Professional Documents
Culture Documents
IMPROVEMENT
REMEDIATION PLAN
P
Prro
ojje
ecctt
PPrroojjeecctt PPrriim
maarryy O
Owwnneerr
IIT
TDDiiv
viissiio
onn,, O
Oppe
erra
attiio
onnss &
&
SSu
uppp
poorrtt
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
Table of contents
A. Introduction ................................................................
................................................................................................................................
.........................................................................................3
Page 2 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
A. Introduction
The objective of remediation planning phase is to develop detailed remediation plans providing guidelines, identification of project interfaces/ dependencies, provision of medium-long
medium
term set of initiatives. These require detailed discussions with the relevant stakeholders at the bank for remediation of areas for improvement, as identified in Ph ase IV of this Project
for which Diagnostic Reports have already been submitted and are un under review of the stakeholders.
The remediation
diation plans have been derived from the recommendations in the diagnostic reports, identifying the areas for improvement bas ed on the As-Is documentation developed as
of the cut-off date, i.e. the date for commencement of As-Is
Is Phase.
Combating Money Laundering continues to be a key issue for or many financial institutions. Tackling the complex international patchwork of regulatory
re and legal requirements, while
continuing to serve customers is challenging. The financial services sector faces significant reputational damage and potentially large fines if adequate c ontrols do not exist. Around the
world, regulators are taking an increasingly aggressive stance
tance on failures in this area.
Page 3 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
1. Transaction Monitoring/ AML monitoring System Volume II, AML/ KYC Monitoring
Activities, Gap No. 1
The bank currently does not have a dedicated Transaction/ AML monitoring System to aid automatic real time monitoring of
customer transactions as well as generation of periodic reports to aid various analyses
analyses.
2. Customer Anticipated Activity And Transaction Profile (CATP) Volume II, AML/ KYC Monitoring
Activities, Gap No. 2
The Bank can effectively control and reduce its risk only if there is a sound understanding and system functionality with res pect
to monitoring of account activity of the customer so as to have the means of identifying transactio ns that fall outside the regular
pattern of activity. To this end the Bank currently lacks in maintenance of comprehensive anticipated activity profile for ea ch
customer to provide parameters for subsequent transaction monitoring.
3. Additional reports to aid better analysis Volume II, AML/ KYC Monitoring
Activities, Gap No. 4
Compliance function does not have adequate reports generation capabilities to analyze useful information captured by the
system. Additionally there is no arrangement for gathering and analyzing external information which may be useful for on
on-going
going
monitoring of customers.
4. Banned/ blacklisted entities/ persons (negative list) screening Volume I, Account Opening, Gap No. 13
The screening of customer against banned/ blacklisted entities/ persons (negative list) is carried out manually by finding the
applicant's name in the list appearing on www.treasu.gov/ofac. Moreover, due to manual finding of names, proper screening
may not be performed resulting in opening of accounts of black listed/ banned entities/ persons, potential SBP penalties and
other adverse outcomes.
Page 4 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
C. Action plan
Tentative
S. No. Action points Ownership Dependencies
timelines
Ensure that the vendor provides latest standard version of the solution and all the relevant
To be decided
1.1 details, documentation, training material etc. and conducts meetings/ workshops to discuss ITD, Compliance -
by the Bank
and finalize the specifications contained therein through live comprehensive demos.
To be decided
1.3 Finalize the user requirements/ functional design documents with the vendor. ITD, Compliance Initiative no. 1.2
by the Bank
Vendor to provide comprehensive gap analysis document showing the standard specifications
as well as the BoK specific customizations// configurations/ alignment (if any) required against To be decided
1.4 ITD, Compliance -
the documented user requirements/ functional design documents (Please refer Annexure 2: by the Bank
Contents of Gap Analysis Document).
