
The Reserve Bank of India (RBI) has issued a consolidated framework covering risk management, compliance and internal audit functions for commercial banks.
The updated directions seek to reinforce governance practices across the banking sector while enhancing the independence and effectiveness of critical control functions within banks.
The RBI has directed banks to maintain separate control functions led by a Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Head of Internal Audit (HIA).
These functions must operate independently from business units, remain unaffected by business performance targets, and have unrestricted access to records and operational areas.
The framework also provides that CROs, CCOs, and HIAs should ordinarily be appointed for a minimum tenure of 3 years.
Any decision to remove or transfer these officials before the completion of their term will require approval from the board of directors.
Banks must appoint CROs, CCOs, and HIAs from among senior executives who are not more than 2 levels below the Managing Director and Chief Executive Officer (MD & CEO).
While these officials will report administratively to the MD & CEO, their functional reporting will be directly to the board or the relevant board committee.
The revised directions further require these key officials to meet the board or concerned board committee at least once every quarter without senior management being present.
Their overall performance evaluation will also be conducted by the board or the respective committee.
To strengthen risk governance, the RBI has stated that the CRO will participate as an invitee in meetings of credit sanction and approval committees, though without voting rights.
The framework also mandates that if a business decision involves taking risks contrary to the CRO’s recommendations and without sufficient mitigation measures, it must be approved by the next higher authority and subsequently reported to the board or the risk management committee.
The revised framework requires banks to conduct an annual assessment of compliance risks and implement a risk-based internal audit mechanism that covers all material business activities.
The RBI has also directed banks to carry out more frequent audits and reviews in areas identified as high risk.
In addition, banks must notify the RBI within 5 working days of any appointment, reappointment, removal, or resignation of a Chief Risk Officer (CRO).
For the appointment or exit of Chief Compliance Officers (CCOs) and Heads of Internal Audit (HIAs), prior intimation to the regulator will be mandatory.
The revised directions introduce a consolidated governance framework for risk management, compliance, and internal audit functions in commercial banks. The new norms will come into effect from January 1, 2027, and will apply to key control functions headed by the CRO, CCO, and HIA.
Published on: Jun 11, 2026, 3:52 PM IST

Team Angel One
