Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Although, at present, India as a country is still awaiting comprehensive legal guidelines with respect to corporate risk and compliance management, in recent times, compliance with labour, industrial, financial and corporate laws has gathered enormous momentum within the corporate sector.

Labour compliance

India being a country with a significant labour force, one of the major challenges of any company in the corporate sector is with respect to labour compliance. As labour law is considered a ‘specialised area’, non-compliance with labour laws carries with it considerable legal implications and risks.

To keep up with the emerging needs with regard to corporate risk and compliance management, companies in India need to establish effective contract management with their employees and any other related third parties as per the provisions of the Indian Contracts Act 1872.

Another integral part of corporate risk and compliance management in India that has recently emerged is the aspect of pre-emptive screening of employees. There are no dedicated laws governing the pre-emptive screening of employees in India, hence, there are no legal requirements for conducting background checks on prospective employees, except in certain cases such as banks, schools, etc, under certain notifications by various state governments within the country.

Financial compliance

In the wake of the Satyam scandal (a high-profile corporate scandal affecting India-based company Satyam Computer Services in 2009 wherein the chairman, Mr Ramalinga Raju, confessed to having manipulated the accounts to the tune of 70 billion rupees) along with the collapse of some of the largest companies in the world, India has brought in stringent financial compliance that is to be strictly adhered to by every company. It is a well-known fact that India as a country has a complex and bureaucratic accounting, tax and regulatory system, which makes it an onerous challenge for all companies to remain compliant with each and every financial compliance required by the applicable laws. However, the government has from time to time relaxed many such regulations for ease of business and attracting foreign investments. For example, the Goods and Services Tax regime was introduced in India on 1 July 2017 by subsuming dozens of state and central indirect taxes to transform India into a single market and thus promote the ease of doing business in India.

Corporate compliance

Besides compliance with labour and financial laws, companies are also required to strictly adhere to all corporate compliance as per various other laws including, but not limited to, the Companies Act 2013, Reserve Bank of India guidelines, the Foreign Exchange Management Act 1999 and the Securities and Exchange Board of India Act 1992. However, the government has deregulated and relaxed various laws for ease of business and promoting foreign investment in India. For example, foreign direct investment in ‘single brand retail trading’ has recently been allowed up to 100 per cent under the automatic route.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Keeping in mind the plethora of laws with regard to labour, financial and corporate laws in India, which a company is required to be compliant with, below are certain laws and regulations that we believe are required to be complied with on the highest priority with respect to each sector.

Labour law

The specific central acts that a company is required to strictly adhere to include, but are not limited to:

  • the Industrial Disputes Act 1947;
  • the Employees State Insurance Act 1948;
  • the Employees’ Provident Funds and Miscellaneous Provisions Act 1952;
  • the Payment of Bonus Act 1965;
  • the Factories Act 1948;
  • the Contract Labour (Regulation and Abolition) Act 1970;
  • the Child Labour (Prohibition and Regulation) Act 1986;
  • the Maternity Benefit Act 1961;
  • the Payment of Gratuity Act 1972; and
  • the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act 2013.

As well as the abovementioned acts, there are certain state-specific acts that are required to be adhered to by companies, such as the Professional Tax Act and the Shops and Establishment Act that are applicable to a particular state.

Financial and corporate compliance

When it comes to corporate and financial compliance, both compliance and risk management go hand in hand. Below are some of the specific regulations that are to be adhered to at the highest priority:

  • the Companies Act 2013;
  • the Income Tax Act 1961;
  • the Reserve Bank of India and its subsequent guidelines;
  • the Banking Regulation Act 1949;
  • the Foreign Exchange Management Act 1999;
  • the Securities and Exchange Board of India Act 1992 and its subsequent guidelines; and
  • the Goods and Services Tax Act 2017.

The Competition Act 2002 also lays down several provisions to promote fair competition in the market and mitigate business-related risks, though its applicability is dependent upon certain thresholds, which are enumerated under this legislation.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

Risk and compliance management is significantly dependent on various factors of a business such as the sector, size, scale, nature of the business and the activities being carried out. Any legal person or entity that engages in any kind of commercial activity will have to adhere to the rules of risk and compliance management, as may be applicable. A good corporate governance policy is a commitment by an organisation to adopt various good ethical practices and values and this should necessarily encompass the entire value chain of stakeholders, namely, shareholders, management, employees, bankers, customers, vendors and regulators.

