Chapter 8

Information Technology Risks in Islamic Banks

Samir Safa

1. INTRODUCTION

The Islamic finance (IF) industry is struggling to maintain the progress that visibly began in the last couple of decades, despite the growth that it has witnessed. The industry is yet to reach a level of sustainability, despite various initiatives in standardisations (accounting, compliance regulation, processes, legal documentation, and information systems), evolving knowledge of the industry (it is still lacking real innovation), enhancing Shari’ah awareness (taking into consideration the differences in interpretation), reaching out to the various markets (which are still very humble), and creating awareness (that is slow and in many cases not effective).

For the IF industry, information technology and systems (ITSs) pose a prominent challenge due to the industry’s lack of maturity, which could have direct implications and risks for the IF industry. One of the main reasons for the modest growth and expansion of the IF industry is the ineffectiveness of the currently available ITSs in addressing the real challenges of the IF operating model. This has had a direct impact on providing the appropriate technological platform for Islamic financial institutions (IFIs) to conduct their business, address their operational needs, and mitigate various risks effectively.

This challenge can be seen more clearly within the Islamic banks (or major groups of such banks) that operate as “universal” banks, combining investment as well as retail banking, and attempt to provide IF services and products as part of their global offering in their respective markets. The same applies even more to the major conventional banking groups that offer Islamic banking through Islamic “windows.”[1] The implementation, management, and administration of the IT infrastructure and systems of these banks for both banking models have a potential for high operational risks (i.e., overseeing and handling the coexistence of the conventional banking operations along with the IF window remains a dilemma that imposes an increased magnitude of risk on these banks).

Moreover, the lack of a system that genuinely complies with Shari’ah standards and principles (i.e., a system built with the primary purpose of supporting the IF operating model), seems to have forced the majority of IFIs to adopt conventional banking operational systems already available in the market. This has contributed to a great extent to amplifying the elements of risk that will be the focus in the following sections.

It appears that these elements of risk in ITSs have yet to be seriously analysed and assessed. This is the case despite the sizeable risks imposed on the IF industry and the direct implication that will affect the relevant IFIs, especially in the area of operational risk.

The deficiencies of ITSs in the IF industry reside in various areas that could possibly violate both the basic IF principles and standards of the IF operating model. The latter in turn could lead to immediate concerns with the regulatory bodies, and apparently put the Shari’ah compliance of these IFIs under significant pressure.

The following section attempts to explore and explain important issues in the current IF/ITS trends, practices, and challenges. These will be compared with those in the conventional banking sector because the majority of the available (and dominant) banking ITSs in the market for IFIs were originally developed to address the conventional banking operational and business framework.

It appears that the suppliers of these systems have tweaked their systems in an attempt to tailor them to the IF operational model. However, in many cases, these suppliers seem to have made some basic errors. This has posed operational risks to the IF, and has violated some fundamental principles in IF, resulting in exposure to IF Shari’ah–non-compliance risk. However, despite its gravity, this matter is not being addressed in depth by various bodies and the industry. There has also yet to be any major initiative towards attending to these risks, which would continue to expose the banks to operational and other related risks.

Below are a few examples that aim to draw the attention of the reader to the ITS risks in the IF industry, the areas that are likely to be more exposed to the risks within these banking systems, and how possibly these could impact the IF operational model. However, no discussion or remedies of these issues will be attempted, as the required remedies tend to vary among the various systems. This is mainly due to the functional and technical architecture of an ITS. In addition, various scenarios and environments will require different approaches and solutions.

2. IMPORTANT UNDERSTANDINGS AND FACTS

The principles and operational specifics of the IF have fundamental differences in comparison to the understanding and practices in the conventional banking framework. The available enterprise banking systems that are used by most of the IFIs in retail, corporate, investment, and treasury and capital markets were built originally for conventional banks’ requirements and needs.

2.1 Fundamental Principles

Given the fundamental differences in both banking models, the issues and concerns would tend to surface when the IFIs utilise IT systems that were developed for conventional banking. However, this does not mean that these systems cannot be used in some functional and operational areas that are applicable to the IFIs, which are similar in functionality to the conventional banks.

For example, in the area of core banking, IFIs are required (like conventional banks) to issue and process cheques and to manage the clearing process of these cheques. They also need to interface with standard mechanisms of settlement such as SWIFT (Society for Worldwide Interbank Financial Telecommunication) or other local settlement hubs or switches. The IFIs are also required to conduct “Know Your Customer” reviews by their regulatory authority (e.g., central bank). They have to service their customers via various delivery channels (e.g., ATM, Call Centre, Branch, Internet, etc.), as well as to levy and manage fees and various other charges to their customers, as long as no consideration is involved that would constitute interest. In addition, there are other processes, which are common and similar to those of conventional banks. None of these processes raise Shari’ah–non-compliance issues nor do they have implications for other operational risks.

The contributing elements to risks in the ITSs of the IFIs are:

  • The lack of understanding of the IF guidelines and principles by the vendors or systems providers—the developer.
  • The inflexibility and poor functionality of some of the available conventional systems that do not assist the implementer (i.e., the end user) to address the needs of the IFIs.
  • Absence of comprehensive and focused development initiatives in the IF arena, whilst the conventional systems processes, standards, and viability are still attracting large investments in R&D in banking systems.
  • Even vendors who claim to have built systems that specifically address the requirements of the IF operational model have yet to resolve the underlying challenges, needs, and pressures that the IF industry in general and the IFIs in specific are experiencing.

2.2 ITS Issues and Concerns

Exploring the previous statements in more depth, there are specific remarks and concerns that should be highlighted:

  • IF is not only about banning interest, and it is not just about replacing the word interest with profit. Some suppliers of banking systems simply turn off the so-called interest flag or indicator in these systems by making a change in terminology (to put that in simple terms rather than using technical wording). This is definitely not what the substance of the IF model is all about.
  • IF does not require merely changing the terminology embedded in processes and functions within the banking system. For example, renaming conventional processes in the lending component of some of these banking systems, maintaining the functionality in its existing form but then relabelling the process with terminology borrowed from an IF contract (or description), such as murabahah or ijarah, does not achieve what is needed.
  • In the core banking applications, the basic key differences between IF and conventional banking include but are not limited to: (i) how the financing process or functionality, which replaces the lending activity in conventional banking, is addressed; and (ii) how profit or return on investment on assets in the “unrestricted” asset pool is calculated and allocated to each investor holding an unrestricted investment account based upon the mudarabah contract. These two areas are the main underlying differences that could possibly cause risks for the IFIs.
  • In the case of treasury, the challenges are also significant. It is worth mentioning here that a treasurer in an IFI has a major task to manage the treasury book(s) effectively owing to the limitations in manoeuvrability or the availability of Shari’ah-compliant instruments in this regard, in comparison to the treasurer of a conventional bank who has a variety of diversified instruments. There are significant opportunities to expose an IFI to risks and violation of Shari’ah compliance in case effective controls are not enforced or put into effect.
  • The IF model tends to be more complex in nature in comparison with the conventional banking framework. The IF operating model has more (strict and specific) milestones and procedural controls to be in place where IFIs need to ensure compliance with Shari’ah through their operational procedural framework. In some instances, any violation of the logical sequence of a financing process might impact the Shari’ah-compliance requirement and cause a significant operational risk. Owing to that, in some cases the core banking systems’ providers address this concern by having a workflow engine that manages the financing process, which is a remedy to part of the compliance issue. However, in some cases it is not a complete solution to the overall requirement. In the following sections this topic will be further elaborated from technical and functional aspects.

The list above generally highlights the wrong practices that some suppliers have adopted and which need attention in managing Shari’ah–non-compliance risk. These practices impose significant operational risks on the IFIs in terms of business, documentation, and legal issues as discussed in Section 3. The list above also paves the way to highlight in brief the technical aspects of the available enterprise banking systems, namely core banking and treasury and capital markets systems for IFIs (see Section 4).

3. ITS OPERATIONAL RISK—BUSINESS, DOCUMENTATION, AND LEGAL ISSUES

Information and technology systems involve several areas of operational risk as outlined in this section. Section 4 covers technical and functional clarification for these risks.

3.1 ITS Risk Considerations

The key areas of operational risk in ITS apply to various business activities as well as to documentation and legal aspects of Islamic finance. The nature of the IF operational and business framework brings more complexity due to the fact that the IF transactions have underlying assets (i.e., murabahah, ijarah, istisna’a, and other contracts or modes of financing), and investments, more lengthy processing cycles, and a vast array of activities from the origin of the financing until the conclusion of the transaction.

Another operational risk is how profit is calculated and allocated to investment account holders (IAH) that are mobilised based on the mudarabah contract. The main issue raised here is not about calculating the profit. Rather, it is how the system manages the allocation of profit. For example, questions arise regarding how the system addresses the issue of investment accounts that mature before profits are calculated, those in which profits are allocated periodically, and others subject to early withdrawals and rollover. In mudarabah financing, potential operational issues might arise in repayments in general and late repayments recovery, owing to the inherited accruals process embedded in the architecture of the system(s).

The conventional banking model, to which the IT systems are geared, is based on the accrual basis. The architecture of the majority (if not all) of the available IT systems accrues interest on a daily basis at the end of each day when the processing of transactions is completed. The accrued income (interest) is posted periodically (daily mostly) into the general ledger by posting journal entries. This practice does not comply with the IF accounting standards, as profit in the IF is posted (or recognised) at maturity (or at a periodic profit distribution milestone) or on settlement. It is important to note here that the accrual technique or mechanism is in place in all asset and liability transactions and deals, such as financing and deposits.

The commodity murabahah, the most commonly used product for an Islamic bank’s treasurer to manage a bank’s short-term liquidity needs and surpluses, also raises significant operational risk issues. Given that the commodity murabahah is a spot purchase-and-sale product with deferred settlement terms, there is a need to address the underlying asset being purchased and sold, as well as the required documentation and confirmations involved—based upon an agency agreement in place.

Risk in documentation and legal procedures, depending on the extent of automation and the effectiveness of the financial systems that are implemented and deployed, could be mitigated if legal agreements are generated at the right time with the appropriate content, and the documents or legal confirmations produced automatically based upon the captured details of the transaction. At the very least, such an attempt would address the overall process from the perspective of timely execution.

As indicated above, if an effective system and technology platform is put in place, the IT platform could be a catalyst in mitigating risks in the IF industry, especially for the IFIs. This can be of great value depending on the model or nature of business of the IFIs and the way in which the systems are deployed to address the various areas and propositions, for instance in retail, corporate, and treasury markets. At the same time, ineffective ITS could impose serious risks on an IFI’s operations.

It is worth noting that some of the risks incurred due to inadequate ITS might impact the two categories specified here, operational as well as documentation and legal risks, at the same time.

4. TECHNICAL AND FUNCTIONAL CLARIFICATION FOR THE IMPOSED RISKS

This section provides the reader with insights into the technical and functional aspects of these systems, in order to provide a better understanding of the examples of risks embedded in the IT systems available for the IFIs.

4.1 Investment Accounts Based upon Mudarabah

Investment accounts that are based on the mudarabah contract have major differences compared to deposits in conventional banking.

For example, a common operational risk IFIs face can be illustrated by observing the process of how most IFIs calculate the return or payment of the “profit” to the IAH in the case of early withdrawals. Such observation reveals that the process is designed to accrue profits similar to the way in which interest is accrued in a conventional system. In cases where the IFI opts to manually adjust and compensate the profit to cater to an early withdrawal by an IAH, the accruals are still posted (in most of the cases), and the IFI still needs to reverse or adjust these entries.

4.2 Profit Calculation and Allocation to IAH

Investment-account profits are not defined at the outset (i.e., when the account is opened or rolled over). Rather profits are calculated for IAH for an “identified” period, based upon the performance of the underlying assets funded by the IAH for that period.

Profit or return is usually calculated at the end of the period and then applied and back dated to the opening or rolled-over date of the account.

There are two steps to profit calculation and allocation:

The first step in this profit calculation process, regardless of the method, is mainly to identify the various rates of profit (or return rates) for every tenor and type of account with respect to those “identified” account holders who participate in the unrestricted pool of deposits. The rate (identified or calculated) is then applied to every investment account that is applicable to the relevant pool and tenor, in a back-dated fashion where the profit is calculated and passed or posted to the specific account (i.e., proportionate and time-proportional allocation of the profit applicable to that specific account with respect to the pool).

The calculation process is not the issue here. However, due to the systems’ inherited architectures, this might cause operational issues that lead to the risk of not being able to allocate the calculated profit for an account whose maturity date falls within the profit calculation period.

The profit calculation period might not necessarily match the maturity or roll-over date for the individual account within the pool of unrestricted investment accounts. Hence, when the profit is calculated, the allocation process comes into effect to pass or pay the profit to the account holder. If it turns out that an individual account has matured or is being rolled over to another future period, then some issues might surface due to the architectural framework in place. This is where it will most likely be a problem because most of the conventional banking systems, which were adapted for the majority of the IFIs, do not allow the posting (or maintaining) of any entry to a matured or a rolled-over account, so that the profit share cannot be allocated to such an account retroactively. In various cases, this area remains under consideration and brings at the same time significant risks to the operation. The key message here, however, is that in most cases, there are serious risk implications as to what remedies are used by IFIs to address this limitation and mitigate risks of incorrect profit allocation.
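The allocation gap described above can be surfaced with a reconciliation check. The following is an added example, not code from the chapter or from any vendor's system: it assumes a balance × days weighting as the "time-proportional" rule, simulates a ledger that refuses postings to matured accounts, and uses constructed account data.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

CENT = Decimal("0.01")

@dataclass
class Account:
    acct_id: str
    balance: Decimal
    opened: date
    matured: Optional[date] = None  # None means the account is still open

def participation_days(a: Account, start: date, end: date) -> int:
    """Days the account's funds sat in the pool during [start, end)."""
    first = max(a.opened, start)
    last = min(a.matured or end, end)
    return max((last - first).days, 0)

def allocate(accounts, pool_profit: Decimal, start: date, end: date) -> dict:
    """Split pool profit by balance x days (assumed weighting rule)."""
    weights = {a.acct_id: a.balance * participation_days(a, start, end)
               for a in accounts}
    total = sum(weights.values())
    if total == 0:
        raise ValueError("no account participated in the period")
    shares = {k: (pool_profit * w / total).quantize(CENT, ROUND_HALF_UP)
              for k, w in weights.items()}
    # Put any rounding residue on the largest share so the total reconciles.
    shares[max(shares, key=shares.get)] += pool_profit - sum(shares.values())
    return shares

def post_and_reconcile(accounts, shares: dict, posting_date: date):
    """Simulate a core system that rejects entries to matured accounts.

    Returns (posted, rejected); rejected shares are the exceptions that
    need review instead of being silently dropped.
    """
    posted, rejected = {}, {}
    for a in accounts:
        amount = shares[a.acct_id]
        if amount == 0:
            continue
        if a.matured is not None and a.matured <= posting_date:
            rejected[a.acct_id] = amount
        else:
            posted[a.acct_id] = amount
    return posted, rejected

def run_constructed_example():
    # Constructed sample pool: account B matures inside the profit period.
    start, end = date(2024, 1, 1), date(2024, 4, 1)
    accounts = [
        Account("A", Decimal("10000"), date(2023, 12, 1)),
        Account("B", Decimal("20000"), date(2024, 1, 1), date(2024, 2, 15)),
        Account("C", Decimal("5000"), date(2024, 3, 2)),
    ]
    shares = allocate(accounts, Decimal("1960.00"), start, end)
    posted, rejected = post_and_reconcile(accounts, shares, end)
    return shares, posted, rejected

if __name__ == "__main__":
    shares, posted, rejected = run_constructed_example()
    print("shares:", shares)
    print("posted:", posted)
    print("rejected (needs review):", rejected)
```

The control to check is that posted plus rejected amounts equal the pool profit; any non-empty rejected set is an allocation exception to investigate.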

4.3 Financing Process Operational Issues

Some of the risks in this area were mentioned earlier. However, attention will be given to a common significant risk. In the conventional lending world, the loan is given (booked) when it is processed or upon approval. Most of the IT systems in the conventional banking segment are based on this model. In the previous illustration relating to the intricacies of the IF model, a financing transaction is not usually recognised or booked by the IFI until the customer signs the financing contract, be it a murabahah or an ijarah contract or any other Shari’ah-compliant contract. In other words, even if the IFI approves the “finance” application, the transaction is not recognised or booked in the records of the IFI until the customer (or the borrower) signs the relevant contract.

5. CONCLUDING REMARKS

ITSs are considered nowadays a primary pillar for the success of any business, especially financial institutions.

Having effective systems in place is vital to the IF industry, in part because of the complexity of the IF operating model, as this would significantly mitigate the operational risks highlighted above.

Regardless of the fact that the IF industry is still in its infancy and faces major challenges (e.g., standardisation, innovation, and regulation) that it needs to overcome, the deficiencies of the systems available for the IF industry represent a major threat to the Shari’ah compliance of the IFIs, as well as a more general obstacle to the growth of the industry. Such deficiencies require immediate attention and drastic action by the industry itself.

The industry has to fast-track well-orchestrated and well-defined initiatives to develop robust and effective ITSs (or platforms) to assist the IFIs to grow and to address their day-to-day challenges—and most importantly, to mitigate the IT risks they are facing in their day-to-day operations.

Until then, the IFIs can only do their best to work around the current imminent risks and try to find applicable ad hoc remedies.

NOTE

1. The same might apply to a largely conventional banking group with Islamic banking subsidiaries.
