FINAL REPORT
SUBMITTED BY
In Partnership with
RAPID ASSESSMENT OF THE
INSTITUTIONAL AND ICT CAPACITY
OF SOMALIA’S FINANCIAL
INSTITUTIONS:
The Central Bank of
Somalia (HQ & Jubbaland
Branch) and the State Bank
of Puntland
2 | P a g e A L C O R
CONTENTS
LIST OF FIGURES
LIST OF TABLES
1. Executive Summary
1.1 Terms of reference
1.2 Method of Analysis
1.3 Findings
1.3.1 Organizational Gaps
1.3.2 ICT Infrastructure Gaps
1.4 Recommendations
1.4.1 General Organizational Recommendations for CBS and SBP
1.4.2 General Recommendations for Jubaland
1.4.3 General Recommendations on the Common ICT Infrastructure & Technology
1.5 Conclusion
2. Introduction
2.1 Scope
2.2 Objectives
2.3 Approach and Methodology
3. CBS Organizational Assessment
3.1 Overview
3.2 Legal Assessment: Gaps and Opportunities
3.3 Environmental Assessment: Gaps and Opportunities
3.3.1 Communications Function
3.3.2 Supervision Framework
3.3.3 Organization and Methods
3.4 Staffing, Organization Culture and Work Environment
4. State Bank of Puntland
4.1 Scope
4.2 Objectives
4.3 Organizational Capabilities Assessment
4.4 Governance and Policy Framework
4.4.1 Corporate Governance
4.4.2 Legal Framework and Institutional Policies
4.5 Business and Operating Model
4.5.1 Business Model and Strategic Plan
4.5.2 Operations Model
4.5.2.1 Organization and Methods
4.5.2.2 Operating Environment
4.5.3 Technology capacities
4.5.4 Financial Accounting
4.6 SBP Recommendations
4.6.1 Institutional Framework
4.6.2 Operating Capabilities
5. CBS Jubbaland branch Assessment
5.1 Summary of Key Observations
5.2 Recommendations
6. Common ICT Infrastructure & Technology Capacity Assessment
6.1 Thematic area description
6.1.2 Technology Capacity Assessment thematic areas
6.1.2 Common ICT Infrastructure Assessment thematic areas
6.2 Key findings
6.2.1 General
6.2.2 Servers and data centers
6.2.3 Internet connectivity and WAN
6.2.4 Network security
6.3 CBS, CBS branch in Jubaland & State Bank of Puntland’s ICT Technology
6.3.1 General
6.3.2 Core Banking System Compliance
6.3.3 Core Banking System Integration
6.3.4 Security
6.3.5 Transaction & reporting
6.3.6 Support, training and documentation
7. CBS and State Bank’s capability maturity assessment
7.1 Central Bank of Somalia maturity assessment
7.1.1 Common ICT Infrastructure maturity assessment
7.1.2 ICT technology maturity assessment
7.2 State Bank of Puntland maturity assessment
7.2.1 Common ICT Infrastructure maturity assessment
7.2.2 ICT technology maturity assessment
7.3 Central Bank of Somalia Jubaland Branch maturity assessment
7.3.1 Common ICT Infrastructure maturity assessment
7.3.2 ICT technology maturity assessment
8. Recommendations
8.1 Recommendations on the Common ICT Infrastructure
8.1.1 Short term recommendations
8.1.2 Medium term recommendation
8.1.3 Long term recommendations
8.2 Recommendation on ICT technology
8.2.1 Short term recommendations
8.2.2 Medium term recommendations
8.2.3 Long term recommendations
LIST OF FIGURES
Figure 1: General Recommendations on the Common ICT Infrastructure & Technology
Figure 2: Federal Republic of Somalia - Federal States
Figure 3: Approach and Methodology
Figure 4: Legal Enhancement Opportunities
Figure 5: Communications Function Strengthening Opportunities
Figure 6: Organization and Methods Indicators
Figure 7: Summary of institutional wide organizational capabilities required
Figure 8: Technology Capacity Assessment thematic areas
Figure 9: Common ICT Infrastructure Assessment thematic areas
Figure 10: Institutions with ICT network plans
Figure 11: Hardwired broadband internet access
Figure 12: Organizations with Server rooms on site
Figure 13: File transfer protocols used
Figure 14: Automated file transfer
Figure 15: Monitoring network resources
Figure 16: Remote access software tools used
Figure 17: Systems using multi factor authentication
Figure 18: Capability maturity assessment
LIST OF TABLES
Table 1: Analysis of assessment results
Table 2: Deriving statistical data
Table 3: Expected Assessment Respondents
Table 4: CBS Summary of Scoring and Weighting
Table 5: Supervision Framework Enhancement Opportunities
Table 6: Expected Assessment Respondents
Table 7: Transactional data statistic counts
Table 8: Institutional framework recommendations
Table 9: Operating Capabilities Recommendations
Table 10: Hardwired broadband access channels
Table 11: Wireless broadband access channels
Table 12: Remote access software tools
Table 13: CBS Common ICT Infrastructure maturity assessment
Table 14: CBS ICT technology maturity assessment
Table 15: SBP Common ICT Infrastructure maturity assessment
Table 16: SBP ICT technology maturity assessment
Table 17: CBS Jubaland Common ICT Infrastructure maturity assessment
Table 18: CBS Jubaland ICT technology maturity assessment
ACRONYMS
ATS Automatic Transfer Service
AML Anti Money Laundering
CBS Central Bank of Somalia
CFT Combating the Financing of Terrorism
CIP Capacity Injection Program
DR Disaster Recovery
ERP Enterprise Resource Planning
FACTS Financial Accounting Systems
FGS Federal Government of Somalia
FI Financial Institution
FS Financial Sector
FTE Full Time Employees
HRMS Human Resource Management System
H/W Hardware
ICT Information and Communications Technology
IT Information Technology
LAN Local Area Network
MoF Ministry of Finance
MTB Money Transfer Business
NPS National Payment System
NSP Network Security Policy
PIU Program Implementation Unit
PREMIS Public Resource Management in Somalia
PWG Payments Working Group
RCRF Recurrent Cost & Reform Financing
SBP State Bank of Puntland
SCORE Somali Core Economic Institutions and Opportunities
SFMIS Somalia Financial Management Information System
TSA Treasury Single Account
VLAN Virtual LAN
WAN Wide Area Network
1. Executive Summary
1.1 Terms of reference
This report is the result of a rapid assessment of the institutional and Information and Communications
Technology (ICT) capacity of the Central Bank of Somalia (CBS HQ and Jubbaland branch) and State Bank
of Puntland, with a view to establishing a modern payment system with support from the World Bank.
1.2 Method of Analysis
The open system methodology, which looks at an organization either as a unit or as a network of
organizations, was adopted. In detail, we looked at the targeted institutions as a system consisting of
interacting and interdependent elements whereby the institutions obtain inputs, use the inputs for
processing, and eventually produce outputs. The approach was applied through physical visits to target
institutions, analysis of assessment questionnaires, formal and informal meetings and observations.
1.3 Findings
The assessment drew attention to the fact that the CBS HQ, CBS Jubbaland branch and State Bank of
Puntland are in the initial stages of the maturity capability level, i.e. stage 1, which is characterized by
individual heroic effort, undocumented processes, low process repeatability, ad hoc events and lack of
effective incident management. A summary of key observations and gaps arising from the assessment is
provided as follows:
1.3.1 Organizational Gaps
CATEGORY: KEY OBSERVATIONS / GAPS
Legal
• NPS supporting legislation is not in place
• Legal framework is not aligned between the Federal Government of Somalia and federal states
• State Bank legal framework (where applicable)
Environmental
• The communication function is at a rudimentary stage across all institutions
• Supervision framework does not presently cater for NPS
• Regulation and industry guidelines do not cater for NPS
• Financial and non-financial risk frameworks are not in place
Organization and Methods
• NPS Payment functions across institutions are not in place
• Payment department organization, skills, competencies, roles are not defined
• Standard operating procedures are generally not documented
• Limits and levels of authority are not defined
Staffing
• Staffing levels across functions may not be adequate to complement NPS operations (IT, Operations, Finance, Supervision, Research, Audit)
Organization Culture
• Organizational change management planning is not adopted as part of project management practice
• HR policy is not defined
Work Environment
• Employee facilities require improvement
1.3.2 ICT Infrastructure Gaps
CATEGORY: KEY OBSERVATIONS / GAPS
General
• WAN network plans are not defined
• ICT security frameworks are not in place
• ICT policies not established
• Lack of disaster recovery capability
Servers and Data Centers
• Data center / server rooms are poorly equipped and do not meet minimum standards
• There is no staging / pre-production environment
• There is no defined ICT infrastructure in State Bank of Puntland
Internet Connectivity and WAN
• Lack of telecommunication networks, internet and IP address management and utilization policies
• Poor network monitoring
Network Security
• No approved secure and encrypted data and file transmission capabilities
• No approved secured password policies
Capability Maturity
• Institutions are at initial stage (1/5) with CBS Mogadishu being in between initial (1/5) and managed stage (2/5)
1.4 Recommendations
1.4.1 General Organizational Recommendations for CBS and SBP
1.4.2 General Recommendations for Jubaland
i. Immediate - The Somali Core Institutions and Economic Opportunities (SCORE) Programme
establishes contact with the Jubaland MoF and Executive with a view to establishing mechanisms
to progress work that has been initiated by Public Resource Management in Somalia (PREMIS), an
EU funded project that aims to support Federal Member States of Somalia to establish sound
financial systems, raise revenues and effectively manage public resources. In so doing, the existing
PREMIS roadmap for Jubaland State can be refocused where applicable to align with SCORE’s
objectives and priority areas.
ii. Long Term - Recommendations outlined for CBS and State Bank of Puntland could be extended to appropriate areas where applicable in order to cover The State of Jubaland as a second phase. The model should then be replicated for all future States.
In tandem, the following ICT infrastructure recommendations are proposed for the CBS HQ, CBS Jubbaland
branch and State Bank of Puntland; see figure 1 below.
Organizational Capabilities Required
Governance and Policies: Board independence; Defined board mandate; Institutional policies
Business Model: Core functions value proposition (what, for who and why)
Operating Model: Develop institutional and Directorate value maps (how the business model will be operationalized)
Research & Statistics: Statistical data & analysis; Board & public reporting; Economic data
Risk & Compliance: Financial & non fin. Risk; Internal audit assurance; Compliance & legal
Supervision: Enforcement; Industry collaboration; Industry capacity building; Supervision framework
IT Systems Roadmap: Systems needed to enable Directorates; Technology roadmap (IT systems & organization evolution)
Legal Framework: CBS, FI, MTB, Micro Finance laws; NPS & other supporting legislation; Regulatory guidelines
Organization and Methods: Organization structures; Directorate & role TOR’s; Std operating procedures; COA standardization; HR development; Report & MIS Integrity
Legend: Improvement Opportunity; Not Developed
1.4.3 General Recommendations on the Common ICT Infrastructure & Technology
Figure 1: General Recommendations on the Common ICT Infrastructure & Technology
1.5 Conclusion
Consolidation of these actions will result in the establishment of a robust institutional environment that
can provide and maintain a resilient payment system infrastructure and form the basis for value adding
collaboration with CBS HQ, CBS Jubbaland branch and State Bank of Puntland.
