FINAL REPORT SUBMITTED BY In Partnership with RAPID ASSESSMENT OF THE INSTITUTIONAL AND ICT CAPACITY OF SOMALIA’S FINANCIAL INSTITUTIONS: The Central Bank of Somalia (HQ & Jubbaland Branch) and the State Bank of Puntland


Post on 19-Apr-2020



2 | P a g e A L C O R

CONTENTS

LIST OF FIGURES
LIST OF TABLES
1. Executive Summary
1.1 Terms of reference
1.2 Method of Analysis
1.3 Findings
1.3.1 Organizational Gaps
1.3.2 ICT Infrastructure Gaps
1.4 Recommendations
1.4.1 General Organizational Recommendations for CBS and SBP
1.4.2 General Recommendations for Jubaland
1.4.3 General Recommendations on the Common ICT Infrastructure & Technology
1.5 Conclusion
2. Introduction
2.1 Scope
2.2 Objectives
2.3 Approach and Methodology
3. CBS Organizational Assessment
3.1 Overview
3.2 Legal Assessment: Gaps and Opportunities
3.3 Environmental Assessment: Gaps and Opportunities
3.3.1 Communications Function
3.3.2 Supervision Framework
3.3.3 Organization and Methods
3.4 Staffing, Organization Culture and Work Environment
4. State Bank of Puntland
4.1 Scope
4.2 Objectives
4.3 Organizational Capabilities Assessment
4.4 Governance and Policy Framework
4.4.1 Corporate Governance
4.4.2 Legal Framework and Institutional Policies
4.5 Business and Operating Model
4.5.1 Business Model and Strategic Plan
4.5.2 Operations Model
4.5.2.1 Organization and Methods
4.5.2.2 Operating Environment
4.5.3 Technology capacities
4.5.4 Financial Accounting
4.6 SBP Recommendations
4.6.1 Institutional Framework
4.6.2 Operating Capabilities
5. CBS Jubbaland branch Assessment
5.1 Summary of Key Observations
5.2 Recommendations
6. Common ICT Infrastructure & Technology Capacity Assessment
6.1 Thematic area description
6.1.2 Technology Capacity Assessment thematic areas
6.1.2 Common ICT Infrastructure Assessment thematic areas
6.2 Key findings
6.2.1 General
6.2.2 Servers and data centers
6.2.3 Internet connectivity and WAN
6.2.4 Network security
6.3 CBS, CBS branch in Jubaland & State Bank of Puntland’s ICT Technology
6.3.1 General
6.3.2 Core Banking System Compliance
6.3.3 Core Banking System Integration
6.3.4 Security
6.3.5 Transaction & reporting
6.3.6 Support, training and documentation
7. CBS and State Bank’s capability maturity assessment
7.1 Central Bank of Somalia maturity assessment
7.1.1 Common ICT Infrastructure maturity assessment
7.1.2 ICT technology maturity assessment
7.2 State Bank of Puntland maturity assessment
7.2.1 Common ICT Infrastructure maturity assessment
7.2.2 ICT technology maturity assessment
7.3 Central Bank of Somalia Jubaland Branch maturity assessment
7.3.1 Common ICT Infrastructure maturity assessment
7.3.2 ICT technology maturity assessment
8. Recommendations
8.1 Recommendations on the Common ICT Infrastructure
8.1.1 Short term recommendations
8.1.2 Medium term recommendation
8.1.3 Long term recommendations
8.2 Recommendation on ICT technology
8.2.1 Short term recommendations
8.2.2 Medium term recommendations
8.2.3 Long term recommendations

LIST OF FIGURES

Figure 1: General Recommendations on the Common ICT Infrastructure & Technology
Figure 2: Federal Republic of Somalia - Federal States
Figure 3: Approach and Methodology
Figure 4: Legal Enhancement Opportunities
Figure 5: Communications Function Strengthening Opportunities
Figure 6: Organization and Methods Indicators
Figure 7: Summary of institutional wide organizational capabilities required
Figure 8: Technology Capacity Assessment thematic areas
Figure 9: Common ICT Infrastructure Assessment thematic areas
Figure 10: Institutions with ICT network plans
Figure 11: Hardwired broadband internet access
Figure 12: Organizations with Server rooms on site
Figure 13: File transfer protocols used
Figure 14: Automated file transfer
Figure 15: Monitoring network resources
Figure 16: Remote access software tools used
Figure 17: Systems using multi factor authentication
Figure 18: Capability maturity assessment

LIST OF TABLES

Table 1: Analysis of assessment results
Table 2: Deriving statistical data
Table 3: Expected Assessment Respondents
Table 4: CBS Summary of Scoring and Weighting
Table 5: Supervision Framework Enhancement Opportunities
Table 6: Expected Assessment Respondents
Table 7: Transactional data statistic counts
Table 8: Institutional framework recommendations
Table 9: Operating Capabilities Recommendations
Table 10: Hardwired broadband access channels
Table 11: Wireless broadband access channels
Table 12: Remote access software tools
Table 13: CBS Common ICT Infrastructure maturity assessment
Table 14: CBS ICT technology maturity assessment
Table 15: SBP Common ICT Infrastructure maturity assessment
Table 16: SBP ICT technology maturity assessment
Table 17: CBS Jubaland Common ICT Infrastructure maturity assessment
Table 18: CBS Jubaland ICT technology maturity assessment

ACRONYMS

ATS Automatic Transfer Service

AML Anti Money Laundering

CBS Central Bank of Somalia

CFT Combating the Financing of Terrorism

CIP Capacity Injection Program

DR Disaster Recovery

ERP Enterprise Resource Planning

FACTS Financial Accounting Systems

FGS Federal Government of Somalia

FI Financial Institution

FS Financial Sector

FTE Full Time Employees

HRMS Human Resource Management System

H/W Hardware

ICT Information and Communications Technology

IT Information Technology

LAN Local Area Network

MoF Ministry of Finance

MTB Money Transfer Business

NPS National Payment System

NSP Network Security Policy

PIU Program Implementation Unit

PREMIS Public Resource Management in Somalia

PWG Payments Working Group

RCRF Recurrent Cost & Reform Financing

SBP State Bank of Puntland

SCORE Somali Core Economic Institutions and Opportunities

SFMIS Somalia Financial Management Information System

TSA Treasury Single Account

VLAN Virtual LAN

WAN Wide Area Network


1. Executive Summary

1.1 Terms of reference

This report is the result of a rapid assessment of the institutional and Information and Communications Technology (ICT) capacity of the Central Bank of Somalia (CBS HQ and Jubbaland branch) and the State Bank of Puntland, with a view to establishing a modern payment system with support from the World Bank.

1.2 Method of Analysis

The open system methodology, which looks at an organization either as a unit or as a network of organizations, was adopted. In detail, we looked at the targeted institutions as a system consisting of interacting and interdependent elements, whereby the institutions obtain inputs, use the inputs for processing, and eventually produce outputs. The approach was applied through physical visits to target institutions, analysis of assessment questionnaires, formal and informal meetings, and observations.

1.3 Findings

The assessment drew attention to the fact that the CBS HQ, CBS Jubbaland branch and State Bank of Puntland are in the initial stage of capability maturity, i.e. stage 1, which is characterized by individual heroic effort, undocumented processes, low process repeatability, ad hoc events and lack of effective incident management. A summary of key observations and gaps arising from the assessment is provided as follows:

1.3.1 Organizational Gaps

CATEGORY: KEY OBSERVATIONS / GAPS

Legal
• NPS supporting legislation is not in place
• Legal framework is not aligned between the Federal Government of Somalia and federal states
• State Bank legal framework (where applicable)

Environmental
• The communication function is at a rudimentary stage across all institutions
• Supervision framework does not presently cater for NPS
• Regulation and industry guidelines do not cater for NPS
• Financial and non-financial risk frameworks are not in place

Organization and Methods
• NPS Payment functions across institutions are not in place
• Payment department organization, skills, competencies, roles are not defined
• Standard operating procedures are generally not documented
• Limits and levels of authority are not defined

Staffing
• Staffing levels across functions may not be adequate to complement NPS operations (IT, Operations, Finance, Supervision, Research, Audit)

Organization Culture
• Organizational change management planning is not adopted as part of project management practice
• HR policy is not defined

Work Environment
• Employee facilities require improvement

1.3.2 ICT Infrastructure Gaps

CATEGORY: KEY OBSERVATIONS / GAPS

General
• WAN network plans are not defined
• ICT security frameworks are not in place
• ICT policies not established
• Lack of disaster recovery capability

Servers and Data Centers
• Data center / server rooms are poorly equipped and do not meet minimum standards
• There is no staging / pre-production environment
• There is no defined ICT infrastructure in State Bank of Puntland

Internet Connectivity and WAN
• Lack of telecommunication networks, internet and IP address management and utilization policies
• Poor network monitoring

Network Security
• No approved secure and encrypted data and file transmission capabilities
• No approved secured password policies

Capability Maturity
• Institutions are at initial stage (1/5) with CBS Mogadishu being in between initial (1/5) and managed stage (2/5)

1.4 Recommendations

1.4.1 General Organizational Recommendations for CBS and SBP

1.4.2 General Recommendations for Jubaland

i. Immediate - The Somali Core Institutions and Economic Opportunities (SCORE) Programme establishes contact with the Jubaland MoF and Executive with a view to establishing mechanisms to progress work that has been initiated by Public Resource Management in Somalia (PREMIS), an EU funded project that aims to support Federal Member States of Somalia to establish sound financial systems, raise revenues and effectively manage public resources. In so doing, the existing PREMIS roadmap for Jubaland State can be refocused where applicable to align with SCORE’s objectives and priority areas.

ii. Long Term - Recommendations outlined for CBS and State Bank of Puntland could be extended to appropriate areas where applicable in order to cover the State of Jubaland as a second phase. The model should then be replicated for all future States.

In tandem, the following ICT infrastructure recommendations are proposed for the CBS HQ, CBS Jubbaland branch and State Bank of Puntland; see figure 1 below.

[Diagram: Organizational Capabilities Required. Panel text in extracted order:]

Governance and Policies: Board independence; Defined board mandate; Institutional policies
Business Model: Core functions value proposition (what, for who and why)
Operating Model: Develop institutional and Directorate value maps (how the business model will be operationalized)
Research & Statistics: Statistical data & analysis; Board & public reporting; Economic data
Risk & Compliance: Financial & non fin. Risk; Internal audit assurance
Supervision: Enforcement; Industry collaboration; Industry capacity building; Supervision framework
IT Systems Roadmap: Systems needed to enable Directorates; Technology roadmap (IT systems & organization evolution)
Legal Framework: CBS, FI, MTB, Micro Finance laws; NPS & other supporting legislation; Regulatory guidelines
Legend: Improvement Opportunity; Not Developed
Compliance & legal
Organization and Methods: Organization structures; Directorate & role TOR’s; Std operating procedures; COA standardization; HR development; Report & MIS Integrity

1.4.3 General Recommendations on the Common ICT Infrastructure & Technology

Figure 1: General Recommendations on the Common ICT Infrastructure & Technology

1.5 Conclusion

Consolidation of these actions will result in the establishment of a robust institutional environment that can provide and maintain a resilient payment system infrastructure and form the basis for value-adding collaboration with CBS HQ, CBS Jubbaland branch and State Bank of Puntland.

