BUSINESS PROCESS

IMPROVEMENT
REMEDIATION PLAN

P
Prro
ojje
ecctt

AML/ KYC Solution

PPrroojjeecctt PPrriim
maarryy O
Owwnneerr

IIT
TDDiiv
viissiio
onn,, O
Oppe
erra
attiio
onnss &
&
SSu
uppp
poorrtt
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

Table of contents

A. Introduction ................................................................
................................................................................................................................
.........................................................................................3

B. Areas for improvement to be addressed................................

................................................................................................................................
.............................................................................4

C. Action plan ................................................................

................................................................................................................................................................
...........................................................5

Annexure 1: Contents of Logical Design Document ................................

................................................................................................................................
................................................................8

Annexure 2: Contents of Gap Analysis Document................................

................................................................................................................................
...................................................................9

Annexure 3: UAT Guidelines ................................................................

................................................................................................................................
..................................................................10

Annexure 4: System Related Training................................

................................................................................................................................
....................................................................................12

Annexure 5: Aspects for specific consideration during system procurement ................................................................

......................................................................................13

Page 2 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

A. Introduction

The objective of remediation planning phase is to develop detailed remediation plans providing guidelines, identification of project interfaces/ dependencies, provision of medium-long
medium
term set of initiatives. These require detailed discussions with the relevant stakeholders at the bank for remediation of areas for improvement, as identified in Ph ase IV of this Project
for which Diagnostic Reports have already been submitted and are un under review of the stakeholders.

The remediation
diation plans have been derived from the recommendations in the diagnostic reports, identifying the areas for improvement bas ed on the As-Is documentation developed as
of the cut-off date, i.e. the date for commencement of As-Is
Is Phase.

Combating Money Laundering continues to be a key issue for or many financial institutions. Tackling the complex international patchwork of regulatory
re and legal requirements, while
continuing to serve customers is challenging. The financial services sector faces significant reputational damage and potentially large fines if adequate c ontrols do not exist. Around the
world, regulators are taking an increasingly aggressive stance
tance on failures in this area.

This remediation plan addresses initiative that the Bank

ank has already undertaken to procure aand implement a specialized AML/ KYC system for automated identification of blacklisted/
ineligible entities and with effective scenarios designed to make the identificatio
identification/
n/ monitoring and reporting of high risk accounts and suspicious/ high risk transactions more robust.
Some of the steps enumerated in this plan n have already been undertaken while the remaining steps need to be implemented. Although this is not part of our scope, we have provided
this plan as a value addition (without any obligation on the part of PwC). The Bank will need to see the essence of the contr act with the Vendor and use this approach as best practice
wherever possible. Moreover, although technical requirements ts are out of our scope
scope,, to facilitate the Bank (without any obligation on the part of PwC) we have attempted to provide
steps/ initiatives that would help the Bank in undertaking technical activities such as interface testing, advice/ guidance o n technical documentation etc.

Page 3 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

B. Areas for improvement to be addressed

S. No. Summary areas for improvement Diagnostic report reference

1. Transaction Monitoring/ AML monitoring System Volume II, AML/ KYC Monitoring
Activities, Gap No. 1
The bank currently does not have a dedicated Transaction/ AML monitoring System to aid automatic real time monitoring of
customer transactions as well as generation of periodic reports to aid various analyses
analyses.

2. Customer Anticipated Activity And Transaction Profile (CATP) Volume II, AML/ KYC Monitoring
Activities, Gap No. 2
The Bank can effectively control and reduce its risk only if there is a sound understanding and system functionality with res pect
to monitoring of account activity of the customer so as to have the means of identifying transactio ns that fall outside the regular
pattern of activity. To this end the Bank currently lacks in maintenance of comprehensive anticipated activity profile for ea ch
customer to provide parameters for subsequent transaction monitoring.

3. Additional reports to aid better analysis Volume II, AML/ KYC Monitoring
Activities, Gap No. 4
Compliance function does not have adequate reports generation capabilities to analyze useful information captured by the
system. Additionally there is no arrangement for gathering and analyzing external information which may be useful for on
on-going
going
monitoring of customers.