2. Introduction
The Federal Government of Somalia (FGS) through the Ministry of Finance (MoF) with support from the
World Bank Somali Core Economic Institutions and Opportunities (SCORE) Program, a World Bank Group
(WBG) program supported by a multi-donor trust fund, is implementing a series of activities to support
financial and private sector development and strengthen formal provision of financial services in Somalia.
The development objectives of the SCORE Program are to: (i) improve the enabling environment for
private and financial sector development; and (ii) catalyze private investment and job creation in key
productive and service sectors. For the MoF, the SCORE Program will help deliver governance capacity for
financial sector development by strengthening the capacity of the Ministry to coordinate the analysis,
formulation, implementation, and monitoring of financial sector policies, strategies and regulations, as
well as to oversee FGS’s interventions in the financial sector.
The authorities, with technical assistance from the World Bank, are looking to establish a modern payment
system and have initiated a participatory approach to modernizing Somalia’s payment system through
establishing a Payment Working Group (PWG), convening payment system stakeholders. The PWG aims
to propose the laws and/or regulations, procedures and the appropriate ICT infrastructure required to
establish a fully electronic, safe and expandable National Payment System (NPS) that is integrated across
all bank channels in Somalia.
For the CBS and the PWG, the SCORE Program will assist in putting in place the necessary building
blocks (i.e. legal framework, procedures, and ICT infrastructure) required for a fully electronic and
integrated NPS that permits banks and other non-bank payment service providers to make transactions
over accounts and facilitate settlement finality using funds held at the CBS.
2.1 Scope
The cornerstone of this assignment was to undertake on-site institutional and capacity assessment of
technologies and connected network infrastructure for the CBS, CBS branch office in Jubaland, State Bank
of Puntland and the bank and non-bank payment service providers vis-a-vis their preparedness to
participate in an NPS. Activities undertaken during the assessment included:
i) An assessment of the technical capacity, efficiency, productivity, job satisfaction and training
needs of IT and operational staff at the CBS, CBS branch office in Jubaland, State Bank of Puntland
and bank and non-bank payment service providers by identifying institutional and human
resource gaps with respect to implementation of a NPS;
ii) Assessment of the ICT infrastructure, core banking systems, mobile payment providers, security
and network settings and connected infrastructure between banks and non-bank payment
services
The assignment was conducted in two phases that ran concurrently i.e.
i) Institutional assessment relating to establishment of inter-bank payments, clearing and
settlement system, and;
ii) Institutional assessment relating to extending core-banking system to CBS HQ, CBS Jubbaland
branch and State Bank of Puntland.
The geographical scope covered physical visits to the Capital City – Mogadishu, Puntland State (Garowe,
Qardho, Bosaso) and Jubaland State (Kismayo). The locations are geographically dispersed as represented
in the map below:
Figure 2: Federal Republic of Somalia - Federal States
The assessments sought to establish a gap analysis of the existing structures and infrastructure with a
view to providing recommendations for improving and modifying the institutional and ICT capacity of key
financial institutions in order to establish a fully integrated National Payment System.
Target institutions referred to as participants, hereinafter, and their geographical representation include;
Federal Government
Private Sector Banks
Entity Mogadishu Puntland Jubaland
Central Bank Somalia
• Mogadishu Head office
• Federal State Branches - Puntland (Garowe), Galmudug (Dhusamareb), South West (Baidoa), Jubaland (Kismayo), Hirshabele (Jowhar)
Mobile Money Entities
Entity Mogadishu Puntland Jubaland
2.2 Objectives
In order to fulfill the mandate in the terms of reference, a rapid assessment of the institutional and ICT
capacity of the participants (CBS & Somali Banking Institutions) was undertaken. The rapid assessment
included other non-bank payment service providers and examined whether the CBS, CBS branch office in
Jubaland State, State Bank of Puntland and the licensed banks and non-bank payment service providers
e.g. Mobile Money Providers operating in Mogadishu and State of Puntland have the requisite institutional
and ICT capacity to participate in an electronic NPS. The assessment was undertaken towards fulfillment
of the following objectives:
• OBJECTIVE 1: Strengthening the pre-procurement process for the NPS
• OBJECTIVE 2: Providing a clear picture on industry preparedness for the NPS and,
• OBJECTIVE 3: Ensuring the highest opportunity to achieve success of the envisioned NPS intervention.
2.3 Approach and Methodology
A rapid assessment was undertaken of targeted institutions. The approach applied was based on the open
systems methodology which looks into an organization as a unit or a network of organizations as a system.
The approach looked at the targeted institutions as a system consisting of interacting and interdependent
elements whereby the institutions obtain inputs, use the inputs for processing and produce outputs.
In the context of the rapid assessment for NPS participants, the open systems model was applied
generically across the CBS (and branches), SBP (and branches), Commercial Banks and mobile money
service providers.
The institutions were viewed as black boxes which paved the way for adoption of an investigative
approach in determining compliance to core functions, their means of fulfillment, the outputs generated
and their strengths and opportunities.
In addition, the open system approach allowed the assessment to be undertaken inside the boundaries
of the target institutions by way of definition of key factors and dimensions needed to assess capacity.
Scoring was accorded on pre-defined scales whereby resulting scores were used to determine maturity
levels, and opportunities that exist for onward work to be undertaken towards preparing target
institutions for participation in the anticipated NPS initiative.
The following diagram depicts application of this methodology:
Enquiry
• Informal meetings
• Review of empirical information
• Perceptive targeted discussions
Visits
• Invitations
• Opening presentations and discussions
• C-Level guided questions
• Functional area interviews
• Facility inspection
Reporting
• Information synthesis
• Data analysis and categorization
• Statistical analysis
• Draft report preparation
• Presentation preparation
• Final report preparation
Figure 3: Approach and Methodology
Analyzed assessment results contained in this report are presented in two (2) forms as shown in table 1
below:
Form: Assessment
Narratives: where qualitative feedback was obtained by way of interviews, observations, interactions and review of institutional information
Statistical: where quantitative data was gathered and analyzed, with resultant data generated
Table 1: Analysis of assessment results
Statistical data has been derived using the following methodology:
Methodology
Scoring: Individual interview questions were scored on a scale of 1 (low) to 4 (high) where:
1 equates to 25% weighting
2 equates to 50% weighting
3 equates to 75% weighting
4 equates to 100% weighting
% Weighting: Actual total summation of scoring for interview questions in a given category, divided by the sum of highest scoring expected (4 as the determinant, multiplied by the number of interview questions in the category), expressed in percentage terms
Table 2: Deriving statistical data
Information Technology and Organizational assessment tool kits were developed for use over the
assessment period. Areas assessed have been used to categorize responses from respondents,
observations made during visits and information gathered during extensive interactions held with line
management in each organization.
The following sections present interactions held with targeted institutions based on target organization
availability, target group availability and submission of feedback obtained. It goes further to cover the
assessment objective, key gaps identified and opportunities identified for NPS readiness.
3. CBS Organizational Assessment
3.1 Overview
The executive of the CBS cleared the commencement of the survey across all target locations signifying
their support to have the exercise undertaken. Questionnaires were released to the Director of IT for
onward coordination and collection of feedback ahead of onsite interviews that were held by ALCOR on
target CBS departments. Consequently, duly filled questionnaires and feedback were submitted and
follow-up discussion and clarification meetings primarily held with Director of IT, nominated CBS technical
consultant and SCORE office focal point while input from Supervision department was obtained which
covered legislation.
Central Bank of Somalia
ASSESSMENT CATEGORY | INDICATORS | COMMENTS
Executive Meeting | | Briefing meeting held with CBS executive to obtain their feedback and buy-in
Questionnaire Submission | | Both organizational and IT questionnaire feedback obtained
Interviews:
IT | | Interview held with Director IT, feedback obtained
Operations | | Director of IT offered responses
Finance | | Director of IT offered responses
Supervision | | Discussion held and feedback obtained
Table 3: Expected Assessment Respondents
The CBS assessment looked into areas listed under categories in the table below. These were scored and
weighted based on responses received from the assessment questionnaires with a view to identifying
opportunities for capacity building and support required to prepare the Bank for the NPS initiative. A
summary of findings based on perception is provided in the table below;
Scale: 1 = 25% (< 25%); 2 = 50% (up to 50%); 3 = 75% (up to 75%); 4 = 100% (up to 100%)
CATEGORY | WEIGHTING | TOTAL SCORING
Legal | 43% | 31/72
Environmental | 66% | 21/32
Organization and Methods | 52% | 29/56
Staffing | 55% | 11/20
Organization Culture | 25% | 7/28
Work Environment | 65% | 13/20
Process | 33% | 17/52
OVERALL | | 129/280
Table 4: CBS Summary of Scoring and Weighting
3.2 Legal Assessment: Gaps and Opportunities
Objective: To assess the extent to which legal frameworks have been established to support NPS and
supporting legal requirements.
Gap:
• Supporting NPS and MTB legislations not in place.
• Inadequate legal framework for NPS
• Legal framework not uniformly adopted between FGS and Federal states
Opportunities Identified
• Establish transactional law: National Payments; Negotiable Instruments; Electronic Payments; Electronic Evidence
• Establish Institutional Laws for: State Banks; MTB; Micro Finance; Insurance
• Establish FI Supporting law: AML / CFT; Escrow; Deposit Protection; Consumer Protection
• Benchmark Central Bank and FI laws to regional & “like” countries
Priority 1 Priority 2 Priority 3 Priority 4
Figure 4: Legal Enhancement Opportunities
3.3 Environmental Assessment: Gaps and Opportunities
Objective: To assess the external operating environment and extent to which CBS functions are positioned to
support NPS participants covering settlement risk, supervision, industry interactions & communications
Gap:
• Communications function is undefined / basic and may be inadequate for NPS PR, Marketing and
Communication needs
• No focused consumer education and awareness capability
• Supervision framework does not include NPS;
• Prudential / industry guidelines not developed and do not include (ATS/SWITCH/MTB)
• Settlement risk mitigating controls not established
3.3.1 Communications Function
STAGE 1 - Undefined: NO STRUCTURED INDUSTRY INTERACTIONS
- No defined strategy
- Low leadership awareness
- No established processes
- IT controls media
STAGE 2 - Progressive: STRUCTURED INDUSTRY AND CONSUMER FOCUS
- Strategy developed
- Event based communication
- Executive sponsorship
- General email communication
- Manual contacts database
STAGE 3 - Mature: INTERACTIONS AND FOCUS MEASURED FOR EFFECTIVENESS
- Strategy implemented
- Benefits realization
- Elevated executive interest
- Professional targeted communication
- Electronic based contact
- Media house and influencers
Immediate Need
Figure 5: Communications Function Strengthening Opportunities
3.3.2 Supervision Framework
The payment system is the infrastructure (comprised of institutions, instruments, rules, procedures,
standards, and technical means) established to effect the transfer of monetary value between parties
discharging mutual obligations. Technical efficiency of the payments system determines the efficiency
with which transaction money is used in the economy and the risks associated with its use. An efficient
payment system reduces the cost of exchanging goods and services, and is indispensable to the
functioning of interbank operations including settlement capabilities required for National Switch
inter-operability. A weak payment system will severely impact the stability and developmental capacity of the
Somalia financial sector and overall economic activity; its failures can result in inefficient use of financial
resources, inequitable risk-sharing among agents, actual losses for participants, and loss of confidence in
the financial system.
