measured from the start of the loan, but only after missing a due date once interest payments start (i.e., after principal has been repaid);  4.2.13: Other priority sector agricultural loans become overdue only after one or two crop seasons of nonpayment;  4.2.13.ii: In case of natural calamities, banks are encouraged to convert short term loans into longer maturity loans, or otherwise reschedule them to avoid classification as NPA;  4.2.13.iv: The payment schedules of rural housing loans should—according to the regulation - also be linked to crop schedules;  4.2.14: Credit facilities backed by government guarantees, even when overdue, are classified as NPA only when the government repudiates the guarantee;  Section 4.2.15.3: For project loans where the completion of the projects is delayed for legal and other extraneous reasons, such as delay in government approvals, the delay will not be regarded as restructuring, provided the new DCCO (date of completion and commencement of operations) falls between one and two years after the time of financial closure of the loan. As the loan is 114 INDIA not considered restructured, it remains classified as “standard,” with a standard provision of 0.4 percent, notwithstanding a potentially two-year delay.  4.2.15.3.ii: Banks may also restructure project loans through a revision of the DCCO for longer periods than mentioned above, while retaining the “standard” classification, if: o It is an infrastructure project caught up in an arbitration or court case, to a maximum extension of four years; o If it is an infrastructure project delayed beyond the control of the promoters of the project, to a maximum extension of three years; and o If it is a non-infrastructure loan (other than commercial real estate) to a maximum extension of two years.  4.2.15.3.v: Infrastructure projects under implementation where the appointed date is delayed due to inability of the concession authority to comply with the applicable conditions, leading to a shift in the DCCO, the loan does not need to be treated as restructuring, o if the project is an infrastructure loan in a public private partnership; o loan disbursement has not yet started; o the revised DCCO is duly recorded in a revised contract; o project viability has been reassessed; and o the authorities have agreed.  4.2.15.4: If a change in ownership, and an injection of funds from the new owners takes place in order to facilitate revival of a stalled project, banks may permit extension of the DCCO up to two years without changing the asset classification. These extensions are permitted if certain conditions are met, e.g., inadequacies with regard to the current promoters, and a very high probability that under new ownership, the project can commence within the extension period, the new owner has sufficient expertise in the area of the project, and viability of the project should be established to the satisfaction of the bank  4.2.15.5.ii: Change in the repayment schedule of a project loan caused by an increase in project outlay due to an increase in the scope of the project, is not treated as a restructuring provided certain conditions are met, e.g., the increase takes place before the original DCCO, and the bank still considers the project viable.  4.2.15.5: In all cases of restructuring where regulatory forbearance has been extended, the banks’ Boards need to satisfy themselves as to the viability of the project and the restructuring plan.  4.2.18.ii: In case of nonpayment due to well documented transfer or political risk, the classification needs to be made only one year after the start of the transfer delay.  4.2.19: New loans to enterprises in the context of a rehabilitation approved by the Board for Industrial and Financial Reconstruction only can become NPAs after one year after disbursement, even if earlier facilities to the project were already NPA. 115 INDIA Also, under the scheme for Strategic Debt Restructuring and the scheme for Sustainable Restructuring of Stressed Assets, classification standstills have been introduced under certain conditions. The special situation loans mentioned above are not reported separately under the asset classification and provisioning returns, although some elements are captured through other prudential returns (i.e., on capital adequacy) and through the Central Repository of Information on Large Credits (CRILC) reporting system for large borrowers. The RBI states that project and infrastructure loans are assessed by inspectors in terms of adequacy of risk management. Assessors note that some of the special situations mentioned above seem to reach materiality levels which warrant systematic supervisory monitoring. For example, based on data collected by RBI at one point in time, infrastructure and non-infra- structure project loans with delayed DCCO accounted for almost 19 percent of total impaired loans and advances. Although primary responsibility for appropriate provisioning rests with the bank and its auditor and higher provisions may be taken, the MCCP Sections 5.2, 5.3 and 5.4 provide guidance about provisioning percentages. Secured portions of substandard assets are provisioned for 15 percent. Unsecured substandard exposures are provisioned at 25 percent. If cash flows from financed infrastructure projects flow into an escrow account, provisions of 20 percent are considered adequate. While the availability of security or collateral is not considered for the classification of a loan as an NPA, realizable value of the security or collateral is taken into account when setting provisioning amounts (up to a certain ‘doubtful’ category, see EC1). When a loan becomes an NPA, accrued interest is backed out of the income statement and further accrual stopped. In case of a restructured loan, unpaid interest payments can be capitalized up to a certain period. Provisions are tax deductible to a limit set by the Income Tax Act 1961. Banks are required to create a high-level Credit Policy Committee, which reviews asset quality, classifications, and provisioning. EC2 The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes Description and In the context of the SPARC process, banks are required to provide information on findings re EC2 a bank’s policies and processes for grading, classifying, and provisioning, and the SSMs of a bank determine the adequacy by conducting the assessment of the information during on-/offsite supervision process. The scope of asset quality assessment includes review of the process for credit risk rating, policy for provisioning of NPAs and write-off of NPAs, and process for valuation of collateral. The assessment also covers a review of the working of the Joint Lender Forum mechanism and flexible structuring, quality of appraisal and moratorium, etc. In particular, the RBI examiners assess the adequacy of the classification, provisioning and write-off procedures of individual loans on a sampling basis and determine the bank’s adherence to the RBI’s guidelines. Retail and SME accounts are also tested for asset quality and provisioning at portfolio level. In case of 116 INDIA material adjustments to comply with the RBI’s minimum standards, these are pursued with the bank for rectification. Moreover, in reviewing the annual statements of the bank, the supervisor forms an opinion on the adequacy of the work of the auditors on the loan classification and provisioning per the regulatory requirements, as well as based on the professional judgment of auditors and supervisors. The RBI receives the long-form audit report by which it analyzes the work carried out by the external auditors. Overall, the RBI actively investigates and determines the adequacy of banks’ policies and processes, and mandates action when considered necessary, is evidenced by a number of examples provided by the RBI. These cases show that the RBI monitors banks’ policies and procedures and where needed issues written instructions to banks. Examples include instructions to implement internal mechanisms to classify accounts as nonperforming, to upgrade nonperforming accounts only after full payment of amounts due, to implement systems to identify NPAs, strengthen credit monitoring, review and strengthen collateral management, provide training on asset quality review, to confirm the amounts of restructured loans and make appropriate provisions, and to review and tighten recovery mechanisms by targeting high-value NPAs. From April 2018, India will be converging toward IFRS 9 which requires forward- looking provisioning, based on expected losses. EC3 The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.135 Description and In section 5 of the GNRM banks have been instructed to develop adequate findings re EC3 frameworks for managing their exposure in off balance sheet products, such forex forward contracts, swaps, options, etc. Banks are required to classify their off- balance sheet exposures into three broad categories - full risk (credit substitutes)— stand-by letters of credit, money guarantees, etc., medium risk (not direct credit substitutes, which do not support existing financial obligations)—bid bonds, letters of credit, indemnities and warranties and low risk—reverse repos, currency swaps, options, and futures. Moreover, in MCCP Section 5.9.12 banks are provided with rules for provisioning for derivatives. The rule states that “credit exposures, computed as per the current mark-to-market value of the contract, arising on account of the interest rate and foreign exchange derivative transactions, credit default swaps and gold, shall also attract provisioning requirements as applicable to the loan assets in the “standard” category, of the concerned counterparties.” This provision deals with counterparty credit risk rather than with guarantees and similar “credit equivalent” commitments as envisaged under the Basel guidelines. Supervisors require banks to submit relevant data and determine the appropriateness of the bank’s system during the onsite inspections under the SPARC framework. See EC4. 135It is recognized that there are two different types of off-balance sheet exposures: those that can be unilaterally cancelled by the bank (based on contractual arrangements and therefore may not be subject to provisioning), and those that cannot be unilaterally cancelled. 117 INDIA EC4 The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions. Description and The MCCP sets out a time schedule for the treatment of NPAs and their resolution findings re EC4 (EC1). An asset becomes nonperforming when payment has not taken place after 90 days after the due date. The rules subsequently distinguish categories of NPAs as well as the provisioning percentages and the migration periods from less severe to more severe categories of NPAs, as per the schedule under EC1. However, a significant group of exposures (EC 1) can receive special classification and provisioning treatment. Under Section 4.2.15.5.v of MCCP, banks are required to reassess the viability of a restructured project before making use of the opportunities for regulatory forbearance. The MCCP, GNCM, GNRM, and MCIP all prescribe that a bank shall have appropriate policies, procedures and practices for timely identification of NPAs. The SPARC system collects balance sheet data on loan classification and provisions. A basic early warning mechanism has been created recently through the introduction of Special Mention Accounts—SMAs (EC1). The SMAs allow a bank to become aware of potential NPAs at an early stage when the exposure has not yet become nonperforming as defined in the MCCP. A bank’s policies, processes and loan review, in particular classification and provisioning procedures, are a standard item verified in the SPARC context, examined during onsite inspections. The loan review and provisioning results are routinely discussed at the bank’s Board. The SPARC process also incorporates market and macroeconomic conditions. The assessors note that the interpretation of macroeconomic conditions needs to be made with a view to introducing more prudence in setting repayment and recovery expectations at realistic levels, especially when such macroeconomic conditions deteriorate. EC5 The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans). Description and Through the GNRM, MCCP, MCIP, and GNCM, banks are obliged to put in place findings re EC5 proper Loan Review Mechanisms for large value accounts, and a loan review policy. This policy should cover “assessing the loan loss provision, portfolio quality etc..” The loan reviews are designed to provide “feedback of effectiveness of credit sanction and to identify incipient deterioration in credit portfolio quality….at least 40 percent of the portfolio should be subject to the Loan Review Mechanism in a year.” Supervisors test banks’ treatment of assets and determine whether the bank has appropriate policies processes and resources for early identification of NPAs, and exercise ongoing oversight during onsite work in the banks. For example, supervisors examine on a regular basis the credit review and rating/classification 118 INDIA process, including downgrades, the recovery process, and the process to identify a guarantor’s assets in case of need to call the guarantee. Banks are obliged by section 2 of The GNRM to put in place a Risk Management Structure consisting of a high-level Risk Management Committee, a Credit Policy Committee (also called Credit Risk Management Committee), tasked with formulating policies on e.g., loan review, asset quality and provisioning. The guidelines require ongoing monitoring of the loan portfolio, with half-yearly or quarterly ratings. Banks are required to put in place appropriate internal systems and processes as well as formal MIS to detect deteriorating assets at an early stage. In particular, Chapter 8 of the GNRM lays down rules on identification of NPAs, and their treatment. The loan classification and provisioning system has opportunities for special treatment of overdue debt, as described in EC 1 above, and thus some elements of regulatory forbearance (e.g., MCCP 4.2.15-) is retained in the system. The GNRM also requires banks to put a Loan Review Mechanism in place to identify loans which are developing weaknesses, to review portfolio quality overall, provide information to determine the adequacy of provisioning, and to provide top management with information on credit administration, sanctions and follow up. This system would typically be applied to large value loans. The SPARC system, makes the banks themselves and the RBI follow NPA developments and have a basis for corrective action. EC6 The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels. Description and The banks report to RBI on a quarterly basis their NPAs and provisioning. Sections findings re EC6 27 and 35 of the BR Act provide the RBI with the right to obtain any information from a bank necessary to perform its supervisory tasks, and to perform full inspections, including on an ad hoc basis. This includes information on classification and provisioning. The RBI also has access to the internal and external auditors of the bank, and can send a delegate to attend the bank’s Board meetings where provisions are discussed. Moreover, the quarterly returns specify the provisions made, and banks are bound to disclose the provisions in the annual and quarterly financial statements. The RBI does not collect full quantitative information about amounts involved in each of the special cases mentioned in the description in EC 1. EC7 The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures. Description and The adequacy of asset classification and provisions, per the guidelines issued by the findings re EC7 RBI—see above under EC1—is assessed quarterly, and during the annual onsite inspection. NPAs and provisions are risk factors in a bank’s risk rating per the SPARC system. Appropriate supervisory action is prepared and carried out based on the supervisory rating, and onsite inspection. For example, RBI conducted banking- 119 INDIA sector wide AQR in 2015 and required banks to reclassify the identified accounts as NPA and make further provisions. An important part of the framework is Section 35A of the BR Act, which lays down general powers for the RBI to give binding directions to banks to “prevent the affairs of any banking company being conducted in a manner detrimental to the interests of the depositors or in a manner prejudicial to the interests of the banking company.” This general rule does not specifically mention the power to impose stricter classifications or higher provisions. However, it is seen by the RBI as the basis for its enforcement powers with regard to classification and provisioning. In practice, RBI has taken relevant supervisory measures, e.g., by requiring banks to phase in, by March 2017, additional provisions as a result of the 2015 AQR and issued incidental directives to individual banks. EC8 The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account the prevailing market conditions. Description and The Circular “Valuation of Properties—Empanelment of Valuers” requires banks to findings re EC8 have a Board approved policy on valuation of collateral. Two appraisals from independent appraisers are required for properties above a certain value. In cases of NPAs with balance of Rs 5 crore and above, collateral must be reviewed annually by external appraisers. Also, collateral such as immovable properties pledged in favor of the bank must be subjected to valuation once in three years by appraisers appointed by the bank. The value of risk mitigants is reviewed by banks every quarter when NPAs and provisions are reported to the RBI. The RBI reviews the asset portfolio during inspections, or on an ad hoc basis as needed. The review results are included in the SPARC risk based scoring methodology. EC9 Laws, regulations or the supervisor establish criteria for assets to be: (a) identified as a problem asset (e.g., a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and (b) reclassified as performing (e.g., a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected). Description and Sections 2.1 and 4.1 of the MCCP it provides definitions of NPAs, and the findings re EC9 classification categories: substandard, doubtful, loss. A nonperforming loan (90 days overdue) is classified as “substandard” when it has remained an NPA for a period less than or equal to 12 months. Such an asset will have well defined credit weaknesses that jeopardize the liquidation of the debt and are characterized by the distinct possibility that the banks will sustain some loss, if deficiencies are not corrected. A loan is classified “doubtful” when the loan has remained in the substandard category for a period of 12 months. A doubtful loan will have all the weaknesses inherent in assets that were classified as substandard, with the added characteristic that collection in full is considered highly questionable and improbable. The classification “Loss” is applied when the amount has not been 120 INDIA written off wholly but is considered uncollectible, although there may be some salvage or recovery value. Moreover, a new category “special mention advances” (SMA) was created for the early detection of signs of distress in the condition of borrowers. SMA has three sub-classifications: SMA-0: includes accounts with signs of incipient stress, although there are no overdues longer than 30 days. The illustrative list of signs of stress in Appendix to Part C-1 of the MCCP includes:  Delay of 90 days or more in (a) submission of stock statement/other stipulated operating control statements or (b) credit monitoring or financial statements or (c) non-renewal of facilities based on audited financials;  Actual sales/operating profits falling short of projections accepted for loan sanction by 40 percent or more; or a single event of non- cooperation/prevention from conduct of stock audits by banks; or reduction of Drawing Power (DP) by 20 percent or more after a stock audit; or evidence of diversion of funds for unapproved purpose; or drop in internal risk rating by 2 or more notches in a single review;  Increase in frequency of overdrafts in current accounts;  The borrower reporting stress in the business and financials; and  Promoter(s) pledging/selling their shares in the borrower company due to financial stress, etc. SMA-1: includes accounts where principal and/ or interest are overdue between 31-60 days. SMA-2: includes accounts where principal and/ or interest are overdue for between 61-90 days. SMA-2 loans are reported to the Central Repository of Information on Large Credits (CRILC). Reclassification of a restructured loan can take place only after one year’s uninterrupted payment record for principal and interest, starting when the first restructured payment has fallen due on the loan with the longest grace period after restructuring. EC10 The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred. Description and Section 3.2.5. of the GNRM stipulates that banks need to have a credit risk findings re EC10 management department (CRMD), that should have the responsibility of periodic monitoring of the portfolio. Per the GNRM banks could also consider the following: quantitative ceilings on aggregate exposure by sector or rating categories. Per 3.2.6. of the GNRM banks must have a Loan Review Mechanism (LRM), which should promptly identify weak loans and initiate timely corrective action. The LRM should also evaluate overall portfolio quality and identify problem areas, provide information about the adequacy of loan loss provisions, to assess the adequacy of and adherence to loan policies and procedures, and to provide top management 121 INDIA with information on credit administration, risk evaluation and post sanction follow up. The GNRM requires banks to have a strong MIS. The RBI Circular on Calendar of Reviews, of May 14, 2015 stipulates that financial reports and their integrity shall be one of the critical themes for discussion at Board meetings, which shall include discussion of NPA management and integrity of the provisioning process. The above mentioned LRM must be annually evaluated by the Board. The RBI routinely reviews the minutes of Board meetings to assess the quality and scope of the Board’s activities. Further, RBI requests and reviews extensive information on Board’s oversight function under the SPARC, including reporting framework established to ensure that the Board is provided with timely, relevant, correct and complete information for effective decision making. The RBI also can send a delegate to attend the bank’s Board meetings where provisions are discussed (EC 6). EC11 The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold. Description and The RBI’s current regulations on valuation, asset classification and provisioning findings re EC11 apply at the individual item level, even for small retail exposures. The RBI requires that banks undertake the loan reviews of high value loans, usually within three months of sanction/renewal, or more frequently when factors indicate a potential for deterioration in the credit quality. The scope of the review should cover all loans above a certain cut-off limit. Under this loan review mechanism, banks are required to review at least 40 percent of the portfolio every year. The complexity and scope of the banks’ loan review mechanism normally vary based on banks’ size, type of operations, and management practices. For the review of the loan portfolio, to assess the appropriateness of loan classification and provisions, banks determine the scope of the review, including high- value loans, and generally comprising the great majority of the loan portfolio in value. Among the documents banks need to present to the RBI in the context of the SPARC system is a half-yearly credit audit prepared by the banks based on their internal review processes. Supervisors require that the loans selected by the banks are reviewed by banks on an individual basis. With each review the sampling exercise is repeated, which assures that the sample is refreshed as new loans appear on the books. EC12 The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment. Description and The RBI has a Financial Stability Unit (FSU), which, as part of its preparation of the findings re EC12 half-yearly Financial Stability Reviews, assesses the build-up of risk across the banking sector. The FSU findings are included in the preparation of macroprudential policy. The results of the analysis by the FSU are shared with the Banking Supervision Department and the inspectors. While classification and provisioning is in first instance the responsibility of the banks, their management, 122 INDIA Board, and their internal and external auditors, the supervisory function is intended to be an effective backstop in case the banks’ own processes fail. In addition, the SPARC system also includes a large number of parameters that provide data on exposure to many significant sectors of the economy. The SSMs consider the FSU findings and review NPAs and provisioning level as part of its SPARC framework. The identification of risk in the banking system has also been considerably strengthened by the creation of the CRILC database, within the RBI, which is accessible to inspectors, as well as banks. In effect, it is a credit bureau/ registry operated by the RBI. Inputs to this system are provided by the banks, following an instruction from the RBI. The inspectors also evaluate banks’ actions to prevent default risk. Notwithstanding the use of these mechanisms to detect risk in the system, the Asset Quality Review (AQR) of 2015 brought to light very considerable additional NPAs and the associated need for additional provisions. However, the special situation loans mentioned in EC1 are not reported separately as formal supervisory returns for regular monitoring of the trends and potential build- up of relevant risks (See EC1). Assessment of Largely compliant Principle 18 Comments Significant positive developments have been set in motion since the previous FSAP. In the area of loan classification and provisioning changes have been introduced, generally in the direction of further tightening of the rules. For loans where regulatory forbearance has been allowed for restructured accounts (deferment of DCCO) allowing them to remain “standard,” the provision has been increased from 2.75 percent to 5 percent. A very significant policy action to start addressing the NPA problem has been the 2015 AQR, which coincided with the introduction of the new 2015 Master Circular on loan classification and provisioning. The exercise showed a significant level of under-recognition of NPAs, incorrect classification, and under-provisioning, and the corresponding need for the reinforcement of capital in many banks. The AQR covered 93 percent of the loans on the banks’ books. Although banks have taken additional provisions since the AQR, further action is needed to follow up on the results of the AQR in terms of further reducing NPA levels, and continued tightening of the regulations, the need for which was recognized by the RBI in meetings with the assessors. The current systems and processes to monitor asset classification and provisioning could be considered broadly adequate. Notwithstanding an increase in coverage level since mid-2015 from 37 percent to 42 percent, the current coverage of NPAs still seems to be on the low side, given the vulnerabilities in the corporate sector, and may prevent a more decisive resolution of problem assets. The current system for classification and provisioning still shows several weaknesses and the issues driving the gradings are:  The regulation recognizes a number of special situation advances, some of which considerably extend the period beyond the contractually agreed payment dates, before the bank starts receiving its expected cash flow. While the authorities may have justifications for this special treatment, in particular with regard to the loans for projects of which DCCO has been delayed for certain reasons, it may weaken the loan classification and provisioning adequacy by providing this flexibility for the borrowers. The structure of the 123 INDIA rules, with multiple cases of different treatment under special situations is also complex and difficult to monitor given the lack of systematic reporting on the magnitudes of these special cases. The RBI should also further reassess the need for amending the special loan categories relating to asset classification benefits, as some of these special situations could alter the repayment schedules, to the detriment of the banks cash flow, liquidity management and ultimately profitability. Also, RBI should develop reporting tools and enhance monitoring, in order to closely monitor the materiality, trend and build-up of risks on this special situations in a systematic way, also to create a stronger factual basis for remedial action when needed.  