Thus, all persons, organisations and undertakings are targeted at varying degrees by the rules of risk and compliance management.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

The Indian legal system recognises sector-specific regulatory and enforcement agencies and bodies that are responsible for corporate compliance in a particular sector. The government of India has enacted various acts, and inter alia created various statutory bodies to regulate and implement the provisions specified therein. The following are a few examples of the principal regulatory and enforcement bodies in India with responsibility for corporate compliance:

  • The Registrar of Companies (ROC) is the designated authority that deals with the administration of the Companies Act 2013, and falls under the ambit of the Ministry of Corporate Affairs. It is mandatory for companies incorporated under the Companies Act 2013 to file various forms, returns and documents with the ROC with respect to their day-to-day corporate compliance and activities.
  • The Reserve Bank of India (RBI) is the central bank of the country and the key authority that lays down the compliance functions for banks throughout India. The RBI, via its notification RBI/2006-2007/335 dated 20 April 2007, has laid down certain mandatory compliance functions including but not limited to strict observance of all statutory provisions contained in various legislations such as Banking Regulation Act 1949, Reserve Bank of India Act 1934, Foreign Exchange Management Act 1999, Prevention of Money Laundering Act 2002, etc, as well as ensuring observance of other regulatory guidelines issued from time to time such as standards and codes prescribed by The Banking Codes and Standards Board of India, Indian Banks Association, Foreign Exchange Dealers Association of India, Fixed Income Money Markets and Derivatives Association, etc, and also each bank’s internal policies and fair practices code. The RBI also sets out the rules and regulations for exchange control transactions in India, eg, foreign investment and outbound investment related regulations.
  • The Securities and Exchange Board of India (SEBI) promotes and regulates the securities market in India. In order to protect the interests of investors, SEBI has laid down various compliances required to be followed by listed entities. In addition to this, SEBI has directed the stock exchanges to implement various measures to ensure corporate compliances including inter alia setting up of a separate monitoring cell to monitor compliances with the provisions of corporate governance and listing of public issues.
  • The Competition Commission of India was established under the Competition Act 2002 to eliminate practices having adverse effect on competition, to promote and sustain competition, and to protect interests of consumers and ensure freedom of trade by other participants.
  • The prime objective of the Enforcement Directorate is the enforcement of two key acts of the government of India, namely, the Foreign Exchange Management Act 1999 and the Prevention of Money Laundering Act 2002. The officers of the Directorate perform an adjudication function so as to impose a penalty on persons for the contravention of the said acts.

Definitions

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

The Indian laws have been designed to implement risk and compliance management. While there is no specific law or regulation in India that defines ‘risk management’ and ‘compliance management’, the same has been widely recognised under various statutes in the manner that has been described in earlier questions.

Processes

Are risk and compliance management processes set out in laws and regulations?

Yes. As stated above, Indian laws set out various provisions for risk and compliance management. For example, the Companies Act 2013, requires a board of directors to develop and implement a risk management policy and identify risks that may threaten the existence of the company. Further, the Companies Act 2013 has made the requirement of compliance very explicit by stipulating a mandatory requirement of positive affirmation from the directors as part of the directors’ responsibility statement under section 134, stating that the directors have devised a proper system to ensure compliance with the applicable laws and that such systems are operating effectively.

It is to be noted that section 205 also requires a company secretary to provide a report to the board about compliance with the provisions of the said act, the rules made thereunder and other laws applicable to the company.

The most significant regulation in this context is Regulation 27(2) of the SEBI Listing Obligation and Disclosure Requirements (LODR) Regulations 2015, which defined significantly tighter personal responsibility of top management for the accuracy of reported corporate governance and inter alia stipulates the preparation of a compliance report of all laws applicable to a company and the review of the same by the board of directors periodically, as well as requiring the company to take steps to rectify instances of non-compliance and to send reports on compliance to the stock exchanges quarterly. The stock exchanges have been directed by SEBI to set up a separate monitoring cell with identified personnel to monitor compliance with the provisions of the revised Regulation 27(2) of SEBI (LODR) 2015 on corporate governance and to submit a consolidated compliance report to SEBI within 15 days from the end of each quarter.

