Future-Proofing the Indian Financial System
I am very happy to be here among researchers and practitioners to participate in the Global Conference on Financial Resilience organised by the College of Supervisors of the Reserve Bank of India. I would like to convey my appreciations to the College of Supervisors (CoS) for organising this conference. I also congratulate the CoS for its accomplishments over the last two years.
In the context of the overall impact of the COVID-19 pandemic, the war in Ukraine and the recent banking sector events in the US and Europe on the financial sector, there is now renewed focus on issues of financial resilience and stability. Regulators and Governments across the world are now looking at these aspects with greater intensity. Adequacy of the existing regulations and supervisory systems are under fresh assessment. In this background, a global conference on financial resilience is very appropriate and timely.
The financial sector in a country and the individual entities therein like banks, non-banking financial companies (NBFCs) and other entities have to be resilient at all times. They should have the inner strength to withstand even the most stressful times. So far as India is concerned, the Reserve Bank of India has significantly strengthened its regulations and supervision of banks and other regulated entities in recent years. Our approach has been to enhance the resilience as well as the robustness of the financial sector so that individual entities effectively withstand stressful situations and continue to contribute to the process of economic development of the country. In my address today, I propose to highlight the expectations of the Reserve Bank of India from the stakeholders in the Indian financial system.
In most economies, central banks act as custodians of financial stability. Central banks are also empowered to act as a lender of last resort during financial crises. This historical function of providing emergency liquidity assistance to banks and other financial market institutions necessitates that central banks keep a close watch on banks and financial markets for signs of instability, if any. Moreover, monetary policy is implemented largely through banks and financial markets. The transmission of monetary policy to the real economy depends crucially on the smooth functioning of the financial markets as well as financial intermediaries like banks and NBFCs. It is in this context that the key and complementary functions of central banks such as setting of interest rates, liquidity management, regulation and supervision over the banking and other segments of the financial sector become more pronounced. These functions work together to support economic growth by maintaining financial stability and promoting responsible behaviour among financial institutions.
Let me now specifically turn to the concept of ‘resilience’ which is the theme of today’s conference. Systemic resilience depends both on the resilience of individual financial institutions as well as on the interdependencies among them.
A resilient future ready bank needs to be financially, operationally and organisationally resilient. To be financially resilient, a bank should have adequate capital buffers and be able to generate earnings even in times of severe macroeconomic shocks. It should also have adequate liquidity to meet its obligations in various situations. Therefore, financial resilience is closely linked to a bank’s business model and strategy. The Reserve Bank has, therefore, started looking at the business models of banks more closely. Aspects or deficiencies in the business model itself can spark a crisis in due course. We have not only prescribed regulatory norms for capital adequacy and liquidity ratios, but even gone beyond to nudge banks to build up capital buffers in good times and times of plenty. We did this during the COVID-19 pandemic when there was plenty of liquidity, the interest rates were low and the full impact of the pandemic on the financial sector was still highly uncertain.
The Reserve Bank has also put in place various prudential regulatory frameworks. These include capital adequacy requirements, asset classification and provisioning requirements, dividend distribution framework and liquidity management framework. In addition, the Reserve Bank also periodically deploys macroprudential measures to address system level build-up of risks. As a consequence of the measures taken by both the Reserve Bank and the banks themselves, the Indian banking system has remained resilient and has not been affected adversely by the recent sparks of financial instability seen in some advanced economies. This also comes out clearly in our recent stress test results.
The Gross NPA ratio for the Scheduled Commercial Banks (SCBs) was 4.41 per cent at end December 2022, down from 5.8 per cent as on March 31, 2022 and 7.3 per cent as on March 31, 2021. The CRAR at 16.1 per cent at end December 2022 is also much above the minimum regulatory requirement. Macro stress tests for credit risk indicate that SCBs would be able to comply with the minimum capital requirements even under severe stress scenarios.
Nevertheless, the recent events in the banking landscape of the US and Europe suggest that risks for an individual bank could crop up from segments of its balance sheet which might have been considered relatively safer. Hence, we expect the management and Board of Directors of each bank to continually assess the financial risks and focus on building up adequate capital and liquidity buffers even beyond the regulatory minimum for continued resilience and sustainable growth.
Let me now focus on operational resilience. This would mean that a bank should be able to deliver critical services even in the face of disruptions. Cyber risks and possible cyber-attacks are on top of the list so far as such disruptions are concerned.