The oversight function needs to be developed and strengthened with a view to ensuring the financial
and technical integrity of the payment system, its robustness against shocks, and its overall efficiency
through rules and standards, monitoring and enforcement.
The CBS will be required to establish guidelines on payment system operations as these raise systemic
risks. In this regard, the CBS Supervision function should be enriched to include complementary
responsibilities provided in the table below;
Role of CBS:
• Develop rules and guidelines
• Assess and enforce compliance
• Promote industry collaboration
• Ensure system functioning
• Promote NPS evolution
Operational Objectives:
• Development of efficient, reliable, safe, & stable payment systems
• Consumer protection and confidentiality
• Expansion and integration of payment services
• Prevention of violations, breaches and criminal abuse
Intermediate Objectives:
• Fair and competitive market environment
• Cooperation convener
• Sound legal and regulatory foundation
Instruments:
• Rules & incentives
• Policy dialogue
• Surveillance
• Data mining
Targets:
• Governance
• Participation
o Participant access
o Risk control
o Info. transparency
o Pricing
o System viability
o System evolution
o Settlement risk
Scope of Action:
• Commercial Banks
• Mobile money providers
• Service providers
• Instruments and services
• Technical Infrastructure
Types of Action:
• Cash margin
• Escrow accounts
• Inspections
• Crisis management
• Consumer protection
• R&D
• Technical resources
Table 5: Supervision Framework Enhancement Opportunities
3.3.3 Organization and Methods
Observation: To assess the internal operating environment, payments strategic focus, institutional,
functional arrangements and role clarity
Gap:
• Payments function not in place
• Selection criteria for required incumbents not defined
• Role based functions in areas of IT, Finance and Operations not fully adopted
• Delegated limits and levels of authority not defined
• Comprehensive standard operating procedures not documented
Organization and Methods Current Indicators
Figure 6: Organization and Methods Indicators
Organization and methods capabilities represent key competencies that CBS needs to develop in
readiness for its upcoming NPS accountability. Addressing these basic organizational needs will allow CBS
organizational resources i.e. human, physical environment, supporting tools and structural resources to
be correctly engaged in achieving required operational objectives.
It is imperative that in the course of implementation, the vendor and CBS establish operational
requirements so as to identify supporting process activities that need to be addressed such as
establishment and management of interbank accounts, settlement mechanisms, financial risk
management, user access controls, reporting standardization, and application of penalties among others.
3.4 Staffing, Organization Culture and Work Environment
Objective: To assess staffing levels and expertise so as to guide NPS training and development needs
(soft skills, functional and technical)
Gaps:
• Adoption of training development and study tour plans for Operations, Finance and IT
• Evaluation to establish needs for communications, change management, supervision and research
Objective: To assess the organization culture and level of employee engagement towards establishing
complexity of change management interventions required
Gaps:
• Responses not obtained to questions under this category.
• Stakeholder identification, planning and management will be required towards preparing the CBS
environment for change
• It was not apparent whether a formal HR policy that sets out compensation for extended work hours
among broader employee relations exists
Objective: To assess the physical staff work environment and determine influences identified factors
have on organizational culture and staff motivation
Gaps:
• There is an opportunity to improve the quality of common staff facilities used by majority of staff e.g.
providing improved catering area, adequate hygienic ablution facilities
The assessment undertaken in this category sought to establish the levels of employee engagement,
employee attitude towards work and work environment ergonomics towards informing the change
management intervention approach required to support the NPS project.
Inability to hold one-on-one interviews with Directors of Operations and Finance may have resulted in
collection of perceptive responses in some categories of the institutional toolkit. It is noted that the scope
of implementation affects these departments as well as Communication, Research and Audit and it is
recommended that an organizational change management intervention be established to identify,
manage and support stakeholders within and outside the CBS.
Priority is called for in this area noting that the extent of NPS implementation support, and post
implementation operational stability is hinged on stakeholders collectively understanding the scope of
change, its impact on routine operations and actions required to drive a hearts and minds initiative across
all CBS staff levels, direct and indirect NPS participants.
In the case of CBS, the institution will be accountable for ensuring soundness of the day to day NPS
operations thereby servicing the needs of participants and the public in line with industry and
international best practice. Extended working hour arrangements to cater for exceptional incidents
where clearing and settlement mechanisms are delayed due to uncontrollable system or work
environment accessibility factors need to be considered.
3.5 CBS Recommendations
The following diagram summarizes capabilities that need to be initiated or uniformly adopted and those
that are work in progress and need to be carried through to implementation so as to strengthen CBS
organizational capabilities. It is worth mentioning that the model should be considered as the benchmark
for CBS Jubbaland branch and State Bank of Puntland as well so as to establish alignment between Federal
and State level CBS branches and SBP operating frameworks.
Figure 7: Summary of institutional wide organizational capabilities required
Organizational Capabilities Required
Index: Short term priorities; Medium term priorities; Long term priorities
Legend: Improvement Opportunity; Not Developed
• Governance and Policies: Board independence; Defined board mandate; Institutional policies
• Business Model: Core functions value proposition (what, for who and why)
• Operating Model: Develop institutional and Directorate value maps (how the business model will be operationalized)
• Research & Statistics: Statistical data & analysis; Board & public reporting; Economic data
• Risk & Compliance: Financial & non fin. Risk; Internal audit assurance; Compliance & legal
• Supervision: Enforcement; Industry collaboration; Industry capacity building; Supervision framework
• IT Systems Roadmap: Systems needed to enable Directorates; Technology roadmap (IT systems & organization evolution)
• Legal Framework: CBS, FI, MTB, Micro Finance laws; NPS & other supporting legislation; Regulatory guidelines
• Organization and Methods: Organization structures; Directorate & role TOR’s; Std operating procedures; COA standardization; HR development; Report & MIS Integrity
4. State Bank of Puntland
4.1 Scope
Emphasis in this section is given to the State Bank of Puntland (SBP) which will be a potential indirect NPS
participant and is a target for extension of the CBS core banking and financial accounting (FACTS) system
capabilities. Challenges relating to Jubaland will also be discussed. The geographical scope covered
included physical visits to locations in Puntland State (Garowe, Qardho, Bosaso) and Jubaland State
(Kismayo).
4.2 Objectives
The SBP assessment looked into areas listed in the table below. These were scored and weighted based
on responses received from the assessment questionnaires as well as additional feedback and clarification
gathered during onsite meetings. The objectives of this exercise aimed at preparing the Bank to receive
the Core Banking and Financial Accounting (FACTS) extension initiative are provided as follows;
4.3 Organizational Capabilities Assessment
The Governor of the SBP hosted a very cordial, welcoming and participatory opening session where he
provided comprehensive responses to a set of guided questions in addition to volunteering additional
substantive background information, challenges encountered, matters of SBP governance, the SBP
operations, aspirations among others. The opening session concluded with the Governor taking the
consultants through a face to face introductory tour of all work areas and SBP staff.
Upon visiting all directorates and SBP branches in Qardho and Bosaso, a closing workshop was held with
all directorates in Garowe convened by the SBP Director General where a summary field report was
presented.
State Bank of Puntland
ASSESSMENT CATEGORY | INDICATOR | COMMENTS
Executive Meeting | | Constructive and informative session held
Questionnaire Submission | | Both organizational and IT questionnaire feedback obtained
Interviews;
IT | | Interview held followed by post branch visit meeting
Operations | | Interview held followed by post branch visit meeting
Finance | | Interview held followed by post branch visit meeting
Human Resource | | Interview held followed by post branch visit meeting
Policy & Planning | | Interview held followed by post branch visit meeting
Administration | | Interview held followed by post branch visit meeting
Table 6: Expected Assessment Respondents
4.4 Governance and Policy Framework
4.4.1 Corporate Governance
Article 111 of the Puntland Constitution outlines the structure of the SBP board as follows;
One director from each of the following - Ministry of Commerce and Industry; Ministry of Finance; 3
from Chamber of Commerce; 1 from SBP – Director General to act as secretary to the board, Governor
of SBP who is to also act as Chairman to the Board.
The Governor has written to the above institutions to nominate their representatives as soon as possible
so that a formal board of directors can undertake the oversight role required under good corporate
governance practice.
Gap
• The Board is currently not constituted
4.4.2 Legal Framework and Institutional Policies
The Bank is anchored in the Puntland State constitution but is lacking a modern representative State Bank
Law that aligns with considerations given in the Federal Government constitution. Consequently, SBP is
an independent entity formulated under the Federal State Government of Puntland and derives its
mandate from legacy law which does not conform to the FGS Central Bank or Financial Institution Laws.
The Governor is a Presidential appointee and is not accountable to the FGS. The independence is
reinforced by the absence of legislated federal arrangements, supporting law and lack of inter-
governmental or inter-institutional memorandums of understanding.
The absence of required legislation and federal working arrangements compounds the understanding of
the SBP mandate and ability to develop sound policies. In this regard, the lack of clarity on its mandate
and policies presents challenges in SBP’s ability to develop role based TOR’s at an executive level that
align with required legal and policy frameworks.
Having said this, it is noted that there are ongoing consultations and dialogue between CBS and SBP.
Gap
• Legal framework not adequate
• Legal framework not aligned with FGS
• SBP mandate not clear
• No established institutional policies
4.5 Business and Operating Model
4.5.1 Business Model and Strategic Plan
SBP has not established a strategic plan aligned to its mandate. The mandate needs to be clarified through
a modern representative State Bank Law that outlines SBP core functions, role and accountabilities.
Establishment of such law will give way to development of a focused strategic plan and development of a
roadmap to guide adoption of interventions that will better articulate the SBP business and overall
operating model aimed at transforming the Bank’s mode of engagement relative to CBS and Financial
sector participants.