As per LODR, read with section 134(5)(f) of the Companies Act 2013, the relevant provisions mandate the present corporate bodies to incorporate and implement a legal compliance management system:

  • Regulation 4(1) of LODR requires that the listed entity shall abide by all the provisions of the applicable laws and other guidelines;
  • Regulation 4(2)(f) of LODR directs that the board of directors of the listed entity shall ensure that a system for compliance with the law and relevant standards is in place; and
  • Regulation 17(3) of LODR provides that the board of directors shall periodically review compliance reports pertaining to all laws applicable to the listed entity, prepared by the listed entity, as well as steps taken by the listed entity to rectify instances of non-compliance.

There are a number of other acts and regulations besides the SEBI guidelines such as the Information Technology Act 2000, Companies Act 2013, etc, that mandate the corporate bodies both in public and private sectors to maintain and conduct a periodic review of the regulatory functions and processes of the organisations to ensure that the company’s goal, structure and ongoing operations are consistent with the latest developments in business and corporate laws and regulations. This then lowers the compliance risk profile, reduces fines, reassigns headcounts, enables a better and higher use of the limited law department’s resources, saves measurable costs and improves effectiveness and ensures due diligence.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

There are no specific standards or guidelines regarding risk and compliance management processes in India. However, the same has been laid down in various forms of law and regulation. For example, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 state that companies must have ‘reasonable security practices and procedures’ and that companies are deemed in compliance if they have a documented security programme with managerial, technical, organisational and physical controls. ISO 27001 is provided as a reference standard.

The basic guidelines for risk and compliance management processes are:

  • reporting: the reports from management to the board should, in relation to the areas covered by them, provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing the risks. Any significant control failings or weaknesses identified should be discussed in the reports, including the impact that they have had, or may have, on the company and the actions being taken to rectify them; and
  • roles and responsibilities: all employees have some responsibility for internal control as part of their accountability for achieving objectives. The employees collectively should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control.

A strong risk and compliance management system framework can mitigate risks if it can:

  • identify the risk inherent in achieving goals and objectives;
  • establish risk appetite across the entire risk spectrum;
  • establish and communicate risk management frameworks;
  • build accurate and consistent risk assessment;
  • establish and implement measurement reporting standards and methodologies;
  • build a risk profile;
  • establish the key control processes, practices and reporting requirements;
  • monitor the effectiveness of control;
  • ensure all the exposures are adequately identified, measured and managed in accordance with board-approved frameworks;
  • provide early warning signals;
  • ensure risk management practices are adequate and appropriate for managing the risks;
  • report areas of stress where crystallisation of risks is imminent;
  • present remedial actions to reduce or mitigate such risks;
  • report on sensitive and key risk indicators;
  • communicate with relevant parties;
  • review and challenge all aspects of the company’s risk profile;
  • advise on optimising and improving the company’s risk profile; and
  • review and challenge risk management practices.

Obligations

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Yes, as explained above, undertakings operating in India are subject to risk and compliance governance obligations. As per section 134(5)(f) under the Companies Act 2013, the directors have to state in the yearly directors’ responsibility statement that they have devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.

On failure to comply with the above requirement, the company shall be punishable with fines ranging from 50,000 rupees to 2.5 million rupees and every officer of the company who is in default shall be punished with imprisonment for a term of up to three years or with a fine ranging from 50,000 rupees to 500,000 rupees, or with both.

Further, corporate governance lays down the foundation of a properly structured board and strives for a healthy balance between management and ownership that is capable of taking independent decisions for creating long-term trust between the company and external stakeholders of the company. It creates space for open dialogue by incorporating transparency and fair play in strategic operations of the corporate management. The significance of corporate governance lies in:

  • accountability of management to shareholders and other stakeholders;
  • transparency in basic operations of the company and integrity in financial reports produced by the company;
  • checks and balances as an integral part of good corporate governance;
  • adherence to the rules of the company in law and spirit;
  • code of responsibility for directors and employees of the company; and
  • open dialogue between management and stakeholders of the company.

What are the key risk and compliance management obligations of undertakings?

