
Islamic Republic of Afghanistan

Da Afghanistan Bank
Risk & Compliance Department General

Risk Management and Compliance Procedure

2020

Approval of the High Council
Number: [ ]
Date:

The Risk Management and Compliance Procedure of Da Afghanistan Bank is approved by the High
Council of Da Afghanistan Bank in [ ] chapters and [ ] articles.

Table of Contents: Chapter Summary
PART I: GENERAL PROVISIONS
Chapter 1: General Provisions
Chapter 2: Risk Management Committee and Framework
Chapter 3: Risk & Compliance General Directorate
PART II: RISK FRAMEWORK & IMPLEMENTATION
Chapter 4: Risk Assessment General Principles
Chapter 5: Risk Assessment Framework
PART III: COMPLIANCE FRAMEWORK & IMPLEMENTATION
Chapter 6: Risk Register Book
Chapter 7: Compliance Management Principles
Chapter 8: Market Operations Compliance
Chapter 9: Bank Operations Compliance
Chapter 10: Payments Department Compliance

Contents
PART I: GENERAL OVERVIEW
Chapter 1: General Provisions
Article 1: Basis
Article 2: Objectives
Article 3: Scope of Application
Article 4: Definitions
Chapter 2: Risk Management Committee and Framework
Article 5: Risk Management Committee
Article 6: Risk Management Committee Composition
Article 7: Duties and Responsibilities of the Risk Management Committee
Article 8: Meetings of the Risk Management Committee
Article 9: Voting at the Risk Management Committee
Chapter 3: Risk & Compliance General Directorate
Article 10: Organizational Structure
Article 11: Risk Section Responsibilities
Article 12: Compliance Section Responsibilities
Article 13: DAB Embedded Compliance Teams
PART II: RISK FRAMEWORK & IMPLEMENTATION
Chapter 4: Risk Assessment General Principles
Article 14: Risk Appetite/Tolerance
Article 15: Risk Identification, Assessments, Control, and Monitoring
Article 16: Risk Analysis Methodology
Article 17: Business Continuity Planning:
Article 18: Relationship with Management and Comptroller General Office:
Article 19: Professional Standards
Chapter 5: Risk Assessment Framework
Article 20: Summary of Risk Assessment Framework
Article 21: Acceptable (low Impact)
Article 22: Tolerable (low Impact)
Article 23: Intolerable (High Impact)
Article 24: Scale of likelihood
Chapter 6: Risk Assessment Matrices
Article 25: DAB Credit Risk Assessment Matrix
Article 26: DAB Liquidity Risk Assessment Matrix
Article 27: DAB Operational Risk Assessment Matrix:
Article 28: Legal Risk Assessment Matrix
Chapter 6: Risk Registration Book
Article 29: Objective of Risk Register:
Article 30: Risk Identification
Article 31: Risk Description
Article 32: Risk Trigger
Article 33: Risk probability
Article 34: Risk Impact
Article 35: Risk Score
Article 36: Mitigating Controls
Article 37: Residual Risks
Article 38: Accepted risk Probability and accepted Risk Impact
PART III: COMPLIANCE FRAMEWORK & IMPLEMENTATION
Chapter 7: Compliance Management Principles
Article 39: Compliance Risk Management Principles
Article 40: Reporting
Chapter 11: Compliance Function General Procedures
Article 41: List Update Process
Article 42: Screening Process
Article 43: Matching Criteria
Article 44: Evaluating the Quality of Potential matches
Article 45: Issuance of Reports
Article 46: Key performance Indicators (KPI) of DAB Compliance function
Article 47: Sanctions Screening Procedure
Chapter 8: Market Operations Compliance
Article 48: Market Operations Department AML/CFT Compliance Unit
Article 49: FX Auction Compliance
Article 50: Financial Supervision Validation
Article 51: TT Compliance
Article 52: LC/BG Compliance
Chapter 9: Bank Operations Compliance
Article 53: Bank Operations Compliance Section
Article 54: Sanctions Checks
Article 55: Afghani Payment Checks
Article 56: USD Checks
Article 57: Politically Exposed Persons
Chapter 10: Payments Department Compliance
Article 58: Compliance Section in Payment Department
Article 59: International Payments Compliance Checks
Article 60: Exemptions
Chapter 12: Miscellaneous Articles
Article 61: Review and update
Article 62: Attachments
Article 63: Enforcement
Attachment No. 1: TTs Template for Natural Persons
Attachment No. 2: Telegraphic Transfer Checklist – Legal Person
Attachment No. 3: Enhanced Due Diligence
Attachment No. 4: Risk Register Template
Attachment No. 5: Credit Risk Assessment Matrix
Attachment No. 6: Liquidity Risk Assessment Matrix
Attachment No. 7: Operational Risk Assessment Matrix
Attachment No. 8: Legal Risk Assessment Matrix
CAPACITY BUILDING

PART I: GENERAL OVERVIEW
Chapter 1: General Provisions
Article 1: Basis
This charter is enacted based on the provisions set forth in Article 2(1) of the Da Afghanistan Bank Law
and the provisions of the Anti-Money Laundering and Proceeds of Crimes and Counter Financing of
Terrorism Law.

Article 2: Objectives
The objectives of this Procedure are as follows:
(1) To protect the banking and financial system of Afghanistan from money laundering and
terrorism financing risks.
(2) To ensure that Da Afghanistan Bank [“DAB”] systems are protected and any transaction that
takes place through DAB is in accordance with AML/CFT laws, regulations, and standards.
(3) Ensure that DAB departments understand and operate within AML/CFT laws, regulations,
rules, and applicable international standards.
(4) Ensure that DAB line departments develop and enhance tools to strengthen the three lines
of defense to detect, communicate, manage, and report on AML/CFT compliance
risks.
(5) The compliance function supports DAB strategy by establishing clear roles and responsibilities to
help embed good AML/CFT compliance practices throughout DAB operations, using a
risk-based approach aligned with DAB’s risk appetite and risk tolerance limits.
(6) The compliance function at DAB is responsible for deepening the culture of AML/CFT compliance
in DAB by working together with DAB line departments such as Market Operations, Banking
Operations, and Payment to increase trust, accountability, transparency, and integrity in
evaluating, managing, and reporting on AML/CFT compliance risks.
(7) Ensure compliance with all issued laws, regulations, instructions, and circulars.
(8) Conduct compliance risk assessments.
(9) Implement the process of departments’ self-assessment (Risk Control Self-Assessment,
RCSA) and analyze the results received from DAB’s departments.
(10) Develop a compliance testing plan, conduct regular compliance testing, and report any
discrepancy to the DAB Risk Management Committee and the DAB Executive Board.
(11) Develop, update, and review the compliance register.

Article 3: Scope of Application


This Procedure is applied by the Compliance Department General to all Da Afghanistan Bank
departments and to other activities of Da Afghanistan Bank with respect to other banks, to ensure
the compliance of their transactions.

