Tuesday, 4 June 2013

Can't bank on it

Indian Express, 04th June 2013

The RBI board makes no attempt to review its regulatory failures

According to a recent press release by the Reserve Bank of India, its board met in early May. This was the first board meeting after the Cobrapost expose, revealing widespread failure by banks in adhering to the RBI's Know Your Customer (KYC) regulations. What did the RBI board discuss and what decisions did it take?

The first set of Cobrapost exposes happened on March 14, implicating three banks. On April 6, a second set of news stories exposed more banks. The exposes revealed widespread failure by banks in enforcing KYC regulations.

When the RBI central board met in Srinagar on May 9, one would have expected the board to take some decisions to look into the issue of KYC regulations. At the very least, the board might have asked for a report on the enforcement of KYC regulations, or a review of the audits carried out on banks by the regulator. Alternatively, the management of RBI would have informed the board of the steps to be taken to review the working of the KYC regulations. The board might have highlighted the need for better regulatory oversight.

The press release says that the board, however, took "four major decisions": one, banks are to enhance the Credit Deposit Ratio (CDR) in the state from 36 per cent to 40 per cent by March 31, 2014. Two, the state government should legislate the SARFAESI (Securitisation and Reconstruction of Financial Assets and Enforcement of Securities) Act in the state. Three, the state government and banks are to take up electronic benefit transfer on a pilot basis. Four, banks are to have an active role in skill development for horticulture and other social activities in the state.

There are two important things to note. First, the RBI board did not express a view on the KYC regulations. Second, none of its decisions were about banking regulations or what the regulator may do. All its decisions were about about what the state government and banks will do.

The first decision related to commercial banks is not about risk, safety, or regulatory compliance. Giving more credit to increase the CDR is a commercial decision of a bank. The second decision is an instruction/ suggestion to elected legislatures of the state. While the RBI may assist the legislature on making the laws, it is not within the powers of the RBI board to decide that "The state government [has] to legislate the SARFAESI Act in the state". Similarly, the decision of the RBI board that the J&K government take up a pilot project or that banks engage in skill development in horticulture are not decisions that the board of a financial regulatory authority should be taking.

None of the four major decisions of the RBI board had anything to do with its regulatory failure. There was no attempt at reviewing why the failure took place. There was no attempt to say what the RBI would do to prevent such failure.

The key function of the board of a regulator is to make regulations, to review the effects of the regulations, enforcement, performance review and cost benefit analysis. The board of any corporate body is created to maintain oversight of the functioning of the corporate body. For example, a company's board reviews the functioning of the company, orders investigation into serious issues and gives direction to the company. The decisions of the board are actionable orders to the management of the company. For regulators, the main functioning is making regulations. The board of the regulator must exercise control, oversight and review the functioning of the regulator. Many regulatory boards develop modern corporate governance systems like risk committees and audit committees to discharge their duties.

In addition, boards of regulators have a responsibility to the public at large. Companies use funds of shareholders, and therefore, the board's responsibility is limited to shareholders. For regulators, the entire public is the shareholder of the regulator. The board must also publicly demonstrate that it is discharging its statutory duties. Only issues that are decided to be sensitive may be closed to the public. To complete the cycle of accountability, it is important for the public to be aware of the outcomes of the decision of the board. A review of whether a regulation the board approved was enforced properly, and whether it achieved the purpose for which it was written, must be made public.

The Indian Financial Code, drafted by the Financial Sector Legislative Reforms Commission, addresses some of these issues. It incorporates modern-day developments in governance and oversight mechanisms for public institutions. The code requires every regulation to be approved by the board of the regulator through a resolution. Unlike the present system, the only regulatory instruments the regulator is allowed to issue are regulations. Today, the RBI issues regulations, circulars and master circulars that are not required to be approved by the board.

In contrast, at the RBI board meeting in Srinagar, the issue of the Cobrapost expose and KYC was not even discussed. No review of the KYC regulations was done. No decision was taken about KYC. The board's major decisions were ones that the RBI cannot implement. It is not even clear that the RBI board has the constitutional authority to decide what the J&K legislature will legislate, or even whether it can decide if banks should have a role in social activities in the state.

Though the IFC lays down in detail the role and functioning of the board of regulators, it is not necessary for the RBI to wait for adopting these good practices. The current RBI Act, Section 7 (2), says: "Subject to any such directions, the general superintendence and direction of the affairs and business of the bank shall be entrusted to a central board of directors which may exercise all powers and do all acts and things which may be exercised or done by the bank." Under these powers, the RBI can transform its board from taking decisions advising banks to develop horticulture skills to writing better regulations that prevent money-laundering in India.

(Co-authored with Shubho Roy of NIPFP)


  1. We have some decisions made on the latest reports by Corbapost for AXIS / ICICI / HDFC bank.
    I think you are stressing out more on KYC reviews by RBI. On one=side I am sure this is required but my opinion it doesn't stop regulator take action against the banks.
    But limited fines / restrictions laid down by law which limit it hands.

  2. Dear Mr. Jain,
    1. The issue here is not of reviews of KYC by RBI. The issue is of oversight of RBI by the RBI board. It is not not stating that RBI did not take actions against the bank. The article tries to separate two entities under law which public sees as one:
    1. The RBI
    2. The board of the RBI.

    While surprising it may seem, these are not the same entities. The latter is supposed to review and have oversight of the actions of the former. The article states that the board of the RBI did not question the functioning of the RBI.

    While there is some merit in the argument that the amount of fines that can be levied is limited. The article does not make a point about that. The article states that the RBI had made regulations governing KYC, but had not created any supervision of the same. In the power to audit/supervise/inspect the functions of a bank the powers of RBI are unlimited. RBI could have carried out KYC audits. This brings us to the following questions:
    1. Why is it that Cobrapost could expose such a systemic failure?
    2. What does that say about the RBI audit system?
    3. Is it important enough for the Board of RBI to raise questions?
    4. Is the board discharging its duties of oversight and review of RBI functions?

    On your question of fines, there is quite a large amount of fine that can be levied. Up to 5 lakhs for each violation which did not even involve any money. Using this RBI has fined banks up to 5 crores. Which clearly implies that the RBI audit between the Cobrapost article and yesterday could reveal a 100 violations of KYC.