Key compliances under the Companies Act 2013 are as follows:

  • consolidated financial statements are to be prepared where a company has subsidiaries and associates. Intermediary subsidiaries are exempted provided shareholders of the parent have consented to the same;
  • uniform financial year has been implemented for all companies as April to March. Specific approvals for deviation can be obtained from the National Company Law Tribunal for certain classes of companies;
  • as per section 138 of said Act and Rule 13 of Companies (Accounts) Rules 2014, the following companies are required to appoint an internal auditor in a board meeting:
      • listed companies;
      • a public company with a paid-up share capital of more than 500 million rupees and a turnover of 2 billion rupees, loans and borrowings of more than 1 billion rupees and outstanding deposits of more than 250 million rupees; and
      • a private company with a turnover of 2 billion rupees, loans and borrowings of more than 1 billion rupees;
  • the provisions on reporting fraud have been laid down under section 143(12) of the Act and provide that if the auditor of a company, in the course of the performance of their duties as auditor, has reason to believe that an offence involving fraud is being or has been committed against the company by officers or employees of the company, they shall report the matter to the central government;
  • as per section 204(1) of said Act, read with Rule 9 of the Companies (Appointment and Remuneration of Managerial Personnel) Rules 2014, the following companies are required to obtain a secretarial audit report:
      • every listed company;
      • every public company having a paid-up share capital of 500 million rupees or more; and
      • every public company having a turnover of 2.55 billion rupees or more.

Key compliances under the Foreign Exchange Management Act 1999:

  • a foreign liabilities and assets return is required to be submitted mandatorily by all companies resident in India that have received foreign direct investment or made outward direct investment (ODI) in any of the previous year or years, including the current year; in other words, companies that hold foreign assets or liabilities in their financial statements as of 31 March; and
  • an Indian party or resident individual that has made an ODI has to submit an annual performance report in Form ODI Part II to the authorised dealer bank by 31 December every year in respect of each joint venture or wholly owned subsidiary outside India.

Key compliances under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Data Protection Rules):

  • any person or entity that collects, receives, stores, processes or handles personal or sensitive personal information must provide a privacy policy on the company’s website that should be accessible to the provider of information;
  • the Data Protection Rules mandate companies to obtain express consent from the provider of sensitive personal information regarding the purpose and use of the information. The consent can be obtained through any electronic media;
  • the company should ensure that the data providers are made aware of the purpose for which the sensitive personal information is collected, the intended recipients of the information, the agency collecting the information, the agency retaining the information, etc. Further, the data provider should be given an option not to provide the information or to revise or withdraw the information;
  • the companies must have ‘reasonable security practices and procedures’. The companies are deemed in compliance if they have a documented security programme with managerial, technical, organisational and physical controls. ISO 27001 is provided as a reference standard; and
  • all discrepancies or grievances reported to companies must be addressed in a timely manner. Companies must appoint a grievance officer and publish their name and contact details on the company’s website. The grievance officer must redress all the data subjects’ grievances within one month of receiving the grievance.

Liability

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

As per the Companies Act 2013, the board of directors is required to develop and implement a risk management policy and identify risks that may threaten the existence of the company. Further, the Act has made the requirement of compliance very explicit by stipulating a mandatory requirement of positive affirmation from the directors as part of the directors’ responsibility statement under section 134, stating that the directors have devised a proper system to ensure compliance with the applicable laws and that such systems are operating effectively. It is to be noted that section 205 also requires a company secretary to provide a report to the board about compliance with the provisions of the said Act, the rules made thereunder and other laws applicable to the company.

Further, SEBI issued the revised clause 49 that would be applicable to all listed companies with effect from 1 October 2014. The revised clause 49 requires senior management to make disclosures to the board relating to all material financial and commercial transactions where they have personal interest that may have potential conflict with the interest of the company at large. The term ‘senior management’ shall mean members of the core management team. This will include all members of management one level below the executive directors including all functional heads.

Do undertakings face civil liability for risk and compliance management deficiencies?

Compliance in general means compliance with laws and regulations. These laws and regulations may stipulate penalties for non-compliance with their provisions. While there are no direct consequences for deficiencies in risk and compliance management mechanisms, penalties may be imposed if the same results in infringement of the said laws.

Below are a few examples of penalties imposed:

  • As per section 88 of the Companies Act 2013, if a company fails to maintain a register of members, the company and every officer of the company in default shall be punishable with a fine ranging from 50,000 rupees to 300,000 rupees. Further, as per section 92 of the Act, if a company fails to file a copy of annual return within the prescribed timeline, the company shall be punishable with a fine ranging from 50,000 rupees to 500,000 rupees.
  • Section 13 of the Foreign Exchange Management Act 1999 imposes a penalty on every person who contravenes any provision of this Act, or contravenes any rule, regulation, notification, direction or order issued in exercise of the powers under this Act, or contravenes any condition subject to which an authorisation is issued by the Reserve Bank. The said penalty can equal up to three times the sum involved in such contravention where the amount is quantifiable, or up to 200,000 rupees where the amount is not quantifiable. Where such contravention continues, further penalties can be levied of up to 5,000 rupees for each day after the first day during which the contravention continues.
  • Section 21 of the Maternity Benefit Act 1961 states that every employer who does not comply with the provisions of the Act shall be punishable with imprisonment of up to three months, with a fine of up to 500 rupees or with both.
  • Section 22A of the Minimum Wages Act 1948 imposes a penalty on every employer who contravenes any provision of this Act or any rule or order made thereunder with a fine of up to 500 rupees.
  • Via its circular dated 15 June 2017, SEBI has imposed certain penalties for non-compliance with certain provisions of the SEBI (Issue of Capital and Disclosure Requirements) Regulations 2009, which includes inter alia a penalty of 20,000 rupees a day for delay in completion of bonus issue, until the date of actual compliance.
  • Section 43A of the Competition Act 2002 imposes penalties on any person or enterprise who fails to give notice to the commission with respect to forming a combination. The penalty imposed may extend to one per cent of either the total turnover or the assets, whichever is the higher amount.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Yes, undertakings do face administrative and regulatory consequences for risk and compliance management deficiencies.

For example, under the Aircraft Rules 1937, powers have been conferred on the central government and the Director General of Civil Aviation (DGCA) to grant various licences, permits, certificates, approvals, etc. At the same time, these rules empower them to suspend, cancel, withdraw or modify them, if the document holder contravenes certain provisions of these rules or does not comply with the directions issued by the DGCA or does not observe the terms and conditions of the relevant document. This can be termed as administrative action.

Further, undertakings in India are governed by various regulators such as the RBI, SEBI, Insurance Regulatory and Development Authority (IRDA), Pension Fund Regulatory and Development Authority, National Bank of Agriculture and Rural Development, Telecom Regulatory Authority of India, etc.

In addition to the penalties imposed by the RBI and SEBI as explained above, please note that section 105B of the IRDA stipulates the penalty for failure of an insurer to undertake life insurance business and general insurance business in the rural or social sector. In such an event, an insurer shall be liable to a penalty of up to 500,000 rupees for each such failure and shall be punishable with imprisonment for up to three years or with a fine for each such failure.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Yes, undertakings face criminal liability for risk and compliance management deficiencies in India. The Companies Act 2013 prescribes the penalties for offences committed by companies. Under the Income Tax Act 1961, the Customs Act 1962, the Central Sales Tax 1956 and the Central Excise Act 1944, various tax-related crimes such as tax evasion, smuggling, customs duty evasion, value added tax evasion and tax fraud are prosecuted.

Further, the Environment (Protection) Act 1986 is an act under which the central government is empowered to protect and improve the quality of the environment. A significant statutory rule framed under this Act is the Hazardous Waste (Management and Handling) Rules 1989. It is to be noted that any violation of any rule framed under the provisions of the said Act renders the offender liable for imprisonment for a term of up to five years with a fine, and if the contravention continues beyond a period of one year, the term of imprisonment may be increased by another five years.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Yes, the members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations. For example, section 35(1) of the Companies Act 2013 imposes civil liability on every director, promoter or other senior management personnel for any mis-statements in the prospectus.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Yes. See question 12.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

The Companies Act 2013 prescribes punishments for offences committed by companies under the Act. Liability for an offence leads to conviction or punishment by way of imprisonment or fine or both, and the punishment is inflicted on the company, the directors and other officers of the company who were accused and found guilty of the offence by a court.

In most cases, the persons liable for the offences are ‘officers who are in default’ and the said term is defined exhaustively under the Act. For the purpose of any provision under that Act, an ‘officer of the company’ means any of the following:

  • a whole-time director;
  • key managerial personnel, who include:
      • a managing director, or chief executive officer or manager and, in their absence, a whole-time director;
      • the company secretary; and
      • the chief financial officer (CFO);
  • where there are no key managerial personnel, such director or directors as are specified by the board on its behalf who have given their consent in writing to the board to such specification, or all of the directors if no director is so specified;
  • any person in accordance with whose advice, directions or instructions the board of directors of the company is accustomed to act, other than a person who gives advice to the board in a professional capacity;
  • any person who, under the immediate authority of the board or any key managerial personnel, is charged with any responsibility including maintenance, filing or distribution of accounts or records, and who authorises, actively participates in, knowingly permits or knowingly fails to take active steps to prevent, any default;
  • in respect of a contravention of any of the provisions of the Act, any director who is aware of a contravention by virtue of receiving any proceedings of the board or participating in such proceedings without objecting to the same, or where such contravention had taken place with their consent or connivance; and
  • in respect of the issue or transfer of any shares of a company, the share transfer agents, registrars and merchant bankers to the issue or transfer.