Article 4: Definitions
The terms below shall have the following meanings in this Procedure.
1. Compliance Function: Means the authorized and responsible team[s] for advising on and
for managing this Procedure within the Da Afghanistan Bank Departments.
2. Compliance Risk: Means the risk of impairment of DAB’s integrity arising from a failure (or
perceived failure) to comply with Afghanistan’s Anti-Money Laundering and Proceeds of
Crimes Law and Counter Financing of Terrorism Law and other applicable international
standards.
3. Management: Means the Governor, Executive Board, High Council, and Department
Generals of the Bank.
4. Business Continuity Plan (BCP): Means a documented collection of procedures and
information that are developed, compiled, and maintained in readiness for use in an incident
to enable an organization to continue to deliver its critical products and services at an
acceptable predefined level.
5. Business Continuity Planning: The process of developing prior arrangements and
procedures that enable an organization to respond to an event in such a manner that critical
business functions can continue within planned levels of disruption. The end result of the
planning process is the BC Plan.
6. Compliance Risk: Risk of legal or regulatory sanctions, material framework loss, or loss to
reputation a business may suffer as a result of its failure to comply with laws, regulations, rules,
related self-regulatory organizational standards, and codes of conduct applicable to its business
activities.
7. Counterparty Risk: Risk to each party of a contract that the counterparty will
not live up to its contractual obligations.
8. Credit Risk: The risk of loss arising from a borrower or buyer who does not make payments
as promised in a transaction. Such an Event is called a default (AKA Default Risk).
9. Crisis Management: The process by which an organization manages the wider impact of any
situation until it is under control or a full BCP is invoked. It can be used in situations in which
the main activities are external such as dealing with malicious rumors, hostage taking, product
failure, or product recall.
10. Enterprise Risk Management: A process, effected by the Board of directors, Management,
and other personnel, applied in strategy setting and across the enterprise, designed to identify
potential events that may affect the entity and to manage risk to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity objectives.
11. Event: An incident or occurrence, from sources internal or external to an entity that affects
achievement of objectives.
12. Impact: Result or effect of an Event. There may be a range of possible impacts associated
with an event. The impact of an event can be positive or negative relative to the
entity’s related objectives.
13. Independent Non-executive Directors: Those Non-executive Directors who do not have
any pecuniary relationship or transactions with the organization, its subsidiaries, and its
management that, in the opinion of the board, will affect their independence of judgment.
14. Internal Control: A process, effected by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of
objectives in (i) effectiveness and efficiency of operations; (ii) reliability of financial reporting;
(iii) compliance with applicable laws and regulations.
15. Key Risk Indicators: Metrics used by organizations to provide an early signal of increasing
risk exposures in various areas of the enterprise.
16. Legal Risk: The risk of a loss being incurred on account of the unexpected application of a
law or regulation, or because a contract cannot be enforced.
17. Liquidity Risk: A risk that a party in a transaction suffers losses because a transaction cannot
be carried out due to the lack of liquid funds by either party. In terms of the financial market, a risk
that the market as a whole runs out of liquidity, and thus transactions are delayed.

18. Market Risk: The risk that results from the characteristic behavior of an
entire market or asset class.
19. Non-executive Directors: Directors who do not hold executive management responsibilities
within the organization.
20. Operational Risk: The risk of loss resulting from inadequate or failed internal processes,
people, and systems or from external events. This definition includes Legal Risk but excludes
Strategic and Reputation risk.
21. Opportunities: The possibility that an Event will occur and positively affect the achievement
of objectives.
22. Reputation Risk: Risk arising from negative perception on the part of customers,
counterparties, shareholders, investors, or regulators that can adversely affect an organization’s
ability to maintain existing, or establish new, business relationships and continued access to
funding.
23. Risk: Anything that can keep an enterprise from meeting its objectives.
24. Risk Analysis: The process to comprehend the nature of risk and to determine the level of risk.
25. Risk Appetite: The broad-based amount of risk that DAB is willing to accept in pursuit of
its mission.
26. Risk Assessment: Process of identifying the risks to an institution, assessing the critical
functions necessary for an institution to continue its business operations, defining
the controls in place to reduce organization exposure and evaluating the cost for such controls.
Risk analysis often involves an evaluation of the probabilities of a particular Event.
27. Risk Culture: A system of values and behavior that is present throughout DAB and that shapes
risk decisions.
28. Risk Governance: Governance refers to the structure and process for the direction and
control of companies. Risk governance applies the principles of good governance to the
identification, assessment, management, and communication of risks. It incorporates the
principles of accountability, participation, and transparency in setting the policies and
structures to make and implement risk related decisions.
29. Risk Management: Coordinated activities to direct and control an organization with regard
to risk.
30. Risk Management Framework: The complete set of components that provide the
foundations and organizational arrangements for designing, implementing, monitoring,
reviewing, and continually improving Risk Management throughout the organization.
31. Risk Management Policy: A statement of the overall intentions and direction of an
organization related to risk management.
32. Risk Management Process: The systematic application of management policies,
procedures and practices to the activities of communicating, consulting, establishing the
context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk.
33. Risk Manager: An officer of the Risk Management Department responsible for risk
management of DAB. The position reports to the Director General Risk Management and
Compliance Department.
34. Risk Measurement: The evaluation of the likelihood and extent (magnitude) of a risk.
35. Risk Tolerance: The acceptable variation relative to the achievement of an objective.
36. Strategic Risk: The risk of loss resulting from failure in execution of a business strategy.
37. Threat: A downside, adverse risk event.
38. Uncertainty: The spread in estimates for schedule, cost, performance arising from the
expected range of outcomes.

39. Risk Management Committee: A Committee established to propose solutions regarding
the risk management to the Governor and the Executive Board.

Chapter 2: Risk Management Committee and Framework


Article 5: Risk Management Committee
The Risk Management Committee is established to obtain the following objectives:
1. To ensure the existence of a strong risk management system; and
2. Support the strategy, identification, evaluation, management, and control of risk at DAB.

Article 6: Risk Management Committee Composition


The Risk Management Committee is composed of the following members:
1. Governor;
2. First Deputy Governor, or if unavailable, Second Deputy Governor;
3. Market Operations Department General;
4. Banking Operations Department General; and
5. Compliance Department General Director shall act as secretariat of the committee

Article 7: Duties and Responsibilities of the Risk Management Committee


The Risk Management Committee shall have the following duties and responsibilities:
1. Approval of risk strategy;
2. Approval of compliance strategy;
3. Ensuring the existence of sufficient resources and systems to manage risks;
4. Provision of proposals regarding risk management;
5. Development of the Compliance Department Tashkeel in close coordination with HR
Department General and the Chief of Staff;
6. Evaluation and assessment of the risk management plans;
7. Decision making in emergency situations.

Article 8: Meetings of the Risk Management Committee


(1) The Risk Management Committee shall convene meetings on a quarterly basis.
(2) The meeting minutes of the Risk Management Committee shall be shared with the Chief of
Staff within 3 days after each meeting.
(3) The meetings of the Committee can be convened on the request of the chairman of the
Committee.
(4) The agenda of each meeting shall be shared with the Committee members at least 10 days prior
to the meetings.

Article 9: Voting at the Risk Management Committee


(1) Each Committee member shall have the right to vote only once.
(2) The meeting quorum shall be completed by the presence of the majority of the members of the
Committee.
(3) Decisions of the Committee shall be taken by a simple majority of the votes present at the meeting.
(4) In case of equal votes, the chairman’s vote shall be the deciding one.

Chapter 3: Risk & Compliance General Directorate

Article 10: Organizational Structure


(1) The Risk and Compliance General Directorate is comprised of a Risk Management section
and a Compliance section.
(2) The Risk Management section has the responsibility for the development and implementation
of the risk management framework.
(3) The Compliance section has responsibility to oversee the compliance function.
(4) Both departments report to the Risk Management Committee through the Risk and
Compliance General Director on a quarterly basis and provide updates on risk and compliance
issues.