4. Banned/ blacklisted entities/ persons (negative list) screening Volume I, Account Opening, Gap No. 13
The screening of customer against banned/ blacklisted entities/ persons (negative list) is carried out manually by finding the
applicant's name in the list appearing on www.treasu.gov/ofac. Moreover, due to manual finding of names, proper screening
may not be performed resulting in opening of accounts of black listed/ banned entities/ persons, potential SBP penalties and
other adverse outcomes.

Page 4 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

C. Action plan

Tentative Start Date: Currently underway

Tentative End Date: Dependent upon AML/ KYC system implementation

Tentative
S. No. Action points Ownership Dependencies
timelines

Initiative No. 1: System Development

Ensure that the vendor provides latest standard version of the solution and all the relevant
To be decided
1.1 details, documentation, training material etc. and conducts meetings/ workshops to discuss ITD, Compliance -
by the Bank
and finalize the specifications contained therein through live comprehensive demos.

Vendor to provide comprehensive documented user requirements/ functional design

documents based on detailed assessment of the As As-Is and re-engineering requirements/
opportunities in accordance with the best practices inherent in the solution. The vendor based To be decided
1.2 ITD, Compliance -
on its experience, shall define re-engineered
d process/To
process/To-Be processes to be made part of by the Bank
detailed system requirements/ specifications (Please refer Annexure 1: Contents of Logical
Design Document).

To be decided
1.3 Finalize the user requirements/ functional design documents with the vendor. ITD, Compliance Initiative no. 1.2
by the Bank

Vendor to provide comprehensive gap analysis document showing the standard specifications
as well as the BoK specific customizations// configurations/ alignment (if any) required against To be decided
1.4 ITD, Compliance -
the documented user requirements/ functional design documents (Please refer Annexure 2: by the Bank
Contents of Gap Analysis Document).

To be decided
1.5 Finalize the gap analysis documents with the vendor. ITD, Compliance Initiative no. 1.4
by the Bank

Page 5 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

Vendor to provide logical design document showing the exact way of factorizing, configuring , To be decided
1.6 ITD, Compliance -
aligning and/ or customizing the solution to BoK’s requirements. by the Bank

To be decided
1.7 Finalize the logical design document. ITD, Compliance Initiative no. 1.6
by the Bank

Initiative No. 2: System Testing (Please refer Annexure 33: UAT Guidelines)

Vendor to deliver software integration test (SIT) including complete details of the interface
To be decided
2.1 points and all related data requirements and guidance/ mapping on the interfaces to facilitate ITD, Compliance -
by the Bank
effective technical interfaces/ integration with multiple existing systems.

To be decided
2.2 Vendor to deliver UAT version. ITD, Compliance -
by the Bank

BoK and Vendor to develop joint UAT scenarios (covering specifically scenarios outlined in the
To be decided
2.3 SBP AML/ CFT Regulations) specific to BoK (Please refer Annexure 3: UAT Guidelines Section ITD, Compliance -
by the Bank
1).

Development of functional test scripts for UAT (Please refer Annexure 3: UAT Guidelines To be decided
2.4 ITD, Compliance -
Section 2). by the Bank

To be decided
2.5 Conduct comprehensive testing of the system – initial UAT + SIT. ITD, Compliance -
by the Bank

Bug removal and incorporation of additional alignments/ modifications in system design To be decided
2.6 ITD, Compliance Initiative no. 2.5
(Please refer Annexure 3:: UAT Guidelines Section 4). by the Bank

To be decided
2.7 Conduct comprehensive testing of the system – final UAT + SIT and BoK sign-off on test results. ITD, Compliance Initiative no. 2.6
by the Bank

Initiative No. 3: System Related Documentation & Training

Page 6 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

Vendor to document the following revised documents aligned to BoK’s solution and processes:
 User guide
To be decided
3.1  Application integration guide ITD, Compliance -
by the Bank
 Compilation of MIS Reports
 Technical Manual

Vendor to conduct training on BoK’s AML solution

olution (Please refer Annexure 44: System Related To be decided
3.2 ITD, Compliance -
Training). by the Bank

Initiative No. 4: System Roll-out

Vendor to provide live production version of the solution ready to be installed to live To be decided
4.1 ITD, Compliance Initiative no. 2.7
production. by the Bank