The RBI would need to ensure that the parameters of the asset classification and provisioning regulations (i.e., provisioning rates and categories of impairment) remain realistic136. The RBI should periodically undertake deeper reviews of actual losses, cure rates, and performing exposures, and back test provisioning percentages in each category of assets. If necessary, regulatory parameters should be adjusted to accurately reflect the real value of the assets.  It is important to note that good practices are continuously evolving in the areas of NPLs and forbearance and supervisory expectations on NPA identification and definitions of restructuring were raised in recent months (i.e., Basel Committee “Prudential treatment of problem assets, definitions of nonperforming exposures and forbearance,” April 2017). The RBI should stay on top of this and align its practices and regulations as soon as possible with new regulatory developments.   Finally, given the high level of NPAs in the system, the authorities should consider a more proactive approach to ensure that banks, via adequate provisioning, have proper incentives to tackle NPAs and free up balance sheets for more productive lending. Principle 19 Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.137 Essential criteria EC1 Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.138 Exposures arising from off-balance sheet as well as on- balance sheet items and from contingent liabilities are captured. 136 In April 2017, the LGD rates for collateralized exposures for some commercial banks were assessed for the supervisory purpose. 137 Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof. 138 This includes credit concentrations through exposure to: single counterparties and groups of connected counterparties both direct and indirect (such as through exposure to collateral or to credit protection provided by a single counterparty), counterparties in the same industry, economic sector or geographic region and 124 INDIA Description and The rules on concentration risk and large exposure limits are laid down in the findings re EC1 Circular on Risk Management Systems in Banks of October 7, 1999, the Circular “Guidance Notes on Management of Credit Risk and Market Risk” of October 12, 2002. Key document is the Master Circular “Exposure Norms,” of July 2, 2012, and the Circular “Large Exposures Framework” of December 1, 2016, which is to take effect on April 1, 2019. The latter circular intends to implement the Basel Committee’s “Supervisory Framework for Measuring and Controlling Large exposures both at the consolidated group level as well as at the solo level.” Already in the earliest circular, of 1999, banks were required to formulate policies on prudential limits on large exposures, concentration of risk, monitoring and evaluation of large and concentrated risks. Portfolio managers should be appointed to monitor these risks. Banks were also required to develop frameworks to adequately manage their exposures, also to off balance sheet instruments, including swaps, foreign exchange forwards, options, etc. Off balance sheet items are also included in the calculation of large exposures and concentration of risk. Banks are required to report large exposures and risk concentration (also off balance sheet) on a consolidated basis to the RBI. These are reviewed during onsite inspections, and the outcomes introduced into the SPARC risk based supervision framework. EC2 The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure139 to single counterparties or groups of connected counterparties. Description and Banks’ systems are required to provide the data for reporting large exposures and findings re EC2 concentration of risks, individually and in aggregate, to the RBI on a quarterly basis, using the regular prudential reporting formats. Breaches are reported internally in the bank to the Risk Management Committee and the Board. The onsite inspections make exception reports as needed, and outcomes are entered into the SPARC risk based supervision framework. This framework produces a risk score, and an estimated capital outcome, taking into account all risk factors, including large exposures and risk concentrations. Moreover, the CRILC framework described under CP 18 under which banks report their exposures to a centralized database at the RBI (in effect a central bank operated credit bureau/ registry) has helped banks as well as the RBI track large exposures and lending to individual borrowers, sectors and groups or connected parties. EC3 The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s counterparties whose financial performance is dependent on the same activity or commodity as well as off- balance sheet exposures (including guarantees and other commitments) and also market and other risk concentrations where a bank is overly exposed to particular asset classes, products, collateral, or currencies. 139 The measure of credit exposure, in the context of large exposures to single counterparties and groups of connected counterparties, should reflect the maximum possible loss from their failure (i.e., it should encompass actual claims and potential claims as well as contingent liabilities). The risk weighting concept adopted in the Basel capital standards should not be used in measuring credit exposure for this purpose as the relevant risk weights were devised as a measure of credit risk on a basket basis and their use for measuring credit concentrations could significantly underestimate potential losses (see “Measuring and controlling large credit exposures, January 1991). 125 INDIA policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board. Description and The thresholds for large exposures and risk concentration are currently laid down in findings re EC3 Master Circular—“Exposure Norms” of July 2, 2012. Large exposures to a single borrower are limited to 15 percent of regulatory capital (Tier 1 +2), and exposures to a group to percent. A number of exceptions and exemptions are allowed under the regulation:  Exposure to central counterparties is excluded;  Single borrower and group limits can be raised to respectively 20 percent and 45 percent with approval of the bank’s Board;  For infrastructure projects, the limits can be raised to 20 percent and 50 percent;  For oil companies with oil bonds, the limit is 25 percent which can be raised to 30 percent;  For loans to nonbank finance companies that lend to infrastructure projects, the limit can be raised to as high as 20 percent;  No limit applies to lending to “sick or weak” industrial units, provided these are under rehabilitation;  No limit applies to borrowers who are under specific RBI determined limits for lending to the “food credit” program; and  Loans guaranteed by the government are not subject to limits, nor loans against cash collateral, or loans to the National Bank for Agriculture and Rural Development (NABARD). Using a system of “credit conversion factors” (CCFs), off balance sheet items are also brought under the exposure limits. CCFs are set depending on duration of the contracts. Contracts of less than one year carry a CCF of 0.5 percent, for 1–5 years: 1.0 percent, above 5 years: 3 percent. Foreign exchange and gold contracts each carry CCFs of respectively 2, 10 percent and 15 percent. However, lease, hire and factoring exposures are together limited to 10 percent of total loans. EC4 The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed. Description and Banks report all their large exposures on a quarterly basis. The reporting templates findings re EC4 allow for identification of large exposures and group exposures. Also sectoral, geographical and foreign exchange exposures can be distinguished. However, the regulation does not set sectoral limits. Banks are required to do so according to their professional judgment in their internal systems. These limits will be verified in onsite inspections. EC5 In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis. Description and The definition of “group” and the identification of borrowers belonging to specific findings re EC5 industrial groups is left to the assessment of the banks/financial institutions. 126 INDIA Membership of a group may, therefore, be decided on the basis of relevant information available to the bank. The guiding principle is commonality of management and effective control. The definition of “group” is stipulated in the RBI circular from December 1, 2016, but will only become effective from the date when the circular will be implemented in full by April 1, 2019. EC6 Laws, regulations or the supervisor set prudent and appropriate140 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on- balance sheet as well as off-balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis. Description and The RBI’s large exposure rules of December 1, 2016, in section 4.1 define “large findings re EC6 exposure” as follows: “the sum of all exposure values of a bank to a counterparty or group of connected counterparties is defined as a large exposure if it is equal to, or above 10 percent of a bank’s eligible capital base (Tier 1 capital).” With respect to the limit, according to section 5, the sum of all the exposure values of a bank to a single counterparty must not be higher than 20 percent of the bank’s available eligible capital base at all times. In exceptional cases, Board of banks may allow an additional 5 percent exposure of the bank’s available eligible capital base. Banks shall lay down a Board approved policy in this regard. For groups of connected counterparties, the sum of all the exposure values of a bank to a group of connected counterparties (as defined in section 6 of this circular) must not be higher than 25 percent of the bank’s available eligible capital base at all times. The definition of “group” is stipulated in the RBI circular of December 1, 2016 as follows: “a group of counterparties with specific relationships (e.g., “control”) or dependencies such that, if one of the counterparties were to fail, all of the counterparties would very likely fail.” Section 7.1 of the circular requires that both off- and on-balance sheet exposures, in the banking as well as the trading book, plus counterparty credit risk, should be taken into account. This circular will be implemented in full by April 1, 2019. However, the RBI states that the limits are already applied de facto. On the other hand, under the RBI’s current circular of 2012, any credit exposure to a single borrower is not to exceed 15 percent of a bank’s regulatory capital, and exposure to a group is not to exceed 40 percent of a bank’s regulatory capital (see EC3) RBI requires banks to submit detailed information on large exposure limit through supervisory returns. In addition, under the SPARC framework, banks are required to report their control information parameters including process for reporting breaches in exposure limits, process for fixing limits and controlling exposure to counterparties, etc. (see CP17). The RBI assesses that senior management of banks monitors these limits and that they are not exceeded on a solo or consolidated basis during the offsite supervision and onsite inspection. 140 Such requirements should, at least for internationally active banks, reflect the applicable Basel standards. As of September 2012, a new Basel standard on large exposures is still under consideration. 127 INDIA EC7 The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes. Description and The “Guidelines on Stress Testing,” of December 2, 2013, section 3.1 “Credit risk,” findings re EC7 provide for stress testing single borrower exposure by assuming the default of the largest single borrower, the top two single borrowers, and the top three. Exposure to groups is tested by assuming the default of the top three group entities, the top five, and the entire group. Sectoral concentration risk is tested by assuming the top, top three, and top five borrowers in a particular sector. Under the guidelines, banks are divided into three categories according to balance sheet totals. Depending on their category, banks are expected to perform stress tests of increasing complexity. A bank in the smallest group would conduct simple sensitivity analyses of the specific risk types to which it is most exposed, allowing it to identify, assess and test its resilience to shocks relating to the material risks to which its portfolios are exposed. It should however still consider interactions between risks, for example intra- or inter-risk concentrations, rather than focus on the analysis of risk factors in isolation. A bank in the middle group should conduct multifactor sensitivity analysis and simple scenario analyses of the portfolios with respect to simultaneous movements in multiple risk factors caused by an event. It should select a sufficiently realistic scenario which can impact its portfolios. Such a bank may also do qualitative analysis with respect to reverse stress testing. Moreover, the bank is expected to carry out both qualitative and quantitative analysis of correlations among risk types, feedback effects, etc. to get meaningful results from stress testing programs. A bank in the largest group should carry on stress testing programs with all the complexities and severities required for programs to be realistic and meaningful. These banks are expected to have an appropriate infrastructure in place to undertake a variety of stress testing approaches, from simple portfolio based sensitivity analyses to complex macro scenario driven firm-wide exercises. Moreover, they should include rigorous firm-wide stress tests covering all material risks and entities, as well as the interactions between different risk types. The banks are expected to regularly conduct reverse stress testing. Banks operating internationally should conducted stress tests at consolidated level to understand the risk at aggregate level and their implications for the group. They are expected to discuss the stress testing issues with the concerned regulators. Additional criteria AC1 In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following: (a) 10 percent or more of a bank’s capital is defined as a large exposure; and (b) 25 percent of a bank’s capital is the limit for an individual large exposure to a private sector non-bank counterparty or a group of connected counterparties. Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks. Description and The RBI’s large exposure and risk concentration rules of December 1, 2016, in findings re AC1 section 4.1 and 5 define “large exposure” and set the limit following the Basel Guidelines. The circular will be implemented in full by April 1, 2019 (See EC6). 128 INDIA With regard the circular of 2012, although a number of exceptions and exemptions are permitted under the current framework, limits are prescribed. A basic limit of 15 percent of regulatory capital (Tier 1 +2) per individual borrower imposed. The basic limit for exposures to a group is 40 percent. (See EC3). Assessment of Largely compliant Principle 19 Comments In order to align the exposure norms for Indian banks with the Basel Standards, a new Large Exposures (LE) Framework was issued on December 1, 2016. However, this new framework will not be applicable fully until April 2019. The current rules still have many exceptions that allow large exposures up to 50 percent of its capital base (e.g., infrastructure project loans).141 Nevertheless, the RBI states that it already applies the new limits in practice. Banks must gradually adjust their exposures, so as to comply with the LE limit by that date. Accordingly, prior to this date, banks should avoid taking any additional exposure/reduce exposure in cases where their exposure is at or above the exposure limit prescribed under this framework. The RBI should monitor banks’ practice more closely and take supervisory action (as needed) in the context of the introduction of the new large exposure rules, and reduce/remove as much as possible the current exceptions to the basic limits. Principle 20 Transactions with related parties. In order to prevent abuses arising in transactions with related parties142 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties143 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes. Essential criteria EC1 Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis. Description and In India, the regulations or guidelines on transactions with related parties are findings re EC1 scattered in various standards and guidelines:  Indian Accounting Standard 18 (Related party disclosures)—considers parties are related if at any time during the reporting period one party has the ability to control the other party or exercise significant influence over the other party in making financial and/or operating decisions and defines in detail such relationships (enterprises that directly, or indirectly through one or more intermediaries, control, or are controlled by, or are under common control with, the reporting enterprise; affiliates; individuals who control or significant 141 The current rules will be phased out with full implementation of new LE framework. 142 Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies. 143 RPTs include on-balance sheet and off-balance sheet credit exposures and claims, as well as, dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes an RP. 129 INDIA influence over the enterprise and their relatives, key management personnel and their relatives, etc.).  RBI Guidelines on Management of Intra-Group Transactions and Exposures (February 2014)—contains a comprehensive definition of group and which also includes related parties (as group entities) for prudential purposes (para. 2.3). The guidelines state that the prudential definition has to be interpreted in conjunction with the accounting standards. “Related Party” will also include structures such as SPV/SIV/conduits based upon the actual ownership/ control/ significant influence/beneficial interest. The guidelines are exclusively meant for banks’ transactions and exposures to the entities belonging to the bank’s own group (group entities). The RBI states that an individual RP is also included in its definition of “group entity” as well as a company for the purpose of these guidelines.  The RBI Master Circular-Loans and Advances-Statutory and Other Restrictions— outlines clear restrictions on loans and advances to directors and relatives of directors of the bank. With the exception of loans for personal use (clearly defined in the regulation), directors (or firms where the director is a partner, manager, employee, or guarantor, or in which he/she holds a substantial interest) are not allowed under to obtain credit from their bank. The relatives of bank’s directors may not be granted loans and advances without prior Board approval. In such cases, the director should not be present in the meeting unless his/her presence is required by the other directors for the purpose of eliciting information and the director so required to be present shall not vote on any such proposal. Further, the master circular stipulates that bank’s officers and their relatives can receive loans and advances in accordance with the loan policy of the bank approved by their Board. In case of a loan to the senior officer in charge of grant of credit facilities, the approval of such credit facility (including to his relatives) is accorded by the next higher authority. Loans approved to the senior officers and their relatives are all reported to the Board of the bank. The above norms relating to grant of loans and advances will equally apply to awarding of contracts. The RBI states that the term ‘contract’ refers to any contract for supply of goods and services entered into by the bank. (Para. 2.2.1, 2.2.1.6, 2.2.1.7 of the Master Circular, Section 20(1) of BR Act). EC2 Laws, regulations, or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.144 Description and The guidelines on management of Intra-Group Transactions and Exposures findings re EC2 (paragraphs 4.1—4.2) require banks to put in place a Board approved comprehensive policy on monitoring and management of intra-group transactions and exposures (ITE), which include those with related parties (see EC1). The policy should include, among others, a system of regular review and reporting of material ITEs to the Board; requirement that terms and conditions and credit standards of intra-group transactions are substantially the same as those prevailing at the time for comparable transactions with or involving third party/non-group entities, and 144 An exception may be appropriate for beneficial terms that are part of overall remuneration packages (e.g., staff receiving credit at favorable rates). 130 INDIA procedures for resolving any conflicts of interest arising from ITEs (which should be conducted at arm’s-length principle). EC3 The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing RPTs. Description and Regulation 23(2) of Securities and Exchange Board of India (Listing Obligations and findings re EC3 Disclosure Requirements) (2015), stipulates that all RPTs shall require prior approval of the Board’s Audit Committee. This is applicable to all Indian banks, as all of them are listed in the stock exchanges. In addition, the guidelines on management of ITE (paragraph 4.3) require that where the terms and conditions applying to a bank’s dealings with related parties (group entities) are inconsistent with the benchmarks set for the similarly rated third party/non-group entities as required by the regulation, they must be put up to the Board by the sanctioning authority with justifications. In addition, the guidelines stipulate a general requirement that banks are required to put in place procedures for resolving any conflict of interest arising from intra- group transactions and exposures. Thus, Board members with conflicts of interest are expected to be excluded from the approval process of granting RPTs. However, there are no explicit requirements that the write-off of related-party exposures be subject to prior approval by the bank’s Board under this guideline. EC4 The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction. Description and The Guidelines on management of ITE (paragraph 4.1-4.2) require that banks findings re EC4 should put in place a Board approved comprehensive policy on monitoring and management of ITEs, which extends to related parties (see EC1). The policy should be reviewed at least annually (see EC2). Paragraph 2.2.1.6 of the Master Circular quoted above mandates that the chairman/managing director or other director who is directly or indirectly concerned or interested in any proposal should disclose the nature of his/her interest to the Board when any such proposal is discussed. He/she should not be present in the meeting unless his/her presence is required by the other directors for the purpose of eliciting information, and the director so required to be present shall not vote on any such proposal. Further, the Master Circular requires that no officer or any Committee comprising, inter alia, an officer as member, shall, while exercising powers of sanction of any credit facility, sanction any credit facility to his/her relative (see EC2). The RBI states that annual onsite inspection verifies policies and processes associated with RPTs, exposures, and effectiveness of compliance controls. EC5 Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties. 131 INDIA Description and The guidelines on management of ITE (paragraph 3) prescribes limits on intra group findings re EC5 transactions and exposures, which extend to related parties (see EC1). According to Paragraph 3.3 of the guidelines, banks should adhere to the following intra-group exposure limits: a. Single Group Entity Exposure i. 5 percent of Paid-up Capital and Reserves in case of nonfinancial companies and unregulated financial services companies; ii. 10 percent of Paid-up Capital and Reserves in case of regulated financial services companies. b. Aggregate Group Exposure i. 10 percent of Paid-up Capital and Reserves in case of all nonfinancial companies and unregulated financial services companies taken together; ii. 20 percent of Paid-up Capital and Reserves in case of the group i.e., all group entities (financial and nonfinancial) taken together.” In addition, the intra-group exposures beyond permissible limits subsequent to March 31, 2016, would be deducted from Common Equity Tier 1 capital of the bank (Paragraph 4.4.11 of the guidelines). In terms of the loans to directors, senior bank officers, and relatives of them, the paragraphs 2.1.2 and 2.2.1. Master Circular-Loans and Advances-Statutory and Other Restrictions are applied (See EC1). However, it is unclear that the ITE limit is applied to RPTs between a bank and its major individual shareholder or family. EC6 The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors RPTs on an ongoing basis, and that the Board also provides oversight of these transactions. Description and The guidelines on management of ITE (paragraph 4.6) requires banks to ensure that findings re EC6 they have adequate systems and controls in place for identifying, monitoring, managing and reviewing exposures arising from intra-group transactions and exposures, which extend to related parties (see EC1). In particular, according to paragraph 4.2 of the guidelines, banks’ material intra- group transactions should be examined by their internal auditors and the same should be checked by statutory auditors on a sample basis to ascertain that intra- group transactions undertaken (see EC2). In addition, where the terms and conditions applying to a bank’s dealings with group entities are inconsistent with the benchmarks set for the similarly rated third party/non-group entities, they must be put up to the Board by the sanctioning authority with justifications (paragraph 4.3). If necessary, the RBI can require banks to put in place additional internal controls and a more robust risk monitoring, managing, reporting and review mechanism on 132 INDIA intra- group transactions and exposures over the course of onsite examinations under the SPARC framework. However, the guidelines do not apply to the transactions with directors, senior bank officers, and their relatives (see EC1). In terms of the loans to directors, senior bank officers, and their relatives, the paragraphs 2.1.2 and 2.2.1. Master Circular-Loans and Advances-Statutory and Other Restrictions apply, but no such detailed requirements are stipulated in the Master Circular. EC7 The supervisor obtains and reviews information on aggregate exposures to related parties. Description and The guidelines on management of ITE (paragraph 9) contains reporting findings re EC7 requirement for banks of their intra group transactions (including related parties). In particular, the banks should prepare and submit a list of the group entities. The list should include all group entities established and operating in India and those overseas entities with which they have material transactions during last three financial years. Any exclusion and/or inclusion of group entities should be reported at the earliest. The RBI reviews information on aggregate intra-group exposures and compliance of the limit on exposures through a prudential return submitted by banks. Banks should operate within the stipulated limits on an ongoing basis and report their intra-group exposures. In terms of the loans to directors and senior bank officers, the exposures are reported through the report on connected lending. Each SSM of DBS reviews the report on a quarterly basis. Assessment of Largely Compliant Principle 20 Comments The RBI issued the Guidelines on Intra-Group Transactions and Exposures (ITEs), which have been in effect since 2014. The guidelines apply to RPs. Transactions with individual related parties such as directors, senior officers, and their relatives are regulated by Master Circular-Loans and Advances-Statutory and Other Restrictions. Even though there have been improvements since the last FSAP in terms of transactions with related parties, group entities, the rules over RPTs still have room for improvement:  The definitions of related parties and relevant regulations/guidelines are scattered in different supervisory documents or legal texts, making it difficult to identify/define a clear framework of RPTs. The RBI should consider issuing a consolidated document to compile the different regulations on RPTs.  