Article 11: Risk Section Responsibilities


The Risk Management section:
(1) Is a unit within the Risk and Compliance General Directorate.
(2) Will have access to all business lines that have the potential to generate material risk to the
Bank. Line managers are required to cooperate with the Risk Managers.
(3) Coordinates the effective and efficient running of the Bank’s Risk Management Process,
which encompasses identification, assessment, control, and reporting of risks.
(4) Is responsible to:
1. Ensure the accuracy, completeness, and update of the Risk Register;
2. Ensure adequate and feasible risk control measures are in place;
3. Ensure risks are effectively monitored, updated, controlled and reported in accordance
with the limits and parameters set by the Supreme Council;
4. Coordinate the running of the Risk Management Committee on a quarterly basis; and
5. Advise the Supreme Council, the Risk Management Committee, and the Executive
Board on technical matters related to risk management.
(5) Supports the DAB Supreme Council and the Risk Management Committee in the management of the
Risk Management Framework and in proposing relevant Risk Management Policies and Risk
Appetite/Tolerance limits.
(6) Is responsible for coordinating the process to identify, measure, control, or mitigate, treat,
monitor, and report on risk exposures. Specific duties of the Risk Management section within
the Risk Management Framework

Article 12: Compliance Section Responsibilities


The Compliance section shall have the following duties and responsibilities:
1. Establish a Compliance framework and ensure this framework and other related corporate
Compliance policies are implemented;
2. Ensure adequate compliance monitoring and control;
3. Develop, maintain, advise on, endorse and communicate new and changed DAB Compliance
policies and minimum standards;
4. Ensure timely and appropriate reviews of Compliance and Risks issues;
5. Ensure accurate and timely reporting on Compliance issues to the Governor and the
Executive Board;
6. Provide daily FTT reports to the Governor;
7. Ensure quarterly compliance reports to the Risk Management Committee;

8. Meet quarterly with the Chairman of Risk Management Committee and report on compliance
issues;
9. Manage the day-to-day operations of DAB Compliance department;
10. Manage consolidated internal and external reporting on the status of Compliance Risks and
Compliance frameworks across DAB.
11. In terms of general principles, the first line of defense is the operational department that owns
and should manage the risk affairs. Each department puts in place approved policies and
procedures to ensure systems are secured from AML/CFT risks.

Article 13: DAB Embedded Compliance Teams


(1) Compliance Department General has embedded its compliance function into DAB operations
and deployed one team in Bank Operations Department, one team in DAB Market Operations
Department, and one team into Payment Department.
(2) All teams are fully independent of the operational departments and report directly to the Risk
Committee through the Risk Management and Compliance Department.
(3) The teams will utilize a sanctions screening process to detect, prevent, and manage sanctions
risk. Sanctions screening is done to identify sanctioned individuals and organizations and
protect DAB from sanctions risks.

PART II: RISK FRAMEWORK & IMPLEMENTATION


Chapter 4: Risk Assessment General Principles

Article 14: Risk Appetite/Tolerance


(1) The Risk Management Section is responsible for providing input to the Risk Management
Committee in setting the Risk Appetite and Risk Tolerance for DAB. The section specifically
performs the following tasks:
1. Provide analytical support for the setting of Risk Appetite/Tolerance levels, including
specific internal limits for various risk categories such as liquidity management; and
2. Review at least annually or upon request by the Committee the Risk Appetite /
Tolerance based on changes and development of the Bank’s strategy and the legislative
and regulatory requirements, and make recommendations to the Risk Management
Committee as appropriate.

Article 15: Risk Identification, Assessments, Control, and Monitoring


(1) The Risk Management section under the Risk Management and Compliance Department is
responsible to:
1. Set up the Risk Management Process based on Basel Committee Standards;
2. Set up the risk identification and assessment methodologies, and provide technical
support on the issues of risk management to DAB management and DAB line
departments;
3. Coordinate periodic risk assessments by:
a. Checking DAB’s risk exposures against approved risk limits
b. Managing the overall Risk Appetite/Tolerance levels as well as sub-limits by
risk categories/units/countries and reporting exceptions
4. Monitor the key risks and Key Risk Indicators, report irregularities, escalate risk issues
and recommend corrective actions;
5. Coordinate the set up and maintenance of a Risk Register and other risk information
with clearly defined risk categories and risks;
6. Provide analytical and administrative support to the DAB department in Risk
Assessment and Measurements;
7. Facilitate the integration of Risk Management into daily business operations;
8. Support the implementation of an enterprise-wide Risk Management Process in
accordance with international standards (such as ISO 31000); and
9. Review periodically, under the direction of DG Risk Management and Compliance,
the effectiveness of the Risk Management System in light of changes to its risk profile
and the external risk landscape.

Article 16: Risk Analysis Methodology


(1) The Risk Management and Compliance Department uses the following quantitative risk analysis
methodology to assess risks.

Threat Likelihood

| Definition | Weighted Factor Likelihood |
|---|---|
| The source of Risk is very strong and current internal controls are not sufficient to mitigate the risk. | High Risk (1.0) |
| The source of Risk is very strong, but internal controls exist and therefore the magnitude of impact is medium. | Medium Risk (0.5) |
| The source of Risk is not very strong and the current controls are sufficient to mitigate the risk. | Low Risk (0.1) |

Magnitude of Impact

| Definition | Impact Score |
|---|---|
| High Risk is a situation when the integrity, confidentiality, or availability of information is compromised. Moreover, a situation in which the operation, assets (physical or intellectual), or personnel of DAB are harmed in an irreversible manner. For instance, if DAB assets are stolen or damaged to an irrecoverable extent or if a DAB employee’s health is compromised, it is high risk. | High Impact-100 |
| Medium Risk is a situation when the integrity, confidentiality, or availability of information is at risk of being compromised. However, DAB has put internal controls in place to mitigate the risk. Moreover, the compromise of the information is recoverable and does not cause permanent or reputational impairment for DAB. | Medium Impact-50 |
| Low Risk is a situation when the integrity, confidentiality, or availability of information is at risk of being compromised. However, DAB has sufficient controls to mitigate the risk. The likelihood of such events is very low. | Low Impact-10 |

Article 17: Business Continuity Planning:


(1) The High Council approved the Business Continuity and Disaster Recovery plan in July 2017.
(2) The Risk Management section is responsible to:
1. Manage the development, update, and implementation of the Business Continuity Plan
(BCP);
2. Provide inputs, support, and liaison as required to DAB business units on the business
continuity planning process to ensure plans are up to date and relevant;

3. Schedule and coordinate regular testing of plans;
4. Coordinate the escalation of the risk issues to the Risk Committee, via DG Risk
Management and Compliance, and activation of the BCP; and
5. Coordinate ongoing training, education, and awareness of BCP.

Article 18: Relationship with Management and Comptroller General Office:


(1) As first line of defense, management is responsible for managing risks and integrating risk
management practices in day-to-day operations.
(2) The Risk Management section shall coordinate and provide technical support to relevant DAB
departments with respect to risk management and check that the Risk Management Policy is
properly implemented:
1. The Risk Management section is responsible for coordinating Risk Assessment and
updating the Risk Register periodically. The assessment findings will be shared with
Comptroller General Office, who will use the information to formulate the annual
audit plan.
2. Comptroller General Office (CGO) is responsible for providing independent
assurance on internal controls put in place by management on the business processes
to detect specific risks and prevent them from happening.
3. The Risk Management section shall work with CGO on identifying internal control
weaknesses in relation to the risks identified and coordinating the
implementation of control measures.

Article 19: Professional Standards


(1) The Risk Management Unit shall adhere to the professional standards required by
Afghanistan’s Banking law, DAB Law, and other regulations enacted by DAB.
(2) The Risk Management Unit will adhere to Basel Committee on banking supervision
standards.
(3) The Risk Management professionals in the Risk Management Unit shall follow the standards
and code of conduct stipulated by the recognized professional organizations, such as the
Institute of Risk Management, and the Global Association of Risk Professionals.

Chapter 5: Risk Assessment Framework


Article 20: Summary of Risk Assessment Framework
1) DAB risks will be classified as acceptable, tolerable, and intolerable.
2) The scale of likelihood will be classified as likely, possible, and unlikely.
3) This matrix framework will be applicable to the following types of risks: credit risk, liquidity
risk, operational risk, and legal risk.