Gap
• Strategic plan and business model not established
4.5.2 Operations Model
4.5.2.1 Organization and Methods
The WB funded Capacity Injection Program (CIP) undertook a State wide Human Resources (HR)
assessment of all Ministries, Government Departments and Agencies in 2014 that resulted in
recommendations to hire employees for government agencies to fill 6 common roles. For SBP, 6
employees were hired to fill the following roles:
o IT
o Finance
o Planning
o HR
o Supervision
o Procurement
Subsequently, there have been no further interventions to build institutional capacity and invest in the
training and development of the CIP and existing SBP staff.
Whilst an organizational structure formulated under the CIP initiative exists, there are misaligned /
misplaced roles and responsibilities; specifically, it is noted that they do not align with core functions of
State Bank of Puntland in other Federal systems of Government e.g. Ethiopia, Nigeria, South Africa,
Pakistan etc. Arising from the lack of mandate clarity, organogram misalignment among others, roles
defined in the organogram do not complement each other effectively towards establishing a working
organizational value chain. As a result, incumbents are not clear on what their job roles entail and secondly
they have not been equipped with knowledge and skills required to fulfill their modern day roles and
responsibilities.
In the absence of role based clarity, standard operating procedures cannot be developed. However, it was
noted that the staff understand the flow of routine work, they demonstrated the ability to follow this
process through on a day to day basis, and can induct new staff by way of verbal knowledge transfer and
desk based coaching.
Gap
• Operating model not defined
• Organization structure not adequate
• Departmental and role based TOR’s not established
4.5.2.2 Operating Environment
Currently, there isn’t a defined operating model. Further, customer segments, alternative channels, credit
management and supporting banking functions have not been established. For purposes of SBP, the
operations model designed for CBS can be enriched to incorporate retail operations and institutional
support functions.
The Bank has six (6) fully operational branches that are geographically dispersed as provided in the map
under diagram 1. The State of Puntland enjoys relative peace and security compared to Mogadishu and
shoulders two (2) sea lines i.e. The Gulf of Aden and The Indian Ocean.
All banking operations are manually managed under maker, checker, and approver process controls which
are applied for all operating processes that were reviewed during the visit. There are clear segregations
of roles and responsibilities along the transaction and financial accounting lines. All transactions and
booking records are held manually and recorded in the following primary and secondary cards;
• Manual ledger and booking cards are updated on fixed schedules as follows:
o Daily - Customer ledger and cash book
o Day 10 - Control ledger
o Day 30 - Consolidated ledger and trial balance
• The above ledger process is adopted across all branches
• HRMS data is held centrally in an MS_ACCESS database
The Bank runs a Retail Operation in addition to fulfilling its primary duty of Government revenue
collection. All inland and local authority revenues, taxes, fees are collected and banked into the Treasury
Single Account (TSA) held at the SBP. Due to the lack of automated processes, Amal Bank is an appointed
collector of government revenue and fulfils this function under disclosure to the Accountant General.
There is no established mechanism by which balances held at Amal Bank are updated into the SBP TSA
position. This is attributed to SBP operating in a manual processing environment relative to Amal Bank
which operates off a fully automated environment. Similarly, the Accountant General obtains electronic
account information faster from Amal Bank compared to SBP which needs to generate a manual account
statement.
It follows that cash management operations of the Ministry of Finance driven by activity in the TSA are
fragmented between SBP and Amal Bank and require the Accountant General to prepare consolidated
positions.
The bank has not yet established support functions such as Banking Operations and payments, IT
organization, Credit Management, Risk Management, Marketing and Communication, Internal Audit,
Customer Service among others. Due to the nature of its non-regulatory role, SBP has on-boarded business
entity and consumer accounts by default at its Bosaso sea port city branches. This has eased delays for
the business and consumer entities who seek to make payment for government taxes, fees and levies.
Traditionally as is the case for non-account holders, monies would need to be withdrawn from other Banks
or money transfer entities and be physically deposited into the TSA account at Amal Bank or SBP.
Being a Sea Port City, Bosaso is the busiest branch out of the six (6) SBP operational branches. The branch
has an agency located in the port cash registry that is shared with the Ministry of Finance. Collocation of
SBP and the MOF revenue department has realized the establishment of a seamless manual work flow
between both entities servicing sea port customers. The agency operates two (2) daily work shifts to
support extended port operating hours.
Transactional data statistic counts are provided in the table below except Qardho branch for which data
was not submitted;
CATEGORY | CASH DEPOSIT | MOF Transactions | CASH WITHDRAWAL | IBT | TL | Avg Daily
Transaction Type | Rv | F35 | 8/C | Slip | PV | B/dro | 14/c | Chq | 18/dir | TL | Avg Daily
Bosasso | 5,423 | 278 | 307 | 677 | 169 | 60 | 150 | 14 | 90 | 7,168 | 299
Garowe | | | 871 | 1,406 | | 86 | 428 | 957 | 0 | 3,748 | 156
Galkaiyo | 2,334 | 130 | 164 | 59 | 24 | 32 | 27 | 40 | 0 | 2,810 | 117
Totals | 7,757 | 408 | 1,342 | 2,142 | 193 | 178 | 605 | 1,011 | 90 | 13,726 | 572
Table 7: Transactional data statistic counts
Gap
• Lack of automated business processes
• Lack of financial accounting and reporting automation
• IT and banking operations organizations not established
• IT infrastructure design and implementation not in place
4.5.3 Technology capacities
A substantive IT resource was recruited under the CIP program; however, a formal department has not
been established. This is attributed to minimal use of banking software necessitating the establishment
of IT demand management and enablement on the supply side.
The bank has a couple of computer desktops in place; however, these are not interlinked through a WAN
and therefore operate on a standalone basis. There is no established IT infrastructure comprising the
WAN, hardware, software, telecommunications, security installations or a computer room. The IT
assessment section of this report covers these findings in detail and provides recommendations.
The environment presents a positive green-field environment to implement a well laid out IT environment
designed to service the needs of all the 6 active branches in a phased manner.
4.5.4 Financial Accounting
The Directorate receives day-10 control ledgers after every 10 business days; this is followed by
submission of day-30 general ledger cards and accompanying trial balance. Submissions are made by each
of the six (6) branches upon which the Garowe Director of Finance and Accounting facilitates consolidation
of the financial data thereby generating monthly financial statements through the use of MS Excel. There
is no form of accounting software in use to provide electronic business continuity or data recording and
retention in conformance to in-built financial controls and standards.
The opportunity exists to deploy the ERP application suite to service financial accounting and HR
automation needs.
4.6 SBP Recommendations
4.6.1 Institutional Framework
Legislation & Policy Framework (Long term)
• Legal framework gapping and formulation
• Legal framework alignment with FGS
• Review and finalize draft State Bank law
• Draft supporting institutional policies
• Develop SBP prudential guidelines for Financial sector group with alignment to CBS
Governance (Medium Term)
• State Bank benchmarking study tours for key staff
• Board formalization and implementation
• Develop a board mandate policy paper
• Adoption of Corporate Governance best practice principles
• Establish an MOU with Mogadishu on role of state bank relative to the role of CBS
Organization Design (Medium Term)
• Design the Business and Operations model
• Develop a strategic plan
• Re-fit top level organogram based on benchmarking study findings
• Establish medium term organograms
• Development of departmental and role based TOR’s
• Develop the IT roadmap
Table 8: Institutional framework recommendations
4.6.2 Operating Capabilities
IT Enablement (Short Term)
• Document the envisaged IT topology
• Define requirements for SBP FACTS capabilities
• Identification and procurement of required services
• Implement infrastructure - H/W, security, telecommunications
• Implement FACTS
Human Capital (Short Term)
• Develop role based JD's / TOR's
• Match existing FTE to proposed organogram
• Gapping and procure CIP for critical posts
• Develop induction, training and development plans
Fulfillment (Short Term)
• Define chart of accounts & reporting requirements
• Document standard operating procedures
• Analyze and workshop "as-is" and "to-be" processes
• Organizational and people change management
Table 9: Operating Capabilities Recommendations
5. CBS Jubbaland branch Assessment
It was established that the CBS Jubaland branch while established, is not as yet fully operational;
consequently, the Ministry of Finance TSA account is operated at Salaam Bank. The State is in its early
formative stages and in need of significant institutional capacity building support to implement the various
facets of organizational capabilities.
5.1 Summary of Key Observations
• The financial sector is dominated by Hawalas and Commercial Banks
• Jubaland Ministry of Finance currently uses a CBS branch in Kismayo it refurbished as its inland
revenue collection point
• Seaport and airport revenues are managed separately by officers appointed by the President
• Jubaland is facing a myriad of challenges in undertaking financial sector reforms including
budgetary constraints as well as lack of technical capacity
• There is lack of legal framework and memorandum of understanding to guide the establishment
of a State Bank or modus operandi for a CBS branch within Jubaland
• State of Jubaland has partnered with PREMIS which is a project funded by EU, to provide capacity
building and other technical support for the Ministry of Finance of Jubaland.
• MoF have installed Financial Management Information System (FMIS) (no correlation to Somalia
FMIS and has much lower capability) for management of government revenues.
• MoF is planning to undertake an assessment for the establishment of a State Bank and is in
discussion with PREMIS, however not much progress has been made due to funding constraints
• The World Bank currently pays salaries for a number of MoF staff, as well as other civil servants
through an established program under Recurrent Cost of Reform Financing (RCRF).
5.2 Recommendations
Immediate - SCORE Program Implementation Unit (PIU) establishes contact with the Jubaland MOF
with a view to establishing mechanisms to progress work that has been initiated by PREMIS. In so doing,
the existing PREMIS roadmap can be refocused to align with SCORE objectives and priority areas.
6. Common ICT Infrastructure & Technology Capacity Assessment
This section of the report sums up the activities undertaken and findings of the on-site institutional and
capacity assessment of technologies and connected network infrastructure for the participants. The
assessment entailed on-site visits, focus group discussions and in-depth interviews and questions about
their common ICT infrastructure and core banking technologies, innovations around their technology
solutions, and any challenges that abound and their overall preparedness in terms of a firmed up
technology and infrastructure setting that would allow them to effectively participate as a regulator in an
integrated National Payment System.
The assessment attempted to get an understanding of the core ICT competencies of the CBS and state
bank of Puntland and CBS branch office in Jubaland looking at IT developments and implementations at
the infrastructure and technology level.
It examined the technology at the participants’ branches as seen in the eyes of the banks’ IT leadership
and based on evidence adduced during on-site visits and through literature, peer and customer reviews
in comparison to globally accepted industry standards, providing a framework through which we could
gauge the banks’ capability maturity.
In order to effectively structure the assessment, the exercise targeted two key focus areas namely; ICT
Technology Capacity and Common ICT Infrastructure Capacity. Each focus area was further divided into
key thematic areas aimed at gauging competencies in respect to various IT sectors.
The technology capacity assessment covered the following six thematic areas:
• General
• Core Banking System Compliance
• Core Banking System Integration
• Security
• Transaction & reporting
• Support, Training and documentation
The common ICT infrastructure capacity assessment covered the following four thematic areas:
• General
• Servers
• Internet Connectivity & WAN
• Network Security
This assessment examined how well equipped and prepared Somali financial regulatory institutions i.e.