Section 439 of the Act provides that, notwithstanding anything contained in the Code of Criminal Procedure 1973, every offence under the Act shall be deemed to be non-cognisable within the meaning of the Code of Criminal Procedure and that no court (as defined under the 2013 Act) shall take cognisance of any offence under the Act that is alleged to have been committed by any company or any officer thereof, except on the complaint in writing of the companies registrar, a shareholder of the company or a person authorised by central government.

In Anath Bandhu Samanta v Corporation of Calcutta (AIR 1952 Cal 759), the Calcutta High Court held that there is nothing in Indian law that precludes the trial of a company for an offence except where it was physically impossible for the company to have committed the offence in question; mens rea is essential. Furthermore, if the only punishment for the offence in question is imprisonment, a company can be tried for that offence and, if found guilty, punished by imposing a suitable fine.

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

There is no such defence for corporate compliance under Indian law. Every undertaking needs to comply with applicable laws. As is the case under common law principles, ignorance of law is no justification for non-compliance, and corporate entities and their management bodies are required to be aware of the various compliances demanded of them.

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures.

The Satyam case

The fraud committed by Ramalinga Raju and Satyam Computers is the biggest corporate fraud in India and it is also an example of failure of corporate governance. On 24 June 1987, Satyam Computer Services Ltd (popularly known as Satyam) was incorporated by the two brothers, B. Rama Raju and B. Ramalinga Raju, as a private limited company with just 20 employees for providing software development and consultancy services to large corporations (the company went public in 1991). In 1996, the company promoted three more subsidiaries including Satyam Renaissance Consulting Ltd, Satyam Enterprise Solutions Pvt Ltd and Satyam Infoway Pvt Ltd. In 2001, Satyam became the world’s first ISO 9001:2000 company certified by Bureau Veritas Quality International. In 2003, Satyam started providing IT services to the World Bank and signed a long-term contract with them. In 2005, Satyam was ranked third in the Corporate Governance Survey by Global Institutional Investors.

Suddenly, on 7 January 2009, B. Ramalinga Raju confessed to more than 78 billion rupees worth of financial fraud and he resigned as chairman of Satyam. His emotionally charged four-and-a-half-page letter of startling revelations shook the entire corporate world when he admitted to cooking the accounts and inflating the figures by 50.4 billion rupees. He committed this fraud and tried to hush it up through an abortive bid to purchase Maytas Infra, a company he had created and that was run by his son Teja Raju. A week after his scandalous confession, Satyam’s auditors Price Waterhouse finally admitted that its audit report was wrong as it was based on incorrect financial statements provided by Satyam’s management. On 22 January 2009, Satyam’s CFO Srinivas Vadlamani confessed to having inflated the number of employees by 10,000. He told Criminal Investigation Department officials interrogating him that this helped in drawing approximately 200 million rupees per month from the related but fictitious salary accounts. Satyam had inflated the revenue of the company by infusing false and fictitious sales invoices and shown the amount received and deposited as fixed deposits in various scheduled banks.

The Sahara case

The Sahara Group was accused of failing to refund over 200 billion rupees that it had collected from more than 30 million small investors through two unlisted companies of Sahara. In 2011, SEBI ordered Sahara to refund this amount with interest to the investors, as the issue was not in compliance with the requirements applicable to the public offerings of securities. Later, in 2014, Mr Subrata Roy, the chairman of Sahara, was arrested for the said fraud. His proposal to settle the matter was rejected by the court and SEBI.

Punjab National Bank (PNB) fraud case

India’s second largest state-owned lender Punjab National Bank (PNB) disclosed on 14 February 2018 that it was the victim of the country’s largest bank fraud. PNB revealed that fraudulent transactions by billionaire jeweller Nirav Modi and related entities (ie, M/s Diamonds R Us, M/s Solar Exports and M/s Stellar Diamonds) amounted to US$1.77 billion or over 110 billion rupees.