There is no explicit requirement for Board approval to be obtained prior to RP exposure (beyond a specified level) write-offs. The RBI should consider including in the regulation an explicit provision to ensure arm’s-length transactions.  It is unclear that the ITEs limits are applied to RPTs between a bank and its major individual shareholder or family. Principle 21 Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or 133 INDIA mitigate country risk145 and transfer risk146 in their international lending and investment activities on a timely basis. Essential criteria EC1 The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end- borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures. Description and According to RBI circular on ‘Risk Management Systems in Banks - Guidelines on findings re EC1 Country Risk Management by banks in India,’ issued in February 2003, banks are required to formulate appropriate, well-documented, and clearly defined 'Country Risk Management' (CRM) policies (Paragraph 1). The scope should cover domestic and foreign operations as well as direct and indirect country risk. Banks are required to monitor and make provisions in terms of the guidelines. The CRM policy of banks should address the issues of identifying, measuring, monitoring, and controlling country exposure risks (Paragraph 4). For each country where the bank’s net funded exposure is 1 percent or more of its total assets, the bank is required to formulate the CRM Policy for dealing with country risk. The policy should include contingency plans and exit strategies in times of crisis. The Guidelines also requires banks to implement systems and procedures approved by the Board, in order to handle situations involving significant changes in conditions in a country (Paragraph 2). Banks also may set up regional exposure limits for country groups, at the discretion of their Board. The Board decides on the basis for grouping of countries and also formulate guidelines regarding all aspects of such regional exposure limits (Paragraph 12). According to the Guidance Note on Credit Risk (October 2002) transfer risk is considered a component of country risk (i.e., country risk comprises: transfer risk, sovereign risk, nonsovereign or political risk, and cross-border risk). The RBI conducts assessments of policies and procedures of the CRM of banks during the onsite examination under the SPARC framework (at least once during 12–18 month supervisory cycle). In addition, banks are required to submit to the RBI a quarterly prudential return on the country exposure and maturity. 145 Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporate, banks or governments are covered. 146 Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics – Guide for compilers and users, 2003.) 134 INDIA EC2 The supervisor determines that bank’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description and According to the guidelines on the CRM, banks are required to formulate findings re EC2 appropriate CRM policies with the approval of the respective Boards (Paragraph 1). The CRM policy should be periodically reviewed by the Board on the basis of the experience gained. Banks should also institute appropriate procedures for dealing with country risk problems. They should have in place contingency plans and clear exit strategies, which would be activated at times of crisis. Appropriate systems/procedures should be laid down with the approval of the Board to handle situations involving significant changes in conditions in any country (Paragraph 2, 4). The RBI reviews the country and transfer risks policies and processes over the onsite examination under the SPARC framework. EC3 The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits. Description and According to the guidelines on CRM, country risk management processes findings re EC3 employed by banks require adequate internal controls that include audits or other appropriate oversight mechanisms to ensure the integrity of the information used by senior officials in overseeing compliance with policies and limits (Paragraph 17). In addition, Boards should review the country risk exposures at quarterly intervals. The review should include progress in establishing internal country rating systems, compliance with the regulatory and the internal limits, results of stress tests and the exit options available to the banks in respect of countries belonging to ‘high risk & above’ categories. In case any significant deterioration takes place in respect of any particular country risk or overall exposure, banks should report to the Board such developments in its next meeting, without waiting for the quarterly review by the Board (Paragraph 16). Furthermore, paragraphs 24 and 25 of the guidelines on the CRM state that banks should disclose as a part of the 'Notes on Accounts' to the Balance Sheet on March 31 each year. Statutory auditors of the bank should look into and comment on the country risk exposures and the adequacy of provisions held. As part of RBI’s offsite monitoring, banks report country risk exposures to all countries in excess of 1 percent of total assets on a quarterly basis. Banks are required to set country exposure limits as a percentage of regulatory capital (Tier 1 and Tier 2). The limit setting is the ultimate responsibility of the Board but limits should be reviewed periodically and, in any case, not less than once a year. Banks are also required to review the country risk exposures on a quarterly basis (Paragraph 10). The onsite examiners assess the information system of the bank to ensure it tracks the exposures accurately and comprehensively under the SPARC framework. They also analyze the position in terms of the limits and provisioning, etc. 135 INDIA EC4 There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include: a. The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate. b. The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate. c. The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor. Description and According to the Guidelines on CRM (Paragraph 18), the RBI has a prescribed findings re EC4 provisioning requirement on the net funded country exposures on a graded scale ranging from 0.25 to 100 percent. The provision scale follows the seven- grade risk classification followed by the Export Credit Guarantee Corporation of India (ECGC). These provisions are to be made when the bank’s net funded exposure is 1 percent or more of its total assets. Banks may make a lower level of provisioning (say, 25 percent of the requirement) in respect of short-term exposures (i.e., exposures with contractual maturity of less than 180 days) (Paragraph 21). The country risk provisions are in addition to the provisions required to be held according to the asset classification. In the case of ‘loss assets’ and ‘doubtful assets’, provision held, including provision held for country risk, may not exceed 100 percent of the outstanding (Paragraph 19). Provisioning ECGC Classification Requirement Risk Category (in percent) Insignificant A1 0.25 Low A2 0.25 Moderate B1 5 High B2 20 Very high C1 25 Restricted C2 100 Off-credit D 100 In addition, banks may put in place appropriate systems to move over to internal assessment of country risk (Paragraph 7). The system should be able to identify the full dimensions of country risk as well as incorporating features that acknowledge the links between credit and market risk. Banks should use a variety of internal and external sources as a means to measure country risk. Several large banks in India use their internal assessment system for measuring and monitoring country risk. The onsite examiners also assess the adequacy of provisioning with regard to country risk under the SPARC framework. 136 INDIA EC5 The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. Description and According to the Guidelines on CRM (Paragraph 15), it is required that findings re EC5 management of country risk should incorporate stress testing as one method to monitor actual and potential risks. Stress testing should include an assessment of the impact of alternative outcomes to important underlying assumptions. EC6 The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations). Description and As part of the RBI’s offsite monitoring, the data on country exposure in excess of findings re EC6 1 percent of total assets (‘Report on country exposure and maturity) is obtained from banks by RBI on a quarterly basis. RBI states that they review the relevant prudential returns on the country and transfer risk from time to time. However, the formal analysis has been rare. RBI has comprehensive powers to call for any additional information in this regard, as when necessary according to Section 27 of BR Act. Assessment of Compliant Principle 21 Comments The assessors indicated that the RBI guidelines for CRM are generally comprehensive and in line with this CP. Relevant supervision is also conducted by SSMs. However, currently, there is no framework to comprehensively assess country and transfer risk across all entities (regulated and unregulated) of the banking group or financial conglomerates. As such, group-wide analysis on a country risk/transfer risk management has limited applicability. Indian banks have expanded their overseas presence and a holding company structure was also adopted. The RBI should consider strengthening the group-wide country/transfer risk management framework by collecting such data on a consolidated basis. Principle 22 Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions, and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report, and control or mitigate market risks on a timely basis. Essential criteria EC1 Laws, regulations, or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring, and control of market risk. Description and The RBI has issued a Guidance Note on Market Risk Management in March, 2002, findings re EC1 which requires the Board to articulate market risk management policies, procedures, prudential risk limits, review mechanisms and reporting and auditing systems. In particular, the policies of banks should address the bank’s exposure on a consolidated basis and clearly articulate the risk measurement systems that capture all material sources of market risk and address the effects on the bank. The 137 INDIA guidance notes outline policy framework and the organizational set up for market risk management, too. The RBI also has issued detailed guidelines on market risk as part of Basel II and subsequent enhancements, that is, Basel 2.5 in February, 2010. In addition, the RBI has also issued detailed guidelines on advanced approach for market risk under Basel II (Internal Modelling Approach) in April, 2010. Besides, guidelines on stress testing also require stress testing of market risk factors and impact on balance sheet of banks. The banks are also required to have an ICAAP which inter-alia covers management of interest rate risk in banking books. Banks should identify the risks associated with the changing interest rates on its on- and off-balance sheet exposures in the banking book from both, a short-term and long-term perspective. Given the uncertainty in the assumptions bank used, stress testing and scenario analysis should be used in the analysis of interest rate risks. These aspects are assessed during the course of the RBI’s onsite examination under the SPARC framework. In particular, the examination assesses a number of qualitative control parameters including:  Board-approved strategic objectives of market risk management, and risk appetite policy/statement for market risk;  Permissible products and currencies approved by the Board for trading;  Process of authority delegation for approval of the breaches in the limits for trading portfolio; and  Details of stress test conducted on the portfolios in the trading book and interest rate derivative portfolio and the related results. EC2 The supervisor determines that bank’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description and The RBI’s guidance note on market risk (para. 2.1.) requires the Board to clearly findings re EC2 articulate market risk management policies, procedures, prudential risk limits, review mechanisms and reporting, and auditing systems. Banks are required to manage their market risk by adopting both the traditional and duration gap analysis and to hold regulatory capital in accordance with the standardized approach. Indian banks are not allowed to take positions in commodities (Section 6 of the BR Act) and gold positions are treated as FX in accordance with the Basel guidelines on market risk. The adherence and adequacy to market risk limits set by the Board is assessed as part of Market Risk and Governance and Oversight assessment under the SPARC framework. Specifically, under the SPARC framework, RBI assesses the effectiveness of market risk management with various control parameters including: 138 INDIA  Board-approved policy, risk appetite and strategic objectives of market risk management in the bank and their appropriateness considering the balance sheet profile and the risk management systems in the bank;  Permissible products and currencies approved by the Board for investments, derivatives, forex, etc.; and  Process of setting up of risk limits, and also monitoring of the limits, delegation of authority for approval and ratification of breaches in the limits. EC3 The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including: a. effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management; b. appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff; c. exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary; d. effective controls around the use of models to identify and measure market risk, and set limits; and e. sound policies and processes for allocation of exposures to the trading book. Description and The RBI’s guidance note on market risk (para. 1.2.) requires a bank to have an findings re EC3 effective market risk management framework that comprises risk identification, setting up of limits and triggers, risk monitoring, models of analysis that value positions or measure market risk, risk reporting, etc. The guidance note requires of banks that:  All trading transactions should be booked on systems capable of accurately calculating relevant sensitivities on a daily basis; usage of Sensitivity and Value at Risk limits for trading portfolios and limits for accrual portfolios must be measured daily. Risk Taking Units must have procedures that monitor activity to ensure that they remain within approved limits at all times.  Mandatory market risk limits are required for Factor Sensitivities and Value at Risk for mark to market trading and appropriate limits for accrual positions including Available-for-Sale portfolios. Requests for market risk limits will be submitted annually for approval by the risk policy committee. The approval should take into consideration the Risk Taking Unit's capacity and capability to perform within those limits evidenced by the experience of the traders, controls and risk management, audit ratings and trading revenues.  Approved management action triggers or Stop-loss are required for all mark to market risk taking activities.  Risk Taking Units of banks are expected to apply additional, appropriate market risk limits, including limits for basis risk, to the products involved; these will be detailed in the banks’ Market Risk Product Program, which should define procedures, limits and controls for all aspects for the product. 139 INDIA  Line Management must ensure that the software used in Financial Models that value positions or measure market risk is performing appropriate calculations accurately. The risk policy committee is responsible for administering the model control and certification policy, providing technical advice through qualified and competent personnel. These aspects are assessed as part of market risk assessment during onsite examination of banks under SPARC framework. In particular, following essential requirements at banks for market risk management are also prescribed:  The bank has a system for formulating an integrated view of the interest rate risk across its operations. At the same time, interest rate risk in the trading book and that in the banking book are clearly segregated.  All dealing activities pertaining to different markets are well integrated under an integrated treasury.  There is a system of Middle Office, which has the authority and responsibility for monitoring adherence to risk limits and procedures, etc. The independence of the control mechanism is ensured and the system of escalation of exceptions and deviations are well defined. There is sufficient documentation of the different models in use to measure risks and the results of back-testing, etc. EC4 The supervisor determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. Description and The RBI has provided elaborate guidance to banks on how to value investments findings re EC4 kept in the trading books. Based on the RBI Master Circular—Prudential Norms for Classification, Valuation and Operation of Investment Portfolio by banks, dated July 2015 (para 3.2 and 3.3), the Held for Trading (HFT) position is required to be valued at least on a monthly basis, and available for sale (AFS) positions should be marked-to-market at least on a quarterly basis. Furthermore, RBI guidelines prescribe the following requirements:  Line management must ensure that the software used in financial models that value positions or measure market risk has independent certification that it is performing appropriate calculations accurately.  The Risk Policy Committee should ensure the model control and certification policy, providing technical advice through qualified and competent personnel, and maintaining a register of qualified certifiers.  Certification of models must be performed by someone other than the person who wrote the software code; the testers must be competent in designing and conducting tests; records of tests must be kept, including details of the types of 140 INDIA tests and their results. Assumptions contained in the financial models must be documented as part of the initial certification and reviewed annually by a qualified validator. Unusual parameter sourcing conventions require annual approval by the risk policy committee.  Models must be validated in writing by persons who are acceptable to the Risk Policy Committee and independent of the area creating the model. In addition, the aforementioned RBI Master Circular (para. 8.8.2. Adjustment to the current valuation of less liquid positions for regulatory capital purposes) requires the bank’s valuation methods to appropriately capture less liquid positions, which should be reflected in the provisions held by banks. Limit setting process and their adherence should be monitored on a regular basis. These aspects are assessed during annual onsite examination of banks under the SPARC framework. In particular, the RBI focuses on the consistency in the system/ models used by front/middle/back offices, and consistency, timing, reliability, and independence of external data sources, exceeding of actual profits/losses during back testing, appropriateness of the confidence level, assumptions taken, holding period, historical data observation period, and correlation between each broad category of risk, etc. EC5 The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. Description and As part of their procedures for marking to market, banks must establish and findings re EC5 maintain procedures for considering valuation adjustments (para 8.8.1.2 of RBI Master Circular on Prudential Guidelines on Capital Adequacy). The RBI reviews banks’ valuation adjustments on the onsite engagement. In India, all banks are currently following a standardized approach for computing market risk capital and the minimum requirements on market risk capital is higher than the Basel standards (see RCAP report of India, 2015). According to the current standardized approach in India, several capital requirements in terms of market risk capital charge are stricter than the Basel framework. For example, in case of foreign exchange risk positions risk, capital requirements are more stringent than under the Basel framework. Basel II requires a capital charge of 8 percent for forex risk positions while the RBI’s requirement is 9 percent. The RBI considers that such a conservative approach makes banks hold appropriate levels of market risk capital against unexpected losses. EC6 The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes. Description and RBI Guidelines on Stress Testing issued in December 2013 capture market risk findings re EC6 elements. With respect to the stress testing program, the supervisors also look into the regularity of conduct, selection of scenarios, and adequacy of stress test undertaken by banks. All banks are required to carry out the minimum prescribed stress tests involving market risk on a regular basis as part of ICAAP. During the course of onsite examination, the RBI assesses if banks comply with the stress testing requirements. Assessment of Compliant Principle 22 141 INDIA Comments In the Indian banking system, trading activity by banks is relatively limited and simple in nature. A major part of the investments is in government securities. Foreign banks perform the role of market makers in certain market segments like interest rates and foreign exchange and are dominant players in the derivatives market. All banks are following standardized approach for computing market risk capital charge. Banks have the option of migrating to advanced approach, i.e., Internal Modelling Approach (IMA) for computing market risk capital charge subject to supervisory approval. To date, none of the banks have received supervisory approval from the RBI for the use of the IMA approach. Five application forms have been submitted and are currently under review by the RBI. A revised market risk framework will come into effect in January 2019. Principle 23 Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk147 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions. Essential criteria EC1 Laws, regulations, or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report, and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments. Description and RBI guidelines on interest rate risk in the banking book currently require banks to findings re EC1 have an interest rate risk framework. This requires banks to set appropriate internal limits on earnings at risk (EaR) and on the volatility in the market value of equity (MVE). The Board must approve comprehensive aggregate limits. Guidance specifies who can set lower-level limits and how responsibilities for risk measurement, monitoring and control can be organized from the Asset Liability Committee (ALCO) downward. The Board and ALCO must periodically review limits. 148 Guidance also specifies that risks must be measured and limits set using both Market Value of Equity and a Duration Gap Approach to gauge risk to net interest income and economic value.149 The RBI issued revised guidelines on stress testing, which include interest rate risk in banking book as one risk factor they should over.150 147 Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22. 148 Chapter 2 of Guidance Note on Market Risk Management October, 2002. 149 Guidelines on Banks’ Asset Liability Management Framework – Interest Rate Risk, November 2010. 150 Guidance on Stress testing, Section 4.2.4, December 2013. 142 INDIA The RBI issued updated draft guidelines on Interest Rate Risk in the Banking Book (IRRBB) in February 2017 based on standards on IRRBB published by Basel Committee on Banking Supervision (BCBS) in April 2016. For example, they define an “outlier” level of IRRBB as 15 percent (formerly at 20 percent) of total capital. Limits in Indian banks are typically between 7 to 12 percent. These guidelines strengthen requirements for an interest rate risk strategy linked to each bank’s ICAAP process and for RBI supervision during the SREP. EC2 The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively. Description and The Asset Liability Committee (ALCO) consisting of the bank's senior management findings re EC2 including CEO is responsible for ensuring adherence to the limits set by the Board as well as for deciding the business strategy of the bank in line with the bank’s risk tolerance. The RBI regularly reviews the management of interest rate risk by banks. IRRBB is monitored and assessed as part of Market Risk under the SPARC framework. The SSMs determine:  Whether the IRRBB is taken into account suitably, while devising the business strategies of the bank, areas of growth, targeted/actual credit, market and liquidity positions and risk levels;  Whether limit utilization is reasonable;  Whether the IRRBB is measured and monitored through methodologies suitable to the size and spread of the banking book (manual or system based measurement, monitoring and reporting); and  Whether the IRRBB is reported and monitored at appropriate level frequently enough. EC3 The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including: a. comprehensive and appropriate interest rate risk measurement systems; b. regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions); c. appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff; d. effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and e. effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management. 