To be decided
1.5 Finalize the gap analysis documents with the vendor. ITD, Compliance Initiative no. 1.4
by the Bank
Page 5 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
Vendor to provide logical design document showing the exact way of factorizing, configuring , To be decided
1.6 ITD, Compliance -
aligning and/ or customizing the solution to BoK’s requirements. by the Bank
To be decided
1.7 Finalize the logical design document. ITD, Compliance Initiative no. 1.6
by the Bank
Initiative No. 2: System Testing (Please refer Annexure 33: UAT Guidelines)
Vendor to deliver software integration test (SIT) including complete details of the interface
To be decided
2.1 points and all related data requirements and guidance/ mapping on the interfaces to facilitate ITD, Compliance -
by the Bank
effective technical interfaces/ integration with multiple existing systems.
To be decided
2.2 Vendor to deliver UAT version. ITD, Compliance -
by the Bank
BoK and Vendor to develop joint UAT scenarios (covering specifically scenarios outlined in the
To be decided
2.3 SBP AML/ CFT Regulations) specific to BoK (Please refer Annexure 3: UAT Guidelines Section ITD, Compliance -
by the Bank
1).
Development of functional test scripts for UAT (Please refer Annexure 3: UAT Guidelines To be decided
2.4 ITD, Compliance -
Section 2). by the Bank
To be decided
2.5 Conduct comprehensive testing of the system – initial UAT + SIT. ITD, Compliance -
by the Bank
Bug removal and incorporation of additional alignments/ modifications in system design To be decided
2.6 ITD, Compliance Initiative no. 2.5
(Please refer Annexure 3:: UAT Guidelines Section 4). by the Bank
To be decided
2.7 Conduct comprehensive testing of the system – final UAT + SIT and BoK sign-off on test results. ITD, Compliance Initiative no. 2.6
by the Bank
Page 6 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
Vendor to document the following revised documents aligned to BoK’s solution and processes:
User guide
To be decided
3.1 Application integration guide ITD, Compliance -
by the Bank
Compilation of MIS Reports
Technical Manual
Vendor to provide live production version of the solution ready to be installed to live To be decided
4.1 ITD, Compliance Initiative no. 2.7
production. by the Bank
To be decided
4.2 Roll-out of the solution within the bank
nk (including all activities ancillary to roll-out). ITD, Compliance Initiative no. 4.1
by the Bank
Page 7 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
Page 8 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
The gap analysis stage is a crucial stage in which the Bank would be provided with necessary customizations/ configurations
configurations/ alignment which would ultimately form part of the working solution.
In this regard we have developed Contents of Gap Analysis Document which can be used as bes best practice by the Bankk in implementation of the AML/ KYC System. These are outlined as follows
(illustrative only):
Description of various types of customizations// configurations
configurations/ alignment which may be required in the system.
List of customizations/ configurations/ alignments (according to type) with description of each.
The methodology/ basis used to determine in which category/ type a customization falls in
in.
Overall organizational structure at BoK and in-scope
scope areas/ functions (in this case Complian
Compliance).
Approval structure at BoK (description should cover information such as approval matrix, overrides (if any))
any)).
System data structure and sources.
High level description of data owners.
Main application workflow detailing data ingestion, behaviour detec
detection and alert management (step-wise).
wise). This should also include step stakeholders/ applicable approval hierarchy
and step results/ outcomes.
Description of each customization/ configuration// alignment required (including tagging of customization type, customization
omization ID & optional solution where a gap is identified)
identified with
references given for functional specification being covered in the process stage/ step
step.
Description of standard operational functionalities which may include user & role management, workflow related functionalities, archiving, base data management, user interface
standard functionalities among others.
List of AML scenario tests/ KYC functionalities which are covered by the system.