2. Introduction

The Federal Government of Somalia (FGS) through the Ministry of Finance (MoF), with support from the World Bank Somali Core Economic Institutions and Opportunities (SCORE) Program, a World Bank Group (WBG) program supported by a multi-donor trust fund, is implementing a series of activities to support financial and private sector development and strengthen formal provision of financial services in Somalia.

The development objectives of the SCORE Program are to: (i) improve the enabling environment for private and financial sector development; and (ii) catalyze private investment and job creation in key productive and service sectors. For the MoF, the SCORE Program will help deliver governance capacity for financial sector development by strengthening the capacity of the Ministry to coordinate the analysis, formulation, implementation, and monitoring of financial sector policies, strategies and regulations, as well as to oversee FGS’s interventions in the financial sector.

The authorities, with technical assistance from the World Bank, are looking to establish a modern payment system and have initiated a participatory approach to modernizing Somalia’s payment system by establishing a Payment Working Group (PWG) that convenes payment system stakeholders. The PWG aims to propose the laws and/or regulations, procedures and the appropriate ICT infrastructure required to establish a fully electronic, safe and expandable National Payment System (NPS) that is integrated across all bank channels in Somalia.

For the CBS and the PWG, the SCORE Program will help put in place the necessary building blocks (i.e. legal framework, procedures, and ICT infrastructure) required for a fully electronic and integrated NPS that permits banks and other non-bank payment service providers to make transactions over accounts and facilitate settlement finality using funds held at the CBS.

2.1 Scope

The cornerstone of this assignment was to undertake an on-site institutional and capacity assessment of technologies and connected network infrastructure for the CBS, CBS branch office in Jubaland, State Bank of Puntland and the bank and non-bank payment service providers vis-a-vis their preparedness to participate in an NPS. Activities undertaken during the assessment included:

i) An assessment of the technical capacity, efficiency, productivity, job satisfaction and training needs of IT and operational staff at the CBS, CBS branch office in Jubaland, State Bank of Puntland and bank and non-bank payment service providers by identifying institutional and human resource gaps with respect to implementation of an NPS;

ii) Assessment of the ICT infrastructure, core banking systems, mobile payment providers, security and network settings and connected infrastructure between banks and non-bank payment services

The assignment was conducted in two phases that ran concurrently, i.e.

i) Institutional assessment relating to establishment of inter-bank payments, clearing and settlement system, and;

ii) Institutional assessment relating to extending core-banking system to CBS HQ, CBS Jubbaland branch and State Bank of Puntland.

The geographical scope covered physical visits to the Capital City – Mogadishu, Puntland State (Garowe, Qardho, Bosaso) and Jubaland State (Kismayo). The locations are geographically dispersed as represented in the map below:

Figure 2: Federal Republic of Somalia - Federal States

The assessments sought to establish a gap analysis of the existing structures and infrastructure with a view to providing recommendations for improving and modifying the institutional and ICT capacity of key financial institutions in order to establish a fully integrated National Payment System.

Target institutions, referred to as participants hereinafter, and their geographical representation include:

Federal Government

Private Sector Banks

Entity Mogadishu Puntland Jubaland

Central Bank Somalia

• Mogadishu Head Office

• Federal State Branches - Puntland (Garowe), Galmudug (Dhusamareb), South West (Baidoa), Jubaland (Kismayo), Hirshabele (Jowhar)


Mobile Money Entities

Entity Mogadishu Puntland Jubaland

2.2 Objectives

In order to fulfill the mandate in the terms of reference, a rapid assessment of the institutional and ICT capacity of the participants (CBS & Somali Banking Institutions) was undertaken. The rapid assessment included other non-bank payment service providers and examined whether the CBS, CBS branch office in Jubaland State, State Bank of Puntland and the licensed banks and non-bank payment service providers, e.g. Mobile Money Providers operating in Mogadishu and State of Puntland, have the requisite institutional and ICT capacity to participate in an electronic NPS. The assessment was undertaken towards fulfillment of the following objectives:

OBJECTIVE 1: Strengthening the pre-procurement process for the NPS

OBJECTIVE 2: Providing a clear picture on industry preparedness for the NPS and,

OBJECTIVE 3: Ensuring the highest opportunity to achieve success of the envisioned NPS intervention.

2.3 Approach and Methodology

A rapid assessment was undertaken of targeted institutions. The approach applied was based on the open systems methodology, which looks at an organization as a unit, or at a network of organizations, as a system. The approach looked at the targeted institutions as a system consisting of interacting and interdependent elements whereby the institutions obtain inputs, use the inputs for processing and produce outputs.

In the context of the rapid assessment for NPS participants, the open systems model was applied generically across the CBS (and branches), SBP (and branches), Commercial Banks and mobile money service providers.

The institutions were viewed as black boxes, which paved the way for adoption of an investigative approach in determining compliance to core functions, their means of fulfillment, the outputs generated and their strengths and opportunities.

In addition, the open system approach allowed the assessment to be undertaken inside the boundaries of the target institutions by way of definition of key factors and dimensions needed to assess capacity. Scoring was accorded on pre-defined scales whereby resulting scores were used to determine maturity levels, and opportunities that exist for onward work to be undertaken towards preparing target institutions for participation in the anticipated NPS initiative.

The following diagram depicts application of this methodology:

[Diagram panels:]

Enquiry
• Informal meetings
• Review of empirical information
• Perceptive targeted discussions

Visits
• Invitations
• Opening presentations and discussions
• C-Level guided questions
• Functional area interviews
• Facility inspection

Reporting
• Information synthesis
• Data analysis and categorization
• Statistical analysis
• Draft report preparation
• Presentation preparation
• Final report preparation

Figure 3: Approach and Methodology

Analyzed assessment results contained in this report are presented in two (2) forms as shown in table 1 below:

Form: Assessment

Narratives: where qualitative feedback was obtained by way of interviews, observations, interactions and review of institutional information

Statistical: where quantitative data was gathered, analyzed with resultant data generated

Table 1: Analysis of assessment results

Statistical data has been derived using the following methodology:

Methodology

Scoring: Individual interview questions were scored on a scale of 1 (low) to 4 (high), where:
1 equates to 25% weighting
2 equates to 50% weighting
3 equates to 75% weighting
4 equates to 100% weighting

% Weighting: Actual total summation of scoring for interview questions in a given category, divided by the sum of highest scoring expected (using 4 as the determinant) multiplied by the number of interview questions in a given category, expressed in percentage terms

Table 2: Deriving statistical data

Information Technology and Organizational assessment tool kits were developed for use over the

assessment period. Areas assessed have been used to categorize responses from respondents,

observations made during visits and information gathered during extensive interactions held with line

management in each organization.

The following sections present interactions held with targeted institutions based on target organization

availability, target group availability and submission of feedback obtained. It goes further to cover the

assessment objective, key gaps identified and opportunities identified for NPS readiness.

3. CBS Organizational Assessment

3.1 Overview

The executive of the CBS cleared the commencement of the survey across all target locations, signifying their support to have the exercise undertaken. Questionnaires were released to the Director of IT for onward coordination and collection of feedback ahead of onsite interviews that were held by ALCOR on target CBS departments. Consequently, duly filled questionnaires and feedback were submitted, and follow-up discussion and clarification meetings were held primarily with the Director of IT, the nominated CBS technical consultant and the SCORE office focal point, while input covering legislation was obtained from the Supervision department.

Central Bank of Somalia

ASSESSMENT CATEGORY | INDICATORS | COMMENTS
Executive Meeting | | Briefing meeting held with CBS executive to obtain their feedback and buy-in
Questionnaire Submission | | Both organizational and IT questionnaire feedback obtained
Interviews: IT | | Interview held with Director IT, feedback obtained
Interviews: Operations | | Director of IT offered responses
Interviews: Finance | | Director of IT offered responses
Interviews: Supervision | | Discussion held and feedback obtained

Table 3: Expected Assessment Respondents

The CBS assessment looked into areas listed under categories in the table below. These were scored and weighted based on responses received from the assessment questionnaires with a view to identifying opportunities for capacity building and support required to prepare the Bank for the NPS initiative. A summary of findings based on perception is provided in the table below;

Scoring bands: 1 (25%) = < 25%; 2 (50%) = up to 50%; 3 (75%) = up to 75%; 4 (100%) = up to 100%

CATEGORY | % WEIGHTING | TOTAL SCORING
Legal | 43% | 31/72
Environmental | 66% | 21/32
Organization and Methods | 52% | 29/56
Staffing | 55% | 11/20
Organization Culture | 25% | 7/28
Work Environment | 65% | 13/20
Process | 33% | 17/52
OVERALL | | 129/280

Table 4: CBS Summary of Scoring and Weighting

3.2 Legal Assessment: Gaps and Opportunities

Objective
To assess the extent to which legal frameworks have been established to support NPS and supporting legal requirements.

Gap
• Supporting NPS and MTB legislations not in place.
• Inadequate legal framework for NPS
• Legal framework not uniformly adopted between FGS and Federal states

Opportunities Identified

Establish transactional law;
• National Payments
• Negotiable Instruments
• Electronic Payments
• Electronic Evidence

Establish Institutional Laws for;
• State Banks
• MTB
• Micro Finance
• Insurance

Establish FI Supporting law;
• AML / CFT
• Escrow
• Deposit Protection
• Consumer Protection

Benchmark Central Bank and FI laws to regional & “like” countries

Priority 1 Priority 2 Priority 3 Priority 4

Figure 4: Legal Enhancement Opportunities

3.3 Environmental Assessment: Gaps and Opportunities

Objective
To assess the external operating environment and extent to which CBS functions are positioned to support NPS participants covering settlement risk, supervision, industry interactions & communications

Gap
• Communications function is undefined / basic and may be inadequate for NPS PR, Marketing and Communication needs
• No focused consumer education and awareness capability
• Supervision framework does not include NPS;
• Prudential / industry guidelines not developed and do not include (ATS/SWITCH/MTB)
• Settlement risk mitigating controls not established

3.3.1 Communications Function

STAGE 1 - Undefined
NO STRUCTURED INDUSTRY INTERACTIONS
- No defined strategy
- Low leadership awareness
- No established processes
- IT controls media

STAGE 2 - Progressive
STRUCTURED INDUSTRY AND CONSUMER FOCUS
- Strategy developed
- Event based communication
- Executive sponsorship
- General email communication
- Manual contacts database

STAGE 3 - Mature
INTERACTIONS AND FOCUS MEASURED FOR EFFECTIVENESS
- Strategy implemented
- Benefits realization
- Elevated executive interest
- Professional targeted communication
- Electronic based contact
- Media house and influencers

Immediate Need

Figure 5: Communications Function Strengthening Opportunities

3.3.2 Supervision Framework

The payment system is the infrastructure (comprised of institutions, instruments, rules, procedures, standards, and technical means) established to effect the transfer of monetary value between parties discharging mutual obligations. Technical efficiency of the payments system determines the efficiency with which transaction money is used in the economy and the risks associated with its use. An efficient payment system reduces the cost of exchanging goods and services, and is indispensable to the functioning of interbank operations including settlement capabilities required for National Switch interoperability. A weak payment system will severely impact the stability and developmental capacity of the Somalia financial sector and overall economic activity; its failures can result in inefficient use of financial resources, inequitable risk-sharing among agents, actual losses for participants, and loss of confidence in the financial system.

