Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Although India is still awaiting comprehensive legal guidelines on corporate risk and compliance management, compliance with labour, industrial, financial and corporate laws has in recent times gathered enormous momentum within the corporate sector.

Labour compliance

As India has a significant labour force, one of the major challenges for any company in the corporate sector is labour compliance. Labour law is considered a ‘specialised area’, and non-compliance with labour laws carries considerable legal implications and risks.

To keep up with emerging needs in corporate risk and compliance management, companies in India need to establish effective contract management with their employees and any other related third parties in accordance with the provisions of the Indian Contract Act 1872.

Another integral part of corporate risk and compliance management that has recently emerged in India is the pre-emptive screening of employees. There are no dedicated laws governing the pre-emptive screening of employees in India; hence, there is no legal requirement to conduct background checks on prospective employees, except in certain cases (such as banks and schools) under notifications issued by various state governments within the country.

Financial compliance

In the wake of the Satyam scandal (a high-profile corporate scandal affecting India-based company Satyam Computer Services in 2009 wherein the chairman, Mr Ramalinga Raju, confessed to having manipulated the accounts to the tune of 70 billion rupees) along with the collapse of some of the largest companies in the world, India has brought in stringent financial compliance that is to be strictly adhered to by every company. It is a well-known fact that India as a country has a complex and bureaucratic accounting, tax and regulatory system, which makes it an onerous challenge for all companies to remain compliant with each and every financial compliance required by the applicable laws. However, the government has from time to time relaxed many such regulations for ease of business and attracting foreign investments. For example, the Goods and Services Tax regime was introduced in India on 1 July 2017 by subsuming dozens of state and central indirect taxes to transform India into a single market and thus promote the ease of doing business in India.

Corporate compliance

Besides compliance with labour and financial laws, companies are also required to strictly adhere to all corporate compliance requirements under various other laws including, but not limited to, the Companies Act 2013, Reserve Bank of India guidelines, the Foreign Exchange Management Act 1999 and the Securities and Exchange Board of India Act 1992. However, the government has deregulated and relaxed various laws for ease of business and to promote foreign investment in India. For example, foreign direct investment in ‘single brand retail trading’ has recently been allowed up to 100 per cent under the automatic route.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Given the plethora of labour, financial and corporate laws in India that a company is required to comply with, the laws and regulations listed below are those that we believe must be complied with as the highest priority in each sector.

Labour law

The central acts that a company is required to strictly adhere to include, but are not limited to, the following:

  • the Industrial Disputes Act 1947;
  • the Employees State Insurance Act 1948;
  • the Employees’ Provident Funds and Miscellaneous Provisions Act 1952;
  • the Payment of Bonus Act 1965;
  • the Factories Act 1948;
  • the Contract Labour (Regulation and Abolition) Act 1970;
  • the Child Labour (Prohibition and Regulation) Act 1986;
  • the Maternity Benefit Act 1961;
  • the Payment of Gratuity Act 1972; and
  • the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act 2013.

In addition to the abovementioned acts, companies are required to adhere to certain state-specific acts, such as the Professional Tax Act and the Shops and Establishment Act, as applicable in the particular state.

Financial and corporate compliance

When it comes to corporate and financial compliance, both compliance and risk management go hand in hand. Below are some of the specific regulations that are to be adhered to at the highest priority:

  • the Companies Act 2013;
  • the Income Tax Act 1961;
  • the Reserve Bank of India and its subsequent guidelines;
  • the Banking Regulation Act 1949;
  • the Foreign Exchange Management Act 1999;
  • the Securities and Exchange Board of India Act 1992 and its subsequent guidelines; and
  • the Goods and Services Tax Act 2017.

The Competition Act 2002 also lays down several provisions to promote fair competition in the market and mitigate business-related risks, though its applicability is dependent upon certain thresholds, which are enumerated under this legislation.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

There are no specific standards or guidelines regarding risk and compliance management processes in India. However, the same has been laid down in various forms of law and regulation. For example, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 state that companies must have ‘reasonable security practices and procedures’ and that companies are deemed in compliance if they have a documented security programme with managerial, technical, organisational and physical controls. ISO 27001 is provided as a reference standard.

The basic guidelines for risk and compliance management processes are:

  • reporting: the reports from management to the board should, in relation to the areas covered by them, provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing the risks. Any significant control failings or weaknesses identified should be discussed in the reports, including the impact that they have had, or may have, on the company and the actions being taken to rectify them; and
  • roles and responsibilities: all employees have some responsibility for internal control as part of their accountability for achieving objectives. The employees collectively should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control.