Page 9 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
User Acceptance Testing (UAT) is a process to validate and verify that a system meets mutually agreed -upon
upon requirements. These tests help give confidence to the stakeholders as to the
maturity of the system and its anticipated function once releas
released to a production environment. During UAT, participants access the system through a test environment, follow
sequential steps in test scripts to validate the functionality, indicate whether each step passed or failed, and document sys tem defects or modifications so
s they can be resolved or
designated as future enhancements. To undertake UAT successfully, certain best practices warrant attention. These are depicted below (illustrative only):
only)
UAT scenarios should be broken down into categories to indicate difficulty level to facilitate prioritizing them, allotting them to relevant personnel etc. For example the scena rios can be
categorized into easy, moderate, difficult and complex. Thus the complex ones can be given priority and focus. The UAT scenarios may in general include functionality requirement
reviews, control reviews, data checks, report generation reviews etc.
UAT test scripts are developed using requirement specifications and contain detailed steps describ ing user actions within the system and the system's expected responses.
responses Separate test
scripts are developed for each UAT scenario selected. The test scripts are then used to indicate a “Pass” or “Fail” for each test to record the result of the UAT. Comments
Comment can also be
added by the testers as feedback for each test. Illustrative contents of the test scripts may be as follows:
Page 10 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
Bug removal for different areas should be prioritized based on the severity (High Priority/ Medium Priority/ Low Priority) assigned to the bugs in the UAT. For efficient handling of the
bug removal process, bug status reports should be used marking closure of bugs both on the part of the Bank’s stakeholders and the Vendor. The report may include:
Bug description and severity marked against each bug.
Status of bug as per each stakeholder
o Outstanding: the bug is outstanding and no work on its removal has been started.
o Assigned: the bug has been assigned to the Vendor and working on its removal is underway.
o Resolved: the Vendor has communicated that the bug has been resolved at their end.
o Closed:: the bug is tested and finally marked as closed by the Bank’s stakeholders.
o Reopened: the bug is reopened due to its reoccurrence. Reoccurrence may arise both after resolved and closed status.
Remarks and comments describing the status of the bug.
Page 11 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
4 BoK to select a full-time training coordinator to address the administrative and logistical aspects of training. The training coordinator will be ITD, Compliance
responsible for all training scheduling, enrollment and training logistics work (preparing classrooms, printing materials, di stributing materials to
classroom, individual computers with network and BE access, etc).
5 BoK to select functional leads who will facilitate the planning effort, logistics and scheduling for training development and delivery for each of ITD, Compliance
their respective business functions.
7 Vendor to provide training sessions for advanced/ technical users of the system. ITD, Compliance
Page 12 of 13
BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber
The following aspects need specific consideration during system procurement and hence should be addressed during RFP/ contrac t finalization stage:
BoK and the selected vendor should, subsequent to project commencement, jointly draw up a comprehensive project plan further elaborating on each phase together with related timelines
and milestones. In addition, prior to each project phase, both the parties should draw up a detailed working plan for that ph ase outlining
tlining the discrete steps to be performed and the time to
be spent on each step by the respective parties.
BoK shall ensure that all the functional requirements, as stated in functional specifications/ RFP or a part of standard version of its solution are made available in the software delivered by the
Vendor.. The detailed requirements should be discussed and agreed during the course of the project and will form part of the documen ted user requirements/ functional design documents
finalized jointly with thee vendor. The vendor should also ensure that all other features, as available in the standard version at the go -live
live date, including but not limited to related processes,
tools, templates, checklists, functionalities and MIS and exception reports etc., as available in the software besides those specifically stated in RFP or agreed later, are duly made available to
BoK.
The vendor should be made responsible to facilitate re-engineering
engineering in relation to all the in
in-scope
scope aspects in accordance with the best practices inherent in the software provided to BoK. The
vendor, based on its experience, shall be responsible to define re
re-engineered processes/ To-Be Be processes to be made part of detailed system requirements/ specifications.
The vendor should ensure that the amendments, if any, during the course of implementation, in the rules, user and organizatio n hierarchies, processes, information, templates/
documentation/
ocumentation/ checklists, MIS and exception reports and authority matrices etc. are addresse
addressed in the system to the extent possible considering the cut-off date.
Page 13 of 13