CBS, CBS branches and CBS Jubbaland branch and State Bank of Puntland are to face new trends,
developments and challenges in anticipation of the implementation of the integrated National Payment
System.
6.1 Thematic area description
In order to gauge capability maturity, we attempted to link trends in business, technology and consumer
satisfaction and behavior to CBS and CBS Jubbaland branch and State Bank of Puntland’s technology
implementations, IT strategies, innovations and any other strategies they have put in place to deal with
the future including investments in new IT systems and infrastructure platforms with key thematic areas
attempting to answer questions like: Did they have a well-defined plan for their overall ICT network across
their sites? Did they have an Enterprise equipment replacement plan? Do they have DR sites? Which
database(s) run on the core banking system? Which primary bank functional areas does your core banking
solution cover? Etc.
Descriptions of the key thematic areas in each of the focus areas i.e. the ICT capacity assessment and
common ICT infrastructure assessment are provided in Figures 8 and 9 below.
6.1.2 Technology Capacity Assessment thematic areas
Figure 8: Technology Capacity Assessment thematic areas
6.1.2 Common ICT Infrastructure Assessment thematic areas
Figure 9: Common ICT Infrastructure Assessment thematic areas
6.2 Key findings
The assessment of ICT infrastructure and technology covered two (2) broad focus areas, namely common
ICT infrastructure and technology capacity. The data that was collected helped to quantify and to gauge
the competence and preparedness of the institutions with regards to the resilience and robustness of
their core ICT infrastructure and also the strength of their software implementations in terms of security,
scalability, integration, and support.
We particularly covered several aspects of hardware and support technology infrastructure including but
not limited to ICT equipment, servers, LAN & WAN, internet, firewalls, and policies. Our survey
instruments and toolkits helped us to identify gaps and weaknesses inherent in the organizations and
aided in pinpointing any opportunities for improvement and how ICT applications can be infused to
enhance quality and efficiency. This section provides an analysis on ICT capacity for financial institutions
and identifies gaps in each of the focus areas.
6.2.1 General
Looking at the overall ICT infrastructure setting and gauging the general ICT network setting and high level
planning, equipment, support and backup options available, the assessment found that technology gaps
on the general setting of the financial institutions’ common ICT infrastructure can be explained by:
- Organizations lack enterprise-wide network plans that describe the overall ICT network across the
  site (Topology, Distribution, Nodes, VLANs)
- Lack of continuous, mandatory, external independent benchmark ICT Infrastructure security
  audits and benchmarking
- Lack of stringent policies governing end-of-life management for networking & ICT equipment,
  as enterprise equipment replacement plans exist in principle but are not documented and not
  enforceable and/or enforced
- Lack of a DR site for backup and failover when the primary sites are down
- Lack of proper infrastructure to support internet access
- Frequent occurrence of power outages and lack of adequate power backup sources
- Lack of network connectivity and ICT equipment on site
Figure 10: Institutions with ICT network plans
67% of the Somali financial regulatory institutions do not have any plan describing the
overall ICT network on their sites. Save for the CBS, which has a basic high-level description of
its ICT network plan, the CBS Jubbaland branch, the State Bank of Puntland and the CBS
branches all lack such plans, meaning the networks have no proper design and have been
implemented in a haphazard manner.
The same numbers apply to benchmark ICT security audits: the CBS Jubbaland branch, the State Bank
of Puntland and the CBS branches (67% of the institutions) have not had any such audits done on
their sites, and the audits done at the CBS were carried out by independent individual
consultants and not by recognized ICT security audit firms, so there are no
certifications for the ICT security audits done.
There is also a lack of policies governing how frequently such audits need to be undertaken.
All the institutions surveyed also lacked Enterprise equipment replacement plans governing end of life
management for networking & ICT equipment. This means that there are no mechanisms for tracking
depreciation of equipment in use within their networks, gauging number of years equipment have been
in use against useful life and decommissioning and replacing old equipment.
The CBS branch in Jubaland does not have any proper local area network configured while the State bank
of Puntland has a rudimentary network without a specifically configured or documented topology. The
remote sites in the branch and state bank do not have power backups to support the primary power
sources despite the fact that more than half (50%) experience frequent power outages.
The institutions use both wireless and hardwired internet access channels. The most popularly used
hardwired internet access channel is cabled internet access (40%), with ISDN, leased lines and digital
subscriber lines having an equal share at 20%.
Figure 11: Hardwired broadband internet access
Hardwired broadband access | %
Cable Internet access | 40%
ISDN | 20%
Leased lines | 20%
Digital subscriber line | 20%
Power-line Internet | 0%
Dial-up access | 0%
Multilink dial-up | 0%
ATM and Frame Relay | 0%
OC3 - Optical Carrier | 0%
Fibre Optic | 0%
Table 10: Hardwired broadband access channels
For wireless broadband internet access,
WiMAX and Wireless ISP remain the most
popular access channels used with each
having an equal share at 50%.
Wireless broadband access | %
WiMAX | 50%
Wireless ISP | 50%
Satellite broadband | 0%
Mobile Broadband | 0%
LMDS | 0%
Table 11: Wireless broadband access channels
6.2.2 Servers and data centers
The assessment sought to establish the institutions’ capacity in terms of their capacity to host systems, if
the hosting environments met the required standards, versions of operating systems used and
deployment environments available.
Figure 12: Organizations with Server rooms on site
The assessment found that 67% of the
institutions did not have server rooms on site
with only the CBS in Mogadishu having a fully
equipped server room.
The institution that has a server room still does
not meet all requisite standards, with lack of
proper access control and safety, raised floor
systems, and fire prevention.
Windows and Linux are the most commonly used server operating systems at 50% each, with HP
being the only server model used.
In terms of the server environments used for deployment, all the organizations use only
production/live servers and don’t have any staging/pre-production servers.
Save for the CBS, the branches, the CBS Jubbaland branch and the State Bank of Puntland don’t have DR
sites, and all their data and information reside solely in their primary sites, if any. The CBS is still prone to
complete shutdown in case of failure of the primary site, as the DR site is located in the same premises as the
primary site.
6.2.3 Internet connectivity and WAN
The assessment looked at the broad aspects of internet connectivity and policies and measures around
utilization of internet resources in the organization, gauging aspects of connectivity strengths, bandwidth
management, internet backup, monitoring of network resources, IP allocations and file and data transfer.
From the analysis of the findings, gaps on internet connectivity and WAN can be explained by:
- Poor internet access or lack of access to the internet
- Lack of or poor understanding of the internet package/plan provided to the organization
- Organizations not having policies to ensure that mission-critical systems like core banking
  applications and enterprise resource planning systems are accorded dedicated bandwidth to
  ensure uptime and prevent unexpected interruptions from non-essential systems utilizing
  network resources
- Lack of bandwidth management policies and technologies to track utilization of and/or
  manage internet resources and reduce incidences of misuse
- Institutions lacking reliable backup internet in case of downtime or failure from the ISP
- Lack of policies and procedures governing IP address allocations
Institutions that have internet access receive monthly bandwidth speeds of 6-10 Mbps (50%) and 16-20
Mbps (50%), with the majority of the packages provided being shared internet access.
The assessment also showed that the institutions had fairly good access to the internet, with most stating that
internet connection quality was good to excellent, while the CBS Jubbaland branch had no proper access
to internet resources.
A sizable majority of the institutions (67%) still don’t accord mission critical systems dedicated bandwidth
leaving bandwidth resources open for all systems in the network. All the institutions do not have any
bandwidth management systems in place and none of the institutions utilize any bandwidth management
technology.
Figure 13: File transfer protocols used
The most popular file transfer protocols used are FTP, HTTP and HTTP each at 29% and TFTP coming last
at 14%.
Figure 14: Automated file transfer
Only 33% of the institutions automate the transfer of files between their institutions and trading
partners, and also automate the detection of failed file transfers.
Figure 15: Monitoring network resources
Many institutions (67%) also don’t monitor their network resources. For those institutions that
monitor their network resources (33%), the most monitored resource is bandwidth (50%), while
the other resources monitored include SNMP agents (50%).
6.2.4 Network security
We assessed the organizations’ network security capabilities looking at various aspects relating to security
including but not limited to secure file transmission, data encryption, remote access, password and
acceptable use policies, firewalls, and data backup methods. Based on the analysis of the findings gaps on
internet connectivity and WAN can be explained by:
- Storage of files without secure encryption methods and lack of intrusion prevention and detection
  systems
- Lack of policies clearly defining remote access prerequisites, content security and enterprise-wide
  network security policies, characterized by lack of enforcement of the same
The assessment revealed that all the institutions don’t have secure data and file transmission capabilities
and also don’t utilize encrypted file transfer protocols when moving files over private and public networks.
Wired Equivalent Privacy (WEP) is the only secure transmission method used, with Active Directory being
the only repository used for user authentication.
Figure 16: Remote access software tools used
Many institutions (67%) allow remote access to hosted enterprise applications, with Microsoft
Remote Desktop (40%) and TeamViewer (40%) being the most used remote access software
tools and other software tools (VPN) having 20% utilization.
Remote access software tools | %
TeamViewer | 40%
Microsoft Remote Desktop (RDC)/Apple Remote Desktop | 40%
Other | 20%
Splashtop | 0%
Chrome Remote Desktop | 0%
VNC | 0%
Table 12: Remote access software tools
For organizations that use VPN, the most popular method used is remote access with the IPSec
protocol, but none of the institutions has intrusion prevention and detection systems.
The assessment revealed that some institutions (33%) did not have firewalls or password policies or secure
password policies. SSID is the most popular method used to secure wireless networks followed by
Enterprise WPA2.
The institutions fell short of policy and compliance alignment with all the institutions lacking compliance
validation for all devices accessing their networks, remote access policy, antivirus policy, acceptable use
policy and content security policy.
6.3 CBS, CBS branch in Jubaland & State Bank of Puntland’s ICT Technology
The ICT technology assessment of the participants covered several aspects of core banking software
technology including but not limited to software compliance issues, integration, system security,
transactions and reporting, and training and documentation. As was the case with common ICT infrastructure,
the assessment on ICT technology was done by addressing key thematic areas, with gaps identified in each
of these thematic aspects.
6.3.1 General
Looking at the overall ICT technology at a high level and gauging the general technology ecosystem within
the institutions covering databases, deployment options, and functionality, the assessment found that
gaps on the general setting of the financial institutions’ ICT technology can be explained by:
- Lack of auditing and certification of software technologies implemented in the institutions
- Lack of any technology to support core banking services
- No standards for documentation, coding, scaling, integration, decommissioning and security,
  especially for software developed in-house
Figure 17: Core banking systems implementation
The assessment revealed that all the CBS
branches and State Bank of Puntland did not have
any core banking systems implemented and all
core banking processes were handled using
manual forms and systems.