143 INDIA Description and The ALCO is responsible for ensuring adherence to the limits set by the Board as findings re EC3 well as for deciding the business strategy of the bank (on both the assets and liabilities sides) in line with the bank’s risk tolerance. Banks must validate their interest rate risk models periodically. Whether internal models or software packages are used, the integrity of data, assumptions, parameters and model methodology must be checked. Also, the interest rate risk management system must be independently audited, under the aegis of the Audit Committee of the Board. As part of their market risk assessment, the RBI assesses:  Risk measures for managing the interest rate risk in the banking book;  Whether senior management is sensitized to the methodology, assumptions, and limitations of any models used;  Whether policies and rates are reviewed and updated in a timely manner;  Whether there is independent validation of models;  Whether the IRRBB is taken into account the business strategies of the bank, including such things as areas of growth, targeted/actual credit, market and liquidity positions, and risk levels.;  Whether the IRRBB measured and monitored through methodologies is suitable to the size and spread of the banking book (manual or system-based measurement, monitoring, and reporting);  Limits established for managing interest rate risk in the banking book along with the frequency of monitoring;  Reporting and MIS framework established for monitoring, review and managing IRRBB; and  Whether the limit utilizations and/or breaches have been factored in while taking business decisions. EC4 The supervisor requires the banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements. Description and Banks must include analysis of changes in interest rates on their economic value findings re EC4 and EaR in their stress testing. This includes the impact of changes due to parallel shocks, yield curve twists, yield curve inversions, changes in the relationships of rates (basis risk), and other relevant scenarios.151 Banks are also required to measure their vulnerability to loss in stressed market conditions, including the breakdown of key assumptions, and to consider these results when establishing and reviewing their limits and policies in respect of interest rate risk. The possible stress scenarios may include: changes in the general level of interest rates, e.g., a change in the yield by 200 and 300 basis points or more in a year; changes in interest rates in individual time bands to different relative levels (i.e., 151 Guidance on Stress Testing, December 2013. 144 INDIA yield curve risk); changes in volatility of market rates; and earlier withdrawal of the core portion of current account deposits, etc. During the course of onsite examinations, the SSM is expected to assess if banks comply with the scenario analysis and stress testing requirements. Additional criteria AC1 The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book. Description and Guidelines on Duration Gap Analysis require banks to report the impact on the MVE findings re AC1 different interest rate shocks. These reports are collected monthly via the SPARC system on the sensitivity of economic value and earnings to IRRBB. AC2 The supervisor assesses whether the internal capital measurement systems of banks adequately capture interest rate risk in the banking book. Description and The RBI’s guidance on ICAAP requires banks to capture all material risks including findings re AC2 IRRBB on a forward-looking basis and plan capital accordingly. The RBI has specialized examiners who assess the management of IRRBB in banks. Thus, banks’ assessments are subject to a supervisory review and evaluation process as part of the SPARC process. Assessment of Compliant Principle 23 Comments Through successive guidance issued since 1999, the RBI has raised standards for Indian banks. These require banks to have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk152 in the banking book. Principle 24 Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards. Essential criteria EC1 Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards. Description and The RBI issued guidelines for liquidity risk management in 1999 with updates in findings re EC1 2007, 2010, and 2012. 152 Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22. 145 INDIA In June 2014, the RBI also issued guidelines on Basel III Liquidity Standards— Liquidity Coverage Ratio (LCR), Liquidity Risk Monitoring Tools and LCR Disclosure. The LCR requirement has been in effect since January 1, 2015 and expected to reach 100 percent coverage by January 1, 2019. The RBI also issued a NSFR draft guideline proposing to implement the minimum requirement of 100 percent in January 2018 without any phase-in arrangements. RBI also requires banks to comply with statutory reserve requirements, specifically, the cash reserve ratio (CRR) and the statutory liquidity ratio (SLR):  CRR: Every scheduled bank shall maintain an average daily balance, the amount of which shall not be less than 4 percent of the bank's total net demand and term liabilities (NDTL) (Section 42 of RBI Act, 1934); and  SLR: Every scheduled bank shall maintain the SLR prescribed at 20.5 percent of their total NDTL (Section 24 of BR Act, 1949).153 Banks report their compliance with above mentioned metrics to the RBI from fortnightly basis to a monthly basis. As for the LCR framework of India, the RBI allows banks to include Indian State Government Securities, also known as State Development Loans (SDL), in the HQLA buffer. In June 2015, the RCAP Assessment Team of the Basel Committee reviewed the features of SDL and concluded that they cannot be considered sovereign debt securities in line with the Basel standard stating that its inclusion has a material upward effect on the LCR and hampers its international comparability. The RBI has not rectified this rule. EC2 The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate. Description and Effective January 1, 2015, on- and off-balance sheet risks are included in the findings re EC2 calculation of LCR. Per RBIs guidelines on liquidity risk management, ALM and structural liquidity should account for the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets in which they operate. Specifically, for measuring and managing net funding requirements, banks are required to adopt the statement of structural liquidity (SSL) under ALM System for measuring cash flow mismatches at different time bands should be adopted (Paragraphs 18–20). Banks are required to prepare domestic SSL (rupee) on a daily basis and report to RBI on a fortnightly basis. Further, SSL in respect of overseas operations are also reported to RBI on quarterly basis. Banks are required to slot their assets and liabilities, including off-balance sheet items, into 10 time buckets showing outflows and inflows. Regulatory limits of 5 percent, 10 percent, 15 percent, and 20 percent have been specified for the first four time buckets. EC3 The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a 153 SLR has been reduced in July 2017 from 20.5 percent to 20 percent of NDTL. 146 INDIA comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance Description and The November 2012 RBI guidelines on liquidity risk management require banks to findings re EC3 have a sound liquidity management framework. The guidelines included enhanced guidance on liquidity risk governance, measurement, monitoring and reporting requirements to the Reserve Bank on liquidity positions. Guidelines on ALM (Section 5) require that Boards take overall responsibility for management of risks, decide the risk management policy of the bank, and set limits for liquidity risks. The Asset-Liability Committee is responsible for ensuring adherence to the limits set by the Board and deciding the business strategy of the bank. Banks also undertake liquidity stress tests. Liquidity risk exposure is reported offsite by banks on a fortnightly to quarterly basis. As part of the annual onsite examination under the SPARC, the RBI reviews the robustness of a bank’s liquidity management framework including:  The Board approved policy; and  Framework and process for approvals of new process and /or material changes to existing systems. EC4 The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including: a. clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards; b. sound day-to-day, and where appropriate intraday, liquidity risk management practices; c. effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide; d. adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and e. regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate. Description and RBI guidelines on ALM require that Boards take overall responsibility for findings re EC4 management of risks, decide the risk management policy of the bank, and set limits for liquidity risks. The Asset-Liability Committee is responsible for ensuring adherence to the limits set by the Board as well as for deciding on the business strategy of the bank, as it relates to assets and liabilities. Para. 13 of the guidelines on liquidity management stipulates that the Board or its delegated committee of Board members should oversee the establishment and 147 INDIA approval of policies, strategies, and procedures to manage liquidity risk. They should review them at least annually. Paras. 35–38 of the guidelines on liquidity management requires banks to develop and adopt an intra-day liquidity strategy that allows it to monitor and measure expected daily gross liquidity inflows and outflows, ensure that arrangements to acquire sufficient intraday funding to meet its intraday needs are in place, and that it has the ability to deal with unexpected disruptions to its liquidity flows. A bank should have policies, procedures and systems to support the intra-day liquidity risk management in all financial markets and currencies in which it has significant payment and settlement flows. The guidelines on structural liquidity require adherence to the prudential limits set on liquidity mismatches, specifically in short-time buckets and arrangements to bridge liquidity gaps. As part of liquidity risk assessment under SPARC framework, RBI analyzes annually:  whether the liquidity strategy and risk appetite statement approved by the Board are in line with the bank's strategic objectives, size, and nature of business and business risks, and whether it is responsive to the changes in the bank's business strategies;  whether the bank has an effective, well-documented, and disseminated strategy for the day-to-day management of liquidity;  whether the bank revisits inputs and assumptions, undertake back testing for factors and models used in liquidity management and whether the results appropriately reported and acted upon;  whether the liquidity strategy is clearly articulated and disseminated to the relevant business units/desks; and  whether reporting and MIS framework related to liquidity management are established to assist Board and senior management oversight. EC5 The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include: a. an analysis of funding requirements under alternative scenarios; b. the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress; c. diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits; d. regular efforts to establish and maintain relationships with liability holders; and e. regular assessment of the capacity to sell assets. Description and According to RBI guidelines for liquidity risk management issued in November findings re EC5 2012, banks are required to prepare funding strategies and policies as follows: 148 INDIA  According to para. 12, banks are required to put in place an effective liquidity risk management policy which include funding strategies, prudential limits, system for measuring, assessing and reporting/reviewing liquidity, framework for stress testing, liquidity planning under alternative scenarios/formal contingent funding plan, periodical review of assumptions used in liquidity projection, etc.  According to para. 41 and 42, a bank should establish a funding strategy that provides effective diversification in the sources and tenor of funding. It should maintain an ongoing presence in its chosen funding markets and strong relationships with fund providers to promote effective diversification of funding sources. A bank should “regularly gauge” its capacity to raise funds quickly from each source. It should identify and monitor the main factors that affect its ability to raise funds to ensure that estimates of fund raising capacity remain valid. These factors should also be incorporated in the bank’s stress test scenario and contingent funding plan. Over-reliance on a single source of funding should be avoided. Funding strategy should also take into account the qualitative dimension of the concentrated behavior of deposit withdrawal in typical market conditions and overdependence on non-deposit funding sources arising out of a unique business model. Funding diversification may be implemented by placing limits (by tenor, counterparty, secured versus unsecured market funding, instrument type, currency wise, geographic market wise, and securitization, etc.)  Para. 9 defines that the role of the ALCO with respect to the liquidity risk should include the following: o Deciding on desired maturity profile and mix of incremental assets and liabilities. o Deciding on source and mix of liabilities or sale of assets. It will have to develop a view on future interest rate movements and decide on funding mixes between fixed vs. floating rate funds, wholesale vs. retail deposits, money market vs. capital market funding, domestic vs. foreign currency funding, etc. ALCO should be aware of the composition, characteristics and diversification of the bank’s assets and funding sources, and should regularly review the funding strategy in the light of any changes in the internal or external environments.  Para 28 requires banks having high concentration of wholesale deposits (wholesale deposits for this purpose would be Rs 15 lakh or any such higher threshold as approved by the banks’ Board) to frame suitable policies to contain the liquidity risk arising out of excessive dependence on such deposits. Banks should also create a system for monitoring high value deposits (other than interbank deposits) like Rs 1 crore or more to track the volatile liabilities in normal and stress situation. As for the maintenance of high quality liquid assets (HQLA), the LCR requirements indirectly require the banks to hold a cushion of high quality, unencumbered, liquid assets that can be used to obtain funding in times of stress. EC6 The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets 149 INDIA out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies. Description and According to RBI guidelines on liquidity risk management (paras 52–54), banks are findings re EC6 required to prepare formal Contingency Funding Plans (CFP), provide a blueprint for asset sales, market access (including options for alternative funding sources if existing sources are not available), and restructure the maturity and composition of assets and liabilities. Banks are required to conduct liquidity risk stress testing periodically with the outcomes reflected in the liquidity strategy and contingency funding plans. The CFP must be tested regularly to ensure their effectiveness and operational feasibility, and should be reviewed by the Board on an annual basis. Regarding timely responses to disruptions, banks are required to have the CFP that describes what actions to take at which time, who can take them, and what issues need to be escalated to more senior levels in the bank. There should be explicit procedures for effective internal coordination and communication across the bank’s different business lines and locations. It should also address when and how to contact external parties, such as supervisors, central banks, or payments system operators. The annual onsite examination under the SPARC assesses banks’ CFPs in respect of liquidity risk of banks. EC7 The supervisor requires banks to include a variety of short-term and protracted bank-specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans. Description and According to the Prudential Guidelines on Capital Adequacy and Market findings re EC7 Discipline—New Capital Adequacy Framework (Para. 13.7), banks are required to manage liquidity under “normal” circumstances and be prepared to manage liquidity under “stressed” conditions. A bank should perform stress tests or scenario analyses on a regular basis in order to identify and quantify their exposures to possible future liquidity stress, analyze possible impacts on the institution’s cash flows, liquidity positions, profitability, and solvency. The results of these stress tests should be discussed by management appropriate mitigating actions should be formed to limit the bank’s exposures, build up a liquidity cushion, and adjust its liquidity profile to fit its risk tolerance. Per RBI guidelines of December 2013 on stress testing (Para. 3.3), banks are required to undertake portfolio-wide liquidity stress tests and scenario analyses to assess funding requirements under varying assumptions and differing sets of assumed business conditions. The differing business conditions include a normal situation, a bank-specific crisis, and a market-crisis scenario. In addition, November 2012 Guidelines on Liquidity Risk Management (Para. 45) also stipulate that banks 150 INDIA should conduct stress tests on a regular basis for a variety of short-term and protracted bank-specific and market-wide stress scenarios (individually and in combination). The results of stress tests should play a key role in shaping the bank's CFP, which should outline policies for managing a range of stress events and clearly set out strategies for addressing liquidity shortfalls in emergencies. Para. 3.2 of the RBI guidelines require banks to qualitatively and quantitatively review the stress testing framework to determine its efficacy and to consider the need for modifying elements. The framework should be subjected to annual reviews and should cover: realistic levels of stress applied, business and/or managerial assumptions used, and any other assumptions used etc. Para 1.1.4, states that banks should perform stress tests according to these guidelines at least every six months. Overall, these aspects are also reviewed during an annual onsite examination under the SPARC. EC8 The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities. Description and According to RBI guidelines on liquidity risk management (para 69), banks are findings re EC8 required to have a measurement, monitoring and control system for liquidity positions in the major currencies in which they are active. Banks are required to establish aggregate and individual gap limits for each currency, and have RBI approval for such limits. (See EC 2) In addition, banks are required to manage liquidity and interest rate risk in their foreign currency through maturity and position analysis, and fixing net open positions approved by the RBI. For assessing the liquidity mismatch in foreign currencies, a bank should also undertake separate analysis of its strategy for each major currency individually by taking into account the outcome of stress testing (para 69). These areas are monitored and examined during onsite engagement. As part of the onsite inspection, inspectors review the diversification of funding sources through the review of the top 10 or 20 sources of funding for each bank. Additional criteria AC1 The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks. 151 INDIA Description and There is no supervisory requirement on the banks’ levels of encumbered balance- findings re AC1 sheet assets or disclosure requirements. In India, banks are not allowed to issue covered bonds. Moreover, banks investments in government securities (up to the SLR limit) are mostly not encumbered. RBI requires banks to submit a quarterly “statement of available unencumbered assets” as a liquidity monitoring tool and assesses banks’ levels of unencumbered assets on a regular basis. Assessment of Largely Compliant Principle 24 Comments The RBI maintains the SLR of 20.5 percent154 in parallel with the LCR requirement of 80 percent (100 percent by January 2019, in line with Basel standards) as regulatory liquidity ratios for banks. The SLR requires banks to hold a substantial portion of their assets in cash, gold, government securities, and SDLs. Since the RBI has full authority to recalibrate the SLR requirement in times of stress, assessors expect that the RBI would lower the SLR requirements under stressed conditions to facilitate banks’ liquidity management. There is one material gap regarding the definition of HQLA. The RBI allows banks to include Indian State Government Securities, also known as State Development Loans (SDL), in the level 1 HQLA buffer. In 2015, the Basel Committee (RCAP) reviewed the features of SDL and concluded that SDL cannot be considered as sovereign debt securities in the context of the Basel standards. The inclusion of SDL resulted in a material upward effect on the LCR that hampered its international comparability. The RBI does not consider it would be appropriate to rectify this rule. CP 24 (EC1) stipulates that the liquidity requirements should not be lower than those prescribed in the applicable Basel standards. The RBI should consider reviewing and enhancing the regulation on liquidity risk management to be more in line with Basel standards. Principle 25 Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk155 on a timely basis. Essential criteria EC1 Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase). Description and The RBI Guidance Note on Management of Operational Risk 2005 requires that findings re EC1 each bank must have policies and procedures that clearly describe the major elements of the operational risk management framework including identifying, 154 It has been decided to reduce the SLR from 20.5 percent to 20 percent in June 2017 by RBI. 155 The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk. 152 INDIA assessing, monitoring, and controlling /mitigating operational risk. Risk management frameworks should be oriented toward the bank’s requirements, as dictated by the size and complexity of business, risk philosophy, market perception and the expected level of capital. Per guidance note (para. 2.7), the operational risk framework of banks should articulate what constitutes operational risk to cover the bank's appetite and tolerance for operational risk. The framework should also articulate the key processes needed to manage operational risk. The degree of formality and sophistication of the bank's operational risk management framework should be commensurate with the bank's risk profile. Independent evaluation by internal audit and capital allocation are also addressed in the guidelines. These aspects are assessed during the course of annual onsite examination under the SPARC framework. EC2 The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversee management in ensuring that these policies and processes are implemented effectively. Description and According to the guidance note on operational risk (para. 2.7), the Board of findings re EC2 directors of a bank is primarily responsible for ensuring effective management of operational risk (OR). The Board should approve an appropriate OR management framework for the bank and review it periodically. The framework should be based on an appropriate definition of OR that covers the bank’s appetite and tolerance for OR. The framework should also articulate the key processes the needed to manage OR. The Board should review the framework regularly to ensure that OR arising from external market changes and other environmental factors, and associated with new products, activities or systems are being managed. This review process should also aim to assess industry best practice in OR management appropriate for the bank’s activities, systems and processes. The Board should have adequate internal audit coverage to ensure policies and procedures have been implemented effectively. These aspects are assessed during annual onsite examination under the SPARC framework. EC3 The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process. Description and The RBI utilizes SPARC framework to assess the effectiveness of OR management findings re EC3 implementation by banks on a yearly basis. The supervision under SPARC consists of multiple qualitative inputs to form a comprehensive assessment of operational risk management. Specifically, the assessment of operational risk includes assessment of the following six main categories: compliance risk, people risk, process risk, external risk, IT-financial risk, and IT-operational risk. As part of governance and oversight assessment under SPARC, the RBI reviews the framework on the delegation of responsibilities to senior management, and determines effective implementation of policies and procedures for operational risk management. 153 INDIA The adequacy of the overall operational risk management framework and its effective implementation is assessed during the annual onsite inspections. However, the discussion of operational risk management across the operations of banking groups has limited applicability due to the SPARC framework basically being based on a solo basis. RBI states that some Board documents of the parent are across group entities, and banks normally do capture penalties across group entities. EC4 The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption. Description and In accordance with the requirements in the Circular on Business Continuity Plans findings re EC4 (BCP) issued on 15 April 2005, banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption. According to the Circular (Para. 3), the responsibility for the BCP rests with the Board of directors and top management. Banks should periodically review their BCPs for consistency with the bank’s current operations and business strategies. According to the guideline (paras. 5 and 6), an effective BCP should take into account the potential for wide-area disasters that impact an entire region and the resulting loss or inaccessibility of staff. It should also address interdependencies (market and geographic) among financial system participants as well as infrastructure service providers. Banks are required to thoroughly test BCP to verify its full capability against changing scenarios and assumptions at frequent intervals, as per the policy. Plans should be tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption. Per RBI Circular on Business Continuity/Disaster Recovery (DR) Planning issued on February 16, 2006, banks are advised to test their BCP/DR plans at least on an annual basis. For critical systems like core banking systems, customer-facing electronic delivery channels and other systems as outlined in the respective Business continuity policy/plan, banks are advised to carry out testing on a more frequent basis such as half-yearly intervals. Comprehensive testing would involve making the DR site the primary site for a short period. Information Security Auditors (internal or external) of the banks are required to audit the effectiveness of BCP and its periodic testing as part of their IS audit work. Findings/recommendations should be reported to top management/Audit Committee. The top management needs to annually review the adequacy of the business recovery and contingency plans, test results, and forward the reports to the Board for review. The RBI has provided guidance on business continuity planning (BCP), vulnerability assessment and penetration tests (VAPT) and information security to the banks through the circular on June 26, 2013. The internal audit functions in banks are expected to review the position. Guidance on cyber risks was also issued to raise the awareness of banks on the requirement of identifying and addressing cyber threats. 