2. Elements of Operational Risk
2.1 Criminal Risk
Historically, the single largest area of operational risk within the Saudi banks has been that associated with criminal activities. A survey conducted by the Agency covered all the claims filed by Saudi banks with insurers for financial losses attributable to fraud and other criminal activities, either on the part of employees or third parties. These represent 100% of all operational losses claimed under existing insurance coverage.
2.1.1 Fraud
In 1993, the accounting firm KPMG conducted a fraud survey of six countries: the United States, Canada, Australia, the Netherlands, Ireland, and Bermuda. This study found that, on average, approximately 80% of all frauds committed were perpetrated by employees, 60% by non-managerial personnel and 20% by managers. In all of the countries surveyed, misappropriation of cash was the most common form of employee fraud. This would appear to fit the situation currently being encountered by Saudi banks, since most employee fraud losses have come from the theft of cash and/or travelers checks from branches and ATMs. Consistent with international trends, fraud currently represents the single largest area of operational loss within the Kingdom's banking system. During the past five years, approximately 85% of all operational losses sustained by banks in the Kingdom involved employee dishonesty.
Recovery of funds lost due to fraud (particularly cash) is, at best, difficult and in many cases simply impossible. This highlights the fact that programs designed to prevent fraud are significantly more effective and less expensive than are attempts to recover the funds once stolen.
2.1.2 Forgery
During the period 1988-1993, in the Kingdom, forgery (including check fraud) was the second largest area of operational loss, accounting for approximately 12% of total reported losses. This is entirely consistent with the results of the KPMG study in which losses in this area averaged between 10% and 18% for the six countries surveyed. Within the Kingdom the majority of crimes in this area appear to represent either simple check forgery or the forgery of negotiable instruments such as letters of credit and generally involved the failure of bank employees to adequately verify the authenticity of the documents before negotiation.
From a cash-based system, the Kingdom is rapidly moving into electronic banking, thus minimizing the intermediate state represented by the paper check. These actions have the long-term potential of reducing the incidence of the relatively simple forgeries currently being encountered. However, document technology such as optical scanners, color laser printers, and powerful desktop publishing software now allows the creation of forgeries which are virtually undetectable except by highly sophisticated technical means. Therefore, while the number of simple document forgeries will probably decrease in the future, the level of technical sophistication and monetary value of forgeries may be expected to increase significantly.
With the increasing use of electronic imaging in the verification of signatures in many banking transactions, transfers, etc., banks' risk management policies and procedures should include prevention of forgery through electronic means. This will become even more important with further advances in payment cards and payment systems technologies.
2.1.3 Counterfeit Currency
Counterfeit currency does not currently appear to be a major area of potential loss to Saudi banks. However, two current trends should be noted:
1- Technology - As with forgers, the counterfeiters of both currency and negotiable securities are also beneficiaries of new document processing technology. A recent incident involving the counterfeiting of a major international currency using color laser printers was of such a magnitude as to cause the Central Bank to redesign the currency to incorporate various anti-counterfeiting measures into the new currency. However, it is expected that despite advances in design and manufacture of currencies, counterfeiting activities will continue to increase. Consequently, banks must remain vigilant to these trends.
2- State Supported Counterfeiting - State supported counterfeiting is assuming importance, specifically for the US dollar. The US Government estimates the amount of this currency ($20, $50, and $100 notes) at approximately US$ 1 billion. This bogus currency is of extremely high quality, virtually undetectable by even experienced personnel, and is primarily circulated outside the United States.
2.1.4 Robbery and Burglary
Although the Kingdom is a highly "cash rich" society, robbery and burglary do not currently represent a significant source of operational risk in Saudi Arabia. This can be attributed to the deterrent effect of physical security measures taken by banks and law enforcement agencies, the severity of judicial punishment, cultural factors within Saudi society, and the lack of a significant illegal drug problem within the Kingdom. Studies in other countries have shown that the majority of robberies and burglaries directed against bank branches and ATMs are drug related. Therefore, barring significant social or political changes within the Kingdom, it seems unlikely that robbery or burglary will present a major operational exposure to Saudi banks within the foreseeable future. In recognition of these trends the Agency has issued detailed rules in 1995 entitled "Minimum Physical Security Standards".
2.1.5 Electronic Crime
Although no different, except for mode of execution, from any other form of criminal activity, electronic crime represents the fastest growing form of criminal activity currently facing both the international and Saudi banks. This presents itself in four major areas, as given below:
ATMs - While major shifts are taking place, Saudi Arabia is still a highly cash oriented society. This, in turn, drives the exposure to operational loss presented by ATMs. High daily cash withdrawal limits or no limits at all mean that ATMs routinely are stocked with far more cash than that normally found in other developed countries. This presents both a lucrative and tempting target for either employee fraud or third-party burglary. In addition, these high cash withdrawal limits also expose banks to potentially higher losses from customer fraud. As banks add additional functionality to ATMs (foreign currency, travellers checks, airline tickets, etc.) and connect their ATMs internationally through shared networks such as CIRRUS, new opportunities for fraud against Saudi banks both from within and outside the Kingdom increase significantly.
