S/N Risk Type Operational

Cause Agent lack of capacity.

Risk Description Risk resulting from Agents low number of staff and/or lack of knowledge on the Bank's products and standards required to provide service at an acceptable level.

Credit/Financial Agent unable to honor Risk of loss resulting from agent being unable to re-fund obligations to the bank his/her overdrawn account.

Operational

Inadequate physical Risk of loss resulting from robbery and/or inadequate or no security and/or insurance insurance covers by the agents. covers.

Operational

Lack of equipments to support service offering

Agent may not have all or some of the equipments that are crucial to running bank Agency activities

Operational

Lack of equipments to support service offering

Agent may not have all or some of the equipments that are crucial to running bank Agency activities

Operational

Dishonest staff at the Agent may allocate dishonest staff to perform banking Agent. services and/or Agent may not have required capacity to timely identify fraudulent transaction/activies.

Operational

Poor quality equipments

of Unavailability of service due to Outdated systems/obsolete equipments

Operational 7

Abuse of Point of sale devices

Point of sale devices may be used to commit fraudulent transactions i.e. may be connected to the Bank's network before Agent's signing off receipt or Bank have not signed off receipt of malfunctioning POS from the Agent.

Operational

Abuse of Data

Agents may abuse the Bank's data or defraud the Bank if they can have full access to the computer system/network.

Compliance 9

Claims/penalty/Law suits Customer suing the bank due to Agents violation of duty of secrecy

Compliance

Non Compliance AML regulations

with Agent may not comply with KYC requirements for AML.

10

Operational

Inadequate accounting, Risk of loss resulting from inadequate accounting, Reconciliation and wrong reconciliation and cards being delivered to wrong recipient and delivery of Bank cards same used to defraud the Bank.

11

Operational

Channel failure

Loss of reputation resulting from frequent system failures and/or slowness as a result of increase in traffic caused by multiple people accessing the Bank's network at time and/or increase in transactions.

12

Operational 13

Agent/CRDB Link

Data, as it travels between the two points, is subject to illegal tapping (unauthorized access).

Operational 14

Agent/CRDB Link

Data is subject to interception in which data maybe diverted away and unwanted data injected into the stream.

Operational 15

Agent/CRDB Link

It is also possible to spoof source addresses and cause denial of service attacks.

Operational 15

Agent/CRDB Link

It is also possible to spoof source addresses and cause denial of service attacks.

16 Operational

Difficult to identify macro level problems, and failure to have Absence of Central bank reference guide in case of disputes with the Agents or regulation customers

Risk impact Reputation loss Financial losses due to errors/ Data entry errors Customer complains and claims due to delays

Priority

High

Mitigation Owner > Contract to specify Minimum level of manpower needed, skills, and financial ability of the Agent. DCA > Bank to impart product and DRB process knowledge to agent's staff DMRCS through training and other written materials describing the bank's product features and or benefits. > Agents to trade on their own funds and Bank to implement a system driven control to restrict agent accounts to allow any debit transaction when the account balance reaches TZS 100K or preset credit threshold. This to be captured in the contract as well.

Financial loss to the Bank

High

> Debit limit to be set for those agents qualifying for credit facilities after conducting an end to end review of the Agent's business by Credit Department, Debit limits shall be supported by adequate collaterals. Interest rate on ODs to be negotiated depending on the market. > Bank to prescribe minimum Agent selection and business granting criteria on which location and security to be one of the aspects to be considered. > Contract to clearly indicate the requirement for the Agent to insure his/her business and Bank to monitor cash levels at the agent (monitoring approach to be both offsite and onsite).

DRB DF DC

Financial and reputation loss to the Bank

High

DRB

Delay of service to Customers

> Bank/Contract to specify Minimum level of facilities/equipment needed, and financial ability of the Agent. > Bank to provide the key equipment(s) to the agent to facilitate smooth operations and online transactions at the Agent business (e.g. Point of sale devices)

High

DRB DICT

Reputation loss to the bank

> Bank/Contract to specify Minimum level of facilities/equipment needed, and financial ability of the Agent. > Bank to provide the key equipment(s) to the agent to facilitate smooth operations and online transactions at the Agent business (e.g. Point of sale devices)

High

DRB DICT

Fraud/Theft - Financial loss

High

Bank to prescribe minimum preventive and detective controls at the Agent. In addition, Bank shall monitor the Agent operations using both offsite and onsite reviews of activities and controls effectiveness.

DRB

Customer complaints/reputation loss

Medium

Contract to specify Minimum level of Equipment needed, and financial ability of the Agent. In addition, the Bank shall repair and/or replace DRB malfunctioning point of sale devices DICT with new ones.

Financial loss Medium

A procedure prescribing the process of handling POS from and to the Bank should be developed - Also the DRB contract to specify the DICT responsibilities of both parties with regards to handling these devices. Agents shall not be given full access to the Bank's data/computer system. Agents shall only be given right to access their account(s) only, and this is to be done through special devices DICT provided by the Bank.

Reputation and financial loss

High

Monetary loss from paying damages

Bank to provide routine training to Agent staff/ Periodic review of Agent activities.

DRB

Reputation loss

Fines/Temporary revocation penalties as per AML Act

of

license

and High

> With regard to account opening the Bank Shall provide the standard KYC templates to be used to collect key information when establishing new relationship. > Information process flow to be developed by the Bank on how the KYC forms/information shall reach the bank or same to be retained by DRB the agent provided that it is covered in the contract and the Agent can retain the documents for a period of at least five years as required by the Law. If this option is selected Bank must have a mechanism to update the collected information in its database.

Reputation and financial loss

High

Bank to develop a process on how the accounts will be opened at both i.e. in the Bank and at the Agent, how the cards will be linked to the accounts, how the cards and PINs will be handled and/or delivered to the agents and how the reconciliations if any will be performed and by who, when and how.

DRB DF

Reputation loss resulting from unavailability of services to the entire bank customers

High

Bank shall ensure that it has enough communication infrastructures to accommodate the forecasted growth in transactions (this should be in the form of communication lines i.e. bandwidth, servers, back up links etc).

DICT

Fraud/Theft High

Use of Data protection systems/Encryption. DICT

Unavailability of services to the customers High

Use of Data protection systems/Encryption. DICT

Unavailability of services to the customers High

Use of Data protection systems/Encryption

DICT

Unavailability of services to the customers High

Use of Data protection systems/Encryption

DICT

Law suits with Agents/Customers

High

Contract should have dispute resolution clause

DRB DCA

When

Before product and ongoing

launch

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing

Before product launch and ongoing