In a complaint to the Central Bureau of Investigation, PNB said that Modi and the companies linked to him colluded with its officials to get guarantees or letters of undertaking to help fund buyer’s credit from other overseas banks. PNB alleged that the funds, ostensibly raised for the purchase and sale of diamonds, were not used for that purpose. Later, it was revealed that the fraud extended past PNB to other lenders such as State Bank of India, Union Bank, Axis Bank Ltd and Allahabad Bank, all of whom had exposure to the case. The preliminary investigations showed two officials of the bank had fraudulently issued letters of undertaking to the said firms without following the due process. These fraudulent letters of undertaking were then transmitted across the Society for Worldwide Interbank Financial Telecommunications (SWIFT) messaging system, and based on these, credit was offered to the said firms.

This case is the most recent classic example of risk and compliance management failure by PNB, and several bankers wonder how the delinking of SWIFT from Core Banking Solution could have been achieved without it being detected by the bank’s information technology department. This suggests a possible breach of the security system (eg, passwords and authentication), and the fact that the approval for issuance of letters of undertaking was forged for such huge amounts without it being captured in the system or red-flagged indicates a major failure of the internal control systems of PNB.

In light of the above, it is pertinent to note that a company’s system of internal control reflects its control environment and should be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment. Internal controls are the core of a company’s corporate governance practice and the main means of controlling, offsetting and mitigating most types of risk, especially those associated with reckless and fraudulent financial decisions.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

Yes, there are risk and compliance management obligations for government, government agencies and state-owned enterprises. The Department of Public Enterprises (DPE) has issued mandatory governance guidelines to Central Public Sector enterprises and state-owned enterprises.

For example, the DPE requires Central Public Sector enterprises to submit quarterly progress reports with regard to compliance with corporate governance guidelines. Further, the guidelines also require the Administrative Ministries to consolidate the information received from such enterprises and submit a comprehensive report on the status of compliance with corporate governance guidelines to the DPE.

In addition to the above, the DPE also provides for certain other policies to regulate risk and compliance management that include but are not limited to personnel policies, vigilance policies, financial policies, corporate social responsibility, etc.

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

The introduction of the Companies Act 2013 has imposed on private companies certain additional compliance requirements that, until then, were mandated only for public companies and private companies that are subsidiaries of public companies. These include the following:

  • appointment of director to be voted individually;
  • option to adopt principle of proportional representation for appointment of directors; and
  • the provisions pertaining to the ineligibility for appointment of director are also extended to cover appointment or reappointment of a director in a private limited company.

Certain provisions of clause 49 of the Listing Agreement are very specific with regard to risk and compliance management obligations for public companies. Clause 49 I(D) of the Listing Agreement with the stock exchanges requires companies to institute a code of ethics for the board and senior management and affirm compliance with the same on an annual basis. Although institution of the whistle-blower mechanism is not mandatory at present, clause 49 II(D) requires an audit committee to review procedures for the receipt, retention and treatment of complaints (including confidential and anonymous submissions by employees) received regarding accounting, internal accounting controls or auditing matters, providing for adequate safeguards against victimisation of employees who avail of the mechanism and also providing for direct access to the chairman of the audit committee in exceptional cases. The stock exchanges’ corporate governance listing standards require listed companies to incorporate the code of ethics for directors and senior management and public disclosure of the code on the company’s website. The guidelines changed focus away from compliance toward a broader assessment of corporate efforts to create an ethical and organisational culture.

Schedule IV, read with section 149(8) of the Companies Act 2013, lays down the code for professional conduct for independent directors. The duties of an independent director elaborated in Part III of Schedule IV include ascertaining and ensuring that the company has an adequate and functional vigil mechanism and that the interests of the persons using it are not harmed. The independent directors are also entrusted with the task of reporting concerns over unethical behaviour, actual or suspected fraud or violation of the company’s code of conduct or ethics policy. Such changes made by the Act with regard to governance, transparency, disclosures, the position of the serious fraud investigation office, etc, under section 211 of the Companies Act 2013 are expected to make companies shift from being complacent to playing compliant roles.

In particular, the amended guidelines require boards of directors and executives to assume responsibility for the oversight and management of ethics and compliance programmes. The provisions will help in developing a valuable framework for the design of effective ethics and compliance programmes.

Update and trends

The Companies Act 2013 has put a greater emphasis on corporate governance measures through the different provisions that are incorporated within it.