The oversight function needs to be developed and strengthened with a view to ensuring the financial and technical integrity of the payment system, its robustness against shocks, and its overall efficiency through rules and standards, monitoring and enforcement.

The CBS will be required to establish guidelines on payment system operations as these raise systemic risks. In this regard, the CBS Supervision function should be enriched to include complementary responsibilities provided in the table below;

Role of CBS
• Develop rules and guidelines
• Assess and enforce compliance
• Promotes industry collaboration
• Ensure system functioning
• Promote NPS evolution

Operational Objectives
• Development of efficient, reliable, safe, & stable payment systems
• Consumer protection and confidentiality
• Expansion and integration of payment services
• Prevention of violations, breaches and criminal abuse

Intermediate Objectives
• Fair and competitive market environment
• Cooperation convener
• Sound legal and regulatory foundation

Instruments
• Rules & incentives
• Policy dialogue
• Surveillance
• Data mining
• Governance
• Participation

Targets
• Participant access
• Risk control
• Info. transparency
• Pricing
• System viability
• System evolution
• Settlement risk

Scope of Action
• Commercial Banks
• Mobile money providers
• Service providers
• Instruments and services
• Technical Infrastructure

Types of Action
• Cash margin
• Escrow accounts
• Inspections
• Crisis management
• Consumer protection
• R&D
• Technical resources

Table 5: Supervision Framework Enhancement Opportunities

3.3.3 Organization and Methods

Observation
To assess the internal operating environment, payments strategic focus, institutional, functional arrangements and role clarity

Gap
• Payments function not in place
• Selection criteria for required incumbents not defined
• Role based functions in areas of IT, Finance and Operations not fully adopted
• Delegated limits and levels of authority not defined
• Comprehensive standard operating procedures not documented

Organization and Methods Current Indicators

Figure 6: Organization and Methods Indicators

Organization and methods capabilities represent key competencies that CBS needs to develop in

readiness for its upcoming NPS accountability. Addressing these basic organizational needs will allow CBS

organizational resources i.e. human, physical environment, supporting tools and structural resources to

be correctly engaged in achieving required operational objectives.

It is imperative that in the course of implementation, the vendor and CBS establish operational

requirements so as to identify supporting process activities that need to be addressed such as

establishment and management of interbank accounts, settlement mechanisms, financial risk

management, user access controls, reporting standardization, and application of penalties among others.

3.4 Staffing, Organization Culture and Work Environment

Objective
To assess staffing levels and expertise so as to guide NPS training and development needs (soft skills, functional and technical)

Gaps
• Adoption of training development and study tour plans for Operations, Finance and IT
• Evaluation to establish needs for communications, change management, supervision and research

Objective
To assess the organization culture and level of employee engagement towards establishing complexity of change management interventions required

Gaps
• Responses not obtained to questions under this category.
• Stakeholder identification, planning and management will be required towards preparing the CBS environment for change
• It was not apparent whether a formal HR policy that sets out compensation for extended work hours among broader employee relations exists

Objective
To assess the physical staff work environment and determine influences identified factors have on organizational culture and staff motivation

Gaps
• There is an opportunity to improve the quality of common staff facilities used by majority of staff e.g. providing improved catering area, adequate hygienic ablution facilities

The assessment undertaken in this category sought to establish the levels of employee engagement,

employee attitude towards work and work environment ergonomics towards informing the change

management intervention approach required to support the NPS project.

Inability to hold one-on-one interviews with Directors of Operations and Finance may have resulted in

collection of perceptive responses in some categories of the institutional toolkit. It is noted that the scope

of implementation affects these departments as well as Communication, Research and Audit and it is

recommended that an organizational change management intervention be established to identify,

manage and support stakeholders within and outside the CBS.

Priority is called for in this area noting that the extent of NPS implementation support, and post

implementation operational stability is hinged on stakeholders collectively understanding the scope of

change, its impact on routine operations and actions required to drive a hearts and minds initiative across

all CBS staff levels, direct and indirect NPS participants.

In the case of CBS, the institution will be accountable for ensuring soundness of the day to day NPS

operations thereby servicing the needs of participants and the public in line with industry and

international best practice. Extended working hour arrangements to cater for exceptional incidents

where clearing and settlement mechanisms are delayed due to uncontrollable system or work

environment accessibility factors need to be considered.

3.5 CBS Recommendations

The following diagram summarizes capabilities that need to be initiated or uniformly adopted and those

that are work in progress and need to be carried through to implementation so as to strengthen CBS

organizational capabilities. It is worth mentioning that the model should be considered as the benchmark

for CBS Jubbaland branch and State Bank of Puntland as well so as to establish alignment between Federal

and State level CBS branches and SBP operating frameworks.

Figure 7: Summary of institutional wide organizational capabilities required

Organizational Capabilities Required

Index
• Short term priorities
• Medium term priorities
• Long term priorities

Legend:
• Improvement Opportunity
• Not Developed

Governance and Policies
• Board independence
• Defined board mandate
• Institutional policies

Business Model
• Core functions value proposition (what, for who and why)

Operating Model
• Develop institutional and Directorate value maps (how the business model will be operationalized)

Research & Statistics
• Statistical data & analysis
• Board & public reporting
• Economic data

Risk & Compliance
• Financial & non fin. Risk
• Internal audit assurance

Supervision
• Enforcement
• Industry collaboration
• Industry capacity building
• Supervision framework

IT Systems Roadmap
• Systems needed to enable Directorates
• Technology roadmap (IT systems & organization evolution)

Legal Framework
• CBS, FI, MTB, Micro Finance laws
• NPS & other supporting legislation
• Regulatory guidelines

Compliance & legal

Organization and Methods
• Organization structures
• Directorate & role TOR’s
• Std operating procedures
• COA standardization
• HR development
• Report & MIS Integrity

4. State Bank of Puntland

4.1 Scope

Emphasis in this section is given to the State Bank of Puntland (SBP) which will be a potential indirect NPS

participant and is a target for extension of the CBS core banking and financial accounting (FACTS) system

capabilities. Challenges relating to Jubaland will also be discussed. The geographical scope covered

included physical visits to locations in Puntland State (Garowe, Qardho, Bosaso) and Jubaland State

(Kismayo).

4.2 Objectives

The SBP assessment looked into areas listed in the table below. These were scored and weighted based

on responses received from the assessment questionnaires as well as additional feedback and clarification

gathered during onsite meetings. The objectives of this exercise aimed at preparing the Bank to receive

the Core Banking and Financial Accounting (FACTS) extension initiative are provided as follows;

4.3 Organizational Capabilities Assessment

The Governor of the SBP hosted a very cordial, welcoming and participatory opening session where he

provided comprehensive responses to a set of guided questions in addition to volunteering additional

substantive background information, challenges encountered, matters of SBP governance, the SBP

operations, aspirations among others. The opening session concluded with the Governor taking the

consultants through a face to face introductory tour of all work areas and SBP staff.

Upon visiting all directorates and SBP branches in Qardho and Bosaso, a closing workshop was held with

all directorates in Garowe convened by the SBP Director General where a summary field report was

presented.

State Bank of Puntland

ASSESSMENT CATEGORY | INDICATOR | COMMENTS
Executive Meeting | | Constructive and informative session held
Questionnaire Submission | | Both organizational and IT questionnaire feedback obtained
Interviews: IT | | Interview held followed by post branch visit meeting
Interviews: Operations | | Interview held followed by post branch visit meeting
Interviews: Finance | | Interview held followed by post branch visit meeting
Interviews: Human Resource | | Interview held followed by post branch visit meeting
Interviews: Policy & Planning | | Interview held followed by post branch visit meeting
Interviews: Administration | | Interview held followed by post branch visit meeting

Table 6: Expected Assessment Respondents

4.4 Governance and Policy Framework

4.4.1 Corporate Governance

Article 111 of the Puntland Constitution outlines the structure of the SBP board as follows;

One director from each of the following - Ministry of Commerce and Industry; Ministry of Finance; 3 from Chamber of Commerce; 1 from SBP – Director General to act as secretary to the board, Governor of SBP who is to also act as Chairman to the Board.

The Governor has written to the above institutions to nominate their representatives as soon as possible so that a formal board of directors can undertake the oversight role required under good corporate governance practice.

Gap

The Board is currently not constituted

4.4.2 Legal Framework and Institutional Policies

The Bank is anchored in the Puntland State constitution but is lacking a modern representative State Bank

Law that aligns with considerations given in the Federal Government constitution. Consequently, SBP is

an independent entity formulated under the Federal State Government of Puntland and derives its

mandate from legacy law which does not conform to the FGS Central Bank or Financial Institution Laws.

The Governor is a Presidential appointee and is not accountable to the FGS. The independence is

reinforced by the absence of legislated federal arrangements, supporting law and lack of inter-

governmental or inter-institutional memorandums of understanding.

The absence of required legislation and federal working arrangements complicates understanding of

the SBP mandate and its ability to develop sound policies. In this regard, the lack of clarity on its mandate

and policies presents challenges in SBP’s ability to develop role based TOR’s at an executive level that

align with required legal and policy frameworks.

Having said this, it is noted that there are ongoing consultations and dialogue between CBS and SBP.

Gap

Legal framework not adequate

Legal framework not aligned with FGS

SBP mandate not clear

No established institutional policies

4.5 Business and Operating Model

4.5.1 Business Model and Strategic Plan

SBP has not established a strategic plan aligned to its mandate. The mandate needs to be clarified through

a modern representative State Bank Law that outlines SBP core functions, role and accountabilities.

Establishment of such law will give way to development of a focused strategic plan and development of a

roadmap to guide adoption of interventions that will better articulate the SBP business and overall

operating model aimed at transforming the Bank’s mode of engagement relative to CBS and Financial

sector participants.