154 INDIA These aspects are assessed during annual onsite examination under the SPARC. The RBI reviews BCP/DR policies of the bank for its preparedness to ensure business continuity, resumption and recovery of critical business processes after a disaster. EC5 The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management. Description and According to ‘Guidance Note on Management of Operational Risk’, 2005 findings re EC5 (Para.6.10), banks are required to invest in appropriate processing technology, information security function, system development and processes to identify, assess, monitor, and manage technology risks. The RBI has also provided guidance on nine areas in April 2011: IT governance, information security, IS audit, IT operations, IT services outsourcing, cyber fraud, business continuity planning, customer awareness programs and legal aspects. Implementation of the recommendations needs to be commensurate with the nature and scope of activities engaged in by banks, the prevalent technological environment, and the support rendered by technology to the business processes. Banks with extensive reliance on technology to support business processes would be expected to implement all the stipulations outlined in the circular. During the course of onsite examinations, examiners specializing in IT risks are employed. Recently, the RBI has established a new institution, the Reserve Bank Information Technology (ReBIT) Pvt Ltd for increasing advanced level focus on cyber security and building cutting edge capabilities for supervising financial technology usage in the banking sector. EC6 The supervisor determines that banks have appropriate and effective information systems to: a. monitor operational risk; b. compile and analyze operational risk data; and c. facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk. Description and According to ‘Guidance Note on Management of Operational Risk’, 2005 (Chapter findings re EC6 3, Policy Requirements and Strategic Approach), the key elements in the Operational Risk Management process include:  Appropriate policies and procedures;  Efforts to identify and measure operational risk;  Effective monitoring and reporting;  A sound system of internal controls; and  Appropriate testing and verification of the operational risk framework. As per the guidance note (Chapter 3 and 5), banks are required to regularly report critical risk issues and its control/mitigations to senior management and Board. Senior management should receive regular reports from appropriate areas such as business units, group functions, the operational risk management unit, and internal 155 INDIA audit. The operational risk reports should contain internal financial, operational, and compliance data, as well as external market information about events and conditions that are relevant to decision making. Reports should be analyzed with a view to improving existing risk management performance as well as developing new risk management policies, procedures, and practices. Guidance on cyber risks was issued in June 2016 sensitizing banks on the requirement of identifying and addressing cyber threats. Focused IT examinations by supervisors, including cyber risk issues are being carried out by RBI under the SPARC framework. EC7 The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. Description and According to Master Directions on Frauds-Reporting and Monitoring, July 2015, findings re EC7 banks are required to periodically (from within a week to quarterly) report to supervisors all incidents of fraud. Reporting of financial fraud was well established. According to Paragraph 2.2 of Master Direction, fraud is classified under: a. Misappropriation and criminal breach of trust. b. Fraudulent encashment through forged instruments, manipulation of books and accounts or through fictitious accounts and conversion of property. c. Unauthorized credit facilities extended for reward or for illegal gratification. d. Cash shortages. e. Cheating and forgery. f. Fraudulent transactions involving foreign exchange. g. Any other type of fraud not coming under the specific heads as above. However, there is no explicit requirement in the regulations, for the bank to keep the RBI immediately notified of developments affecting operational risk if an incident other than fraud occurs. EC8 The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers: a. conducting appropriate due diligence for selecting potential service providers; b. structuring the outsourcing arrangement; c. managing and monitoring the risks associated with the outsourcing arrangement; d. ensuring an effective control environment; and e. establishing viable contingency planning. Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank. Description and The RBI issued comprehensive guidelines on outsourcing on November 3, 2006 findings re EC8 (Guidelines on Managing Risks and Code of Conduct in Outsourcing Financial Services by banks). The guidelines require that a bank intending to outsource any of 156 INDIA its financial activities has to put in place a comprehensive outsourcing policy, approved by its Board. The policy should include criteria for selection of service providers, parameters for defining material outsourcing, delegation of authority depending on risks and materiality, and systems to monitor and review the operations of these activities. The bank should have in place a management structure to monitor and control its outsourcing activities. It should ensure that outsourcing agreements with the service provider contain provisions to address their monitoring and control of outsourced activities. The terms and conditions governing the contract between the bank and the service provider should be carefully defined in written agreements and vetted by the bank's legal counsel. Agreements should address the risks and risk-mitigation strategies. Agreements should be sufficiently flexible to allow the bank to retain an appropriate level of control over the outsourcing and the right to intervene to meet legal and regulatory obligations. The agreement should also establish the nature of legal relationship between the parties. Due diligence should take into consideration qualitative and quantitative, financial, operational and reputational factors. Where possible, the bank should obtain independent reviews and market feedback on the service provider to supplement its own findings. For critical activities, the bank has to consider contingency plans, including the availability of alternative external parties and the costs and resources required to switch external parties, potentially on very short notice. During the course of onsite examination under SPARC, the RBI reviews the implementation of these guidelines to assess the quality of related risk management systems particularly in respect of material outsourcing. Examiners’ reviews include the following:  Clauses of the agreement in place to ensure required services from vendors at the time of crisis;  Controls in place for the outsourcing process and vendor management process; and  Policies, procedures, and guidelines related to outsourcing of IT services and operations, etc. Additional criteria AC1 The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities). Description and The RBI does not currently identify common points of exposure to operational risk findings re AC1 or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities). While there are currently no formal arrangements in place till now, RBI states that it has started interacting with the major service providers to assess the issues from a perspective of operational risk or potential vulnerability. 157 INDIA Assessment of Largely Compliant Principle 25 Comments In India, no banks have been allowed to use the AMA approach to calculate operational risk regulatory capital. All banks use BIA; seven run in parallel for TSA and three for AMA. As of December 2016, RWAs for operational risk have been on average 8.5 percent of total RWAs. Regulations/guidelines are stipulated in a comprehensive way and relevant supervision is also conducted by SSMs, in line with CPs. In particular, with regard to EC5, a comprehensive circular on Cyber Security Framework in Banks was issued on June 2016 and a Cybersecurity and Information Technology Examination Cell was launched for more comprehensive examination. The following gaps in relation to the expectations of minimum standards of CP 25 should be rectified:  There is no explicit requirement or formal offsite returns in the regulations for the bank to keep the RBI apprised of developments affecting operational risk at banks, if an incident other than frauds occurs. For operational risk events that should be reported to RBI, the formal reporting protocol has limited applicability. RBI needs to consider expanding the scope of supervisory reporting in this regard.  The discussion of operational risk management across the operations of banking groups has limited applicability since the SPARC framework is basically based on a solo basis.  As for another recommendation with regard to operational risk supervision, the New Standardized Approach of Operational risk of Basel Committee is expected to be finalized. The new approach requires banks to use bank-specific operational loss data as a direct input to capital calculations. In India, loss data accumulation other than fraud appears to be relatively limited since all banks currently use BIA. Strengthening supervision in collecting/accumulating good quality loss data across banks would be useful. With regard to additional criteria of CP 25, it would be useful for the RBI to interact with the major service providers to assess the issues from a perspective of operational risk or potential vulnerability on a regular basis. Principle 26 Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent156 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. Essential criteria 156 In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee. 158 INDIA EC1 Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address: a. organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g., clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g., business origination, payments, reconciliation, risk management, accounting, audit and compliance); b. accounting policies and processes: reconciliation of accounts, control lists, information for management; c. checks and balances (or “four eyes principle”): segregation of duties, cross- checking, dual control of assets, double signatures; and d. safeguarding assets and investments: including physical control and computer access. Description and In its 1999 guidance note on Risk Management Systems in Banks, the RBI stipulates findings re EC1 that one of the major tools for managing risk is a well-established internal control system, which includes segregation of duties, clear management reporting lines and adequate operating procedures. Banks need to have in place techniques of self- assessment of the internal control environment. Banks should have effective internal systems to detect problems. The Audit Committees should play a central role to ensure independent financial and internal control functions. The current RBI rules on internal control and audit are primarily laid down in the Guidance Note on Risk Based Internal Audit, issued in December 2002. In addition, the SPARC risk- based supervision system provides extensive guidelines on inspection of the internal control and audit function. The SPARC methodology states that a bank’s internal controls comprise the processes and the internal environment in a bank that identify, measure, monitor, mitigate, and control the risk. The desired level and nature of control in each bank may differ based on considerations such as bank’s business model, strategy, tolerance to risk, adoption of technology, competence of staff and the external environment, including regulation, competition, and macro conditions. Accordingly, the assessment of controls involves both assessing the desired level of control, given the level of risk and judging the gap between the desired and actual levels of controls in place. During a risk assessment under SPARC, controls are assessed, covering the six business risk categories (credit, market, liquidity, operational non-IT, operational IT, and other Pillar II risks). The supervisory expectation on the robustness of internal controls environment is commensurate to the level of relevant inherent risk in the business operations of each bank. For each aspect of risk, the gaps in controls are assessed in relation to the inherent level of risk. An evaluation of gaps in control is made by the SSM, taking into account qualitative information, discussions with the management, and transaction testing. This information enables an assessment of 159 INDIA the bank’s own understanding of its control environment and allows incorporation into the SPARC assessment. The SPARC compendium lists 22 attention points (“control parameters”) on internal audit and control, including the internal process for drafting the internal audit charter, the internal audit oversight by the Board of a bank, the audit committee, other Board committees, and senior management, a framework for follow up and resolution of internal audit findings, and performance evaluation of the internal audit function. Other points include:  The process adopted by the bank to ensure that personnel with the required skills are deployed for specific areas in internal audit, staff adequacy, recruitment and training;  The process to ensure independence of the internal audit function;  Coverage of all critical areas such as IT, key business units, branches and outsourced activities;  Methodology for preparing the internal audit plan;  Access for the internal audit function to the bank’s records, information and staff; and  The requirement for the internal audit function to express an opinion on the effectiveness of, and adherence to the bank’s internal procedures and controls. Inspectors are required to review and include all 22 aspects in the report. Furthermore, various other guidance and circulars from the RBI contain many references to internal systems to ensure proper administration and the necessary compliance functions, as well as checks and balances within the banks. For instance, the Guidance note on Credit Risk Management of October 2002 states that each bank should set up a Credit Risk Management Department (CRMD), independent of the Credit Administration Department. The CRMD should measure, control, and manage credit risk within the limits set by the Board/CRMC, enforce compliance with the risk parameters and prudential limits set by the Board/CRMC, build risk assessment systems and develop management information systems. The RBI has also issued guidelines on concurrent audit which is an examination which is contemporaneous with the occurrence of transactions or is carried out as closely in real time to the transactions as possible. This audit is essentially a management process aimed at the establishment of sound internal accounting functions and effective controls. It helps set the tone for a vigilant internal audit to preclude the incidence of serious errors and fraudulent manipulations. EC2 The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions, and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units. Description and The RBI prescribes in its Guidance Note on Risk Based Internal Audit of December findings re EC2 2002 that the Internal Audit Department in a bank should be provided with 160 INDIA appropriate resources and staff, with the requisite skills. They should also be trained periodically to enable them to understand the bank’s business activities, including operating procedures, risk management and control systems, and management information systems. The guidelines envisage that tasks can be outsourced, allowing additional expertise to be brought in as needed. EC3 The supervisor determines that banks have an adequately staffed, permanent and independent compliance function157 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function is suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function. Description and As part of the Risk Discovery Process under SPARC, a structured assessment of the findings re EC3 compliance culture and level of compliance with the regulatory guidance is performed. Internal audit and control risk related areas covered in the SPARC manual include:  Process of sensitization of the Board on topics related to risk management, products, etc.;  Process by which the Board ensures implementation of its directions;  Reporting framework established to ensure that the Board is provided with timely, relevant, correct, and complete information for effective decision making;  Process and framework to ensure that Board members are fully cognizant of the regulatory and supervisory regime under which the business operates;  Reporting framework to ensure that senior management is provided with timely, relevant, accurate and complete information;  Framework for Board, ACB, other Board committees and senior management oversight with respect to internal audit;  Framework for reporting and follow-up on the resolution of internal audit findings and recommendations to ACB/management; and  Framework followed for training/development of internal audit staff. The SPARC risk-based supervision framework is the basis for onsite inspections and the production of an RAR that reports explicitly on the quality of control in the bank, and identifies any shortcomings. If shortcomings have been found and the bank is required to remedy them. The next inspection will review implementation of the directives issued by the RBI. 157 The term “compliance function” does not necessarily denote an organizational unit. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance who should be independent from business lines. 161 INDIA EC4 The supervisor determines that banks have an independent, permanent and effective internal audit function158 charged with: (a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and (b) ensuring that policies and processes are complied with. Description and The SPARC framework requires that inspectors assess, i.a., the following aspects of a findings re EC4 bank’s internal controls:  The process followed by the Board to ensure that the laid down risk management practices, procedures and systems are adequate to limit all potential risks faced by the bank to prudent levels, including details of reporting (say, dash Boards) on material risks to the Board, with their frequency (need not be reported by foreign banks);  The reporting framework established to ensure that the Board is provided with timely, relevant, correct and complete information for effective decision making;  The compliance framework in the bank, including details on: primary responsibility for monitoring compliance;  The process by which the Board ensures implementation of its directions. EC5 The supervisor determines that the internal audit function: a. has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing; b. has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations; c. is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes; d. has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties; e. employs a methodology that identifies the material risks run by the bank; f. prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and g. (g) has the authority to assess any outsourced functions. Description and The onsite examination process reviews, i.a., the following aspects: findings re EC5  The process adopted by the bank to ensure that personnel with requisite skill sets are deployed for specific audit areas in internal audit;  The framework followed for training/development of internal audit staff; 158 The term “internal audit function” does not necessarily denote an organizational unit. Some countries allow small banks to implement a system of independent reviews, e.g., conducted by external experts, of key internal controls as an alternative. 162 INDIA  The framework for performance evaluation of the internal audit function;  The latest findings on the performance evaluation;  The process to ensure independence of the internal audit function (including its staff);  The framework for development and review of risk management policies and practices with emphasis on oversight by Board or Board-level Committees;  The framework for periodical assessment by senior management of the number of people and necessary skills needed in the business units or departments; and  The framework for communication to the senior management and other employees of risk management strategy, corporate values, professional standards and codes of conduct set out by the Board. Assessment of Compliant Principle 26 Comments The RBI has issued a comprehensive framework for internal control and audit, as well as a detailed list of parameters that are reviewed during the onsite inspections in the context of the SPARC risk based assessment process. In this way, the RBI has issued a mutually reinforcing set of standards and processes. A score for the quality and effectiveness of internal audit and control is included in the overall risk rating of the bank by the RBI. In the context of the SPARC review, the banks are required to report the number of staff in the internal audit function and the level of qualifications. This information is included in the overall risk assessment of the bank by the RBI. Principle 27 Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function. Essential criteria EC1 The supervisor159 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data. It is essential that banks put in place robust systems and clearly defined processes for collection, collation and submission of accurate data and information in a timely manner to the supervisor. Description and At present, the accounting framework for banks is governed by the Accounting findings re EC1 Standards (AS) issued by the ICAI. The ICAI, created by act of law, has issued extensive auditing standards to which practitioners must adhere. These standards cover areas such as basic principles, quality control, documentation, fraud and error, audit evidence, analytical procedures, and reliance on the work of an internal 159 In this Essential Criterion, the supervisor is not necessarily limited to the banking supervisor. The responsibility for ensuring that financial statements are prepared in accordance with accounting policies and practices may also be vested with securities and market supervisors. 163 INDIA auditor. In order to receive certification from the ICAI to practice, an examination must be passed. These standards are supplemented by instructions (income recognition asset classification, valuation, investment portfolio, etc.) issued by the RBI. Section 31 of the BR Act requires the publication of the audited balance sheet, and profit and loss accounts, together with the auditors’ report. The RBI has determined that banks have to publish their annual accounts in a newspaper in circulation at the place where the bank has its principal office. Further, banks have to publish their annual accounts in abridged form in additional newspapers, journals, etc., to give wider coverage to information about banks’ operations. Finally, in accordance with the Master Circular “Prudential Guidelines on Capital Adequacy and Market Discipline, Part C Market Discipline,” banks have to disclose the Pillar III disclosures of Basel II. All commercial banks are listed and in accordance with listing requirements, they are required to publish unaudited quarterly results. Banks prepare standalone and consolidated financial statements in accordance with the accounting standards. The IFRS converged Indian Accounting Standards (Ind-AS) shall be effective for banks only from April 01, 2018 and are as such currently not applicable. The bank’s records and internal audit are the basis for the external auditor’s work to prepare and certify the annual financial statements. Auditors reported that overall experience with the quality of internal audit of banks was satisfactory. Art. 27 BR Act prescribes that bank shall submit monthly returns in the form determined by the RBI. The SPARC risk-based supervision system requires robust quality data, and the inspections comment on the data quality. If deficiencies are apparent in the RAR, they will be mentioned as action points for the bank to address. The SPARC manual prescribes that the onsite inspections shall review and comment upon banks’ data. Banks submit prudential returns, e.g., on assets, liabilities, off-balance sheet exposures, asset quality, and capital adequacy, etc. These returns are inputs used by the SSM teams for monitoring the level of inherent risk in a bank. Further, the data in these returns acts as input for the assessments/activities of offsite analysis functions in the RBI. The RBI has the authority to hold a bank’s management accountable for ensuring that the financial record-keeping system and the data they produce are reliable, and it has the power to impose penalties or directions in accordance with Sections 47A and 35A of the Bank Regulation Act. The RBI has issued guidance requiring banks to have effective internal audit systems. The SPARC methodology, as part of the governance and oversight assessment in the SPARC framework, requires analysis of Board and management’s oversight of the internal audit systems and processes, processes to ensure adequate skills in the bank to perform internal audit functions, independence, appropriate coverage, full access of internal auditors to the bank’s internal information, and delivery of an opinion on the effectiveness of, and adherence to, the bank’s organizational and procedural controls. EC2 The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards. Description and Per Section 29 of the BR Act, the balance sheet and profit and loss statement shall findings re EC2 be signed by the CEO and directors of the bank. Section 30 of the BR Act mandates 164 INDIA audit of the balance sheet and profit and loss account prepared in accordance with Section 29 by duly qualified auditors. The auditor is required to prepare a report. The RBI has required banks to ensure compliance with accounting standards. Banks have been advised that any qualifications in the financial statements for non- compliance with accounting standards will be viewed seriously by the RBI. Per Section 29 of the BR Act, the balance sheet and profit and loss statement shall be signed by the bank’s CEO and directors, underlining their final responsibility for the statements. Auditd balance sheets and income statements of bank must be publicly displayed on the bank’s premises. EC3 The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes. Description and The fair value of the balance sheet items as stated by the bank is verified by the findings re EC3 bank’s internal audit function, as well as the external auditor in the course of the annual audit and preparation of financial statements. The banks are required to use the valuation rules set by the ICAI and the norms for valuation of collateral laid out by the RBI. The bank’s internal accounting and audit functions are obliged to operate in a way that is not inconsistent with the IFRS-convergent Indian accounting and auditing standards, when they prepare for the external auditor. These standards refer to the need to use fair value valuations. The accounting standards used by the external auditor distinguish between the values required for the regulatory reports to be submitted to the RBI and those to be used in the preparation of financial statements for public disclosure. EC4 Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit. Description and See EC1. The ICAI has issued extensive audit guidelines addressing the scope and findings re EC4 standards for audits, including guidance on scope and materiality aspects. The ICAI guidelines are confirmed by the government through a notification process, after which they have force of law. EC5 Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. Description and The supervisory guidelines and reporting requirements, as well as the format for the findings re EC5 issuance of publicly disclosed financial statements require that these areas are covered. These are also key data points for the SPARC Risk Based Supervision system. The external auditors are required to state an opinion on the quality of a bank’s internal accounting and auditing systems. EC6 The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. Description and The RBI maintains a list of accepted and duly qualified bank auditors. Only external findings re EC6 auditors on the RBI’s list of approved auditors are permitted to audit banks. 