Archive for the ‘Security and Compliance’ category

XP workarounds

April 14th, 2014

http://www.enterprise-security-today.com/story.xhtml?story_id=92235

Microsoft has officially ended support for Windows XP.
In 2013, more than 70 percent of Microsoft’s security patches affected Windows XP.
Estimates range from 14 to 25% or more of Windows users still being on XP.
An estimated 95 percent of all the ATM machines in the world run XP, and JPMorgan Chase, Citibank, and Wells Fargo are also reportedly concluding deals for extended support from Microsoft.

The UK government has signed a similar deal, paying 5.5 million euros for 12 months of support for XP, Office 2003 and Exchange 2003. That deal covers the national and local government, charities, schools and the country’s National Health Service. The national government told news media that OS upgrades are expected to be completed for most of the XP users by April of next year.

What does that mean for your due diligence in trading relationships with such companies?

As a C-level executive, how does this square with your SOX, ITIL or other compliance obligations?

If you stick with XP, then how do others now view you? What can you do about it? Start by reading the post at the link above. It gives good advice and

Last Tuesday’s Patch Day delivered the last XP patches, so make the most of them. Two critical vulnerabilities were fixed.

Why does a Middle East bank need a regulatory reporting system?

March 7th, 2014

Most banks and financial services firms intend to devote more resources to regulatory change over the next two years, and difficulty lies ahead for many businesses. The major areas of budget spend are IT and HR. Both are expensive, and resources are finite.

There are talent shortages in the market for financial services staff with regulatory skills. That’s reflected in rising salaries in regulatory roles in financial services, where salaries have risen by 11%, according to PricewaterhouseCoopers.

Many businesses cut back on compliance staff and consultants when they were desperate to reduce costs during the height of the financial crisis. With increasing legislation, they have inadequate systems and lack the in-house resources to cope with the increasing demands for more detail in shorter timescales.

The wheel of change spins ever faster and it is harder for internal staff to keep up with requirements. Many banks in this region have to report to more than one regulatory regime, and what happens in the USA and Europe tends to also find its way here. For example:

Basel III reforms, under which banks must increase the capital and liquidity buffers they hold. The new rules were first announced in 2010, but the size of the buffers required under the rules has repeatedly been changed. This year alone, the Basel Committee on Banking Standards has extended the timetable for implementation and redefined “liquid assets,” changing the rules of engagement again and again for the banking sector.

“Management consulting firm Booz & Company recently conducted a study of capitalisation and liquidity levels at 64 regional banks. The results were sobering, as many institutions face the prospect of capital and liquidity shortfalls in the near term, particularly as Basel III rules are phased in between 2013 and 2018. In response, banks will need to manage their capital and liquidity levels more proactively — and soon. The capital shortfall for GCC and Levant banks could increase from about $11 billion in total in 2012 to a range of $12 billion to $27 billion in 2017, based on various economic scenarios.”
Sources:
http://gulfnews.com/business/banking/gcc-banks-could-face-capital-and-liquidity-shortfall-1.1298026
http://www.thenational.ae/business/industry-insights/finance/gcc-and-levant-banks-warned-against-complacency-on-capital-requirements-ahead-of-basel-iii

Last Wednesday, Sultan Bin Nasser Al Suwaidi, the U.A.E. Central Bank Governor, warned in his speech at the Global Financial Markets Forum in Abu Dhabi that Basel III banking rules could curb the growth of small and medium-sized businesses worldwide.

- As our recent blog post mentions, the Markets in Financial Instruments Directive (MiFID) EU reforms, which will affect anyone dealing in or processing financial instruments across Europe, are to be introduced, but it is still not clear when MiFID II will be implemented or in what form – only that the new regulation is coming, due for implementation in 2015
- Solvency II Directive: EU reforms intended to harmonize insurance regulation – details still to be confirmed, due for implementation in 2016
- G20 Financial Transactions Tax: efforts to introduce a “Tobin Tax” across the EU continue despite opposition in many parts of the world – details and timetable unknown
- Global derivatives regulation: watchdogs around the world are negotiating over how to police the $700 trillion over-the-counter derivatives market – details and timetable unknown

And there is a lot more, e.g. Islamic banking compliance and FATCA compliance.

In such circumstances it is important that a bank has a regulatory reporting system framework that takes away the black magic and the dependence on scarce resources. The system should automate the ETL processes and be able to adapt rapidly to changing requirements.

Hard copy reports will soon be replaced by electronic XBRL-style reporting formats. As new technology such as parallel processing and in-memory processing becomes more widely available, central banks’ own systems will get faster and their appetite for even more data to process will become even more voracious.

When banks globally are all reporting against the same regulatory frameworks, the local regulatory report formats all have much the same data content, with variations in the calculation formulas. This allows a standard reporting framework, built on standard industry technology, to be quickly and cost-effectively adapted to local requirements – without the need to restructure the bank’s operational systems and charts of accounts.

BRSAnalytics has been proven over the last 7 years to address the needs of most mid-sector banks. To find out how it can help you to realise your compliance strategy while reducing risks and costs please contact us for a demonstration.

Call: Hasan on 00971 3365589

Allegion (Ingersoll Rand: Schlage, CISA, Interflex, Steelcraft and LCN )

March 6th, 2014

On December 1, 2013 Ingersoll Rand plc converted its security division into an independent, publicly traded corporation and Allegion (www.allegion.com) debuted as a standalone company.
It is a synonym for innovative security products and solutions. Well-known brands such as Schlage, CISA, Interflex, Steelcraft and LCN are part of this new global player.

Synergy Software Systems still continues to provide the same specialist solutions for biometric access control, time recording and personnel planning.

As a partner of Allegion, the spin-off does not change the contractual support relationship for Synergy Software Systems customers using the Interflex, Schlage and Ingersoll Rand solutions we have implemented for them.

Document Management – Dubai, U.A.E., Qatar, Kuwait, KSA, Oman, Bahrain – anywhere! Synergy Software Systems

March 4th, 2014

As we move more and more into the digital world, the need to access documents electronically, anytime and anywhere, is of increasing importance. To complement our financial and ERP systems we also provide solutions such as fax software, print management software and document management. Many ERP systems have some facility for document linking or attachment, e.g. Dynamics CRM and Dynamics AX. However, the document repository is usually best kept outside the ERP system for many reasons, e.g.:
- Users need an ERP license to access documents stored in an ERP system
- Documents stored in an ERP system are usually static in content because they relate to specific transactions and times and should not be subject to changes and version control
- Documents take up database space and increase the size of the ERP system backups, thereby extending downtime on the operational system
- There may be document workflow processes outside of the ERP system
- OCR scanning and searching are generally not supported within ERP systems

Filehold is a modern, feature-rich, comprehensive document management system which integrates with SharePoint, and we extend it with Arabic OCR. It is available on premise or in the cloud.

There are several considerations when selecting and introducing a document management system. For example:

- How many documents?
- What types of documents?
- What is the mix of document types, e.g. what % are created as soft copy by applications (e.g. ERP systems, email systems) and thus don’t need scanning or physical printing and filing, and how many are received as hard copies, e.g. faxes or printed contracts?
- Do you receive faxes as hard copy print-outs, or do you use fax software to send and receive?
- How many users?
- How many locations?
- Will hard copy documents need to be scanned?
- If so, will there be a central scanning department or will users have individual access to scanners?
- Do you already have scanners in place?
- Is OCR scan conversion required?
- If so, does this need to be multilingual, e.g. Arabic or English?
- Do you need to OCR-scan dual-language text within the same document, e.g. a bilingual Arabic-English contract?
- How much integration is needed with other systems, and how easy is this, e.g. from within email systems or ERP systems?
- Will the document management system work with your collaboration system, e.g. SharePoint?
- Does it offer version control?
- Does it offer workflow approval processes?
- What will be done about legacy hard copy documents – how many are there?
- How long would it take to unbind, scan, OCR-convert, index and then re-file them?
- Does it provide the right security access controls for digital documents, as opposed to physical documents?
- Which physical documents will still also be filed?
- How should it be phased in, e.g. one function or one department at a time?

Business case?
For a knowledge worker, time is money. If the average annual cost of an engineer is ~$100k, then how much of that worker’s time is consumed searching for amendments in paper contracts?

Modern businesses create complex contracts that often require multiple revisions and many authorizations. Creating and managing those contracts electronically in a document management system saves time and frustration and ensures that everyone is working with the most current version of a document.

Filehold provides important features for contract management: it maintains security, allows users to collaborate, and provides alerts and reminders for contract expiration or renewal dates. It is essential that the solution allows project users at site to view and even check out contract documents from anywhere in the world where they have access to the Internet.

Engineering organizations and engineering departments create large and complex design and report documents. Being able to put these documents into a document management workflow for review and approval saves time and money. Tight version control ensures everyone works with the most recent version of a document.

There are obvious cost saving benefits stemming from document management, such as reduced printing, postage, and physical storage costs. The more significant benefits come from the business impact:
• Rapid find and search of key data and files for timely decision making based on all the related information
• Version control to ensure the correct prices, designs and contractual terms are used
• Streamlined electronic processes
• Support for compliance and audit trails and avoidance of legal disputes

If you are drowning in documents and want to streamline your business, reduce errors, improve collaboration and ensure compliance, then document management is often one of the fastest solutions to implement with the quickest ROI.

Ask us for a demo: 00971 43365589

Remove admin rights and prevent >90% of your security problems

March 2nd, 2014

Avecto, a market-leading privilege management firm, analyzed data from security bulletins issued by Microsoft throughout 2013. It concluded that:

- 92% of all vulnerabilities reported by Microsoft with a critical severity rating can be mitigated by removing admin rights; the same goes for:
- 96% of critical vulnerabilities affecting Windows operating systems
- 91% of critical vulnerabilities affecting Microsoft Office
- 100% of vulnerabilities in Internet Explorer.

When malware infects a user with admin rights, it can cause incredible damage locally, as well as on a wider network.

Employees with admin rights have access to install, modify and delete software and files and to change system settings.

Paul Kenyon, co-founder and EVP of Avecto, said: “It’s astounding just how many vulnerabilities can be overcome by the removal of admin rights.”
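Before admin rights can be removed you need to know who currently holds them. The following PowerShell audit is an added example, not from the post or from Avecto; it lists the members of the local Administrators group and flags any account not on an allow-list. The allow-list contents and the computer name are assumptions you would replace with your own standard.

```powershell
# Added example (not from the post): enumerate members of the local Administrators
# group and flag any that are not on an allow-list, as a starting point for
# deciding where admin rights can be removed.
# Assumptions: runs on a Windows host with PowerShell 2.0 or later. The WinNT ADSI
# provider is used so the script also works on older systems (XP, Windows 7) that
# do not have the Get-LocalGroupMember cmdlet.
# The allow-list below is a constructed placeholder, not a recommendation.

# Accounts expected to hold local admin rights (constructed example).
$AllowedAdmins = @('Administrator', 'Domain Admins')

function Get-LocalAdminReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$Allowed = $AllowedAdmins
    )
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Members come back as COM objects, so their properties are read via InvokeMember.
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $name  = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Name     = $name
            Type     = $class        # 'User' or 'Group'
            Source   = $path         # WinNT://DOMAIN/... distinguishes domain from local accounts
            Allowed  = ($Allowed -contains $name)
        }
    }
}

# Print the full membership, then count the accounts that should not be there.
$report = Get-LocalAdminReport
$report | Sort-Object Allowed, Name | Format-Table Name, Type, Source, Allowed -AutoSize
$unexpected = @($report | Where-Object { -not $_.Allowed })
Write-Host ("{0} unexpected member(s) of Administrators on {1}" -f $unexpected.Count, $env:COMPUTERNAME)
```

A nested domain group that appears as a single member still hides its individual users; expand such groups separately before deciding what to remove.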

Apple bug – as bad as it gets

March 2nd, 2014

Apple has acknowledged a major security flaw in its software for mobile devices, and most users aren’t aware of just how at risk they might be if they fail to update their software. Mac computers could be even more exposed to attacks.

A Secure Sockets Layer (SSL) vulnerability allows attackers to intercept information that is supposed to be encrypted. If an attacker had access to the same network over an unsecured WiFi connection, then he could impersonate a protected site such as Facebook or Gmail and alter any data passed between the iPhone and the site.

Johns Hopkins University cryptography professor Matthew Green summarized it succinctly to Reuters: “It’s as bad as you could imagine, that’s all I can say.”

Liquidity and Leverage requirements of the Capital Requirements Directive (CRD) IV and the Capital Requirements Regulation (CRR).

February 27th, 2014

Related topics discussed in this post include counterparty risk, the adoption of the single Europe-wide rule book, and implications for banks in this region.

CRD IV introduces standardized EU regulatory reporting in the form of COREP and FINREP.
- COREP applied from 1 January 2014
- FINREP will be phased in over the second half of 2014.

Recently, chief central bankers in Europe announced an easing of restrictions with regard to Basel III regulations, effectively pushing back the liquidity deadline for banks by four years. Key new rules were also introduced as the level of corporate debt for banks widened.

The MENA market will benefit the most from these recent announcements. If MENA banks were to carry out full implementation by 2015, then tight lending would continue and the global recovery would be at a slow pace, affecting MENA market growth plans as an emerging market. Lending has generally been eased, as have trade finance restrictions, which will help fuel the current growth seen within the MENA region.

The European Union’s Basel III legislative package, known as “CRD IV”, covers prudential rules for banks, building societies and investment firms. It was formally published in the Official Journal of the European Union on Thursday 27 June 2013. CRD IV will require these institutions to:
- Hold more and better quality capital
- Satisfy new macro-prudential standards, including a countercyclical capital buffer and capital buffers for systemically important institutions
- Meet new rules for counterparty credit risk
- Meet new minimum standards for short and long term liquidity in the form of the:
  - Liquidity Coverage Ratio (LCR)
  - Net Stable Funding Ratio (NSFR)
- Meet minimum standards for leverage to act as a backstop to balance sheet growth, in the form of the leverage ratio
- Improve risk management governance and make senior management / board members accountable
- Introduce restrictions on variable remuneration

COREP and FINREP

These reporting requirements specify the information firms must report to supervisors in areas such as own funds, large exposures and financial information, as well as defining the XBRL taxonomy through which institutions will be required to submit their COREP and FINREP reports to their national supervisor.

COREP increased regulatory reporting requirements for European banks significantly. Under COREP and FINREP, banks are required to provide much more granular data in a fully standardized format. The quality and quantity of data disclosures required for COREP will make it necessary for banks to significantly upgrade their reporting framework.

FINREP: the framework instructs firms to align the accounting calendar with the calendar year – for firms that use any other timeline for their accounting, this is a major upheaval of internal procedures.

Similar to COREP, FINREP is transmitted using XBRL, which makes it even more crucial that firms investigate the new delivery method.

Liquidity
- Due to Basel III and CRD IV, closer monitoring and control are applied to credit and financial institutions’ liquidity.
- The role of senior management in setting risk boundaries is more onerous.
- New liquidity metrics include the liquidity coverage ratio (LCR) and the Net Stable Funding Ratio (NSFR). The rules on the calculation of the LCR and NSFR are not yet finalised. Regulators are still gathering information to adjust the metrics adequately.

Liquidity Coverage Ratio (LCR)
This is to ensure both that financial and credit institutions have the assets to handle short-term liquidity disruptions and that companies are able to improve their short-term resilience.

The ratio aims to ensure that in a 30 day period of stress, with an LCR maintained at 100%, the company will be capable of withstanding the pressure by virtue of having sufficient unencumbered high quality liquid assets.

When the percentage is lower than 100%, the institution will be subject to regulatory scrutiny and a plan would have to be made to indicate how the institution plans to raise its liquidity buffer to reach the necessary limit.

Net Stable Funding Ratio (NSFR)
This deals with ratios of both long term assets and long term funding. The NSFR supports both of those measures and will come into practice as of January 2018. Until then, there will be other general rules regarding long term funding for financial institutions from January 2016. The objective behind these rules is for institutions to actively deliberate on their funding profile for the next 2 years.

The remaining issues that concern liquidity, and the LCR and NSFR are expected to be resolved in the following months. The EU is currently completing these to be in line with the international Basel III agreement and is currently on track with their 2015 and 2018 implementations.

Leverage
A new leverage ratio will be introduced by the CRD IV to protect against the risks often attributed to risk models. The new ratio is calculated by dividing the Tier 1 capital by a measure of the institution’s non-risk weighted assets, including the institution’s on and off balance sheet amounts. The new leverage ratio has not yet been finalised.

During the calibration period a 3% ratio is being considered, which means that Tier 1 capital will not be allowed to be lower than 3% of non-RWAs. Furthermore, institutions will have to adhere to a third prudential metric because, unlike under Basel II calculations, on-balance sheet loans and deposits will not be allowed to be netted.

Initially, as a Pillar 2 measure, the national regulator may alter the leverage ratio. To set the final ratio, the data gathered from January 2014 will be used. Leverage ratios will be disclosed publicly in January 2015 within the European Union and, in line with Basel III, from 2018 onwards leverage ratios will be a Pillar 1 measure in all EU countries.

The amount of capital will no longer be the sole determinant of whether certain banking business can be done. Capital, liquidity and leverage will all have to be taken into serious consideration and decisions may involve sacrificing one in order to strengthen the other.

Finance and credit institutions will have to take into consideration other aspects apart from capital, liquidity and leverage. These include:
1. Single Europe-wide rule book.
The rule book governs all of the EU’s financial institutions and it consists of the CRR together with the EBA’s Binding Technical Standards (BTS). By compiling a single rule book, the EBA’s objective is to reduce the amount of available national discretions which would in turn reduce the number of national divergences.

2. Counterparty Risk
CRD IV includes new regulatory treatments for exposures to central counterparties (CCPs), credit value adjustments, increased capital charges for OTC derivative transactions which are not centrally cleared, and wrong-way risk charges.

3. Reduction of the reliance on credit rating agencies
Credit and financial institutions should no longer rely on credit rating agencies to be given an overview of their credit exposure. In order to do this, institutions need to develop their own criteria on which they can rate their own credit exposure.

4. Single Supervisory Mechanism
The aim of the mechanism is to harmonise and strengthen sanctions across the EU resulting in the increase of fines in some EU jurisdictions.

5. Remuneration
The variable bonus payment is now limited to the 100% of the fixed salary amount for risk control, risk-takers and senior management. On the other hand, it may go up to 200% pending shareholders’ consent. 50% of the variable remuneration should be paid in equity-linked products with at least 40% of the variable payment deferred to a maximum of 5 years.

CRD IV will undoubtedly pose challenges in the manner in which financial and credit institutions are regulated, but it concurrently helps institutions in the EU to comply with Basel III. A change in the way institutions behave and in the economic realities of banking seems inevitable.

The same considerations will apply in the GCC as central banks adopt Basel III and CRD IV compliance.

The Central Bank of Kuwait (CBK) has taken the necessary measures to put Basel III standards in place out of its interest in the significance of international reform packages. Governor Mr. Al Hashel is recorded as stating that the CBK board of directors has approved a minimum capital adequacy ratio of 13 percent with phased application: 12 percent in 2014, 12.5 percent in 2015 and 13 percent in 2016.

Qatar Central Bank (QCB) has decided to combine Basel III with proposals put forward specifically for Islamic banking operations by the Islamic Financial Services Board (IFSB).

Other countries in the Middle East – the U.A.E. and Saudi Arabia, for instance – have elected to implement Basel III and the IFSB standards separately, to give their banks time to deal with one before the other.

Qatar’s banks are thus dealing with a unique combination of regulatory challenges: to implement a strict interpretation of Basel III across both conventional and Islamic operations whilst at the same time ensuring their Islamic arms comply with the new IFSB guidelines.

Qatari banks that deal with both conventional and Islamic finance will have to establish processes to ensure that the two sets of rules are implemented across two divisions simultaneously. For those banks already specialising in either conventional or Islamic finance, the impact is no less significant. They will have to comply with new regulatory measures around their liquidity ratios. They will also have to implement strategies for stress testing that allow for complex data to be analysed in order to demonstrate compliance with the QCB’s guidance on the Basel III directives.

These requirements will require considerable technology change at many banks to ensure that the required financial and risk data can be accurately gathered, cleansed, analysed and reported to board members and the regulator in the formats required.

The Central Bank of Bahrain website provided guidance on its Basel III implementation plan in June last year:

Banks have to meet the challenge of creating the optimal structure, systems and controls to demonstrate compliance with these new regulatory requirements. Basel III is not a one-time compliance exercise. Its requirements are expected to evolve further with time.

Banks will benefit from taking a long-term view of regulatory compliance. This means developing a framework for implementing consistent compliance practices and utilising enterprise-wide risk management tools.

This will help to assure on-going compliance as Basel III (and other, related, regulations) change with time.

OECD Common Reporting

February 24th, 2014

On 13 February 2014, the Organization for Economic Co-operation and Development (OECD), at the request of the G8 and the G20, released a model Competent Authority Agreement (CAA) and Common Reporting Standard (CRS) designed to create a global standard for the automatic exchange of financial account information.

The publication of the CAA and the CRS is a significant step in governments’ efforts to improve cross border tax compliance. This follows a raft of tax compliance legislation such as the US Foreign Account Tax Compliance Act (FATCA) and active campaigns of voluntary disclosures and legal procedures.

The CRS is another global compliance burden for financial institutions and increases the risks and costs of servicing globally mobile wealthy customers – an otherwise attractive customer segment.

The OECD has modelled the CRS on FATCA, which means it may be possible to leverage existing and planned FATCA processes and systems. However, the data required is different, and the volume of reporting required is likely to be significantly greater under the CRS.

The OECD’s model CRS is designed to be a standardized approach for financial institutions to identify and report information about taxpayers, which will then be exchanged with residence jurisdictions.

The common reporting standard will require financial institutions and brokers to report information to their own jurisdiction, and this information will in turn be passed on to other relevant countries automatically each year. It is not designed to replace any existing basis or any other means of information exchange, but instead intends to supplement current measures. It applies to financial accounts and sets out the due diligence which financial institutions will need to follow in order to comply.
This could mean new customer due diligence procedures being required as early as 2015, with the first reporting being due in 2016. It seems unlikely that all jurisdictions intending to participate will be able to enter into agreements under the same timeframe. Due to the increased scope and volume of information required by the CRS, financial institutions may need to reconsider their approach to FATCA compliance to accommodate the new standard.

Significant uncertainties remain, and commentary about the detailed requirements is not expected to be released until the summer of 2014. Financial institutions will want to see competent authorities providing clear guidance to help clients determine their tax residency.

The standard has no direct legal force but it is expected that jurisdictions will follow the model CAA and CRS closely when implementing bilateral agreements.

There is significant political will to implement this standard, with more than 40 jurisdictions signing up for early adoption. The expected timeframe could see jurisdictions seeking to sign agreements in 2014, with new customer due diligence procedures required in 2015 and reporting in 2016.

Many OECD countries may be reluctant to sign up to information exchange with less developed countries which may not have the legal and basic processing capacities to keep the information confidential and to use it only for the purposes for which it’s been collected. The OECD may need to go further, e.g. by providing withholding tax mechanisms to enable less developed countries to collect tax.

IE vulnerabilities: 30% or more of Internet users at risk

February 17th, 2014

Microsoft late Thursday said that both Internet Explorer 10 and its predecessor, IE9, were under attack by hackers exploiting an unpatched flaw in the browsers. The extension of the vulnerability to IE9 followed confirmation earlier yesterday that active attacks are compromising the newer IE10 and hijacking PCs running the browser.

With both IE9 and IE10 vulnerable and under attack, it means that about a third of all those using Internet Explorer are at risk.
Milpitas, Calif.-based FireEye was the first to spot the attacks, and said that they had been aimed at IE10 as part of a campaign targeting current and former U.S. military personnel when they visited the Veterans of Foreign Wars (VFW) website.

San Diego security company Websense said it had found evidence that the exploit may have been used as early as Jan. 20, or more than three weeks ago. Websense also speculated that those earlier attacks had been aimed at visitors to a French aerospace association’s website. Members of the organization, GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales), include defense and space contractors and subcontractors.

Microsoft’s advice to customers is that they upgrade to IE11 (not possible for those still running Windows Vista). Most Vista users are likely running IE9, since Microsoft automatically upgraded their copies from IE7 or IE8 to the then-new IE9 in the first half of 2012.

Yet more security issues – refrigerators, PayPal…

February 1st, 2014

A security firm, Proofpoint Inc., based in Sunnyvale, California, uncovered a global cyberattack that harnessed connected household devices, including a refrigerator. The attack utilized 100,000 consumer devices, employing them as other attacks have used captured computers — to secretly deliver spamming e-mails numbering in the hundreds of thousands. The attack took place between Dec. 23 and Jan. 6, and included in its botnet at least one smart refrigerator, as well as home-networking routers, connected multimedia centers and smart TVs.

“How I Lost My $50,000 Twitter Username. A story of how PayPal and GoDaddy allowed the attack and caused me to lose my $50,000 Twitter username”: https://medium.com/p/24eb09e026dd

and http://www.enterprise-security-today.com/story.xhtml?story_id=91392

  • FATCA update U.A.E.

    January 30th, 2014

    In 2010, the U.S. government enacted the Foreign Account Tax Compliance Act (FATCA) with the goal of diminishing tax evasion, FATCA requires foreign financial institutions (FFIs) and individuals to report any financial accounts held by Americans to the U.S. Internal Revenue Service (IRS). Because of this, according to a recent Forbes.com story, FATCA is influencing how governments around the world share tax information.

    This is already creating consternation. Banking institutions, for example must find a way to classify preexisting and new customers to meet this requirement. There is a lot of confusion about what is to be reported. There are different rules for new accounts, for “recalcitrant” accounts (naughty accounts) and for pre-existing accounts. The deadline for FFIs to finalize the registration of these foreign accounts owned by Americans in the IRS Registration Portal has been delayed from the initial statutory date of January 1, 2014 to July 1, 2014.

    This gives banks a bit more time to figure out a strategy for this compliance. While it sounds like an easy process, classifying this information is a bit more complicated than one might think – it can be a time-consuming, costly process that may require extensive manual labor. And to comply on an on-going basis, it makes sense for banks to find a way to modify their systems so there is an automated classification and reporting process permanently in place.

    In 2010 the Internal Revenue Service (IRS) announced it would soon start taking measures to tackle tax evasion. In addition to the voluntary commitment of US residents to report income on foreign accounts to the service, it urged Foreign Financial Institutions (FFIs) to report details of such accounts to the IRS. Nearly three years of negotiation, regulation and timetabling followed, with a final regulation and timeline settled in October last year. Under these agreements, FFIs are subject from July 1, 2014 to due diligence on all accounts except grandfathered accounts. From March 15, detailed reporting of accounts is required. Grandfathered accounts are obligations that are outstanding on January 1, 2014.

    Transactions made by US citizens from January 1, 2014 are fully monitored. The UAE Central Bank has agreed to adopt the Model 1 IGA, an agreement stating that all financial institutions in the UAE will answer the FATCA request to share information about any US accounts, assets or transactions channelled through them. A US citizen living outside the US must file FATCA Form 8938 if he or she holds, or has signatory control over, funds in FFIs totaling $200,000 in aggregate at the end of the year or $300,000 in aggregate at any time during the year. The thresholds for couples filing jointly are $400,000 and $600,000, respectively. There are severe penalties for under-reporting income in any FFI. The thresholds for US-based citizens are much lower, and US residents with signature power over jointly held overseas accounts may have to report even though the overseas citizen may not.

    If an FFI has not registered as intending to become compliant or put a national agreement (IGA) in place, ‘withholding’ will have already started. In the case of the banks in the UAE, this agreement has been made, and thus withholding should already be in place. However, due diligence on all accounts will begin on 1 July 2014. All pre-existing accounts will have to be identified with basic information as of that date. Basic information includes name, social security number/TIN, address, account number, current value etc. The requirement is more than just reporting the accounts that the FFI knows to be linked to US ‘persons’ – the FFI also has to do a manual search of all its files where the account has a value of $1,000,000 or more to check for links to the US. If the FFI has not complied by this date then it will suffer withholding tax of 30 per cent.

    FFIs over the next couple of months will be registering the data required. The FATCA registration website opened on January 1, 2014. Note that the information reported must be backdated to include information relating to the year 2014, and therefore January 1, 2014, was a very important date.

    Annual reporting by PFFIs is to be phased in starting in 2015 (with respect to information related to the 2014 calendar year), with reporting of the full scope of FATCA information required no later than March 2017, states the IRS. The information reporting will have to include full details of the accounts, such as the underlying investments of funds, all transactions, interest earned etc. The phasing in starts with “recalcitrant” accounts (known or suspected offenders), large value accounts and pre-existing accounts, and works its way down to the mass volume accounts with smaller sums.

    It is important to note that by July 1, 2014, or sooner banks may adopt new rules regarding the opening of new accounts with US-linked transactions.

    Needless to say, not everyone is happy about this – this post gives some reasons why!

    http://1389blog.com/2014/01/26/why-republicans-are-right-to-support-repeal-of-fatca/

    Banking regulatory changes, fines, what to do? U.A.E., Qatar…

    January 29th, 2014

    There is a continual flux of regulatory reporting changes. There have also been recent high-profile cases of banks being fined large sums for non-compliance. Some recent news:

    The DFSA proposed changes to the forms that authorised firms submit through the Electronic Prudential Reporting System, which has necessitated changes to the PIB and PIN modules (and consequently the FER module on Fees) of the DFSA Rulebook. The primary objective of the rule changes is to improve the collection of data in line with the DFSA’s risk-based supervision approach, but they also fill certain reporting gaps, such as the reporting of foreign exchange positions required under the Basel standards on banking supervision. The proposed revised forms are also included in the updated PRU module. The regulator has also made a specific proposal that the period for submission of the Quarterly Regulatory Return (under PIN 6.5.7) and the Financial Group Capital Adequacy Return (under PIN 6.6.2) be reduced from two months after the period end to one month after the period end.

    Some UAE Central Bank Rule Changes announced for 2014:
    The UAE Central Bank will introduce a series of new rules to regulate outsourcing, disaster recovery, Shariah banking, financial statements regulations and CEO’s financial bonuses, to enhance performance and ensure conformity with international standards and best practices.

    • The Central Bank is planning to introduce financial services law (framework law), the new banking law and a new law regarding criminalisation of money laundering.
    • In the sphere of banking supervision, the directors approved the project on the Implementation of the US Foreign Account Tax Compliance Act (FATCA) under which financial institutions will be obliged to make certain disclosures to the IRS concerning accounts belonging to US nationals.
    • In the area of monetary policy instruments and reserve management, the Central Bank is considering introducing a discount window, a settlement system linked to securities custody and financial stability.
    • The Central Bank is working to launch a virtual banking system in order to facilitate financial inclusion and the smart government systems on mobile phones.
    • The Central Bank agreed to establish an Economic research department and a risk monitoring unit.

    In December 2013, the Government of Dubai announced the Dubai Islamic Economy Development Centre and its board of directors as part of its goal to make the Emirate of Dubai the global capital of Islamic finance. Law No 42 of 2013 details the basic objectives of the Centre, which includes drawing up the Centre’s general policy and setting up strategic plans for the development of the sector in the Emirate, in addition to developing comprehensive and unified standards to judge the extent to which any commodity or financial service or otherwise complies with the provisions of Islamic law, and promoting these standards locally and globally.

    Qatar Central Bank (QCB), the Qatar Financial Centre Regulatory Authority (QFCRA) and the Qatar Financial Market Authority (QFMA) jointly launched a strategic plan for the future of financial sector regulation in the country, to position Qatar as a leader in the region in financial sector regulation and thereby to support Doha’s ambitions to be a global financial centre. The goals are to enhance regulation by developing a consistent risk-based micro-prudential framework; expanding macro-prudential oversight; strengthening financial market infrastructure; enhancing consumer and investor protection; promoting regulatory cooperation; and building human capital. The move comes as regulators around the world increase their focus on systemic risks, and demand greater co-operation and co-ordination among financial sector regulators at the local, regional and international levels. The Qatari plan sets out how the regulatory authorities will work together to help build a resilient financial sector that operates to the highest international standards of regulation and supervision.

    Some recent regulatory fines in the banking sector:

    JPMorgan was hit with $20 billion worth of fines during 2013.

    FCA Fined Lloyds £28 million for ‘serious failings’ – because Lloyds TSB had been fined in 2003 for unsuitable sales of bonds, the regulator increased the fine by ten per cent, making it the largest fine ever imposed by the regulator or its predecessor, the Financial Services Authority. Lloyds has made an obligatory apology and the FCA said that changes and the redress being made by the group correct many of the issues.

    US Regulators Fined RBS $100 million for violating US sanctions against Iran, Sudan, Burma, and Cuba, between 2005 and 2009. This settlement follows others by international banks in recent years, including $674m paid by Standard Chartered in 2012 for violating sanctions against Iran, and $1.9bn paid by HSBC in 2013 for sanctions violations and laundering money for Mexican drug cartels.

    FINRA Fined Barclays Capital over Record Keeping – The Financial Industry Regulatory Authority (FINRA), which acts as Wall Street’s self-regulator, fined Barclays Capital $3.75 million for failing to properly preserve electronic records as well as certain emails and instant messages for at least a decade. FINRA stated that it fined the brokerage unit of Barclays PLC for not keeping the records in a non-rewritable, non-erasable format to prevent alteration, as mandated by Securities and Exchange Commission requirements (the format required by regulators is called WORM, Write-Once, Read-Many). This was a widespread issue affecting all of the firm’s business areas, and Barclays was unable to determine whether all of its electronic books and records were maintained in an unaltered condition. FINRA also noted that proper book-keeping and record storage are regulators’ primary means of monitoring whether banks are in compliance with securities laws. Therefore ensuring the integrity, accuracy and accessibility of electronic books and records is essential to a firm’s ability to meet its compliance obligations.
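    WORM is a property of the storage medium: it stops records being rewritten or erased at the hardware or storage layer. The Python below is an added illustration, not FINRA’s, Barclays’ or any vendor’s code, of the complementary application-layer check a firm can run to demonstrate that retained records are still in an unaltered condition: each record carries a SHA-256 digest over its own content and the digest of the record before it, so an edit, a deletion or a reordering anywhere in the archive breaks the chain and is reported at the first affected record. The record fields, the three sample messages and the names RetentionArchive and verify_chain are constructed for this example.

```python
# Added illustration, not FINRA's or any vendor's code: a hash-chained record
# archive that detects altered, removed or reordered records. WORM media stops
# rewriting at the storage layer; this is the complementary application-layer
# check a firm can run to show its retained records are still unaltered.
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

GENESIS_HASH = "0" * 64   # chain anchor for the first record


@dataclass(frozen=True)
class Record:
    seq: int          # 1-based position in the archive
    kind: str         # constructed categories: "email", "im", "ledger"
    body: str
    prev_hash: str    # digest of the preceding record (GENESIS_HASH for the first)
    digest: str       # SHA-256 over (seq, kind, body, prev_hash)


def record_digest(seq: int, kind: str, body: str, prev_hash: str) -> str:
    """Canonical JSON keeps the hash independent of field order or whitespace."""
    payload = json.dumps(
        {"seq": seq, "kind": kind, "body": body, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class RetentionArchive:
    """Append-only in memory; every record commits to everything before it."""

    def __init__(self) -> None:
        self._records: List[Record] = []

    def append(self, kind: str, body: str) -> Record:
        prev = self._records[-1].digest if self._records else GENESIS_HASH
        seq = len(self._records) + 1
        rec = Record(seq, kind, body, prev, record_digest(seq, kind, body, prev))
        self._records.append(rec)
        return rec

    def records(self) -> List[Record]:
        return list(self._records)


def verify_chain(records: List[Record]) -> Optional[str]:
    """Return None if the chain is intact, else a description of the first break."""
    prev = GENESIS_HASH
    for expected_seq, rec in enumerate(records, start=1):
        if rec.seq != expected_seq:
            return f"record {rec.seq}: sequence gap, expected {expected_seq}"
        if rec.prev_hash != prev:
            return f"record {rec.seq}: previous-hash mismatch"
        if record_digest(rec.seq, rec.kind, rec.body, rec.prev_hash) != rec.digest:
            return f"record {rec.seq}: content altered"
        prev = rec.digest
    return None


def tampered_copy(rec: Record, new_body: str) -> Record:
    """Simulate an in-place edit on rewritable media: body changes, stored digest does not."""
    return replace(rec, body=new_body)


def build_sample_archive() -> RetentionArchive:
    """Constructed sample messages, not real communications."""
    archive = RetentionArchive()
    archive.append("email", "Client A: please confirm the bond order placed 09:14")
    archive.append("im", "desk: confirmed, ticket 0001")
    archive.append("ledger", "ticket 0001 booked, 500 units")
    return archive
```

    Running verify_chain over the archive as written returns None; run it over a copy in which one message body has been edited, one record dropped or two records swapped and it names the first record at which the chain no longer holds. In practice the digest of the latest record would itself be written to the WORM medium or time-stamped by a third party, so that the whole chain cannot simply be regenerated after an edit.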

    If you have a headache over timely, compliant regulatory reporting, then the bad news is that it’s going to get tougher very soon. The good news is that BRSAnalytics is a proven solution to automate much of the process of report generation, and to simplify the creation of new reports or report changes. Its built-in data warehouse and Excel ad hoc analytic layer also make it much easier to respond quickly to Central Bank queries for more information.

    That is why we are meeting with 10 banks this week and next. If we missed you and you need to know more, then please contact us for information, a remote demonstration or a meeting: 00971 43365589

    For further information see our previous blog articles.

    eVAYO touch terminal from Synergy Software Systems, Dubai

    January 27th, 2014

    The new member of our eVAYO family, the touch terminal IF-5721 with PIN pad, is now able to support two new features: the Scrambled PIN Pad and Auto Enter.

    With the Scrambled PIN Pad feature, the number keys change their position after each booking process (see examples above). This security feature makes it significantly more difficult to figure out a person’s PIN based on observation only.

    Auto Enter is a convenience feature. If this feature is enabled, an employee no longer has to press the “OK” button once his/her PIN has been entered. When the specified number of digits has been reached, the device automatically activates a booking.
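    As an added illustration of the two features described above, and not the terminal’s own software, the Python below models a scrambled PIN pad: the ten digits are dealt to the ten physical key positions by a cryptographically secure RNG before every booking, an onlooker who watches the hand can record only key positions, and only the terminal, which knows the layout it displayed, can turn those positions back into digits. It also models Auto Enter: with the option on, the booking completes as soon as the configured number of digits has been entered, with it off, the OK key is needed. The names TouchTerminal, scrambled_layout and the 4-digit PIN length are assumptions of this example.

```python
# Added illustration (not the IF-5721's firmware): a scrambled PIN pad with an
# optional auto-enter, modelled on the two features described in the post.
import secrets
from typing import Callable, List, Optional

DIGITS = "0123456789"
_SYSTEM_RNG = secrets.SystemRandom()  # CSPRNG: the next layout must not be predictable


def scrambled_layout(shuffle: Callable[[List[str]], None] = _SYSTEM_RNG.shuffle) -> List[str]:
    """Deal the ten digits to the ten physical key positions in random order.

    Index = physical key position, value = digit currently shown on that key.
    `shuffle` is injectable so a test can pin down a fixed layout.
    """
    layout = list(DIGITS)
    shuffle(layout)
    return layout


def positions_for_pin(layout: List[str], pin: str) -> List[int]:
    """What a shoulder-surfer can record: the key positions that were pressed."""
    return [layout.index(d) for d in pin]


def digits_from_positions(layout: List[str], positions: List[int]) -> str:
    """What only the terminal can do: map positions back to digits, because it
    alone knows the layout it displayed for this booking."""
    return "".join(layout[p] for p in positions)


class TouchTerminal:
    """Toy model of the terminal's PIN-entry state machine (assumed names)."""

    def __init__(self, pin_length: int, auto_enter: bool,
                 layout_source: Callable[[], List[str]] = scrambled_layout):
        self.pin_length = pin_length
        self.auto_enter = auto_enter
        self._layout_source = layout_source
        self.layout = layout_source()          # layout shown for the current booking
        self._buffer: List[str] = []
        self.bookings: List[str] = []

    def press(self, position: int) -> Optional[str]:
        """Handle a touch on key `position` (0-9). Returns the booked PIN when
        Auto Enter completes a booking, otherwise None."""
        if not 0 <= position < len(self.layout):
            raise ValueError(f"no key at position {position}")
        if len(self._buffer) >= self.pin_length:
            return None                        # ignore surplus presses; wait for OK
        self._buffer.append(self.layout[position])
        if self.auto_enter and len(self._buffer) == self.pin_length:
            return self.ok()                   # Auto Enter: no OK press needed
        return None

    def ok(self) -> Optional[str]:
        """The OK key. Completes the booking only when a full PIN is buffered,
        then re-scrambles the pad so the positions just observed are worthless."""
        if len(self._buffer) != self.pin_length:
            return None
        pin = "".join(self._buffer)
        self._buffer.clear()
        self.bookings.append(pin)
        self.layout = self._layout_source()
        return pin


def observed_sequences(pin: str, bookings: int = 3) -> List[List[int]]:
    """Simulate an onlooker recording `bookings` entries of the same PIN on a
    re-scrambling pad; the recorded position sequences change from booking to
    booking, so they do not reveal the digits."""
    terminal = TouchTerminal(len(pin), auto_enter=True)
    seen: List[List[int]] = []
    for _ in range(bookings):
        positions = positions_for_pin(terminal.layout, pin)
        seen.append(positions)
        for p in positions:
            terminal.press(p)
    return seen
```

    observed_sequences("2580") returns three position lists that, with overwhelming probability, differ from one another, which is the whole point of the feature; digits_from_positions shows why the terminal itself has no difficulty, since it holds the layout. A real terminal would compare the entered PIN against a stored verifier rather than hand it back as this toy does.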

    As of now, both features are available with software version 7.13.03.
    Furthermore, they are also available for terminals of the series IF-5735.

    Regulatory reporting in Dubai – BRSAnalytics – the benefits

    January 7th, 2014

    The Regulatory Challenges
    The Oxford Business Group recently issued a report that included a section entitled “Banking Reforms And Regulations To Take Centre Stage In 2014”.

    In an interview on Bloomberg Television’s “Bloomberg Surveillance,” IIF President and Chief Executive Officer Tim Adams discussed regulatory changes expected in 2014

    http://www.iif.com/press/press+443.php

    The Board of Directors of the Central Bank of the UAE held its 8th meeting for the year 2013 in Abu Dhabi, under the chairmanship of Khalifa Mohammed Al Kindi, Chairman of the Board. The Board reviewed important projects currently being implemented, to be completed during 2014. Development of these projects would enhance performance and ensure conformity with international standards and best practices. Some of these projects:
    First: In the area of banking supervision:
    1- Implementation of the US Foreign Account Tax Compliance Act (FATCA) for individuals subject to US tax laws;
    2- Some proposed regulations to be prepared, or to be reviewed, during 2014 in the area of supervision of banks and other financial institutions, such as: Outsourcing, Disaster Recovery, banks’ CEOs’ bonuses, Financial Statements Regulations and Regulations regarding Sharia Compliant Banking Transactions etc.
    Second: In the area of Monetary Policy Instruments and Reserve Management:
    1- Discount Window;
    2- A Settlement system linked to securities custody;
    3- Financial stability report.

    This week the Central Bank of the UAE issued regulations on the licensing and monitoring of exchange business, to regulate and enhance the exchange business profession, support its geographical spread and facilitate the provision of exchange services throughout the UAE on solid foundations. One clause states: “That the licensed person shall provide, upon the Central Bank’s request, all data, information or statistics, at any time and for any specified period and such information shall be identical to the records of the licensed person and it shall be regarded and treated as confidential information.”

    From January 2015 new Basel 3 liquidity ratios will apply, and then in 2018 net stable funding ratios will come into effect. The Central Bank has deferred implementation of the announced ‘large exposure regulations’ pending review with the banks.

    Why do the regulatory changes matter?
    New rules such as those included in COREP, FINREP and CRD IV add to the challenge of collecting and submitting regulatory reports efficiently, accurately and on time.

    Continually emerging regulations demand that banks do more to achieve compliance. This includes improving the quality of information collected and reported, and managing change as banks’ responsibilities evolve in line with developments in the regulatory framework.

    Financial institutions must address:
    • Increased complexity surrounding data consolidation requirements
    • Pressures to introduce improved corporate governance practices
    • Cleansing and auditing data for populating reports
    • Reporting to the regulator within the stipulated timeframes
    • Streamlining and implementing consistent calculation processes
    • Managing large quantities of data
    • Using data effectively for internal and external reporting
    • Normalising data coming in from different data sources
    • Variations in the substance and timing of regulations

    Regulatory reporting solution
    BRSANALYTICS for regulatory compliance brings multiple, disparate data sources into an integrated, centralised data architecture. The unified web-based application automates the process of collating statistical and supervisory reports.

    Developed and supported by a team of professionals, the solution embeds a unique combination of technical, legislative and financial expertise. The application offers a standard engine that has been refined over several years.

    Our regulatory reporting solution seamlessly integrates with banks’ existing infrastructure to deliver a robust system that is straightforward to implement. Developed with an ease-of-use mindset, BRSANALYTICS provides a clearly defined and standardized data model that is fully scalable for regulatory compliance at either branch or head office level.

    Regular checks and updates of the computational formulas, in line with regulators’ developments, ensure a fully flexible and immediately responsive solution to new developments in the regulatory framework. This provides the ability to deliver accuracy, timeliness, quality and efficiency in the submission of user-definable periodic reports, starting from daily submissions.

    BRSANALYTICS will free up your time at the end of the process to conduct report analysis so that any inconsistencies and errors in data gathered are identified and reconciled.

    BENEFITS
    Out-of-the-box country reporting packs
    BRSANALYTICS provides out-of-the-box reporting packs for specific jurisdictions. This means that once data is loaded into the system, business users can immediately generate the reports in the specific format required by the regulator. This reduces implementation time, costs and risks.

    Data consistency and integrity
    BRSANALYTICS ensures that data imported from multiple data sources is consistent. To ensure a quick resolution, the user is informed of any data anomalies with guidance on the location and type of data error. The business user can also customise the solution through additional validation rules that are applied automatically during the upload process.

    With standard pre-built interdependencies of the data source uploads, BRSANALYTICS provides business users with a logical path of source data to be uploaded. Furthermore, the user is also prompted with any data subsets that may need to be recalculated following manual data interventions, such as adjustments, that are to be incorporated into the data load.

    Standard data model and centralized financial data warehouse
    The standard data model covers a wide spectrum of the finance domain and banking business models. This ensures that once data is uploaded in the system, the data is automatically consolidated – irrespective of the back-end source systems. This reduces the implementation time by utilizing a proven, standard data model that is tried and tested in multiple banks. Moreover the solution is built on a robust data warehouse technology which permits the storage and consolidation of all the data, at different aggregation levels, centrally.

    World-leading Business Intelligence platform
    The solution is built on a sound Business Intelligence platform identified by Gartner as being the global leader in the field.
    Tried and tested implementation methodology
    The robust and flexible underlying software solution is complemented by the BRSANALYTICS standardized Professional Implementation Methodology (SPIM), which was designed from experience in implementing regulatory reporting solutions over the years. This provides a detailed, structured, and repeatable implementation process, hence ensuring project success.

    Single Version of Truth
    The underlying mechanism of BRSANALYTICS – to consolidate data from multiple data sources also conducts checks and validations as part of this process, thus creating a Single Version of Truth (SVOT) reporting platform for both regulatory and internal financial reporting needs.

    Bank Regulatory Reporting for 2014 in the G.C.C.

    January 6th, 2014

    Banks today have to contend with increasingly stringent regulations in various stages of development and implementation.

    Furthermore, new regulations impact financial institutions at a global, regional and national level and continue to be issued at a rapid rate. Regulators want to shape a stronger financial and economic reality but this brings about a counter situation in which operational costs rise as a direct consequence of changes in the regulatory landscape.

    The financial climate of this new era of banking is unarguably complex and unforgiving, and stricter regulations regarding data quality, more frequent reporting and greater aggregation of risk data are proving unwieldy for the IT and operations of most financial institutions.

    A new set of regulations is theoretically now in force for FATCA. While questions about the final regulations remain, the first important deadline for implementing system and process changes has arrived. From January 2014, FFIs that have entered into an agreement with the IRS must have adopted procedures for opening new accounts that ensure capture of U.S. indicia. Soon, screening of pre-existing relationships will also begin. Designed as a tool to counteract tax evasion, the Foreign Account Tax Compliance Act imposes additional reporting requirements on all US citizens overseas. It also means substantial compliance obligations for all non-US financial institutions worldwide. Bankers say all banks in the UAE will be forced to comply, as they must rely on US correspondent banks to clear dollar-denominated transactions. Non-compliance could invite sanctions that could include withdrawal of US dollar clearing rights with correspondent banks.

    Act now, and choose proven technology to support your regulatory reporting. Synergy Software Systems, a proven local specialist with more than 20 years in the implementation and support of financial and reporting solutions, ensures an effective and cost-efficient path to compliance. BRSAnalytics is purpose-built to address regulatory requirements with an automated, pre-built data warehouse and reporting framework.

    Below are listed some of its core features. Tomorrow I will highlight the benefits these bring.

    Ad-hoc data drill-downs and drill-ups reporting
    Following the submission of reports to the regulator, it is common to receive queries from the regulator on specific figures. The solution provides the facility to address this requirement by allowing easy-to-use data-drilling and ad hoc analytics.

    Support and audit of full reporting cycle
    The solution provides a single environment from which the business user can manage the full reporting cycle; from data loading, to data checking and validations, from data querying, to report generation and report submission. Moreover, the solution keeps track of and also audits all historic activities.

    Customisable engine and reporting
    The core engine of the solution allows business users to customise and add business rules to the underlying calculations without any programming interventions. Furthermore, the reporting layer allows changes or additions to the reports, both in terms of content as well as layout. System authorised personnel, such as power users, may also assign the rights to modify reference data mappings. This increases flexibility and prevents changes being either overlooked or forgotten.

    Standard data interface layer
    The solution provides a standard data interface that clearly defines the data fields and file formats required by the solution to produce the regulatory reports. This facilitates the implementation of the solution by keeping an abstracted layer from any back-end source systems.

    Supports XBRL submission format
    Over 30 regulators across the world have mandated XBRL (eXtensible Business Reporting Language) as the required electronic reporting format. The primary driver for XBRL adoption is the provision of a systematic reporting framework in which institutions domiciled in different countries may easily be compared. BRSANALYTICS has been developed so that it can be easily extended to support this format (with COREP and FINREP reports bearing over 35,000 data points. Source: EBA), thus satisfying the reporting requirements of such jurisdictions.

    Consolidated group reporting
    Consolidated reporting requirements of bank subsidiaries vary depending on the country in which they operate. Group reporting of multi-regional banks to head offices is made possible through BRSANALYTICS. The solution provides different reporting views of data as a result of the multiple Chart of Accounts hierarchies that can be structured within the application. This provides easy reporting configurations, be it for internal, subsidiary and/or the group.