Article 21: Acceptable (low Impact)


(1) This category of risks refers to those risks that have a minimum impact on DAB operations and
are within the DAB risk appetite and risk tolerance.
(2) The Risk Management and Compliance Department will deploy a very small amount of resources to
these risks. For example, a 2-hour delay in the customer payment process due to system failure.

Article 22: Tolerable (low Impact)
(1) These risks will hurt DAB operations and reputation, but the damage is recoverable.
(2) The DAB Risk Management and Compliance Department will deploy resources to mitigate the
consequences. For example, a 1-day delay in the processing of payment due to system failure.

Article 23: Intolerable (High Impact)


These risks will significantly hurt DAB operations and reputation and the damage is very disruptive.
The Risk Management and Compliance Department will deploy a significant amount of resources to manage
these risks. For example, a delay of more than one day in the processing of customer payment due to system
failure.

Article 24: Scale of likelihood


Some risks are more likely to happen than others. The Compliance Department will consider likelihood in
its assessment as follows:
1. Likely: These are the risks that have a higher scale of likelihood. There is a higher chance
of these risks materializing into a loss for DAB.
2. Possible: There is a good chance that these risks will occur, but the existing internal
controls give a ray of hope.
3. Unlikely: These are the risks that have a very small probability of occurring.

Risk rating by scale of likelihood (rows) and scale of severity (columns):
Scale of likelihood | Acceptable | Tolerable | Intolerable
Unlikely | Low | Medium | Medium
Possible | Low | Medium | High
Likely | Medium | High | High
Chapter 6: Risk Assessment Matrices


Article 25: DAB Credit Risk Assessment Matrix
(1) Credit Risks Identified: DAB is exposed to credit risk from the Lender of Last Resort
responsibility defined in the Banking Law and Da Afghanistan Bank Law.
(2) Credit Risks Impact: The risk that a DAB employee is unable to repay his/her loan is
acceptable. The risk that a commercial bank is unable to meet its obligations is intolerable
considering the delicate economic and political conditions of Afghanistan.
(3) Credit Risk likelihood: The risk of a commercial bank's failure and subsequent bailout by
DAB as lender of last resort is a possible event on the scale of likelihood. On the other hand,
failure of a DAB employee to repay his/her loan (default) is a possible event on the scale of
likelihood.

Article 26: DAB Liquidity Risk Assessment Matrix
(1) Liquidity Risks Identified: DAB has liquidity risk on two fronts: liquidity risk from
Afghanistan's domestic currency (Afghanis) and liquidity risk from foreign exchange reserves
(USD, EURO, GBP). Foreign exchange reserves risk is managed by the Risk Section (middle
office) of the Market Operations Department. The Risk Management and Compliance Department is
responsible for managing the domestic currency liquidity risk.
(2) Liquidity Risk Impact: DAB has a legal monopoly on the printing of Afghanistan's domestic
currency in accordance with Da Afghanistan Bank Law. The repercussions are intolerable. It
is therefore a high risk issue. In order to mitigate this risk, DAB Risk Management and
Compliance will conduct stress testing once a year to ensure that DAB can meet its obligations
and mitigate liquidity risk.
(3) Liquidity Risk Likelihood: The risk that DAB will not be able to meet its domestic currency
obligation is unlikely.

Article 27: DAB Operational Risk Assessment Matrix:


(1) Operational Risks Identified: Operational risk is the prospect of loss resulting from
inadequate or failed procedures, systems, or policies, including employee errors, systems failures, fraud,
or other criminal activity. DAB has operational risk from its systems such as the Core Banking
Solution (CBS) and its failure. DAB employees' errors and fraud can also cause operational
risks for DAB. An external event such as system hacking by criminals is an IT and operational
risk for DAB.
(2) The Compliance Department is working with all DAB departments to ensure that operational risks
are identified and that appropriate measures are put in place to mitigate the risks.
(3) All DAB departments serve as the first line of defense and must take appropriate measures to
reduce and mitigate risks. The Risk Section of the Risk Management and Compliance Department, as
the second line of defense, works with these departments to improve the existing internal controls
and improve their efficiency and effectiveness.
(4) Operational Risk Impact: Some operational risks are acceptable. The failure of an IT system
for 5 minutes is acceptable. Failure of an IT system for more than 10 minutes is intolerable.
(5) Operational Risk Likelihood: Based on data from the risk assessment conducted between
June and September 2019, it is likely that DAB Systems do not function for 15 minutes.
However, it is unlikely that the systems will function for more than 2 hours.

Article 28: Legal Risk Assessment Matrix


(1) Legal Risks Identified: DAB is exposed to legal risks from its domestic operations and
international activities. Legal risks to DAB can arise from compliance risks and contractual
risks.
(2) Compliance risk is the risk that DAB violates certain laws, regulations, or other applicable
treaties including but not limited to AML/CFT issues. DAB may be sanctioned by national or
international institutions for violating these laws, rules, and regulations. On the other hand,
contractual risk is the risk that DAB is unable to enforce a contract or meet its obligations.
(3) Legal Risk Impact: The violation of AML/CFT law, regulations, or other international
standards will have severe and intolerable repercussions for DAB reputation and the risks of
sanctions and fines.

(4) Legal Risk Likelihood: It is unlikely that DAB systems might be used for money laundering
or terrorism financing because of its robust compliance program.

Chapter 7: Risk Registration Book


Article 29: Objective of Risk Register:
The DAB risk registration book is maintained to meet the following objectives:
1. Provide a useful tool for reducing the impact and managing risks in DAB Operations.
2. Document risk mitigation strategies currently in place in response to the identified risks and
their grading in terms of likelihood and impact.
3. Provide Risk Management Committee and Executive Board with a documented framework
from which risk status can be reported.
4. Ensure that risk management issues are communicated to key stakeholders.
5. Provide a mechanism for getting and acting upon feedback from key stakeholders.
6. Identify the mitigation actions required for implementation of the risk management
framework and its associated costs.

Article 30: Risk Identification


(1) Risk Management and Compliance Department will conduct annual risk assessment of DAB.
(2) Risk Management section of the department is responsible to assess the risks of DAB
departments on annual basis.
(3) Annual compliance risk assessment is also a part of the program. At the end of each risk
assessment, the Risk Management Section of the department will prepare a written report and
present it to DG Risk Management and Compliance Department for review.
(4) After the review of each risk assessment report, DG Risk Management and Compliance
Department will present the report to DAB Executive board and to DAB Risk Management
Committee for further steps. The identified risks will be recorded in DAB Risk Register after
each risk assessment.
Article 31: Risk Description
DAB is exposed to market risks, liquidity risk, operational risk, and reputational risks. Market risks
arises from DAB investments and is managed by Risk Management Section of Market Operations
Department. Risk Management and Compliance Department will focus on liquidity, operational and
reputational risks of DAB.

Article 32: Risk Trigger


(1) A risk trigger is an event or condition that causes the risk to materialize. In some cases, risk
triggers can be identified in advance and mitigating strategies are in place.
(2) In other cases, the exact trigger of the risk is unknown in advance. For example, reputational
risk is important for all banks, but it is nearly impossible to predict and identify all risk triggers
that can cause reputational damage.
(3) The annual risk assessment of different DAB departments by the Risk Section of the Risk Management
and Compliance Department will identify risk triggers and recommend mitigating strategies to the
DAB Risk Management Committee on a quarterly basis and to the DAB Executive Board on a
monthly basis.