Credit Cards - Based on experience both within the Kingdom and outside, credit cards represent a major and rapidly growing operational risk. This risk may be divided into two areas:
Internal Fraud - As with most other types of fraud, credit card fraud involving employees (either working alone or in collusion with outsiders) is the most common and most costly. All credit card issuers are subject to internal fraud risks associated with application generation / approval, account setup / activation, card embossing, and statement preparation / distribution.
External Fraud - Although far less common than internal fraud, external credit card fraud is growing rapidly as a result of large scale international trafficking in stolen cards and obtaining valid cards through fraudulent applications.
Point of Sale (POS) - As the use and acceptance of POS grows within the Kingdom, so too will merchant fraud in number, level of sophistication, and monetary value. This type of criminal activity may range from an employee of the merchant generating fraudulent transactions (generally in collusion with a third party) to large scale and highly organized activities by the merchant himself. Therefore, prevention and detection of this type of criminal activity by banks will become increasingly more complex and costly.
Commercial Services - The extension of electronic payment and trade services to commercial customers represents a major source of fee for service income. This is income which represents virtually no credit risk. However, these systems and products may represent a major exposure to costly and embarrassing losses to corporate customers. Two areas present especially high potential exposures to third party fraud.
Cash Management Services - While providing both a greatly enhanced financial management tool to corporate customers and a significant source of both cost savings and fee for service income to the banks, electronic cash management services also represent a major source of operational risk from both third party penetration and customer fraud. By their very nature these services allow the conduct of transactions with the bank in which the only security present is that provided by technical means such as encryption, message authentication, and logical access checking of passwords and user IDs. While powerful, these technical controls are not infallible. Therefore, given the high monetary value represented by corporate cash management transactions, the potential for a "long tailed risk" (i.e. low probability of occurrence with extremely high monetary value) presents the potential for both a catastrophic financial loss as well as severe damage to reputation and credibility of the bank.
Electronic Data Interchange (EDI) - As both banks and corporate customers move toward the use of electronic communications to replace paper based trade documents (i.e. invoices, receiving reports, bills of lading, warehouse receipts, etc.), traditional forms of controlling these transactions will no longer apply. EDI systems have generally been designed with less stringent levels of both access control and authentication of transactions. This has been based on the assumption that since these transactions were "non-monetary" in nature they present less exposure. While this may be technically correct, the non-monetary aspect of an EDI transaction - a receiving report, bill of lading, or warehouse receipt - ultimately generates a payment (electronic or manual) to settle the transaction. Therefore, these systems also present the potential for "long-tailed" risks from both third parties and employees of either the customer or the vendor of goods and services.
2.1.6 Retail Electronic Banking
As with a bank's commercial customer base, electronic banking is also penetrating the retail market. Services such as telephone bill payments, PC based home banking, and the use of "smart" telephones combining the features of both a conventional telephone and a microcomputer present significant opportunities for enhancing both the level of customer service and revenue in the highly competitive retail sector. However, at the same time, these new electronic products open new avenues of exposure to both third party and employee fraud as well as potential areas of professional liability exposure. In future this will become an increasingly important risk exposure area for the banks. The increased use of telephone services that permit computer access to banks' systems also provides an increasing opportunity to "hackers" and other criminals. These require improvements in security measures and additional risk management techniques to minimize losses.
2.2 Professional Risk
Exposures directly related to the provision of financial products and services currently constitute both the single largest and most rapidly growing form of operational risk globally within the financial industry.
2.2.1 Professional Errors and Omissions
All banks are subject to operational losses associated with professional errors and omissions by employees. These include losses through errors committed by staff such as unauthorized trading, erroneous transfer of funds to wrong accounts, errors in booking or recording securities transactions, etc. In the event where such losses are for the account of the bank itself, i.e. for trades on the bank's own account, these types of losses are completely uninsurable and must be controlled by means of traditional methods such as strong internal controls, quality assurance programs, rigorous staff training programs and strong and active management.
2.2.2 Professional Liability Risk
On the other hand, if professional errors and omissions result in losses for the client, such events are insurable. In order to effectively assess risks in this area, it is necessary to understand the difference between professional liability risks which may affect the Board of Directors and Officers (D&O) and those professional liability risks which affect the bank itself.