Gap

Strategic plan and business model not established

4.5.2 Operations Model

4.5.2.1 Organization and Methods

The WB funded Capacity Injection Program (CIP) undertook a State wide Human Resources (HR)

assessment of all Ministries, Government Departments and Agencies in 2014 that resulted in

recommendations to hire employees for government agencies to fill 6 common roles. For SBP, 6

employees were hired to fill the following roles:

o IT

o Finance

o Planning

o HR

o Supervision

o Procurement

Subsequently, there have been no further interventions to build institutional capacity and invest in the

training and development of the CIP and existing SBP staff.

Whilst an organizational structure formulated under the CIP initiative exists, there are misaligned / misplaced roles and responsibilities; specifically, they do not align with core functions of State Bank of Puntland counterparts in other Federal systems of Government e.g. Ethiopia, Nigeria, South Africa, Pakistan etc. Arising from the lack of mandate clarity and organogram misalignment among others, roles defined in the organogram do not complement each other effectively towards establishing a working organizational value chain. As a result, incumbents are not clear on what their job roles entail and, secondly, they have not been equipped with the knowledge and skills required to fulfill their modern day roles and responsibilities.

In the absence of role based clarity, standard operating procedures cannot be developed. However, it was noted that the staff understand the flow of routine work, they demonstrated the ability to follow this process through on a day to day basis, and can induct new staff by way of verbal knowledge transfer and desk based coaching.

Gap

Operating model not defined

Organization structure not adequate

Departmental and role based TOR’s not established

4.5.2.2 Operating Environment

Currently, there isn’t a defined operating model. Further, customer segments, alternative channels, credit

management and supporting banking functions have not been established. For purposes of SBP, the

operations model designed for CBS can be enriched to incorporate retail operations and institutional

support functions.

The Bank has six (6) fully operational branches that are geographically dispersed as provided in the map

under diagram 1. The State of Puntland enjoys relative peace and security compared to Mogadishu and

shoulders two (2) sea lines i.e. The Gulf of Aden and The Indian Ocean.

All banking operations are manually managed under maker, checker, and approver process controls which

are applied for all operating processes that were reviewed during the visit. There are clear segregations

of roles and responsibilities along the transaction and financial accounting lines. All transactions and

booking records are held manually and recorded in the following primary and secondary cards;

Manual ledger and booking cards are updated on fixed schedules as follows:

o Daily - Customer ledger and cash book

o Day 10 - Control ledger

o Day 30 - Consolidated ledger and trial balance

The above ledger process is adopted across all branches

HRMS data is held centrally in an MS_ACCESS database

The Bank runs a Retail Operation in addition to fulfilling its primary duty of Government revenue

collection. All inland and local authority revenues, taxes, fees are collected and banked into the Treasury

Single Account (TSA) held at the SBP. Due to the lack of automated processes, Amal Bank is an appointed

collector of government revenue and fulfils this function under disclosure to the Accountant General.

There is no established mechanism by which balances held at Amal Bank are updated into the SBP TSA

position. This is attributed to SBP operating in a manual processing environment relative to Amal Bank

which operates off a fully automated environment. Similarly, the Accountant General obtains electronic

account information faster from Amal Bank compared to SBP which needs to generate manual account

statements.

It follows that cash management operations of the Ministry of Finance driven by activity in the TSA are

fragmented between SBP and Amal Bank and require the Accountant General to prepare consolidated

positions.

The bank has not yet established support functions such as Banking Operations and payments, IT

organization, Credit Management, Risk Management, Marketing and Communication, Internal Audit,

Customer Service among others. Due to the nature of its non-regulatory role, SBP has on-boarded business

entity and consumer accounts by default at its Bosaso sea port city branches. This has eased delays for

the business and consumer entities who seek to make payment for government taxes, fees and levies.

Traditionally as is the case for non-account holders, monies would need to be withdrawn from other Banks

or money transfer entities and be physically deposited into the TSA account at Amal Bank or SBP.

Being a Sea Port City, Bosaso is the busiest branch out of the six (6) SBP operational branches. The branch

has an agency located in the port cash registry that is shared with the Ministry of Finance. Collocation of

SBP and the MOF revenue department has realized the establishment of a seamless manual work flow

between both entities servicing sea port customers. The agency operates two (2) daily work shifts to

support extended port operating hours.

Transactional data statistic counts are provided in the table below except Qardho branch for which data

was not submitted;

Categories: CASH DEPOSIT, MOF Transactions, CASH WITHDRAWAL, IBT

Transaction Type | Rv | F35 | 8/C | Slip | PV | B/dro | 14/c | Chq | 18/dir | TL | Avg Daily
Bosasso | 5,423 | 278 | 307 | 677 | 169 | 60 | 150 | 14 | 90 | 7,168 | 299
Garowe | | | 871 | 1,406 | | 86 | 428 | 957 | 0 | 3,748 | 156
Galkaiyo | 2,334 | 130 | 164 | 59 | 24 | 32 | 27 | 40 | 0 | 2,810 | 117
Totals | 7,757 | 408 | 1,342 | 2,142 | 193 | 178 | 605 | 1,011 | 90 | 13,726 | 572

Table 7: Transactional data statistic counts

Gap

Lack of automated business processes

Lack of financial accounting and reporting automation

IT and banking operations organizations not established

IT infrastructure design and implementation not in place

4.5.3 Technology capacities

A substantive IT resource was recruited under the CIP program; however, a formal department has not been established. This is attributed to minimal use of banking software necessitating the establishment of IT demand management and enablement on the supply side.

The bank has a couple of computer desktops in place; however, these are not interlinked through a WAN and therefore operate on a standalone basis. There is no established IT infrastructure comprising the WAN, hardware, software, telecommunications, security installations or a computer room. The IT assessment section of this report covers these findings in detail and provides recommendations.

The environment presents a positive green-field environment to implement a well laid out IT environment

designed to service the needs of all the 6 active branches in a phased manner.

4.5.4 Financial Accounting

The Directorate receives day-10 control ledgers after every 10 business days; this is followed by

submission of day-30 general ledger cards and accompanying trial balance. Submissions are made by each

of the six (6) branches upon which the Garowe Director of Finance and Accounting facilitates consolidation

of the financial data thereby generating monthly financial statements through the use of MS Excel. There

is no form of accounting software in use to provide electronic business continuity or data recording and

retention in conformance to in-built financial controls and standards.

The opportunity exists to deploy the ERP application suite to service financial accounting and HR

automation needs.

4.6 SBP Recommendations

4.6.1 Institutional Framework

Legislation & Policy Framework

(Long term)

• Legal framework gapping and formulation

• Legal framework alignment with FGS

• Review and finalize draft State Bank law

• Draft supporting institutional policies

• Develop SBP prudential guidelines for Financial sector group with alignment to CBS

Governance

(Medium Term)

• State Bank benchmarking study tours for key staff

• Board formalization and implementation

• Develop a board mandate policy paper

• Adoption of Corporate Governance best practice principles

• Establish an MOU with Mogadishu on role of state bank relative to the role of CBS

Organization Design

(Medium Term)

• Design the Business and Operations model

• Develop a strategic plan

• Re-fit top level organogram based on benchmarking study findings

• Establish medium term organograms

• Development of departmental and role based TOR’s

• Develop the IT roadmap

Table 8: Institutional framework recommendations

4.6.2 Operating Capabilities

IT Enablement

(Short Term)

• Document the envisaged IT topology

• Define requirements for SBP FACTS capabilities

• Identification and procurement of required services

• Implement infrastructure - H/W, security, telecommunications

• Implement FACTS

Human Capital

(Short Term)

• Develop role based JD's / TOR's

• Match existing FTE to proposed organogram

• Gapping and procure CIP for critical posts

• Develop induction, training and development plans

Fulfillment

(Short Term)

• Define chart of accounts & reporting requirements

• Document standard operating procedures

• Analyze and workshop "as-is" and "to-be" processes

• Organizational and people change management

Table 9: Operating Capabilities Recommendations

5. CBS Jubbaland Branch Assessment

It was established that the CBS Jubaland branch, while established, is not as yet fully operational;

consequently, the Ministry of Finance TSA account is operated at Salaam Bank. The State is in its early

formative stages and in need of significant institutional capacity building support to implement the various

facets of organizational capabilities.

5.1 Summary of Key Observations

The financial sector is dominated by Hawalas and Commercial Banks

Jubaland Ministry of Finance currently uses a CBS branch in Kismayo it refurbished as its inland

revenue collection point

Seaport and airport revenues are managed separately by officers appointed by the President

Jubaland is facing a myriad of challenges in undertaking financial sector reforms including

budgetary constraints as well as lack of technical capacity

There is lack of legal framework and memorandum of understanding to guide the establishment

of a State Bank or modus operandi for a CBS branch within Jubaland

State of Jubaland has partnered with PREMIS which is a project funded by EU, to provide capacity

building and other technical support for the Ministry of Finance of Jubaland.

MoF have installed Financial Management Information System (FMIS) (no correlation to Somalia

FMIS and has much lower capability) for management of government revenues.

MoF is planning to undertake an assessment for the establishment of a State Bank and is in

discussion with PREMIS, however not much progress has been made due to funding constraints

The World Bank currently pays salaries for a number of MoF staff, as well as other civil servants

through an established program under Recurrent Cost of Reform Financing (RCRF).

5.2 Recommendations

Immediate - SCORE Program Implementation Unit (PIU) establishes contact with the Jubaland MOF

with a view to establishing mechanisms to progress work that has been initiated by PREMIS. In so doing,

the existing PREMIS roadmap can be refocused to align with SCORE objectives and priority areas.

6. Common ICT Infrastructure & Technology Capacity Assessment

This section of the report sums up the activities undertaken and findings of the on-site institutional and

capacity assessment of technologies and connected network infrastructure for the participants. The

assessment entailed on-site visits, focus group discussions and in-depth interviews and questions about

their common ICT infrastructure and core banking technologies, innovations around their technology

solutions, and any challenges that abound and their overall preparedness in terms of a firmed up

technology and infrastructure setting that would allow them to effectively participate as a regulator in an

integrated National Payment System.

The assessment attempted to get an understanding of the core ICT competencies of the CBS, the State

Bank of Puntland and the CBS branch office in Jubaland, looking at IT developments and implementations at

the infrastructure and technology level.

It examined the technology at the participants’ branches as seen through the eyes of the banks’ IT leadership

and based on evidence adduced during on-site visits and through literature, peer and customer reviews

in comparison to globally accepted industry standards, providing a framework through which we could

gauge the banks’ capability maturity.

In order to effectively structure the assessment, the exercise targeted two key focus areas namely; ICT

Technology Capacity and Common ICT Infrastructure Capacity. Each focus area was further divided into

key thematic areas aimed at gauging competencies in respect to various IT sectors.