Cyber risk has been identified as the foremost in top ten operational risks for 2023 based on a global survey1 of financial institutions. The Bank for International Settlements (BIS), while revising the Principles for Sound Management of Operational Risk in 2021, introduced a specific principle on ‘Information and Communications Technology (ICT) risk management’ reflecting the importance of this risk. Robust IT and information security governance would help in increased predictability and reduction of uncertainty in operations, minimise losses from information security related incidents and enhance operational resilience. Given the extensive level of outsourcing being done by the banks and also by other regulated entities, there is even greater need for ensuring that effective policies and practices are in place in this regard. Even the G20 finance ministers and central bank governors are focusing on risks arising from third party dependencies. The RBI has taken a slew of measures in the recent years with usage of advanced analytical and surveillance tools along with techniques like phishing simulation and cyber reconnaissance exercises to push for enhanced IT and cyber security governance processes in banks and other supervised entities. In the context of the growing exposure of Regulated Entities (REs) to various risks from dependency on third-parties which provide technology and IT-enabled services, the Reserve Bank has recently on April 10, 2023 issued comprehensive guidelines on Information Technology outsourcing2 by banks, NBFCs, and other REs.
The third component of resilience for banks and other financial institutions is to be organisationally resilient so that they anticipate risks early and absorb them efficiently. Organisations must have the capacity and resilience to protect themselves from adverse incidents and shield their balance sheets. To achieve organisational resilience, REs need to continuously evolve by standardising policies, processes, organisational culture and governance. They must also be flexible enough to encourage diverse ideas and innovations within the organisation.
Pillars of Reserve Bank's Regulatory and Supervisory Strategy
An important element in our strategy of making the Indian financial system, including the banking system, future ready is the robust and enhanced regulatory and supervisory framework we have put in place in the last few years. Our present approach to regulation and supervision has been built essentially on three pillars.
First, one of our focus areas in recent years has been to strengthen governance and assurance functions within the Regulated Entities. The safety and soundness of the banking system relies critically on effective governance, so that the interest of all stakeholders, especially the depositors, are safeguarded. The essence of good governance is to build an environment of trust, transparency and accountability. Depositors, whose money represents an overwhelming part of banks’ resources, keep their life savings and hard-earned money with the banks. Protection of depositors’ money is, therefore, a sacred duty which has to be fulfilled through good governance. There cannot be any compromise on this. The Reserve Bank is very particular that the Regulated Entities have systems and processes that promote sound corporate governance. The assurance functions i.e. risk management, compliance and internal audits in banks are critical links between governance and business. Assurance functions assist the Board as well as the senior management in gauging whether the business operations of the bank or NBFC are being run in conformity with the policies and strategies laid down by the Board. The Reserve Bank has issued detailed guidelines for ensuring quality and independence of the governance and assurance functions. These areas are also subjected to intensive supervisory assessment.
Second, we have devoted our efforts to identifying and addressing the root causes of the vulnerabilities. Many a times, vulnerabilities arise from inappropriate business models adopted by banks and other financial entities. Over-aggressive growth strategies or mindless pursuit of bottomlines, for instance, are often a precursor to future problems. While we do not interfere with business decision making, Regulated Entities must demonstrate adequacy of internal controls and loss absorption capacity to match the risks that their business models may generate. Our approach is to flag deficiencies in this area to the senior management or to the Board of Directors of individual institutions for remedial action. We also remain engaged with external auditors and flag issues that are relevant for their role as the third line of defence. In recent times, our focus on ‘root cause’ has led us to mandate certain housekeeping hygiene such as automated identification of non-performing loans and provisioning, proper checks and balances in the use of Internal and Office accounts, implementation of Early Warning Systems (EWS) for preventing frauds and a host of IT and cybersecurity related controls, among others.
Third, within the Reserve Bank, we have considerably strengthened our supervisory analytics. We are increasingly employing data analytics – both macro and micro – to capture potential and emerging risks, identify outlier entities and the vulnerable large exposures of banks. Our onsite supervisors deep dive into areas red-flagged by offsite supervision teams. We are now focusing on the adoption of advanced analytical based technological solutions, including Artificial Intelligence/Machine Learning (AI and ML), for strengthening the internal supervisory processes.
We have a system of early warning signals that provide lead indications of risk build-up. Stress tests are also carried out on a continuous basis. These stress tests not only cover individual entities but also capture the system level stress.
While asset quality and capital position indicate resilience and robustness of financial institutions in the medium term, liquidity is often seen as the immediate cause of crisis. We monitor liquidity position of our entities very closely and aberrations, if any, are immediately taken up with the supervised entities for remedial measures. Thus, our whole approach to Supervision has been pro-active for minimising surprises, spotting concerns and addressing vulnerabilities early.
In essence, the unification of supervisory architecture within the Reserve Bank (i.e, combining the supervisory processes of commercial banks, NBFCs and urban cooperative banks (UCBs) into an integrated Department of Supervision); ownership-agnostic and risk-focused supervision; a shift from episodic to continuous supervision; enhanced off-site surveillance leveraging on data analytics and SupTech solutions; strengthened on-site supervision; root cause analysis of problems and identification of outlier entities; and deep-dive into vulnerable areas have been the major planks of our supervisory strategy.