165 INDIA Art. 30 (1) (A) determines that the appointment or removal of an external auditor requires prior approval from the RBI. This gives the RBI power to decide whether an auditor is suitable to audit the bank in question, e.g., whether the skills and available resources are adequate to audit a large complex institution. Auditors are required to obtain a certificate of practice from the Institute of Chartered Accountants of India. EC7 The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time. Description and Current RBI instructions prescribe rotation of audit firms (NB not just the auditing findings re EC7 partner) every 3–4 years. Auditors can be reappointed in the same private and foreign bank after a two-year cooling-off period. For reappointment in the same PSB, the cooling-off period is nine years. EC8 The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations. Description and The RBI meets at least once a year with the external auditor of a bank, and holds findings re EC8 annual conferences with bank auditors to discuss events and developments in the banks and accounting and auditing. EC9 The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality. Description and Once the financial statements have been issued, the external auditor can draw the findings re EC9 attention of the RBI to matters of material significance. Until this moment the external auditor is not authorized to inform the supervisor. This is laid down in the appointment letter from the RBI to the auditor. The Companies Act, in section 143 (13,) states that an auditor will not be sanctioned for the performance of any duty under the law, which includes reporting cases of fraud, provided this has been done in good faith. Additional criteria AC1 The supervisor has the power to access external auditors’ working papers, where necessary. Description and This power is not explicitly laid down in statute nor regulation. findings re AC1 Assessment of Largely compliant Principle 27 Comments The accounting and auditing professions are of high quality, and the accounting standards applicable to banks are comprehensive. Preparation of financial statements based on IFRS-convergent Indian Accounting Standards will start April 1, 2018, including IFRS 9 on expected losses. Nevertheless, the AQR in 2015 has shown that firms incurred additional losses after a stricter assessment of compliance with the loan classification and provisioning regulations. As a result of the AQR, the “true and fair view” required by law therefore appeared to need significant adjustments, notwithstanding that the accounts had been signed off by 166 INDIA management and auditors. As a result, the RBI has conducted conversations with the accounting and auditing professions.160 Also, the relationship between auditor and regulator needs to provide for immediate reporting of material issues, not just after publication of the statements. Regulators need to have the power to access the working papers of the auditors when needed. The laws and/or regulations should explicitly authorize the external auditor to inform the RBI of any concerns, also before the annual statements have been finalized and published. Moreover, the RBI needs to have the explicit authority to obtain information at any time from the external auditor and access the external working papers, as needed. Principle 28 Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes. Essential criteria EC1 Laws, regulations or the supervisor require periodic public disclosures161 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed. Description and Building on the publication of the annual financial statements, mandated by findings re EC1 Section 31 of the BR Act, the RBI has developed a set of disclosure requirements, which allow market participants to assess key information on capital adequacy, risk exposures, risk assessment processes and business parameters, to provide a comparable, consistent and understandable disclosure framework. Banks are also required to comply with Accounting Standard 1 on Disclosure of Accounting Policies, issued by the ICAI. The enhanced disclosures are incorporated in the Balance Sheet and Profit & Loss Account of banks and in ‘Notes to Accounts’, per Master Circular on “Disclosure in Financial Statements—Notes to Accounts,” of July 1, 2015. In addition to the 16 detailed prescribed schedules to the balance sheet, Notes to Accounts broaden disclosure as follows. Additional RBI required disclosures, above and beyond the requirements of the accounting standards, include: 1. On provisions:  Provisions and contingencies—banks are required to disclose in the “Notes to Accounts” information on provisions and contingencies, including provisions for depreciation on investment, on NPAs, and general provisions on standard assets, provisions toward tax liabilities, and others; 160 In April 2017, RBI issued a Circular on Disclosure requiring a disclosure in the notes to the accounts every time the difference between bank’s audited provisions and RBI’s mandated provisions following a supervisory review is greater than 15 percent. This is supposed to have a disciplining effect and carries a high reputational risk for auditors.  161 For the purposes of this Essential Criterion, the disclosure requirement may be found in applicable accounting, stock exchange listing, or other similar rules, instead of or in addition to directives issued by the supervisor. 167 INDIA  General provisions over total assets;  Draw-downs from reserves; and  Provision Coverage Ratio (PCR) - ratio of provisioning to gross NPAs. 2. On risk concentration:  Concentration of deposits - total deposits of 20 large depositors and percentage of the deposits to total deposits of the bank;  Concentration of loans - total loans to 20 largest borrowers and percentage of the advance to total advances of the bank;  Concentration of other exposures - total exposure to 20 largest borrowers/ customers and percentage of the exposures to total exposure of the bank on borrowers/customers;  Concentration of NPAs -Total exposure to top four NPA accounts;  Sectoral NPAs such as agriculture and related sectors, industry (micro, SME, and large, services, and consumer loans;  NPA dynamics - additions, recoveries, reclassification, write-offs from gross NPAs, as well as the final position as on the date of the financial statement;  Assets, NPAs, and revenue abroad: total assets, total NPAs, and total revenue; and  Sponsored off-balance sheet SPVs (consolidated). Additional disclosures, including:  Capital, broken down into Tier I/II capital, percentage of shareholdings by the government, amount of subordinated debt raised as Tier II capital;  Asset quality with details on NPAs, restructurings, and assets sold to the securitization/reconstruction company for assets (AMC);  Details of NPAs sold, and provisions on standard assets.  Asset liability management giving the maturity pattern of certain items of assets and liabilities, such as deposits, advances, investments, borrowings, foreign current assets, and foreign currency liabilities;  Sectoral breakdown, e.g., exposures to real estate sector, capital market;  Country risk exposure;  Cases of single borrower limit (SGL)/group borrower limit (GBL) exceeded by the bank; and  Unsecured advances. The annual financial statements must be published in a newspaper in the area where the bank has its headquarters, as well as, in an abridged form, in additional newspapers and journals. Disclosure takes place on a quarterly basis. The RBI requires that customers can easily access the relevant information from the bank’s websites. The websites also mandatorily include information on grievance-redressal procedures. 168 INDIA EC2 The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank. Description and At a minimum, the items listed in the RBI circular mentioned under EC1 should be findings re EC2 disclosed in the ‘Notes to Accounts’. Disclosure on 43 areas of key significance are required. When appropriate for the understanding of the financial position and performance of the bank, banks should also make more comprehensive disclosures. The disclosures required by the RBI supplement, and do not replace, other disclosure requirements under relevant legislation or accounting and financial reporting standards. EC3 Laws, regulations, or the supervisor require banks to disclose all material entities in the group structure. Description and According to paragraph 4.6 of the Master Circular, a parent company should findings re EC3 consolidate the financial statements of all subsidiaries - domestic as well as foreign, except those specifically permitted to be excluded under the accounting standards. The reasons for not consolidating a subsidiary should be disclosed in the CFS. The consolidation perimeter is decided by the management and the external auditor, based on accounting standards. These set out principles and procedures for recognizing, in the consolidated financial statements, the effects of the investments in associates on the financial position and operating results of a group. A bank may acquire more than 20 percent of voting power in the borrower entity as security for loans, so long as significant influence is not exercised. EC4 The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards. Description and The RBI is responsible for enforcing disclosure standards for banks. Various findings re EC4 instructions have been given by the RBI to banks toward display of various key aspects, such as service charges, interest rates, services offered, product information, time norms for various banking transactions, and grievance-redressal mechanism. However, during inspections/visits to bank branches by the RBI, it was observed that many banks were not displaying the required information. The RBI reinforced the instructions in a new circular. It has the authority to enforce disclosure rules. Typically, this will take place through an adverse remark in the inspection report, which will be discussed with the bank. Every quarter the RBI verifies whether the required disclosures have been made. EC5 The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). Description and The website of the RBI contains much information about the banking sector, in findings re EC5 aggregate and per individual bank. Publications include: “Profile of Banks,” and a bi- weekly web publication “Scheduled Banks.” A “Financial Stability Report” is published twice annually. A yearly “Report on Trends and Progress on Banking in India” is available on the website. The RBI Annual Report, also on the website, 169 INDIA contains a section on banking supervision. Weekly Statistical Supplements and Monthly Statistical Bulletins also contain information on the banking sector. A Database on the Indian Economy is accessible through the RBI website, with information on sectoral deployment of bank credit. Additional criteria AC1 The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period. Description and Bank-by-bank information is posted on the RBI’s website on a quarterly basis, based findings re AC1 on banks’ periodic reports to the RBI. Together with the quarterly publication by banks of their financial statements and supplementary disclosures as required by the RBI, interested parties and the general public can be adequately informed. Assessment of Compliant Principle 28 Comments Building on the publication of the annual financial statements, mandated by Section 31 of the BR ACT, the RBI has developed a set of disclosure requirements, which allow market participants to assess key information on capital adequacy, risk exposures, risk assessment processes and business parameters, to provide a comparable, consistent, and understandable disclosure framework. The RBI website also offers a wide range of information and data on the banking system in India. Principle 29 Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.162 Essential criteria EC1 Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities. Description and The Prevention of Money Laundering Act 2002 (PMLA) has been enacted to combat findings re EC1 money laundering in India. The PMLA and rules notified thereunder impose obligation on banking companies, financial institutions and intermediaries to verify identity of clients, maintain records and furnish information to FIU-IND. PMLA defines money laundering offence and provides for the freezing, seizure and confiscation of the proceeds of crime. Section 54 of the Act empowers and requires certain officers, including RBI officers, to assist the authorities in the enforcement of this Act. Regulated Entities (REs) are required to follow certain customer identification procedure while undertaking a transaction either by establishing an account based relationship or otherwise and monitor their transactions. Accordingly, in exercise of the powers conferred by Sections 35A of the Banking Regulation Act, 1949 (Power of the RBI to give directions to the Entities regulated 162 The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle. 170 INDIA by it) and the Banking Regulation Act (AACS), 1949, read with Section 56 of the Act and Rule 9(14) of Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, the RBI has issued the Master Direction “Know Your Customer (KYC) Direction, 2016” on February 25, 2016. The Master Direction consolidates the earlier guidelines issued to banks by the RBI as regards KYC/AML and has to be read in conjunction with Section 12 of the PMLA, which details the obligations of banking companies. Section 4 of the aster Direction requires that REs shall frame a KYC policy duly approved by the Board of directors of REs or any committee of the Board to which power has been delegated. The instructions cover the domains such as Customer Acceptance Policy, Risk Management, Customer Due Diligence (CDD) Procedure, Identification of Beneficial Owner, On-going Due Diligence, Enhanced and Simplified Due Diligence Procedure, Record Management, Reporting Requirements to Financial Intelligence Unit—India, Requirements/Obligations under International Agreements Communications from International Agencies and Other Instructions. EC2 The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities. Description and Section 4 of the RBI Master Direction on KYC requires that REs shall frame a KYC findings re EC2 policy duly approved by the Board of directors of the REs or any committee of the Board to which power has been delegated (See EC1). Moreover, in terms of Section 8 on ‘Compliance of KYC policy’, the REs have to ensure compliance with KYC Policy through:  Specifying as to who constitute ‘senior management’ for the purpose of KYC compliance;  Allocation of responsibility for effective implementation of policies and procedures;  Independent evaluation of the compliance functions of REs’ policies and procedures, including legal and regulatory requirements;  Concurrent/internal audit system to verify the compliance with KYC/AML policies and procedures; and  Submission of quarterly audit notes and compliance to the Audit Committee. The RBI examiners ensure during the onsite examination that banks comply with the AML/KYC policies. Under the SPARC framework, the examiners assess:  Framework for identification, investigation, monitoring, reporting and prevention of KYC/AML issues; and  Methodology for solving KYC/AML related issues and non-compliances by the bank. In addition, the DBS conducts thematic reviews on KYC-related matters. During the last three years, seven scrutinies were undertaken by the DBS across banks, mainly on KYC-related violations/irregularities. The follow-up actions were disclosed in the RBI press release. 171 INDIA The KYC/AML aspect of urban cooperative banks and the NBFCs is looked into while doing annual inspections by the respective supervision departments. Some penalties have been imposed upon cooperatives and a notice for cancellation of certificate of registration of the NBFC was issued to the company for violating the guidelines. However, the RBI Master Direction does not highlight in the Definitions section that banks are required to identify beneficial ownership when the customer is an individual. Banks have clear procedures for obtaining beneficial ownership information of corporate customers, but are less effective in the identification of beneficial ownership in the case where the customer is an individual carrying out transactions on behalf of another person. This constitutes a deficiency, given that money-laundering activities often involve the engagement of front men to obscure the identity of beneficial owners. EC3 In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.163 Description and The suspicious transactions are reported only to the Financial Intelligence Unit-IND findings re EC3 (FIU). Banks are not required to report the suspicious activities to the RBI. However, RBI supervisors have access to the suspicious transactions reports during onsite inspection. The RBI has issued Master Direction (MD) on “Frauds—Classification and reporting” dated July 01, 2016 containing details/aspects relating to frauds. These directions are issued with a view to providing a framework to banks, enabling them to detect and report frauds early and taking timely consequent actions like reporting to the investigative agencies, so that fraudsters are brought to book early, examining staff accountability, and doing effective fraud risk management. Banks report frauds to the RBI as and when fraud is detected. On receipt of fraud reports from banks, various aspects related to the frauds are examined, and concerned banks are advised to report the case to CBI/police/Serious Fraud Investigation Office, examine staff accountability, complete proceedings against the erring staff expeditiously, take steps to recover the amount involved in the fraud, claim insurance wherever applicable, and streamline the system procedures so that frauds do not recur. Banks are also required to update the subsequent developments through quarterly returns. In addition, banks are required to submit to the RBI, the Fraud Monitoring Returns (FMR) and data, based on the Frauds Reporting and Monitoring System (FRMS) supplied to banks. Frauds amounting to more than Rs 1 lakh are to be reported on a case-by-case basis in accordance with para. 3 of the aforementioned Master Circular. Frauds of less than Rs 1 lakh are also due to be reported to the RBI in consolidated form by category. Banks are also required to report all cases of fraud to the concerned agencies immediately. The RBI maintains a database of frauds and 163 Consistent with international standards, banks are to report suspicious activities involving cases of potential money laundering and the financing of terrorism to the relevant national center, established either as an independent governmental authority or within an existing authority or authorities that serves as an FIU. 172 INDIA their modus operandi and this information is shared with banks to enable them to prevent occurrences of such frauds. In January 2016, a Central Fraud Registry (CFR) was made operational as searchable online central data base for use by the banks for frauds above Rs 1 lakh. However, the Master Direction on Frauds that requires banks to report frauds is not sufficiently broad to meet this EC, which requires reporting of suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness, or reputation of the banks. EC4 If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities. Description and The RBI informs the FIU-IND about any gross violations of AML/CFT instructions by findings re EC4 banks. In August 2012, an MOU between the FIU-IND and the RBI was singed:  According to the MOU (para. 8), the FIU-IND and the RBI will endeavor to cooperate in areas of mutual interest including: a) Laying down procedure and manner of reporting to FIU-IND under the PML Rules; b) Conducting outreach and training for reporting entities; c) Upgradation of skill levels in the banking industry; d) Assessment of Anti-Money Laundering/Combating Financing of Terrorism (AML/CFT) risks and vulnerabilities in the financial sector; e) Identification of red flag indicators for Suspicious Transaction Reports (STRs); f) Monitoring the compliance of reporting entities with their obligations under PMLA; and g) Compliance with the relevant international standards.  FIU-IND and RBI will hold quarterly meetings to discuss and share information of mutual interest including (para. 9): a) Issues arising out of (8) above; b) Trends in reporting; and c) Cases where sanctions have been imposed.  The FIU-IND and the RBI shall endeavor to provide feedback on information obtained from the other party (para. 10). According to the MOU, and in practice, the RBI share with the FIU-IND, the gist/extracts of inspection reports where gross violations of KYC/PMLA were noticed, which need further probe by the FIU-IND. EC5 The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with 173 INDIA respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements: a. a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks; b. a customer identification, verification and due diligence program on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk- based reviews to ensure that records are updated and relevant; c. policies and processes to monitor and recognize unusual or potentially suspicious transactions; d. enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk); e. enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and f. clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five-year retention period. Description and The instructions contained in the RBI Master Direction on KYC cover the domains findings re EC5 such as Customer Acceptance Policy, Risk Management, CDD Procedure, Identification of Beneficial Owner, Ongoing Due Diligence, Enhanced and Simplified Due Diligence Procedure, Record Management, Reporting Requirements to Financial Intelligence Unit—India, Requirements/obligations under International Agreements Communications from International Agencies and Other Instructions. (See EC1) The CDD management program has the following essential elements: (a) In terms of Section 9 of the aforementioned Master Direction, Regulated Entities (REs), including banks, are required to frame a Customer Acceptance Policy. Additionally, in terms of Section 10, REs shall ensure that: No account is opened in anonymous or fictitious name; No account is opened where the RE is unable to apply appropriate CDD measures, either due to non-cooperation of the customer or non-reliability of the documents/information furnished by the customer; No transaction or account based relationship is undertaken without following the CDD procedure, etc. (b) Chapter V of Master Direction details the requirement of a Customer Identification Procedure (CIP) to be carried out by the REs. Also, Part V of Chapter VI on Customer Due Diligence (CDD) Procedure requires that REs shall undertake ongoing due diligence of customers to ensure that their transactions are consistent with their knowledge about the customers, customers’ business and risk profile; and the source of funds. The extent of monitoring shall be aligned with the risk category of the customer. A system of periodic review of risk categorization of accounts, with such periodicity being at least once in six months, and the need for applying 174 INDIA enhanced due diligence measures shall be put in place. Section 38 details the requirement of Periodic Updation that is to be carried out by the REs. (c) Section 36 of the Master Direction on KYC mandates that REs need to necessarily monitor the following types of transactions: Large and complex transactions, and those with unusual patterns, inconsistent with the normal and expected activity of the customer, which have no apparent economic rationale or legitimate purpose; Transactions which exceed the thresholds prescribed for specific categories of accounts; High account turnover inconsistent with the size of the balance maintained; Deposit of third party cheques, drafts, etc., in the existing and newly opened accounts followed by cash withdrawals for large amounts. Further, Rule 7 of the PML (Maintenance of Records) Rules, 2005 requires the REs to furnish to the director, Financial Intelligence Unit-India (FIU-IND), information referred to in Rule 3 of the Rules ibid. Also, in terms of Section 50, robust software, throwing alerts when the transactions are inconsistent with risk categorization and updated profile of the customers shall be put in to use as a part of effective identification and reporting of suspicious transactions. (d) Enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk); As specified in (b) above, the extent of monitoring shall be aligned with the risk category of the customer. A system of periodic review of risk categorization of accounts, with such periodicity being at least once in six months, and the need for applying enhanced due diligence measures shall be put in place. Section 38 details the requirement of Periodic Updation that is to be carried out by the REs. Sections 40, 41, and 42 detail the requirements of enhanced due diligence for accounts of non-face-to-face customers, Accounts of Politically Exposed Persons (PEPs) and client accounts opened by professional intermediaries respectively. (e) In terms of Section 41 of the Master Direction on ‘Accounts of Politically Exposed Persons (PEPs)’: REs shall have the option of establishing a relationship with PEPs provided that: sufficient information, including information about the sources of funds accounts of family members and close relatives is gathered on the PEP; the identity of the person shall have been verified before accepting the PEP as a customer; the decision to open an account for a PEP is taken at a senior level in accordance with the REs’ Customer Acceptance Policy; all such accounts are subjected to enhanced monitoring on an ongoing basis; in the event of an existing customer or the beneficial owner of an existing account subsequently becoming a PEP, senior management’s approval is obtained to continue the business relationship; the CDD measures as applicable to PEPs including enhanced monitoring on an ongoing basis are applicable. Moreover, these instructions shall also be applicable to accounts where a PEP is the beneficial owner. (f) In terms of Section 46 of the Master Direction on ‘Record Management’, the following steps shall be taken regarding maintenance, preservation and reporting of customer account information, with reference to provisions of PML Act and Rules. REs shall: 175 INDIA a. maintain all necessary records of transactions between the RE and the customer, both domestic and international, for at least five years from the date of transaction; b. preserve the records pertaining to the identification of the customers and their addresses obtained while opening the account and during the course of business relationship, for at least five years after the business relationship is ended; c. make available the identification records and transaction data to the competent authorities upon request; d. introduce a system of maintaining proper record of transactions prescribed under Rule 3 of Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Rules, 2005); e. maintain all necessary information in respect of transactions prescribed under PML Rule 3, so as to permit reconstruction of individual transaction, including the following: the nature of the transactions; the amount of the transaction and the currency in which it was denominated; the date on which the transaction was conducted; and the parties to the transaction. f. evolve a system for proper maintenance and preservation of account information in a manner that allows data to be retrieved easily and quickly whenever required or when requested by the competent authorities; and g. maintain records of the identity and address of their customer, and records in respect of transactions referred to in Rule 3 in hard or soft format. The objective of the RBI’s guidelines is to prevent banks from being used, intentionally or unintentionally, by criminal elements for money laundering or terrorist financing activities. The KYC procedures also enable banks to know/understand their customers and their financial dealings better which in turn help them manage their risks prudently. These areas are reviewed by SSMs during onsite examination of banks under the SPARC. SSMs assess the bank’s compliance to those guidelines. The RBI’s requirements relating to foreign PEPs are not fully in line with the international standards as they do not specifically require banks to: have appropriate risk-management systems to determine whether the customer or the beneficial owner is a PEP; examine the customer’s source of wealth (in addition to the source of funds); and the coverage does not apply to associates. In addition, there is currently no specific provision requiring banks to apply enhanced customer due diligence measures to accounts of domestic PEPs, as defined in RBI Master Direction on KYC, are individuals who are or have been entrusted with prominent public functions in a foreign country, e.g., heads of states/governments, senior politicians, senior government/judicial/military officers, senior executives of state- owned corporations, and important political party officials, etc. Domestic PEPs are, however, not specifically referred to in the RBI Master Direction on KYC. EC6 The supervisor determines that banks have in addition to normal due diligence, specific policies, and processes regarding correspondent banking. Such policies and processes include: 176 INDIA a. gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and b. not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks. Description and According to Section 64 of the RBI Master Direction on KYC, banks shall have a findings re EC6 policy approved by their Boards, or by a committee headed by the chairman/CEO/MD to lay down parameters for approving correspondent banking relationships subject to the following conditions:  Sufficient information in relation to the nature of business of the bank including information on management, major business activities, level of AML/CFT compliance, purpose of opening the account, identity of any third-party entities that will use the correspondent banking services, and regulatory/supervisory framework in the bank’s home country shall be gathered;  Post facto approval of the Board at its next meeting shall be obtained for the proposals approved by the committee;  The responsibilities of each bank with whom correspondent banking relationship is established shall be clearly documented;  In the case of payable-through-accounts, the correspondent bank shall be satisfied that the respondent bank has verified the identity of the customers having direct access to the accounts and is undertaking ongoing 'due diligence' on them;  The correspondent bank shall ensure that the respondent bank is able to provide the relevant customer identification data immediately on request;  Correspondent relationship shall not be entered into with a shell bank;  It shall be ensured that the correspondent banks do not permit their accounts to be used by shell banks;  Banks shall be cautious with correspondent banks located in jurisdictions which have strategic deficiencies or have not made sufficient progress in implementation of FATF Recommendations; and  Banks shall ensure that respondent banks have KYC/AML policies and procedures in place and apply enhanced 'due diligence' procedures for transactions carried out through the correspondent accounts. The RBI verifies banks’ adherence to these guidelines during the course of onsite examination. However, there is no explicit requirement that banks do not establish or discontinue existent correspondent relationships which those banks that do not have adequate controls against criminal activities and are not effectively supervised by relevant authorities. EC7 The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism. 177 INDIA Description and According to section 8 of the Master Direction, Banks have to ensure compliance findings re EC7 with KYC Policy through:  Independent evaluation of the compliance functions of banks’ policies and procedures, including legal and regulatory requirements.  