The technology capacity assessment covered the following six thematic areas:

General

Core Banking System Compliance

Core Banking System Integration

Security

Transaction & reporting

Support, Training and documentation

The common ICT infrastructure capacity assessment covered the following four thematic areas:

General

Servers

Internet Connectivity & WAN

Network Security

This assessment examined how well equipped and prepared the Somali financial regulatory institutions, i.e. the CBS, CBS branches, the CBS Jubbaland branch and the State Bank of Puntland, are to face new trends, developments and challenges in anticipation of the implementation of the integrated National Payment System.

6.1 Thematic area description

In order to gauge capability maturity, we attempted to link trends in business, technology and consumer satisfaction and behavior to the technology implementations, IT strategies, innovations and any other strategies that the CBS, the CBS Jubbaland branch and the State Bank of Puntland have put in place to deal with the future, including investments in new IT systems and infrastructure platforms. The key thematic areas attempted to answer questions like: Did they have a well-defined plan for their overall ICT network across their sites? Did they have an enterprise equipment replacement plan? Do they have DR sites? Which database(s) run on the core banking system? Which primary bank functional areas does your core banking solution cover? Etc.

Descriptions of the key thematic areas in each of the focus areas, i.e. the ICT capacity assessment and the common ICT infrastructure assessment, are provided in Figures 8 and 9 below.

6.1.2 Technology Capacity Assessment thematic areas

Figure 8: Technology Capacity Assessment thematic areas

6.1.2 Common ICT Infrastructure Assessment thematic areas

Figure 9: Common ICT Infrastructure Assessment thematic areas

6.2 Key findings

The assessment of ICT infrastructure and technology covered two (2) broad focus areas, namely common ICT infrastructure and technology capacity. The data that was collected helped to quantify and gauge the competence and preparedness of the institutions with regard to the resilience and robustness of their core ICT infrastructure and the strength of their software implementations in terms of security, scalability, integration, and support.

We particularly covered several aspects of hardware and support technology infrastructure including but

not limited to ICT equipment, servers, LAN & WAN, internet, firewalls, and policies. Our survey

instruments and toolkits helped us to identify gaps and weaknesses inherent in the organizations and

aided in pinpointing any opportunities for improvement and how ICT applications can be infused to

enhance quality and efficiency. This section provides an analysis on ICT capacity for financial institutions

and identifies gaps in each of the focus areas.

6.2.1 General

Looking at the overall ICT infrastructure setting and gauging the general ICT network setting and high level

planning, equipment, support and backup options available, the assessment found that technology gaps

on the general setting of the financial institutions’ common ICT infrastructure can be explained by:

Organizations lack enterprise-wide network plans that describe the overall ICT network across the site (Topology, Distribution, Nodes, VLANs).

Lack of continuous, mandatory, external, independent ICT infrastructure security audits and benchmarking

Lack of stringent policies governing end-of-life management for networking & ICT equipment, as enterprise equipment replacement plans exist in principle but are not documented and are not enforceable and/or enforced.

Lack of DR site for backup and failover when the primary sites are down

Lack of proper infrastructure to support internet access

Frequent occurrence of power outages and lack of adequate power backup sources

Lack of network connectivity and ICT equipment on site

Figure 10: Institutions with ICT network plans

67% of the Somali financial regulatory institutions do not have any plan describing the overall ICT network on their sites. Save for the CBS, which has a basic high-level description of its ICT network plan, the CBS Jubbaland branch, the State Bank of Puntland and the CBS branches all lack such plans, meaning the networks have no proper design and have been implemented in a haphazard manner.

The same numbers apply to benchmark ICT security audits: the CBS Jubbaland branch, the State Bank of Puntland and the CBS branches (67% of the institutions) have not had any done on their sites. Any audits done at the CBS were carried out by independent individual consultants and not by recognized ICT security audit firms, and as such the CBS does not have any certifications for the ICT security audits done. There is also a lack of policies governing how frequently such audits need to be undertaken.

All the institutions surveyed also lacked enterprise equipment replacement plans governing end-of-life management for networking & ICT equipment. This means that there are no mechanisms for tracking depreciation of equipment in use within their networks, gauging the number of years equipment has been in use against its useful life, and decommissioning and replacing old equipment.

The CBS branch in Jubaland does not have any proper local area network configured while the State bank

of Puntland has a rudimentary network without a specifically configured or documented topology. The

remote sites in the branch and state bank do not have power backups to support the primary power

sources despite the fact that more than half (50%) experience frequent power outages.

The institutions use both wireless and hardwired internet access channels. The most popularly used

hardwired internet access channel is cabled internet access (40%), with ISDN, leased lines and digital

subscriber lines having an equal share at 20%.

Figure 11: Hardwired broadband internet access

| Hardwired broadband access | % |
|---|---|
| Cable Internet access | 40% |
| ISDN | 20% |
| Leased lines | 20% |
| Digital subscriber line | 20% |
| Power-line Internet | 0% |
| Dial-up access | 0% |
| Multilink dial-up | 0% |
| ATM and Frame Relay | 0% |
| OC3 - Optical Carrier | 0% |
| Fibre Optic | 0% |

Table 10: Hardwired broadband access channels

For wireless broadband internet access,

WiMAX and Wireless ISP remain the most

popular access channels used with each

having an equal share at 50%.

| Wireless broadband access | % |
|---|---|
| WiMAX | 50% |
| Wireless ISP | 50% |
| Satellite broadband | 0% |
| Mobile Broadband | 0% |
| LMDS | 0% |

Table 11: Wireless broadband access channels

6.2.2 Servers and data centers

The assessment sought to establish the institutions’ capacity to host systems, whether the hosting environments met the required standards, the versions of operating systems used and the deployment environments available.

Figure 12: Organizations with Server rooms on site

The assessment found that 67% of the

institutions did not have server rooms on site

with only the CBS in Mogadishu having a fully

equipped server room.

The institution that has a server room still does

not meet all requisite standards, with lack of

proper access control and safety, raised floor

systems, and fire prevention.

Windows and Linux are the most widely used operating systems at 50% each, with HP being the only server model used.

In terms of the server environment used for deployment, all the organizations use only production/live servers and don’t have any staging/pre-production servers.

Save for the CBS, none of the branches, the CBS Jubbaland branch or the State Bank of Puntland has a DR site, and all their data and information reside solely in their primary sites, if any. The CBS is still prone to complete shutdown in case of failure of the primary site, as the DR is located in the same premises as the primary site.

6.2.3 Internet connectivity and WAN

The assessment looked at the broad aspects of internet connectivity and policies and measures around

utilization of internet resources in the organization, gauging aspects of connectivity strengths, bandwidth

management, internet backup, monitoring of network resources, IP allocations and file and data transfer.

From the analysis of the findings, gaps on internet connectivity and WAN can be explained by:

Poor internet access or lack of access to the internet

Lack of or poor understanding of internet package/plan provided to the organization

Organizations not having policies to ensure that mission critical systems like core banking applications and enterprise resource planning systems are accorded dedicated bandwidth to ensure uptime and prevent unexpected interruptions from non-essential systems utilizing network resources

Lack of bandwidth management policies and technologies to track utilization of and/or management of internet resources and reducing incidences of misuse

Institutions lacking reliable backup internet in case of downtime or failure from ISP

Lack of policies and procedures governing IP address allocations

Institutions that have internet access receive monthly bandwidth speeds of 6-10 Mbps (50%) and 16-20 Mbps (50%), with the majority of the packages provided being shared internet access.

The assessment also showed that the institutions had fairly good access to the internet, with most stating that internet connection quality was good to excellent; the CBS Jubbaland branch had no proper access to internet resources.

A sizable majority of the institutions (67%) still don’t accord mission critical systems dedicated bandwidth, leaving bandwidth resources open to all systems in the network. None of the institutions have any bandwidth management systems in place or utilize any bandwidth management technology.

Figure 13: File transfer protocols used

The most popular file transfer protocols used are FTP, HTTP and HTTP each at 29% and TFTP coming last

at 14%.

Figure 14: Automated file transfer

Only 33% of the institutions automate the transfer of files between their institutions and trading partners and automate the detection of failed file transfers.

Figure 15: Monitoring network resources

Many institutions (67%) also don’t monitor their network resources. Among those institutions that do monitor their network resources (33%), the most monitored resource is bandwidth (50%), while the other resources monitored include the SNMP agent (50%).

6.2.4 Network security

We assessed the organizations’ network security capabilities, looking at various aspects relating to security including but not limited to secure file transmission, data encryption, remote access, password and acceptable use policies, firewalls, and data backup methods. Based on the analysis of the findings, gaps on internet connectivity and WAN can be explained by:

Storage of files without secure encryption methods and lack of intrusion prevention and detection systems

Lack of policies clearly defining remote access prerequisites, content security and enterprise-wide network security policies, characterized by lack of enforcement of the same

The assessment revealed that none of the institutions have secure data and file transmission capabilities or utilize encrypted file transfer protocols when moving files over private and public networks.

Wired Equivalent Privacy (WEP) is the only secure transmission method used, with Active Directory being the only repository used for user authentication.

Figure 16: Remote access software tools used

Many institutions (67%) allow remote access to hosted enterprise applications, with Microsoft Remote Desktop (40%) and TeamViewer (40%) being the most used remote access software tools and other software tools (VPN) having 20% utilization.

| Remote access software tools | % |
|---|---|
| TeamViewer | 40% |
| Microsoft Remote Desktop (RDC)/Apple Remote Desktop | 40% |
| Other | 20% |
| Splashtop | 0% |
| Chrome Remote Desktop | 0% |
| VNC | 0% |

Table 12: Remote access software tools

For organizations that use VPN, the most popular method used is remote access with the IPSec protocol, but none of the institutions have intrusion prevention and detection systems.

The assessment revealed that some institutions (33%) did not have firewalls or password policies or secure

password policies. SSID is the most popular method used to secure wireless networks followed by

Enterprise WPA2.

The institutions fell short of policy and compliance alignment with all the institutions lacking compliance

validation for all devices accessing their networks, remote access policy, antivirus policy, acceptable use

policy and content security policy.

6.3 CBS, CBS branch in Jubaland & State Bank of Puntland’s ICT Technology

The ICT technology assessment of the participants covered several aspects of core banking software technology including but not limited to software compliance issues, integration, system security, transactions and reporting, and training and documentation. As was the case with common ICT infrastructure, the assessment on ICT technology was done by addressing key thematic areas, with gaps identified in each of these thematic aspects.

