The Reserve Bank of India (RBI) has issued draft “Commercial Banks – Governance (Second Amendment) Directions, 2026”, significantly strengthening governance norms for control functions by overhauling rules on risk management, compliance and internal audit. The directions, which will come into effect from January 1, 2027, aim to consolidate and harmonise scattered regulatory instructions and enhance board-level oversight of banks’ control architecture.
Under the revised framework, banks will be required to establish clearly defined and independent Risk Management, Compliance and Internal Audit functions, each headed by a Chief Risk Officer (CRO), Chief Compliance Officer (CCO) and Head of Internal Audit (HIA), respectively. The RBI has also mandated that these functions must operate with full independence from business lines, with no revenue-generation responsibilities or performance-linked remuneration tied to business outcomes.
The draft directions also tighten the governance safeguards around these control functions. The CRO, CCO and HIA will report functionally to the board or its committees, while reporting administratively to the MD & CEO. They will have unrestricted access to records and board committees and will be required to meet the board at least quarterly without senior management present. Their final performance evaluation will rest with the board or the relevant board committee.
The RBI has also prescribed stricter norms for appointments, tenure and removal of key control function heads. These roles will be filled by senior officials not more than two levels below the MD & CEO, with a minimum fixed tenure of three years. Any premature removal or transfer will require board approval. In addition, all appointments and changes in CRO, CCO and HIA positions must be reported to the RBI, with prior approval required in certain cases for systemically important banks.
At the functional level, the Risk Management Function has been given expanded responsibilities, including oversight of bank-wide risk appetite frameworks, continuous monitoring of risk exposures, and escalation of breaches to the board. The function will also be required to challenge business decisions and ensure alignment with board-approved risk limits and strategic objectives.
The Compliance Function will be tasked with ensuring adherence to regulatory and statutory requirements, embedding compliance culture across the organisation, and acting as the nodal point of contact with the RBI. It will also be required to carry out compliance risk assessments, monitor adherence, and provide independent assurance to the board or audit committee.
Internal audit
The Internal Audit Function will be required to adopt a risk-based approach, covering all significant areas over defined cycles and focusing on high-risk segments more frequently. The RBI has emphasised the need for data-driven audit techniques, thematic reviews, and stronger coordination with risk and compliance functions, while preserving full independence.
In addition, the draft introduces mandatory Quality Assurance and Improvement Programmes (QAIP) for compliance and internal audit functions, and requires periodic external reviews of risk management and assurance frameworks to benchmark effectiveness.
The RBI has also formally embedded the Risk-Based Internal Audit (RBIA) framework into regulatory expectations, shifting focus from transaction-heavy audits to risk-prioritised audit planning based on materiality, systemic relevance and emerging vulnerabilities.
The regulator said the changes are aimed at strengthening governance standards, improving risk governance independence and ensuring that control functions operate as effective checks within banks’ decision-making frameworks, in line with global best practices.