To be decided
4.2 Roll-out of the solution within the bank
nk (including all activities ancillary to roll-out). ITD, Compliance Initiative no. 4.1
by the Bank

Page 7 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

Annexure 11: Contents of Logical Design Document

We have developed best practice constituents of the Logical Design D

Document so that the Bank may ensure successful implementation of the KYC/ AML Solution.
Solution The constituents are as follows
(illustrative only):
 System flowcharts with
h description of processes, steps, activities within steps and pre
pre-conditions for initiating activities.
 Department/ stakeholders at each activity/ step.
 User access rights and viewing options for each screen.
 Data fields at activity level identifying separately mandatory/ non
non-mandatory fields.
 Screen designs/ snapshots for each activity.
 Controls (including activity / step / process / data field level control
controls).
 Reports generated along with their contents.
 Description of intimation/ triggers/ alerts available in the system at activity level
level.
 System calculations/ processing (where undertaken).
 Description of the scenarios/ tests pertaining to AML// KYC covered by the system.

Page 8 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

Annexure 2: Contents of Gap Analysis Document

The gap analysis stage is a crucial stage in which the Bank would be provided with necessary customizations/ configurations
configurations/ alignment which would ultimately form part of the working solution.
In this regard we have developed Contents of Gap Analysis Document which can be used as bes best practice by the Bankk in implementation of the AML/ KYC System. These are outlined as follows
(illustrative only):
 Description of various types of customizations// configurations
configurations/ alignment which may be required in the system.
 List of customizations/ configurations/ alignments (according to type) with description of each.
 The methodology/ basis used to determine in which category/ type a customization falls in
in.
 Overall organizational structure at BoK and in-scope
scope areas/ functions (in this case Complian
Compliance).
 Approval structure at BoK (description should cover information such as approval matrix, overrides (if any))
any)).
 System data structure and sources.
 High level description of data owners.
 Main application workflow detailing data ingestion, behaviour detec
detection and alert management (step-wise).
wise). This should also include step stakeholders/ applicable approval hierarchy
and step results/ outcomes.
 Description of each customization/ configuration// alignment required (including tagging of customization type, customization
omization ID & optional solution where a gap is identified)
identified with
references given for functional specification being covered in the process stage/ step
step.
 Description of standard operational functionalities which may include user & role management, workflow related functionalities, archiving, base data management, user interface
standard functionalities among others.
 List of AML scenario tests/ KYC functionalities which are covered by the system.

Page 9 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

Annexure 3: UAT Guidelines

User Acceptance Testing (UAT) is a process to validate and verify that a system meets mutually agreed -upon
upon requirements. These tests help give confidence to the stakeholders as to the
maturity of the system and its anticipated function once releas
released to a production environment. During UAT, participants access the system through a test environment, follow
sequential steps in test scripts to validate the functionality, indicate whether each step passed or failed, and document sys tem defects or modifications so
s they can be resolved or
designated as future enhancements. To undertake UAT successfully, certain best practices warrant attention. These are depicted below (illustrative only):
only)

Section 1: UAT Scenarios

UAT scenarios should be broken down into categories to indicate difficulty level to facilitate prioritizing them, allotting them to relevant personnel etc. For example the scena rios can be
categorized into easy, moderate, difficult and complex. Thus the complex ones can be given priority and focus. The UAT scenarios may in general include functionality requirement
reviews, control reviews, data checks, report generation reviews etc.

Section 2: UAT Test Scripts

UAT test scripts are developed using requirement specifications and contain detailed steps describ ing user actions within the system and the system's expected responses.
responses Separate test
scripts are developed for each UAT scenario selected. The test scripts are then used to indicate a “Pass” or “Fail” for each test to record the result of the UAT. Comments
Comment can also be
added by the testers as feedback for each test. Illustrative contents of the test scripts may be as follows:

 Purpose of the UAT test scripts.

 Tagging of testers with each test script to outline allotment of responsibility of undertaking each test.
 Instructions for the individuals participating in the testing effort (the testers) detailing steps to be undertaken by them, grading scale applicable on the test and space for input
of tester details like name, department etc.
 Serially numbered actions/ steps to be performed (with descriptions) under a particular test scenario with a space for recording results and co mments for each actions/ step
performed.
 Serially numbered verifications of the actions/ steps i.e. description of expected results in the system for the actions/ steps under a particular test scenario.
 Dedicated space to record any bugs encountered in the UAT with detailed description and severity (High Priority/ Medium Prior ity/ Low Priority).