Article 33: Risk probability
(1) Risk probability is the chance that the risk will occur. By definition, a risk is a probability of loss.
The Risk Section of the Risk Management and Compliance Department will use the following methods
to model risk probability at DAB.
1. Qualitative approach to Risk Probability: In qualitative approach to risk
probability, the risk section of Risk Management and Compliance Department will
assign a rating of low, medium, and high risks based on historical data and past
experiences. This will also include the expertise of the risk management staff.
2. Quantitative approach to Risk Probability: In this approach, a numerical figure will
be assigned to a risk probability. For example, 50% probability will be given 0.5.
Article 34: Risk Impact
Risk impact refers to an estimate of the potential losses associated with an identified risk. During a
risk assessment process, the risk section of Risk Management and Compliance Department will assess
the existing safeguards of DAB and analyze the risks to predict risk impact.
Article 35: Risk Score
(1) Risk score is a calculated number (score) that reflects the severity of a risk due to some factors.
Risk scores are calculated by multiplying probability and impact. In order to calculate the risk
score, we need to assign a value to each of the probability and impact levels (e.g. 1, 2, 3, 4, and
5). Our matrix now includes these values for each label.

Label | Probability | Cost | Schedule | Safety
Very Low: 1 | 1 in 100 | < 1% | 1 day | Non injury accident
Low: 2 | 1 in 10 | 1-5% | < 1 week | Requires medical attention
Medium: 3 | 1 in 5 | 6-10% | 2 weeks | Requires hospitalization
High: 4 | 1 in 2 | 11-20% | 1 month | > 1 day work lost
Very High: 5 | ≥ 1 in 2 | > 20% | > 1 month | > Fatality

(2) If we had a risk that was assessed to have a high probability and medium impact, it would land
on the matrix as shown below.
1. The risk score = High (4) x Medium (3) = 12
2. Risk scores can then be further defined into categories such as Catastrophic, Serious,
Moderate, and Low based on the calculated score:
• Catastrophic: ≥ 15
• Serious: ≥ 10
• Medium: ≥ 5
• Low: ≤ 4

Article 36: Mitigating Controls


The Risk Section shall analyze the existing mitigating controls and advise the Governor or the
Executive Board on how to improve these controls.

Article 37: Residual Risks
Residual risks refer to the risks that remain after applying the internal controls. These risks are either
unknown, beyond the control of DAB, or are not very serious.

Article 38: Accepted risk Probability and accepted Risk Impact


(1) Accepted risk probability is the amount of risk that DAB management accepts in order to
pursue the business objectives.
(2) The Governor or the Executive Board decides on the accepted risk probability and accepted
risk impact.
(3) Risk Section of Compliance Department General will work with other departments to help
them operate within the accepted risk probability and accepted risk impact.

PART III: COMPLIANCE FRAMEWORK & IMPLEMENTATION


Chapter 8: Compliance Management Principles

Article 39: Compliance Risk Management Principles


(1) Line departments shall be the first line of defense with regard to risk management.
(2) The Financial Supervision Department will have a section to check the names of auction
participants and shareholders, beneficial owners, their close associates, and other senior
officials of licensed banks and financial institutions against the UN, OFAC, EU, and DAB prohibited
entities sanctions lists and ensure that anyone involved with DAB is not a sanctioned
individual or entity.
(3) The second line of defense for compliance and control shall be the Risk Management. The
Compliance Department annually assesses DAB AML/CFT risks and tests the effectiveness of
policies and procedures, identifies known and emerging issues, and helps the relevant Department
Generals in developing and establishing controls to manage risks more effectively. The following shall
be considered by the Compliance Department in terms of the second line of defense:
1. The Risk Management and Compliance Department maintains a risk register to record any
compliance related violation and the risk that the violation will pose.
2. Risk register data is used as “lessons learned” in accordance with the FCPA guide and
for training and development of employees and planning of future compliance programs.
3. The Compliance Department also helps in updating policies and procedures and supports
DAB in conducting training and development programs for AML/CFT compliance.
(4) The third line of defense is the internal audit department, formally known as the Comptroller
General Office (CGO). The Comptroller General Office is functionally independent from the
management and reports directly to the Audit Committee of the High Council. The following shall be
considered regarding the third line of defense:
1. The Comptroller General Office reviews all records and provides an independent and
objective opinion on the effectiveness and efficiency of the internal control system.
2. The Comptroller General Office conducts annual planned audits and gives reasonable
assurance to the management that the internal control system is functioning and that
DAB departments have operated within the pre-defined criteria.
3. The Comptroller General Office meticulously reviews all documents and ensures that
the AML/CFT laws and regulations are implemented.

Article 40: Reporting
(1) The Compliance Department shall provide a monthly report to the Risk Management
Committee, and present its findings to the Risk Management Committee on a quarterly basis.
(2) The Compliance Department shall provide daily FTT requests for the Governor’s signature.
(3) The Compliance Department shall provide a weekly FTT transaction summary report to the
Governor.

Chapter 9: Compliance Function General Procedures

Article 41: List Update Process


(1) Compliance Department shall consider UN, OFAC, EU, and FINTRACA sanctions lists. Any
individual or entity on UN, OFAC, EU, and FINTRACA list is prohibited from doing
business with DAB.
(2) For the above purpose, DAB uses an automated sanctions screening license from Refinitiv
(World-Check system). The World-Check system automatically updates any changes in the UN,
OFAC, and EU sanctions lists.
(3) FINTRACA updates the Risk Management and Compliance Department on any changes to its
sanctions and watch list individuals and entities.
(4) FINTRACA shall send updated lists via official email to the Risk Management and Compliance
Department immediately.

Article 42: Screening Process


(1) Risk Management and Compliance Department shall use an automated screening system (The
World Check system) to screen against UN, OFAC, and EU sanction list.
(2) FINTRACA internal lists will also be considered and all natural or legal persons dealing with
DAB will be checked.
(3) In case of Telegraphic Transfer, name of the person or name of the company (beneficiary)
will be checked in World Check System to ensure that they are not on sanctions lists.

Article 43: Matching Criteria


(1) Matching criteria is designed to improve and maximize alert quality and minimize the number
of low quality or irrelevant matches.
(2) For a natural person, name, surname, date of birth, nationality, and place of birth details will
be used. For instance, if the name and surname of an individual appear to match someone in
the sanctions lists, then the compliance team shall ask for a copy of a valid electronic
passport and cross check other details such as date of birth, place of birth, and nationality.
(3) If these details match very closely, then the transaction shall be stopped and the individual
shall be asked to provide source of funds, source of wealth, bank statement of the last one
year, and business history.
(4) If the close match is a legal entity, then the entity will be asked to provide legal business license,
tax returns of the last three years, and bank statements of the last one year to check the history
of the business activities.

Article 44: Evaluating the Quality of Potential matches
(1) Compliance Managers stationed at DAB departments will evaluate the quality of close
matches and recommend further action to be taken.
(2) The evaluation will involve determining if the close match is true or false and what further
action shall be taken.
(3) The evaluation of the quality of potential matches is rooted in the amount of information
available in the World Check System and the amount of information DAB is legally authorized
to collect about the customer.
(4) Risk Management and Compliance Department shall collect as much information as possible
and cross check it with the information from the World Check system to improve the quality
of the evaluation of the close matches.

Article 45: Issuance of Reports


(1) Risk Managers deployed in DAB departments are responsible to prepare a written report about
any close match or high risk customer and present the report to DG Risk Management and
Compliance Department for approval or rejection of a transaction.
(2) DG Compliance shall report the above to the Governor or the Executive Board for
instructions on the next steps.
(3) DG Compliance is responsible to report all these matters to the Governor.
(4) DG Compliance shall share a report on the FTT’s related matters on weekly basis to the
Governor.

Article 46: Key performance Indicators (KPI) of DAB Compliance function


The Compliance Function uses the following indicators to assess the performance, efficiency, and
effectiveness of the compliance function:
1) Number of times and how often the DAB code of conduct was violated in one year.
2) Conflict of interest disclosure rates by DAB senior officers and senior management.
3) The number, type, and amount of gifts/entertainment given, received, and offered by or to DAB
employees.
4) Number of sanctioned and high risk individuals or entities identified and proper action taken.
5) Number of individuals and entities checked against sanctions lists and proper compliance
action taken.