The Reserve Bank has also taken several regulatory initiatives in recent years to strengthen governance, risk management, audit and compliance functions in NBFCs and UCBs. These include the new scale based regulatory framework for NBFCs issued in October 2021 and the revised regulatory framework for UCBs issued in July 2022. Even before these new regulatory frameworks were brought in, we had taken measures such as issuance of guidelines on appointment of Chief Risk Officers (CROs) and Chief Compliance Officers(CCOs) in large NBFCs; Liquidity coverage ratios for NBFCs with asset size of ₹5000 crore and above; risk-based internal audit (RBIA) norms for large NBFCs (with asset size of ₹5000 crore and above) and UCBs with asset size of ₹500 crore and above; and harmonising the guidelines on appointment of statutory auditors for NBFCs and UCBs with that of commercial banks.
Importance of Effective Internal and External Audits
I would now like to touch upon the criticality of effective internal and external audits for financial institutions. It is no secret that stability and growth of an economy and financial markets are dependent upon trust among stakeholders. To be future ready, banks and financial institutions need to earn the trust of their current as well as prospective customers. One cannot take the ‘trust’ for granted. With greater openness of the economy and faster transmission of information and capital flows on account of advent of technology, it has become even more necessary to ensure credibility and confidence in the system. Towards this cause, a robust assurance mechanism by way of internal audit is essential to provide independent evaluation and assurance to the stakeholders that the operations of a Regulated Entity are being performed in accordance with the prescribed policies and procedures. Statutory auditors also play a vital role in maintaining market confidence on audited financial statements. In banking industry, this public role is particularly relevant for financial stability, given that banks hold public deposits. Audit quality is key to the effectiveness of such public role. For these reasons, the Reserve Bank as the supervisor has a keen interest in the functioning of statutory auditors of the Regulated Entities. Wherever necessary, we engage with the external statutory auditors on issues of critical nature in individual banks and financial entities.
We have recently revised the guidelines for statutory branch audits of Public Sector Banks (PSBs) according to which a minimum of 70% of credit exposure of a bank is required to be covered. From FY 2023-24 onwards, the Board of Directors of PSBs will decide on the coverage of branch audit and selection of branches. While doing so, the Boards are required to keep in mind the specific characteristics of individual banks like the bank’s business and risk profile, geographical spread, degree of centralisation of processes, etc. We expect the Boards of banks to exercise the highest level of diligence while deciding on these issues. As regards statutory branch audit of Private Sector Banks (PVBs), we are doing a fresh assessment of the quality and coverage of such audits.
Skill and capacity building in the Reserve Bank
In the Reserve Bank we attach a lot of importance to skill building and capacity development of our employees. We have been strengthening the Department of Supervision both in number and quality. This is important as effective supervision requires specialised skills and mature judgement. In this context, we expect the College of Supervisors to keep on improving its training methodologies, adopt more case study-based teaching, have more practical sessions in its training programmes, and develop objective assessment of the impact of its training interventions. The feedback received from trainees may be used to improve programme content and fill the gaps identified. The training programmes may also strike a balance between teaching hard technical skills and promoting soft skills such as leadership, decision making, time management and conflict resolution.
The rapid developments and innovations in the financial system, especially in the areas of fintech and digital products pose new opportunities as well as risks. These may affect financial intermediation, payment systems, cyber security and consumer protection. We have to continue monitoring and assessing the implications of these emerging trends, while also developing our own capabilities and frameworks to effectively respond to these challenges.
In recent times, we have seen a proliferation of digital lending by NBFCs, FinTechs and loan apps. Such lending also brought with it certain challenges, especially with regard to fair practices and consumer protection. To address these challenges, the Reserve Bank has laid down comprehensive guidelines for digital lending in September 2022. These guidelines aim to ensure that lending activities are conducted by the REs and their partners such as Loan Service Providers (LSPs) in a prudent, fair, transparent and responsible manner.
Conclusion
To sum up, the Reserve Bank remains committed to future-proofing the Indian financial system and provide the required support for sustainable growth. I am confident that this Global Conference on Financial Resilience organised by the College of Supervisors with participation of experts from India and abroad will add considerable value to the body of knowledge in the area of resilient financial systems. I have been informed that many research papers on identified themes have been received and select papers have been made part of the maiden issue of the Journal of Financial Resilience, which was released today. I am sure the deliberations during the Conference would provide a lot of food for thought and bring new perspectives on the evolution of financial regulation and supervision.
I wish the conference all success !
Thank you.
First, please LoginComment After ~