Directors and Officers Liability
This coverage is for the directors and officers of a bank, and not for the bank itself. One of the most complex problems facing any business is the liability of its directors and officers (executive or non-executive). The personal assets of directors and senior officers may be at risk for losses arising out of the alleged negligent or imprudent acts or omissions of such individuals. The D&O coverage provides payment to the bank as it is the bank which purchases the policy to indemnify its directors and officers.
In addition, the D&O policy will reimburse directors and officers for losses for which the bank was unable to indemnify them for legal, regulatory, or financial reasons.
Professional Indemnity
This coverage is designed to indemnify the bank itself against litigation by customers, and other third parties alleging errors, omissions, misstatement or imprudence committed by directors, officers and employees in the performance of their service.
These two areas encompass professional liability, and there is some overlap between the insurance coverages designed to address them. However, although D&O is narrower in scope in terms of the individuals covered, it is significantly broader in terms of the wrongful acts which it covers, generally covering all wrongful acts not specifically excluded. On the other hand, PI covers only specific professional services provided by the bank - trust, brokerage, investment advisory, etc. D&O policies may specifically exclude such services from coverage.
Professional liability is created by the relationship between various parties including clients, regulators, shareholders, employees, vendors, joint venture partners and the banks. The relationship is based on the legal system in which the bank's activities take place. In addition, the same act may result in a liability situation for both the bank (through the actions of employees) as well as the Board of Directors. Thus acts of negligence or misconduct by employees, inappropriate or prohibited investments in a customer portfolio, errors in securities processing, or failure to execute contractual obligations with a client may result in a liability for the bank. However, the legal system may also involve allegations of mismanagement by the Board of Directors, regulatory non-compliance, product fraud, insider trading, or bad loans which materially affect share price. In this case the liability may also extend to the Directors both singly and severally. Professional liability arises from a number of sources:
Shareholder Actions - Globally, the largest single source of professional liability exposure arises from shareholder actions against management, officers and employees for negligence and misconduct.
Client Services - The most rapidly growing area of professional indemnity liability exposure is in the area of the provision of client services. Trust, custodian relationships, buy/sell agreements, and investment advisory services all provide a large and growing exposure for both directors and officers and the bank itself.
Employment Practices - Employment actions represent the second largest source of D&O liability globally. D&O claims arise from employees during major business transactions i.e. mergers, acquisitions, implementation of new technology, downsizing, as well as from hiring, promotion, transfer, and termination practices.
Environmental Claims - The growth of environmental liability has coincided with the trend to impose personal liability on directors and officers who, in the performance of their duties, become subject to civil or criminal penalties for violation of environmental laws.
Lender Liability Claims - Lender liability places directors and officers at risk both as defendants in the first instance or as indemnitors when their banks have been held liable. The range of lenders' liabilities includes contractual liability, product liability, personal injury, property damage, fraud, duress, and emotional distress.
During the initial negotiations with the borrower, a lender can be held liable for revoking a loan commitment where no commitment was intended, changing the terms of the commitment, or fraudulently inducing a borrower to borrow. Once a loan is made, additional liability exposure may arise in situations when the lender refuses to advance funds or restructure debt, threatens to invoke covenants in the loan agreement, accelerates the loan, responds to credit inquiries, or institutes foreclosure proceedings. Should a loan go bad, the bank will typically step into a more aggressive role in its relationship with the borrower. This more aggressive posture combined with a generally more strained relationship between lender and borrower creates a fertile environment for lender liability.
Lenders may face an assortment of exposures including workout negotiations, collateral liquidations, asset seizure, and actually taking control of the management of the borrower's business. In an increasingly more competitive global business environment, it is only reasonable to expect that the business of lending both within and outside the Kingdom will become more complex. This increased level of complexity will inevitably lead to a higher exposure to lender liability issues.
Since these exposures are entirely driven by the social, legal and business environment in which business operations occur, it is important to address these exposures not only as they relate to operations within Saudi Arabia, but also outside the Kingdom.
Within Saudi Arabia - Under Saudi Company Law (Royal Decree M/6 of 1385)* Articles 66 to 82, members of Boards of Directors are jointly responsible for compensating the company, the shareholders or others for damages resulting from their management of the company or contravention of provisions of company law. This seems to differ little from the provisions of the proposed European Community Fifth Company Law Directive and those of other European countries. Therefore, Saudi Company Law differs little from that of other developed countries with respect to the legal obligations of corporate directors and officers; and a substantial exposure to professional liability, particularly Directors and Officers liability, currently exists for banks within the Kingdom.
Outside Saudi Arabia - The third party legal liability situation outside Saudi Arabia is far more grave than that found within the Kingdom. Any Saudi bank operating in another sovereign jurisdiction will be subject to the laws, business practices, political and social conditions of that area. Thus any Saudi bank operating in the United States, the United Kingdom, or western Europe runs a significant risk of being sued for alleged illegalities and/or mismanagement in connection with the bank's activities in these areas.