Article 47: Sanctions Screening Procedure


(1) The Compliance Department shall consider UN, OFAC, EU, and DAB (FINTRACA) sanctions
lists. Any individual or entity on these lists is not eligible to use DAB facilities and systems and
is not allowed to purchase USD banknotes in DAB auctions. All individuals and entities are
checked in the World Check system. The DAB sanctions list is updated by FINTRACA and is
communicated to the Risk Management and Compliance Department.
(2) All individuals or entities that intend to purchase USD banknotes from DAB or wire transfer
money using DAB systems are screened against UN, OFAC, EU, and DAB sanctions lists.
The name of the entity, its owner, and senior directors is checked in the World Check system. If
there is a close match, the transaction is stopped immediately and further information and
documentation is requested.

(3) A close match for an individual means that the name and surname match 100%. Then the
compliance team will look at other details such as date of birth and place of birth (nationality).
The compliance team is authorized to collect additional details such as tax clearance and police
clearance to ascertain whether the close match is true or false. The compliance section manager
is responsible for searching for adverse media and other details to establish whether the close match is
true or false.
(4) If a close match is true and the person or entity in question is a UN, OFAC, EU, or DAB
sanctioned entity, then the compliance manager will write a concise report and send it to the DG
Risk Management and Compliance Department.
(5) At the same time, the compliance manager will report the suspicious transaction to
FINTRACA for further follow-up and action.
(6) The DG Risk Management and Compliance Department updates the Governor and/or Executive
Board on a regular basis and reports to the DAB Risk Management Committee quarterly.

Chapter 10: Market Operations Compliance


Article 48: Market Operations Department AML/CFT Compliance Unit
(1) The Compliance Department has a team deployed in the Market Operations Department General.
(2) DAB auction participants screening, International Telegraphic Transfers (TTs), Letters of
Credit and Bank Guarantees are thoroughly checked for AML/CFT risks and corrective
measures are taken immediately.
(3) The Market Operations Department auctions US dollars to the open market to keep the Afghani exchange
rate stable.

Article 49: FX Auction Compliance


(1) The US dollars are auctioned three times per week on Saturday, Monday, and Wednesday in
accordance with DAB Auction Regulation.
(2) Any licensed Foreign exchange dealer, money service provider, bank, or financial institutions
are eligible to participate in auctions in accordance with Auction rules and regulation.
(3) Compliance Unit at Market Operations shall check each and every auction participant in
sanctions lists before each auction and inform market operations department to proceed with
auction.

Article 50: Financial Supervision Validation


(1) At the end of each month, Compliance Unit of Market Operations Department will validate
if Financial Supervision Department licensing section has checked the names of shareholders,
key management personnel, and significant related parties or covered at the newly established
entity in UN, OFAC, EU, and DAB sanctions lists.
(2) Compliance Department shall check name of the participating entity and its beneficial owners
in UN, OFAC, and EU and DAB sanctions lists and ensure that AML/CFT risk is mitigated.
(3) The compliance Unit at Market Operations Department shall develop KYC file for each and
every auction participant that shall include at least:
1. Copy of valid passport /Copy of verified Tazkira
2. Copy of Valid Business License;

3. Copy of Tax Identification Number (TIN Certificate) of the entity
4. Copy of police clearance of beneficial owners.
(4) The Compliance Unit, in case of suspicion, can request additional information such as bank
account statements, last year tax clearance certificate to ensure that all auction participants meet
the Federal Reserve and OFAC requirements and that AML/CFT risk is fully mitigated.

Article 51: TT Compliance


(1) Telegraphic Transfers (TTs) are for Compliance Unit in Market Operations Department shall
be used to transfer money internationally.
(2) TTs are required for all some commercial banks in Afghanistan with or without having
corresponding banking relations.
(3) All commercial banks, in accordance with article 11 of Afghanistan’s Counter Financing
Terrorism Law shall check their customers against UN sanctions list and banks must not
provide any services to the sanctioned individuals and entities.
(4) Compliance Unit at Market Operations Department shall re-check the work of commercial
banks and shall ensure that the transfer does not benefit UN, OFAC, and EU or DAB
sanctioned individual or entity.
(5) All commercial banks in Afghanistan for a telegraphic transfer must provide at least:
1. Name of the Bank to which the transfer is taking place;
2. Account Number;
3. Full name of the beneficial owner;
4. Valid Passport/ID Number;
5. Address of the beneficiary and the bank;
6. Purpose of the transfer;
7. Relationship with sender;
8. Phone number;
9. Copy of invoice from the company/Copy of contract for Central Asian countries
/IRoA
10. Copy of valid business license;
11. Copy of Tax Identification Number (TIN certificate) of the sender and if possible Tax
clearance certificate from previous year; and
(6) The Compliance Unit shall collect the above information from the concerned commercial bank
in and shall fill out the Telegraphic Transfers Checklist and complete the requirements of the
checklist. Telegraphic Transfers Checklist is attached to this Procedure as Attachment No. 1.

Article 52: LC/BG Compliance


(1) Market Operations Department opens Letter of Credit (LCs) and Bank Guarantees for the
government of Afghanistan institutions.
(2) Once a request for an LC or BG is received by the Market Operations Department, the relevant
request and information is shared with the Risk Management and Compliance Department to:
1. Check the names of the entities and its beneficial owners in the World Check system
and ensure that these entities and their beneficial owners are not on UN, OFAC, EU,
and DAB sanctions lists.

Chapter 11: Bank Operations Compliance
Article 53: Bank Operations Compliance Section
(1) Compliance Department has a section deployed at Bank Operations Department.
(2) Bank Operations Department pays all government of Afghanistan contractors and civil
servants. All funds going to government contractors through DAB AML/CFT risk.

Article 54: Sanctions Checks


1) A government contractor might be on sanctions lists. In order to mitigate this risk, the
compliance section at bank operations department shall check all USD payments and names
of the sender and receiver of the funds shall be checked in World Check System.
2) Compliance team at Bank Operations is responsible to check all individuals and entities in
UN, OFAC, EU, and DAB sanctions lists and ensure that any transactions above the threshold
of 500,000 AFN or equivalent in other currencies in accordance with Afghanistan Anti-money
laundering and proceeds of crimes law is thoroughly checked for AML/CFT compliance risks.

Article 55: Afghani Payment Checks


For Afghani payments, any payment above 500,000 AFN is thoroughly checked in the World Check
system. The name of the entity, the name of the beneficial owner, and senior management are checked in the World
Check system and the section ascertains that these entities and individuals are not on UN, OFAC, EU,
or DAB sanctions lists.

Article 56: USD Checks


The compliance team is responsible for checking all USD transactions (no threshold is considered, in
accordance with Federal Reserve and OFAC requirements) and all Afghani transactions of 500,000 or
more. Civil servants' salaries are not included in this category.

Article 57: Politically Exposed Persons


In case of close match or high risk customers such as politically exposed persons (PEP), the
compliance team will report the issue to DG Risk Management and Compliance Department for
approval of processing of the payment. All USD payments are checked, but Afghanis payments are
checked above the threshold as defined by AML/CFT law of Afghanistan. Check list on wire transfers
is applicable.

Chapter 12: Payments Department Compliance


Article 58: Compliance Section in Payment Department
(1) The Compliance Department has a section deployed in the Payments Department. The Payments
Department is responsible for receiving all SWIFT messages from around the world and then settling
the transferred funds into the relevant commercial bank account. AML/CFT risk exists in fund
transfers from foreign countries. All funds transferred from a legal or natural person to a legal
or natural person in Afghanistan are checked.
(2) The Payments Department has the following two functions:
1. All payments that are going out of DAB either internationally or to a commercial bank
in Afghanistan are processed via the Payments Department.