6.3.1 General

Looking at the overall ICT technology at a high level and gauging the general technology ecosystem within

the institutions covering databases, deployment options, and functionality, the assessment found that

gaps on the general setting of the financial institutions’ ICT technology can be explained by:

Lack of auditing and certification of software technologies implemented in the institutions

Lack of any technology to support core banking services

No standards for documentation, coding, scaling, integration, decommissioning and security, especially for software developed in-house

Figure 17: Core banking systems implementation

The assessment revealed that all the CBS

branches and State Bank of Puntland did not have

any core banking systems implemented and all

core banking processes were handled using

manual forms and systems.

Only the CBS in Mogadishu had a solution implemented using TEMENOS T24, handling mostly payment and origination, and an ERP implemented using Oracle, handling largely HR processes, financial management and accounting. The State Bank of Puntland had an HR management information system developed using an Access database, which was used to handle all HR information for the Puntland state bank at headquarters and in the branches in Quardo and Bosasso.

Oracle and MS Access are the most commonly used databases at 50% each, with all the mission critical systems hosted on dedicated servers.

6.3.2 Core Banking System Compliance

The assessment looked at the various compliance issues around core banking applications including

payment methods and requisite certifications required for financial systems. There were no major gaps

identified in relation to banking systems standards and compliance as the core banking system

implemented at the CBS is PCI-DSS compliant and is also accredited and meets the ISO27001 standards.

With the pending rollout of the core banking system to other CBS branches and implementation of the same in the CBS Jubbaland branch and the State Bank of Puntland, it would be imperative that these standards are maintained and complied with by all the institutions throughout the implementations, ensuring that there is a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.

6.3.3 Core Banking System Integration

The assessment of core banking system integration aimed at looking at how easily core banking systems

can be scaled up in terms of adding functionality to existing components and modules, and/or adding new

components and modules without adversely affecting the existing support operations of the system. The

assessment also looked at how open the systems are for integration with other systems.

The solution implemented at the CBS was built with an open architecture that allowed for integration and

exchange of data with other systems and had modules to support inter-bank domestic debit transfers and

integration with SWIFT. The solution however lacked a pan-enterprise support system which can lead to

challenges when building extensions on the core solutions for integration of the systems to NPS.

6.3.4 Security

The assessment looked at various aspects of systems security, broadly addressing the areas of authentication, encryption, fraud detection and prevention, and audit trails. The assessment revealed that 33% of the institutions have core banking solutions and solutions that support cryptographic hash functions, meaning a sizable majority of the institutions (67%) have weaknesses in terms of compliance with this essential security requirement.

Figure 18: Systems using multi factor authentication

Despite controlled access being essential in securing data and information stored by systems, the CBS Jubbaland branch, the State Bank of Puntland and the CBS branches run systems that do not have multi-factor authentication, e.g. 2FA, and as such do not have extra layers of security.

There are gaps in fraud detection and prevention as all fraud detection methods are not utilized, and it is essential to enforce all the methods and techniques including performed, predictive analytics, outlier models and anti-money laundering so as to cover all possible threats to the systems.

Other gaps in security still exist, as the CBS branches, the CBS Jubbaland branch and the State Bank of Puntland don’t encrypt sensitive information in transmission to and from their systems or with any interfacing systems, and have systems that don’t keep an audit trail of all user activities in the system.

6.3.5 Transaction & reporting

The assessment looked at core banking system capabilities related to transactions and reporting

addressing issues of high availability, number of transactions per second, high resilience and fault

tolerance, fail-over times, and benchmark figures for fail-over times. Gaps in core banking solutions’

transactions and reporting capabilities can be explained by:

No standards and benchmark figures for minimum number of transactions per minute/second

No documented target benchmarks for fail-over times and target/benchmark figures for the fault tolerance percentage

Some weaknesses in reporting and analysis including predictive analytics, statistics on performance, transactions and security

Report generation not automated, and largely characterized by inaccuracy and delays

Despite the fact that the core banking solution implemented at CBS had a dedicated module for full

transaction dispute resolution with inbuilt data analytics engine to provide real-time statistics on

performance, transactions, security status, the solution did not have customized models for prediction,

clustering and classification based on machine learning or statistical techniques.

The CBS core banking solution is hosted in High Availability mode / DR with a minimum uptime of 99.95% and is also configured to guarantee high resilience and fault tolerance, but there is no certification, evidence of tests performed, or documentation of benchmark figures for transactions per second/minute, availability of metric elements used to benchmark fail-over times, or target/benchmark figures for the fault tolerance percentage.

The configuration commonly used to ensure high availability is automatic failover to backup.

6.3.6 Support, training and documentation

The financial institutions were assessed to see if the core banking solutions they had implemented had

proper support structure provided by the vendors in terms of post implementation support programs,

training, knowledge transfer and capacity building and documentation.

Even though the CBS branch in Jubaland and the State Bank of Puntland do not have any core banking system implemented, they also do not have any policies to guide them in developing long-term programs for continued training and knowledge transfer for systems that they implement, or to support continuous-improvement project approaches.

The core banking solution at the CBS HQ in Mogadishu was in the final stages of implementation. Knowledge transfer and training sessions were already underway, facilitated by external consultants. There was also a long-term program for continued training and knowledge transfer to properly equip key technical staff to independently run the core banking system.

The vendor of the solution also ensured that quality programs are embedded in the implementation service and support continuous-improvement project approaches, and also provides programs for system integration partners.

The knowledge transfer sessions will ensure the solution has in-house support. The warranty period is still open, and the vendor is yet to sign a service level agreement with the CBS.

7. CBS and State Bank’s capability maturity assessment

The analysis of the CBS, the CBS branch in Jubaland and the State Bank of Puntland was done using a maturity assessment framework with 5 maturity level indicators, which were used to measure each of the thematic areas within the two main assessment focus areas. The framework looks into maturity in terms of the degree and level of formality to which processes and systems are optimized: (1) from ad hoc practices to formally defined steps and practices, and (2) to managed result metrics and active optimization of the processes.

The figure below represents the 5 maturity levels with the color codes from the maturity assessment

results.

Figure 19: Capability maturity assessment

The assessment looked into areas listed under categories in the tables below. These were scored and

weighted against the maturity levels based on responses received from the assessment questionnaires

with a view of gauging the institutions’ preparedness to participate in the NPS.

The analysis shows that the CBS branches and the State Bank of Puntland are at the Initial stage (the starting point for use of a new or undocumented repeat process), while the CBS HQ is at the Managed stage (processes are at least documented sufficiently such that repeating the same steps may be attempted), in both technology capacity and common ICT infrastructure. Once the core banking system is launched and all the loose ends are tightened, including the conclusion of sufficient knowledge transfer and training at the CBS, the institution should move to the Defined stage, after which measures should be put in place, including ensuring systems and processes are firmed up, to enable it to progress to the Quality Managed stage and ultimately to optimization in the next three years.

For the CBS branch in Jubaland and the State Bank of Puntland, there are a lot of capacity building initiatives that need to be initiated, including purchase and installation of hardware and software, to ensure that they move to the managed stage, then slowly work on improving processes, gradually moving them to the managed and ultimately to quality managed and finally to optimized stage.

Summaries of the scoring and weighting are shown in the tables below.

7.1 Central Bank of Somalia maturity assessment

7.1.1 Common ICT Infrastructure maturity assessment

| Category | Item | Capability maturity level (Initial / Managed / Defined / Quality Managed / Optimizing) | Total Score |
|---|---|---|---|
| General | Plan that describes the overall ICT network across the site | 3 | 3 |
| | Number of users in the network | 5 | 5 |
| | ICT Infrastructure security audits and benchmarking been done on the site | 2 | 2 |
| | Enterprise equipment replacement plan | 2 | 2 |
| | How long equipment been in use since commissioning | 3 | 3 |
| | Hastily Formed Network (HFN) plan | 2 | 2 |
| | Internet access channel(s) available in the site | 4 | 4 |
| | Primary source of power in the site | 3 | 3 |
| | Rate of recurrence of power outages | 4 | 4 |
| | Backup power source to support the primary power source | 4 | 4 |
| | Total score on General | | 3 |
| Servers | Server rooms located on site | 4 | 4 |
| | Server room standards | 3 | 3 |
| | Servers used | 4 | 4 |
| | Server OS used | 4 | 4 |
| | Server environments used for deployment | 1 | 1 |
| | Total score on Servers | | 3 |
| Internet Connectivity & WAN | Monthly bandwidth speed | 5 | 5 |
| | ISP Bandwidth provision package/internet plan provided to the organization | 4 | 4 |
| | Connection Quality | 4 | 4 |
| | Critical core business systems accorded dedicated bandwidth | 4 | 4 |
| | Bandwidth management systems in place | 1 | 1 |
| | Bandwidth management technology used | 1 | 1 |
| | Availability of Backup Internet Connectivity (VSAT?) | 1 | 1 |
| | Video conferencing | 3 | 3 |
| | File transfer protocols used | 3 | 3 |
| | Automate file transfer processes between trading partners and exchanges including detection and handling of failed file transfers | 1 | 1 |
| | Monitoring of network resources | 2 | 2 |
| | IP Address Allocations | 2 | 2 |
| | Total score on Internet Connectivity & WAN | | 2 |
| Network Security | Secure data and file transmission capabilities | 2 | 2 |
| | Transfer files over public and private networks using encrypted file transfer protocols | 2 | 2 |
| | Secure transmission methods used | 2 | 2 |
| | Which repositories do you authenticate users against? (identity management) | 4 | 4 |
| | Securely store files using multiple data encryption methods | 4 | 4 |
| | Remote access to enterprise applications hosted | 4 | 4 |
| | Remote access software tools used | 4 | 4 |
| | Virtual Private Network (VPN) | 4 | 4 |
| | VPN protocols used | 4 | 4 |
| | Intrusion prevention and detection systems | 1 | 1 |
| | Firewall | 5 | 5 |
| | Password policy | 3 | 3 |
| | Secure wireless Network | 4 | 4 |
| | Compliance validation | 1 | 1 |
| | Remote access policy | 1 | 1 |
| | Antivirus Policy | 1 | 1 |
| | Acceptable use policy | 1 | 1 |
| | Content Security Policy (CSP) | 1 | 1 |
| | Data backup methods | 2 | 2 |
| | Total score on Network Security | | 2 |
| | Overall score on Common ICT Infrastructure | | 2 |