Another area of exposure which Saudi banks must recognize is the exposure created by their outside directors, such as directors and officers of Saudi banks serving on the boards of joint venture companies or partnerships or other non-Saudi corporations. Outside or independent directors are now routinely threatened with potential liability and are sued along with the rest of the board. In the past, outside directors were not expected to be involved in a bank's day to day affairs. However, today the trend is for outside directors to be knowledgeable, even experts, in the bank's issues, and they are being looked upon by courts, regulators and litigants as the "watchdogs" of board activities.
Professional liability represents a fast growing and potentially damaging area of operational risk for activities outside Saudi Arabia. Thus it is essential that Saudi banks develop policies and procedures to carefully assess product and services risks in this area and take measures to manage these risks.
* The Saudi Company Law (Royal Decree M/6 of 1385) has been replaced by the Companies Law (Royal Decree M/132), dated 01/12/1443H.
2.2.3 Contingent Client-Related Liability Risks
One of the fastest growing and most intractable areas of operational loss exposure is that presented by contingent client-related liability. This relates to indirect responsibility for a client's business operations and products. Since major liability losses may bankrupt a client, plaintiffs will seek anyone connected with the client possessing sufficient funds to secure a financial settlement. Unfortunately, this is often a bank with whom the client had or has a relationship. These types of contingent liabilities may arise from a number of situations including:
1. Environmental Liability: Banks may incur substantial environmental liability when they become responsible for environmental damage or hazardous waste cleanup (i.e. an oil spill from a tanker for which the bank was a lender). This type of liability exposure is expanding globally at a tremendous rate as countries continue to enact ever more punitive environmental laws and regulations.
2. Product Liability: Product liability may occur when a client in which the bank has an equity position or financing interest is sued alleging negligence (i.e., class action suits against a pharmaceutical manufacturer).
3. Death and Bodily Injury: This liability may arise from an event involving a bank owned asset that is leased to or operated by others (i.e. commercial aircraft) or from an event involving a repossessed asset (i.e., fire at bank owned or controlled hotel).
Therefore, as global environmental and product liability laws and regulations become more stringent and tort liability becomes more widespread, all Saudi banks will become increasingly more exposed to this type of operational risk both inside and outside the Kingdom.
2.3 Other Risks
2.3.1 Statutory and Regulatory Liability
Globally, banking laws and regulations are becoming more complex, compliance more costly and time consuming, and the consequences of non-compliance (financial, legal, and reputation) more severe. In addition, some countries are increasingly applying criminal statutes to such essentially non-criminal areas as investment operations and cash management services. These liabilities may take three forms:
1. Financial Penalties: Within the Kingdom, violation of SAMA circulars and directives may result in substantial financial penalties being levied. Saudi banks operating outside the Kingdom are not only subject to fines imposed by regulatory agencies, but may also find themselves responding to civil and/or criminal charges which may carry financial penalties of such a magnitude as to cause a substantial impact on the balance sheet.
2. Restriction or Termination of Operations: Within Saudi Arabia, violation of SAMA rules and directives may lead to censure by the regulators and, in extreme cases, restriction of certain banking activities or total revocation of banking privileges within the Kingdom. This exposure is even more severe for Saudi banks operating outside the Kingdom. Even relatively minor technical violations of banking regulations may lead to the closure of major overseas branches.
3. Risk to Reputation: All banks fundamentally operate on the basis of trust. Therefore, publicity associated with statutory and regulatory infractions may act to undermine this trust with both customers and shareholders. While banks may be able to absorb both financial penalties and regulatory sanctions, they cannot absorb a major loss of customer and investor confidence.
Therefore, the maintenance of an aggressive and highly proactive compliance program by banks is becoming increasingly more critical as a major component in controlling the operational risks associated with regulatory and legal non-compliance.
2.3.2 Political Risks
All banks operating within the Gulf Region are subject to certain distinct geo-political risks. However, if viewed in a broader perspective, these risks are certainly no more severe than those faced by banks operating in other areas. Therefore, of far more concern from an operational risk perspective is the prospect of new and more restrictive banking and securities regulations in other countries in which Saudi banks operate. Within the Kingdom, the prospect of punitive and highly restrictive regulation must be viewed as remote. However, in those overseas areas in which Saudi banks have significant business interests, some restrictive regulations may be expected.
Given the major social and political changes taking place in the industrialized countries and developing world, all markets now possess a significant degree of political instability for international banking operations. Therefore, it is imperative that all Saudi banks operating outside the Kingdom or significantly involved with international trade, develop management systems and procedures for actively monitoring operational risk associated with the political and regulatory environments in which they conduct their business operations. Such systems should include appropriate "red flag" and warning indicators, and effective alternative strategies and action plans to prevent or mitigate losses.