2. All payments coming into Afghanistan are received by DAB Payments Department
and then settled to relevant account in Afghan commercial banks or government
accounts.
(3) Outgoing payments such as telegraphic transfers, letter of credits, and salaries of Afghan
diplomats are compliance checked in Bank Operation Department and then sent to Payments
Department to complete the transactions.

Article 59: International Payments Compliance Checks


Payments coming into Afghanistan, and any transaction by an individual or an entity of any
amount (no threshold is considered) coming into Afghanistan, are subject to the following:
1. The payment is compliance checked;
2. The names of the beneficial owners and of the entity are checked in the World Check
system in order to ensure that the benefiting person/entity is not on UN, OFAC, EU,
or DAB sanctions lists.
3. Grants or other money in the context of Official Development Aid (ODA) to Afghan
government accounts from supporting countries or agencies are not included.
4. Money coming into Afghanistan from different national governments to meet the
operational expenditures of their armed forces stationed in Afghanistan is excluded
from the compliance check requirement, if:
a. USAID gives a grant to a government of Afghanistan institution, there is no
compliance check requirement; and
b. USAID contracts a local Afghan NGO and money is coming to that local
NGO's account, the compliance team stationed at the Payments Department will
check the names of the NGO, its beneficial owner, and its senior management against
sanctions lists.

Article 60: Exemptions


(1) Transfers from the U.S. government or other NATO nations whose troops are stationed in
Afghanistan are not checked. These funds are transferred to support the NATO mandate in
Afghanistan. The checklist on wire transfers is applicable.
(2) Transfers from foreign governments, international organizations, international NGOs, or
individuals that go to a government of Afghanistan account are not checked.

Chapter 13: Miscellaneous Articles


Article 61: Review and update
(1) This Procedure shall be reviewed and updated upon the approval of the Governor.
(2) Any update to the Procedure shall be processed to the High Council for approval.

Article 62: Attachments


Any attachment to this Procedure is an integral part of this Procedure.

Article 63: Enforcement
This Procedure shall be enforced as soon as it is approved by the High Council. Upon the
enforcement of this Procedure, all other risk management procedures and policies shall be null and
void.

Attachment No. 1: TTs Template for Natural Persons
Telegraphic Transfer (TT) Checklist - Natural Person
Bank Name: Date:
No. | Item | Result (Yes / No) | If No/HR
 | TT Number: | |
1 | Beneficiary Details: Bank Name: | | Stop Transaction
2 | Account No: | | Stop Transaction
3 | Full Name of the beneficiary: | | Stop Transaction
4 | Address: | | Pending (ASK)
5 | Email: | | Proceed
6 | Contact Number: | | Pending (ASK)
7 | Swift Code (if known): | | Stop Transaction
8 | Date: | | Stop Transaction
9 | Currency: | | Stop Transaction
10 | Amount: | | Stop Transaction
11 | Purpose: | | Pending (ASK)
12 | Relationship with sender: | | Proceed
13 | World Check: | | Stop or EDD
14 | FinTRACA Watch-List: | | EDD
15 | Country Risk: | HR / LR | Stop or EDD
16 | Profession/Occupation: | HR / LR | HR, EDD
17 | PEP: | Yes / No | If Yes, EDD
18 | Sender's Details: Name: | | Stop Transaction
19 | Address: | | Stop Transaction
20 | Passport/ID Number: | | Stop Transaction
21 | Phone Number: | | Stop Transaction
22 | Email: | | Proceed
23 | Non-resident Customer | | EDD
24 | Occasional Transaction (Cash Transaction) | | Proceed if not HR
25 | Account Name to be Debited: | | Stop Transaction
26 | Account No: | | Stop Transaction
27 | Verified Request: | | Pending (ASK)
28 | Invoice/Title deed or any other accepted doc | | Pending (ASK)
29 | Is the amount less than 1 Million AFN | | No, EDD
30 | Are the transactions batched: | | EDD
31 | KYC Form: | | Pending (ASK)
32 | Transaction is in line with expected turnover | | EDD
33 | Profession: | HR / LR | HR, EDD
34 | World Check: | | Stop or EDD
35 | FinTRACA Watch-List: | | Stop or EDD
36 | Customer Risk*: | | Stop or EDD
37 | Country Risk: | | Stop or EDD
38 | PEP: | | If Yes, EDD
39 | TT Request Form: | | Pending (ASK)
40 | Officer's Name: | |
41 | Officer's Sign: | |
42 | Manager's Name: | |
43 | Manager's Sign: | |
Note: Any discrepancy or suspicion should lead to EDD at first.
*As per ML/TF Risk Assessment Guidelines 2019
Attachment No. 2: Telegraphic Transfer Checklist – Legal Person
Telegraphic Transfer (TT) Checklist - Legal Person
Bank Name: Date:
No. | Item | Result (Yes / No) | If No/HR
1 | TT Number: | |
2 | Beneficiary Details: Bank Name: | | Stop Transaction
3 | Account No: | | Stop Transaction
4 | Company Name: | | Stop Transaction
5 | Address: | | Pending (ASK)
6 | Email: | | Proceed
7 | Website: | | Proceed
8 | Contact Number: | | Pending (ASK)
9 | Swift Code (if known): | | Stop Transaction
10 | Date: | | Stop Transaction
11 | Currency: | | Stop Transaction
12 | Amount: | | Stop Transaction
13 | Purpose: | | Pending (ASK)
14 | World Check: | | Stop or EDD
15 | FinTRACA List: | | Stop or EDD
16 | Country Risk: | HR / LR | Stop or EDD
17 | PEP: | | If Yes, EDD
18 | Sender's Details: Name: | | Stop Transaction
19 | Address: | | Stop Transaction
20 | Valid License: | | Stop Transaction
21 | Passport (Pr/VP)/Verified Copy Tazkera: | | Pending (ASK)
22 | Phone Number: | | Pending (ASK)
23 | Email: | | Proceed
24 | Occasional Transaction (Cash Transaction) | | Ask information
25 | Account Name to be Debited: | | Stop Transaction
26 | Account No: | | Stop Transaction
27 | Account Type (Company): | | Stop Transaction
28 | Request Letter (Showing Trans Purpose): | | Pending (ASK)
29 | Invoice/Contract copy of Central Asian Countries/IRoA | | Stop Transaction
30 | Are the transactions batched: | | Ask information
31 | Transaction is in line with expected turnover | | Ask information
32 | World Check: | | Stop or EDD
33 | FinTRACA Watch-List: | | Stop or EDD
34 | Customer Risk*: | | Stop or EDD
35 | TT Request Form: | | Pending (ASK)
36 | Officer's Name: | |
37 | Officer's Sign: | |
38 | Manager's Name: | |
39 | Manager's Sign: | |

Note: No transaction should be allowed to UN/FATF and OFAC blacklisted countries/persons. No transaction
should be processed to Iran or for goods banned by IRoA.
* As per ML/TF Risk Assessment Guidelines 2019

Attachment No. 3: Enhanced Due Diligence
Enhanced Customer Due Diligence Requirements

If Sender (Natural Person) Is Considered High Risk
No. Actions
1 Tax Clearance Certificate
2 Documents on Source of Funds (Bank Statement)
3 Ask Bank for Enhanced Monitoring
4 Acknowledgment letter (Purpose of Transaction)

If Sender (Legal Person) Is Considered High Risk
No. Actions
1 Tax Clearance Certificate
2 Documents on Source of Funds (Bank Statement)
3 Ask Bank for Enhanced Monitoring
4 Acknowledgment letter (Purpose of Transaction & Nature of Business)

Attachment No. 4: Risk Register Template

Ref ID: 001
Risk: DAB Credit Risk
Risk Owner: Finance and Accounting and Financial Supervision Department
Risk Trigger: Bank-run on commercial banks in Afghanistan
Probability: Possible
Impact: Intolerable
Probability + Impact score: Catastrophic: ≥ 15
Expected Result / No Action: DAB Financial Supervision Department works closely with commercial banks to reduce the risk of bank failure.
Positive Risk Response: Commercial banks can manage their reputational risk and avoid a bank-run situation.
Negative Risk Response: Commercial banks fail to meet their obligations and DAB, as a lender of last resort, intervenes.
Response Owner: Finance and Accounting and Financial Supervision Department
Response Description: DAB will provide credit to a failing commercial bank as a lender of last resort. The bank's assets may not generate enough money to cover the DAB credit and may cause credit risk for DAB.
Response Impact: DAB intervention in case of failure is essential.