Only the CBS in Mogadishu had a solution
implemented using TEMENOS T24 handling
mostly payment and origination and an ERP
implemented using Oracle handling largely HR
processes, and financial management and
accounting. The State Bank of Puntland had an HR management information system developed
using an Access database, which was used to handle all HR information for the State Bank of
Puntland at headquarters and in the branches in Quardo and Bosasso.
Oracle and MS Access are the most commonly used databases at 50% each, with all the mission-critical
systems hosted on dedicated servers.
6.3.2 Core Banking System Compliance
The assessment looked at the various compliance issues around core banking applications including
payment methods and requisite certifications required for financial systems. There were no major gaps
identified in relation to banking systems standards and compliance as the core banking system
implemented at the CBS is PCI-DSS compliant and is also accredited and meets the ISO27001 standards.
With the pending rollout of the core banking system to other CBS branches and implementation of the
same in the CBS Jubbaland branch and the State Bank of Puntland, it would be imperative that these
standards are maintained and complied with by all the institutions through the implementations, ensuring
that there is a model for establishing, implementing, operating, monitoring, reviewing, maintaining and
improving an information security management system.
6.3.3 Core Banking System Integration
The assessment of core banking system integration aimed at looking at how easily core banking systems
can be scaled up in terms of adding functionality to existing components and modules, and/or adding new
components and modules without adversely affecting the existing support operations of the system. The
assessment also looked at how open the systems are for integration with other systems.
The solution implemented at the CBS was built with an open architecture that allowed for integration and
exchange of data with other systems and had modules to support inter-bank domestic debit transfers and
integration with SWIFT. The solution however lacked a pan-enterprise support system which can lead to
challenges when building extensions on the core solutions for integration of the systems to NPS.
6.3.4 Security
The assessment looked at various aspects of systems security, broadly addressing the areas of authentication,
encryption, fraud detection and prevention, and audit trails. The assessment revealed that 33% of the
institutions have core banking solutions, and solutions that support cryptographic hash functions, meaning
a sizable majority of the institutions (67%) have weaknesses in terms of compliance with this essential
security requirement.
Figure 18: Systems using multi factor authentication
Despite controlled access being essential in securing the data and information stored by
systems, the CBS Jubbaland branch, the State Bank of Puntland and the CBS branches run systems
that do not have multi-factor authentication, e.g. 2FA, and as such do not have extra layers of security.
There are gaps in fraud detection and prevention as all fraud detection methods are not utilized, and it is
essential to enforce all the methods and techniques, including performed, predictive analytics, outlier
models and anti-money laundering, so as to cover all possible threats to the systems.
Other gaps in security still exist, as the CBS branches, the CBS Jubbaland branch and the State Bank of Puntland
don’t encrypt sensitive information in transmission to/from their systems and with any interfacing systems,
and run systems that don’t keep an audit trail of all user activities in the system.
6.3.5 Transaction & reporting
The assessment looked at core banking system capabilities related to transactions and reporting
addressing issues of high availability, number of transactions per second, high resilience and fault
tolerance, fail-over times, and benchmark figures for fail-over times. Gaps in core banking solutions’
transactions and reporting capabilities can be explained by:
- No standards and benchmark figures for minimum number of transactions per minute/second
- No documented target benchmarks for fail-over times and target/benchmark figures for the fault
  tolerance percentage
- Some weaknesses in reporting and analysis including predictive analytics, statistics on
  performance, transactions and security
- Report generation not automated, and largely characterized by inaccuracy and delays
Despite the fact that the core banking solution implemented at CBS had a dedicated module for full
transaction dispute resolution with inbuilt data analytics engine to provide real-time statistics on
performance, transactions, security status, the solution did not have customized models for prediction,
clustering and classification based on machine learning or statistical techniques.
The CBS core banking solution is hosted in High Availability mode / DR with a minimum uptime of
99.95% and is also configured to guarantee high resilience and fault tolerance, but there is no certification,
evidence of tests performed or documentation of benchmark figures for transactions per
second/minute, availability of metric elements used to benchmark fail-over times, or target/benchmark
figures for the fault tolerance percentage.
The configuration commonly used to ensure high availability is automatic failover to backup.
6.3.6 Support, training and documentation
The financial institutions were assessed to see if the core banking solutions they had implemented had
proper support structure provided by the vendors in terms of post implementation support programs,
training, knowledge transfer and capacity building and documentation.
Even though the CBS branch in Jubaland and the State Bank of Puntland do not have any core banking system
implemented, they also do not have any policies to guide the development of long-term programs for continued
training and knowledge transfer for systems that they implement, or to support continuous-improvement
project approaches.
The core banking solution at the CBS HQ in Mogadishu was in the final stages of implementation. There
were already knowledge transfer and training sessions underway, facilitated by external consultants.
There was also a long-term program for continued training and knowledge transfer to properly equip key
technical staff to independently run the core banking system.
The vendor of the solution also ensured that quality programs are embedded in the implementation
service and support continuous-improvement project approaches, and also provides programs for system
integration partners.
The knowledge transfer sessions will ensure the solution has in-house support. The warranty period is
still open, and the vendor is yet to sign a service level agreement with the CBS.
7. CBS and State Bank’s capability maturity assessment
The analysis of the CBS, CBS branch in Jubaland and State Bank of Puntland was done using a maturity
assessment framework with 5 maturity level indicators, which were used to measure each of the thematic
areas within the two main assessment focus areas: (1) looking into maturity in terms of the degree and
level of formality to which processes and systems are optimized, from ad hoc practices to formally
defined steps and practices, and (2) to managed result metrics, to active optimization of the processes.
The figure below represents the 5 maturity levels with the color codes from the maturity assessment
results.
Figure 19: Capability maturity assessment
The assessment looked into areas listed under categories in the tables below. These were scored and
weighted against the maturity levels based on responses received from the assessment questionnaires
with a view of gauging the institutions’ preparedness to participate in the NPS.
The analysis shows that the CBS branches and the State Bank of Puntland are at the Initial stage (the starting point
for use of a new or undocumented repeat process), while the CBS HQ is at the Managed stage (processes
are at least documented sufficiently such that repeating the same steps may be attempted), both in
technology capacity and common ICT infrastructure. Once the core banking system is launched and all the
loose ends are tightened, including sufficient knowledge transfer and sufficient training being concluded at the CBS,
the institution should move to the Defined stage, after which measures should be put in place, including
ensuring systems and processes are firmed up, to enable it to progress to the Quality Managed stage and
ultimately to optimization in the next three years.
For the CBS branch in Jubaland and state bank of Puntland, there are a lot of capacity building initiatives
that need to be initiated, including purchase and installation of hardware and software to ensure that
they move to the managed stage then slowly work on improving processes gradually moving them to the
managed and ultimately to quality managed and finally to optimized stage.
Summaries of the scoring and weighing are shown in the tables below.
7.1 Central Bank of Somalia maturity assessment
7.1.1 Common ICT Infrastructure maturity assessment
Category | Item | Capability maturity level (Initial, Managed, Defined, Quality Managed, Optimizing) | Total Score
General | Plan that describes the overall ICT network across the site | 3 | 3
 | Number of users in the network | 5 | 5
 | ICT Infrastructure security audits and benchmarking been done on the site | 2 | 2
 | Enterprise equipment replacement plan | 2 | 2
 | How long equipment been in use since commissioning | 3 | 3
 | Hastily Formed Network (HFN) plan | 2 | 2
 | Internet access channel(s) available in the site | 4 | 4
 | Primary source of power in the site | 3 | 3
 | Rate of recurrence of power outages | 4 | 4
 | Backup power source to support the primary power source | 4 | 4
 | Total score on General | | 3
Servers | Server rooms located on site | 4 | 4
 | Server room standards | 3 | 3
 | Servers used | 4 | 4
 | Server OS used | 4 | 4
 | Server environments used for deployment | 1 | 1
 | Total score on Servers | | 3
Internet Connectivity & WAN | Monthly bandwidth speed | 5 | 5
 | ISP Bandwidth provision package/internet plan provided to the organization | 4 | 4
 | Connection Quality | 4 | 4
 | Critical core business systems accorded dedicated bandwidth | 4 | 4
 | Bandwidth management systems in place | 1 | 1
 | Bandwidth management technology used | 1 | 1
 | Availability of Backup Internet Connectivity (VSAT?) | 1 | 1
 | Video conferencing | 3 | 3
 | File transfer protocols used | 3 | 3
 | Automate file transfer processes between trading partners and exchanges including detection and handling of failed file transfers | 1 | 1
 | Monitoring of network resources | 2 | 2
 | IP Address Allocations | 2 | 2
 | Total score on Internet Connectivity & WAN | | 2
Network Security | Secure data and file transmission capabilities | 2 | 2
 | Transfer files over public and private networks using encrypted file transfer protocols | 2 | 2
 | Secure transmission methods used | 2 | 2
 | Which repositories do you authenticate users against? (identity management) | 4 | 4
 | Securely store files using multiple data encryption methods | 4 | 4
 | Remote access to enterprise applications hosted | 4 | 4
 | Remote access software tools used | 4 | 4
 | Virtual Private Network (VPN) | 4 | 4
 | VPN protocols used | 4 | 4
 | Intrusion prevention and detection systems | 1 | 1
 | Firewall | 5 | 5
 | Password policy | 3 | 3
 | Secure wireless Network | 4 | 4
 | Compliance validation | 1 | 1
 | Remote access policy | 1 | 1
 | Antivirus Policy | 1 | 1
 | Acceptable use policy | 1 | 1
 | Content Security Policy (CSP) | 1 | 1
 | Data backup methods | 2 | 2
 | Total score on Network Security | | 2
 | Overall score on Common ICT Infrastructure | | 2
Table 13: CBS Common ICT Infrastructure maturity assessment
7.1.2 ICT technology maturity assessment
Category | Item | Capability maturity level (Initial, Managed, Defined, Quality Managed, Optimizing) | Total Score
General | Does your organization have a core banking system? | 5 | 5
 | How was the system acquired and/or developed? | 5 | 5
 | Which primary bank functional areas does your core banking solution cover? | 4 | 4
 | Does your organization have an ERP? | 4 | 4
 | How was the ERP system acquired and/or developed? | 5 | 5
 | Is the ERP integrated with the core banking system? | 4 | 4
 | The ERP & Core banking system share a General ledger and Chart of accounts to cover all accounting requirements of the bank | 4 | 4
