  • Operational Risk Management

    • The Management of Operational Risk Through Appropriate Insurance Schemes

      Status: In-Force
      • 1. Overview on Operational Risk

        All banks are subject to financial and operational risks. While most bankers are acutely aware of the potential impact of financial risks such as interest rate shifts, exchange rate movements, etc., the area of operational risk is often less well understood. Operational risk - as distinct from financial risk - represents pure risk. A pure risk is one in which there are only two possible outcomes - loss or no loss. Whereas financial risks may lead to financial rewards, operational risks involve no opportunity for gain, as non-occurrence of an operational loss means only maintenance of the status quo. In addition, unlike financial risks, operational risks are purely human in nature and are a function of an organization being a bank. Crime, losses, litigation, and adverse regulations are purely human in origin and may have no direct relationship with conditions in global financial markets.

        The purpose of this guide is to assist directors and senior management in understanding the nature of operational risk and the management techniques which may be used to manage this risk. Since one of the most effective ways of minimizing a bank's exposure to operational risks is the implementation of a strong program of internal controls, this Guide is designed to be used in conjunction with SAMA's Internal Control Guidelines for Commercial Banks Operating in the Kingdom of Saudi Arabia (1989), Disaster Recovery Planning Guideline for the Saudi Banks (1993) and the Guidelines on Physical Security for Saudi Banks (1995). This is essential for developing an integrated program of operational risk control and management. While much of the material in this Guide is oriented towards conventional insurance, its ultimate purpose is to address the issues of identification and analysis of the full spectrum of operational risks encountered by a bank and to discuss the various methods - both internal and external - which may be used to finance these risks.

        In order for operational risk to be effectively managed and financed it is necessary that banks accomplish three functions.

        • 1.1    Identify and Analyze Risks: Only those risks which have been identified may be successfully controlled. The components of operational risk are deeply embedded in an institution's business structure. These are often difficult to isolate and identify, and constantly change as the bank's business and the policies, systems and procedures which support it change. It is ironic that banks have evolved stringent policies and standards as well as complex analytical models for the analysis of financial and market risk but often ignore the operational risk exposure inherent in their day-to-day operations. Therefore, it is critical that senior management ensures that a formal program of operational risk analysis is in place within the bank, at least equal in management visibility and rigour to that used for analyzing and controlling financial and market risk exposure.

        • 1.2    Select and Implement Risk Management Techniques: Operational risks are most effectively controlled through the integration of various risk control methods. The incidence of fraud may be controlled through rigorous training of personnel, fraud prevention and detection programs, effective operational management, internal auditing and, finally, through the Bankers Blanket Bond (BBB) and Financial Institution Bond (FIB). Litigation risks associated with professional liability may be dealt with through careful product risk analysis and training of personnel prior to implementation of sales or marketing programs, close attention to contractual indemnities with customers and, finally, through a program of Professional Indemnity Insurance.

        All of these strategies involve the careful analysis, selection, integration, and management of risk assumption, risk avoidance, control and transfer tools (including insurance) based on a thorough knowledge of the bank's business lines and operational risk exposures.

        • 1.3    Managing and Evaluating Operational Risk Management: The management of operational risk is one of the major functions of the Board of Directors of any bank. Therefore, it is incumbent upon the Board to ensure that operational risks are being properly identified, analyzed, controlled, and managed. This should be done by the Board through a periodic review of the performance of operational risk management within the bank, in much the same manner as it reviews the effectiveness of financial and market risk management activities. On an annual basis the Board of Directors, or the Audit Committee, should receive the results of an internal review of the Risk Management Function. Furthermore, at least once every 5 years, or more frequently if appropriate, an independent review of risk management activity must be conducted and reported to the Board.


      • 2. Elements of Operational Risk

        • 2.1 Criminal Risk

          Historically, the single largest area of operational risk within the Saudi banks has been that associated with criminal activities. In a survey conducted by the Agency covering all the claims filed by Saudi banks with insurers, every claim was for financial losses attributable to fraud and other criminal activities on the part of either employees or third parties. These represent 100% of all operational losses claimed under existing insurance coverage.

          • 2.1.1 Fraud

            In 1993, the accounting firm KPMG conducted a fraud survey of six countries - the United States, Canada, Australia, the Netherlands, Ireland, and Bermuda. This study found that, on average, approximately 80% of all frauds committed were perpetrated by employees, 60% by non-managerial personnel and 20% by managers. In all of the countries surveyed, misappropriation of cash was the most common form of employee fraud. This would appear to fit the situation currently being encountered by Saudi banks, since most employee fraud losses have come from the theft of cash and/or travelers checks from branches and ATMs. Consistent with international trends, fraud currently represents the single largest area of operational loss within the Kingdom's banking system. During the past five years, approximately 85% of all operational losses sustained by banks in the Kingdom involved employee dishonesty.

            Recovery of funds lost due to fraud (particularly cash) is, at best, difficult and in many cases simply impossible. This highlights the fact that programs designed to prevent fraud are significantly more effective and less expensive than are attempts to recover the funds once stolen.

          • 2.1.2 Forgery

            During the period 1988-1993, in the Kingdom, forgery (including check fraud) was the second largest area of operational loss, accounting for approximately 12% of total reported losses. This is entirely consistent with the results of the KPMG study in which losses in this area averaged between 10% and 18% for the six countries surveyed. Within the Kingdom the majority of crimes in this area appear to represent either simple check forgery or the forgery of negotiable instruments such as letters of credit and generally involved the failure of bank employees to adequately verify the authenticity of the documents before negotiation.

            From a cash-based system, the Kingdom is rapidly moving into electronic banking, thus minimizing the intermediate stage represented by the paper check. These actions have the long-term potential of reducing the incidence of the relatively simple forgeries currently being encountered. However, document technology such as optical scanners, color laser printers, and powerful desktop publishing software now allows the creation of forgeries which are virtually undetectable except by highly sophisticated technical means. Therefore, while the number of simple document forgeries will probably decrease in the future, the level of technical sophistication and monetary value of forgeries may be expected to increase significantly.

            With the increasing use of electronic imaging for the verification of signatures in many banking transactions, transfers, etc., banks' risk management policies and procedures should include prevention of forgery through electronic means. This will become even more important with further advances in payment card and payment system technologies.

          • 2.1.3 Counterfeit Currency

            Counterfeit currency does not currently appear to be a major area of potential loss to Saudi banks. However, two current trends should be noted:

            • 1- Technology - As with forgers, the counterfeiters of both currency and negotiable securities are also the beneficiaries of new document processing technology. A recent incident involving the counterfeiting of a major international currency using color laser printers was of such a magnitude as to cause the Central Bank to redesign the currency to incorporate various anti-counterfeiting measures into the new currency. However, it is expected that, despite advances in the design and manufacture of currencies, counterfeiting activities will continue to increase. Consequently, banks must remain vigilant to these trends.

            • 2- State Supported Counterfeiting - State supported counterfeiting is assuming importance, specifically for US dollars. The US Government estimates the amount of this currency - $20, $50, and $100 notes - at approximately US$ 1 billion. This bogus currency is of extremely high quality, virtually undetectable by even experienced personnel, and is primarily circulated outside the United States.

          • 2.1.4 Robbery and Burglary

            Although Saudi Arabia is a highly "cash rich" society, robbery and burglary do not currently represent a significant source of operational risk in the Kingdom. This can be attributed to the deterrent effect of physical security measures taken by banks and law enforcement agencies, the severity of judicial punishment, cultural factors within Saudi society, and the lack of a significant illegal drug problem within the Kingdom. Studies in other countries have shown that the majority of robberies and burglaries directed against bank branches and ATMs are drug related. Therefore, barring significant social or political changes within the Kingdom, it seems unlikely that robbery or burglary will present a major operational exposure to Saudi banks within the foreseeable future. In recognition of these trends, the Agency in 1995 issued detailed rules entitled "Minimum Physical Security Standards".

          • 2.1.5 Electronic Crime

            Although no different from any other form of criminal activity except in its mode of execution, electronic crime represents the fastest growing form of criminal activity currently facing both international and Saudi banks. This presents itself in four major areas, as given below:

            ATMs - While major shifts are taking place, Saudi Arabia is still a highly cash oriented society. This, in turn, drives the exposure to operational loss presented by ATMs. High daily cash withdrawal limits, or no limits at all, mean that ATMs routinely are stocked with far more cash than is normally found in other developed countries. This presents both a lucrative and tempting target for either employee fraud or third-party burglary. In addition, these high cash withdrawal limits also expose banks to potentially higher losses from customer fraud. As banks add additional functions to ATMs (foreign currency, travellers checks, airline tickets, etc.) and connect their ATMs internationally through shared networks such as CIRRUS, new opportunities for fraud against Saudi banks, both from within and outside the Kingdom, increase significantly.

            Credit Cards - Based on experience both within the Kingdom and outside, credit cards represent a major and rapidly growing operational risk. This risk may be divided into two areas:

            Internal Fraud - As with most other types of fraud, credit card fraud involving employees (either working alone or in collusion with outsiders) is the most common and most costly. All credit card issuers are subject to internal fraud risks associated with application generation/approval, account setup/activation, card embossing, and statement preparation/distribution.

            External Fraud - Although far less common than internal fraud, external credit card fraud is growing rapidly as a result of large scale international trafficking in stolen cards and obtaining valid cards through fraudulent applications.

            Point of Sale (POS) - As the use and acceptance of POS grows within the Kingdom, so too will merchant fraud in number, level of sophistication, and monetary value. This type of criminal activity may range from an employee of the merchant generating fraudulent transactions (generally in collusion with a third party) to large scale and highly organized activities by the merchant himself. Therefore, prevention and detection of this type of criminal activity by banks will become increasingly more complex and costly.

            Commercial Services - The extension of electronic payment and trade services to commercial customers represents a major source of fee-for-service income. This is income which represents virtually no credit risk. However, these systems and products may represent a major exposure to costly and embarrassing losses to corporate customers. Two areas present especially high potential exposures to third party fraud:

            Cash Management Services - While providing both a greatly enhanced financial management tool to corporate customers and a significant source of both cost savings and fee-for-service income to the banks, electronic cash management services also represent a major source of operational risk from both third party penetration and customer fraud. By their very nature these services allow the conduct of transactions with the bank in which the only security present is that provided by technical means such as encryption, message authentication, and logical access checking of passwords and user IDs. While powerful, these technical controls are not infallible. Therefore, given the high monetary value represented by corporate cash management transactions, the potential for a "long tailed risk" (i.e. low probability of occurrence with extremely high monetary value) presents the potential for both a catastrophic financial loss and severe damage to the reputation and credibility of the bank.

            Electronic Data Interchange (EDI) - As both banks and corporate customers move toward the use of electronic communications to replace paper based trade documents (i.e. invoices, receiving reports, bills of lading, warehouse receipts, etc.), traditional forms of controlling these transactions will no longer apply. EDI systems have generally been designed with less stringent levels of both access control and authentication of transactions. This has been based on the assumption that since these transactions were "non-monetary" in nature they present less exposure. While this may be technically correct, the non-monetary aspect of an EDI transaction - a receiving report, bill of lading, or warehouse receipt - ultimately generates a payment (electronic or manual) to settle the transaction. Therefore, these systems also present the potential for "long-tailed" risks from both third parties and employees of either the customer or the vendor of goods and services.

          • 2.1.6 Retail Electronic Banking

            As with a bank's commercial customer base, electronic banking is also penetrating the retail market. Services such as telephone bill payments, PC based home banking, and the use of "smart" telephones combining the features of both a conventional telephone and a microcomputer present significant opportunities for enhancing both the level of customer service and revenue in the highly competitive retail sector. However, at the same time, these new electronic products open new avenues of exposure to both third party and employee fraud as well as potential areas of professional liability exposure. In future this will become an increasingly important risk exposure area for the banks. The increased use of telephone services that permit computer access to banks' systems also provides an increasing opportunity to "hackers" and other criminals. This requires improvements in security measures and additional risk management techniques to minimize losses.

        • 2.2. Professional Risk

          Exposures directly related to the provision of financial products and services currently constitute both the single largest and most rapidly growing form of operational risk globally within the financial industry.

          • 2.2.1 Professional Errors and Omissions

            All banks are subject to operational losses associated with professional errors and omissions by employees. These include losses through errors committed by staff such as unauthorized trading, erroneous transfer of funds to wrong accounts, errors in booking or recording securities transactions, etc. In the event that such losses are for the account of the bank itself, i.e. for trades on the bank's own account, these types of losses are completely uninsurable and must be controlled by means of traditional methods such as strong internal controls, quality assurance programs, rigorous staff training programs and strong and active management.

          • 2.2.2 Professional Liability Risk

            On the other hand, if professional errors and omissions result in losses for the client, such events are insurable. In order to effectively assess risks in this area, it is necessary to understand the difference between professional liability risks which may affect the Board of Directors and Officers (D&O) and those professional liability risks which affect the bank itself.

            Directors and Officers Liability

            This coverage is for the directors and officers of a bank, and not for the bank itself. One of the most complex problems facing any business is the liability of its directors and officers (executive or non-executive). The personal assets of directors and senior officers may be at risk for losses arising out of the alleged negligent or imprudent acts or omissions of such individuals. The D&O coverage provides payment to the bank, as it is the bank which purchases the policy to indemnify its directors and officers.

            In addition, the D&O policy will reimburse directors and officers for losses for which the bank was unable to indemnify them for legal, regulatory, or financial reasons.

            Professional Indemnity

            This coverage is designed to indemnify the bank itself against litigation by customers and other third parties alleging errors, omissions, misstatement or imprudence committed by directors, officers and employees in the performance of their services.

            These two areas encompass professional liability, and there is some overlap between the insurance coverages designed to address them. However, although D&O is narrower in scope in terms of the individuals covered, it is significantly broader in terms of the wrongful acts which it covers, generally covering all wrongful acts not specifically excluded. On the other hand, Professional Indemnity (PI) covers only specific professional services provided by the bank - trust, brokerage, investment advisory etc. D&O policies may specifically exclude such services from coverage.

            Professional liability is created by the relationship between various parties including clients, regulators, shareholders, employees, vendors, joint venture partners and the banks. The relationship is based on the legal system in which the bank's activities take place. In addition, the same act may result in a liability situation for both the bank (through the actions of employees) and the Board of Directors. Thus acts of negligence or misconduct by employees, inappropriate or prohibited investments in a customer portfolio, errors in securities processing, or failure to execute contractual obligations with a client may result in a liability for the bank. However, the legal system may also involve allegations of mismanagement by the Board of Directors, regulatory non-compliance, product fraud, insider trading, or bad loans which materially affect share price. In this case the liability may also extend to the Directors both singly and severally. Professional liability arises from a number of sources.

            Shareholder Actions - Globally, the largest single source of professional liability exposure arises from shareholder actions against management, officers and employees for negligence and misconduct.

            Client Services - The most rapidly growing area of professional indemnity liability exposure is in the area of the provision of client services. Trust, custodian relationships, buy/sell agreements, and investment advisory services all provide a large and growing exposure for both directors and officers and the bank itself.

            Employment Practices - Employment actions represent the second largest source of D&O liability globally. D&O claims arise from employees during major business transactions, e.g. mergers, acquisitions, implementation of new technology, downsizing, as well as from hiring, promotion, transfer, and termination practices.

            Environmental Claims - The growth of environmental liability has coincided with the trend to impose personal liability on directors and officers who, in the performance of their duties, become subject to civil or criminal penalties for violation of environmental laws.

            Lender Liability Claims - Lender liability places directors and officers at risk both as defendants in the first instance and as indemnitors when their bank has been held liable. The range of lenders' liabilities includes contractual liability, product liability, personal injury, property damage, fraud, duress, and emotional distress.

            During the initial negotiations with the borrower, a lender can be held liable for revoking a loan commitment where no commitment was intended, changing the terms of the commitment, or fraudulently inducing a borrower to borrow. Once a loan is made, additional liability exposure may arise in situations where the lender refuses to advance funds or restructure debt, threatens to invoke covenants in the loan agreement, accelerates the loan, responds to credit inquiries, or institutes foreclosure proceedings. Should a loan go bad, the bank will typically step into a more aggressive role in its relationship with the borrower. This more aggressive posture, combined with a generally more strained relationship between lender and borrower, creates a fertile environment for lender liability.

            Lenders may face an assortment of exposures including workout negotiations, collateral liquidations, assets seizure, and actually taking control of the management of the borrower's business. In an increasingly more competitive global business environment, it is only reasonable to expect that the business of lending both within and outside the Kingdom will become more complex. This increased level of complexity will inevitably lead to a higher exposure to lender liability issues.

            Since these exposures are entirely driven by the social, legal and business environment in which business operations occur, it is important to address these exposures not only as they relate to operations within Saudi Arabia, but also outside the Kingdom.

            Within Saudi Arabia - Under Saudi Company Law (Royal Decree M/6 of 1385)* Articles 66 to 82, members of Boards of Directors are jointly responsible for compensating the company, the shareholders or others for damages resulting from their management of the company or contravention of provisions of company law. This seems to differ little from the provisions of the proposed European Community Fifth Company Law Directive and the laws of other European countries. Therefore, Saudi Company Law differs little from that of other developed countries with respect to the legal obligations of corporate directors and officers, and a substantial exposure to professional liability, particularly Directors and Officers liability, currently exists for banks within the Kingdom.

            Outside Saudi Arabia - The third party legal liability situation outside Saudi Arabia is far more grave than that found within the Kingdom. Any Saudi bank operating in another sovereign jurisdiction will be subject to the laws, business practices, and political and social conditions of that area. Thus any Saudi bank operating in the United States, the United Kingdom, or western Europe runs a significant risk of being sued for alleged illegalities and/or mismanagement in connection with the bank's activities in these areas.

            Another area of exposure which Saudi banks must recognize is the exposure created by their outside directors, such as directors and officers of Saudi banks serving on the boards of joint venture companies or partnerships or other non-Saudi corporations. Outside or independent directors are now routinely threatened with potential liability and are sued along with the rest of the board. In the past, outside directors were not expected to be involved in a bank's day to day affairs. However, today the trend is for outside directors to be knowledgeable or even experts in banking issues, and they are being looked upon by courts, regulators and litigants as the "watchdogs" of board activities.

            Professional liability represents a fast growing and potentially damaging area of operational risk for activities outside Saudi Arabia. Thus it is essential that Saudi banks develop policies and procedures to carefully assess product and service risks in this area and take measures to manage these risks.


            * The Saudi Company Law (Royal Decree M/6 of 1385) has been replaced by the Companies Law (Royal Decree M/132), dated 01/12/1443H.

          • 2.2.3 Contingent Client-Related Liability Risks

            One of the fastest growing and most intractable areas of operational loss exposure is that presented by contingent client-related liability. This relates to indirect responsibility for a client's business operations and products. Since major liability losses may bankrupt a client, plaintiffs will seek anyone connected with the client possessing sufficient funds to secure a financial settlement. Unfortunately, this is often a bank with whom the client had or has a relationship. These types of contingent liabilities may arise from a number of situations, including:

            • 1. Environmental Liability: Banks may incur substantial environmental liability when they become responsible for environmental damage or hazardous waste cleanup (e.g. an oil spill from a tanker for which the bank was a lender). This type of liability exposure is expanding globally at a tremendous rate as countries continue to enact ever more punitive environmental laws and regulations.

            • 2. Product Liability: Product liability may occur when a client in which the bank has an equity position or financing interest is sued alleging negligence (e.g., class action suits against a pharmaceutical manufacturer).

            • 3. Death and Bodily Injury: This liability may arise from an event involving a bank owned asset that is leased to or operated by others (e.g. commercial aircraft) or from an event involving a repossessed asset (e.g., fire at a bank owned or controlled hotel).

            Therefore, as global environmental and product liability laws and regulations become more stringent and tort liability becomes more widespread, all Saudi banks will become increasingly exposed to this type of operational risk both inside and outside the Kingdom.

        • 2.3 Other Risks

          • 2.3.1 Statutory and Regulatory Liability

            Globally, banking laws and regulations are becoming more complex, compliance more costly and time consuming, and the consequences of non-compliance (financial, legal, and reputational) more severe. In addition, some countries are increasingly applying criminal statutes to such essentially non-criminal areas as investment operations and cash management services. These liabilities may take three forms:

            • 1. Financial Penalties: Within the Kingdom, violation of SAMA circulars and directives may result in substantial financial penalties being levied. Saudi banks operating outside the Kingdom are not only subject to fines imposed by regulatory agencies, but may also find themselves responding to civil and/or criminal charges which may carry financial penalties of such a magnitude as to cause a substantial impact on the balance sheet.

            • 2. Restriction or Termination of Operations: Within Saudi Arabia, violation of SAMA rules and directives may lead to censure by the regulators and, in extreme cases, restriction of certain banking activities or total revocation of banking privileges within the Kingdom. This exposure is even more severe for Saudi banks operating outside the Kingdom. Even relatively minor technical violations of banking regulations may lead to the closure of major overseas branches.

            • 3. Risk to Reputation: All banks fundamentally operate on the basis of trust. Therefore, publicity associated with statutory and regulatory infractions may act to undermine this trust with both customers and shareholders. While banks may be able to absorb both financial penalties and regulatory sanctions, they cannot absorb a major loss of customer and investor confidence.

            Therefore, the maintenance of an aggressive and highly proactive compliance program by banks is becoming increasingly critical as a major component in controlling the operational risks associated with regulatory and legal non-compliance.

          • 2.3.2 Political Risks

            All banks operating within the Gulf Region are subject to certain distinct geo-political risks. However, if viewed in a broader perspective, these risks are certainly no more severe than those faced by banks operating in other areas. Therefore, of far more concern from an operational risk perspective is the prospect of new and more restrictive banking and securities regulations in other countries in which Saudi banks operate. Within the Kingdom, the prospect of punitive and highly restrictive regulation must be viewed as remote. However, in those overseas areas in which Saudi banks have significant business interests, some restrictive regulations may be expected.

            Given the major social and political changes taking place in the industrialized countries and developing world, all markets now possess a significant degree of political instability for international banking operations. Therefore, it is imperative that all Saudi banks operating outside the Kingdom or significantly involved with international trade, develop management systems and procedures for actively monitoring operational risk associated with the political and regulatory environments in which they conduct their business operations. Such systems should include appropriate "red flag" and warning indicators, and effective alternative strategies and action plans to prevent or mitigate losses.

      • 3. Management of Operational Risk Through Insurance Schemes

        The successful management of operational risks is central to the long-term profitability and survival of a bank. All banks are exposed to a variety of such risks and must develop an integrated management approach for their effective control. The management response must include a strong organizational structure, an effective system of internal controls, segregation of duties, internal and external audits, physical security procedures, etc.

        Another important method of limiting operational risk is the purchase of insurance. The various forms of insurance schemes include self insurance, regular insurance and other insurance alternatives, encompassing retention groups, group captives, risk sharing pools, etc. Insurance is a method of funding a loss exposure, as opposed to managing or controlling risks. Other effective mechanisms to limit the impact of losses arising from operational risk include the finite risk insurance approach. This approach involves risk transfer through regular insurance and self insurance, and generally has an upper limit to its liability, hence the term finite insurance.

        • 3.1 Self Insurance

          The financing of operational risk is based upon the premise that any organization of a certain size will pay for its operational losses either by purchasing insurance or by totally self-insuring. Eventually insurance costs will adjust to pay for actual incurred losses. There is a clear and direct relationship between insurance premiums and actual losses which may be tracked over a period of time (generally three to ten years). Consequently, some organizations decide to underwrite the risk themselves by not insuring with external parties. The exception to this theory is the random catastrophic loss (or "long tailed risk") which occurs rarely, if ever. Even in self insured programs, insurance is purchased, or should be purchased, to cover these "long tailed risks". The retention of risk is most appropriate for low cost/high frequency losses. Some unsophisticated buyers purchase insurance only for smaller losses. This is both an extremely uneconomical method of financing small losses and exposes the organization to potentially catastrophic losses. Once management realizes that the organisation will ultimately pay for its own losses, risk identification and risk control will become paramount in managing risk.

          Even in "insured" programs there is a strong element of self insurance. This becomes more predominant for those risks whose costs become higher as the size of the organization increases, i.e. where insurance cover is generally reserved for catastrophic risks. Therefore, as the nature and the size of banks within the Kingdom change, so too does the need to address the issue of self insurance.

          Self insurance has three major advantages:

          • Improved loss control as a result of increased risk awareness.

          • Improved claims control.

          • Cash flow benefits.

          However, it also has two significant disadvantages:

          • Financial instability in cases of poor budgeting/reserving.

          • A need for increased management oversight and administration.

          There are various forms of self insurance as given below:

          • 3.1.1 Through Contracts

            A bank may transfer its financial responsibility through purchase of insurance or it may transfer its liability through a contractual arrangement (hold harmless agreement).

            Self insurance may be obtained through a contractual agreement. As a practical matter, the ability to transfer risk contractually depends on whether one party or the other to the contract is in a better bargaining position. As one cannot always arrange to have a contract drawn in one's favour, there should be a review of all contracts before they are signed to make sure what liabilities are being accepted.

            Even when the bank is in the position of being able to dictate terms of contract, every effort should be made to ensure that the provisions for the transfer of risk are both reasonable and equitable to both parties. In recent years, many countries have enacted legislation which has acted to significantly restrict the use of "hold harmless" language in contracts. When transferring risk through any form of hold-harmless agreement, it is essential that a number of points be reviewed by competent legal counsel:

            Reasonableness of Provisions - Harsh and restrictive language may both antagonize customers and be invalidated in court as contrary to law and public policy. It is essential that the bank clearly understand precisely what contractual limitations of liability are legally acceptable in the jurisdiction in which the contract is to be enforced.

            Clarity of Language - Unclear or ambiguous language will usually be construed against the maker of the contract. Therefore, it is critical that all contracts be written clearly and that unnecessary legal 'jargon' is avoided since much of the traditional legal language has been invalidated by recent changes in statute in many countries.

            Disclosure of Obligations - All contracts should clearly disclose the obligations of all parties to the contract. Failure to adequately disclose obligations may make the contract unenforceable.

            Financial Soundness - The bank should always ensure that the counter-parties are financially able to meet their contractual commitments. It is often useful to obtain an irrevocable financial guarantee from the counter-party.

          • 3.1.2 Unfunded Retention

            The most common method of unfunded retention is the deductible. Also refer to section 3.2.3 entitled Deductibles. Generally, deductibles should be used to eliminate coverage for losses that are apt to occur regularly. For example, deductible levels for employee dishonesty should be sufficiently high to eliminate low level theft of cash by tellers and from ATMs.

          • 3.1.3 Funded Retention

            Although rarer than unfunded programs, self insurance also includes programs where funds are actually set aside to pay incurred losses. These have several significant benefits, including the following:

            • 1.    Liability Accounting - By using a funded approach, the funding process goes hand in hand with an accounting system which establishes the amount of the liabilities. It is extremely useful to have an accurate measurement of year-by-year costs of operational losses - particularly as these risks grow relative to the bank’s size. This assessment ensures that significant unfunded and unrecognized liabilities are not accumulating under the self-insurance program. Furthermore, it is crucial that actuarial analysis is used for projecting losses and in determining loss reserves to avoid significant unfunded or unrecognized liabilities.

            • 2.    Service and Product Pricing - An accurate accounting and assessment of costs associated with operational losses can be important in both pricing the institution's products and services and in determining those business areas which are profitable and those which are not.

            • 3.    Investment of Funds - A funded program allows specific investment income to be earned on the funds comprising the funded loss pool. This, in turn, offsets the cost of the losses themselves.

          • 3.1.4 Setting up own Insurance Companies

            When a bank establishes its own insurance company, the company is called a "single parent captive". Such insurance companies actually act as re-insurers, using the services of a licensed insurance company to issue policies and handle claims. This licensed insurance company is often referred to as the "fronting" insurer. Under this arrangement, the fronting insurer provides the insurer's claims handling and loss control services, satisfies various legal and regulatory requirements concerning policy issuance, and may also satisfy creditors, shareholders, regulators, and other interested parties. The "fronting" insurance company actually assumes the primary legal obligation for the payment of claims. Thus, if professional indemnity is insured in the captive but the bank becomes insolvent, the "fronting" insurer issuing the Professional Indemnity policy is ultimately responsible for the payment of all incurred claims, regardless of whether it is able to collect from the captive or the bank. Therefore, while the use of single parent captives may provide a potentially viable vehicle for managing operational risk within a single bank, its use must be carefully evaluated in relation to legal implications within the Kingdom.

        • 3.2 Regular Insurance

          The most common method of risk transfer is through the purchase of insurance whereby the insured exchanges the possibility of incurring an unknown large loss for a comparatively smaller premium payment.

          • 3.2.1 Relations with the Market

            Unfortunately, some banks treat the purchase of insurance essentially as a "commodity" transaction, driven entirely by price. Consequently, it is routine for banks to place their insurance programs out on an annual tender offer basis, and to place little emphasis on developing stable and long-term relationships with both brokers and underwriters. All financial markets reward stability and consistency and the bank insurance market is no exception. The effect of this instability and fragmentation in some segments of the insurance market has been two-fold.

            Quality of Underlying Re-insurance - When an account relationship is perceived by both underwriters and brokers to be totally price driven, it is often impossible to re-insure the risk with the most reputable and stable re-insurers. This means that brokers must often place the risk with re-insurers of lesser quality and stability. This, in turn, frequently leads to difficulties in claims settlement and other coverage issues, as weaker re-insurers are often reluctant to settle even the most valid of claims. In addition, brokers also tend to charge a premium for these types of placements, meaning that brokerage commissions are higher as a percentage of overall cost, and it is often difficult (if not impossible) to find out the exact extent of these charges or to get full visibility into who the re-insurers are on the cover.

            Lack of Enhanced Coverages and "Value Added" Services - Brokers and underwriters reward stable long-term relationships with the provision of "value added" services and enhanced coverage. Both brokers and underwriters add value to relationships through such vehicles as underwriter/broker financed risk management audits and consulting services, assistance in structuring risk financing programs (such as captives, pooling arrangements, and finite programs), and other forms of expert operational risk management support. Long-term and stable relationships also invariably bring with them an increased willingness by underwriters to enhance coverage within existing premium and deductible levels, to provide more favourable policy wording, and to continue to renew coverage even in the face of loss. Banks should consider the possibility of multi-year insurance contracts and of negotiating broker services on a fee basis as opposed to commissions.

          • 3.2.2 Type of Coverage

            Although globally over fifty different types of insurance coverages are available specifically for banks, six types are of primary concern.

            The Bankers Blanket Bond/Financial Institution Bond (BBB/FIB) - This coverage generally consists of six basic insuring agreements: employee dishonesty, loss of property on premises, loss of property in transit, forgery, forged securities, and counterfeit money. The BBB/FIB has traditionally provided the cornerstone for any bank insurance program. Most banks world-wide purchase this coverage, largely as a function of management's perception of operational risk exposures as well as generally accepted business customs. Further, there are no rules, either formal or informal, for establishing bond limits. Only in some jurisdictions are there legal or regulatory requirements that a financial institution purchase a BBB/FIB.

            Electronic and Computer Crime (ECC) Coverage - The ECC may either be a separate, stand-alone policy or be appended to the BBB/FIB. It is designed to respond to financial loss from third-party fraud or mysterious and unexplained disappearance relating to the insured's computer or telecommunications systems. It is for this reason that ECC coverage may not be written without a BBB/FIB being present. The ECC (in its London form) currently consists of eleven insuring agreements, i.e. Computer Systems, Insured Service Bureau Operations, Electronic Computer Instructions, Electronic Data and Media, Computer Virus, Electronic Communications, Electronic Transmissions, Electronic Securities, Forged Telefacsimile, and Voice Initiated Transfers. Generally, the ECC is purchased in the same limit as the BBB/FIB since it is truly a companion piece to the BBB/FIB.

            Directors and Officers (D&O) Coverage - D&O coverage indemnifies directors and officers of the bank against liability claims arising from alleged negligence, wrongful acts, errors and omissions. The wording and insuring agreements of directors and officers policies are specific to the jurisdiction in which the coverage is being written. On a global basis, D&O coverage is rapidly overtaking the BBB/FIB as an institution's most important and expensive form of transferring operational risk through insurance.

            Professional Indemnity (PI) Coverage - Unlike Directors and Officers liability insurance, a bank's professional indemnity coverage is intended to insure the bank itself against claims arising from alleged errors or omissions committed by the bank's employees and officers in the performance of their professional duties (fiduciary and operations), investment advisory activities, private banking, etc. This coverage is driven by the shift in emphasis away from lending income towards income streams generated by fees for service.

            Payment Card Coverage - Coverage for losses incurred by banks as the result of counterfeit, forged and/or altered payment cards is currently available through most international payment card organizations such as VISA and MASTERCARD. This coverage is designed to address counterfeiting, forgery and/or alteration of both the embossed plastic as well as the magnetic encoding on the card. In addition, specialised coverage for merchants, banks, processors, and independent service organizations against fraudulent and/or excessive chargebacks by participating merchants has recently been introduced. Underwriters view the loss, theft, or misuse of cards as a completely uninsurable risk. Therefore, no coverage for this exposure is available in the market.

            Given the potential profitability of payment card operations, growing consumer demand for these services, and the potential for enhanced sharing of credit data between Saudi banks, it is inevitable that the number of payment cards in circulation within the Kingdom will increase dramatically in the near term. It is also inevitable that, given global trends in payment card fraud, losses to banks will increase substantially. To address this growing operational risk, banks within the Kingdom will need to take a hybrid approach consisting of loss prevention, and regular and self insurance of risk.

            Loss Prevention - The payment card industry has found that the most effective way of dealing with card fraud and abuse is prevention. Careful screening of both cardholders and participating merchants, on-line monitoring and analysis of account activity, anti-counterfeiting measures, sharing of fraud information among institutions, and aggressive investigation and prosecution of abuse have significantly reduced losses on a global basis. As Saudi banks increase their participation in the payment card market, it will be essential that they establish, with the assistance of organizations such as VISA International and MASTERCARD International, viable and effective loss prevention programs in this area.

            Internal Risk Financing - All banks involved in payment card operations must understand that a certain level of loss to fraud is simply a cost of doing business. While loss prevention programs may keep this amount within manageable limits, each institution must establish self insurance mechanisms (funded retention, loss allocation, contractual transfer of risk) to address these losses.

            External Risk Financing - Due to the relatively high cost and coverage restrictions of conventional insurance, Saudi banks should explore the possibility of using alternative forms of external risk transfer including risk retention groups, risk pooling, and group captives to address the financing of their exposures.

            Political Risk Insurance - First written in the early 1960s, political risk insurance is designed to facilitate stability in international trade and investment by indemnifying certain operational risks associated with political and regulatory activities in the counterparty country. This type of coverage is written by commercial underwriters in the United States, the United Kingdom, and Western Europe. In addition, it is also available through the facilities of the Multilateral Investment Guarantee Agency (MIGA) of the World Bank. Political risk insurance may be written to cover a number of areas:

            Confiscation, Nationalization, Expropriation, and Deprivation (CNE&D) - This is the most commonly purchased form of political risk coverage. These policies are generally used by organizations with assets permanently located in another country and respond when these assets are taken over by government action.

            Contract Frustration - This entails the nonperformance or frustration of a contract with an overseas customer through an invalid action by that customer. This invalid action wrongfully invalidates an overseas transaction in such a manner that the bank is unable to obtain payment for its services or recoup its assets.

            Currency Inconvertibility - This type of loss occurs when payment occurs in local currency and the local government is unable or unwilling to exchange the currency at prevailing market rates. This has traditionally been a problem in many developing countries.

            Trade Disruption - These losses are associated with the interruption of trading activities due to war, strike, change in government, or change in law or regulation in the counterparty country. Trade disruption coverage can provide protection not only for the direct loss of revenue associated with the disrupted transactions, but also for potential loss of earnings, extra expense, loss of profits, and loss of market.

          • 3.2.3 Deductibles

            One of the major "revolutions" which has taken place in the bank insurance industry globally has been in the area of retention and deductible levels. Many banks have realized that retaining and financing significant portions of their operational risk exposure simply makes good business sense. No longer can insurance be used as a substitute for sound management and loss control. Generally, deductibles should be used to eliminate coverage for losses that are apt to occur with some degree of regularity. For example, when purchasing employee infidelity coverage under the BBB/FIB, the deductible level for employee dishonesty should be set sufficiently high to eliminate low level theft of cash by tellers and ATM technicians, which occurs rather frequently.

            There are two primary types of deductibles:

            Straight Deductible - This is a flat amount that is subtracted from each loss. The sum insured is then paid over and above this amount of retention.

            Aggregate Deductible - These types of deductible protect against a series of losses which, in total, may exceed the amount which can be safely assumed by the bank. Often written in conjunction with a straight deductible, this "stop loss" protection limits the total amount of losses to be absorbed to a specific amount. An aggregate deductible may apply annually or during a specified policy period, may limit the amount to be retained by the accumulation of a number of deductibles, or it may require that claims in total exceed a specified amount before coverage is afforded.

            While many approaches have been devised by both insurers and insureds to determine the "correct" level of deductible, the most commonly used method is to calculate the deductible as a percentage of total assets. The rationale behind this approach is that the larger the institution in terms of asset base, the better its capability to absorb losses without resorting to insurance. Currently, the factor used by many underwriters in determining the minimum deductible level is approximately .0005% of total assets. Thus, using this factor as a guide, a bank with assets greater than SR 60 billion should, as a minimum, be retaining approximately SR 3 million of loss as its deductible for BBB/FIB, ECC, D&O, and PI coverages, with a negotiated deductible of SR 5 million being optimal from the insurer's standpoint.

          • 3.2.4 Managing Losses

            One of the significant methods for measuring the effectiveness of banks in managing their operational risks is the evaluation of the losses. In evaluating levels of loss several factors should be kept in mind:

            Recurring vs Catastrophic Losses - In general, routine recurring losses (small teller frauds, thefts of cash from ATMs, low value check forgery, etc.) should not exceed the bank's deductible level. Although all banks should attempt to control and reduce these losses to the lowest practical level, some losses must be expected as a cost of doing business. In fact, implementing a true "zero loss" environment would probably be far more costly than simply observing an acceptable level of small losses. Insurance should be viewed as catastrophe cover and should only be used to assist the institution in dealing with the consequences of "low probability and high cost" risks. Again, insurance should not be used as a substitute for sound and effective management of operational risks.

            Frequency of Claims Payment - If deductible levels have been established properly, underwriters expect to pay a loss on an account every 7 to 10 years. However, a loss frequency of more than 1 per 5 years indicates both a deductible level which is too low and problems with the bank's internal controls.

            Allocation of Losses - In an organisation such as a bank, which consists of many different departments and subsidiaries, it is good risk management to charge a unit directly for its losses. However, it may be very difficult for smaller units to handle their self-insurance, as self-insurance levels may be handled more easily by large units or subsidiaries. Therefore, in order that all units be allocated their fair share of premiums and loss costs, it is often necessary to establish an internal pooling or loss allocation system. Banks may add to the credibility of and create accurate allocation systems by using actuarial methodology and techniques. Such a system allows for the direct allocation of loss in some cases and the sharing of loss in others. This can make a system of higher deductibles practical.

            For example, consider a bank with fifty branches and other non-bank subsidiaries. A SR 5 million loss spread among the fifty units in one time period would amount to SR 0.1 million on average. If an appropriate deductible is charged to the unit that actually suffered the loss and the loss-sharing levels of the other units are adjusted relative to their size, a relatively large loss may be absorbed relatively painlessly. Further, very large losses could be amortized over a period of years. However, there are two important issues to consider in constructing such a system.

            Penalize Frequency; Accommodate Severity - Allocation systems should penalize frequency and be more forgiving of severity. This is based on the fact that severe "high cost low probability risks" are far more difficult to control than incidents which occur frequently, and that if many incidents are allowed to occur frequently, it is inevitable that one or more will be severe. For this reason, charging units directly for loss costs can significantly improve loss controls, but the size of the penalty should be appropriate to the size of the operation.

            The System Must be Accurate and Understandable - Allocation systems must be both accurate and clearly understandable to unit managers. Many allocation systems have failed because they became very complex in an attempt to create a degree of accuracy that may serve no useful purpose. The following example may serve to illustrate the point:

            In this bank, a deductible of SR 1 million is set for Head Office and other wholesale non-depository subsidiaries (i.e. the trust company, the private bank, etc.) while deductibles as low as SR 50,000 are set for the small branches - a total of 35 units. Each unit pays 100% of its deductible for losses occurring in its unit, and 50% of the loss in excess of the deductible up to an amount no greater than 150% of the stated deductible amount. Thus, a unit with a SR 50,000 deductible would pay the first SR 50,000 of the loss plus SR 25,000 of the next SR 50,000 of loss, for a total possible deductible of SR 75,000. All units then share equally in excess losses up to the institution's aggregate deductible of SR 1,000,000. Therefore, the largest loss which could be shared is SR 925,000, which when divided by 35 units is SR 26,428 per unit. If this is still too large a burden for the smaller units, the risk sharing percentages may be adjusted or a cap set on the maximum loss to be borne by smaller units, with the remainder shared corporate-wide.
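            The allocation rules of the example above, worked through in Python as an added illustration (this code is not part of the guideline): each unit pays 100% of its own deductible plus 50% of the next layer, capped at 150% of its stated deductible; the remainder within the institution's SR 1,000,000 aggregate deductible is shared equally across the 35 units; the function names are chosen here, and the treatment of any loss above the aggregate as the insurer's share is an assumption, since the example stops at the aggregate.

```python
from dataclasses import dataclass

# Added example, not the guideline's own code. Amounts are in SR. The
# parameters mirror the worked example in the text; routing the portion above
# the aggregate deductible to the insurer is an assumption made here.


@dataclass
class Allocation:
    unit_paid: float        # borne directly by the unit that suffered the loss
    pooled_total: float     # remainder within the aggregate, shared by all units
    per_unit_share: float   # each unit's equal slice of pooled_total
    insured: float          # portion above the aggregate deductible, claimed from the insurer


def unit_retention(loss: float, deductible: float) -> float:
    """Direct charge to the unit: 100% of its deductible, then 50% of the next
    layer. That layer is one deductible wide, so the total is capped at 150% of
    the stated deductible (SR 50,000 deductible -> at most SR 75,000)."""
    if loss <= 0:
        return 0.0
    first_layer = min(loss, deductible)
    excess = max(loss - deductible, 0.0)
    second_layer = 0.5 * min(excess, deductible)
    return first_layer + second_layer


def allocate_loss(loss: float, unit_deductible: float,
                  aggregate_deductible: float, n_units: int) -> Allocation:
    """Split a single loss between the unit, the internal pool and the insurer."""
    retained = min(loss, aggregate_deductible)        # the institution's own share
    # A unit never pays more than the institution retains in total.
    unit_paid = min(unit_retention(loss, unit_deductible), retained)
    pooled_total = retained - unit_paid
    return Allocation(
        unit_paid=unit_paid,
        pooled_total=pooled_total,
        per_unit_share=pooled_total / n_units,
        insured=max(loss - aggregate_deductible, 0.0),
    )


if __name__ == "__main__":
    # Worst case for a small branch: a loss at or above the aggregate deductible.
    a = allocate_loss(loss=1_200_000, unit_deductible=50_000,
                      aggregate_deductible=1_000_000, n_units=35)
    print(f"branch pays {a.unit_paid:,.0f}; pool absorbs {a.pooled_total:,.0f} "
          f"({a.per_unit_share:,.2f} per unit); insurer pays {a.insured:,.0f}")
    # A routine loss just above the deductible stays almost entirely with the branch.
    b = allocate_loss(60_000, 50_000, 1_000_000, 35)
    print(f"branch pays {b.unit_paid:,.0f}; {b.per_unit_share:,.2f} per unit pooled")
```

            Running the first case reproduces the figures in the text (SR 75,000 for the branch and SR 925,000 shared, about SR 26,428 per unit); the second shows why the scheme "penalizes frequency": a SR 60,000 loss costs the originating branch SR 55,000 and the pool only SR 5,000.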

          • 3.2.5 Premium levels

            In evaluating the level of premiums paid by banks for their insurance coverage it is useful to use the standard insurance industry metric of "Rate on Line". This is simply the ratio of premium charged to sum insured (i.e. premium charged / sum insured = "Rate on Line"). Globally, the spread for Rate on Line runs between 1% - 2% for highly preferred risks with excellent loss records and high retention to approximately 10% for low quality risks with high loss records and low retention.

            Therefore, as may be readily seen, insurance pricing is designed to ensure that underwriters will recapture the cost of all but the most catastrophic (and lowest probability) losses through the premium structure. The premiums of conventional insurance programs may be structured in a number of ways:

            Guaranteed Cost Programs - The standard approach for determining a bank's insurance premiums is by means of a guaranteed cost rating. Most Saudi banks currently use these types of insurance programs. The guaranteed cost plan is intended to pre-fund all losses that are expected to occur during the policy period. This approach applies predetermined rates to an exposure base to determine premiums. The premium is guaranteed in the sense that it will not vary. However, depending on the actual losses incurred during the policy period, premiums may be adjusted at renewal to reflect the actual exposures which existed during the rating period. Therefore, reserves for losses that have been Incurred But Not Reported (IBNR) or paid remain with the insurer, investment income accrues to the insurer, and the insured receives no benefit from them. However, if the insured has poor loss experience during the policy period, the insurer has no recourse for these losses, which could far exceed the earnings generated from the reserves.

            Retrospective Rating Programs - Retrospective rating programs are based on the risk management ability and performance of the bank. These arrangements offer the insured the opportunity for substantial cost savings over a guaranteed cost plan if the loss record is good. Conversely, if the loss record is poor, the insured may end up paying more premium to the insurer than under self-insurance. Retrospective rating programs offer a system of rewards and punishments depending upon the effectiveness with which the bank manages its risk. Retrospective programs may involve a variety of methods.

            No Claims Bonus - The simplest of the retrospective rating programs is the no claims bonus. Under this type of policy a percentage of the premium is returned to the insured at the end of the policy period if no claims are filed with the insurer.

            Incurred Loss Retro - Here, an initial premium is paid at policy inception and is adjusted during subsequent years as actual incurred losses become known, with the deposit premium being adjusted upward or downward based on loss experience. Generally, premium adjustments are computed annually and a minimum is established for the protection of the insurer. It is adjusted on the basis of losses that have actually been paid, as opposed to losses that have actually occurred, which may be more than the losses that have been paid. This eases the insured's cash flow problem and allows the use of the loss reserves. The difference between the standard premium and the amount paid by the insured is normally secured by a Letter of Credit or other acceptable financial guarantee.

            Loss Multiplier Plans - Since all retro methods are essentially cost-plus contracts, a simple way to compare retros is by comparing the amount of "load" for non-loss costs on a percentage basis. Dividing the premium by the incurred losses gives an index known as the Effective Loss Multiplier (ELM); thus a plan with an ELM of 130% is less expensive than a plan with an ELM of 150%. Some plans utilize this concept for determining the premium by simply multiplying the incurred losses by a stated loss multiplier, subject to agreed upon minimum and maximum premium levels. This greatly simplifies the calculation process for both insured and insurer.

            Present Value Discount Plans - Under these plans, losses are forecast and then discounted back to present value at some agreed upon interest rate. Insurer expenses are added and a flat premium is charged. This premium is intended to be adequate to cover losses and to avoid the need for adjustments. However, most plans include provisions for eventual adjustment if actual losses are substantially higher or lower than expected.

            Fixed Cost Participating Dividend Plans - This type of program is really a hybrid between retrospective and guaranteed cost policies, as it gives the insurer an option to return a portion or all of the underwriting profits to the participant if it chooses, but generally does not allow the insurer to charge an additional premium for worse than expected losses. While the potential savings are not as great as under a pure retrospective program, the insured is in a no-loss position. This is because the maximum premium which may be charged is equal to the guaranteed cost premium less any applicable "dividend" discounts granted by the insurer.

            Multiline Aggregate Program - Becoming increasingly attractive as operational risk exposures rise, multi-line aggregate programs use a single insurance policy to cover all of the institution's exposures, subject to an aggregate deductible applied to all covered losses. Once the aggregate deductible is satisfied by the payment of one or more claims, the policy responds to any additional losses up to the aggregate limit. The theory is that by combining the various types of insurable exposures, the overall predictability of loss costs is enhanced. An insured may then pay directly for planned and budgeted loss costs and rely on the multi-line aggregate policy to cover unplanned "high value low probability" risk.

          • 3.2.6 Claims

            Banks which have strong internal audit and investigative functions and are able to properly document losses, generally experience little difficulty in getting claims paid in a prompt and satisfactory manner.

            As a very general measure, insurers typically pay about 75% of the claimed value for about 90% of the items for which legitimate claims are submitted. Therefore, if an insured submitted ten legitimate claims totaling SR 1 million in a year, it could reasonably expect to receive between SR 600,000 and SR 800,000 in compensation, less deductibles. It is extremely important that the bank clearly understands what is covered and, more importantly, what is not covered under the insurance contract. The filing of frivolous claims for which no coverage was contemplated in the policy not only creates extra work for the bank but also serves to antagonize both brokers and underwriters. However, it should be noted that claim payment is almost entirely a function of the quality of the claims. Fully documented claims are generally paid in full by underwriters, while poorly documented claims are, at best, settled for a negotiated amount below that claimed, or denied completely. In addition, the quality of claims documentation and processing by both the bank and its broker directly affects the speed with which claims are settled. If underwriters must repeatedly request additional documentation in order to reach a settlement decision, claims processing becomes a drawn-out and cumbersome process. In addition, if a bank has inadequate audit trails and investigative documentation procedures, it will be necessary to secure the services of outside accountants, attorneys or loss surveyors to conduct a proper investigation and generate claim documentation which will be acceptable to the underwriter. This process is both costly and time consuming and materially erodes whatever financial settlement is ultimately reached with the insurer.

            It should also be noted that nowhere in any BBB/FIB or ECC contract does a condition precedent to liability exist which requires a court judgment against a perpetrator to prove a claim. In fact, no condition precedent to liability exists in the insurance contract requiring that incidents of either internal or external fraud be reported to the police, although this may be a legal/regulatory requirement and is certainly a prudent action on the part of the bank.

        • 3.3. Other Insurance Alternatives

          In addition to conventional insurance programs, a number of alternative techniques have developed in recent years to facilitate the external financing of operational risk.

          • 3.3.1 Risk Retention Groups, Group Captives, and Risk Sharing Pools

            Although risk retention groups, group captives and risk sharing pools are established as insurance companies, they are more properly viewed as self-insurance mechanisms. They are simply cooperative risk funding vehicles designed to write insurance to cover risks. They may be formed to reduce insurance costs within a specific group of participants, to increase limits of coverage and secure more favourable terms of coverage, or to spread the risk as compared to going without insurance entirely.

            Pools are developed by group captives and self-insureds that wish to transfer some of the risk they have agreed to assume. Pooling arrangements frequently occur when group captives cannot find adequate reinsurance or the cost of such reinsurance is excessively high relative to the risk. Thus, participants in a risk retention group, group captive or pool should understand that they are participating in self-insurance. Viewing the captive or pool in this manner is important for two reasons:

            Paying for Loss - With the exception of reinsurance for potential catastrophic losses, the group will pay for virtually all of its own losses.

            Pooling the Risk - Experience indicates that the "average premium" theories that underlie traditional insurance industry thinking are valid only if good risks are willing to stay in the pool with the bad risks.

          • 3.3.2 Agency Captives

            These are captive insurance companies formed by brokers or agents to provide coverage for their insured. These types of captives increase the probability that brokers will have a market into which to place their insured and therefore may allow them to offer broader levels of coverage than that offered by risk retention groups or group captives.

          • 3.3.3 Rent-a-Captive

            Rent-a-captives are a highly specialized form of captive operation. These companies are designed for firms that do not want to own a captive but want to obtain some of its advantages. A rent-a-captive is formed by investors and is operated as an income-producing business. An insured pays a premium and usually pays a deposit or posts a letter of credit to back up its business. The operators of rent-a-captives handle the operations and claims for the insured and place the reinsurance. At the end of the policy period the insured is paid a dividend based on incurred losses, operating expenses, and cost of reinsurance.

        • 3.4 Finite Risk Insurance - A Combined Approach

          Finite risk insurance is a hybrid involving risk transfer through an insurance contract and internal financing of risk. Finite risk insurance and financial reinsurance both involve risks which are limited by an aggregate limit across the policy, so that the insurer has a limited liability (hence the term "finite"). They both attempt to "smooth" the peaks and valleys of losses for the insured and the insurer by redistributing these losses over a period or a series of fiscal periods. Finite risk products are tailored for each bank and reflect its own unique risk transfer needs. Therefore, no two programs are alike. Indeed, even definitions of what constitutes "finite risk" differ based on the proposed use of the techniques involved. However, finite risk contracts do share several common features.

          • 3.4.1 Loss Severity and Frequency

            Finite risk works best in situations where a severe loss is possible. A typical finite risk prospect is an organization which has a high severity/low frequency loss situation (i.e. an "upstream" professional liability loss from overseas derivative trading) for which inadequate insurance coverage is available in the conventional market, or the cost of the coverage is prohibitive.

            Frequently, a bank will use a single-parent captive to front a finite program to fill the middle layer of operational risk - above the self-insurance used for smaller recurring losses and below the commercial insurance used for catastrophe cover - although some insurers have used finite insurance on top of self-insurance and handled the upper layer of risk through a captive.

            An example of how a finite risk program can handle a high severity/low frequency situation might be that of an investment banking firm which has developed a new series of global derivative trading products. To fully exploit the potential market, the firm wishes to spin off this function as a separate operating subsidiary through an Initial Public Offering (IPO). However, investors are concerned that, given current liability issues involving derivative trading products, the proposed firm's professional liability exposures are inadequately covered, since they fear that a professional liability loss in the first year of the IPO would drive insurance premiums to a prohibitive level and/or severely deplete capital. To address this issue, a program is structured utilizing both finite and conventional insurance. The finite portion consists of a five-year program with a guaranteed premium for the underlying primary finite layer. For coverage in excess of this primary finite layer, commercial insurance is used, since premium rates in the excess layers are less than those of the finite market. This program gives the firm precisely what it needs during the critical IPO phase - maximum transfer of risk with a guaranteed premium level for five years. In addition, if there are no significant losses over the period of the finite contract, the firm will receive a return of premium at the end of that time.

          • 3.4.2 Multi-Year Duration

            One of the primary attributes of any finite insurance program is the ability to address the financing of liabilities over a multi-year period, thereby minimizing the impact of a severe loss in a single year. In addition, finite programs also minimize the "financial costs" of insurance - the cost of going into the market year after year to renew policies and being subject to market cycles. They also help to build and strengthen long-term relationships with insurers. Since going into the market on an annual basis is highly inefficient, finite programs are designed to maximize the allocation of premiums to loss payments and minimize their use for transaction costs and overheads.

          • 3.4.3 Profit Sharing

            One of the most attractive aspects of finite insurance programs is the possibility of premium reduction through the return premium mechanism. In return for limitation of liability through an aggregate cap and for a guarantee of premiums over a specific period of time, the insurer agrees to share underwriting profits with the insured in the event of favourable loss performance.

          • 3.4.4 Disadvantages

            As with all approaches to managing operational risk, finite risk insurance has certain drawbacks:

            Risk Management Expertise - To effectively blend the internal and external financing elements necessary in a successful finite risk program, it is necessary that management clearly understands the nature and magnitude of the bank's loss exposures and is willing to pay for a significant portion of these exposures through self-insurance. Banks must have a very clear view of the financial resources they will need for these programs. Since these programs are multi-year in nature, a bank must be certain about its future period cash flows and how much cash it wants to devote to the program. Otherwise, finite risk management programs simply will not work more effectively than normal conventional insurance.

            Cost - Since finite programs are typically structured for three to five years, they may represent a higher initial cost, both in terms of guaranteed premiums and costs associated with structuring the program, than will conventional insurance. They are certainly more expensive than self-insurance. In addition, failure to control losses over the period of the contract may result in no return of premium, one of the primary advantages of finite programs.

      • 4. Risk Management Evaluation Questionnaire

        This Operational Risk Management Evaluation Questionnaire is designed to provide a tool to assist Banks within the Kingdom in assessing and quantifying the adequacy of their programs for managing and financing operational risk. This is not a detailed questionnaire, but it covers the main areas of importance in the implementation and management of an effective program of operational risk management within the bank.

        For this assessment to be both accurate and objective, the questions should be completed by staff who have an appreciation of overall operational risk management and the implications of the questions with respect to the bank's operations and financial planning, but who do not have day-to-day responsibility for either major operational areas or for the institution's insurance program. Involvement of Internal Audit personnel may provide both technical assistance in assessing operational risk and controls as well as helping to ensure objectivity in the survey process.

        There is no "pass" or "fail" score for this Questionnaire. Primary questions are designed to elicit a "yes" or "no" answer. A written response or comment to any question may be given when the institution uses a different approach than that stated to address the issue, or if it is felt that there are other considerations which should be brought to management's attention. Accordingly, this questionnaire is divided into:

        • (1) Management Oversight

        • (2) Risk Assessment

        • (3) Operational Risk Reduction and Control

        • (4) Insurance Options

        The scope of all answers should include both domestic and foreign operations, i.e. inside and outside Saudi Arabia.

        • Management Oversight

          Section 1 (answer columns: YES / NO / COMMENTS)

          1. Has the Bank developed an Operational Risk Management Plan outlining objectives, policies, and standards?
          1.1 If yes to 1, has this plan been:
          * Formally approved in writing by the Board of Directors?
          * Disseminated in writing by senior management?
          * Reviewed on at least an annual basis?

          2. Have annual Operational Risk Management Program Goals been established in terms of measurable organizational objectives where possible (i.e., a 50% reduction in branch fraud, a 15% reduction in credit card losses, etc.)?
          2.2 Is the Plan formally evaluated against these Goals on at least an annual basis by the Board of Directors?

          3. Has an Operational Risk Manager been appointed to address overall operational risk management and financing issues within the bank?
          3.1 If yes to 3, is this a full-time position?
          3.2 If yes to 3, does this individual:
          * Have clear and specific responsibility for operational risk assessment, risk management, and risk financing activities within the bank?
          * Have a written position description?

          4. Has an Operational Risk Management Committee been formed to assist the Operational Risk Manager in assessing, planning, and managing operational risk management activities?
          4.1 If yes to 4, are all major operational and staff areas of the bank represented on the committee? Specify the areas represented, i.e. Internal Audit, Treasury Operations, Credit Card / ATMs, etc.
          4.2 If yes to 4, does the Committee meet on at least a quarterly basis?
          4.3 If yes to 4, does the Committee report to the Chief Operating Officer?
          4.4 If yes to 4, does the operational scope of the Committee include consideration of:
          * Fraud, forgery, and other criminal risks?
          * Professional and client related liability exposures?
          * Risk associated with legal and regulatory non-compliance?
          * Political risk?
        • Risk Assessment

          Section 2 (answer columns: YES / NO / COMMENTS)

          1. Is there an inventory of the institution's tangible and intangible resources which may be subject to operational risks? These may include the following:
          • Physical Assets (i.e. physical plant, systems, real estate, etc.)
          • Financial Assets (i.e. cash, securities, negotiable instruments, etc.)
          • Human Assets (i.e. employees, officers, directors, customers, shareholders, vendors and contractors, etc.)
          • Intangible Assets (i.e. reputation, goodwill, etc.)
          2. Have operational risks with respect to new acquisitions, divestitures, expansions, or downsizing been identified? These may include the following:
          • Physical Assets (i.e. physical plant, systems, real estate, etc.)
          • Financial Assets (i.e. cash, securities, negotiable instruments, etc.)
          • Human Assets (i.e. employees, officers, customers, shareholders, vendors and contractors, etc.)
          • Intangible Assets (i.e. reputation, goodwill, etc.)
          3. Can the bank identify actual and potential loss exposures and risk events for all products and services currently being offered or proposed for implementation? Such risks may include the following:
            * Criminal acts including fraud, forgery, robbery, burglary and counterfeiting?
            * Direct loss of, injury to, or sickness of personnel?
            * Loss or compromise of information / data?
            * Direct loss of or damage to physical property?
            * Consequential loss and/or loss of use?
            * Customer Contractual Liability?
            * Tort and Product Liability?
            * Statutory and Regulatory Liability (Legal and Regulatory Compliance)?
            * Political risk and regulatory instability?
          4. On at least an annual basis, are formal qualitative and quantitative analyses conducted to measure the level of current operational risk? Do these analyses include:
            * Judgmental risk estimates by senior staff and operational managers based on probable and maximum severity costs of a single occurrence and/or aggregate losses in a single year?
            * Assessment of risk event probabilities by senior managers and operational personnel?
            * Review of available loss data from other banking institutions, both within the Kingdom and internationally?
            * Maintenance of a database of incident reports and exposure and loss history for both insured and uninsured losses?
            * Comparison of past losses and loss ratios to the premium and exposure bases?
            * Analysis of trends, reporting, and payment patterns for past losses?
            * Decision and event tree analysis?
            * Scenario development (including "worst case" analyses)?
            * Frequency and severity analyses and projections?
            * Preventive measures in place?
        • Operational Risk Reduction and Control

          Section 3 (answer columns: YES / NO / COMMENTS)

          1. Have formal written programs of operational risk and loss control, including risk assessment and control matrices, been developed for all operational and staff areas? If yes to 1, do these programs include:
           * Proprietary and confidential data?
           * Physical security of the bank's premises?
           * Branch fraud prevention and awareness?
           * Credit card, ATM, trading, and payment systems fraud?
           * Software piracy and patent / copyright infringement?
           * Information Systems Security?
           * Product and service quality assurance?
           * Adherence to customer contractual obligations?
           * Compliance with regulatory and statutory requirements within Saudi Arabia?
           * Others as applicable?

          2. Does the Operational Risk Management function provide central direction and coordination for operational risk management, loss control and risk financing programs within the institution? Does its scope include:
           * Timely reporting of losses to senior management, SAMA, insurance carriers, and law enforcement (when appropriate)?
           * Complete investigation of losses in conjunction with internal audit, the bank's security department, insurance carriers and law enforcement (when appropriate)?
           * Written claims handling procedures for line and staff personnel as well as both in-house claims personnel and external claims handling services?
           * Review of claims files and investigative procedures?
           * Coordination of claims and periodic qualitative evaluation of the overall claims handling process?
           * Follow-up on all open claims and periodic qualitative evaluation of the overall claims handling process?

          3. Has the institution developed penalty/reward systems? Do these systems include:
           * Regularly scheduled comparative evaluation of loss records of various units?
           * Monetary and non-monetary incentives?

          4. Has a formal program of operational risk control training been established which emphasizes responsibility and accountability for the control of operational losses?
        • Insurance Policies

          Section 4 (answer columns: YES / NO / COMMENTS)

          1. Is there a written corporate risk financing policy which defines the methods to be used by the bank for insuring itself, considering all the methods available, i.e. conventional insurance, loss retention guidelines, parent captive, risk retention group, finite insurance, etc.?
          1.1 Has this plan been approved by the Board of Directors?
          1.2 Does this policy address loss retention guidelines by addressing the following:
            * Effect of risk financing options on earnings, budgets and balance sheet?
            * Risk aversion (loss tolerance) by management and the Board of Directors?
            * Relative cost of risk funding options in the existing market?
            * Projection of expected operational losses and possible variance from expected levels?
            * Statutory, regulatory, or contractual limitations on risk retention?

          2. Are all corporate risk financing policies and guidelines formally reviewed by the Board of Directors on at least an annual basis?

          3. Are internal risk financing options (self-insurance) used which are commensurate with the financial resources of the institution, dispersion (or aggregation) of risk, and established policy? Do these options include:
          * Contractual transfer of risk?
          * Unfunded retention:
            - Straight deductibles?
            - Aggregate deductibles?
            - Allocation of small/high frequency losses directly to responsible units?
            - Absorption of large and/or random losses at the corporate level?
          * Funded retention?
          * Single parent captives?

          4. Are conventional insurance options analysed? Do these options include:
          * Conventional insurance:
            - Banker's Blanket Bond?
            - Electronic and Computer Crime coverage?
            - Directors and Officers (D&O) Liability Coverage?
            - Professional Indemnity Coverage?
            - Environmental Liability?
          * Risk retention groups, group captives and risk sharing pools?
          * Agency Captives?
          * Rent-a-captive?
          * Finite risk financing?

          5. Do formal policies and procedures exist to coordinate conventional insurance, group captives, risk pooling, finite risk, etc. with internal financing options, i.e. deductibles, losses and deductible sharing within the groups, etc.?

          6. On at least an annual basis, is a formal market review of conventional insurance done? Does this review include:
          * Market capacity?
          * Terms, conditions, and flexibility of coverage?
          * Cost?

          7. Are the results of this review formally reported to the Operational Risk Management Committee and the Board of Directors?

          8. On at least an annual basis, is a formal review of the insurance program conducted to evaluate the performance of both Underwriters and Brokers? If yes, does this review include:
          * Financial stability?
          * Claims payment record?
          * Responsiveness to the institution's coverage needs?
          * Premium structure and pricing?
          * Quality of program administration?
          * Professional competence and value added?
          * Fee for service/negotiated commission?
          * Performance parameters established by written agreement?
          * Annual review of performance against contractual obligations?
          * Quarterly progress reports / review sessions?
          * Claims handling records?
          * Quality of program administration?

          9. Does the bank maintain a direct relationship with its Underwriters (both primary insurers and reinsurers)?

          10. On at least an annual basis, does the bank review its exposure to catastrophic risk (i.e. "long tail risks" which exceed existing risk financing measures and cause significant impact to the balance sheet and/or share price)?

          11. Are these findings reviewed by both senior management and the Board of Directors?

          12. Are appropriate measures taken to secure protection for catastrophic losses? Do these measures include:
          * Use of highly qualified and specific indemnities (i.e. customer contractual, governmental, etc.)?
          * Use of global insurance markets to secure specific catastrophe coverage in excess of primary limits?
          * Plan for post-funding potential losses in excess of purchased protection?
          * Pre-loss reserving and finite insurance programs?

      • 5. Glossary of Terms

        External Risk Financing Options - This represents the transfer of risk to a third party and may include: conventional insurance, risk retention groups, group captives, risk sharing pools, rent-a-captives, agency captives, and finite risk insurance.

        Internal Risk Financing Options - This represents self insurance and may involve a number of techniques including: unfunded retention, single parent captives, contractual transfer of risk, and funded retention.

        Loss Retention Guidelines - Formal guidelines established as a part of the Operational Risk Management Plan as to how much risk may be retained by the institution in the form of self-insurance.

        Operational Risk - The risk of loss, either financial or non-financial, inherent in the bank's operations. Operational risk is pure risk, i.e. there is no opportunity for gain as in financial risk; operational risk results either in loss or in no loss. Examples of operational risk are: losses due to criminal activity (fraud, counterfeiting, forgery, etc.), loss of revenue due to system outages or destruction, professional liability losses (shareholder suits, fines for regulatory non-compliance, suits by customers), intangible losses such as damage to reputation and credibility, etc.

        Operational Risk Manager - The senior manager within the bank responsible for the development of the bank's Operational Risk Management Plan and for the implementation and management of the Operational Risk Management Program. The Operational Risk Manager should report directly to the Managing Director/General Manager.

        Operational Risk Management Committee - An operational committee of the bank reporting directly to the Operational Risk Manager. This committee should be composed of members of all major operational and staff departments within the bank, to include, but not be limited to, Internal Audit, Treasury Operations, Credit Card/ATM, Data Processing / Telecommunications, Insurance, Domestic Branch Operations, Overseas Branch/Subsidiary Operations, Private Banking, and Compliance. The Operational Risk Management Committee shall be responsible for assisting the Operational Risk Manager in developing Risk Assessment and Control Matrices for each functional area within the bank, and in developing and implementing the Operational Risk Management Plan.

        Operational Risk Management Plan - The strategic plan developed by the Operational Risk Manager and the Operational Risk Management Committee and formally approved by the Board of Directors for addressing the management of operational risks within the institution. This plan should define how the institution proposes to handle each category of operational risk (i.e. crime, professional liability, regulatory/legal non-compliance, political risk, etc.) and the methods to be used in their control (internal controls, internal retention of risk, risk transfer through conventional insurance, finite risk management programs, etc.). This plan should be reviewed and approved by the Board of Directors on at least an annual basis.

        Penalty / Reward System - In the context of operational risk management, Penalty/Reward Systems should be used to create a system of incentives for the effective management of operational risk at the level of the operational department or unit. For example, branches which reduce losses below a target amount receive bonuses equal to half of the amount saved.

        Risk Assessment and Control Matrices - These matrices should be developed by each functional area and reviewed by both the Operational Risk Manager and the Internal Auditor. They should identify each area of operational risk to which the department / unit is subject, the level of potential loss (either financial or non-financial), and all internal and external methods to be used to either control or finance risk.

        Risk Financing Policy - Formal guidelines established as a part of the Operational Risk Management Plan defining the methods to be used by the institution (i.e. conventional insurance, single parent captive, risk retention group, finite insurance, etc.) for the financing of operational risk.