Archive for the ‘Security and Compliance’ category

Software selection – human considerations

October 3rd, 2015

Organising and managing a software selection project is not easy. If you cannot get a critical mass of people deeply involved in the accounting software selection project, then think twice before starting. Change management is often given only superficial consideration. A new tool is of little use if no one uses it. It does little good for a company to spend $500,000 on new accounting software or ERP software when the people who will be using the accounting software systems cannot, or will not, operate it effectively.

Is your company organized for success (culture, leadership style, business processes and, finally, business management)? If not, then you need to consider more carefully the role of the implementation partner, and not blame the software.

In addition to the usual questions:
• Can the software systems do what the business needs?
• What operating and hardware configuration do I require?
also ask:
• Do your employees have the ability to utilize these software or ERP solutions effectively?
• How can I change that?
• Does my implementation partner offer industry and business knowledge and a track record of enabling that change process in a company like mine?

Businesses try to work to policies, which are based on predetermined assumptions, conditions, processes, statutory and other constraints, and in effect embody pre-defined decisions.

The real world is full of exceptions. Companies use information to control day-to-day operations relating to the production of goods and services. This information is used to control budgets and cash flows and the best utilisation of assets. Managers combine the latest information with their managerial experience to make sound business decisions within the policy guidelines.

The negative side is that this information is of little use when the data is not updated correctly and on time, and/or is not integrated. Thus all functions need to participate and collaborate: if one drops out and relies on manual or Excel systems alone, then the integration loop is broken and the “system” does not operate effectively. The key to the effective utilization of accounting software systems is the effective production of, and access to, timely, accurate, meaningful information to ensure timely, informed decision making at all levels of the organisation. “Knowledge is power.”

Managers can make faster and better (or worse) decisions based on the available information, but without information they may not even be aware they need to take a decision, whether that information comes from an inquiry screen or a report, a BI dashboard, an alert or a KPI.

Advanced software can be used to automate some decisions, or to make recommendations, e.g. MRP or forecasting tools. Generally, though, software systems do not make decisions. People do. When people are not provided with the tools they require to make these critical decisions, it’s very likely mistakes will be made. Some of these decision-taking responsibilities are imposed by the market in which the company competes. Some are imposed by the owners’ or managers’ interpretation of how the business should be operated. However, the methods by which these decisions are made can only be formulated by each individual person, and that is why the software/human relationship is so important.

Each person in any company is unique. So when defining just what software systems you need, consider the unique needs of each person with whom the accounting software systems will “integrate”, or how you will select those unique people who will be comfortable with the system.

Each person who will be processing transactions (e.g. customer orders) must be given the opportunity to express their personal needs, for it is these people who will be required to operate the system. Further, each manager who will be making decisions based in part upon the information produced by the accounting software systems must express their reporting needs as well (e.g. Business Intelligence, Performance Metrics, and Exception Management). It is only after these needs are identified and understood that the broader corporate strategic needs should be defined.

At the core of these considerations is a clearly understood definition of what the company is to do (strategic objectives) and what it must do well in order to succeed (tactical excellence). The way a company organizes itself and controls the flow of information into and out of the accounting software systems determines to a large degree how successful the accounting software systems will become.

As individual people define their needs, do not limit their responses to factors relating only to the software systems. Let them express their needs with respect to how they fit into the overall business, what information they require when, in what format, from other people, where potential bottlenecks may occur, and in general how the manual side of the business management processes should be controlled.

Selection of a new software system does not eliminate the need for business process control procedures, and it is those procedures that determine the effectiveness of the new accounting software systems. Some people will champion software systems or ERP solutions, while others will believe those are seriously flawed and will cling to old, manual systems. Some will be reluctant to share knowledge, the basis of their experience and seniority. Some may fear new technology. Others may worry more about social change: reporting to a new boss, working in a different office. Most people adopt new technology in everyday life (a new phone, car, TV, etc.), but don’t so easily change their personal relationships.

One person sees the software systems as a friend, while another sees them as a threat. You cannot compare your new wife to your old girlfriend if you want a long and happy marriage. All people, whether they have had computer experience or not, have developed some personal definition of what they consider to be “good” software systems. If the software systems you purchase meet these preconceived notions, the task of learning and operating the system will be relatively easy. If the system does not make sense to people, then they will resist entering data and undergoing training, and errors will be made. Evaluate the degree of fit between your employees and the accounting software systems you are examining during your software selection project. The cultural fit with the consultants is equally important.

Try not to impose a new software system on people. Consider whether they feel their opinion is as important as others’, and whether the accounting software systems will assist them personally. WIIFM: “What’s in it for me?”

While you might argue that first impressions can be changed over time, a computer system can seem quite a daunting challenge to the operator, whether accountant, bookkeeper, or clerk, who can be suffering in silence. This suffering might reach the point where the person is willing to consider another job.

No amount of patience, encouragement, or training will reduce this suffering. Mistakes will begin to occur more frequently as well. If the person does not leave, you may have to face the grim decision that their mistakes can be corrected only by removing them from the job. Has this achieved anything positive? Certainly not! If too many critical people in the organization resist the software systems, you can consider the selection project a complete failure. That’s why this evaluation of personal needs is so very important.

Any multi-user accounting system or ERP solutions will be operated by a number of different people with different job functions and different skill levels. The larger the system becomes, the more diverse these individual abilities become, and the more critical an evaluation of their relationship to the accounting system becomes.

Perhaps the least skilled person who might be called upon to operate the accounting software systems is a warehouse manager or even a shipping or receiving clerk.
• Does the system meet their needs?
• Does the menu structure segregate their input screens into one logical area?
• Does the language used, particularly in Help Screens, talk to them at their skill level?
• Will the processing methodology make sense to someone with their relative skills and educational background?
• Do they have to work in multiple systems?

I cannot emphasize enough the importance of training. If you want to remove fear, then you have to build confidence.
You need to reduce errors, not only for the business but also to remove the fear of personal embarrassment. Errors result from a lack of experience, i.e. training and practice with the new software systems.
Invest the time in practical training: understanding a demo does not make you fluent in transaction entry or in report analysis. Reading the highway code is not enough for you to drive; you also need 40 hours of on-the-road experience. You also need an instructor by your side for some time, and to be formally tested and certified. If the investment in training appears formidable, then beware. The major lesson that those who implement cite is that they under-budgeted time for training. Don’t be fooled by those who claim they can configure and get you live in a month or so with an accelerator or a blueprint. Configuration is a relatively simple job. Defining the right configuration needs user interaction and testing, and making that work needs the users’ training and practice time. Transforming an install into a working implementation is another matter. It is not enough to buy a tool; you have to understand the many different ways to use it and build up skill.

Depending upon the vendor or product reseller you have selected to provide your accounting software systems, you will probably have several options open to you. If your system is a large multi-user installation, you might want to consider sending several people to a regional or national training seminar lasting several days. While expensive on the surface, this intensive classroom-oriented environment will enable these people to develop a detailed knowledge which can be passed on to others. Train the trainer really works.

Demonstration accounting software systems are excellent training tools. An even better one is a training company populated with your own Chart of Accounts, vendors, customers, and employees. This gives people the opportunity to experience a “real” data processing environment without the risk that errors will lead to catastrophes.

One last point should be discussed with respect to training. Some people will find it difficult, if not impossible, to make the transition to new accounting software systems, or from one accounting software system to another, perhaps more powerful ERP solution.

While you might wish the accounting system or ERP solution could be installed with minimum problems, this may be your most significant hurdle. If the installation of integrated accounting software systems is the best alternative for your company, what is to be done with those people who cannot, or will not make the adjustment?

You must face the very real possibility some people may have to be replaced. It’s not a very pleasant thought, but do not delude yourself into thinking all people will be as excited about new accounting software systems as you are. Business is not easy sometimes, and this is one of those times. I do not like the idea any more than you do, but changes may be necessary for the good of the company and its employees.

Ask yourself if you know how to organize and control an accounting systems selection project. One of the greatest dangers is people assuming they know, when in fact they are ignorant. They do it rarely in their business life. Can IT choose a finance system? Do they really know how to select a vendor or a solution? Managers need to have confidence in their decision making, but often they do not know how to evaluate facts outside their core functional area, nor even what facts are needed to evaluate a solution. It’s too easy to rush into a demo and to benchmark everything against the first software seen.

In practice it’s better to spend some time discussing your business needs, your change management challenges, and the business case, and to focus on the implementation partner’s understanding and expertise. The right partner will guide you through the process and will not waste your time with inappropriate solutions; then the demo will have some relevance to your needs, and you will have a better idea how to evaluate it.

Security – major threats revealed – August 2015

August 8th, 2015

A major vulnerability plaguing Firefox has Mozilla warning users to update the Web browser to Firefox 39.0.3 to fix the vulnerability. The browser is set to automatically update by default, but users should manually check to ensure that the update has indeed gone through.
An advertisement on a news Web site in Russia was offering an exploit for the browser that searched for specific, sensitive files before uploading them to a server that appeared to be located in Ukraine.
The vulnerability allows hackers to violate the browser’s same-origin policy and inject script into a non-privileged part of Firefox’s built-in PDF viewer. The same-origin policy is a browser security control: it allows scripts running on one Web page to access data from a second page only if both pages have the same origin. The bug allows an attacker to read and steal sensitive local files on the victim’s computer.
Mozilla said that since the vulnerability is specific to its PDF Viewer, versions of the browser that do not contain the PDF Viewer, such as Firefox for Android, are not at risk.
The company said that the exploit leaves no trace of itself on the local machine, making it difficult for users to know if their files had been compromised. Mozilla urged users running Firefox on Windows and Linux systems to change any passwords and keys for programs targeted by the exploit. Mac users were not vulnerable to the particular exploit found in the wild, but would be vulnerable if another hacker designed a payload targeting Macs.

Firefox users on Windows machines should change the passwords stored in the following: Subversion, S3 Browser and FileZilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients.

Linux users, meanwhile, should change passwords associated with global configuration files such as /etc/passwd, user directories including .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, FileZilla and Psi+, text files with “pass” and “access” in the names, and any shell scripts.

Before the dust has had a chance to settle on one major security flaw uncovered in the Android mobile operating system, a second massive vulnerability — dubbed “Certifi-gate” — has burst onto the scene.
The new vulnerability can allow attackers to “gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations, and more,” according to Check Point. The problem cannot be completely fixed with a patch.

Check Point has a scanner app that Android users can download from the Google Play Store and run to determine whether their devices are vulnerable. The Certifi-gate vulnerability allows applications to gain illegitimate privileged access rights that are normally used to support remote applications, according to Check Point. Those applications might have come pre-installed on the device, or been intentionally downloaded by the user, but currently there is no way in Android to revoke the certificates that allow those privileged permissions.

This latest flaw “affects hundreds of millions of Android devices, as most popular OEMs (original equipment manufacturers) have collaborated with these vendors.” The same scale applies to the previously disclosed Stagefright vulnerability, which potentially affects 95 percent — about 950 million — of Android devices.

Google, Samsung and LG this week said they would start providing more frequent — about once a month — security updates for their Android devices. Google’s own Nexus devices are not affected, nor has the company seen any attempts to exploit the vulnerability.

Apple users have largely skirted the bugs, viruses and other malicious software that plague Microsoft Windows and Google’s Android. But this flaw in Apple’s OS X is serious enough to sound the alarm.
German security researcher Stefan Esser published details about a zero-day vulnerability in OS X without telling Apple first, and hackers moved quickly to exploit the flaw. The exploit found in the wild was an adware installer that modifies a file controlling who can run what commands on a machine; it was caught doing so while Thomas was testing it.

The Sudoers File

The sudoers file is a restricted Unix file (normally readable only by root) that determines, among other things, who is allowed to obtain root permissions in a Unix shell, and how. The modification made to the sudoers file in this case allowed the app to gain root permissions via a Unix shell without needing a password.
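A defender’s check for the kind of change described above, added here as an example (it is not code from the original post or from any vendor): it parses sudoers-style text, joining backslash continuations and skipping comments and alias definitions, and flags rules that grant privileges without a password. The sample sudoers content is constructed, and the severity scale and the shape of the “planted” rule are this example’s own assumptions.

```python
"""Audit sudoers text for rules that grant privileges without a password."""
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample sudoers content (assumed for this example, not from a real host).
SAMPLE_SUDOERS = """\
# Constructed sample, not from a real system
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
Cmnd_Alias SERVICES = /usr/bin/systemctl, /usr/bin/journalctl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, \\
                            /usr/bin/journalctl
# A rule of this shape lets any user become root with no password;
# that is the effect the post attributes to the adware's edit (exact rule assumed).
ALL     ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
"""

ALIAS_RE = re.compile(r"^(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\b")
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT)\s*:")


@dataclass
class Finding:
    line_no: int   # first physical line of the rule
    rule: str      # the rule as one logical line
    severity: str  # "high", "medium" or "info" (this example's own scale)
    reason: str


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, rule) with backslash-continued lines joined."""
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf).strip()
        buf = []
    if buf:  # file ended with a dangling continuation
        yield start, " ".join(buf).strip()


def audit_sudoers(text: str) -> List[Finding]:
    """Return a finding for every rule that weakens the password requirement."""
    findings: List[Finding] = []
    for no, rule in logical_lines(text):
        if not rule:
            continue
        if rule.startswith("#"):
            # '#include' / '#includedir' pull in more rules; anything else is a comment.
            if rule.startswith("#include"):
                findings.append(Finding(no, rule, "info", "included files must be audited too"))
            continue
        if rule.startswith("Defaults"):
            if re.search(r"!authenticate\b", rule):
                findings.append(Finding(no, rule, "high", "password authentication disabled globally"))
            continue
        if ALIAS_RE.match(rule) or "=" not in rule:
            continue  # alias definitions and malformed lines are not user specs
        if "NOPASSWD" not in TAG_RE.findall(rule):
            continue
        user = rule.split()[0]
        # Commands follow the NOPASSWD tag; drop any further tags (e.g. NOEXEC:).
        cmds = TAG_RE.sub("", re.split(r"NOPASSWD\s*:", rule, maxsplit=1)[1]).strip()
        if any(c.strip() == "ALL" for c in cmds.split(",")):
            findings.append(Finding(no, rule, "high", f"{user} may run ANY command without a password"))
        else:
            findings.append(Finding(no, rule, "medium", f"{user} may run {cmds} without a password"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_sudoers.py [/path/to/sudoers]; with no path the constructed sample is used.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for f in audit_sudoers(source):
        print(f"line {f.line_no:>3} [{f.severity}] {f.reason}: {f.rule}")
```

Comparing the output against a known-good baseline after each run turns this into a simple integrity check for unexpected edits to the file.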

The worst part is that Apple has reportedly known about the zero-day vulnerability for quite some time, because another security researcher had disclosed it previously.
There is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.
Another Apple bug, Thunderstrike 2, which will be revealed at the Black Hat security conference in Las Vegas this week, is more concerning. That’s because firmware bugs can cause lots of headaches for both regular users and advanced users, and are almost always harder to eradicate than any other bug.

A massive hack infiltrated Yahoo’s ad network for at least seven days, according to the official security blog of Malwarebytes, the anti-malware company that discovered the attack and immediately notified the search company. With more than 6.9 billion visitors to Yahoo’s Web site every month, the attack, which began on July 28, constitutes one of the farthest-reaching malware attacks ever recorded.
The hackers pulled off the attack using Web sites hosted on Microsoft Azure, a cloud computing platform and infrastructure used for building, managing, and deploying applications and services. The scam worked by redirecting users to an Angler exploit kit: off-the-shelf software containing easy-to-use packaged attacks on known and unknown vulnerabilities.

Malicious ads do not require any type of user interaction to execute their payloads. Just visiting a Web site that contains malicious advertisements can be enough to trigger an infection.
Yahoo said it took immediate action when it learned of the campaign, and would continue to investigate it in the future. Because of the large number of visitors to Yahoo sites, it is difficult to know exactly how many Internet users have been affected.

The subtlety of a malvertising attack, combined with the complexity of the Internet advertising market, makes it a difficult security challenge to overcome. That might be part of the reason such attacks are increasing. The number of malvertising attacks spiked in the first half of this year, registering a 260 percent increase over the same period in 2014.

“The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware,” said James Pleger, director of research at RiskIQ. “There are a number of reasons for this development, including the fact that malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on Web sites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.”

“This machine-to-machine ecosystem has also created opportunities for cybercriminals to exploit display advertising to distribute malware,” according to the company. “For example, malicious code can be hidden within an ad, executables can be embedded on a Web page, or bundled within software downloads.”

Management Reporter Updates and tips – Synergy Software Systems, Dubai

June 18th, 2015

This video describes how to create side by side reports with Management Reporter

Management Reporter offers a variety of formatting tools to automate reporting and to quickly put reports in the hands of stakeholders. This video introduces the ability to add dynamic report headers to calculated columns, to avoid having to manually edit report headers prior to generating a report. This is especially useful for consolidated information and rolling fiscal reports.

This video describes how to suppress drill down on specific lines of a report in Management Reporter. For example, you may not want to allow drilldown on salary details.

MR CU12 was initially released for the USA in April and is now available for all regions.
It contains all of the enhancements and bug fixes from hotfixes 1-4 (HF1, HF2, HF3, HF4), including:
• Indication of currently active reporting tree node
• Added the ability to use BASE+1:12 in the column definition
• Report generation performance improvements
• Additional fixes for product defects

As well as the additional fixes that were added post-HF4:
• Ability to exclude NP rows from exporting to Excel by disabling the export of formulas
• Ability to export NP rows at the Account and Transaction detail levels
• Additional fixes for exporting to Excel where you would receive an operand error when exporting with formulas enabled
• Additional fixes for product defects
Version Information: Management Reporter CU12 RTM – 2.1.12000.26

Management Reporter bugs are now visible in Lifecycle Services (LCS) Issue search. Issue search is another great tool within LCS to help with troubleshooting. Currently both Microsoft Dynamics AX and Management Reporter bugs are searchable.

For Management Reporter, bugs will be visible through LCS when they are triaged to be fixed. Additional updates in LCS will occur when either a cumulative update or hotfix is available to fix the issue. To see a list of current known issues, you can search for “known issue” and restrict the product to Management Reporter 2012.

In order to access Issue search, you can do the following:

1. Navigate to

2. Click Sign in

Note: You must use the same credentials that you use to access CustomerSource or PartnerSource. If you don’t have access to CustomerSource, then you will only have access to an evaluation version of LCS, which does not include Issue search.

3. Accept the Microsoft Online Services Agreement if you haven’t already signed in before

4. Create a project

5. Click the + button under Recent projects to create a new project

6. Fill out the project details including Name, Product name, Product version, Industry, and Methodology. Any settings should be fine as long as you don’t select a pre-sales type of project

7. Scroll to the right and select Issue search

8. Begin searching

Synergy Software Systems, Dubai – in top 5% of Microsoft Enterprise Resource Partners

June 17th, 2015

We received confirmation from Microsoft of our attainment of the new Enterprise Resource Competency, which has been attained by less than 5% of the Microsoft Global Partner Network.

That’s why you can be assured of a successful Synergy Software Systems implementation: a 100% track record of successful projects with Dynamics AX since we started the practice in 2003. It’s also why the Highest Customer Satisfaction Award for 2014 also has Synergy’s name on it.

We are proud of our professionals.

We receive similar accolades across our solutions: for years the word in the hospitality industry has been “go with Synergy and sleep at night”, which is why many of our SunSystems customers have been loyal for over 15 years.

Value ultimately comes from competence and attitude, and the results consistently show that the right partner will give the right solution, service, support and price, and deliver the right value.

Adoption of Basel Regulatory Framework 8th progress report

June 14th, 2015

The Basel Committee on Banking Supervision (BCBS) has updated and published its eighth progress report on adoption of the Basel regulatory framework as of end-March 2015.
BCBS’ monitoring reports have been published semi-annually since 2011 and focus on the status of domestic rule-making processes to ensure that the Committee’s capital standards are implemented in jurisdictions according to internationally agreed timeframes.
The Basel III framework builds on and enhances the regulatory framework set out under Basel II and Basel 2.5.

Leverage ratio: In January 2014, the Basel Committee issued the Basel III leverage ratio framework and disclosure requirements following endorsement by its governing body, the Group of Central Bank Governors and Heads of Supervision (GHOS). Implementation of the leverage ratio requirements has begun with bank-level reporting to national supervisors and public disclosure on 1 January 2015.

Net stable funding ratio: In October 2014, the Basel Committee issued the final standard for the net stable funding ratio (NSFR). In line with the timeline specified in the 2010 publication of the liquidity risk framework, the NSFR will become a minimum standard by 1 January 2018. The monitoring of the status of adoption of the NSFR is planned to start with the next progress report in October 2015.

The only GCC country reviewed in the report was Saudi Arabia.
SAMA, through its Circular # 351000133367 of 25 August 2014, issued its final guidance document on the Leverage Ratio disclosure requirements. The aforementioned SAMA Circular is effective from January 2015.
The D-SIB framework has been finalised and the relevant regulation has been issued for implementation by January 2016 through SAMA Circular # 351000138356 (issued in September 2014).

Allegion announce a new release of the IF-6020 – version 1.79

June 1st, 2015

The IF-6020 version 1.79 was released on May 29, 2015.

In addition to the implementation of features that enhance the performance of the system, note:

IF-6020 version 1.79
1. The number of person record fields is increased. As of version 1.79, it is possible to enter longer remarks in the fields on the new “Info 4” tab in the person record.

2. Visitor management in the WebClient is optimized. Thus, work processes are more clearly structured and more effective.

3. The number of reports is increased from 100 to 1000.

4. The escalation check is enhanced to include month accounts. For example, according to a company agreement, only two flexitime days are allowed to be taken per month. If a request is made for three days, a reject message is returned.

5. Support of new technologies: MS SQL Server 2014, Oracle 12g and Windows 8.1 are now also supported.

Known bugs have also been fixed.

Microsoft Azure Stack announced this week at Microsoft Ignite 2015

May 6th, 2015

At Microsoft Ignite this week, the company announced that it is making available a version of Azure that can be hosted in your own datacenter.
The new software, called Microsoft Azure Stack allows you to run your own version of the company’s cloud platform on your own servers. The idea is that you’ll be able to use the same application development and deployment techniques from the hosted cloud platform on your own terms.
Azure Stack is essentially everything you see on the hosted version of the company’s cloud service, including the portal, in a single package for running on premise. The software will be available for the first time “this summer.”

Microsoft’s competitors, such as Amazon’s EC2 and Google Cloud Compute, don’t provide offerings for hosting your own service.

Summary of a TechNet guest post by Mike Neil, General Manager for Windows Server, Microsoft, from the Microsoft Ignite conference in Chicago:

Hybrid cloud is an ideal solution for many organizations, bringing together the agility of public cloud and the control of on-premises systems.
“Today, we are announcing several new solutions that will continue to expand the industry’s most complete cloud:
• Microsoft Azure Stack, a next generation cloud infrastructure that brings Azure IaaS and PaaS capabilities to customers’ datacenters.
• Windows Server 2016 and System Center 2016, the next versions of the popular application platform and management solutions.
• Microsoft Operations Management Suite, a new hybrid management solution that helps you manage your corporate workloads no matter where they run: Azure, AWS, Windows Server, Linux, VMware, or OpenStack.”

Building Hybrid Clouds
Microsoft is the only cloud vendor that both builds, and runs its own hyper-scale datacenters and delivers that same technology back to customers’ and partners’ datacenters.

Next wave of cloud infrastructure.
Microsoft Azure Stack
- Microsoft Azure Stack delivers IaaS and PaaS services into your datacenter
- Easily blend enterprise applications such as SQL Server, SharePoint, and Exchange with modern distributed applications and services while maintaining centralized oversight.
- Azure Resource Manager (just released in preview last week) gives consistent application deployments every time, whether provisioned to Azure in the public cloud or to Azure Stack in a datacenter environment. This approach is unique in the industry and gives developers the flexibility to create applications once and then decide where to deploy them later, all with role-based access control to meet your compliance needs.

- Azure Stack includes a scalable and flexible software-defined Network Controller and Storage Spaces Direct with automated sync and failover.
- Shielded VMs and Guarded Hosts bring “zero-trust” software-defined security to your private cloud: securely segment organizations and workloads, and centrally control and monitor access and administration rights.

Preview Azure Stack starting this summer.

New Technical Preview of Windows Server 2016 – Now Available
The next version of Windows Server will introduce Windows Server Containers and Hyper-V Containers (expected in the third Technical Preview of Windows Server 2016 this summer).

Windows Server 2016 will also offer Azure Service Fabric, a platform for building and hosting application services that automatically scale and heal, bringing you the same underlying technology used to power highly scalable services like Skype for Business, Azure SQL Database, and Cortana.
The second Technical Preview of Windows Server 2016 offers a first look at Nano Server and extends the advanced virtualization features:
• Rolling upgrades for Hyper-V and Storage clusters for even faster adoption of new updates and operating systems.
• Compute resiliency so virtual machines (VMs) continue running even if the compute cluster fabric service fails.
• Storage Replica updates for synchronous storage replication for affordable backup and disaster recovery.

Managing a Hybrid World
Today’s hybrid reality means applications and data are spread across multiple vendors’ environments. While you may not control all the platforms they run on you still need to manage and control these assets to help your organization meet business, compliance and regulatory needs.
Microsoft Operations Management Suite (OMS)
OMS now extends your System Center investments and Microsoft best practices to simplify management of your assets, at a lower cost than competitive solutions, wherever they live:
- any instance (physical, virtual or container)
- any cloud, including your data center, Azure, AWS, Windows Server, Linux, VMware, and OpenStack.
OMS tracks and manages:
• Log Analytics: collect and search millions of records in seconds across thousands of machines to identify the root cause of operational issues.
• Security: identify malware status and missing system updates, and collect security-related events to perform forensic, audit and breach analysis.
• Availability: enable application and data protection for all servers and applications, no matter where they reside, with cloud-based backup and site recovery.
• Automation: orchestrate complex and repetitive operations for more efficient and cost-effective hybrid cloud management.

Expect cloud-based patching, inventory, alerting, container management, and more later in the year.

New Technical Preview of System Center 2016 – Available This Week
System Center 2016 has new provisioning, monitoring and automation capabilities for your software-defined datacenter. It adds:
• Improved Linux management, including Desired State Configuration (DSC) support, native SSH support, and improved LAMP stack monitoring.
• Software Defined Datacenter management, including mixed mode cluster upgrades, enhanced Scale-Out File Server (SOFS) management, and deployment of software-defined networking (SDN) at scale.
• Powerful new monitoring for Azure, Office 365, SQL Server and Exchange.

FATCA and the UAE January 2015

January 12th, 2015

The governments of the US and the UAE have reached an agreement in substance, a model 1 Intergovernmental Agreement (IGA).
The UAE has consented to disclose this status.

In accordance with this status, the text of such IGA has not been released and financial institutions in the UAE are allowed to register on the FATCA registration website consistent with the treatment of having an IGA in effect until December 31, 2014.

More than 100 countries, including India, China and Russia, have already entered into agreements with the US on the Foreign Account Tax Compliance Act (FATCA). With new FATCA requirements coming into effect on 1 January 2015 that apply to U.S. and non-U.S. insurers and insurance brokers, large portions of the financial services sector are being affected.

After a relatively quiet four-year ramp up, America’s global tax law is now being enforced.

FATCA requires foreign banks to reveal Americans with accounts over $50,000 and, considering the risk of being frozen out of U.S. markets, everyone is complying.

Firms that fail to comply with FATCA will be subjected to a stringent 30% withholding tax on any US sourced income even if they do not have any US customers.

The compliance requirements being forced upon financial services firms globally by the US tax authorities are complex and costly. They touch everything, from more thorough KYC requirements to changes in the account opening processes for new customers to capture the new information required under FATCA, and systems will have to be updated to apply the withholding taxes where required. Insurers and insurance brokers will have to comply with new information gathering and reporting rules when U.S. insurance and reinsurance premiums are sent outside the U.S.

A Model 1 IGA is treated as ‘in effect’ by the US Treasury as of May 21, 2014.
On 3 June 2013, the Governor of the DIFC signed a Memorandum of Understanding with the UAE Ministry of Finance which named the DIFC Registrar of Companies as the DIFC’s contact point for any international tax agreement entered into between the UAE and another country. FATCA is an example of such an agreement.

According to DIFC release as of 17 November 2014, “The reporting form will be available (for financial institutions) on the Registrar’s website at a time agreed and instructed by federal officials. Further instructions will be circulated as soon as the reporting framework is in place, and the guidance will be made available to DIFC entities as soon as it is finalised by the Ministry of Finance”.

Who will be affected by FATCA?
• Banks and deposit taking institutions;
• Trust company – Custodial institutions;
• Investment entities – those businesses involved in trading in transferable securities; money market instruments, foreign exchange derivatives etc.; individual or collective portfolio management or otherwise investing, administering or managing funds, money or financial instruments on behalf of other persons;
• Certain types of insurance companies that have cash value products or annuities;
• Family offices would be included in the definition;
• Certain holding companies or treasury centres.

FATCA objective

Disclosure of assets and income of U.S. taxpayers (US person) held with foreign financial institutions.

Definition of US person:
• a citizen or resident of the United States,
• a domestic partnership,
• a domestic corporation,
• any estate (other than a foreign estate) and
• any trust if:
1. a court within the United States is able to exercise primary supervision over the administration of the trust, and
2. one or more United States persons have the authority to control all substantial decisions of the trust.
How will financial institutions be affected?
If a Foreign Financial Institution (FFI) fails to address FATCA requirements promptly, all relevant US-sourced payments, such as dividends and interest paid by US corporations, will be subject to a 30% withholding tax.
The same 30% withholding tax will also apply to gross sale proceeds from the sale of relevant US property.
This will be inconvenient for the customers of the Foreign Financial Institution who will then need to claim refunds from the U.S. IRS after proving that they are non U.S. persons, and not liable for tax.

The definition of a Foreign Financial Institution which is an Investment Entity in Model 1 IGA covers:
• Investment managers;
• Investment advisors;
• Fund administrators.
However, the IGA includes a deemed-compliant category for Investment Advisors and Managers: an Investment Entity established in a FATCA Partner Jurisdiction can obtain the status of Non-Reporting Financial Institution if it is a financial institution solely because it:
• Renders investment advice to, and acts on behalf of, a customer; or
• Manages portfolios for, and acts on behalf of, a customer for the purpose of investing, managing or administering funds deposited in the name of the customer with a Financial Institution other than a Nonparticipating Foreign Financial Institution (NPFFI).

It is important to note that if an Investment Advisor / Investment Manager provides investment advice or manages portfolios for customers whose funds are deposited with a financial institution that is non-compliant with FATCA, or is located in a jurisdiction other than a FATCA Partner Jurisdiction, the DFSA-regulated Investment Advisor / Investment Manager might have FATCA reporting obligations for those clients.

According to a notice from the UAE Central Bank, at the start of 2014 banks and other financial institutions in the UAE must complete the following actions to facilitate the signing of the IGA:
1. Identify customer accounts that are a “US Reportable Account”, which is defined as a financial account maintained by a reporting UAE financial institution and held by one or more specified US persons or by a non-U.S. entity with one or more controlling persons that is a specified U.S. person (implementation date: 19 November 2013).
2. Adopt FATCA’s due diligence procedures for identifying and reporting on US Reportable Accounts and for payments to certain nonparticipating financial institutions (implementation date: 1 January 2014).
3. Prepare relevant systems for establishing an electronic connection to the Central Bank’s FATCA Reporting System, currently in development. All banks and other financial institutions should expect to be contacted for this purpose during the first quarter of 2014 (implementation date: 1 March 2014).
4. Be prepared to register via the IRS portal to obtain a “Global Intermediary Identification Number” (final registration date: 1 November 2014).
5. Adopt the reporting procedures specified in the IGA (the first report, for 2014, must be sent to the Central Bank by 1 August 2015).

The Central Bank, with help from a US law firm, will provide legal support and conduct workshops to assist banks and other financial institutions in implementing the FATCA requirements.

New FAQ on IGA registration issued by IRS

On 22 December 2014, the IRS posted updated FAQs regarding IGA Registration to the FATCA website. This update acknowledges Announcement 2014-38 and addresses whether Reporting Model 1 FFIs in certain jurisdictions need to register and obtain a Global Intermediary Identification Number (“GIIN”) before 1 January 2015. This update confirms that a jurisdiction which was treated in 2013 as if it has an IGA in effect, but which has not yet signed an IGA, retains such status beyond December 31, 2014, provided the jurisdiction continues to demonstrate firm resolve to sign the IGA that was agreed in substance.
New Form W-9 and accompanying instructions released by IRS

The IRS has published on its website a new revised version of Form W-9 (revision date December 2014) as well as the Instructions for the Requestor of Form W-9.

Ask us about BRS Analytics Regulatory reporting platform.

Qatar Financial Centre Regulatory Authority (QFCRA) – 2015 new Banking Business Prudential Rules and Investment Management and Advisory Rules

January 6th, 2015

Happy New Year!

2014 was the year of record settlements between banks and regulators with the total amount of fines and settlements globally passing USD 56 billion. The biggest single hit was the settlement of USD 16.65 billion between Bank of America and the United States Department of Justice in relation to the misleading of investors with mortgage backed securities.

Local regulators are tightening their compliance legislation. The QFCRA has introduced enhancements to its prudential framework for QFC authorised firms undertaking banking, investment management or advisory business. Two new sets of prudential rules were introduced: the Banking Business Prudential Rules 2014 and the Investment Management and Advisory Rules 2014. The new Rules come into force on 1 January 2015.

The new Banking Business Rules bring enhancements focused on the following areas:
• The Internal Capital Adequacy Assessment Process
• Capital adequacy and capital requirements
• Credit risk
• Market risk
• Interest rate risk in the banking book
• Liquidity risk
• Group risk

The new Investment Management and Advisory Rules bring enhancements focused on the minimum paid-up share capital and liquid assets requirement, risk management, professional indemnity insurance, and client money and asset protection.

Prophix 11 Service Pack 3

December 17th, 2014

Oman – National Committee for Anti Money Laundering and Combating Terrorism Financing

December 14th, 2014

The National Committee for Anti Money Laundering and Combating Terrorism Financing, which held its first meeting of the year on Monday, December 8th 2014 at the Central Bank of Oman, reviewed major pertinent issues concerning anti-money laundering and counter-terrorism financing laws in the country.

Held at the CBO premises, the meeting was chaired by H.E. Hamoud bin Sangour al-Zadjali, the Executive President of the CBO, who is also the Chairman of the National Committee. All the members of the National Committee, hailing from organizations such as ROP, FIU, Public Prosecution, Ministry of Commerce & Industry, Ministry of Justice, Capital Market Authority, Ministry of Housing, and Ministry of Social Development, also attended the meeting.

The meeting discussed a number of issues listed in the agenda and took appropriate decisions in this respect. The Committee welcomed the decision of the Sultanate assuming the chairmanship of the Middle East and North Africa Financial Work Group for 2015 along with hosting the upcoming 21st General Meeting of the Group in the same year.

The Committee also reviewed the executive stance of the Technical Cooperation Program with the International Monetary Fund and the anticipated visit of the IMF experts in January 2015.

Additionally, the Committee reviewed the status quo of the project for amending the Law on Combating Money Laundering and Financing Terrorism issued under Royal Decree No. (79/2010) in addition to examining the findings of the 3rd regular follow-up report on the Law on Combating Money Laundering and Financing Terrorism in the Sultanate of Oman by the Regional Financial Work Group.

The report is an analysis of the actions taken and implemented in the Sultanate as a party to the international standards framework and the joint evaluation systems developed for combating money laundering and terrorism financing.

EU General Data Protection Regulation (GDPR) – are you ready?

December 11th, 2014

The EU General Data Protection Regulation (GDPR) was proposed in 2012 and aims to apply a single set of data protection rules across the European Union (EU) to protect users’ data.

Organisations will be expected to report a breach in 72 hours, and give data owners the right to request a copy of the personal data they hold, and the right to have personal data erased.

The regulation will impose greater fines on organisations that break the law: compliance failures will carry fines of up to €100m or 5% of global turnover, whichever is greater.

The proposed regulations are planned to begin at the end of 2014, coming into effect over the next two years.

A recent survey from network management and monitoring software specialist Ipswitch showed that:
- over half of employees could not accurately describe GDPR;
- 52% admitted their firms were not ready for the changes the regulation might bring.

FATF guidance – risk based approach for banks – Synergy Software Systems

November 4th, 2014

The FATF has adopted guidance which will help in the design and implementation of the risk-based approach for the banking sector, taking into account national risk assessments and the national legal and regulatory framework.
The risk-based approach is an essential component of the effective implementation of the FATF Recommendations. Countries, competent authorities and reporting entities are expected to identify, assess and understand the money laundering / terrorist financing risks they are exposed to so that they can develop the risk-based measures to mitigate these risks.

Basel Core Principles (element of supervision)

Principle 1 Responsibilities, objectives and powers:
An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups. A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorise banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.

Principle 2 Independence, accountability, resourcing and legal protection for supervisors:
The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor.

Principle 3 Cooperation and collaboration:
Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.

Principle 5 Licensing criteria:
The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management) of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organisation is a foreign bank, the prior consent of its home supervisor is obtained.

Talk to us to find out how BRSAnalytics can help you clearly demonstrate effective, robust management of governance and compliance.

Leverage Ratio Standards for Kuwaiti banks

November 4th, 2014

Mohammad Y. Al-Hashel, Governor of the Central Bank of Kuwait (CBK) recently announced that CBK’s Board of Directors has approved the instructions for implementing the Leverage Ratio Standards to Kuwaiti banks, both conventional and Islamic.

The implementation of the Leverage Ratio Standards comes within the framework of the CBK’s measures to fully apply the international regulatory framework for banks (Basel III) reforms and guidelines. It also aims to keep abreast of developments in the field of bank supervision. Al-Hashel reiterated that the CBK is firmly committed to completing the implementation of the Basel III reforms and guidelines.
The leverage ratio is the proportion of debt that a bank has compared to its equity/capital.

The Governor pointed out that the CBK, through the new instructions, seeks to curb the build-up of leverage in the banking sector, which could put pressure on the financial system or the whole economy. It also aims to boost capital adequacy requirements.

Under the new instructions, a bank’s leverage ratio should not exceed three percent. The new instruction is effective 31 December 2014.
The CBK is moving forward toward accomplishing the other standards of the Basel III set of reforms, the liquidity ratio standards, according to a well-planned schedule and taking into consideration the outcomes of the comprehensive quantitative impact study (QIS). The Governor said that the final Basel III Leverage Ratio Standard instructions are now published on the CBK website for those interested in the banking and financial business.

“Basel III” is a comprehensive set of reform measures, developed by the Basel Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector. These measures aim to: improve the banking sector’s ability to absorb shocks arising from financial and economic stress, whatever the source; improve risk management and governance; and strengthen banks’ transparency and disclosures.

Recent Banking regulatory news

October 31st, 2014

The videos below from PwC provide an interesting insight into the current status and future direction of banking.

Learn more at –
“Powerful forces are reshaping the banking industry, creating an imperative for change. Banks need to choose what posture they want to adopt – to lead the change, to follow fast, or to manage for the present. Whatever their chosen strategy, leading banks will need to balance execution against 6 critical priorities and have a clear sense of the posture they wish to adopt. However, each of them is important, and success will come from a balanced execution across these priorities — and a balance of tactical initiatives and longer-term programs, all coming together as an integrated whole.”

Banking Banana Skins 2014 Overview

Regulators want to ensure that banks implement effective corporate governance. The scope that corporate governance has to address has increased exponentially. The separation between ownership and control in firms could result in managers exploiting corporate assets for their own individual interests.

In the mid-1900s, legislators introduced a wave of corporate governance regulations to mitigate risk, with new requirements for the role of the board in overseeing the firm’s business strategy and financial soundness, key personnel decisions, internal organisation, governance structures and risk management practices. So long as boards did their job, it then seemed that investors would be protected.

Now a bank’s corporate governance has to protect against all the risks that the bank’s business may experience, and there is zero tolerance of a bank’s failure to manage its risks, not to mention adverse media attention and steep regulatory fines. The fallout of the 2007 financial crisis perhaps overlooked the risks inherent in a bank’s business model, with governments, regulators, investors and customers all demanding change.

New laws impose more stringent requirements and intensified scrutiny and pressure from regulators. Significant problems remain. The Financial Stability Board (FSB) has asserted that much more work is needed to “establish effective risk governance frameworks” (2013).

The Basel Committee on Banking Supervision (BCBS) revised its guidelines, Corporate governance principles for banks, on 10 October 2014. This further raises the standards of corporate governance at banks and emphasizes the critical role of the board and its risk committees in ensuring a bank’s risk governance.

The BCBS suggests that boards should be more involved in “evaluating and promoting a strong risk culture in the bank” by setting the bank’s risk appetite and overseeing its implementation. The increased focus on risk and the supporting governance framework includes identifying the responsibilities of different parts of the bank for addressing and managing risk. These areas are often referred to as the “three lines of defence”:
- business units
- risk management function
- internal audit.

Regardless of the structure, responsibilities for each line of defence should be well defined and communicated and supported by the board.

Managing risks includes identifying, assessing and reporting such exposures, taking into account the bank’s risk appetite and its policies, procedures and controls. The manner in which the front line, the business unit, executes its responsibilities should reflect the bank’s existing risk culture, in a top-down fashion directly aligned to the approach set by the board.

An effective risk management function complements the business unit’s risk activities by monitoring and reporting against responsibilities. It is responsible for overseeing the bank’s risk-taking activities and assessing risks and issues independently from the business line. This requires an independent and effective compliance function responsible for routinely monitoring compliance with the laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The function must have sufficient authority, stature, independence, resources and access to the board.

An independent and effective internal audit function should “provide independent review and assurance on the quality and effectiveness of the bank’s risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes”. The board should ensure that the risk management, compliance and audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently and effectively.

Effective internal corporate governance provisions don’t just benefit small stakeholders. Ensuring effective oversight of managerial actions should result in a lower cost of equity and debt capital for the bank, a reduction of labour costs and higher value in products and services for clients, but it also poses many challenges for the banks and their regulators. Complexity can take many forms, such as evaluating the quality of a bank’s loan portfolio or ascertaining the importance of off-balance sheet operations. The BCBS’s revised principles provide a framework within which banks and supervisors should operate to achieve robust and transparent risk management and decision-making and, in doing so, promote public confidence and uphold the safety and soundness of the banking system.

EU banks (bar Italy) stood up pretty well to the EBA’s stress test. Only 25 of the 130 banks tested failed (CET1 threshold 5.5%). About half of those had already taken action to remedy their alleged failings.

So outside of Italy, EU banks should be more confident to lend again and rebuild their damaged balance sheets. Banks will eventually have to open their cheque books and start lending again. Moreover, the Banking Union will further break down barriers to cross-border lending within the Eurozone. Banks will no longer have any endogenous constraints to lending in any Eurozone country.

External constraints still need to be considered. The Eurozone economy is on the verge of tipping into its third recession in only six years. The Eurozone is “marching towards stagnation and deflation” according to the Economist (25 October 2014). A large portion of its private sector is actually minimising debt instead of maximising profits following the housing collapse in the 1990s, in order to repair balance sheets. This deleveraging reduces aggregate demand and throws the economy into a very special type of recession. There are signs that the EU may be suffering a similar fate to Japan. Governments and central banks don’t have any easy solutions to put things right again.

Other financial institutions are considering taking a larger slice of the credit market. Insurance firms provide one option; they take in more than €1 trillion in premiums each year. As with the banks, new rules will force insurers to hold more capital than before against corporate loans. Equity investment or debt finance from asset managers and other shadow bank players is also increasingly another option for obtaining credit. Regulatory action to facilitate some types of credit is also being considered. For example, the EBA is seeking views on what is required to stimulate a “prudentially sound securitisation market” with a view to “widening long-term funding opportunities for the European economy”. It

The EBA published its Work Programme 2015 on 10 October 2014 (dated 30 September 2015). Drafting regulatory and technical standards on CRD IV, BRRD and the revision of the Deposit-Guarantee Schemes Directive will take up the majority of the EBA’s workload in 2015. The EBA also expects to contribute to the various legislative processes (e.g. shadow banking), monitor implementation (e.g. CRD IV), calibrate rules (liquidity and leverage ratios) and develop various ad-hoc reports (e.g. Bitcoin).

The FSB revised its Key Attributes of Effective Resolution Regimes for Financial Institutions (Key Attributes) on 15 October 2014, to incorporate recently published guidance on the resolution of FMIs and insurers, client asset protection and information sharing. The FSB also published Guidance on Cooperation and Information Sharing with Host Authorities of Jurisdictions Not Represented on CMGs where a G-SIFI has a Systemic Presence on 17 October 2014.

The ECB will take over responsibility for prudential supervision of Eurozone banks from 4 November 2014. This change represents a significant milestone in the evolution of EU banking regulation.
Also, on 20 October 2014, it published a Decision of the European Central Bank of 17 September 2014 on the implementation of separation between the monetary policy and supervision functions of the European Central Bank (ECB/2014/39). The decision sets out the ECB’s arrangements for complying with the separation of the monetary policy function from the new supervisory function under SSM. It outlines arrangements related to professional secrecy and the exchange of information between the two functions. The decision will enter into force on the day of its publication in the Official Journal.

Further to our recent meetings with many banks at Gitex, we will be hosting the BRSAnalytics principals and software authors, Computime, and holding a series of meetings and proofs of concept with local banks in mid November. Meet with our expert team and understand how the purpose-designed data model and regulatory processes built into BRSAnalytics, proven in many banks over the last 8 years, can help you meet current and future regulatory compliance requirements with a rapid implementation. Slash reporting time, cost and risk of error, and relax in the knowledge of expert local support that will keep reports current with Central Bank requirements.

Call us on 0097143365589