Section 3: Data Population

The Bank should

uld ensure that test data has been populated in the system prior to commencement of the UAT. It is pertinent to note that an adequate amount of real-life data should be
made available for testing purposes.

Page 10 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

Section 4: Bug Removal

Bug removal for different areas should be prioritized based on the severity (High Priority/ Medium Priority/ Low Priority) assigned to the bugs in the UAT. For efficient handling of the
bug removal process, bug status reports should be used marking closure of bugs both on the part of the Bank’s stakeholders and the Vendor. The report may include:
 Bug description and severity marked against each bug.
 Status of bug as per each stakeholder
o Outstanding: the bug is outstanding and no work on its removal has been started.
o Assigned: the bug has been assigned to the Vendor and working on its removal is underway.
o Resolved: the Vendor has communicated that the bug has been resolved at their end.
o Closed:: the bug is tested and finally marked as closed by the Bank’s stakeholders.
o Reopened: the bug is reopened due to its reoccurrence. Reoccurrence may arise both after resolved and closed status.
 Remarks and comments describing the status of the bug.

Page 11 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

Annexure 4: System Related Training

Training the end-users and technical users by the Vendor iss an essential step in the AML/ KYC system implementation. The following illustrative steps may be followed in consideration of system
related training:
Sr. No. Action Points Ownership

1 Define training strategy and plan. ITD, Compliance

2 Develop training material to complement the training programme

programme. ITD, Compliance

3 BoK to reach an agreement on training material and content. ITD, Compliance

4 BoK to select a full-time training coordinator to address the administrative and logistical aspects of training. The training coordinator will be ITD, Compliance
responsible for all training scheduling, enrollment and training logistics work (preparing classrooms, printing materials, di stributing materials to
classroom, individual computers with network and BE access, etc).

5 BoK to select functional leads who will facilitate the planning effort, logistics and scheduling for training development and delivery for each of ITD, Compliance
their respective business functions.

6 Vendor to provide training sessions for functional end

end-users of the system. ITD, Compliance

7 Vendor to provide training sessions for advanced/ technical users of the system. ITD, Compliance

Page 12 of 13
 BUSINESS PROCESS IMPROVEMENT – TURN AROUND TIME The Bank of Khyber

Annexure 5:: Aspects for specific consideration during system procurement

The following aspects need specific consideration during system procurement and hence should be addressed during RFP/ contrac t finalization stage:

 BoK and the selected vendor should, subsequent to project commencement, jointly draw up a comprehensive project plan further elaborating on each phase together with related timelines
and milestones. In addition, prior to each project phase, both the parties should draw up a detailed working plan for that ph ase outlining
tlining the discrete steps to be performed and the time to
be spent on each step by the respective parties.
 BoK shall ensure that all the functional requirements, as stated in functional specifications/ RFP or a part of standard version of its solution are made available in the software delivered by the
Vendor.. The detailed requirements should be discussed and agreed during the course of the project and will form part of the documen ted user requirements/ functional design documents
finalized jointly with thee vendor. The vendor should also ensure that all other features, as available in the standard version at the go -live
live date, including but not limited to related processes,
tools, templates, checklists, functionalities and MIS and exception reports etc., as available in the software besides those specifically stated in RFP or agreed later, are duly made available to
BoK.
 The vendor should be made responsible to facilitate re-engineering
engineering in relation to all the in
in-scope
scope aspects in accordance with the best practices inherent in the software provided to BoK. The
vendor, based on its experience, shall be responsible to define re
re-engineered processes/ To-Be Be processes to be made part of detailed system requirements/ specifications.
 The vendor should ensure that the amendments, if any, during the course of implementation, in the rules, user and organizatio n hierarchies, processes, information, templates/
documentation/
ocumentation/ checklists, MIS and exception reports and authority matrices etc. are addresse
addressed in the system to the extent possible considering the cut-off date.

Page 13 of 13