Submission of quarterly audit notes and compliance to the Audit Committee. Banks should ensure that their internal audit is staffed adequately with individuals who are well versed in such policies and procedures. Internal and concurrent auditors have to check and verify the application of KYC procedures at the branches and comment on the gaps observed. The Audit Committee has to be informed of compliance in this respect on a quarterly basis. Reports of these audits have to be made available to the RBI on request or during the inspection of banks. Whether banks have sufficient controls and systems, and non-compliances by the bank are analyzed during the course of onsite examinations of banks under the SPARC framework. EC8 The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities. Description and The KYC guidelines have been issued by the RBI under Section 35A of the BR Act. findings re EC8 Accordingly, banks are required to comply with such directions and any contraventions thereof or non-compliance shall attract penalties under Section 46 the BR Act. Over the last two years, KYC related penalties of 3,250 Lakhs are imposed by RBI on 17 banks in India. EC9 The supervisor determines that banks have: a. requirements for internal audit and/or external experts164 to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports; b. established policies and processes to designate compliance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported; c. adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and d. ongoing training programs for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities. Description and First of all, internal auditors are responsible for verifying compliance with KYC findings re EC9 guidelines (See EC7). According to the RBI Master Direction on KYC, banks should appoint a Principal Officer (PO) from senior management as the contact point for all AML issues. He/she is responsible for monitoring and reporting all transactions and sharing information as required under the law as well as liaison with enforcement agencies, 164These could be external auditors or other qualified parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. 178 INDIA banks and other institutions. The PO is also responsible for timely submission of Cash Transaction Report (CTR), Suspicious Transaction Report (STR), and the reporting of counterfeit notes and all transactions involving receipt by nonprofit organizations of value more than Rs 10 lakh or its equivalent in foreign currency to FIU-IND. According to para. 8 of aforementioned Master Direction, banks have to institute a system of internal/concurrent audit to verify the compliance with KYC/AML policies and procedures. Banks have to ensure that their internal audit function is staffed adequately with individuals who are well versed in such policies and procedures. The Audit Committee has to be informed of compliance in this respect on a quarterly basis. Reports of these audits are made available during the course of onsite inspections of banks. According to Section 71 on ‘Hiring of Employees and Employee training’, banks are also required to put in place adequate screening mechanisms as an integral part of their recruitment processes. Banks have to implement an ongoing employee training program, so that their staff is adequately trained in KYC procedures with different focus for frontline staff, compliance staff and staff dealing with new customers. The RBI conducts onsite examination under SPARC on the compliance with KYC/AML policies on a sample basis. Observations are suitably factored in the RAR, and supervisory actions are initiated against the bank. EC10 The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities. Description and The RBI has issued Master Direction (MD) on “Frauds—Classification and reporting” findings re EC10 in July 2016, containing the details/aspects relating to frauds (see EC3). The RBI conducts onsite examinations under the SPARC to assess roles and responsibilities of the Independent Vigilance Unit, procedure for referring staff- related fraud cases to vigilance, and mechanism for detection, prevention and reporting of staff related frauds in the bank. In particular, during the operational risk assessment, the RBI reviews following:  Banks should have a well-laid procedure for detection, reporting and monitoring of frauds.  Banks should have a system of review of frauds with corrective action at a systemic level, where appropriate. Reporting of financial fraud was well established. However, AML/CFT issues encompass money-generating criminal activities, with fraud being only one type of predicate crimes. It is unclear that RBI requires under its regulations banks to report any problems related to the abuse of the banks’ financial services. EC11 Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable. 179 INDIA Description and Section 14 of the PMLA 2002 states that banking companies or their officials would findings re EC11 not be liable to any civil or criminal proceedings against them for furnishing any information to the appropriate authority under the Act. In addition, in the Indian context, the GOI had passed a resolution on April 21, 2004 authorizing the Central Vigilance Commission (CVC) as the ‘Designated Agency’ to receive written complaints or disclosure on any allegation of corruption or of misuse of office and recommend appropriate action. The jurisdiction of the CVC in this regard is restricted to employees of the central government or of any corporation established by it or under any Central Act, government companies, societies or local authorities owned or controlled by the central government. Staff in the PSB is protected in this regard. Private sector bank staff is also not liable to discretionary proceedings according to Protected Disclosures Scheme for Private Sector and Foreign Banks (April 2007). EC12 The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes. Description and The RBI has signed an MoU with the FIU-IND for sharing information (see EC 4). findings re EC12 The cooperation for sharing information on suspected or actual criminal activities for supervisory purposes with other domestic supervisory authorities can be accommodated in the IRF/FSDC framework. Section 56 (1b) of the PMLA 2002 states that the GOI may enter into an agreement with the government of a foreign country for exchange of information for prevention of any offence under the Act or under the corresponding law in force in that country or investigation of a case relating to any offence under the above Act. RBI supervisory department has entered into MoUs with supervisors of 40 countries for sharing supervisory information. The secrecy provisions in the BR Act do not apply in this case as Section 71 of the PMLA has an overriding effect in case of inconsistencies with other law in force at that point in time. EC13 Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks. Description and The main function of the FIU-IND is to receive cash/suspicious transaction reports, findings re EC13 analyze them and, disseminate relevant financial information to intelligence/ enforcement agencies and regulatory authorities. To facilitate this, RBI issued Master Direction on “Frauds—Classification and reporting” containing all the details/aspects relating to frauds. These directions help in faster dissemination of information by the RBI to banks on the details of frauds. (See EC3) Caution advice—general in nature—are also being issued by the RBI as necessary for preventing and controlling the frauds having systemic impacts. Assessment of Largely Compliant Principle 29 Comments Assessors indicated several shortcomings with CP 29: 180 INDIA  The RBI Master Direction does not highlight in the Definitions section that banks are required to identify beneficial ownership where the customer is an individual. This constitutes a deficiency given that money laundering activities often involve the engagement of front men to obscure the identity of beneficial owners. While there is a requirement relating to preventive measure on money mules, the identification of beneficial ownership in the case of an individual acting on behalf of another goes beyond the intent of addressing money mules activities.  The RBI’s requirements relating to foreign PEPs are not fully in line with the international standards, as they do not specifically require banks to: have appropriate risk-management systems to determine whether the customer or the beneficial owner is a PEP; examine the customer’s source of wealth (in addition to the source of funds); and the coverage does not apply to associates. In addition, there is currently no specific requirement imposed on banks with regard to treatment of customers who are domestic PEPs165 or persons entrusted with prominent functions by an international organization. In line with FATF Recommendation 12, in addition to performing CDD measures required by the standard, banks should be required to take reasonable measures to determine whether a customer or the beneficial owner is a domestic PEP or a person entrusted with a prominent function by an international organization and, in cases when there is a higher risk business relationship with such a person, to take enhanced due diligence measures (i.e., obtain senior management approval before establishing or continuing the business relationship; take reasonable measures to establish the source of wealth and source of funds; and conduct enhanced monitoring of that relationship).  Although the controls over reporting financial fraud were well established, financial fraud is only one type predicate crime among the AML/CFT concerns over money-generating criminal activities. The Master Direction on Frauds that requires banks to report frauds is not sufficiently broad to meet the EC3 which requires reporting of suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the banks. It is also unclear if the RBI formally requires banks under its regulations to report all problems related to the abuse of the bank’s financial services (EC10). The RBI should broaden its response to address money laundering reporting issues, not just fraud.  There is no explicit requirement for banks to avoid establishing correspondent relationships or discontinue existing ones with banks that do not have adequate controls against criminal activities and are not effectively supervised by relevant authorities. The RBI’s KYC master direction stipulates that correspondent relationships shall not be entered into with a shell bank.166 It is not 165 Politically Exposed Persons (PEPs), as defined in RBI Master Direction on KYC, are individuals who are or have been entrusted with prominent public functions in a foreign country, e.g., Heads of States/governments, senior politicians, senior government/judicial/military officers, senior executives of state-owned corporations, important political party officials, etc. 166 The shell bank (Section 3. of KYC master direction) is defined as a bank that is incorporated in a country where it has no physical presence and is unaffiliated to any regulated financial group. 181 INDIA comprehensive enough to capture the broad requirement of this CP. For example, non-shell banks would not meet the aforementioned requirement. 182 INDIA SUMMARY COMPLIANCE OF BASEL CORE PRINCIPLES Table 2. India: Summary Compliance with the Basel Core Principles Core Principle Grade Comments 1. Responsibilities, LC There are no material gaps in coverage of the Indian system of objectives and powers bank supervision and regulation. This is clear and credible from legislation. The legal framework gives the RBI powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns. Laws and regulations are updated frequently. New arrangements between domestic financial supervisors have been put in place to smooth group regulation and supervision. In the past five years, the RBI has established formal relationships with overseas supervisors, including colleges for its six largest internationally active banks. The RBI can review the activities of parents, affiliates and subsidiaries of banks. While safety and soundness of banks is an important objective for the RBI, the legislation does not define it clearly and unambiguously as its first priority for supervision. 2. Independence, MNC The RBI has budgetary autonomy and adequate resources. It is accountability, transparent about its core purpose, which is published on its resourcing and legal website. It regularly gives a public account of its activities and protection for use of resources in its Annual Report and elsewhere. In most supervisors respects, it has operational independence. The legal framework for banking supervision includes legal protection for the RBI and its officers. However,  While it does regulate and supervise the PSBs, the RBI does not have full discretion to take supervisory actions.  The RBI Act contains a number of powers, enabling the central government to supersede decisions of the RBI. Although these powers have not been used in practice, they are broad and their existence undermines the RBI’s legal independence.  The RBI governor is not appointed for a minimum term, but for a maximum one and may be dismissed at will by the government without disclosing the reasons for such action. 3. Cooperation and C The overall framework for cooperation is considered collaboration comprehensive and effective. Nevertheless, it is recommended to include more explicit provisions in the applicable bills, acts, and regulations to support mutual recovery and resolution actions. These rules should also support e.g., agency-appointed administrators, prosecutors, and liquidators. The authorities are working on a format for joint inspections, including any 183 INDIA regulatory agency that has an interest in the institution that is being inspected. 4. Permissible activities C The permissible activities of institutions that are licensed and supervised as banks are defined and the use of the word “bank” in names is controlled. The term “bank” and related terms are defined in Indian law. Permissible activities for banks are also well defined in legislation and regulation, although the central government can impose on banks to undertake nonbanking activities. Only banks regulated by the RBI can refer to themselves using the term “bank” and related terms. Deposit taking is largely, but not entirely, confined to banks. The RBI does maintain a list of banks on its public website. 5. Licensing criteria LC The RBI is the licensing authority for all banks in India. Guidance and processes for scrutiny of license applications are adequate. However, there is a potential reason to be concerned about ultimate beneficial ownership. Difficulty in establishing ultimate beneficial ownership should be grounds for rejecting a license application. 6. Transfer of C The RBI generally has the power to review any transfer of significant ownership significant ownership or controlling interests held in existing banks. Significant ownership is either expressly or implicitly defined in statute. Approval by the RBI for a significant transfer in ownership is required for private sector banks. The RBI could, in principle, block a significant ownership transfer for a PSB, if it judged that such a transfer was not in the interest of the banking system. The RBI’s supervisory powers to prevent a change in significant ownership refer to a fit-and-proper test similar to that undertaken as part of a bank licensing, and they can reject a change based on false information. Banks must advise the RBI if a significant shareholder becomes unfit. While periodic reporting to the RBI and SEBI, and the RBI’s supervision onsite and offsite, do allow the RBI to monitor significant ownership, it is not clear that they would necessarily detect changes in beneficial ownership. 7. Major acquisitions C The RBI has the power to approve or reject major acquisitions by private sector banks. Through its continuous monitoring and periodic ICAAP reviews, it should be aware of major acquisitions contemplated by any public or private sector bank. It can impose prudential conditions on major acquisitions or investments by any bank via its normal regulatory powers. These extend to the establishment of cross-border operations. Its supervision of banking groups ensures that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. 8. Supervisory LC The supervisory approach of the RBI has undergone some approach substantive changes toward the implementation of a risk-based approach. The RBS framework of RBI (SPARC) deploys a good mix of onsite and offsite supervisory tools, but it is still in its early stage of implementation. The existence of an SSM in 184 INDIA charge of the specific bank(s) helps supervisors maintain a comprehensive understanding of the overall risk profile of individual banks. Each SSM has a high degree of autonomy and responsibility for supervising a specific bank. The enforcement link between SPARC assessments and supervisory actions is nevertheless weak. The assessors note that a bank’s Risk Assessment Report (RAR) does not discuss a bank’s identified capital shortage in detail in association with necessary capital augmentation or risk mitigation plans. For example, the model computes the required add-on capital for banks with a supervisory rating of ‘C’ and lower, which are considered to have a risk of failure above the acceptable supervisory risk appetite. Nevertheless, the assessors note that there were no cases where such identified capital adds-on were followed by specific remedial actions. Finally, resolution powers and tools are very limited and the RBI does not assess the bank’s resolvability nor does it prepare recovery and resolution plans. 9. Supervisory LC The RBI has established a comprehensive range of supervisory techniques and tools tools and techniques to implement its RBS approach. Under the RBS framework, the relative importance and intrusiveness of onsite and offsite supervision depends on the evolving risk profile and systemic importance of the individual banks. In particular, the new CRILC database appears to be useful in the current context to ensure consistency of assessments of large credit exposures and asset classification across banks. However, there are no detailed formal guidelines, which define penal actions or further enforceable measures, in case that action points of the RAR are not addressed in an adequate manner. Also, as a supervisory tool, the bottom-up stress testing methodology is under development within the DBS. 10. Supervisory LC The RBI has extensive powers to require banks to submit any reporting relevant supervisory information. The quantity and types of the data collected from banks vary based on the group structures and business profiles. The RBI validates prudential returns periodically and automatically upon each submission. The submitted information is also subjected to verification during onsite visits. Banks that submit erroneous information to the RBI are subject to penalties. In addition, The RBI has an assessment process in place to periodically review the returns. For this purpose, the RBI established inter-departmental groups with responsibilities for the introduction of new returns/modification of returns. However, with regard to prudential returns, apart from a few (e.g., half-yearly consolidated prudential returns), most data are submitted on a solo basis rather than on a consolidated basis. In addition, there are no explicit guidelines/criteria for hiring third parties who conduct supervisory tasks, to assess the 185 INDIA quality of the work performed by those experts, or obliging them to report to the RBI promptly material shortcomings that are identified. 11. Corrective and LC The RBI has an adequate range of supervisory tools for timely sanctioning powers of responses. This includes the ability to revoke the banking supervisors license or to recommend its revocation. In particular, the RBI:  has processes to help in detecting issues quickly and raising them with the bank, including with their Board. Supervisors can then monitor risk mitigation plans and follow-up on any shortfalls;  has an appropriate set of supervisory tools;  has the power to take timely risk mitigating actions;  has specific options for escalating these actions;  can take corrective actions against members of management and the Board of a private bank;  can coordinate corrective actions against nonbank entities in financial conglomerates to protect the bank. Ring- fencing a bank from nonbank liabilities within a group might not be an option in times of stress, but intra-group exposures are limited by regulation; and  cooperates with other agencies as needed to resolve problem situations. However, under the current PCA regime, some of the more stringent actions under PCAare for action by the “government/RBI.” Its decisions to revoke any banking license are subject to government appeal. 12. Consolidated C The RBI can supervise every part of any Indian banking group supervision or financial conglomerate. It can monitor and apply prudential standards to all subsidiaries and associate enterprises within the banking group, domestically and internationally. In particular, through intra-group transaction monitoring and coordination with other domestic regulators, it understands risks that other entities in a group might pose to a bank and to take supervisory action to limit those risks. The RBI will not license a nonbank operating company to own a bank. Through a network of MoUs and supervisory colleges, it can now supervise foreign operations of Indian banks effectively. It monitors continuously intra-group financial exposures and transactions. The RBI can take action to limit activities in nonbank subsidiaries in concert with the nonbank financial supervisor concerned. Some prudential standards are set and are monitored on a consolidated basis, such as standards regarding concentration, capital, and liquidity. 13. Home-host C Much has been achieved by the RBI since the previous relationships assessment. The current framework shows that it is functioning 186 INDIA adequately. The RBI is very active in its exercise of cross-border supervision, and in organizing cooperation with colleagues abroad on the basis of MoUs and in supervisory colleges. A large number of MoUs have been concluded, and another 9 are being negotiated. A significant number of cross-border inspections has been held. The RBI staff confirms that they have good contacts and working relationships with counterparts in other countries. 14. Corporate MNC The appropriate rules on fitness and propriety and banks’ governance internal governance structures are in place with respect to private and foreign banks. The influence the RBI may exercise on governance of banks through section 21 of BR Act, and the very limited legal authority of the RBI to hold the PSB Boards accountable regarding strategic direction, risk profiles, assessment of management, and compensation have resulted in a low overall rating on this assessment. Under the law, and according to custom, the RBI is not in a position to hold PSB Boards accountable for assessing, and when necessary, replacing weak and nonperforming senior management and government-appointed Board members. government’s role in appointing senior management and placing their own official on the Board creates the potential for government interfering with the PSB’s business decisions. The result of this interference may explain in part the fact that PSB financial performance in recent years has been so much weaker than private banks. Moreover, the presence of RBI and MOF officials on the PSB Boards, as required by law, puts RBI supervisors in the uncomfortable position of having to assess the performance and competence of these officials in their role as Board members. For example, if a PSB assumes an inappropriate amount of risk, it would be problematic for the supervisor to recommend that the RBI take action against the Board and its designated member. In addition, the PSB Board has limited role in selection of senior management, where once again MoF is involved in selecting the CEO, the chairman and the full time executive directors, subject to approval by the RBI for fit-and- proper standard. 