Table 13: CBS Common ICT Infrastructure maturity assessment

7.1.2 ICT technology maturity assessment

| Category | Item | Capability maturity level (Initial / Managed / Defined / Quality Managed / Optimizing) | Total Score |
|---|---|---|---|
| General | Does your organization have a core banking system? | 5 | 5 |
| | How was the system acquired and/or developed? | 5 | 5 |
| | Which primary bank functional areas does your core banking solution cover? | 4 | 4 |
| | Does your organization have an ERP? | 4 | 4 |
| | How was the ERP system acquired and/or developed? | 5 | 5 |
| | Is the ERP integrated with the core banking system? | 4 | 4 |
| | The ERP & Core banking system share a General ledger and Chart of accounts to cover all accounting requirements of the bank | 4 | 4 |
| | Which non-core banking operations does the ERP handle? | 4 | 4 |
| | What are the hosting arrangements for the core banking system and/or ERP? | 4 | 4 |
| | Which database(s) run on the core banking system? | 5 | 5 |
| | For each of the following banking & finance functions, please state your system vendors/Solutions (if internally developed, state “Internal”) | 4 | 4 |
| | Total score on General | | 4 |
| Core banking system compliance | Which payment methods are supported by the solution? | 3 | 3 |
| | Multi-currency support | 5 | 5 |
| | The system is PCI-DSS compliant | 3 | 3 |
| | The system is ISO27001 compliant | 3 | 3 |
| | The system is built along/compliant to ISO20022 standards | 3 | 3 |
| | Total score on Core banking system compliance | | 3 |
| Core banking system integration | Solution has a ‘componentized’ architecture with a framework where modules can be added, upgraded or removed without the need for a complete solution revamp | 5 | 5 |
| | Solution has a Pan-enterprise support system - components to be moved/eliminated without affecting existing support configurations | 2 | 2 |
| | Is the core banking solution integrated to any Payment Switch? | 2 | 2 |
| | Does the system have any APIs that allow for integration with other systems? | 3 | 3 |
| | Solution supports inter-bank domestic debit transfer | 4 | 4 |
| | The system integrates with SWIFT | 5 | 5 |
| | Total score on Core banking system integration | | 3 |
| Security | The system supports processing of transactions made by cards in a 3D secure environment | 4 | 4 |
| | System uses multi factor authentication e.g. two factor authentication (2FA) | 4 | 4 |
| | Access to the system is user and role based | 4 | 4 |
| | The system supports secure cryptography hash functions for securing digital passwords and login credentials and user access tokens | 3 | 3 |
| | The solution supports automatic generation of multiple RSA Public and Private Key pairs. | 3 | 3 |
| | Does the system have fraud prevention, detection and authentication modules, either in-built or as add on modules? | 4 | 4 |
| | The system encrypts sensitive in transmission to/from it and with any interfacing system | 3 | 3 |
| | System keeps audit trail of all user activities in the system | 4 | 4 |
| | System provides tools for filtering logs for use by Auditors | 3 | 3 |
| | Total score on Security | | 3 |
| Transaction & reporting | System has a dedicated module for full transaction dispute resolution and chargeback cycle with all communicated entities | 4 | 4 |
| | System has inbuilt data analytics engine to provide real-time statistics on performance, transactions, security status | 3 | 3 |
| | Has customized models for prediction, clustering and classification based on machine learning or statistical techniques. | 2 | 2 |
| | The system supports a minimum of how many transactions per minute? | 3 | 3 |
| | The system is hosted in High Availability mode / DR and a minimum uptime time of 99.95 % | 1 | 1 |
| | Solution is benchmarked for minimum TPS (Transaction Per Second) of 100 and should be highly scalable as per the business demands and forecast. | 2 | 2 |
| | System configured to guarantee high resilience and fault tolerance | 1 | 1 |
| | Do you have target/benchmark figures for the fail-over times of different system components | 1 | 1 |
| | Provide target/benchmark figures for the fault tolerance percentage | 3 | 3 |
| | Total score on Transaction & reporting | | 2 |
| Support, Training and documentation | The vendor/developer has a long term program for continued training and knowledge transfer? | 4 | 4 |
| | Quality programs are embedded in the implementation service and support continuous-improvement project approaches. | 4 | 4 |
| | Vendor provides programs for system integration partners | 3 | 3 |
| | Documentation provided by the vendor | 2 | 2 |
| | Vendor has proprietary rights over the solution | 2 | 2 |
| | There is an SLA between the vendor and the institution | 1 | 1 |
| | Is there in-house support for the solution? | 1 | 1 |
| | Does the solution have a warranty? | 3 | 3 |
| | Is the warranty period over? | 2 | 2 |
| | Is the vendor a local supplier or an international vendor? | 3 | 3 |
| | If the vendor is international, do they have a local presence? | 3 | 3 |
| | Total score on Support, Training and documentation | | 2 |
| | Overall score on technology capacity | | 2 |

Table 14: CBS ICT technology maturity assessment

7.2 State Bank of Puntland maturity assessment

7.2.1 Common ICT Infrastructure maturity assessment Capability maturity level

Category

Init

ial

Man

age

d

De

fin

ed

Qu

alit

y

Man

age

d

Op

tim

izin

g

Total Score

General Plan that describes the overall ICT network across the site 1 1

Number of users in the network 5 5

ICT Infrastructure security audits and benchmarking been done

on the site

1

1

Enterprise equipment replacement plan 2 2

How long equipment been in use since commissioning 2 2

Hastily Formed Network (HFN) plan 1 1

Internet access channel(s) available in the site 2 2

Primary source of power in the site 2 2

Rate of recurrence of power outages 1 1

Backup power source to support the primary power source 1 1

Total score on General 1

Servers Server rooms located on site 1 1

Server room standards 1 1

Servers used 1 1

Server OS used 2 2

Server environments used for deployment 1 1

Total score on Servers 1

Internet Connectivity &

WAN

Monthly bandwidth speed 4

4

ISP Bandwidth provision package/internet plan provided to the

organization

2

2

Connection Quality 3 3

Critical core business systems accorded dedicated bandwidth 1 1

Bandwidth management systems in place 1 1

Bandwidth management technology used 1 1

56 | P a g e A L C O R

Availability of Backup Internet Connectivity (VSAT?) 1 1

Video conferencing 1 1

File transfer protocols used 2 2

Automate file transfer processes between trading partners and exchanges including detection and handling of failed file transfers 1 1

Monitoring of network resources 2 2

IP Address Allocations 1 1

Total score on Internet Connectivity & WAN 1

Network Security Secure data and file transmission capabilities 1 1

Transfer files over public and private networks using encrypted file transfer protocols 1 1

Secure transmission methods used 3 3

Which repositories do you authenticate users against? (identity management) 3 3

Securely store files using multiple data encryption methods 3 3

Remote access to enterprise applications hosted 3 3

Remote access software tools used 3 3

Virtual Private Network (VPN) 1 1

VPN protocols used 1 1

Intrusion prevention and detection systems 1 1

Firewall 1 1

Password policy 2 2

Secure wireless Network 2 2

Compliance validation 1 1

Remote access policy 1 1

Antivirus Policy 1 1

Acceptable use policy 1 1

Content Security Policy (CSP) 1 1

Data backup methods 1 1

Total score on Network Security 1

Overall score on Common ICT Infrastructure 1

Table 15: SBP Common ICT Infrastructure maturity assessment


7.2.2 ICT technology maturity assessment

Capability maturity level

Category | Initial | Managed | Defined | Quality Managed | Optimizing | Total Score

General Does your organization have a core banking system? 1 1

How was the system acquired and/or developed? 1 1

Which primary bank functional areas does your core banking solution cover? 1 1

Does your organization have an ERP? 2 2

How was the ERP system acquired and/or developed? 1 1

Is the ERP integrated with the core banking system? 1 1

The ERP & Core banking system share a General ledger and Chart of accounts to cover all accounting requirements of the bank 1 1

Which non-core banking operations does the ERP handle? 1 1

What are the hosting arrangements for the core banking system and/or ERP? 1 1

Which database(s) run on the core banking system? 1 1

For each of the following banking & finance functions, please state your system vendors/Solutions (if internally developed, state “Internal”) 1 1

Total score on General 1

Core banking system compliance Which payment methods are supported by the solution? 1 1

Multi-currency support 1 1

The system is PCI-DSS compliant 1 1

The system is ISO27001 compliant 1 1

The system is built along/compliant to ISO20022 standards 1 1

Total score on Core banking system compliance 1

Core banking system integration Solution has a ‘componentized’ architecture with a framework where modules can be added, upgraded or removed without the need for a complete solution revamp 1 1


Solution has a Pan-enterprise support system - components to be moved/eliminated without affecting existing support configurations 1 1

Is the core banking solution integrated to any Payment Switch? 1 1

Does the system have any APIs that allow for integration with other systems? 1 1

Solution supports inter-bank domestic debit transfer 1 1

The system integrates with SWIFT 1 1

Total score on Core banking system integration 1

Security The system supports processing of transactions made by cards in a 3D secure environment 1 1

System uses multi factor authentication e.g. two factor authentication (2FA) 1 1

Access to the system is user and role based 1 1

The system supports secure cryptography hash functions for securing digital passwords and login credentials and user access tokens 1 1

The solution supports automatic generation of multiple RSA Public and Private Key pairs. 1 1

Does the system have fraud prevention, detection and authentication modules, either in-built or as add on modules? 1 1

The system encrypts sensitive data in transmission to/from it and with any interfacing system 1 1

System keeps audit trail of all user activities in the system 1 1

System provides tools for filtering logs for use by Auditors 1 1

Total score on Security 1

Transaction & reporting System has a dedicated module for full transaction dispute resolution and chargeback cycle with all communicated entities 1 1

System has inbuilt data analytics engine to provide real-time statistics on performance, transactions, security status 1 1

Has customized models for prediction, clustering and classification based on machine learning or statistical techniques. 1 1

The system supports a minimum of how many transactions per minute? 1 1


The system is hosted in High Availability mode / DR and a minimum uptime of 99.95 % 1 1

Solution is benchmarked for minimum TPS (Transactions Per Second) of 100 and should be highly scalable as per the business demands and forecast. 1 1

System configured to guarantee high resilience and fault tolerance 1 1

Do you have target/benchmark figures for the fail-over times of different system components 1 1

Provide target/benchmark figures for the fault tolerance percentage 1 1

Total score on Transaction & reporting 1

Support, Training and documentation The vendor/developer has a long term program for continued training and knowledge transfer? 1 1

Quality programs are embedded in the implementation service and support continuous-improvement project approaches. 1 1

Vendor provides programs for system integration partners 1 1

Documentation provided by the vendor 1 1

Vendor has proprietary rights over the solution 1 1

There is an SLA between the vendor and the institution 1 1

Is there in-house support for the solution? 1 1

Does the solution have a warranty? 1 1

Is the warranty period over? 1 1

Is the vendor a local supplier or an international vendor? 1 1

If the vendor is international, do they have a local presence? 1 1

Total score on Support, Training and documentation 1

Overall score on technology capacity 1

Table 16: SBP ICT technology maturity assessment


7.3 Central Bank of Somalia Jubaland Branch maturity assessment

7.3.1 Common ICT Infrastructure maturity assessment

Capability maturity level

Category | Initial | Managed | Defined | Quality Managed | Optimizing | Total Score