Ref ID: 002
Risk: DAB Liquidity Risk
Risk Owner: Bank Operations Department
Risk Trigger: Bank-run on commercial banks
Probability: Possible
Impact: Intolerable
Probability + Impact score: Catastrophic: ≥ 15
Expected Result / No Action: DAB Bank Operations Department maintains the daily, weekly, monthly, and annual domestic currency outflow and inflow data. The Risk Management and Compliance Department will conduct a stress testing exercise in 2020 to ensure that liquidity risk is managed.
Positive Risk Response: All domestic currency liquidity demands are met on time.
Negative Risk Response: In a bank-run situation on all commercial banks, DAB has to provide domestic currency liquidity to help banks meet their obligations.
Response Owner: Bank Operations Department
Response Description: DAB will provide liquidity to any commercial bank with a problem.
Response Impact: DAB is responsible for providing domestic currency liquidity.

Ref ID: 003
Risk: DAB Operational Risk Assessment
Risk Owner: Bank Operations Department, Market Operations Department, Payment Department
Risk Trigger: DAB systems failure
Probability: Possible
Impact: Less than two hours acceptable, less than one day tolerable, more than one day intolerable
Probability + Impact score: More than one day, Serious: ≥ 10
Expected Result / No Action: DAB systems are updated and checked. Moreover, the DAB Risk Management and Compliance Department has developed a Business Continuity and Disaster Recovery plan to minimize the disruption in operations.
Positive Risk Response: There is no delay of more than two hours in all DAB operations.
Negative Risk Response: DAB operations are suspended for more than 1 working day.
Response Owner: Risk Management and Compliance Department, Bank Operations, Market Operations and Payment Departments.
Response Description: DAB Market Operations, Bank Operations and Payment Departments work closely with the Risk Management and Compliance Department to identify any operational deficiencies and mitigate the operational risk in a timely manner.
Response Impact: DAB is able to mitigate its operational risks efficiently and effectively.

Ref ID: 004
Risk: DAB Legal Risk / Reputational Risk
Risk Owner: Risk Management and Compliance Department
Risk Trigger: DAB systems/facilities are used for money laundering or terrorism financing.
Probability: Unlikely
Impact: Intolerable
Probability + Impact score: Serious: ≥ 10
Expected Result / No Action: The DAB Risk Management and Compliance Department has deployed dedicated units to monitor all payments going out of and coming into DAB. All the transactions are monitored.
Positive Risk Response: AML/CFT laws, regulations and international standards are implemented.
Negative Risk Response: AML/CFT law, regulation, or international standards are validated.
Response Owner: Risk Management and Compliance Department
Response Description: The Risk Management and Compliance Department checks each and every transaction going through DAB systems.
Response Impact: DAB is compliant with AML/CFT law and regulations.
Attachment No. 5: Credit Risk Assessment Matrix
Credit Risk Assessment Matrix
Scale of Severity: Acceptable, Tolerable, Intolerable
Scale of Likelihood: Unlikely, Possible, Likely

Unlikely: (no entry)
Possible: Failure of DAB employee to repay his/her loan to DAB (Low Risk). If an employee cannot repay his/her loan, DAB can withhold his/her pension fund money. It is a possible event but the risk is acceptable.
Possible: Failure of commercial bank in Afghanistan and subsequent bail out by DAB is a possible event, but the risk is intolerable considering the delicate economic and political conditions of the country. (High Risk)
Likely: (no entry)

Attachment No. 6: Liquidity Risk Assessment Matrix

Liquidity Risk Assessment Matrix
Scale of Severity: Acceptable, Tolerable, Intolerable
Scale of Likelihood: Unlikely, Possible, Likely

Unlikely: Failure of DAB to meet its domestic currency obligations. (Unlikely event but intolerable consequences.) High Risk
Possible: (no entry)
Likely: (no entry)

Attachment No. 7: Operational Risk Assessment Matrix

Operational Risk Assessment Matrix
Scale of Severity: Acceptable, Tolerable, Intolerable
Scale of Likelihood: Unlikely, Possible, Likely

Unlikely: DAB systems do not function for more than one working day. The risk from this event is intolerable.
Possible: DAB systems do not function for one working day. The event is possible, but the damage is tolerable.
Likely: DAB systems do not function for 2 hours. The event is likely, but the damage is acceptable.

Attachment No. 8: Legal Risk Assessment Matrix

Legal Risk Assessment Matrix
Scale of Severity: Acceptable, Tolerable, Intolerable
Scale of Likelihood: Unlikely, Possible, Likely

Unlikely: DAB systems/facilities are used for AML/CFT purposes. It is unlikely because a compliance function with adequate resources and capacity is already deployed. However, if such an issue arises, it will significantly damage DAB reputation.
Possible: DAB is unable to meet its contractual obligations.
Likely: (no entry)

Attachment No. 9: Risk Assessment Checklist Format

GOVERNANCE

1. Organizational structure and organizational volume of the office
2. Work policy and procedure
3. Rules and regulations
4. Work plan (weekly, monthly, quarterly, and annually)
5. Employee job descriptions
6. Reporting mechanisms
7. The stability of the office from the point of view of dismissal or dismissal and appointment of department employees
8. What are the obstacles and problems in planning?

OPERATION

1. Modern systems and eternity
2. Powers and responsibilities
3. Performing duty and performance
4. Refund transaction procedure
5. Effectiveness
6. Limitation of competence

CAPACITY BUILDING

1. General education
2. Specialized education
3. Specialized education (short-term)
4. Specialized education (secondary)
5. Knowledge and information about the task
6. Specialized education (long term)
7. Employee abilities
8. Expertise and experience

DEVELOPMENT ACTIVITIES

1. Policy and work procedure
2. Rules and regulations
3. Performance
4. Effectiveness

Attachment No. 10: Risk Assessment Timetable

TIMETABLE FOR RISK ASSESSMENT ( )

Months: August, August, August, Sep, Sep, Sep, Sep
Remarks:
Starting Operation Date: 21-Aug-20, 26-Aug-20

Activities:
Data collection
Completion of questionnaires
Risk self-assessment forms
Interview
Document analysis
Report preparation
Exit meeting / update the report

The above plan is changeable according to the annual work plan.

Attachment No. 11: Self-Assessment Form


1. The main characteristics of the employees who are in charge of the activities of this
department:
Department Name
Name and surname of the in charge
Phone number
email
Number of department employees

2. Working problems caused by operational risk in performance, systems, employees, and
external factors.
No | Types of Activities | Yes | No | Type of Activities | Type of Risk (High, Medium, Low)
1 | Type of Problem
Difficulty in work executions
Problems in the workplace (Internal External)
Problem with workload
Problems with staff
Problem with resources
Problem in the system
Problem with task interference
Problem in reporting
Problem in problematic cases

3. Comments, orders, and suggestions of the relevant department manager:


------------------------------------------------------------------------
------------------------------------------------------------------------
------------------------------------------------------------------------

4. Seal and signature of the relevant department officials:


Sections Name Phone Email Date Signature

The following section is filled by the staff of the General Administration of Risk and in compliance
with the law of the house.

Name

Stamp and Signature

Date
