On 30th April 2024, The Reserve Bank of India (RBI) issued the updated “Guidance Note on Operational Risk Management and Operational Resilience” for the financial sector and extended it to Non-Banking Financial Companies (NBFCs) including Housing Finance Companies.
This updates the “Guidance Note on Management of Operational Risk” dated October 14, 2005
Background:
The guidelines was prepared based on the Basel Committee on Banking Supervision (BCBS) principles documents: ‘Revisions to the Principles for the Sound Management of Operational Risk” and ‘Principles for Operational Resilience’ and issued in March 2021.
About the Guidance Note:
i.Applicability: The updated guidance note is applicable to regulated entities(REs) including,
- All Commercial Banks; All Primary (Urban) Co-operative Banks/State Co-operative Banks/Central Co-operative Banks; and all NBFCs.
- All All-India Financial Institutions like Exim Bank, NABARD(National Bank For Agriculture And Rural Development), NHB(National Housing Bank), SIDBI(Small Industries Development Bank of India), and NaBFID(National Bank for Financing Infrastructure and Development).
ii.The new Guidance Note introduced three Lines of Defence Model in Operational Structure:
- Business Unit: Responsible for identifying and managing the risks inherent in the products, services, activities, processes and systems of lenders.
- Organizational operational risk management(OORF): analysis business units’ operational risk, design and effectiveness of key controls and other risk tolerance threshold.
- Audit Function: provides an independent assurance to the Board regarding the appropriateness of RE’s Operational Risk Management Framework (ORMF).
iii.It laid down separate Principles for mapping of internal and external connections and inter-dependencies, incident management, Information and Communication Technology (ICT), and disclosures.
iv.It has a focused Principle on 3rd-party relationship.
- Before entering into any arrangement with 3rd parties or external entities, all REs must perform a risk assessment.
- These REs should also verify whether the 3rd Party including intragroup entity has an equivalent level of operational resilience to safeguard the REs critical operations.
v.It now covers various REs for whom the organizational set up would vary based on size and nature of activities.
vi.It has eliminated the approaches for operational risk capital calculation for REs such as Local Area Banks(LABs), Small Finance Banks(SFBs), Payments Banks, NBFCs etc. are not required to maintain a separate regulatory capital for operational risk.
- Whereas, for Public Sector Banks (PSBs), Private Banks and Foreign Banks approach for operational risk capital is defined in paragraph 9 of the “Master Circular-Basel III Capital Regulations” (dated 1st April, 2024) which would be replaced by “Master Direction on Minimum Capital Requirements for Operational Risk”(dated 26th June, 2023).
vii.All REs in India should implement robust ICT risk management programme in alignment with their operational risk management framework.