General Plan that describes the overall ICT network across the site 1 1

Number of users in the network 1 1

ICT Infrastructure security audits and benchmarking been done on the site 1 1

Enterprise equipment replacement plan 1 1

How long equipment been in use since commissioning 1 1

Hastily Formed Network (HFN) plan 1 1

Internet access channel(s) available in the site 1 1

Primary source of power in the site 1 1

Rate of recurrence of power outages 1 1

Backup power source to support the primary power source 1 1

Total score on General 1

Servers Server rooms located on site 1 1

Server room standards 1 1

Servers used 1 1

Server OS used 1 1

Server environments used for deployment 1 1

Total score on Servers 1

Internet Connectivity & WAN Monthly bandwidth speed 1 1

ISP Bandwidth provision package/internet plan provided to the organization 1 1

Connection Quality 1 1

Critical core business systems accorded dedicated bandwidth 1 1

Bandwidth management systems in place 1 1

Bandwidth management technology used 1 1


Availability of Backup Internet Connectivity (VSAT?) 1 1

Video conferencing 1 1

File transfer protocols used 1 1

Automate file transfer processes between trading partners and exchanges including detection and handling of failed file transfers 1 1

Monitoring of network resources 1 1

IP Address Allocations 1 1

Total score on Internet Connectivity & WAN 1

Network Security Secure data and file transmission capabilities 1 1

Transfer files over public and private networks using encrypted file transfer protocols 1 1

Secure transmission methods used 1 1

Which repositories do you authenticate users against? (identity management) 1 1

Securely store files using multiple data encryption methods 1 1

Remote access to enterprise applications hosted 1 1

Remote access software tools used 1 1

Virtual Private Network (VPN) 1 1

VPN protocols used 1 1

Intrusion prevention and detection systems 1 1

Firewall 1 1

Password policy 1 1

Secure wireless Network 1 1

Compliance validation 1 1

Remote access policy 1 1

Antivirus Policy 1 1

Acceptable use policy 1 1

Content Security Policy (CSP) 1 1

Data backup methods 1 1

Total score on Network Security 1

Overall score on Common ICT Infrastructure 1

Table 17: CBS Jubaland Common ICT Infrastructure maturity assessment


7.3.2 ICT technology maturity assessment

Capability maturity level

Category | Initial | Managed | Defined | Quality Managed | Optimizing | Total Score

General Does your organization have a core banking system? 1 1

How was the system acquired and/or developed? 1 1

Which primary bank functional areas does your core banking solution cover? 1 1

Does your organization have an ERP? 1 1

How was the ERP system acquired and/or developed? 1 1

Is the ERP integrated with the core banking system? 1 1

The ERP & Core banking system share a General ledger and Chart of accounts to cover all accounting requirements of the bank 1 1

Which non-core banking operations does the ERP handle? 1 1

What are the hosting arrangements for the core banking system and/or ERP? 1 1

Which database(s) run on the core banking system? 1 1

For each of the following banking & finance functions, please state your system vendors/Solutions (if internally developed, state “Internal”) 1 1

Total score on General 1

Core banking system compliance Which payment methods are supported by the solution? 1 1

Multi-currency support 1 1

The system is PCI-DSS compliant 1 1

The system is ISO27001 compliant 1 1

The system is built along/compliant to ISO20022 standards 1 1

Total score on Core banking system compliance 1

Core banking system integration Solution has a ‘componentized’ architecture with a framework where modules can be added, upgraded or removed without the need for a complete solution revamp 1 1


Solution has a Pan-enterprise support system - components to be moved/eliminated without affecting existing support configurations 1 1

Is the core banking solution integrated to any Payment Switch? 1 1

Does the system have any APIs that allow for integration with other systems? 1 1

Solution supports inter-bank domestic debit transfer 1 1

The system integrates with SWIFT 1 1

Total score on Core banking system integration 1

Security The system supports processing of transactions made by cards in a 3D secure environment 1 1

System uses multi factor authentication e.g. two factor authentication (2FA) 1 1

Access to the system is user and role based 1 1

The system supports secure cryptography hash functions for securing digital passwords and login credentials and user access tokens 1 1

The solution supports automatic generation of multiple RSA Public and Private Key pairs. 1 1

Does the system have fraud prevention, detection and authentication modules, either in-built or as add on modules? 1 1

The system encrypts sensitive data in transmission to/from it and with any interfacing system 1 1

System keeps audit trail of all user activities in the system 1 1

System provides tools for filtering logs for use by Auditors 1 1

Total score on Security 1

Transaction & reporting System has a dedicated module for full transaction dispute resolution and chargeback cycle with all communicated entities 1 1

System has inbuilt data analytics engine to provide real-time statistics on performance, transactions, security status 1 1

Has customized models for prediction, clustering and classification based on machine learning or statistical techniques. 1 1

The system supports a minimum of how many transactions per minute? 1 1


The system is hosted in High Availability mode / DR and a minimum uptime of 99.95 % 1 1

Solution is benchmarked for minimum TPS (Transactions Per Second) of 100 and should be highly scalable as per the business demands and forecast. 1 1

System configured to guarantee high resilience and fault tolerance 1 1

Do you have target/benchmark figures for the fail-over times of different system components 1 1

Provide target/benchmark figures for the fault tolerance percentage 1 1

Total score on Transaction & reporting 1

Support, Training and documentation The vendor/developer has a long term program for continued training and knowledge transfer? 1 1

Quality programs are embedded in the implementation service and support continuous-improvement project approaches. 1 1

Vendor provides programs for system integration partners 1 1

Documentation provided by the vendor 1 1

Vendor has proprietary rights over the solution 1 1

There is an SLA between the vendor and the institution 1 1

Is there in-house support for the solution? 1 1

Does the solution have a warranty? 1 1

Is the warranty period over? 1 1

Is the vendor a local supplier or an international vendor? 1 1

If the vendor is international, do they have a local presence? 1 1

Total score on Support, Training and documentation 1

Overall score on technology capacity 1

Table 18: CBS Jubaland ICT technology maturity assessment


8. Recommendations

Having assessed the key focus areas related to ICT, analysed them by thematic area and identified the gaps inherent in these areas, the following recommendations, if implemented, will bolster the participants towards achieving full competence in all technology aspects, i.e. infrastructure, technology and practice. That would enable the CBS, CBS branches, CBS Jubbaland branch and State Bank of Puntland to participate effectively in an NPS and enhance their ability to act as a regulator in the financial sector.

8.1 Recommendations on the Common ICT Infrastructure

8.1.1 Short term recommendations

i. Establish proper ICT infrastructure as a backbone to support any automation at the State Bank of Puntland and the CBS branch in Jubaland. This should include setting up a well-structured and documented LAN, providing adequate access to the internet, electricity and backup power, and purchasing computers and peripheral equipment;

ii. The CBS, CBS branches, CBS Jubbaland branch and State Bank of Puntland must ensure that their ICT network infrastructure is well planned. Such plans should be clearly documented (topology, distribution, nodes, VLANs, etc.) and readily accessible for use during disaster recovery, redesign and/or expansion of the network, and ICT infrastructure audits;

iii. CBS, CBS Jubbaland branch and State Bank of Puntland to ensure that all sensitive files and information in digital format are stored using data encryption methods to avoid compromising sensitive information. This is critical as all the institutions allow remote access to their internal systems and networks;

iv. Develop a sound ICT policy covering enterprise equipment replacement plans and password and security policies that are enforceable and form part of the organization’s official regulations, ensuring that all staff members are inducted as part of security awareness and training.

8.1.2 Medium term recommendation

i. CBS branch in Jubaland and State Bank of Puntland to digitize all their manual legacy records in readiness for migration to the automated systems;

ii. CBS to make it common practice to have their ICT networks audited frequently. To this end, they should put in place enforceable policies compelling them to conduct regular ICT infrastructure security audits, particularly whenever there are increased incidences of security breach. They should not only conduct internal audits but also encourage external independent audits from internationally recognized firms to ensure they get top rating accreditation based on security preparedness;

iii. Ensure that all the sites hosting mission critical systems have all the basic minimums required for a standard server room or data centre, including but not limited to: Access Control and Safety, Raised Floor Systems, Fire Prevention, Cooling/AC Unit(s), Server racks & rack mount equipment, and Emergency planning (power backup/UPSs);

iv. Develop clear standard operating procedures on server environments to be used pre and post deployment;

v. CBS to ensure that they implement intrusion prevention and detection systems guided by internal security policies.

8.1.3 Long term recommendations

i. The CBS to move their DR site to a different geographic location, not in the same premises as their primary site;

ii. Have policies in place to ensure mission critical systems like the core banking system and/or ERPs are allotted their own dedicated bandwidth;

iii. Have policies to ensure ethical and efficient utilization of bandwidth resources in the organization, including greater utilization of bandwidth management tools;

iv. Develop policies and procedures spelling out IP allocations, addressing among other things: address range, number of available addresses and number of users;

v. There should be stringent enforcement of internal and external Network Security Policies (NSP) to avoid incidences of industrial espionage, theft, or accidental disclosure of intellectual property, or damage to public image or industry standing. Remote access policies and content security policies should also be made elements of the NSP.

8.2 Recommendation on ICT technology

8.2.1 Short term recommendations

i. Extend the core banking system implementation to the CBS branch in Jubaland and State Bank of Puntland;

ii. Training of the personnel at the CBS branch in Jubaland and State Bank of Puntland on basic IT skills and utilization of technology;

iii. Auditing and certification of all systems implemented, i.e. core banking solution and ERP, to ensure they meet international best practice and industry standards;

iv. As the core banking system is implemented in the CBS branches, CBS Jubbaland branch and State Bank of Puntland, the CBS, CBS Jubbaland branch and State Bank of Puntland should put in place a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the information security management system.

8.2.2 Medium term recommendations


i. As part of capacity injection, CBS, CBS Jubbaland branch and State Bank of Puntland should hire competent staff to aid in managing the network and systems to be implemented in the CBS Jubbaland branch, State Bank of Puntland and CBS branches, specifically people skilled in database administration and systems/network administration;

ii. Have proper scalability plans catering for possible disruptions during upgrades;

iii. CBS to ensure their systems fully support encryption of data in transit and support decryption using private and public keys;

iv. CBS should make it a practice to measure and set standards for how resilient their systems are when processing transactions;

v. CBS to develop measurable benchmarks for performance and scalability.

8.2.3 Long term recommendations

i. CBS to ensure that all systems have fraud prevention and detection capabilities, including velocity checks, account blacklisting, etc., to minimize and mitigate cases of fraud;

ii. CBS to make it an integral part of their practice to perform frequent transaction tests on their systems and document benchmark figures as standard practice. The information can be useful when upgrading, scaling up, performing system audits, or managing bandwidth and server resources;

iii. CBS should put in place programs to guarantee continued training and knowledge transfer in the long term, so that they have internal competencies and continuity.