 | Which non-core banking operations does the ERP handle? | 4 | 4
 | What are the hosting arrangements for the core banking system and/or ERP? | 4 | 4
 | Which database(s) run on the core banking system? | 5 | 5
 | For each of the following banking & finance functions, please state your system vendors/Solutions (if internally developed, state “Internal”) | 4 | 4
 | Total score on General | | 4
Core banking system compliance | Which payment methods are supported by the solution? | 3 | 3
 | Multi-currency support | 5 | 5
 | The system is PCI-DSS compliant | 3 | 3
 | The system is ISO27001 compliant | 3 | 3
 | The system is built along/compliant to ISO20022 standards | 3 | 3
 | Total score on Core banking system compliance | | 3
Core banking system integration | Solution has a ‘componentized’ architecture with a framework where modules can be added, upgraded or removed without the need for a complete solution revamp | 5 | 5
 | Solution has a Pan-enterprise support system - components to be moved/eliminated without affecting existing support configurations | 2 | 2
 | Is the core banking solution integrated to any Payment Switch? | 2 | 2
 | Does the system have any APIs that allow for integration with other systems? | 3 | 3
 | Solution supports inter-bank domestic debit transfer | 4 | 4
 | The system integrates with SWIFT | 5 | 5
 | Total score on Core banking system integration | | 3
Security | The system supports processing of transactions made by cards in a 3D secure environment | 4 | 4
 | System uses multi factor authentication e.g. two factor authentication (2FA) | 4 | 4
 | Access to the system is user and role based | 4 | 4
 | The system supports secure cryptography hash functions for securing digital passwords and login credentials and user access tokens | 3 | 3
 | The solution supports automatic generation of multiple RSA Public and Private Key pairs. | 3 | 3
 | Does the system have fraud prevention, detection and authentication modules, either in-built or as add on modules? | 4 | 4
 | The system encrypts sensitive in transmission to/from it and with any interfacing system | 3 | 3
 | System keeps audit trail of all user activities in the system | 4 | 4
 | System provides tools for filtering logs for use by Auditors | 3 | 3
 | Total score on Security | | 3
Transaction & reporting | System has a dedicated module for full transaction dispute resolution and chargeback cycle with all communicated entities | 4 | 4
 | System has inbuilt data analytics engine to provide real-time statistics on performance, transactions, security status | 3 | 3
 | Has customized models for prediction, clustering and classification based on machine learning or statistical techniques. | 2 | 2
 | The system supports a minimum of how many transactions per minute? | 3 | 3
 | The system is hosted in High Availability mode / DR and a minimum uptime time of 99.95 % | 1 | 1
 | Solution is benchmarked for minimum TPS (Transaction Per Second) of 100 and should be highly scalable as per the business demands and forecast. | 2 | 2
 | System configured to guarantee high resilience and fault tolerance | 1 | 1
 | Do you have target/benchmark figures for the fail-over times of different system components | 1 | 1
 | Provide target/benchmark figures for the fault tolerance percentage | 3 | 3
 | Total score on Transaction & reporting | | 2
Support, Training and documentation | The vendor/developer has a long term program for continued training and knowledge transfer? | 4 | 4
 | Quality programs are embedded in the implementation service and support continuous-improvement project approaches. | 4 | 4
 | Vendor provides programs for system integration partners | 3 | 3
 | Documentation provided by the vendor | 2 | 2
 | Vendor has proprietary rights over the solution | 2 | 2
 | There is an SLA between the vendor and the institution | 1 | 1
 | Is there in-house support for the solution? | 1 | 1
 | Does the solution have a warranty? | 3 | 3
 | Is the warranty period over? | 2 | 2
 | Is the vendor a local supplier or an international vendor? | 3 | 3
 | If the vendor is international, do they have a local presence? | 3 | 3
 | Total score on Support, Training and documentation | | 2
 | Overall score on technology capacity | | 2
Table 14: CBS ICT technology maturity assessment
7.2 State Bank of Puntland maturity assessment
7.2.1 Common ICT Infrastructure maturity assessment
Category | Item | Capability maturity level (Initial, Managed, Defined, Quality Managed, Optimizing) | Total Score
General | Plan that describes the overall ICT network across the site | 1 | 1
 | Number of users in the network | 5 | 5
 | ICT Infrastructure security audits and benchmarking been done on the site | 1 | 1
 | Enterprise equipment replacement plan | 2 | 2
 | How long equipment been in use since commissioning | 2 | 2
 | Hastily Formed Network (HFN) plan | 1 | 1
 | Internet access channel(s) available in the site | 2 | 2
 | Primary source of power in the site | 2 | 2
 | Rate of recurrence of power outages | 1 | 1
 | Backup power source to support the primary power source | 1 | 1
 | Total score on General | | 1
Servers | Server rooms located on site | 1 | 1
 | Server room standards | 1 | 1
 | Servers used | 1 | 1
 | Server OS used | 2 | 2
 | Server environments used for deployment | 1 | 1
 | Total score on Servers | | 1
Internet Connectivity & WAN | Monthly bandwidth speed | 4 | 4
 | ISP Bandwidth provision package/internet plan provided to the organization | 2 | 2
 | Connection Quality | 3 | 3
 | Critical core business systems accorded dedicated bandwidth | 1 | 1
 | Bandwidth management systems in place | 1 | 1
 | Bandwidth management technology used | 1 | 1
 | Availability of Backup Internet Connectivity (VSAT?) | 1 | 1
 | Video conferencing | 1 | 1
 | File transfer protocols used | 2 | 2
 | Automate file transfer processes between trading partners and exchanges including detection and handling of failed file transfers | 1 | 1
 | Monitoring of network resources | 2 | 2
 | IP Address Allocations | 1 | 1
 | Total score on Internet Connectivity & WAN | | 1
Network Security | Secure data and file transmission capabilities | 1 | 1
 | Transfer files over public and private networks using encrypted file transfer protocols | 1 | 1
 | Secure transmission methods used | 3 | 3
 | Which repositories do you authenticate users against? (identity management) | 3 | 3
 | Securely store files using multiple data encryption methods | 3 | 3
 | Remote access to enterprise applications hosted | 3 | 3
 | Remote access software tools used | 3 | 3
 | Virtual Private Network (VPN) | 1 | 1
 | VPN protocols used | 1 | 1
 | Intrusion prevention and detection systems | 1 | 1
 | Firewall | 1 | 1
 | Password policy | 2 | 2
 | Secure wireless Network | 2 | 2
 | Compliance validation | 1 | 1
 | Remote access policy | 1 | 1
 | Antivirus Policy | 1 | 1
 | Acceptable use policy | 1 | 1
 | Content Security Policy (CSP) | 1 | 1
 | Data backup methods | 1 | 1
 | Total score on Network Security | | 1
 | Overall score on Common ICT Infrastructure | | 1
Table 15: SBP Common ICT Infrastructure maturity assessment
57 | P a g e A L C O R
7.2.2 ICT technology maturity assessment Capability maturity level
Category
Init
ial
Man
age
d
De
fin
ed
Qu
alit
y
Man
age
d
Op
tim
izin
g
Total Score
General Does your organization have a core banking system? 1 1
How was the system acquired and/or developed? 1 1
Which primary bank functional areas does your core banking
solution cover?
1
1
Does your organization have an ERP? 2 2
How was the ERP system acquired and/or developed? 1 1
Is the ERP integrated with the core banking system? 1 1
The ERP & Core banking system share a General ledger and Chart of accounts to cover all accounting requirements of the bank 1 1
Which non-core banking operations does the ERP handle? 1 1
What are the hosting arrangements for the core banking system and/or ERP? 1 1
Which database(s) run on the core banking system? 1 1
For each of the following banking & finance functions, please state your system vendors/Solutions (if internally developed, state “Internal”) 1 1
Total score on General 1
Core banking system compliance
Which payment methods are supported by the solution? 1 1
Multi-currency support 1 1
The system is PCI-DSS compliant 1 1
The system is ISO27001 compliant 1 1
The system is built along/compliant to ISO20022 standards 1 1
Total score on Core banking system compliance 1
Core banking system integration
Solution has a ‘componentized’ architecture with a framework where modules can be added, upgraded or removed without the need for a complete solution revamp 1 1
Solution has a Pan-enterprise support system - components to be moved/eliminated without affecting existing support configurations 1 1
Is the core banking solution integrated to any Payment Switch? 1 1
Does the system have any APIs that allow for integration with other systems? 1 1
Solution supports inter-bank domestic debit transfer 1 1
The system integrates with SWIFT 1 1
Total score on Core banking system integration 1
Security
The system supports processing of transactions made by cards in a 3D secure environment 1 1
System uses multi factor authentication e.g. two factor authentication (2FA) 1 1
Access to the system is user and role based 1 1
The system supports secure cryptography hash functions for securing digital passwords and login credentials and user access tokens 1 1
The solution supports automatic generation of multiple RSA Public and Private Key pairs. 1 1
Does the system have fraud prevention, detection and authentication modules, either in-built or as add on modules? 1 1
The system encrypts sensitive data in transmission to/from it and with any interfacing system 1 1
System keeps audit trail of all user activities in the system 1 1
System provides tools for filtering logs for use by Auditors 1 1
Total score on Security 1
Transaction & reporting
System has a dedicated module for full transaction dispute resolution and chargeback cycle with all communicated entities 1 1
System has inbuilt data analytics engine to provide real-time statistics on performance, transactions, security status 1 1
Has customized models for prediction, clustering and classification based on machine learning or statistical techniques. 1 1
The system supports a minimum of how many transactions per minute? 1 1
The system is hosted in High Availability mode / DR and a minimum uptime time of 99.95 % 1 1
Solution is benchmarked for minimum TPS (Transaction Per Second) of 100 and should be highly scalable as per the business demands and forecast. 1 1
System configured to guarantee high resilience and fault tolerance 1 1
Do you have target/benchmark figures for the fail-over times of different system components 1 1
Provide target/benchmark figures for the fault tolerance percentage 1 1
Total score on Transaction & reporting 1
Support, Training and documentation
The vendor/developer has a long term program for continued training and knowledge transfer? 1 1
Quality programs are embedded in the implementation service and support continuous-improvement project approaches. 1 1
Vendor provides programs for system integration partners 1 1
Documentation provided by the vendor 1 1
Vendor has proprietary rights over the solution 1 1
There is an SLA between the vendor and the institution 1 1
Is there in-house support for the solution? 1 1
Does the solution have a warranty? 1 1
Is the warranty period over? 1 1
Is the vendor a local supplier or an international vendor? 1 1
If the vendor is international, do they have a local presence? 1 1
Total score on Support, Training and documentation 1
Overall score on technology capacity 1
Table 16: SBP ICT technology maturity assessment
7.3 Central Bank of Somalia Jubaland Branch maturity assessment
7.3.1 Common ICT Infrastructure maturity assessment
Category; Capability maturity level (Initial, Managed, Defined, Quality Managed, Optimizing); Total Score
General
Plan that describes the overall ICT network across the site 1 1
Number of users in the network 1 1
ICT Infrastructure security audits and benchmarking been done on the site 1 1
Enterprise equipment replacement plan 1 1
How long equipment been in use since commissioning 1 1
Hastily Formed Network (HFN) plan 1 1
Internet access channel(s) available in the site 1 1
Primary source of power in the site 1 1
Rate of recurrence of power outages 1 1
Backup power source to support the primary power source 1 1
Total score on General 1
Servers
Server rooms located on site 1 1
Server room standards 1 1
Servers used 1 1
Server OS used 1 1
Server environments used for deployment 1 1