A strong risk and compliance management system framework can mitigate risks if it can:

  • identify the risk inherent in achieving goals and objectives;
  • establish risk appetite across the entire risk spectrum;
  • establish and communicate risk management frameworks;
  • build accurate and consistent risk assessment;
  • establish and implement measurement reporting standards and methodologies;
  • build a risk profile;
  • establish the key control processes, practices and reporting requirements;
  • monitor the effectiveness of control;
  • ensure all the exposures are adequately identified, measured and managed in accordance with board-approved frameworks;
  • provide early warning signals;
  • ensure risk management practices are adequate and appropriate for managing the risks;
  • report areas of stress where crystallisation of risks is imminent;
  • present remedial actions to reduce or mitigate such risks;
  • report on sensitive and key risk indicators;
  • communicate with relevant parties;
  • review and challenge all aspects of the company’s risk profile;
  • advise on optimising and improving the company’s risk profile; and
  • review and challenge risk management practices.

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Yes, as explained above, undertakings operating in India are subject to risk and compliance governance obligations. As per section 134(5)(f) of the Companies Act 2013, the directors have to state in the yearly directors’ responsibility statement that they have devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.

On failure to comply with the above requirement, the company shall be punishable with fines ranging from 50,000 rupees to 2.5 million rupees and every officer of the company who is in default shall be punished with imprisonment for a term of up to three years or with a fine ranging from 50,000 rupees to 500,000 rupees, or with both.

Further, corporate governance lays down the foundation of a properly structured board and strives for a healthy balance between management and ownership that is capable of taking independent decisions for creating long-term trust between the company and external stakeholders of the company. It creates space for open dialogue by incorporating transparency and fair play in strategic operations of the corporate management. The significance of corporate governance lies in:

  • accountability of management to shareholders and other stakeholders;
  • transparency in basic operations of the company and integrity in financial reports produced by the company;
  • checks and balances as an integral part of good corporate governance;
  • adherence to the rules of the company in letter and spirit;
  • code of responsibility for directors and employees of the company; and
  • open dialogue between management and stakeholders of the company.

What are the key risk and compliance management obligations of undertakings?

Key compliances under the Companies Act 2013 are as follows:

  • consolidated financial statements are to be prepared where a company has subsidiaries and associates. Intermediary subsidiaries are exempted provided the shareholders of the parent have consented to this;
  • a uniform financial year, April to March, has been implemented for all companies. Specific approvals for deviation can be obtained from the National Company Law Tribunal for certain classes of companies;
  • as per section 138 of the Act and Rule 13 of the Companies (Accounts) Rules 2014, the following companies are required to appoint an internal auditor in a board meeting:
      • listed companies;
      • a public company with a paid-up share capital of more than 500 million rupees and a turnover of 2 billion rupees, loans and borrowings of more than 1 billion rupees and outstanding deposits of more than 250 million rupees; and
      • a private company with a turnover of 2 billion rupees, loans and borrowings of more than 1 billion rupees;
  • the provisions on reporting fraud are laid down under section 143(12) of the Act and provide that if the auditor of a company, in the course of the performance of their duties as auditor, has reason to believe that an offence involving fraud is being or has been committed against the company by officers or employees of the company, they shall report the matter to the central government;
  • as per section 204(1) of the Act, read with Rule 9 of the Companies (Appointment and Remuneration of Managerial Personnel) Rules 2014, the following companies are required to obtain a secretarial audit report:
      • every listed company;
      • every public company having a paid-up share capital of 500 million rupees or more; and
      • every public company having a turnover of 2.55 billion rupees or more.

Key compliances under the Foreign Exchange Management Act 1999:

  • a foreign liabilities and assets return must be submitted by all companies resident in India that have received foreign direct investment or made outward direct investment (ODI) in any previous year or in the current year; in other words, by every company that holds foreign assets or liabilities in its financial statements as of 31 March; and
  • an Indian party or resident individual that has made an ODI has to submit an annual performance report in Form ODI Part II to the authorised dealer bank by 31 December every year in respect of each joint venture or wholly owned subsidiary outside India.

Key compliances under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Data Protection Rules):

  • any person or entity that collects, receives, stores, processes or handles personal or sensitive personal information must provide a privacy policy on the company’s website that should be accessible to the provider of information;
  • the Data Protection Rules mandate companies to obtain express consent from the provider of sensitive personal information regarding the purpose and use of the information. The consent can be obtained through any electronic media;
  • the company should ensure that the data providers are made aware of the purpose for which the sensitive personal information is collected, the intended recipients of the information, the agency collecting the information, the agency retaining the information, etc. Further, the data provider should be given an option not to provide the information or to revise or withdraw the information;
  • the companies must have ‘reasonable security practices and procedures’. The companies are deemed in compliance if they have a documented security programme with managerial, technical, organisational and physical controls. ISO 27001 is provided as a reference standard; and
  • all discrepancies or grievances reported to companies must be addressed in a timely manner. Companies must appoint a grievance officer and publish their name and contact details on the company’s website. The grievance officer must redress all the data subjects’ grievances within one month of receiving the grievance.