RBI Draft Amendments Report – 10th Jun 2026 | Harmonisation and Consolidation of Instructions on Control / Assurance Functions

The Reserve Bank of India (RBI) has issued 11 draft Amendment Directions to standardize the operational frameworks of control and assurance functions—specifically the Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Head of Internal Audit (HIA). The overarching theme across all regulated entities is the strict mandate for employer-employee relationships (barring external consultants from these roles), clearly demarcated functional vs. administrative reporting lines, internal policy-driven eligibility criteria, and the introduction of periodic external reviews to ensure robust corporate governance.

1. Reserve Bank of India (Commercial Banks – Governance) Second Amendment Directions, 2026

Applicable Entity:

Scheduled Commercial Banks (excluding RRBs, SFBs, and PBs). Note: Foreign banks are subject to these rules on a “comply or explain” basis.

Specific Changes Required:

  • Eligibility Overhaul: Shift from rigid, RBI-prescribed tenure and age limits to internal, board-approved policies based on domain knowledge and complexity.
  • Payroll Mandate: Absolute prohibition of appointing consultants, advisors, or part-time auditors as CRO, CCO, or HIA. They must be on the bank’s direct payroll.
  • Group Oversight: Banks operating as a group with multiple financial entities must appoint a Group CRO (GCRO) and Group CCO (GCCO).
  • External Review: Mandated periodic external reviews of the risk management function, and the Quality Assurance and Improvement Program (QAIP) of both compliance and internal audit functions.
  • Reporting Lines: Clear separation of administrative reporting (to MD & CEO) and functional reporting (to the Board / Audit / Risk Committees).

Management Action Plan:

  1. Policy Drafting: Board to draft and approve new internal eligibility policies for assurance heads.
  2. Contract Audit: HR to audit all existing control head contracts to ensure strict employer-employee relationships.
  3. Group Governance: Formulate a framework for the designation and reporting hierarchy of Group CRO and CCO.
  4. Vendor Selection: Initiate the process for empaneling external firms for the newly mandated periodic external reviews of control functions.

2. Reserve Bank of India (Small Finance Banks – Governance) Second Amendment Directions, 2026

Applicable Entity:

Small Finance Banks (SFBs).

Specific Changes Required:

  • Standardized eligibility criteria tailored to the risk profile and complexity of SFBs, moving away from rigid regulatory age/tenure caps.
  • Enforcement of strict functional independence for internal assurance roles, distinct from business-generating lines.
  • Prohibition of outsourcing the fundamental duties of the CRO, CCO, and HIA.

Management Action Plan:

  1. Transition Plan: If any assurance function is currently supplemented by external consultants, initiate a phase-out and recruitment plan for full-time internal leaders.
  2. Committee Restructuring: Ensure the Audit and Risk Committees of the Board directly receive functional reports from the CCO, CRO, and HIA.
  3. HR Policy Update: Revise the HR manual to reflect domain-knowledge prerequisites over fixed tenure constraints.

3. Reserve Bank of India (Payments Banks – Governance) Second Amendment Directions, 2026

Applicable Entity:

Payments Banks.

Specific Changes Required:

  • Proportional application of control functions with a heightened focus on technology, cyber risk, and operational compliance.
  • Requirement to maintain internal executives for assurance, ceasing reliance on external technical advisors serving as functional heads.

Management Action Plan:

  1. Cyber-Risk Integration: Ensure the newly defined internal CRO has specific, board-approved domain knowledge in IT and cyber risk appropriate for a Payments Bank.
  2. Gap Analysis: Conduct an immediate gap analysis on reporting lines to verify the MD/CEO does not interfere with the functional reporting of the HIA and CCO to the Board.

4. Reserve Bank of India (Local Area Banks – Governance) Second Amendment Directions, 2026

Applicable Entity:

Local Area Banks (LABs).

Specific Changes Required:

  • Tailored but formalized adoption of the CRO, CCO, and HIA roles.
  • Complete separation of business and control functions, requiring dedicated internally appointed heads rather than dual-hatting operations personnel.

Management Action Plan:

  1. Capacity Building: Initiate targeted recruitment for specialized internal risk and audit personnel.
  2. Role Demarcation: Present a formalized organogram to the Board separating sales/operations clearly from the CCO and HIA lines.

5. Reserve Bank of India (Regional Rural Banks – Governance) Amendment Directions, 2026

Applicable Entity:

Regional Rural Banks (RRBs).

Specific Changes Required:

  • Alignment of governance standards with broader commercial banks, specifically regarding the establishment of formalized, internal Risk Management and Compliance functions.
  • Ending reliance on sponsor banks for direct daily functioning of control roles; the RRB must have its own dedicated officers on payroll.