Total score on Servers 1
Internet Connectivity & WAN
Monthly bandwidth speed 1 1
ISP Bandwidth provision package/internet plan provided to the organization 1 1
Connection Quality 1 1
Critical core business systems accorded dedicated bandwidth 1 1
Bandwidth management systems in place 1 1
Bandwidth management technology used 1 1
Availability of Backup Internet Connectivity (VSAT?) 1 1
Video conferencing 1 1
File transfer protocols used 1 1
Automate file transfer processes between trading partners and exchanges including detection and handling of failed file transfers 1 1
Monitoring of network resources 1 1
IP Address Allocations 1 1
Total score on Internet Connectivity & WAN 1
Network Security
Secure data and file transmission capabilities 1 1
Transfer files over public and private networks using encrypted file transfer protocols 1 1
Secure transmission methods used 1 1
Which repositories do you authenticate users against? (identity management) 1 1
Securely store files using multiple data encryption methods 1 1
Remote access to enterprise applications hosted 1 1
Remote access software tools used 1 1
Virtual Private Network (VPN) 1 1
VPN protocols used 1 1
Intrusion prevention and detection systems 1 1
Firewall 1 1
Password policy 1 1
Secure wireless Network 1 1
Compliance validation 1 1
Remote access policy 1 1
Antivirus Policy 1 1
Acceptable use policy 1 1
Content Security Policy (CSP) 1 1
Data backup methods 1 1
Total score on Network Security 1
Overall score on Common ICT Infrastructure 1
Table 17: CBS Jubaland Common ICT Infrastructure maturity assessment
7.3.2 ICT technology maturity assessment
Category; Capability maturity level (Initial, Managed, Defined, Quality Managed, Optimizing); Total Score
General
Does your organization have a core banking system? 1 1
How was the system acquired and/or developed? 1 1
Which primary bank functional areas does your core banking solution cover? 1 1
Does your organization have an ERP? 1 1
How was the ERP system acquired and/or developed? 1 1
Is the ERP integrated with the core banking system? 1 1
The ERP & Core banking system share a General ledger and Chart of accounts to cover all accounting requirements of the bank 1 1
Which non-core banking operations does the ERP handle? 1 1
What are the hosting arrangements for the core banking system and/or ERP? 1 1
Which database(s) run on the core banking system? 1 1
For each of the following banking & finance functions, please state your system vendors/Solutions (if internally developed, state “Internal”) 1 1
Total score on General 1
Core banking system compliance
Which payment methods are supported by the solution? 1 1
Multi-currency support 1 1
The system is PCI-DSS compliant 1 1
The system is ISO27001 compliant 1 1
The system is built along/compliant to ISO20022 standards 1 1
Total score on Core banking system compliance 1
Core banking system integration
Solution has a ‘componentized’ architecture with a framework where modules can be added, upgraded or removed without the need for a complete solution revamp 1 1
Solution has a Pan-enterprise support system - components to be moved/eliminated without affecting existing support configurations 1 1
Is the core banking solution integrated to any Payment Switch? 1 1
Does the system have any APIs that allow for integration with other systems? 1 1
Solution supports inter-bank domestic debit transfer 1 1
The system integrates with SWIFT 1 1
Total score on Core banking system integration 1
Security
The system supports processing of transactions made by cards in a 3D secure environment 1 1
System uses multi factor authentication e.g. two factor authentication (2FA) 1 1
Access to the system is user and role based 1 1
The system supports secure cryptography hash functions for securing digital passwords and login credentials and user access tokens 1 1
The solution supports automatic generation of multiple RSA Public and Private Key pairs. 1 1
Does the system have fraud prevention, detection and authentication modules, either in-built or as add on modules? 1 1
The system encrypts sensitive data in transmission to/from it and with any interfacing system 1 1
System keeps audit trail of all user activities in the system 1 1
System provides tools for filtering logs for use by Auditors 1 1
Total score on Security 1
Transaction & reporting
System has a dedicated module for full transaction dispute resolution and chargeback cycle with all communicated entities 1 1
System has inbuilt data analytics engine to provide real-time statistics on performance, transactions, security status 1 1
Has customized models for prediction, clustering and classification based on machine learning or statistical techniques. 1 1
The system supports a minimum of how many transactions per minute? 1 1
The system is hosted in High Availability mode / DR and a minimum uptime time of 99.95 % 1 1
Solution is benchmarked for minimum TPS (Transaction Per Second) of 100 and should be highly scalable as per the business demands and forecast. 1 1
System configured to guarantee high resilience and fault tolerance 1 1
Do you have target/benchmark figures for the fail-over times of different system components 1 1
Provide target/benchmark figures for the fault tolerance percentage 1 1
Total score on Transaction & reporting 1
Support, Training and documentation
The vendor/developer has a long term program for continued training and knowledge transfer? 1 1
Quality programs are embedded in the implementation service and support continuous-improvement project approaches. 1 1
Vendor provides programs for system integration partners 1 1
Documentation provided by the vendor 1 1
Vendor has proprietary rights over the solution 1 1
There is an SLA between the vendor and the institution 1 1
Is there in-house support for the solution? 1 1
Does the solution have a warranty? 1 1
Is the warranty period over? 1 1
Is the vendor a local supplier or an international vendor? 1 1
If the vendor is international, do they have a local presence? 1 1
Total score on Support, Training and documentation 1
Overall score on technology capacity 1
Table 18: CBS Jubaland ICT technology maturity assessment
8. Recommendations
Having assessed the key focus areas related to ICT, analysed them by thematic area and identified the
gaps inherent in these areas, the following recommendations, if implemented, will bolster the
participants towards achieving full competence in all technology aspects, i.e. infrastructure,
technology and practice. This would enable the CBS, CBS branches, the CBS Jubbaland branch and the State
Bank of Puntland to participate effectively in an NPS and enhance their ability to act as a regulator in
the financial sector.
8.1 Recommendations on the Common ICT Infrastructure
8.1.1 Short term recommendations
i. Establish proper ICT infrastructure as a backbone to support any automation at the State Bank
of Puntland and the CBS branch in Jubaland. This should include setting up a well-structured and
documented LAN, providing adequate access to the internet, electricity and backup power, and
purchasing computers and peripheral equipment;
ii. The CBS, CBS branches, the CBS Jubbaland branch and the State Bank of Puntland must ensure that
their ICT network infrastructure is well planned. Such plans should be clearly documented
(topology, distribution, nodes, VLANs etc.) and readily accessible for use during
disaster recovery, redesign and/or expansion of the network, and ICT infrastructure
audits;
iii. CBS, the CBS Jubbaland branch and the State Bank of Puntland to ensure that all sensitive files and
information in digital format are stored using data encryption methods to avoid
compromising sensitive information. This is critical as all the institutions allow remote access
to their internal systems and networks;
iv. Develop sound ICT policies covering enterprise equipment replacement plans, passwords and
security, which are enforceable and form part of the organization’s official regulations,
ensuring that all staff members are inducted as part of security awareness and training.
8.1.2 Medium term recommendation
i. The CBS branch in Jubaland and the State Bank of Puntland to digitize all their manual legacy records in
readiness for migration to the automated systems;
ii. CBS to make it common practice to have their ICT networks audited frequently. To this end, they
should put in place enforceable policies compelling them to conduct regular ICT
infrastructure security audits, particularly whenever there are increased incidences of security
breaches. They should not only conduct internal audits but also encourage external independent
audits from internationally recognized firms to ensure they get top rating accreditation based on
security preparedness;
iii. Ensure that all the sites hosting mission-critical systems have all the basic minimums required for
a standard server room or data centre, including but not limited to: access control and safety,
raised floor systems, fire prevention, cooling/AC unit(s), server racks and rack-mount equipment,
and emergency planning (power backup/UPSs);
iv. Develop clear standard operating procedures on server environments to be used pre and post
deployment;
v. CBS to ensure that they implement intrusion prevention and detection systems guided by internal
security policies.
8.1.3 Long term recommendations
i. The CBS to move their DR site to a different geographic location and not in the same premises as
their primary site;
ii. Have policies in place to ensure mission critical systems like core banking system and/or ERPs are
allotted their own dedicated bandwidth;
iii. Have policies to ensure ethical and efficient utilization of bandwidth resources in the organization
including greater utilization of bandwidth management tools;
iv. Develop policies and procedures spelling out IP allocations, addressing, among other things,
address range, number of available addresses and number of users;
v. There should be stringent enforcement of internal and external Network Security Policies (NSP)
to avoid incidences of industrial espionage, theft, or accidental disclosure of intellectual property,
or damage to public image or industry standing. Remote access policies and content security
policies should also be made elements of the NSP.
8.2 Recommendation on ICT technology
8.2.1 Short term recommendations
i. Extend the core banking system implementation to the CBS branch in Jubaland and the State Bank of
Puntland;
ii. Train the personnel at the CBS branch in Jubaland and the State Bank of Puntland on basic IT
skills and utilization of technology;
iii. Auditing and certification of all systems implemented i.e. core banking solution and ERP to ensure
they meet the international best practice and industry standards;
iv. As the core banking system is implemented in the CBS branches, the CBS Jubbaland branch and the
State Bank of Puntland, CBS, the CBS Jubbaland branch and the State Bank of Puntland should put in
place a model for establishing, implementing, operating, monitoring, reviewing, maintaining and
improving the information security management system.
8.2.2 Medium term recommendations
i. As part of capacity injection, CBS, the CBS Jubbaland branch and the State Bank of Puntland should
hire competent staff to aid in managing the network and systems to be implemented in the CBS
Jubbaland branch, the State Bank of Puntland and CBS branches, specifically people skilled in
database administration and systems/network administration;
ii. Have proper scalability plans catering for possible disruptions during upgrades;
iii. CBS to ensure their systems fully support encryption of data in transit and support decryption
using private and public keys;
iv. CBS should make it a practice to measure and set standards in terms of how resilient their systems
are when it comes to processing of transactions;
v. CBS to develop measurable benchmarks for performance and scalability.
8.2.3 Long term recommendations
i. CBS to ensure that all systems have fraud prevention and detection capabilities, including velocity
checks, account blacklisting etc., to minimize and mitigate cases of fraud;
ii. CBS to make it an integral part of their practice to perform frequent transaction tests on their
systems and document benchmark figures as standard practice. The information can be useful
when upgrading, scaling up, performing system audits, or managing bandwidth and server
resources;
iii. CBS should put in place programs to guarantee continued training and knowledge transfer in the
long term to facilitate skills transfer so that they have internal competencies and continuity.