15. Risk management LC The RBI does: process  determine that banks have Board-approved appropriate risk management strategies;  require comprehensive risk policies and frameworks to be comprehensive;  require the risk management framework be well documented, internally communicated and evolves appropriately; 187 INDIA  ensures the Boards and senior management obtain the information they need to assess capital adequacy;  examine the level of capital and liquidity and the processes banks use to ensure adequacy;  ensure models used for risk measurement are appropriate for use, validated and developed and used under strong governance;  ensure that the risk-management function has the resources, independence, Board access, and authority it needs;  require prior Board approval for dismissing a CRO;  issue guidance on each major risk type;  require banks to have contingency plans;  require banks to stress test; and  assess how banks account for risks in internal pricing, performance measurement and new product approval. However, the RBI does not impose specific requirements for robust risk management MIS, as opposed to implicit requirements derived from requirements for such measurement, aggregation and reporting of different risk types in normal times. The RBI does not have a specific requirement in its principle guidance on risk for recovery or resolution plans. While RBI supervisors do regularly assess Board documents and meet with selected members of Boards, including the heads of the risk and audit committees, they do not as a rule meet with the Board as a whole, or with the non-executive directors individually. Such meetings are useful to, among other things, confirm that Boards and senior management understand the risks associated with any material change to the business. 16. Capital adequacy C The RBI is in the process of implementing the Basel III capital adequacy framework, and is working with selected banks to approve advanced approaches and parallel runs. The RBI framework, in particular the current capital definition, is appropriate. The framework was considered compliant by the Basel Committee’s Regulatory Consistency Assessment Program in 2015. 188 INDIA 17. Credit risk LC All banks need to follow guidelines and meet targets on priority sector lending, which compromises banks’ independent, risk- based credit allocation policies and strategies. These public policy-oriented constraints can impose significant limitations on the banks’ own development of credit risk management strategies and policies, and may lead to risk accumulation that otherwise could have been avoided. 18. Problem assets, LC The current systems and processes to monitor asset provisions, and classification and provisioning could be considered broadly reserves adequate. Significant positive developments have been set in motion since previous FSAP. In the area of loan classification and provisioning, changes have been introduced, generally in the direction of further tightening of the rules. For loans where regulatory forbearance has been allowed for restructured accounts (deferment of DCCO) allowing them to remain “standard,” the provision has been increased. A very significant policy action to start addressing the NPA problem has been the 2015 AQR, which coincided with the introduction of the new 2015 Master Circular on loan classification and provisioning. The exercise showed a significant level of under-recognition of NPAs and under-provisioning, and the corresponding need for the reinforcement of capital in many banks. The current coverage with provisions, although it improved slightly, seems to be on the low side, given persisting high vulnerabilities in the corporate sector. Also, the system for classification and provisioning still shows several weaknesses:  The regulation recognizes a number of special situation advances, some of which considerably extend the period beyond the contractually agreed payment dates, before the bank starts receiving its expected cash flow (e.g., project loans of which commencement of commercial operation has been delayed for certain reasons). The structure of the rules, with multiple cases of different treatment under special situations is complex and difficult to monitor given the lack of systematic reporting on the magnitudes of these special cases.  The introduction of IFRS9 provides an opportunity to strengthen loan classification and provisioning rules. The RBI needs to systematically review credit risk parameters (i.e., loss rates, recovery rates, etc.) across the banking system to ensure that the parameters of the asset classification and provisioning regulations (i.e., provisioning rates and categories of impairment) remain realistic. 19. Concentration risk LC To align the exposure norms for Indian banks with the Basel and large exposure Standards, a new Large Exposures (LE) Framework was issued limits on December 1, 2016. However, this new framework will not be applicable fully until April 2019. The current rules still have many exceptions that allow large exposures up to 50 percent of 189 INDIA its capital base (e.g., infrastructure project loans). Banks must gradually adjust their exposures to comply with the LE limit by that date. Accordingly, prior to this date, banks should avoid taking any additional exposure/reduce exposure in cases where their exposure is at or above the exposure limit prescribed under the new framework. 20. Transactions with LC The RBI issued the Guidelines on Intra-Group Transactions and related parties Exposures (ITEs), which expand to related-party transaction (RPTs) to maintain arm’s-length basis. Several shortcomings still remain, despite improvements over RPTs since the last FSAP. For example, there is also no explicit requirement for Board approval to be obtained prior to RP exposure write-offs. It is unclear that the ITE limit is applied to RPTs between the bank and the bank’s major individual shareholder or family. 21. Country and C The RBI guidelines for CRM are generally in line with this CP, transfer risks and relevant supervision is also conducted by SSMs. 22. Market risk C Trading activity by Indian banks is relatively limited and simple in nature. A major part of the investments is in government securities. Foreign banks perform the role of market makers in certain market segments like interest rates and foreign exchange and are dominant players in the derivatives market. All banks are following standardized approach for computing market risk capital charge. The guidelines and supervisions are broadly in line with Basel standards and this CP. 23. Interest rate risk in C Through successive guidance issued since 1999, the RBI has the banking book raised standards for Indian banks. These require banks to have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk in the banking book. 24. Liquidity risk LC The RBI maintains the Statutory Liquidity Requirement (SLR; 20.5 percent) to run in parallel with the LCR requirement (80 percent currently, and 100 percent by January 2019) as regulatory liquidity ratios for banks.167 The SLR requires banks to hold a substantial portion of their assets in cash, gold, government securities, and SDLs. Since the RBI has full authority to recalibrate the SLR requirement in times of stress, the assessors expect that the RBI would lower the SLR requirements under stressed conditions to facilitate banks liquidity management. However, there is one gap regarding the definition of high-quality liquid assets (HQLA). The RBI allows banks to include Indian State Government Securities, also known as State Development Loans (SDLs), in the HQLA level 1 buffer, which is not in line with the Basel Committee’s decision. 167 SLR has been reduced in July 2017 from 20.5 percent to 20 percent. 190 INDIA 25. Operational risk LC Regulations/guidelines are stipulated in a comprehensive way, and relevant supervision is also conducted by the SSMs in line with the CPs. A comprehensive circular on Cyber Security Framework in Banks was issued on June 2016 and Cyber Security and Information Technology Examination Cell was launched for more comprehensive examination. However, for operational risk events that should be reported to the RBI, the formal reporting protocol has limited applicability. There is no explicit requirement or formal offsite returns in the regulations, for the bank to keep the RBI apprised of developments affecting operational risk at banks if an incident other than frauds occurs. In addition, loss data accumulation other than fraud appears to be relatively limited since all banks currently use the BIA for operational risks. 26. Internal control C The RBI has issued a comprehensive framework for internal and audit control and audit, as well as a detailed list of parameters that are reviewed during the onsite inspections in the context of the SPARC risk-based assessment process. In this way, the RBI has issued a mutually reinforcing set of standards and processes. A score for the quality and effectiveness of internal audit and control is included in the bank’s overall risk rating by the RBI. 27. Financial reporting LC The accounting and auditing professions are of high quality, and external audit and the accounting standards applicable to banks are comprehensive. Preparation of financial statements based on IFRS-convergent Indian Accounting Standards will start April 1, 2018, including IFRS 9 on expected losses. However, the laws and/or regulations do not currently explicitly authorize the external auditor to inform the RBI of any concerns at any time, before the annual statements have been finalized and published. Moreover, the RBI does not seem to have the explicit authority to obtain information at any time from the external auditor. In particular, the RBI does not seem to have the authority to access the external auditor’s working papers, as needed. 28. Disclosure and C Building on the publication of the annual financial statements, transparency mandated by Art. 31 of the BR Act, the RBI has developed a set of disclosure requirements, which allow market participants to assess key information on capital adequacy, risk exposures, risk assessment processes and business parameters, to provide a comparable, consistent and understandable disclosure framework. The RBI website also offers a wide range of information and data on the banking system in India. 29. Abuse of financial LC The RBI KYC Master Direction does not highlight in the services Definitions section that banks are required to identify beneficial ownership where the customer is an individual. This constitutes a deficiency, given that money-laundering activities often involve the engagement of front men to obscure the identity of beneficial owners. 191 INDIA There is currently no explicit requirement imposed on banks with regard to the treatment of customers who are domestic PEPs or persons entrusted with prominent functions by an international organization. The RBI’s requirements relating to foreign PEPs are also not fully in line with the international standards, as they do not specifically require banks to: have appropriate risk-management systems to determine whether the customer or the beneficial owner is a PEP; examine the customer’s source of wealth (in addition to the source of funds); and the coverage does not apply to associates. In addition, although the controls over reporting financial fraud were well established, financial fraud is only one type predicate crime among the AML/CFT concerns over money-generating criminal activities. The Master Direction on Frauds that requires banks to report frauds is not sufficiently broad to meet this CP, which requires reporting of suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the banks. 192 INDIA RECOMMENDED ACTIONS AND AUTHORITIES COMMENTS Table 3. India: Recommended Actions Core Principle Recommendation 1. Responsibilities,  Legislation is needed to update and clarify the supervisory mandate objectives and powers of the RBI. The statute should clearly state that safety and soundness, including systemic stability, are the top priority of supervision.  The GOI should defer to the RBI in matters of safety and soundness, including in particular matters affecting PSBs. The RBI decisions with respect to safety and soundness should not be subject to GOI review.  Supervisory powers over the PSBs should be enhanced. Supervisors should be able to use independently the same broad range of supervisory tools and enforcement actions with respect to public and private sector banks.  Short of legislation to update and clarify its supervisory mandate, the RBI and the GOI should consider adopting a framework agreement as they did recently for monetary policy, formalizing and clarifying objectives and responsibilities of the RBI and the GOI. Such a framework might record agreement that: o The main objective of RBI bank supervision is prudential and that other supervisory objectives, such as financial inclusion, financing government, priority sector funding, consumer protection are secondary; o The GOI would defer to the RBI in all matters regarding the licensing of banks, (including revoking licensing) permissible activities, governance (including dismissal of Board members), general management and risk management, and corrective actions needed to address safety, soundness and stability concerns (See CP2, 4, 11, and 14); and o These provisions would apply to all banks, including the PSBs, fully and without reservation. 2. Independence,  The 1934 Act should be amended, so that the RBI governor is accountability, appointed for a minimum term. It should be possible for the GOI to resourcing and legal dismiss the governor before the end of his/her term only if due- protection for process establishes incapacity, dereliction of duty or unethical supervisors behavior, in which case the reasons for dismissal should be published.  For legal clarity, it would be preferable to eliminate the provisions providing the government with powers to supersede the RBI’s decisions.  The RBI should track the resources deployed through dedicated SSM teams and specialist units for supervision of the D-SIBs and other large banks. It should review whether the level and character of resources are appropriate in absolute terms, and as a share of total 193 INDIA supervisory departmental resources, compared with the importance of these institutions in the banking system. 3. Cooperation and  Amend the interagency MoU of 2013 to create options to provide collaboration assistance among agencies in case of enforcement actions as needed and upon request.  Amend mandates in the RBI Act and the BR Act to strengthen the RBI mandate for financial stability.  Streamline the FSDC, SC, Early Warning Group, and FSDC working group committee structures to achieve clearer mandates and responsibilities for financial stability and more efficient coordination in time of crisis.  Consider the frequency of supervisory colleges for large institutions, or increase information exchange between meetings. 4. Permissible activities  Repeal Section 6(o) of the 1949 Act.  Deposit taking by institutions that are not regulated as banks should be prohibited, notwithstanding the very small volume of such deposits. 5. Licensing criteria  The RBI needs to review the respective regulations and/or supervisory practices to ensure that suitability of shareholders encompass the ultimate beneficial owners. 6. Transfer of  The RBI should require groups that own significant shares of a bank significant ownership to list all their beneficial owners and to report promptly any material changes in the holdings of such shares. 8. Supervisory  Strengthen enforcement link between SPARC assessments and approach supervisory action (e.g., capital add-on).  Finalize the review of the SPARC framework (e.g., independent model validation) to enhance it robustness.  Develop supervisory handbooks on onsite and offsite SPARC assessments to further ensure consistency. 9. Supervisory  Develop formal comprehensive guidelines regarding the oversight of techniques and tools compliance of RAR action points to further ensure that the bank’s compliance of action points is managed in a consistent, focused, and enforceable manner.  Finalize supervisory bottom-up stress testing methodology. 10. Supervisory  Enhance the collection of data for consolidated supervision in terms reporting of frequency (e.g., quarterly CPR) and granularity (e.g., data collection of group-wide asset classification). 11. Corrective and  Legislation should be amended to give the RBI full authority to sanctioning powers of revoke a bank license without appeal to the GOI; and to ensure it can supervisors act independently with respect to PCA enforcement. 12. Consolidated  Consider introducing and supervising against prudential group-level supervision standards for bank-led financial conglomerates for interest rate risk, large exposure limits, and concentration limits, etc. 13. Home-host  The authorities are advised to include language in the MoUs, or relationships make parallel arrangements to strengthen coordination of responses to the media in case of crisis or problems that draw media attention. 194 INDIA 14. Corporate  Over the near-term the BBB should be empowered to appoint and governance remove senior management of PSBs and assume the role presently carried out by the MOF.  Legislation should be amended to empower the RBI and the Boards of PSBs to exercise the same responsibilities as now apply to private banks and to remove the requirement that PSB Boards include ex officio RBI officials. 15. Risk management  Consider specific and separate requirements for robust risk process management MIS.  Institute the practice of supervisors meeting regularly with Board members, especially non-executive directors. 17. Credit risk  Consider reviewing the PSL policy, including targets and scope of application to allow banks flexibility in meeting the PSL targets if proposed projects do not meet banks’ commercially based risk management strategies and processes. 18. Problem assets,  The RBI should further reassess the need for amending the special provisions, and loan categories relating to asset classification benefits, as some of reserves these special situations could alter the repayment schedules and weaken the loan classification and provisioning adequacy. Also, the RBI should develop reporting tools and enhance monitoring, to closely monitor the materiality, trend, and build-up of risks in this special situations in a systematic way.  In the context of introduction of IFRS 9, the RBI should review its existing classification and provisioning rules to ensure they are calibrated in line with actual losses and cure rates. If necessary, regulatory parameters should be adjusted to accurately reflect more timely recognition of provisioning.  The RBI should stay on top of new regulatory developments and align its practices and regulations as soon as possible. It is important to note that good practices are continuously evolving in the areas of prudential treatment of problem assets, nonperforming exposures and forbearance 168.    Overall, the RBI should consider a more proactive approach to ensure that banks, via adequate provisioning, have proper incentives to tackle the NPAs and free up balance sheets for more productive lending. 19. Concentration risk  Expedite the introduction of the new large exposure rules, monitor and large exposure banks’ practice more closely and take supervisory action (as needed), limits and reduce/remove as much as possible the current exceptions to the basic limits. 20. Transactions with  Include in the regulation the explicit requirement for Board approval related parties prior to related-party exposure (beyond a specified level) write-offs. 168 For instance, “Prudential treatment of problem assets, definitions of nonperforming exposures and forbearance,” BCBS, April 2017. 195 INDIA  Review the regulation to clarify that an appropriate exposure limit is placed to major individual shareholders and families.  Consider issuing a consolidated document to compile the regulations on RPT. 21. Country and  Consider strengthening group-wide country risk management transfer risks framework by collecting such data on a consolidated basis. 24. Liquidity risk  Review and enhance the regulation on liquidity risk management to be more aligned to Basel standards (e.g., Indian State Government Securities are not considered as sovereign debt securities in the context of the Basel standards). 25. Operational risk  Expand formal reporting protocol for the bank to keep RBI appraised of development of affecting operational risk (e.g., incident reports other than fraud).  Strengthen supervision in collecting/accumulating good-quality loss data. 27. Financial reporting  The laws and/or regulations should explicitly authorize the external and external audit auditor to inform the RBI of any concerns at any time, also before the annual statements have been finalized and published.  Amend legislation to ensure that the RBI has the explicit authority to obtain information at any time from the external auditor and access the external auditor's working papers, as needed. 29. Abuse of financial  Amend the laws/or regulation on domestic PEPs to address limited services applicability of EDD for them. There is no specific provision with regard to domestic PEPs (and PEPs of international organizations). The RBI’s requirements relating to foreign PEPs also need to be enhanced to be fully in line with the international standards  Include in the KYC Master Direction explicitly that banks are required to identify beneficial ownership where the customer is an individual, since this constitutes a deficiency given that money laundering activities often involve the engagement of front men to obscure the identity of beneficial owners.  Broaden its reporting requirements to address money laundering issues, not just fraud. Fraud is only one type of money generating criminal activity. 196 INDIA A. Authorities’ Response to the Assessment 67. The Indian authorities express our sincere gratitude to the joint IMF-World Bank FSAP mission team led by Marina Moretti (Mission Chief) and Aurora Ferrari (Team Leader) for the conduct of the FSAP in 2017. We recognize the importance of the FSAP not just as an independent peer review assessment by professionally competent staff, but also as a collaborative process that provides a learning opportunity to staff on both sides and is of value for its policy advice. This contributes to our efforts to identify strengths and weaknesses of our financial system and to further development of our financial markets through deepening and broadening access, thus helping in building a more efficient and resilient financial system. We remain committed to this exercise that is carried out as a mandatory exercise for 29 jurisdictions with systemically important financial systems in the global economy and will follow-up by considering its recommendations and implementing them through sequenced and timed actions as may be appropriate. 68. Amid growing intermediation through financial markets, India remains a bank- dominated economy and the authorities will give special importance to the Detailed Assessment Report (DAR) of the Basel Core Principles (BCP). We appreciate the overall assessment and see its specific recommendations as an opportunity for improvement. We note in particular that that the Basel Committee on Banking Supervision (BCBS) had published the revised BCP in September 2012 after the completion of the India FSAP mission in 2011. While the bar has been raised high on the BCP after its revision in 2012 and on that account the assessment grading in this report are not comparable with those in 2011 FSAP, the authorities remain committed to compliance with BCP 2012. 69. Currently, the several banks in India, especially the Public Sector Banks (PSBs) are facing asset quality problems reflected in their stressed assets and the Reserve Bank of India, in close coordination with the Government of India, are according high priority to addressing this problem. India is moving towards a new state-of-the-art bankruptcy regime. Making use of the recently enacted Insolvency and Bankruptcy Code, 2016 (IBC), the Reserve Bank of India has identified several accounts that are non-performing and asked banks to follow-up with the National Company Law Tribunal (NCLT) for resolution/ insolvency in accordance with the time-bound process laid down in the Code. The move is expected to make a significant dent to quantum of NPAs starting next year. Banks have also been asked to disclose any material divergence (above a threshold of 15 percent) in their own and supervisory assessments on the NPAs and in additional provisioning requirements (as ratio of net profits after tax). The Reserve Bank of India had earlier conducted an Asset Quality Review of the banks and has since internalized the process strengthening the regular inspections buffeted by continuous monitoring of NPAs and their recognition helped by the Central Repository of Information on Large Credits (CRILC). RBI had withdrawn regulatory forbearance since April 2015 and now requires bank to make same provisioning on restructured standard assets as for the NPAs. 197 INDIA 70. All these moves have helped usher in an era of transparency and improved discipline and will go a long way in resolving the problem of bad loans in India. The authorities are also using this window of opportunity to bring about structural improvements in the banking sector. The Government of India has sought, through its Indradhanush plan, to revitalize PSBs through capital infusion and improved governance. All these efforts are likely to turnaround the NPA cycle, strengthen bank balance sheets, enhance provisioning coverage, address current fragilities and ultimately improve banking soundness. 71. On a few specific aspects in this report, the authorities’ response is as follows:  Regarding risk accumulation stemming from the mandatory Priority Sector Lending (PSL) allocations (CP17), we submit that in India, the scope for penetration of bank led financial services to the segments classified under PSL is immense and offers much scope for innovative lending strategies to diversified pools of borrowers which, to the contrary, may reduce risk accumulation. The experience has been that the asset quality of PSL assets is better than some non-PSL asset categories. Further, within the PSL targets, banks have the flexibility to choose their borrowers.  The inclusion of the State Development Loans (SDLs) in the HQLA has been assessed as one of the shortcomings by the assessors (CP24). We may clarify that SDLs are issued as state government bonds and we have slotted SDLs under HQLA 1 as they meet the necessary qualitative characteristics of HQLA. State governments in India have sovereign powers in a number of respects, including revenue raising powers. Under the Basel Liquidity framework, HQLAs range in categories from HQLA-1 to HQLA-2B. SDL clearly has qualities superior to HQLA-2B assets. So, rather than suggest that SDL should not be included in HQLA, it would be appropriate to consider, with reasons, into which category of HQLA should SDLs be slotted. The authorities are fully conscious that some market reforms are needed in the SDL market to encourage better market pricing across States. They are working towards this end, but they judge the instrument to be sufficiently liquid and entailing characteristics akin to high-end HQLA assets. This view of ours is also applicable to CP 24, EC2. We have given the RCAP assessors cogent reasons why SDLs should qualify to be a part of HQLA at a minimum as HQLA-2A, if not HQLA-1.  As regards broadening its reporting requirements to address money-laundering issues by RBI (CP29), it may be noted that RBI regulations require suspicious transaction reports to be filed with the FIU-IND, and that banks put in place a robust AML detection and reporting framework. The Indian authorities have been fully committed to the AML/CFT framework and are further looking into the requirements with a view to further strengthen its implementation. 198