Management Action Plan:

  1. Sponsor Bank Coordination: Coordinate with the sponsor bank to transition any borrowed assurance personnel into independent, dedicated roles within the RRB.
  2. Board Resolution: Pass resolutions defining direct functional access of these new internally appointed heads to the Board of Directors.

6. Reserve Bank of India (All India Financial Institutions – Miscellaneous) Amendment Directions, 2026

Applicable Entity:

All India Financial Institutions (AIFIs) (e.g., NABARD, SIDBI, EXIM Bank, NHB, NaBFID).

Specific Changes Required:

  • Stringent application of Group-level oversight mechanisms (Group CRO/CCO) due to the systemic importance and scale of AIFIs.
  • Mandatory external reviews for risk management functions and the QAIPs.
  • Strict adherence to the internal-payroll-only rule for assurance heads.

Management Action Plan:

  1. Group Policy Drafting: Formulate a comprehensive Group Control Policy governing subsidiaries and associated funds.
  2. External Audit Setup: Design a procurement/RFP process to hire specialized external reviewers for benchmarking the internal control functions against global best practices.

7. Reserve Bank of India (Urban Co-operative Banks – Governance) Second Amendment Directions, 2026

Applicable Entity:

Urban Co-operative Banks (UCBs).

Specific Changes Required:

  • Standardized control framework scaled to the UCB tier structure.
  • Removal of rigid prior RBI age/experience templates, allowing the Board to set proportional domain-knowledge requirements.
  • Mandate to hire full-time internal personnel, removing the practice of entirely outsourced audit/compliance functions.

Management Action Plan:

  1. Internal Policy Drafting: Board to approve customized eligibility guidelines for CCO/CRO/HIA based on the bank’s specific tier and operational complexity.
  2. Recruitment Drive: Convert existing outsourced external audit dependencies into internally staffed internal audit units.

8. Reserve Bank of India (Rural Co-operative Banks – Governance) Second Amendment Directions, 2026

Applicable Entity:

Rural Co-operative Banks (State Co-operative Banks and District Central Co-operative Banks).

Specific Changes Required:

  • Formalization of compliance and risk functions, requiring dedicated in-house officers.
  • Strict separation of lending/business functions from risk assessment and audit lines.

Management Action Plan:

  1. Structural Audit: Conduct an immediate review to ensure no dual-hatting exists where business line managers are also acting as compliance/risk officers.
  2. Board Oversight: Establish direct channels for these new internal officers to report to the Board or appropriate sub-committees.

9. Reserve Bank of India (Non-Banking Financial Companies – Governance) Amendment Directions, 2026

Applicable Entity:

Non-Banking Financial Companies (Base, Middle, Upper, and Top Layers).

Specific Changes Required:

  • NBFC-UL Specific Mandate: Only NBFCs in the Upper Layer (NBFC-UL) are explicitly mandated to undergo periodic external reviews of their risk management function.
  • General Consolidation: All applicable NBFCs must ensure CRO, CCO, and HIA roles are fulfilled by direct employees (no consultants).
  • Clarification of functional reporting directly to the Board/Committees and administrative reporting to the MD/CEO.

Management Action Plan:

  1. Layer Verification: Confirm NBFC regulatory layer to ascertain the applicability of the mandatory external review requirement.
  2. Payroll Compliance Check: Review HR records to verify that all assurance heads are on direct company payroll and terminate any consultancy-based appointments for these roles.
  3. Policy Realignment: Update internal policies regarding eligibility, removing constraints that conflict with the new domain-knowledge-focused guidelines.

10. Reserve Bank of India (Credit Information Companies) Amendment Directions, 2026

Applicable Entity:

Credit Information Companies (CICs).

Specific Changes Required:

  • Harmonization of CCO, CRO, and HIA appointments to guarantee total independence from data aggregation and operational activities.
  • Elimination of external data consultants holding internal risk or compliance governance positions.

Management Action Plan:

  1. Operational Segregation: Review organizational matrices to ensure absolute firewalling of the assurance functions from operational data processing units.
  2. HR Re-contracting: Transition key compliance and audit leaders from independent contractor status to full-time payroll employees.

11. Reserve Bank of India (Asset Reconstruction Companies) Second Amendment Directions, 2026

Applicable Entity:

Asset Reconstruction Companies (ARCs).

Specific Changes Required:

  • Establishment of a standardized control framework wherein the CRO, CCO, and HIA must be full-time, internal employees.
  • Clear demarcation to ensure that risk and compliance assessments of resolution strategies remain unbiased and independent of the resolution professionals.

Management Action Plan:

  1. Board Approval: Approve revised governance guidelines distinguishing the roles of resolution managers from risk and compliance officers.
  2. Independence Verification: Establish a protocol ensuring the CRO and CCO report functionally to the Board without administrative interference affecting their judgments on asset resolutions.

RBI Press Release
