Archive for the ‘Security and Compliance’ category

Security – major threats revealed – August 2015

August 8th, 2015

A major vulnerability plaguing Firefox has Mozilla warning users to update the Web browser to Firefox 39.0.3 to fix the vulnerability. The browser is set to automatically update by default, but users should manually check to ensure that the update has indeed gone through.
An advertisement on a news Web site in Russia was offering an exploit for the browser that searched for specific, sensitive files, before uploading those to a server that appeared to be located in the Ukraine.
The vulnerability allows hackers to violate the browser’s same-origin policy and inject script into a non-privileged part of Firefox’s built-in PDF viewer. The same-origin policy is a browser security rule under which scripts running in one Web page may access data from a second page only if both pages come from the same origin. The bug allows an attacker to read and steal sensitive local files on the victim’s computer.
Mozilla said that since the vulnerability is specific to its PDF Viewer, versions of the browser that do not contain the PDF Viewer, such as Firefox for Android, are not at risk.
The company said that the exploit leaves no trace of itself on the local machine, making it difficult for users to know if their files had been compromised. Mozilla urged users running Firefox on Windows and Linux systems to change any passwords and keys for programs targeted by the exploit. Mac users were not vulnerable to the particular exploit found in the wild, but would be vulnerable if another hacker designed a payload targeting Macs.
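To make the same-origin rule concrete, here is an added Python example (not from the original post and not Mozilla’s code) that computes a URL’s origin as its scheme, host and effective port, and models the browser’s allow/deny decision. The `check_access` function, and its rule that a web origin can never reach a `file:` URL, are this example’s own simplification of the boundary the PDF viewer bug let an attacker cross.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Ports a browser assumes when the URL omits one (table constructed for this example).
DEFAULT_PORTS = {"http": 80, "https": 443}

Origin = Tuple[str, str, Optional[int]]


def origin_of(url: str) -> Origin:
    """Return the (scheme, host, port) triple that defines a URL's origin.

    Path, query and fragment are deliberately ignored: two pages on the same
    site are same-origin whatever their paths, while two different hosts are
    different origins even when their pages look identical.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and effective port all match."""
    return origin_of(url_a) == origin_of(url_b)


def check_access(requesting_page: str, target_resource: str) -> str:
    """Model the browser's decision for a script in requesting_page that
    tries to read target_resource.

    Hypothetical simplification for this example: a web origin is never
    allowed to read a file: URL, regardless of any other comparison.
    """
    if origin_of(target_resource)[0] == "file":
        return "deny"
    return "allow" if same_origin(requesting_page, target_resource) else "deny"


if __name__ == "__main__":
    print(check_access("https://example.com/page", "https://example.com/api"))   # allow
    print(check_access("https://example.com/page", "https://example.com:8443/"))  # deny: port differs
    print(check_access("https://example.com/page", "file:///etc/passwd"))         # deny: local file
```

Note that `https://example.com` and `https://example.com:443` compare equal because the default port is filled in, while `http://` and `https://` versions of the same host do not: a scheme change alone is a different origin.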

Firefox users on Windows machines should change the passwords stored in the following files: subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients.

Linux users, meanwhile, should change passwords associated with global configuration files such as /etc/passwd, user directories including .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.

Before the dust has had a chance to settle on one major security flaw uncovered in the Android mobile operating system, a second massive vulnerability — dubbed “Certifi-gate” — has burst onto the scene.
The new vulnerability can allow attackers to “gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations, and more,” according to Check Point. The problem cannot be completely fixed with a patch.

Check Point has a scanner app that Android users can download from the Google Play Store and run to determine whether their devices are vulnerable. The Certifi-gate vulnerability allows applications to gain illegitimate privileged access rights that are normally used to support remote applications, according to Check Point. Those applications might have come pre-installed on the device, or been intentionally downloaded by the user, but currently there is no way in Android to revoke the certificates that allow those privileged permissions.

This latest flaw “affects hundreds of millions of Android devices, as most popular OEMs (original equipment manufacturers) have collaborated with these vendors.” The same scale applies to the previously disclosed Stagefright vulnerability, which potentially affects 95 percent — about 950 million — of Android devices.

Google, Samsung and LG this week said they would start providing more frequent — about once a month — security updates for their Android devices. Google’s own Nexus devices are not affected, nor has the company seen any attempts to exploit the vulnerability.

Apple users have largely skirted the bugs, viruses and other malicious software that plague Microsoft Windows and Google’s Android. But this flaw in Apple’s OS X is serious enough to sound the alarm.
German security researcher Stefan Esser published details of a zero-day vulnerability in OS X without telling Apple first, and hackers moved quickly to exploit the flaw. The exploit seen in the wild is an adware installer that modifies a file controlling who can run which commands on a machine; the modification was observed while the researcher Thomas was testing it.

The Sudoers File

The sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.
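As an added defender-side example (not from the original post), the following Python script parses sudoers-format text and flags the kind of entry described above: a rule that grants any command as root with no password. The sample sudoers content is constructed for the demonstration, and the list of expected admin principals is an assumption to adapt per host.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample in sudoers syntax (not taken from any real host). The
# "ALL ... NOPASSWD: ALL" rule is the kind of change described above: every
# user may run every command as root, and no password is ever asked for.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
ALL     ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp
#includedir /etc/sudoers.d
"""

# One user specification: <who> <host>=(<runas>) [TAG: ...] <command list>
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmnd>.+)$"
)
TAG = re.compile(r"^([A-Z_]+):\s*")
SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Return the user specifications found in sudoers-format text.

    Comments, blank lines, Defaults and alias definitions are skipped; a
    full parser would also follow #include / #includedir directives.
    """
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        cmnd = m.group("cmnd").strip()
        tags: List[str] = []
        while (t := TAG.match(cmnd)):  # peel off NOPASSWD:, NOEXEC:, ... prefixes
            tags.append(t.group(1))
            cmnd = cmnd[t.end():]
        entries.append({
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",  # sudo's default target user
            "tags": tags,
            "cmnd": cmnd.strip(),
        })
    return entries


def audit_sudoers(text: str, expected_admins: Sequence[str] = ("root", "%admin", "%wheel")) -> List[str]:
    """Rank each rule by how much unchecked root access it hands out.

    expected_admins is an assumption for this example: the principals an
    administrator knows should legitimately be able to run ALL as root.
    """
    findings: List[str] = []
    for e in parse_sudoers(text):
        passwordless = "NOPASSWD" in e["tags"]
        if passwordless and e["cmnd"] == "ALL":
            findings.append(f"CRITICAL: '{e['who']}' may run any command as {e['runas']} without a password")
        elif e["who"] == "ALL":
            findings.append(f"HIGH: rule matches every user on the system: {e['cmnd']}")
        elif e["cmnd"] == "ALL" and e["who"] not in expected_admins:
            findings.append(f"MEDIUM: '{e['who']}' is not an expected admin but may run ALL")
        elif passwordless:
            findings.append(f"LOW: '{e['who']}' runs {e['cmnd']} without a password; confirm it is intended")
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On a real machine, feed the script the contents of /etc/sudoers and every file under /etc/sudoers.d, and pair it with `visudo -c`, which validates the syntax but says nothing about whether a rule is sensible; the audit above is what catches a syntactically valid but dangerous line.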

The worst part is that Apple has reportedly known about the zero-day vulnerability for quite some time, because another security researcher had disclosed it previously.
There is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.
Another Apple bug, Thunderstrike 2, which will be revealed at the Black Hat security conference in Las Vegas this week, is more concerning. That’s because firmware bugs cause lots of headaches for both regular and advanced users, and are almost always harder to eradicate than any other kind of bug.

A massive hack infiltrated Yahoo’s ad network for at least seven days, according to the official security blog of Malwarebytes, the anti-malware company that discovered the attack and immediately notified the search company. With more than 6.9 billion visitors to Yahoo’s Web site every month, the attack, which began on July 28, constitutes one of the farthest-reaching malware attacks ever recorded.
The hackers pulled off the attack using Web sites for Microsoft Azure, a cloud computing platform and infrastructure used for building, managing, and deploying applications and services. The scam worked by redirecting users to an Angler exploit kit, off-the-shelf software containing easy-to-use packaged attacks on known and unknown vulnerabilities.

Malicious ads do not require any type of user interaction to execute their payloads. Just visiting a Web site that contains malicious advertisements can be enough to trigger an infection.
Yahoo said it took immediate action when it learned of the campaign, and would continue to investigate it in the future. Because of the large number of visitors to Yahoo sites, it is difficult to know exactly how many Internet users have been affected.

The subtlety of a malvertising attack, combined with the complexity of the Internet advertising market, makes it a difficult security challenge to overcome. That might be part of the reason such attacks are increasing. The number of malvertising attacks spiked in the first half of this year, registering a 260 percent increase over the same period in 2014.

“The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware,” said James Pleger, director of research at RiskIQ. “There are a number of reasons for this development, including the fact that malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on Web sites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.”

“This machine-to-machine ecosystem has also created opportunities for cybercriminals to exploit display advertising to distribute malware,” according to the company. “For example, malicious code can be hidden within an ad, executables can be embedded on a Web page, or bundled within software downloads.”

Management Reporter Updates and tips – Synergy Software Systems, Dubai

June 18th, 2015

This video describes how to create side by side reports with Management Reporter

Management Reporter offers a variety of formatting tools to automate reporting and to quickly put reports in the hands of stakeholders. This video introduces the ability to add dynamic report headers to calculated columns, to avoid having to manually edit report headers before generating a report. This is especially useful for consolidated information and rolling fiscal reports.

This video describes how to suppress drill-down on specific lines of a report in Management Reporter. For example, you may not want to allow drill-down on salary details.

MR CU12 was initially released for the USA in April and is now available for all regions.
It contains all of the enhancements and bug fixes from hotfixes 1-4, including:
• Indication of currently active reporting tree node
• Added the ability to use BASE+1:12 in the column definition
• Report generation performance improvements
• Additional fixes for product defects

HF1, HF2, HF3, HF4
As well as the additional fixes that were added post-HF4:
• Ability to exclude NP rows from exporting to Excel by disabling the export of formulas
• Ability to export NP rows at the Account and Transaction detail levels
• Additional fixes for exporting to Excel where you would receive an operand error when exporting with formulas enabled
• Additional fixes for product defects
Version Information: Management Reporter CU12 RTM – 2.1.12000.26

Management Reporter bugs are now visible in Lifecycle Services (LCS) Issue search. Issue search is another great tool within LCS to help with troubleshooting. Currently both Microsoft Dynamics AX and Management Reporter bugs are searchable.

For Management Reporter, bugs will be visible through LCS when they are triaged to be fixed. Additional updates in LCS will occur when either a cumulative update or hotfix is available to fix the issue. To see a list of current known issues, you can search for “known issue” and restrict the product to Management Reporter 2012.

In order to access Issue search, you can do the following:

1. Navigate to

2. Click Sign in

Note: You must use the same credentials that you use to access CustomerSource or PartnerSource. If you don’t have access to CustomerSource, then you will only have access to an evaluation version of LCS, which does not include Issue search.

3. Accept the Microsoft Online Services Agreement if you haven’t already signed in before

4. Create a project

5. Click the + button under Recent projects to create a new project

6. Fill out the project details including Name, Product name, Product version, Industry, and Methodology. Any settings should be fine as long as you don’t select a pre-sales type of project

7. Scroll to the right and select Issue search

8. Begin searching

Synergy Software Systems, Dubai – in top 5% of Microsoft Enterprise Resource Partners

June 17th, 2015

We received confirmation from Microsoft of our attainment of the new Enterprise Resource Competency, which has been attained by less than 5% of the Microsoft Global Partner Network.

That’s why you can be assured of a successful Synergy Software Systems implementation: a 100% track record of successful projects with Dynamics Ax since we started the practice in 2003. It’s also why the Highest Customer Satisfaction Award for 2014 has Synergy’s name on it.

We are proud of our professionals.

We receive similar accolades across our solutions. For years the word in the hospitality industry has been “go with Synergy and sleep at night”, which is why many of our Sunsystems customers have been loyal for over 15 years.

Value ultimately comes from competence and attitude, and the results consistently show that the right partner will give the right solution, service, support and price, and deliver the right value.

Adoption of Basel Regulatory Framework 8th progress report

June 14th, 2015

The Basel Committee on Banking Supervision (BCBS) has updated and published its eighth progress report on adoption of the Basel regulatory framework as of end-March 2015.
BCBS’ monitoring reports have been published semi-annually since 2011 and focus on the status of domestic rule-making processes to ensure that the Committee’s capital standards are implemented in jurisdictions according to internationally agreed timeframes.
The Basel III framework builds on and enhances the regulatory framework set out under Basel II and Basel 2.5.

Leverage ratio: In January 2014, the Basel Committee issued the Basel III leverage ratio framework and disclosure requirements following endorsement by its governing body, the Group of Central Bank Governors and Heads of Supervision (GHOS). Implementation of the leverage ratio requirements has begun with bank-level reporting to national supervisors and public disclosure on 1 January 2015.

Net stable funding ratio: In October 2014, the Basel Committee issued the final standard for the net stable funding ratio (NSFR). In line with the timeline specified in the 2010 publication of the liquidity risk framework, the NSFR will become a minimum standard by 1 January 2018. The monitoring of the status of adoption of the NSFR is planned to start with the next progress report in October 2015.

The only GCC jurisdiction reviewed in the report was Saudi Arabia.
SAMA, through its Circular # 351000133367 of 25 August 2014, issued its final guidance document on the Leverage Ratio disclosure requirements. The aforementioned SAMA Circular is effective from January 2015.
The D-SIB framework has been finalised and the relevant regulation has been issued for implementation by January 2016 through SAMA Circular # 351000138356 (issued in September 2014).

Allegion announce a new release of the IF-6020 – version 1.79

June 1st, 2015

The IF-6020 version 1.79 was released on May 29, 2015.

In addition to the implementation of features that enhance the performance of the system, note:

IF-6020 version 1.79
1. The number of person record fields is increased. As of version 1.79, it is possible to enter longer remarks in the fields on the new “Info 4″ tab in the person record.

2. Visitor management in the WebClient is optimized, so work processes are more clearly structured and more effective.

3. The number of reports is increased from 100 to 1000.

4. The escalation check is enhanced to include month accounts. For example, according to a company agreement, only two flexitime days are allowed to be taken per month. If a request is made for three days, a reject message is returned.

5. Support of new technologies: MS SQL Server 2014, Oracle 12g and Windows 8.1 are now also supported.

Known bugs have also been fixed.

Microsoft Azure Stack announced this week at Microsoft Ignite 2015

May 6th, 2015

At Microsoft Ignite this week, the company announced that it is making available a version of Azure that can be hosted in your own datacenter.
The new software, called Microsoft Azure Stack allows you to run your own version of the company’s cloud platform on your own servers. The idea is that you’ll be able to use the same application development and deployment techniques from the hosted cloud platform on your own terms.
Azure Stack is essentially everything you see on the hosted version of the company’s cloud service, including the portal, in a single package for running on premise. The software will be available for the first time “this summer.”

Microsoft’s competitors, such as Amazon’s EC2 and Google Cloud Compute, don’t provide offerings for hosting your own service.

Summary of a TechNet guest post by Mike Neil, General Manager for Windows Server, Microsoft, from the Microsoft Ignite conference in Chicago:

Hybrid cloud is an ideal solution for many organizations bringing together the agility of public cloud and the control of on-premises systems.
“Today, we are announcing several new solutions that will continue to expand the industry’s most complete cloud:
• Microsoft Azure Stack, a next generation cloud infrastructure that brings Azure IaaS and PaaS capabilities to customers’ datacenters.
• Windows Server 2016 and System Center 2016, the next versions of the popular application platform and management solutions.
• Microsoft Operations Management Suite, a new hybrid management solution that helps you manage your corporate workloads no matter where they run: Azure, AWS, Windows Server, Linux, VMware, or OpenStack.”

Building Hybrid Clouds
Microsoft is the only cloud vendor that both builds, and runs its own hyper-scale datacenters and delivers that same technology back to customers’ and partners’ datacenters.

Next wave of cloud infrastructure.
Microsoft Azure Stack
- Microsoft Azure Stack delivers IaaS and PaaS services into your datacenter
- Easily blend enterprise applications such as SQL Server, SharePoint, and Exchange with modern distributed applications and services while maintaining centralized oversight.
- Azure Resource Manager (just released in preview last week) gives consistent application deployments every time, whether provisioned to Azure in the public cloud or to Azure Stack in a datacenter environment. This approach is unique in the industry and gives developers the flexibility to create applications once and then decide where to deploy them later – all with role-based access control to meet your compliance needs.

- Azure Stack includes a scalable and flexible software-defined Network Controller and Storage Spaces Direct with automated sync and failover.
- Shielded VMs and Guarded Hosts bring “zero-trust” software-defined security to your private cloud: securely segment organizations and workloads, and centrally control and monitor access and administration rights.

Preview Azure Stack starting this summer.

New Technical Preview of Windows Server 2016 – Now Available
The next version of Windows Server will introduce Windows Server Containers and Hyper-V Containers (expected in the third Technical Preview of Windows Server 2016 this summer).

Windows Server 2016 will also offer Azure Service Fabric, a platform for building and hosting application services that automatically scale and heal, bringing you the same underlying technology used to power highly scalable services like Skype for Business, Azure SQL Database, and Cortana.
The second Technical Preview of Windows Server 2016 offers a first look at Nano Server. It also extends the advanced virtualization features:
• Rolling upgrades for Hyper-V and Storage clusters for even faster adoption of new updates and operating systems.
• Compute resiliency so virtual machines (VMs) continue running even if the compute cluster fabric service fails.
• Storage Replica updates for synchronous storage replication for affordable backup and disaster recovery.

Managing a Hybrid World
Today’s hybrid reality means applications and data are spread across multiple vendors’ environments. While you may not control all the platforms they run on you still need to manage and control these assets to help your organization meet business, compliance and regulatory needs.
Microsoft Operations Management Suite (OMS)
OMS now extends your System Center investments and Microsoft best practices to simplify management of your assets at a lower cost than competitive solutions, wherever they live:
- any instance (physical, virtual or container)
- any cloud, including your data center, Azure, AWS, Windows Server, Linux, VMware, and OpenStack.
OMS tracks and manages:
Log Analytics: collect and search millions of records in seconds across thousands of machines to identify the root cause of operational issues.
Security: identify malware status and missing system updates, and collect security related events to perform forensic, audit and breach analysis.
Availability: enable application and data protection for all servers and applications, no matter where they reside with cloud-based backup and site recovery.
Automation: orchestrate complex and repetitive operations for more efficient and cost-effective hybrid cloud management.

Expect cloud-based patching, inventory, alerting, container management, and more later in the year.

New Technical Preview of System Center 2016 – Available This Week
System Center 2016 has new provisioning, monitoring and automation capabilities for your software-defined datacenter. It adds:
• Improved Linux management, including Desired State Configuration (DSC) support, native SSH support, and improved LAMP stack monitoring.
• Software Defined Datacenter management, including mixed mode cluster upgrades, enhanced Scale-Out File Server (SOFS) management, and deployment of software-defined networking (SDN) at scale.
• Powerful new monitoring for Azure, Office365, SQL Server and Exchange.

FATCA and the UAE January 2015

January 12th, 2015

The governments of the US and the UAE have reached an agreement in substance, a model 1 Intergovernmental Agreement (IGA).
The UAE has consented to disclose this status.

In accordance with this status, the text of such IGA has not been released and financial institutions in the UAE are allowed to register on the FATCA registration website consistent with the treatment of having an IGA in effect until December 31, 2014.

More than 100 countries including India, China and Russia have already entered into agreements with the US on the Foreign Account Tax Compliance Act (FATCA) and with new FATCA requirements coming into effect on 1st of January 2015 applying to U.S. and non-U.S insurers and insurance brokers, large portions of the financial services sector are being affected.

After a relatively quiet four-year ramp up, America’s global tax law is now being enforced.

FATCA requires foreign banks to reveal Americans with accounts over $50,000 and considering the risks of being frozen out of U.S. markets, everyone is complying.

Firms that fail to comply with FATCA will be subjected to a stringent 30% withholding tax on any US sourced income even if they do not have any US customers.

The compliance aspects being forced upon financial services firms globally by the US tax authorities are complex and costly. It includes amending everything, from more thorough KYC requirements to changes in the account opening processes for new customers to take into account the new information required under FATCA, and systems will have to be updated to comply with the withholding taxes if so required. Insurers and insurance brokers will have to comply with new information gathering and reporting rules when U.S. insurance and reinsurance premiums are sent outside the U.S.

A Model 1 IGA is treated as ‘in effect’ by the US Treasury as of May 21, 2014.
On 3 June 2013, the Governor of the DIFC signed a Memorandum of Understanding with the UAE Ministry of Finance which named the DIFC Registrar of Companies as the DIFC’s contact point for any international tax agreement entered into between the UAE and another country. FATCA is an example of such an agreement.

According to DIFC release as of 17 November 2014, “The reporting form will be available (for financial institutions) on the Registrar’s website at a time agreed and instructed by federal officials. Further instructions will be circulated as soon as the reporting framework is in place, and the guidance will be made available to DIFC entities as soon as it is finalised by the Ministry of Finance”.

Who will be affected by FATCA?
• Banks and deposit taking institutions;
• Trust company – Custodial institutions;
• Investment entities – those businesses involved in trading in transferable securities; money market instruments, foreign exchange derivatives etc.; individual or collective portfolio management or otherwise investing, administering or managing funds, money or financial instruments on behalf of other persons;
• Certain types of insurance companies that have cash value products or annuities;
• Family offices would be included in the definition;
• Certain holding companies or treasury centres.

FATCA objective

Disclosure of assets and income of U.S. taxpayers (US person) held with foreign financial institutions.

Definition of US person:
• a citizen or resident of the United States,
• a domestic partnership,
• a domestic corporation,
• any estate (other than a foreign estate) and
• any trust if:
1. a court within the United States is able to exercise primary supervision over the administration of the trust, and
2. one or more United States persons have the authority to control all substantial decisions of the trust.
How will financial institutions be affected?
If a Foreign Financial Institution (FFI) fails to address FATCA requirements promptly, all relevant US-sourced payments, such as dividends and interest paid by US corporations, will be subject to a 30% withholding tax.
The same 30% withholding tax will also apply to gross sale proceeds from the sale of relevant US property.
This will be inconvenient for the customers of the Foreign Financial Institution who will then need to claim refunds from the U.S. IRS after proving that they are non U.S. persons, and not liable for tax.

The definition of a Foreign Financial Institution which is an Investment Entity in Model 1 IGA covers:
• Investment managers;
• Investment advisors;
• Fund administrators.
However, the IGA includes a deemed compliant category for Investment Advisors and Managers, whereas an Investment entity established in a FATCA Partner Jurisdiction can obtain a status of Non-Reporting Financial Institution if it is a financial institution solely because it:
• Renders investment advice to, and acts on behalf of, or;
• Manages portfolios for, and acts on behalf of, a customer for the purpose of investing, managing or administering funds deposited in the name of the customer with a Financial Institution other than a Non-Participating Foreign Financial Institution (NPFFI).

It is important to note that if an Investment Advisor / Investment Manager provides services of investment advice or manages portfolios of customers whose funds are deposited with the financial institution which is non-compliant with FATCA, or is located in a jurisdiction other than a FATCA Partner jurisdiction, the DFSA regulated Investment Advisor / Investment Manager might have FATCA reporting obligation for those clients.

According to a notice from the UAE Central Bank, at the start of 2014 banks and other financial institutions in the UAE must complete the following actions to facilitate the signing of the IGA:
1. Identify customer accounts that are a “US Reportable Account”, which is defined as a financial account maintained by a reporting UAE financial institution and held by one or more specified US persons or by a non-U.S. entity with one or more controlling persons that is a specified U.S. person (implementation date: 19 November 2013).
2. Adopt FATCA’s due diligence procedures for identifying and reporting on US Reportable Accounts and for payments to certain nonparticipating financial institutions (implementation date: 1 January 2014).
3. Prepare relevant systems for establishing an electronic connection to the Central Bank’s FATCA Reporting System, currently in development. All banks and other financial institutions should expect to be contacted for this purpose during the first quarter of 2014 (implementation date: 1 March 2014).
4. Be prepared to register via the IRS portal to obtain a “Global Intermediary Identification Number” (final registration date: 1 November 2014).
5. Adopt reporting procedures specified in the IGA (first report for 2014 must be sent to the Central Bank by 1 August 2015).

The Central Bank, with help from a US law firm, will provide legal support and conduct workshops to assist banks and other financial institutions in implementing the FATCA requirements.

New FAQ on IGA registration issued by IRS

On 22 December 2014, the IRS posted updated FAQs regarding IGA Registration to the FATCA website. This update acknowledges Announcement 2014-38 and addresses whether Reporting Model 1 FFIs in certain jurisdictions need to register and obtain a Global Intermediary Identification Number (“GIIN”) before 1 January 2015. This update confirms that a jurisdiction which was treated in 2013 as if it has an IGA in effect, but which has not yet signed an IGA, retains such status beyond December 31, 2014, provided the jurisdiction continues to demonstrate firm resolve to sign the IGA that was agreed in substance.
New Form W-9 and accompanying instructions released by IRS

The IRS has published on its website a new revised version of Form W-9 (revision date December 2014) as well as the Instructions for the Requestor of Form W-9.

Ask us about BRS Analytics Regulatory reporting platform.

Qatar Financial Centre Regulatory Authority (QFCRA) – 2015 new Banking Business Prudential Rules and Investment Management and Advisory Rules

January 6th, 2015

Happy New Year!

2014 was the year of record settlements between banks and regulators with the total amount of fines and settlements globally passing USD 56 billion. The biggest single hit was the settlement of USD 16.65 billion between Bank of America and the United States Department of Justice in relation to the misleading of investors with mortgage backed securities.

Local regulators are tightening their compliance legislation. The QFCRA has introduced enhancements to its prudential framework for QFC authorised firms undertaking banking, investment management or advisory business. Two new sets of prudential rules were introduced: the Banking Business Prudential Rules 2014 and the Investment Management and Advisory Rules 2014. The new Rules come into force on 1 January 2015.

The new Banking Business Rules bring enhancements focused on the following areas:
• The Internal Capital Adequacy Assessment Process
• Capital adequacy and capital requirements
• Credit risk
• Market risk
• Interest rate risk in the banking book
• Liquidity risk
• Group risk

The new Investment Management and Advisory Rules bring enhancements focused on the Minimum paid-up share capital and liquid assets requirement, Risk management, Professional Indemnity Insurance and on the Client money and asset protection.

Prophix 11 Service Pack 3

December 17th, 2014

Oman – National Committee for Anti Money Laundering and Combating Terrorism Financing

December 14th, 2014

The National Committee for Anti Money Laundering and Combating Terrorism Financing, which held its first meeting of the year on Monday, December 8th 2014 at the Central Bank of Oman, reviewed major pertinent issues concerning anti-money laundering and counter-terrorism financing laws in the country.

Held at the CBO premises, the meeting was chaired by H.E. Hamoud bin Sangour al-Zadjali, the Executive President of the CBO, who is also the Chairman of the National Committee. All the members of the National Committee, hailing from organizations such as ROP, FIU, Public Prosecution, Ministry of Commerce & Industry, Ministry of Justice, Capital Market Authority, Ministry of Housing, and Ministry of Social Development, also attended the meeting.

The meeting discussed a number of issues listed in the agenda and took appropriate decisions in this respect. The Committee welcomed the decision of the Sultanate assuming the chairmanship of the Middle East and North Africa Financial Work Group for 2015 along with hosting the upcoming 21st General Meeting of the Group in the same year.

The Committee also reviewed the executive stance of the Technical Cooperation Program with the International Monetary Fund and the anticipated visit of the IMF experts in January 2015.

Additionally, the Committee reviewed the status quo of the project for amending the Law on Combating Money Laundering and Financing Terrorism issued under Royal Decree No. (79/2010) in addition to examining the findings of the 3rd regular follow-up report on the Law on Combating Money Laundering and Financing Terrorism in the Sultanate of Oman by the Regional Financial Work Group.

The report is an analysis of the actions taken and implemented in the Sultanate as a party to the international standards framework and the joint evaluation systems developed for combating money laundering and terrorism financing.

EU General Data Protection Regulation (GDPR) – are you ready?

December 11th, 2014

The EU General Data Protection Regulation (GDPR) was proposed in 2012 and aims to apply a single set of data protection rules across the European Union (EU) to protect users’ data.

Organisations will be expected to report a breach within 72 hours, to give data owners the right to request a copy of the personal data they hold, and to honour the right to have personal data erased.

The regulation will impose greater fines on organisations that break the law: compliance failures will carry fines of up to €100m or 5% of global turnover, whichever is greater.

The proposed regulations are planned to begin at the end of 2014, coming into effect over the next two years.

A recent survey from network management and monitoring software specialist Ipswitch showed that:
- over half of employees could not accurately describe GDPR
- 52% admitted their firms were not ready for the changes the regulations might bring.

FATF guidance – risk based approach for banks – Synergy Software Systems

November 4th, 2014

The FATF has adopted guidance which will help in the design and implementation of the risk-based approach for the banking sector, taking into account national risk assessments and the national legal and regulatory framework.

The risk-based approach is an essential component of the effective implementation of the FATF Recommendations. Countries, competent authorities and reporting entities are expected to identify, assess and understand the money laundering / terrorist financing risks they are exposed to so that they can develop the risk-based measures to mitigate these risks.

Basel Core Principles (elements of supervision):

Principle 1 Responsibilities, objectives and powers:
An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups. A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorise banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.

Principle 2 Independence, accountability, resourcing and legal protection for
The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor.

Principle 3 Cooperation and collaboration:
Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.

Principle 5 Licensing criteria:
The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management) of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organisation is a foreign bank, the prior consent of its home supervisor is obtained.

Talk to us to find out how BRSAnalytics can help you clearly demonstrate effective robust management of governance and compliance.

Leverage Ratio Standards for Kuwaiti banks

November 4th, 2014

Mohammad Y. Al-Hashel, Governor of the Central Bank of Kuwait (CBK) recently announced that CBK’s Board of Directors has approved the instructions for implementing the Leverage Ratio Standards to Kuwaiti banks, both conventional and Islamic.

The implementation of the Leverage Ratio Standards comes within the framework of the CBK’s measures to fully apply the international regulatory framework for banks (Basel III) reforms and guidelines. It also aims to keep abreast of developments in the field of bank supervision. Al-Hashel reiterated that the CBK is firmly committed to completing the implementation of the Basel III reforms and guidelines.

The leverage ratio is the proportion of debt that a bank has compared to its equity/capital.

The Governor pointed out that the CBK, through the new instructions, seeks to curb the accumulation of leverage ratio in the banking sector which could put pressures on the financial system or the whole economy. It also aims to boost capital adequacy requirements.

Under the new instructions, a bank’s leverage ratio should not exceed three percent. The new instruction is effective 31 December 2014.

The CBK is moving forward toward accomplishing the other standards of the Basel III set of reforms, such as the liquidity ratio standards, according to a well-planned schedule and taking into consideration the outcomes of the comprehensive quantitative impact study (QIS). The Governor said that the final Basel III leverage ratio standard instructions are now published on the CBK website for those interested in the banking and financial business.

“Basel III” is a comprehensive set of reform measures, developed by the Basel Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector. These measures aim to: improve the banking sector’s ability to absorb shocks arising from financial and economic stress, whatever the source; improve risk management and governance; and strengthen banks’ transparency and disclosures.

Recent Banking regulatory news.

October 31st, 2014

The videos below from PwC provide an interesting insight into the current status and future direction of banking.

“Powerful forces are reshaping the banking industry, creating an imperative for change. Banks need to choose what posture they want to adopt – to lead the change, to follow fast, or to manage for the present. Whatever their chosen strategy, leading banks will need to balance execution against 6 critical priorities and have a clear sense of the posture they wish to adopt. However, each of them is important, and success will come from a balanced execution across these priorities – and a balance of tactical initiatives and longer-term programs, all coming together as an integrated whole.”

Banking Banana Skins 2014 Overview

Regulators want to ensure that banks implement effective corporate governance. The scope that corporate governance has to address has increased exponentially. The separation between ownership and control in firms could result in managers exploiting corporate assets for their own individual interests.

In the mid-1900s, legislators introduced a wave of corporate governance regulations to mitigate risk, with new requirements for the role of the board in overseeing the firm’s business strategy and financial soundness, key personnel decisions, internal organisation, governance structures and risk management practices. So long as boards did their job, it then seemed that investors would be protected.

Now a bank’s corporate governance has to protect against all the risks that the bank’s business may experience, and there is zero tolerance of a bank’s failure to manage its risks, not to mention adverse media attention and steep regulatory fines. The fallout from the 2007 financial crisis perhaps overlooks the risks inherent in a bank’s business model, with governments, regulators, investors and customers all demanding change.

New laws impose more stringent requirements and intensified scrutiny and pressure from regulators. Significant problems remain. The Financial Stability Board (FSB) has asserted that much more work is needed to “establish effective risk governance frameworks” (2013).

The Basel Committee on Banking Supervision (BCBS) revised its guidelines, Corporate governance principles for banks, on 10 October 2014. This further raises the standards of corporate governance at banks and emphasizes the critical role of the board and its risk committees in ensuring a bank’s risk governance.

The BCBS suggests that boards should be more involved in “evaluating and promoting a strong risk culture in the bank” by setting the bank’s risk appetite and overseeing its implementation. The increased focus on risk and the supporting governance framework includes identifying the responsibilities of different parts of the bank for addressing and managing risk. These areas are often referred to as the “three lines of defence”:
- business units
- risk management function
- internal audit.

Regardless of the structure, responsibilities for each line of defence should be well defined and communicated and supported by the board.

Managing risks includes identifying, assessing and reporting such exposures, taking into account the bank’s risk appetite and its policies, procedures and controls. The manner in which the front line (a business unit) executes its responsibilities should reflect the bank’s existing risk culture, in a top-down fashion directly aligned to the approach set by the board.

An effective risk management function complements the business unit’s risk activities by monitoring and reporting against responsibilities. It is responsible for overseeing the bank’s risk-taking activities and assessing risks and issues independently from the business line. This requires an independent and effective compliance function responsible for routinely monitoring compliance with the laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The function must have sufficient authority, stature, independence, resources and access to the board.

An independent and effective internal audit function should “provide independent review and assurance on the quality and effectiveness of the bank’s risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes”. The board should ensure that the risk management, compliance and audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently and effectively.

Effective internal corporate governance provisions don’t just benefit small stakeholders. Ensuring effective oversight of managerial actions should result in lower equity and debt capital costs for the bank, a reduction of labour costs and higher value in products and services for clients, but it also poses many challenges for the banks and their regulators. Complexity can take many forms, such as evaluating the quality of a bank’s loan portfolio or ascertaining the importance of off-balance sheet operations. The BCBS’s revised principles provide a framework within which banks and supervisors should operate to achieve robust and transparent risk management and decision-making and, in doing so, promote public confidence and uphold the safety and soundness of the banking system.

EU banks (bar Italy) stood up pretty well to the EBA’s stress test. Only 25 of the 130 banks tested failed (against a CET1 threshold of 5.5%). About half of those had already taken action to remedy their alleged failings.

So outside of Italy, EU banks should be more confident to lend again and rebuild their damaged balance sheets. Banks will eventually have to open their cheque books and start lending again. Moreover, the Banking Union will further break down barriers to cross-border lending within the Eurozone. Banks will no longer have any endogenous constraints to lending in any Eurozone country.

External constraints still need to be considered. The Eurozone economy is on the verge of tipping into its third recession in only six years. The Eurozone is “marching towards stagnation and deflation” according to the Economist (25 October 2014). A large portion of its private sector is actually minimising debt instead of maximising profits, as happened following the housing collapse in the 1990s, to repair their balance sheets. This deleveraging reduces aggregate demand and throws the economy into a very special type of recession. There are signs that the EU may be suffering a similar fate to Japan. Governments and central banks don’t have any easy solutions to put things right again.

Other financial institutions are considering taking a larger slice of the credit market. Insurance firms provide one option – they take in more than €1 trillion in premiums each year. As with the banks, new rules will force insurers to hold more capital than before against corporate loans. Equity investment or debt finance from asset managers and other shadow bank players is also increasingly an option for obtaining credit. Regulatory action to facilitate some types of credit is also being considered. For example, the EBA is seeking views on what is required to stimulate a “prudentially sound securitisation market” with a view to “widening long-term funding opportunities for the European economy”. It

The EBA published its Work Programme 2015 on 10 October 2014 (dated 30 September 2015). Drafting regulatory and technical standards on CRD IV, BRRD and the revision of the Deposit-Guarantee Schemes Directive will take up the majority of the EBA’s workload in 2015. The EBA also expects to contribute to the various legislative processes (e.g. shadow banking), monitor implementation (e.g. CRD IV), calibrate rules (liquidity and leverage ratios) and develop various ad-hoc reports (e.g. Bitcoin).

The FSB revised its Key Attributes of Effective Resolution Regimes for Financial Institutions (Key Attributes) on 15 October 2014, to incorporate recently published guidance on the resolution of FMIs and insurers, client asset protection and information sharing. The FSB also published Guidance on Cooperation and Information Sharing with Host Authorities of Jurisdictions Not Represented on CMGs where a G-SIFI has a Systemic Presence on 17 October 2014.

The ECB will take over responsibility for prudential supervision of Eurozone banks from 4 November 2014. This change represents a significant milestone in the evolution of EU banking regulation.

Also, on 20 October 2014, the ECB published a Decision of the European Central Bank of 17 September 2014 on the implementation of separation between the monetary policy and supervision functions of the European Central Bank (ECB/2014/39). The decision sets out the ECB’s arrangements for complying with the separation of the monetary policy function from the new supervisory function under the SSM. It outlines arrangements related to professional secrecy and the exchange of information between the two functions. The decision will enter into force on the day of its publication in the Official Journal.

Further to our recent meetings with many banks at Gitex, we will be hosting the BRSAnalytics principals and software authors, Computime, and holding a series of meetings and proofs of concept with local banks in mid November. Meet with our expert team and understand how the purpose-designed data model and regulatory processes built into BRSAnalytics, proven in many banks over the last 8 years, can help you meet current and future regulatory compliance requirements with a rapid implementation. Slash reporting time, cost and risk of error, and relax in the knowledge of expert local support that will keep reports current with Central Bank requirements.

Call us on 0097143365589

Bank Regulatory Reporting update – Middle East – October 2014 – Synergy Software Systems

October 26th, 2014

The importance of transparency in bank reporting was the subject of an extended article in Gulf News: “In a recent discussion paper, it is appropriate and long overdue that the Basel Committee on Banking Supervision recognised the need to incorporate the accounting, non-risk weighted leverage into the framework of assessing capital adequacy.”

Dr. R. Seetharaman, Group CEO, Doha Bank, spoke at the fifth US-MENA Private Sector Dialogue on correspondent banking, which was hosted by the Union of Arab Banks at BNY Mellon, New York on 14th and 15th October 2014. In the session “Customer risk ratings and evolving nature of financial crime” he said that banks should strengthen their fight against financial crime to protect against reputation risks. Dr. Seetharaman also gave insights on current trends in correspondent banking. “Banks have looked forward to scale their vast Correspondent Banking networks to reduce risks and strengthen controls, expand their client coverage and geographic reach by striking up new banking partnerships. However with the onslaught of new financial regulation banks need to reassess and redefine this business. With banking revenues under pressure, many banks are questioning whether they can continue to try to offer all services to clients in all markets, combined with rising costs related to new regulations. Banks are selectively increasing the global banking partnerships. … After crisis, letters of credit re-emerged as the key solution for alleviating the spike in credit risk concerns. During the financial crisis, it was correspondent banking, which played a pivotal role as many global banks retreated towards their home market, leaving constraints in trade funding and risk mitigation. Local banks became vital, both for local corporates and their international trading partners. When it came to securing the handling of trade flows despite a spike in perceived risks during the crisis, local banks proved that their knowledge of local companies was critical to keep trades flowing.”

Dr. Seetharaman also gave his views on the regulatory focus on correspondent banking. He said: “Regulators continue to scrutinise due diligence and risk management practices in the Correspondent Banking arena due to the inherent risks associated with processing transactions as well as cases in which Correspondent Banking accounts have been used to move illicit funds. Recent regulatory actions have resulted in record-breaking financial penalties and have highlighted the vulnerabilities which financial institutions are exposed to when there are failures in the areas of governance, client due diligence, risk assessment and transaction monitoring.”

Dr. Seetharaman further highlighted recent Financial Crimes, and AML lawsuits faced by financial institutions. “Certain banks failed to conduct basic due diligence on some of its account holders, assign the appropriate risk categories and ignored warnings that monitoring systems are not adequate. Violation of Know Your Customer (KYC) norms also exposed them to fraud risks. Certain banks failed to check and monitor the relationships its corporate customers had with politically exposed people. Some banks failed to identify high risk transactions. Financial crimes have increased the penalties for banks and also affected the reputation risks.”

Islamic banking continues to grow in the region, but what exactly is it? You will find a lot of useful information on this portal: Islamic Finance News Portal – Bringing you the latest updates in global Shariah finance.

The 4th Annual World Islamic Retail Banking Conference was officially inaugurated this month with more than 150 delegates. The conference started with a panel discussion outlining regulatory changes and the impact those will have on retail banking.

In the USA, on October 17th the Federal Reserve Board (FRB) released instructions and guidance (Guidance) for CCAR 2015 and finalized amendments to the Capital Plan rule, providing more clarity. Modifications to the Capital Plan rule are consistent with the June proposal, and the Guidance provides additional information on the content and organization of capital plan submissions. The Guidance focuses on: internal controls, model inventory, risk identification, and organization

This indicates both that the FRB’s emphasis is now moving from quantitative to qualitative judgments and that the regulators’ expectations continue to rise, and this is likely to be reflected in this region’s regulatory authorities’ focus. Some key points:
- Completeness in risk identification is key.
- Documentation for internal controls: increased expectation.
- Methodology and model inventory must be mapped to FR Y-14 and be subject to internal audit.

This follows on from September, when the Office of the Comptroller of the Currency (“OCC”) finalized its risk governance framework for large banks and thrifts (“Guidelines”) that was proposed in January 2014.

The responsibility to oversee risk management in the USA clearly remains squarely with the Board of Directors, which retains the ultimate risk governance oversight role. The Guidelines clarify that the Board need not take on responsibility for day-to-day managerial duties. This however requires consideration of risk appetite and risk profile, lines of reporting, talent management (training and retention), and regulatory reporting systems (robustness, ease of use, auditability, adaptability and scalability, etc.).

You can register now for our next free seminar on Bank Regulatory Reporting, to be held at the Microsoft Gulf offices, DIC, during the morning of 17 November 2014.